BusinessObjects security flaw left users vulnerable to attack

Similar Messages

• Mac firewall security flaw in Adobe CS3

  Security experts are warning of an issue within Adobe CS3's Version Cue application which can disable a Mac's built-in firewall.
  An alert from the experts at Secunia warns that Adobe Version Cue disables a Mac's firewall when it is installed. It does so in order to set certain ports up for "controlled access through the firewall", the experts said.
  The probelm is that the installer doesn't re-enable the firewall once installation is complete, leaving certain system services vulnerable to attacks.
  The security issue is reported in Adobe Version Cue CS3 Server, installed as part of Adobe Creative Suite 3 Design Premium, Design Standard, Web Premium, or Web Standard editions, Secunia explains.
  There is a simple fix to the flaw, which is rated as "less critical" – users simply need to re-enable their Mac OS X firewall in System Preferences once installation is complete.
  http://www.macworld.co.uk/procreative/news/index.cfm?newsid=18066&pagtype=allcha ndate
  I'm rather surprised that an application can simply turn off the firewall without any red flags to the user.
  Any comments?

  ..."From a user perspective, I did give authorization to install the software - I did not give authorization to turn the firewall off and keep it off."...
  That's the thing though - you may not think you gave it authorization to modify the firewall, but by providing an "admin" password, you actually did. It is a matter of education, but users must be made to recognize that inputing an "admin" password is giving the process that asked for it carte blanche powers. Such an arrangement seems to be fairly typical in personal computing. Installers that use Apple's installer do sometimes break things down a little and providing a bit of detail to what right is being requested, but from what I recall, Adobe uses something else.
  ..."Apple should probably have provided some safety net. After all, we are talking "firewall" here, not just some preference setting. "...
  I guess it's beside the point but in this case, this installer legitimately needed to modify firewall settings - you told it to install a type of server. It just happened that, there was a bug so it didn't restore the firewall after it was done. How does the system know that you didn't really want to turn off the firewall? Considering the diverse functions software can perform, it would probably be overly intrusive for the OS to try to second guess a programme every time it tried to do something. Changing any sort of user preference setting would not have required a password at all. If a programme asks for your "admin" password, that is the tip off that it intends to make changes to the system. The requirement for a password is actually a huge "safety net".
  With anything related to security, there's always a compromise between security and convenience. The presumption is that as the "admin", you are a person with authority over the computer and have some level of trust in the software you are about to install. If you think about it, compared to the alternative, the current arrangement saves you from having to click "Cancel" or "Allow" for every single file that the installer is going to create, or approve every individual port it wanted to open in the firewall (keeping in mind you are installing some sort of server), and in particular, from learning the ins and outs of every detail of the guts of OS X so you fully understand what it is that you are agreeing to. Now if it turns out that your trust in Adobe's intent or competence were misplaced, the result will unfortunately be the occasional problem like this one.
  ..."I wonder what happens if changes to the firewall are locked? Can a software install just override this without any authorization?"...
  With your "admin" password, yes. Files can be locked in certain ways where an installer or other process wouldn't be able to modify them, but as far as simply turning off the firewall, I don't think you could prevent something with authorization from your "admin" password from doing so.

• Adobe acknowledges critical security flaw in software...

  Link to BBC article:
  http://news.bbc.co.uk/2/hi/technology/10257411.stm
  Adobe says the vulnerability potentially enables hackers to take control of affected computer systems.
  Users running Windows, Macintosh or Linux might all be open to attack.
  The company is working to fix the problem. In the meantime, users of Reader, Acrobat and Flash are advised to ensure their anti-virus software is up to date.
  My antivirus software? God forbid...  Is this some new kind of FUD?
  What other sources have you found - perhaps even with more detailed info?

  You can install the release candidate of flashplugin 10.1, I just changed the version and download url from the PKGBUILD in my abs tree and it seems to work. This version should not be vulnerable to the security flaw, according to the adobe site.
  pkgname=flashplugin
  _licensefile='Reader_Player_AIR_WWEULA-Combined-20080204_1313.pdf'
  pkgver=10.1.rc7
  pkgrel=1
  pkgdesc='Adobe Flash Player'
  url='http://get.adobe.com/flashplayer'
  arch=('i686')
  depends=('mozilla-common' 'libxt' 'gtk2' 'nss' 'curl')
  replaces=('flashplugin-beta')
  provides=('flashplayer')
  license=('custom')
  source=('http://download.macromedia.com/pub/labs/flashplayer10/flashplayer10_1_rc7_linux_060210.so.tar.gz'
  "http://www.adobe.com/products/eulas/pdfs/${_licensefile}")
  build() {
  install -d -m755 ${pkgdir}/usr/lib/mozilla/plugins/ || return 1
  install -m755 ${srcdir}/libflashplayer.so ${pkgdir}/usr/lib/mozilla/plugins/ || return 1
  install -d -m755 ${pkgdir}/usr/share/licenses/${pkgname}/ || return 1
  install -m644 "${_licensefile}" ${pkgdir}/usr/share/licenses/${pkgname}/LICENSE.pdf || return 1
  md5sums=('e4cb4d26124605a54c3d498cc440368f'
  '1636037610ee2aa35c5fb736a697b7e0')
  Edit: I just made it so it works on my 32 bit system, 64 bit users will need to change the download url and md5sum.
  Last edited by Ramses de Norre (2010-06-08 17:23:39)

• Acrobat 9.2.0 Update Breaks Text Box Tool, Possibly Introduces a New Security Flaw.

  Anyone have any ideas for this one?
  Once we upgraded to version 9.2.0 (This is a major security release that fixes a Javascript security flaw) our text box tool no longer works the way we want it and crashes the program.
  Try this:
  1. Open any PDF document on a  Windows XP SP3 computer with Adobe Acrobat 9.2.0.
  2. Add the 'Text Box Tool'  to the toolbar by right-clicking the toolbar and selecting 'MoreTools' then placing a checkbox next to the 'Text Box Tool'.
  3. Click the 'Text Box Tool' on the toolbar and draw a new textbox anywhere on the PDF document.
  4. Click out of the textbox to cancel typing mode, then single click back on the textbox that you just created.
  5. Right-click the textbox that you created and select 'Properties..."
  6. Under the 'Appearance' tab,
  a. Select Style: No Border
  b. Select Fill Color: No Color
  c. Check the box 'Make Properties Default'
  d. Click OK.
  7. Click the Text Box Tool again, and draw another textbox (Since there is no border you will not see it but you will still be drawing a textbox).
  8. Let go of the mouse when you are done drawing your textbox rectangle and the program will crash at this point.
  Results:
  1. "An internal error occurred." dialog box is displayed.
  2. After clicking ok the following "Microsoft Visual C++ Runtime Library" dialog box is displayed:
  "Runtime Error!
  Program: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
  R6025
  - pure virtual function call
  3. After clicking ok another dialog box is displayed:
  Error signature
  AppName: acrobat.exe AppVer: 9.2.0.124 ModName: acrobat.dll Offset: 000509dd
  4. The same error has occurred on all five computers that we tested the new version on.
  Expected results: A new textbox is created and you may start typing in text (This was the behavior in version 9.1.3).
  Additional Information
  At times, we need to add information to PDF files (i.e missing dates, etc). We have always used the Text Box Tool to do this with no border, and with no fill color as this is the EASIEST and FASTEST way to add information to PDF files in a precise manner. We want the fill color to be transparent so that we can fit text in between and exactly on lines easier, and so that there is not a solid background box behind the text. We want no border because a border around text that needs to go on a line looks stupid. Up until version 9.2 this procedure worked fine. Now, the program will crash. Perhaps this even adds another security vulnerability if the crash could be exploited. We want to maintain security by patching Adobe to address the JavaScript vulnerability that was addressed in version 9.2.0, however, we are not able to update our users as the new version breaks the fundamental purpose that we use Adobe Acrobat for. We are stuck with the vulnerable version 9.1.3 until this problem is addressed. Disabling JavaScript is not an option either, as we use a Java plug-in on a daily basis.
  Any thoughts would be great, I have attached screenshots of the errors.

  The question still is not answered.
  The problem continues in Acrobat 8.1.7 for Windows, even after updating toAcrobat  8.2.0. ( I can't comment on whether recent updates to Acrobat 9 fix the problem in Acrobat 9.)
  The internal error after text insertion problem occurs even with PDF documents created in Acrobat 8, i.e., not only old versions of PDF files. We have the text box insertion icon in the toolbar, and the properties set to "no color" for the box and "0" width for the text box lines, as other commentators have noted.
  The problem did not exist when Acrobat 8 Pro was installed, it was introduced by one of the updaters.
  The main reason we use Acrobat, rather than much cheaper PDF-creation software, is to annotate PDF files (including inputting data into spaces in standard forms).
  So justify the high price of Acrobat and fix the problem please, Adobe !

• Security Flaw on iPhone???

  Critical iPhone security flaw found
  Fortify Software, a security firm, has uncovered a critical security flaw in the Apple iPhone which could lead to phishing attacks.
  Because the iPhone only displays the first few characters of a URL in its Safari web browser, phishers could easily hide a fraudulent URL at the end of a link without the user even knowing it.
  Even worse, the iPhone connects the browser and the phone in such a way that it may be possible to embed scam telephone numbers into a site to make the phone automatically dial the scam number.
  Let’s hope Apple is working on a fix for this one because that is some scary stuff. Now, if you input addresses yourself and use bookmarks, the chances of being affected by this are relatively minimal. That said, watch out for strange emails and Google results — you can’t always trust that either.
  Anybody read this? Any comments or thoughts??? Valid?

  It's hardly a new flaw since disguising URLs in links has been common practice for some time. However, while the browser does indeed only show a limited number of characters from the URL being opened (more if in landscape mode than portrait) to get to the URL at all the user would either have to enter it manually, or encounter it in an email or web page where the full URL should readily be discovered.
  It seems probable to me that over time, security holes will be found as in all accessible and discoverable devices on the internet. Based on experience with Apple and MacOS, I would have confidence that genuine weaknesses found in the iPhone will benefit from security fixes as expeditiously as possible.

• Security flaw-To use CSOM/Javascript code for Custom Office365(Sharepoint Online) application

  Hi,
  I've developed custom application in Office365(Sharepoint Online) using CSOM/Javascript. Security team from client side has been reported one major issue to the our application that any end user can comment our CSOM/Javascript code and bypass the validation
   or can update / insert into sharepoint list item using developer tool/ Console in Google Chrome(F12 Key).
  Also end user can write his own separate code in console of Google Chrome (Developer Tool / F12) and can update / insert  into Sharepoint List.
  Note:- End user has Add, Edit, View permission on all Sharepoint List.
  This is one major security flaw of the Sharepoint/Office365 to use CSOM /Javascript for writing code, to overcome this issue could you please provide me some solution.
  Your help would be greatly appreciated!!!  
  Looking for reply.
  Thanks,
  Mahesh Sherkar
  Web: http://Mahesh-Sherkar.com
  Email: [email protected]

  Hello Paras, 
  Did you get any solution for this? I think your website was implemented this form. Can you please tell me the way how I can achieve it? I am also facing same problem. Please reply me as early as possible.
  Thanks,
  Mihir

• Security Flaw: Screen Saver Authentication

  Hi,
  I have found a security flaw, it exists in both Panther and Tiger. If a system has 2 accounts, the first account being active and locked through a screen saver. The second account (if administrator) can type their username/password in the authentication screen, and it will unlock the first account. This works if the first account is an administrator or not. Any administrator username/password will authenticate any other account from the screen saver authentication box. I have proven this on 2 machines, a D2.5 G5, and a 1.6 iMac G5.
  Please contact me for further testing.

  it's not a TECHNICAL flaw, it is however a logical flaw, yes.
  Because admins are part of the sudoers files, one admin does have the permission to unlock another admin like that, the same as how when logged in with one account you can use another admin account to authorize the installation of software (why it's not necessary to be logged in with your admin account)
  The behavior I suspect you desire is the behavior Windows uses, where when you use an admin account to unlock a computer, it logs out the user who locked it (assuming the admin isn't the one logged in).
  I suggest you submit a feature request to Apple.

• IOS 7 security flaw

  Major Security flaw in IOS 7
  I your phone is locked with a passcode (even the complex one) and you swipe up to get to the control centre
  Click on alarms
  hold down the sleep on/off button until you get the slide to power off
  Cancel this
  Double click the Home button
  hey presto you can get to the apps that were open
  The phone is also unlocked
  However this doesnt work if you had left the camera app open

  I tried it in all different ways, it wouldn't open the phone. But when i do open the phone normally, it opens immediatly in the mutlitasking page. But I am sure this could be a security flaw that might work with others.

• Screen Saver Password Protection - Security Flaw

  Although I have always felt OS X has been a solid and secure operating system, there continues to remain one painful, and blatant security flaw. I keep thinking that Apple will address the issue, but they certainly haven't done so thus far.
  Explanation:
  With any good security policy, and in any secure environment, there will always be a need to "lock" (password protect) a system when not in use. That is, after 'X' period of time, the user interface is password protected so as not to allow access to the system while not in use. This is probably the most common and fundamental security measure in any environment. However, Apple's (GUI) password protection falls short in a number of ways. The only current method of password protecting the user interface is through the Screen Saver. Although at a glance it appears functional, it is a poor design and is easy to disable.
  The screen saver configuration lies within two files; the ~/Library/Preferences/com.apple.dock.plist and ~/Library/Preferences/ByHost/com.apple.screensaver.<variable>.plist. It is especially important to note that both of these files are located in the users home folder, which gives them full access to the configuration files. There is absolutely nothing preventing a user from deleting these files, and thus, disabling the only mechanism to password protect the user interface. Giving the user the ability to disable or remove ANY security related configuration is a poor design.
  Now initially we thought we had a solution by setting the user immutable flag on the ByHost screen saver plist using chflags. This would still allow user access, but would prohibit them from deleting the ByHost plist. Well, it sounded good in theory. However, if ~/Library/Preferences/com.apple.dock.plist is deleted, you can say goodbye to your password protected screen saver, despite locking the screen saver plist. So naturally the idea occurred to me to set the user immutable flag on ~/Library/Preferences/com.apple.dock.plist. This works, but makes it impossible to modify the Dock. Needless to say, if the Dock can't be modified, there's no point in even having it.
  Now that isn't the only thing wrong with the screen saver password protection. You would expect that an administrator could unlock a users (password protected) screen saver, but you would also assume that the user was logged off as a result. Not in this case... If an admin unlocks a password protected screen saver for a user, they are now logged in as that user and have access to everything the user was doing when it was locked (email, spreadsheets, confidential information... anything). This is not the preferred method. If for some reason an admin needs to unlock a password protected screen saver, it should log off that user, not allow access to the user's session.
  Finally, the biggest flaw yet. With a recent update, the password protection doesn't even work, as indicated by several people in the following threads.
  http://discussions.apple.com/thread.jspa?messageID=2706417&#2706417
  http://discussions.apple.com/thread.jspa?messageID=1950444&#1950444
  http://discussions.apple.com/thread.jspa?messageID=2648700&#2648700
  I have personally seen this issue while developing our corporate OS X image. Despite any fix or workaround, the simple fact that this has occurred is disturbing. ...As if the design wasn't bad enough, it now has the potential to stop working entirely.
  Now don't get me wrong, I love OS X and prefer to work on it over any other operating system. Nonetheless, the current design for the "screen lock" is inadequate at best. For a large enterprise environment with stringent security requirements, it's far from sufficient. My hope in posting this is that someone from Apple acknowledges the design flaw and incorporates a more effective solution into the next OS.
  MacBook   Mac OS X (10.4.6)  

  One thing I forgot to mention is that "Workgroup Manager.app" is a part of the "Server Admin Tools" which can be downloaded free from Apple. Although it seems to be primarily intended to be used to configure OS X Server from an OS X Client machine, many of its functions can be used to configure the OS X Client machine itself, in the complete absence of OS X Server. Unfortunately, the 'mcx_settings' aren't really "image friendly" - as far as using them on OS X client is concerned, they are something that seem to need to be applied to user accounts individually (although it is possible to copy all of the settings at once so it isn't necessary to go through the whole configuration process for each setting for each user). I have tried tinkering and applying them to groups, but group members don't seem to automatically be restricted (I may be missing something). The "tools" are available here:
  http://www.apple.com/support/downloads/serveradmintools104.html
  I don't know if it would be any better than the screen saver "hot corner", but there is an option to lock the screen from the "Keychain Access" menu extra, which can normally be enabled through "/Applications" > "Utilities" > "Keychain Access.app", from its "Preferences". This setting is then stored in the "com.apple.systemuiserver.plist" file (ie independent of the "Dock"), but could in principle be controlled from 'mcx_settings' as well. The level of control seems to be incomplete - the user can still drag the item off of the menu bar, but it returns during the next login. However, it does provide convenient access to a method to lock the screen and keychains, and has a nice "padlock" icon so that its function is obvious. It is also potentially possible to assign a two-step keyboard shortcut to the "Lock Screen" item, but it would be somewhat less convenient than a direct key combo...
  One other note regarding the "admin" user's ability to unlock the screensaver. The configuration file allowing the "admin" user to do this is "/etc/authorization", under 'system.login.screensaver'. Currently, the "rule" is set to 'authenticate-session-owner-or-admin'. Changing it to 'authenticate-session-owner' would be expected to remove the "admin" user's ability to unlock the screensaver, and if "Fast user switching" is available, the "admin", being unable to authenticate, should be able to switch to the "login window" from the authentication dialogue. I haven't tested this at all in "Tiger", but in "Panther", there was apparently a problem with it (which is why it had slipped my mind since at the time it was rejected as a viable option) - the person who posts here as "LittleSaint" had mentioned some problem with user logins when set up that way but I don't remember what it was, and so can't test if it has been fixed in "Tiger" (not very reassuring, and I apologize). And again, this is a setting that an "admin" would be able to reverse for themselves. Also, should "Fast user switching" become disabled for some reason, and the screen saver kicks in and the user isn't available, it might be a hassle to get back into the machine (it might be possible to do something over ssh). Nevertheless, it might be something to look in to.

• Security Flaw: Since upgrading to iOS 8.3, I can by-pass passcode security by simply hitting RETURN on my bluetooth keyboard

  I noticed when I typed my passcode incorrectly on my Logitech Fabric Skin Keyboard Folio, the iPad allowed me to log in.  I checked again, but this time by just hitting RETURN key without entering any passcode, and again it allowed me to log in.
  If I disconnect the keyboard, and use the soft keyboard on the iPad itself, it only allows the correct passcode.
  Has anybody else seen this security flaw?
  iPad Air
  iOS 8.3

  Please describe the problem in as much relevant detail as possible. The "etrecheck" fad hasn't made that step any less necessary. The better your description, the better the chance of a solution.
  For example, if the computer is slow, which specific actions are slow? Is it slow all the time, or only sometimes? What other changes did you make, if any, just before it became slow? Have you seen any alerts or error messages? Have you done anything to try to fix it? Most importantly, do you have a current backup of all data? If the answer to the last question is "no," back up now. Ask if you need guidance. Do nothing else until you have a backup.

• ADF security - prompt for user id and password again on page forward

  Hi,
  I am working with ADF using JDeveloper 10.1.3 with Business Components and ADF Faces.
  I have a Search page and a List page.
  Both pages are based on the same view within the same application module.
  The Search page is using the default Find and Execute Operations.
  The Execute button has an action that navigate to the List screen.
  faces-config.xml
  <navigation-rule>
  <from-view-id>/jspx/search.jspx</from-view-id>
  <navigation-case>
  <from-outcome>search</from-outcome>
  <to-view-id>/jspx/list.jspx</to-view-id>
  <redirect/>
  </navigation-case>
  </navigation-rule>
  <navigation-rule>
  <from-view-id>/jspx/list.jspx</from-view-id>
  <navigation-case>
  <from-outcome>find</from-outcome>
  <to-view-id>/jspx/search.jspx</to-view-id>
  <redirect/>
  </navigation-case>
  </navigation-rule>
  Security (Roles and Users) is based on the jazn-data.xml and web.xml
  URL Patterns for the pages have assigned to the role.
  Login Configuration is HTTP Digest Authentication
  <web-resource-collection>
  <web-resource-name>APP_SUPPORT</web-resource-name>
  <url-pattern>faces/jspx/search.jspx</url-pattern>
  <url-pattern>faces/jspx/list.jspx</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>APP_SUPPORT</role-name>
  </auth-constraint>
  <login-config>
  <auth-method>DIGEST</auth-method>
  </login-config>
  Everything is fine when running the application from JDeveloper,
  but when the application is deployed to the server (OC4J),
  After logging into the system, the Search page prompt for user id and password again
  on click of the Execute button.
  Have anyone experience this problem before?
  Thanks for any help.
  Jim

  Hi,
  does the same thing happen if you change your protected resource from:
  <web-resource-collection>
  <web-resource-name>APP_SUPPORT</web-resource-name>
  <url-pattern>faces/jspx/search.jspx</url-pattern>
  <url-pattern>faces/jspx/list.jspx</url-pattern>
  </web-resource-collection>to:
  <web-resource-collection>
  <web-resource-name>APP_SUPPORT</web-resource-name>
  <url-pattern>/faces/jspx/*</url-pattern>
  </web-resource-collection>Brenden

• Data Level security for specific Users

  Hi,
  Can you please suggest some ideas on by-passing the Data Level security for specific users or specific group?
  Currently, we have data level security defined on a group permissions for one group and for people belonging to another group, the security should not apply and they should see entire data.
  But, key thing here is that, the user belongs to both the groups.
  Any ideas helps.
  Thanks,
  Chandu.

  So you are saying you want a user to belong to a group with data-level security filters, but you don't want the filters to apply to that user?
  Why are they in the group then?
  Are the data filter defined with variables or are the hard-coded?
  If variables, you may be able to put logic in initialization block to set the variable appropriately for specific users.
  I'd rethink the security model - when I define data level security filters, I tend to force users to only belong to a single group/role.

• Java.lang.SecurityException: [Security:090391]Null User Identity

  Hello,
  I have deployed .ear file to the Weblogic9.2 server while doing "check .ear -->Start-->Servicing all request".Getting the following Error message:
  *java.lang.SecurityException: [Security:090391]Null User Identity
  *Errors were encountered while performing this operation.
  LOG:
  <Jun 10, 2009 11:12:50 AM IST> <Error> <Deployer> <BEA-149265> <Failure occured in the execution of deployment request with ID '1244612561983' for task '3'. E
  rror is: 'weblogic.management.DeploymentException: '
  weblogic.management.DeploymentException:
  at weblogic.application.internal.BaseDeployment.throwAppException(BaseDeployment.java:86)
  at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:214)
  at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:154)
  at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:80)
  at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:566)
  Truncated. see log file for complete stacktrace
  java.lang.SecurityException: [Security:090391]Null User Identity
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
  at weblogic.application.internal.flow.BaseLifecycleFlow$BaseAction.invoke(BaseLifecycleFlow.java:95)
  at weblogic.application.internal.flow.BaseLifecycleFlow.postStart(BaseLifecycleFlow.java:62)
  at weblogic.application.internal.flow.TailLifecycleFlow.activate(TailLifecycleFlow.java:33)
  at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:635)
  Truncated. see log file for complete stacktrace
  >
  <Jun 10, 2009 11:12:50 AM IST> <Error> <Deployer> <BEA-149202> <Encountered an exception while attempting to commit the 7 task for the application 'pfmEAR'.>
  <Jun 10, 2009 11:12:50 AM IST> <Warning> <Deployer> <BEA-149004> <Failures were detected while initiating start task for application 'pfmEAR'.>
  <Jun 10, 2009 11:12:50 AM IST> <Warning> <Deployer> <BEA-149078> <Stack trace for message 149004
  weblogic.management.DeploymentException:
  at weblogic.application.internal.BaseDeployment.throwAppException(BaseDeployment.java:86)
  at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:214)
  at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:154)
  at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:80)
  at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:566)
  Truncated. see log file for complete stacktrace
  java.lang.SecurityException: [Security:090391]Null User Identity
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
  at weblogic.application.internal.flow.BaseLifecycleFlow$BaseAction.invoke(BaseLifecycleFlow.java:95)
  at weblogic.application.internal.flow.BaseLifecycleFlow.postStart(BaseLifecycleFlow.java:62)
  at weblogic.application.internal.flow.TailLifecycleFlow.activate(TailLifecycleFlow.java:33)
  at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:635)
  Truncated. see log file for complete stacktrace
  Please help in resolving this.

  Exactly the file output file is binary. Do a vi on it, you'll see what I mean. To push this through our patching system it needs to be in it's xml format like in the BICatalogUtil.sh. To my understanding that archive is a compressed archive of the xml files (stored like the backend). I need to figure out how to uncompress so it can feed through our patching system.
  Would be better if we could just get the BICatalogUtil.sh error resolved as that method does work (most of the time).

• Serious security flaw found in IE

  *Important Information*
  A  serious  security flaw is found in Internet Explorer today and everybody is  been  advised  by  'MICROSOFT'  not  to  use  Internet Explorer for any confidential banking transactions until the new patch is released.
  The  new  patch  would  be  released  at the earliest and Microsoft advices everybody to use the browser from their rivals until the patch is released.
  Click on the below link to read:
  http://news.bbc.co.uk/2/hi/technology/7784908.stm

  I advise everybody to use the browser from their rivals, even after the the patch is released!
  I couldn´t agree more
  Maybe the browser was patched now so the data is not stolen by "someone" but to Microsoft instead when surfing MSDN
  </cynism>
  Markus

• Security flaw in bt home hub 4 & bt home hub 5

  there is a security flaw in the lastest two home hubs I recommend you avoid using these

  That's a sweeping statement. Do you want tell us what it is?
  EDIT: I see your other post
  https://community.bt.com/t5/Other-BB-Queries/WPS-no-longer-gets-disabled-by-BT/td-p/776140/page/2 
  about the "security flaw" and I see you have also been answered.