Potential Security Issue / Question

Upon screwing with my application, I noticed that when I am developing a page, I can select to go into debug mode. When I do, the URL changes from "f?p=&APP_ID.:&PAGE_ID.:&SESSION_ID.::::" to "f?p=&APP_ID.:&PAGE_ID.:&SESSION_ID.::YES::".
This "YES" in the URL changes the page view to a debug view, which shows hidden items, SQL statements which reveal tables and columns, and anything else included in the page processing phase.
So, I logged into my application (as well as some others) on a few different PCs without logging into HTMLDB (so, therefore, I was not in development mode) and placed the "YES" in the URL.
And BAM, it revealed all the processing information. I don't really like the idea of this being an easy security target when I have a large amount of people using my application.
Is this a known problem with known solutions, and if a solution (such as turning this feature off) exists, what is it?
Any help would be fantastic,
-Tim

Ah, ok. That makes sense.
So, once you set the Build Status to 'Run Application Only' the application no longer appears in the development environment, but what if you wanted this today, but in a week you decided there was additional development needed? Is there a simple way to bring it back?
I did notice that if you go into the workspace and select any application which is available in the development environment, the latter portion of the URL will look something like 'RP:FB_FLOW_ID,F4000_P1_FLOW,P1_FIND:333%2C333%2C', where the two instances of 333 refer to the application ID. If you remember the application ID of the application which is no longer in the development environment, you can replace the 333 with the ID. This will bring you into the Application Builder homepage for this application.
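
As an added illustration (not part of the original thread), the following Python sketch scans web-server access logs for `f?p` requests whose fifth positional field, the debug flag shown in the question, is set. The log lines and the `/pls/htmldb/` path prefix are constructed for the example, and the check treats any debug value other than empty or `NO` as a debug request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Positional fields of the f?p= argument, in order; debug is the fifth.
FP_FIELDS = ("app", "page", "session", "request", "debug",
             "clear_cache", "item_names", "item_values", "printer_friendly")

# Constructed sample access-log lines (not from the thread).
# The /pls/htmldb/ prefix and all addresses/IDs are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2006:10:00:00 +0000] "GET /pls/htmldb/f?p=333:1:1111::NO:: HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2006:10:00:07 +0000] "GET /pls/htmldb/f?p=333:1:2222::YES:: HTTP/1.1" 200 48211
10.0.0.9 - - [01/Jan/2006:10:00:09 +0000] "GET /pls/htmldb/f?p=333%3A2%3A2222%3A%3Ayes HTTP/1.1" 200 51007
10.0.0.7 - - [01/Jan/2006:10:00:12 +0000] "GET /pls/htmldb/f?p=333:4:3333:SAVE HTTP/1.1" 200 4010
10.0.0.7 - - [01/Jan/2006:10:00:15 +0000] "GET /i/themes/theme_2/t.css HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def parse_fp(target):
    """Split the p= argument of an f?p request into named fields.

    Returns None when the target is not an f?p request. parse_qs
    URL-decodes the value, so %3A-encoded colons are handled too.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/f"):
        return None
    values = parse_qs(parts.query).get("p")
    if not values:
        return None
    fields = values[0].split(":")
    fields += [""] * (len(FP_FIELDS) - len(fields))  # pad omitted trailing fields
    return dict(zip(FP_FIELDS, fields))


def debug_requested(fp):
    """True when the debug field holds anything other than empty or NO."""
    return fp["debug"].strip().upper() not in ("", "NO")


def find_debug_requests(log_text):
    """Return (client, app, page, debug value) for each debug request."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        fp = parse_fp(match.group("target"))
        if fp and debug_requested(fp):
            hits.append((match.group("client"), fp["app"], fp["page"], fp["debug"]))
    return hits


if __name__ == "__main__":
    for client, app, page, value in find_debug_requests(SAMPLE_LOG):
        print(f"debug={value!r} requested by {client} on app {app}, page {page}")
```

Hits against an application that end users reach, rather than against the development environment, are the ones worth reviewing.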

Similar Messages

  • Where can I submit a potential security issue for OSX10.8.4?

    This morning I found a potential security bug that allowed me to access files, applications and settings for my MBP before the OS had time to confirm my login credentials. I'm sure there are people looking to exploit this so I want to know if there is a place that I can submit the issue online or via telephone.

    http://www.apple.com/feedback/macbookpro.html

  • Are there potential security issues if I run MySql Server?

    I am learning MySQL and PHP, and have followed the instructions to download and install MySQL server on OS X Lion.
    As I am a beginner I am not sure if by enabling this I am leaving my system somehow more exposed to potential attack (I have selected the option "Automatically start MySQL server on startup").
    So my question is: am I putting my system at considerably more risk by having this service turned on? Should I disable it when I am not learning how to script PHP?
    If so, are there any simple instructions for making my system more secure while MySQL server is running?
    I use the built in OSX firewall and Little Snitch.

    Any time you run server software you are putting your systems at a higher risk. MySQL is known to be very secure. Still, there are ways to improve the security. You can restrict connections so that only localhost can connect to your server. Make sure you don't have default accounts/passwords or the root account enabled. Make sure to follow the initial securing procedures.
    In general, MySQL is very safe. There isn't anything to worry about.

  • Can I create a form that doesn't trigger Acrobat's JavaScript disabled / security issues warning?

    Hello,
    Can I create a PDF that doesn't trigger Acrobat's "JavaScript is currently disabled and this document uses it for some features. Enabling JavaScript can lead to potential security issues." message?
    I even get this error when I create a blank pdf.
    I'm not using any JavaScript in the form and the nature of the message might tend to be a bit scary to some people since it mentions enabling JS can lead to potential security issues.  I basically want to disable the messaging of a feature I'm not even using.
    Anyone know if this is possible and if so, how I go about it?
    Thank you.

    Hi,
    I too share your frustration!!
    Unfortunately I do not have a complete answer for you.
    From the start I must say that Stefan Cameron has been very helpful (http://forms.stefcameron.com/2010/01/14/acrobatreader-9-3-now-available/), however I have not had sufficient time available to deal with the issue (or find a satisfactory resolution).
    The original post that Srini shared with you related to an XFA form that had FormCalc and Javascript in it. I will now share with you another situation that is closer to your experiences.
    Sometimes where we have a complex solution/form, we often give our users a PDF with instructions and demonstrations. We generate these using Adobe products:
    LiveCycle Designer ES to generate the solution/form;
    Captivate to record the demonstration (.swf);
    Acrobat to package it up in a static PDF.
    The screen shots below are from a PDF that includes written instructions and six Flash (.swf) files. The PDF does NOT include fields/form objects and does NOT include any FormCalc or Javascript.
    One of the big sells in Acrobat 9 was that Adobe had fully integrated Flash (Adobe product, ex. Macromedia) into Acrobat 9. This meant that .swf files could run natively inside a PDF. Brilliant!!! The website today is still pushing this message, for example:
    Now bear in mind that the following screenshots are from a PDF that does not contain any scripting - its sole purpose is to "inform" the user, "look as good as the work I put into it", incorporate instruction and "multimedia" in a "single polished file" and I should be "confident that my audience will be able to view my work exactly as intended".
    Not so!!
    When the user now opens the form, all looks OK. No warning. They can read the instructions and scroll down to the multimedia (.swf files).
    However when the user clicks on the multimedia, the yellow bar appears:
    I go through the "trust" process:
    And the PDF looks like it is OK, no yellow bar. When I click on the multimedia, it begins to play - yes!! BUT ONLY FOR A SECOND OR TWO AND THEN IT STOPS AND GOES BACK TO THE START - AGGGGHHHHHHH!!!!!. I would apologise for shouting, but this is beyond frustration. The work in capturing six screencasts in Captivate, annotating them, publishing to .swf and packaging up in Acrobat has been a complete waste of time. Worse than that I now have several PDFs out there, that do not work. Good advertisement for my business? I don't think so!!
    The document that Stefan provided (Managing JavaScript Execution in the Acrobat Family of Products) does not mention Flash/.swf as being a problem. However I would recommend that you go through this document, as it may help you.
    So, where to now? I don't know. The previous posts and Stefan's responses have several urls that may help. You should maybe consider logging your experiences as a bug (log at Adobe).
    In the meantime good luck,
    Niall
    UPDATE:
    This behaviour (.swf playing for only a few seconds) happens in PDFs where the .swf is inserted as legacy media to run in earlier versions of Acrobat/Reader. In this case Acrobat/Reader is making an external call to Flash Player. Hence the yellow bar. However it does not explain why the Flash video still does not play when trusted.
    If the .swf is added into the PDF as Flash media to run on Acrobat 9 and above, then it works without displaying the yellow warning bar.
    So maybe any feature of your PDF that calls an external resource is likely to show the yellow warning bar.

  • Java install security issues?

    Should I install Java on my macbook pro (2012 version, non retina)?  I have read there are potential security issues and you should not download it unless you need it.  I was looking for more information and insight, but did not find a whole lot with my searches.  I do not have it installed currently.  I have 1 program that I was going to install that uses it, but I use it infrequently and I have ways around using it.  Thanks in advance.

    Be sure you are not talking about JavaScript which has nothing really to do with Java. The main issue with Java has been security holes that can be exploited to hack into a computer or to plant malware. The current versions of OS X provide anti-malware software built-in to OS X. Since Java exploits more than likely come through your browser, you can disable Java in the browser to keep the computer protected until you must use Java.
    Java SE Runtime Environment 7 1.7.0_21 is the current official Java installer for Mountain Lion. After you install it simply open Safari preferences, click on the Security icon in the toolbar, and uncheck the Java checkbox unless you need to use Java. Or you can leave it enabled. I do and have yet to be bothered with malware.

  • My account was deleted for security issues. I made a new account, but I can't synchronise my apps with this new account. I bought a new iPhone and would like to transfer the apps and music on this new one. Can somebody help me?

    My account was deleted for security issues. I made a new account, but I can't synchronise my apps with this new account. I bought a new iPhone and would like to transfer the apps and music on this new one. Can somebody help me?

    Why would you make a new account?  This will likely cause many problems.  Just get your old account enabled.
    Apple ID: "This Apple ID has been disabled for security reasons" alert appears
    Frequently Asked Questions About Apple ID
    Everything you purchased with the old account will always be tied to that account.  You will have to authorize the computer for that account and you will have to update the apps from that account.

  • Bit locker security issues (easy to crack) disk encryption?

    Bit locker security issues (easy to crack) disk encryption?
    Problem 1: When the PC runs I think it's too easy to get malicious users (with USB pendrive) or spyware to get the encryption key (fast and easy)
    youtube.com/watch?v=0npTlOq6q_0
    Problem 2: not resistant with bruteforce attacks
    youtube.com/watch?v=zvaJxnvbGic
    Problem 3: not resistant with boot hacking
    I'm using DriveCrypt plus pack and searched security issues in bit locker. The bit locker allow you the bruteforce/dic attack easy. I think it would be much safer 1. (I think the keys stored somewhere that is easily read) 2. Do not just be enough password need a password+file combination to decrypt the disk. DriveCrypt plus pack use a file+password combination if you know the password but you won't have the file you can not decrypt the disk (protect with bruteforce attack). On system boot protected bruteforce attack you can crash the (boot). If the boot system crash you can not decrypt the disk just the password you need the file+password combination plus to decrypt it. I am not a programmer but I see the BitLocker (easy security catches to crack the disk encryption). I'm tested DriveCrypt and I can not get the key that easy (Problem 1). I have not tested it in greater depth just trying to (catches to crack software encryption).

    Where is your question, sir?
    If the question were "is it easy to crack", the answer is "no". Your videos make use of several assumptions and ingredients and permissions that a normal attacker does not have.
    "Problem 3" is not clear, please describe what scenario you are talking about.

  • About "kernel.exec-shield" and "because they will bring security issue" for linux ASE

    In "ASE Quick Installation Guide for Linux", "kernel.exec-shield=0" and "kernel.randomize_va_space=0" should be set.
    But SuSE engineers say that "kernel.exec-shield=0" and "kernel.randomize_va_space=0" will bring the OS security issue.
    Customer wants to know why ASE needs the above parameters?
    Has anybody the idea for customer's question?

    If the parameters are not set as documented, attempts to start additional engines beyond the first one will fail, generating stack traces.
    ASE acts in many ways like its own operating system, scheduling individual user connections (spids) to actively run (note that ASE was developed well before native threading was commonly available).  Each spid has its own stack information that gets swapped in when it is set to "running" state on the engine and swapped out when it yields the engine.  The mechanics of this is not that different from the buffer overrun exploits described in the Red Hat document linked to by the install guide, http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf and the exec-shield mechanics definitely interfere with ASE's operations when ASE is using multiple dataserver processes (engines) that swap spids around.
    -bret

  • Spoof dialog Boxes security issue

    Hi all
    Anyone out there aware of this security issue with Safari?
    "Secunia Research has discovered a vulnerability in various browsers, which can be exploited by malicious web sites to spoof dialog boxes.
    The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site."
    I found the above by accident as I was looking up something else.
    If you go to Secunia site and try the test you may find that you are also vulnerable.
    http://secunia.com/multiple_browser'sdialog_origin_vulnerabilitytest/
    The only way I found to stop the spoof dialog box was to turn off enable plug-ins in preferences. However I don't have any plug-ins in my Safari plug-in folder.
    I am running Safari 1.3 (v312), however it would appear that it also affects version 2.2 of Safari too. Also I have installed the latest update but to no effect. Other browsers affected are:
    - Internet Explorer for Mac
    - Internet Explorer
    - Opera
    - iCab
    - Mozilla / FireFox / Camino
    My question is, is this vulnerability true, or just a setup?
    Any comments welcome.
    ~Tim

    Hi,
    The issue is resolved, but I don't know what caused this error.
    I uninstalled the java components and BO then I deleted the BO folder under program files, then I deleted all BO entries in the registry.
    Finally I reinstalled everything except the service pack and that finally worked. I don't know the cause of this error.
    Regards,
    Marcela

  • I currently have Trend Micro...Does Firefox handle all the security issues like phishing and viruses etc...I would like to cancel the other

    I cannot seem to get anyone to help me because I have asked this same question more than 6 or 7 times. Does Firefox handle all the security issues like phishing and viruses, worms from attaching to my computer??????

    This question is a duplicate of https://support.mozilla.com/en-US/questions/884618

  • Select Data Source and Microsoft Security Issue

    Hi,
    Tool- Xcelsius 2008, QAaWS
    When I open dashboard, it gives message "Microsoft Office has identified a potential security concern" "Data Connection have been blocked. If you choose to enable data connection, your computer may no longer be secure. Do not enable this content unless you trust the source of this file." with <Enable> and <Disable> buttons.
    If it is enabled then it leads to "Select Data Source" screen and asks details for DSN.
    At every open it shows same messages.
    Please, help if anyone knows or faced this issue.
    Regards,
    Ashish

    hi,
    this is a really old post.
    please could you specify your exact workflow ?
    what connectors your dashboard is using?
    also, what version and SP and patch are you using for Xcelsius client?
    i.e. Are you up to date with latest compatibility updates?
    regards,
    H

  • I'm running OS X 10.9.1 MacBook Pro, do I have a security issue??

    I'm running OS X 10.9.1 MacBook Pro, do I have a security issue??

    If you mean this:
    goto fail
    there is a potential problem, though it's not known to have been exploited. If you're concerned, you can avoid it by temporarily switching from Safari to either Firefox or Chrome when using a public Wi-Fi hotspot.

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy

  • Any security issues with My MSN or outlook bookmarks

    any security issues with My Msn and Outlook as bookmarks

    Your question is not quite clear, and no Mac can iOS, but anything and everything made by or for Microsoft carries a security risk.
    Which is why most sensible people run Apple OS X.

  • How do I address SSL security issue on iPad 1

    This new security issue discovered recently had my wife and I getting busy updating our phones, great now I have a possible bigger issue. How do I address this SSL issue on my iPad 1 running iOS 5.1.1 . So far apple does not seem to be releasing anything for us iPad 1 folks.
    • Does this mean Apple does not care?
    • Are they trying to leverage us into newer iPads?
    • Is there an iOS 5.1.2 in the works?
    • Or does it mean our iPad 1's are not affected by this breach.
    Wish I had the coin to just go out and buy a new iPad but my disabled income does not have room for that, the one I have now was given to me by a very good friend and business owner before I was diagnosed. I use my iPad for virtually everything needing computing power. I really need to figure this out as I do a lot of shopping online.

    Since Apple does not discuss their customers or potential security breaches, I would assume that you are not affected.  My assumption is based solely on the fact that if there were an issue with your device and security, either an update would be made available or an announcement would come from Apple advising you to migrate to a newer device.
