Security issues faced by users of unsupported OS versions?

Similar Messages

• Security Issue Regarding to User and Password (Abid)

  Dear all,
  There are two database servers of Oracle 10g are running on different machines in our company. On both server there are same users like
                      user name      password
  On machine A          abidusr          abc123
  On machine B          abidusr          abc123
  Select password from dba_users where username='SCOTT'
  password
  F894844C34402B67          machine a
  F894844C34402B67          machine b
  The Hash values of both users are same. One can access my this value and can guess my password.
  How I can overcome on this problem.
  Best regards,
  Abid Hussain
  [email protected]

  Hi,
  You can not, as you can not change the password encryption algorithm of Oracle.
  This is a serious problem in Oracle, and will probably be rectified in a future release. The encryption algorithm has changed in 11g, but I do not know if the hash is already unpredictable.
  Further info probably on http://www.petefinnigan.com
  Sybrand Bakker
  Senior Oracle DBA

• HFM Security Issue - User can submit a journal by by-passing the approval step even though they are not an admin.

  Hi All,
  I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
  The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
  If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
  input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
  "User does not have the access right to perform this journal task"
  The options I have thought for a workaround are as follows:
  1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
  2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
  Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
  We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
  they are:
  1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
  2.   2. A data reviewer (who approves journals)
  The process is as follows:
  1.       1. Logon as Data inputter to submit the journals
  2.       2. Logon as Data reviewer to approve the journals
  3.       3. Logon as Data inputter to post the Journals
  We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
  but once it comes back to step 3, we get an error as follows:
  "User does not have the access right to perform this journal task"
  (This error comes about when the access control on custom 4 is set to None, Read, Promote)
  Custom 4 Access Rights looks as follows:
  C4_ADJ01
  C4_ADJ02
  C4_ADJ03
  C4_ADJ04
  HFMDefault
  Read
  Read
  Read
  Read
  HFMLoad
  All
  Promote
  None
  Read
  HFMReview
  Read
  All
  All
  All
  When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
  For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
  Roles for the groups that users assigned look like the following:
  Test User Name
  Test User Name
  Access Rights
  1
  Base Data input/Journal Data input
  test_HFMLoad
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Enable write back in Web Grid
  Load Excel Data
  Generate Recurring
  Post Journals
  Create Unbalanced Journals
  Manage Templates
  Data Form Write Back from Excel
  Consolidate
  2
  Data Reviewer
  test_HFMReview
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Approve Journals
  Consolidate
  Reviewer 2
  Generate Recurring
  Manage Templates
  Create Unbalanced Journals
  Any help or advice would be much appreciated.
  Thanks in advance,
  M.

  Hi All,
  I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
  The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
  If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
  input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
  "User does not have the access right to perform this journal task"
  The options I have thought for a workaround are as follows:
  1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
  2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
  Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
  We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
  they are:
  1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
  2.   2. A data reviewer (who approves journals)
  The process is as follows:
  1.       1. Logon as Data inputter to submit the journals
  2.       2. Logon as Data reviewer to approve the journals
  3.       3. Logon as Data inputter to post the Journals
  We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
  but once it comes back to step 3, we get an error as follows:
  "User does not have the access right to perform this journal task"
  (This error comes about when the access control on custom 4 is set to None, Read, Promote)
  Custom 4 Access Rights looks as follows:
  C4_ADJ01
  C4_ADJ02
  C4_ADJ03
  C4_ADJ04
  HFMDefault
  Read
  Read
  Read
  Read
  HFMLoad
  All
  Promote
  None
  Read
  HFMReview
  Read
  All
  All
  All
  When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
  For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
  Roles for the groups that users assigned look like the following:
  Test User Name
  Test User Name
  Access Rights
  1
  Base Data input/Journal Data input
  test_HFMLoad
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Enable write back in Web Grid
  Load Excel Data
  Generate Recurring
  Post Journals
  Create Unbalanced Journals
  Manage Templates
  Data Form Write Back from Excel
  Consolidate
  2
  Data Reviewer
  test_HFMReview
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Approve Journals
  Consolidate
  Reviewer 2
  Generate Recurring
  Manage Templates
  Create Unbalanced Journals
  Any help or advice would be much appreciated.
  Thanks in advance,
  M.

• Security Issues with the BP Internet user role creation--SU01

  Hi All,
  We are implementing the B2B Internet sales scenario using CRM 4.0. we
  have contact persons who logs in and chose the distributor and then
  start placing orders or look at product catalog .... Now contact person
  is created as a BP in CRM and relation ship is maintained to sold to
  (bp). During this process the contact person should be created under
  the Internet user role which uses the SU01. so we will be able to
  change password or change the roles of the users while creating BP
  under the internet user role -- same as what we do in SU01.
  This is now a security Issue because who ever can access the BP
  (create/change) will be able to do the things we can do under
  transaction SU01. But we still need to access the Internet user role in-order to assign the user id to the contact person . Is there any other
  way of doing this.
  Please advice ASAP.
  Thanks
  Vasu

  Hi Ashwini,
  you need to modify the logon routine and then in the user management (isauseradmin application) to do this. Then there are likely changes to the catalog identification, and very likely to most processes in the shop. I really wouldn't advise doing so. As accounts usually have contact persons: Why does your client insist in providing a login for the organization and not for a person?
  To achieve something that looks almost like the desired solution you, e.g., could model a dummy contact person for each account that shall get a logon, that then does the job. The contact person could be named like the company and then you are back to plain standard.
  Rgds
  Thomas

• Flash and Reader users take notice of critical security issue.

  http://www.zdnet.com/blog/security/adobe-warns-of-flash-pdf-zero-day-attacks/660 6
  This is a zero day attack, meaning it's out there right now. Until this gets patched, use Preview instead of Reader.
  Use a Flash blocker. For Safari: clicktoflash; for Firefox: NoScript or FlashBlock; Camino has built in Flash blocking capability.

  Is there more exacting information on how this affects the Mac OS X
  and what one would actually do other than not open new downloads
  or new content of unknown quality? (This may not affect me at all.)
  And for those users of older PPC hardware, the Adobe pre-release of
  their Flash Player is unlikely to be supported, especially in Tiger 10.4
  unless Adobe is going to offer transitional updates until they drop all
  support for the older OS X versions, especially affecting Tiger soonest.
  The end is near for some unsupported OS versions, from both internal
  support and external third-parties. So, this is another wake-up call to
  those using older Mac hardware and the decreased support for it.
  I noticed a similar thread on this Flash & Reader topic, in another page:
  http://discussions.apple.com/thread.jspa?threadID=2450866&
  +{While I do have Leopard 10.5, I choose to stay with what works best+
  +in the older PPC G4 hardware, for awhile longer. With three machines+
  +the transition is not of high interest to me. Leopard does not impress.}+
  Some clarity, outside of Intel-based and dual boot newer build Macs,
  is something lacking in the Adobe security source pages. They did an
  announcement some months ago, re: lack of 10.4.11 future support.
  However that works out...
  Good luck & happy computing!

• Company email access denied to iphone users due to security issues, help!

  I am interested in purchasing an iphone but my company said they won't allow access to our company email with the iphone due to security issues. Any one else heard of that? Is there some way for me to forward my company email to the account I would set up under the itunes? It seems there are a lot of unhappy people out there with these phones, are there any happy users out there? It seems like such a cool device and I want one but don't want to get stuck with something I can't use or that I am going to have problems with.

  Of course there are happy users.
  These discussions are like a hospital for Mac products with nothing but problems reported here. If you based a decision on purchasing an Apple product, any product on these discussions, you would never purchase any. Coming to the conclusion here that there are no happy users and the iPhone is nothing but problems would be like visiting a local hospital in your area full of patients (all are) and coming to the conclusion that everyone in your community must be sick and/or dying.
  What type of email account - POP, IMAP or Exchange through an Exchange Server?
  Accessing an email account on an iPhone is no different than accessing the account with a computer. Funny that your company claims the iPhone has security issues and prevents access but certainly allows PCs running Windows to access company email accounts? Sorry but this is my biggest laugh of the day - not at you but at your company. Your company has loads of security issues and concerns with any version of Windows accessing their network than they would ever come close to with an iPhone accessing the incoming mail server to download messages.
  If your company allows for email account forwarding, you can do so.

• Security issue between weblogic server

  Hello,
  Here is security issue that we are facing.
  Here is setup
  Environment 1
  Admin server say "env1admin"
  Managed Weblogic Server say "env1managed"
  We deployed an EJB called HelloEJB in env1managed server and this has an api
  sayHello(). HelloClient is a client to HelloEJB.
  S/w Weblogic 6.1 sp3
  Environment 2
  Admin server say "env2admin"
  Managed Weblogic Server say "env2managed"
  We deployed an EJB called ServiceEJB in env2managed server and this has an api
  serviceRequest(). We use weblogic role based security and restrict access to this
  api by user HelloEJB.
  s/w Weblogic 6.1 sp3
  Here is how the system works:
  We start the env2admin, env2managed (ServiceEJB is which is a Stateless session
  EJB deployed in env2Managed)
  We start the env1admin and env1managed (HelloEJB(which is a Stateless session
  EJB is deployed in env1Managed)
  Test case:
  1)HelloClient invokes HelloEJB api sayHello().
  2)Now at this point in ejbCreate() at HelloEJB() end we get a reference to ServiceEJB
  using Jndi and the context is never closed ). HelloEJB then calls serviceRequest()
  api in ServiceEJB. Then gets back a response and then returns response to HelloClient.
  Now if we repeat the above testcase.
  After step1 in step2 HelloEJB though has all the permissions to invoke api on
  ServiceEJB gets an SecurityException.
  Question is why doe this happen. Only way HelloEJB can make api calls to serviceEJB
  is by making a lookup() every single time. Which is very expensive. I looked at
  documents what they say is leave the context open and never close it. Though I
  am doing that I am getting this exception.
  Any thoughts ?
  Thanks in advance,
  Vijay

  Here are the details of exception stack trace:
  java.rmi.AccessException: Security violation: insufficient permission to access
  method; nested exception is:
  java.lang.SecurityException: Security violation: insufficient permission
  to access method
  java.lang.SecurityException: Security violation: insufficient permission to access
  method
  at weblogic.ejb20.internal.BaseEJBObject.preInvoke(BaseEJBObject.java:92)
  at weblogic.ejb20.internal.StatelessEJBObject.preInvoke(StatelessEJBObject.java:63)
  at service.ServiceBean_nr0s19_EOImpl.sendServiceRequest(ServiceBean_nr0s19_EOImpl.java:25)
  at service.ServiceBean_nr0s19_EOImpl_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:298)
  at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:93)
  at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:267)
  at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:22)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  End server side stack trace
  ; nested exception is:
  Vijay
  "Vijay" <[email protected]> wrote:
  >
  Hello,
  Here is security issue that we are facing.
  Here is setup
  Environment 1
  Admin server say "env1admin"
  Managed Weblogic Server say "env1managed"
  We deployed an EJB called HelloEJB in env1managed server and this has
  an api
  sayHello(). HelloClient is a client to HelloEJB.
  S/w Weblogic 6.1 sp3
  Environment 2
  Admin server say "env2admin"
  Managed Weblogic Server say "env2managed"
  We deployed an EJB called ServiceEJB in env2managed server and this has
  an api
  serviceRequest(). We use weblogic role based security and restrict access
  to this
  api by user HelloEJB.
  s/w Weblogic 6.1 sp3
  Here is how the system works:
  We start the env2admin, env2managed (ServiceEJB is which is a Stateless
  session
  EJB deployed in env2Managed)
  We start the env1admin and env1managed (HelloEJB(which is a Stateless
  session
  EJB is deployed in env1Managed)
  Test case:
  1)HelloClient invokes HelloEJB api sayHello().
  2)Now at this point in ejbCreate() at HelloEJB() end we get a reference
  to ServiceEJB
  using Jndi and the context is never closed ). HelloEJB then calls serviceRequest()
  api in ServiceEJB. Then gets back a response and then returns response
  to HelloClient.
  Now if we repeat the above testcase.
  After step1 in step2 HelloEJB though has all the permissions to invoke
  api on
  ServiceEJB gets an SecurityException.
  Question is why doe this happen. Only way HelloEJB can make api calls
  to serviceEJB
  is by making a lookup() every single time. Which is very expensive. I
  looked at
  documents what they say is leave the context open and never close it.
  Though I
  am doing that I am getting this exception.
  Any thoughts ?
  Thanks in advance,
  Vijay

• Logitech Keyboard Issues with Fast User Switching

  I'm running OSX 10.4 on an 800 MHz iMac, and using a Logitech Cordless Navigator keyboard. The keyboard's main feature (for me) is the ability to have the function keys (F1-F12) automatically open applications and folders and such. When I have multiple accounts running though, this feature seems to be tied to whichever one I first logged into. If I switch accounts and try to use one of the keyboard shortcuts nothing happens where I am, but when I switch back to the original account I find that the keyboard has opened the program there. The keyboard types fine in the new account, and I can even change the preferences so the function keys do different things in the different accounts, but the extra functionality seems to be only available for whichever account logs in first.
  I realize this may just be a Logitech bug, but any ideas how to fix this? (Also even though I'm the only one using my computer this seems like a mild security issue, if theoretically another user could activate programs on my account without the password.)
  800 MHz iMac G4   Mac OS X (10.4.3)   768 MB RAM

  Logitech support is frustrating:
  Dear tajmahall14,
  Thank you for your recent inquiry about your Keyboards.
  I understand you are having issues with the settings for the function keys becoming non-functional when fast switching from one user account to another.
  Depending on the system configuration, the Fast User Switching may or may not work. Unfortunately this is not an issue I can address. You may need to contact Apple to see if they have a possible solution to your problem.

• Unable to assign all security roles to a user with a new custom security role

  Dear All,
  Happy New Year.!
  I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
  any desired security role to the new user.
  However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
  'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
  For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
  to assign some other security roles, including 'Support User Role', to new user 'y'.
  I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
  'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
  Appreciate any help that you can provide on the above issue.
  Thanks in anticipation.

  Hi,
  Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
  Refer:-
  http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
  Hope this helps!!!
  Thanks,
  Prasad
  Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

• Bit locker security issues (easy to crack) disk encryption?

  Bit locker security issues (easy to crack) disk encryption?
  Problem 1: When the PC run I think its too easy to get  malicious users (with usb pendrive) or spyware to get the encryption key (fast and easy)
  youtube.com/watch?v=0npTlOq6q_0
  Problem2:not resistant with bruteforce attacks
  youtube.com/watch?v=zvaJxnvbGic
  Problem 3: not resistant with boot hacking
  Im using DriveCrypt plus pack and searched security issues in bit locker.The bit locker allow you the bruteforce/dic attack easy.I think  It would be much safer 1. (I think the keys stored somewhere that is easily read) 2. Do not just be enough password
  need a password+file combination to decrypt the disk. DriveCrypt plus pack use a file+password combination if you know the password but you wont have the file you can not decrypt the disk (protect with bruteforce attack).On system boot protected bruteforce
  attak you can crash the (boot).If the boot system crash you can not decrypt the disk just the password you need the file+password combination plus to decrypt it. I am not a programmer but I see the BitLocker ( easy security catches to crack the disk encryption).Im
  tested DriveCrypt and I can not get the key that easy (Problem 1). I have not tested it in greater depth just trying to (catches to crack software encryption).

  Where is your question, sir?
  If the question were "is it easy to crack", the answer is "no". Your videos make use of several assumptions and ingredients and permissions that a normal attacker does not have.
  "Problem 3" is not clear, please describe what scenario you are talking about.

• Can I create a form that doesn't trigger Acrobat's JavaScript disabled / security issues warning?

  Hello,
  Can I create a pdf that doesn't trigger Acrobat's JavaScript is currently disabled and this document uses it for some features.  Enabling JavaScript can lead to potential security issues.
  I even get this error when I create a blank pdf.
  I'm not using any JavaScript in the form and the nature of the message might tend to be a bit scary to some people since it mentions enabling JS can lead to potential security issues.  I basically want to disable the messaging of a feature I'm not even using.
  Anyone know if this is possible and if so, how I go about it?
  Thank you.

  Hi,
  I too share your frustration!!
  Unfortunately I do not have a complete answer for you.
  From the start I must say that Stefan Cameron has been very helpful (http://forms.stefcameron.com/2010/01/14/acrobatreader-9-3-now-available/), however I have not had sufficient time available to deal with the issue (or find a satisfactory resolution).
  The original post that Srini shared with you related to an XFA form that had FormCalc and Javascript in it. I will now share with you another situation that is closer to your experiences.
  Sometimes where we have a complex solution/form, we often give our users a PDF with instructions and demonstrations. We generate these using Adobe products:
  LiveCycle Designer ES to generate the solution/form;
  Captivate to record the demonstration (.swf);
  Acrobat to package it up in a static PDF.
  The screen shots below are from a PDF that includes written instructions and six Flash (.swf) files. The PDF does NOT include fields/form objects and does NOT include any FormCalc or Javascript.
  One of the big sells in Acrobat 9 was that Adobe had fully integrated Flash (Adobe product, ex. Macromedia) into Acrobat 9. This mean that .swf files could run natively inside a PDF. Brilliant!!!  The website today is still pushing this message, for example:
  Now bear in mind that the following screenshots are from a PDF that does not contain any scripting - its sole purpose is to "inform" the user, "look as good as the work I put into it", incorporate instruction and "multimedia" in a "single polished file" and I should be "confident that my audience will be able to view my work exactly as intended".
  Not so!!
  When the user now opens the form, all looks OK. No warning. They can read the instructions and scroll down to the multimedia (.swf files).
  However when the user clicks on the multimedia, the yellow bar appears:
  I go through the "trust" process:
  And the PDF looks like it is OK, no yellow bar. When I click on the multimedia, it begins to play - yes!! BUT ONLY FOR A SECOND OR TWO AND THEN IT STOPS AND GOES BACK TO THE START - AGGGGHHHHHHH!!!!!. I would apologise for shouting, but this is beyond frustration. The work in capturing six screencasts in Captivate, annotating them, publishing to .swf and packaging up in Acrobat has been a complete waste of time. Worse than that I now have several PDFs out there, that do not work. Good advertisement for my business? I don't think so!!
  The document that Stefan provided (Managing JavaScript Execution in the Acrobat Family of Products) does not mention Flash/.swf as being a problem. However I would recommend that you go through this document, as it may help you.
  So, where to now? I don't know. The previous posts and Stefan's responses have several urls that may help. You should maybe consider logging your experiences as a bug (log at Adobe).
  In the meantime good luck,
  Niall
  UPDATE:
  This behaviour (.swf playing for only a few seconds) happens in PDFs where the .swf is inserted as legacy media to run in earlier versions of Acrobat/Reader. In this case Acrobat/Reader is making an external call to Flash Player. Hence the yellow bar. However it does not explain why the Flash video still does not play when trusted.
  If the .swf is added into the PDF as Flash media to run on Acrobat 9 and above, then it works without displaying the yellow warning bar.
  So maybe any feature of your PDF that calls an external resource is likely to show the yellow warning bar.

• Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery

  HI,
  We are getting following error message for all users while sending mail to external but we able to receive mail from internet.
  Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may
  be preventing delivery.

  Hi,
  Please follow Luke and Shelly’s suggestion to check your SPF record and Send Connector configuration. Also you can post the complete NDR message(with NDR status code) here for further analysis.
  If there is any updates, please feel free to let us know.
  Thanks,
  Winnie Liang
  TechNet Community Support

• Why is Java Deployment Toolkit (click-to-play) blocked, also the referenced bug is closed and there are no security issues known in Version 7 U51?

  I think it is important to block unsecure addons. But if you do so there should be an open bug assigened. The referenced bug for this add-on is allready resolved so I do not know why this plugin is disabled. https://bugzilla.mozilla.org/show_bug.cgi?id=636633
  I have the problem that I want to use Secure_Auth that is using the Java Deployment Kit in such a nasty way (via javascript) that firefox doesn't see that the deployment kit should be started. Therefore I will not be asked to allow this plugin always for this web site. Since there is no documentation available how to do this configuration in a config file I am stuck at the moment.
  I'm a liitle bit suprised that blocking all versions (even secure versions) is a way to get a good user experience.
  Regards
  Martin

  ''MG_DAU wrote:''
  The referenced bug for this add-on is allready resolved so I do not know why this plugin is disabled. https://bugzilla.mozilla.org/show_bug.cgi?id=636633
  That's a bug report in the Blocklisting component, meaning it's a request to add an add-on to the blocklist. The fact that it's marked as fixed means the add-on has been added to the blocklist.
  * https://addons.mozilla.org/firefox/blocked/p428
  * [[Add-ons that cause stability or security issues are put on a blocklist]]
  Given that there's no way to disable Click-to-Play for this plug-in (the only options are Ask to Activate or Never Activate), if Firefox doesn't trigger a Click-to-Play prompt, I see no way to use it apart from disabling the entire blocklist. This carries a considerable security risk, as no plug-ins will be blocked or set to Click-to-Play, including known malware. If you're sure you want to go through with it, set ''extensions.blocklist.enabled'' to '''false''' in [http://kb.mozillazine.org/About:config about:config].

• DB Links vs. Public Synonyms Security issue

  I have been debating on using either a public synonym or a db link for my purpose. I have a dev, test, and prod database. I have applications that have been developed using a public synonym. I know that if I were to switch to db links I would have to go back and change the applications to have access to the tables. I was wondering if it would be more secure to just have the public synonyms with select privilege or have db links. I need to decide if I should use db links for various users in the same DB (e.g. prod) and to use db links from one DB to another. Can someone explain what the security risks are between the two and which would be safer to use?
  Thanks

  I appreciate that you have taken the time to read my post. The version of the database I am using is 10g. I guess to clarify my post I am asking if someone can provide me advantages and disadvantages of using either public synonyms or db links. I don't know if I am clear, but when I refer to a DB Link I am referring to the following type of access where a client in a database A can access information in a remote database B (e.g. schema1.table2@databaseB). I am not sure what you mean by "Database links are two entirely different technologies that do two entirely different things". But I would appreciate if someone with DBA experience can provide some insight regarding security issues associated with using public synonyms and db links.
  Thank you,

• About "kernel.exec-shield" and "because they will bring security issue" for linux ASE

  In " ASE Quick Installation Guide for Linux", "kernel.exec-shield=0" and  “kernel.randomaize-va-space=0” should be set.
  But SuSE engineers say that  “kernel.exec-shield=0”and “kernel.randomaize-va-space=0” will bring the OS security issue.
  Customer want to know why ASE need the above parameters ?
  Has anybody the idea for customer's question?

  If the parameters are not set as documented, attempts to start additional engines beyond the first one will fail, generating stack traces.
  ASE acts in many ways like it's own operating system, scheduling individual user connections (spids) to actively run (note that ASE was developed well before native threading was commonly available).  Each spid has it's own stack information that gets swapped in when it is set to "running" state on the engine and swapped out when it yields the engine.  The mechanics of this is not that different from the buffer overrun exploits described in the Red Hat document linked to by the
  install guide, http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
  and the exec-shield mechanics definatately interfere ASE's operations when ASE is using multiple dataserver processes (engines) that swap spids around.
  -bret