Security issues related to widgets

I have experienced some very strange phenomena after installing a few widgets (laptop restarts spontaneously, huge hard drive inexplicably fills up). Although the widgets might not be responsible for all this I'd like to get rid of them.
Is there a way to uninstall widgets? Would removing the widgets in question guarantee that whatever they've installed—if anything—would be removed?

Since X doesn't have your passphrase, it can't put it into any core dumps. About the only private data X has inside it that I can think of is the xauth key, but that changes every time you restart X, so it's already expired anyway.
You can always try running "strings" on the core dump and looking for anything bad.

Similar Messages

  • Security issues with cached applets

    Question: Can anyone tell me where there is a summary or discussion of security issues relating to applets cached by the Java Plug-in?
    I'd like to use the Plug-in to cache applets on client boxes, but I'm wondering if that opens a security hole for hostile/attack applets. Most of the write-ups on applet security I've seen only deal with security on the client side. Does Sun or anyone else address "cached-applet security" as it relates to the server from which it was downloaded?

    The cached applets are treated as same as those downloaded from the net - permissions will be granted based on the original codebase - nothing more, nothing less.

  • Using latest version of fireFox to access Think Central, pages will not load and they say that this is a security issue with FireFox?

    Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
    Some have no problem accessing the lesson plans.
    Most when they login click on a lesson plan and an icon shows up that says loading but never does.
    If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
    Think Central support says this is a security issue with Firefox.
    I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
    I have allowed the pop ups to the think Central web site.
    Any help would be appreciated

    Are there any notification icons on the left end of the address bar? If so, please click them to see whether they relate to security issues (such as blocked content - shield icon: "How does content that isn't secure affect my safety?") or a plugin requiring permission (Lego-like icon).
    Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand.

  • Can I create a form that doesn't trigger Acrobat's JavaScript disabled / security issues warning?

    Hello,
    Can I create a pdf that doesn't trigger Acrobat's JavaScript is currently disabled and this document uses it for some features.  Enabling JavaScript can lead to potential security issues.
    I even get this error when I create a blank pdf.
    I'm not using any JavaScript in the form and the nature of the message might tend to be a bit scary to some people since it mentions enabling JS can lead to potential security issues.  I basically want to disable the messaging of a feature I'm not even using.
    Anyone know if this is possible and if so, how I go about it?
    Thank you.

    Hi,
    I too share your frustration!!
    Unfortunately I do not have a complete answer for you.
    From the start I must say that Stefan Cameron has been very helpful (http://forms.stefcameron.com/2010/01/14/acrobatreader-9-3-now-available/), however I have not had sufficient time available to deal with the issue (or find a satisfactory resolution).
    The original post that Srini shared with you related to an XFA form that had FormCalc and Javascript in it. I will now share with you another situation that is closer to your experiences.
    Sometimes where we have a complex solution/form, we often give our users a PDF with instructions and demonstrations. We generate these using Adobe products:
    LiveCycle Designer ES to generate the solution/form;
    Captivate to record the demonstration (.swf);
    Acrobat to package it up in a static PDF.
    The screen shots below are from a PDF that includes written instructions and six Flash (.swf) files. The PDF does NOT include fields/form objects and does NOT include any FormCalc or Javascript.
    One of the big sells in Acrobat 9 was that Adobe had fully integrated Flash (Adobe product, ex. Macromedia) into Acrobat 9. This means that .swf files could run natively inside a PDF. Brilliant!!!  The website today is still pushing this message, for example:
    Now bear in mind that the following screenshots are from a PDF that does not contain any scripting - its sole purpose is to "inform" the user, "look as good as the work I put into it", incorporate instruction and "multimedia" in a "single polished file" and I should be "confident that my audience will be able to view my work exactly as intended".
    Not so!!
    When the user now opens the form, all looks OK. No warning. They can read the instructions and scroll down to the multimedia (.swf files).
    However when the user clicks on the multimedia, the yellow bar appears:
    I go through the "trust" process:
    And the PDF looks like it is OK, no yellow bar. When I click on the multimedia, it begins to play - yes!! BUT ONLY FOR A SECOND OR TWO AND THEN IT STOPS AND GOES BACK TO THE START - AGGGGHHHHHHH!!!!!. I would apologise for shouting, but this is beyond frustration. The work in capturing six screencasts in Captivate, annotating them, publishing to .swf and packaging up in Acrobat has been a complete waste of time. Worse than that I now have several PDFs out there, that do not work. Good advertisement for my business? I don't think so!!
    The document that Stefan provided (Managing JavaScript Execution in the Acrobat Family of Products) does not mention Flash/.swf as being a problem. However I would recommend that you go through this document, as it may help you.
    So, where to now? I don't know. The previous posts and Stefan's responses have several urls that may help. You should maybe consider logging your experiences as a bug (log at Adobe).
    In the meantime good luck,
    Niall
    UPDATE:
    This behaviour (.swf playing for only a few seconds) happens in PDFs where the .swf is inserted as legacy media to run in earlier versions of Acrobat/Reader. In this case Acrobat/Reader is making an external call to Flash Player. Hence the yellow bar. However it does not explain why the Flash video still does not play when trusted.
    If the .swf is added into the PDF as Flash media to run on Acrobat 9 and above, then it works without displaying the yellow warning bar.
    So maybe any feature of your PDF that calls an external resource is likely to show the yellow warning bar.

  • Ip phone and pc VLAN security issue - ISE 1.0

    Hello there.
    We are about to implement IP phones to our current network and during testing I have found 2 issues.
    1- ip phone connects to a protected port using ISE mab authentication for the data network.
    The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
    Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
    2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
    Let me know your thoughts...thanks
    Port config info....below
    interface GigabitEthernet0/2
    description Extra port by Camilos Desk
    switchport mode access
    switchport voice vlan 220
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication event fail action next-method
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    mls qos trust cos
    snmp trap mac-notification change added
    auto qos trust
    spanning-tree portfast
    end

    On # 1
    You have to make sure that
    "authentication host-mode multi-domain" command is under each port
    This will allow one voice vlan and only one PC vlan at any given time. If you disconnect a PC and connect another PC mac address to it, the phone will reinitialize to accept or reject the new mac based on its profile.
    On #2
    I have not found a solution. But what I have found after deployment is that it has happened only on 2 VOIP phones, out of 70 that we have as of now. So it might to be related to ISE.
    On the other hand we are not using Cisco phones but mitel. So this might be a whole issue on itself.
    Hope this helps.
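
A way to check a switch configuration against the recommendation in the reply above, as an added example that is not part of the original posts. The audit function names and the second and third interface stanzas are constructed for illustration; the first stanza uses the lines quoted in the question.

```python
# Added example: flag phone ports whose 802.1X/MAB host mode is not multi-domain.
# The reply above recommends "authentication host-mode multi-domain" so that a
# port admits one voice device and one data device at a time.

SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 description Extra port by Camilos Desk
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
!
interface GigabitEthernet0/3
 description constructed: phone port following the reply
 switchport mode access
 switchport voice vlan 220
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
interface GigabitEthernet0/4
 description constructed: data-only port, no voice VLAN
 switchport mode access
 authentication host-mode multi-auth
!
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: [stanza lines]} from IOS-style config text."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("!", "end", ""):
            current = None          # stanza separator or end of config
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_host_mode(config_text):
    """Return {interface: host_mode} for voice-VLAN ports not set to multi-domain."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        if not any(l.startswith("switchport voice vlan") for l in lines):
            continue                # only ports that carry a phone are in scope
        mode = next(
            (l.split()[-1] for l in lines
             if l.startswith("authentication host-mode ")),
            "unset",                # no explicit host-mode line in the stanza
        )
        if mode != "multi-domain":
            findings[name] = mode
    return findings


if __name__ == "__main__":
    for port, mode in audit_host_mode(SAMPLE_CONFIG).items():
        print(f"{port}: host-mode is {mode}, expected multi-domain")
```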

  • Security issues in Mavericks 9.04

    I just had a secure scan done on my Mavericks server. The main issues seem to be:
    OpenSSL Running Version Prior to 0.9.8za Upgrade to OpenSSL version 0.9.8za or newer.
    Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities (Upgrade to Apache version 2.3.2 or newer.)
    Given that upgrading these would mean compiling and installing Apache and OpenSSL(which I'm not really keen to do) I'm wondering what experienced admins think of these threats.

    pkmusic wrote:
    Dumb question - so a self-signed SSL cert doesn't use Open SSL?
    Certificates are used with ssh and SSL/TLS and such, yes.  Most of OS X uses Secure Transport for its certificate- and SSL/TLS-related processing, but Apache does not.  Apache is linked against OpenSSL.
    Self-signed certificates lead to a different security issue.  
    An HTTPS site with a self-signed certificate will be considered untrusted by accessing web clients and the web browser will usually issue diagnostics before allowing access to the site or a diagnostic before marking the certificate as trusted, or that you've set up your own certificate chain and installed your own root certificate.  That you're asking this question implies the former; that you're not really running HTTPS with a trusted certificate chain.   Which generally means you can just shut off SSL/TLS.
    As for the original question, here's how the scanner is likely detecting the down-revision versions — if you look at the server details being returned to the client, you'll see some information on Apache and OpenSSL versions embedded in the response:
    $ telnet foo.example.com 80
    Trying 10.1.3.1...
    Connected to foo.example.com
    Escape character is '^]'.
    HEAD / HTTP/1.0
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 20 Jul 2014 14:40:11 GMT
    Server: Apache/2.2.26 (Unix) PHP/5.4.24 mod_ssl/2.2.26 OpenSSL/0.9.8y DAV/2
    Location: http://foo.example.com/
    Cache-Control: max-age=1209600
    Expires: Sun, 03 Aug 2014 14:40:11 GMT
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Connection closed by foreign host.
    $
    That won't get fixed without replacing Apache et al or one of the other options, as described in my earlier reply.
    For completeness, some folks will manually configure the server to not return these details.  That'll derail the vulnerability scanner, certainly.  It might not have the intended result, too, as the remote attackers can simply decide to throw every attack they have at your server — the attackers are not short on CPU cycles and network bandwidth, after all; unintended consequences.
    As for using a self-signed cert and given you probably aren't providing file-level access to other folks, I'd not (personally) be particularly concerned about that vulnerability scan — one of the limitations with using vulnerability scanners is that you then have to go off and figure out if you're actually vulnerable to whatever the scanner is reporting.  It's an issue certainly, but then you'll have to decide if your backups are complete and current and with copies kept off-site, and if your other security practices and password policies and such are also all up to date and secure, and at what else you might risk if the server is breached — if configuring a DMZ for your server might be appropriate, for instance, to isolate the server from the rest of your network should the server be breached.
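
The banner-based check described in the reply above, as an added example that is not part of the original posts. It parses the Server header shown in the telnet session and compares it with the minimum versions named in the scan report; the function names and the reduced banner (what Apache returns with `ServerTokens Prod`) are assumptions for illustration.

```python
# Added example: what a scanner can and cannot learn from the Server header.
import re

# Minimum versions quoted from the scan report in this thread.
MINIMUMS = {"Apache": "2.3.2", "OpenSSL": "0.9.8za"}

# Banner copied from the telnet session above.
FULL_BANNER = "Apache/2.2.26 (Unix) PHP/5.4.24 mod_ssl/2.2.26 OpenSSL/0.9.8y DAV/2"
# Constructed: the same server with version details suppressed.
REDUCED_BANNER = "Apache"

TOKEN = re.compile(r"([A-Za-z_][\w.-]*)(?:/(\S+))?")
VERSION = re.compile(r"(\d+(?:\.\d+)*)([a-z]*)")


def parse_server_banner(value):
    """Split a Server header value into {product: version or None}."""
    value = re.sub(r"\([^)]*\)", " ", value)    # drop comments such as "(Unix)"
    products = {}
    for token in value.split():
        m = TOKEN.fullmatch(token)
        if m:
            products[m.group(1)] = m.group(2)
    return products


def version_key(version):
    """Sortable key for '2.2.26' or OpenSSL-style '0.9.8za' (y < z < za < zb)."""
    m = VERSION.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    letters = m.group(2)
    # Legacy OpenSSL patch letters run a..z, then za, zb, ...
    rank = 0 if not letters else 26 * (len(letters) - 1) + ord(letters[-1]) - 96
    return numbers, rank


def assess(server_header):
    """Return {product: 'outdated' | 'ok' | 'unknown'} for the tracked products."""
    seen = parse_server_banner(server_header)
    result = {}
    for product, minimum in MINIMUMS.items():
        version = seen.get(product)
        try:
            if version is None:
                result[product] = "unknown"     # banner gives no version at all
            elif version_key(version) < version_key(minimum):
                result[product] = "outdated"
            else:
                result[product] = "ok"
        except ValueError:
            result[product] = "unknown"         # version string we cannot order
    return result


if __name__ == "__main__":
    print("full banner:   ", assess(FULL_BANNER))
    print("reduced banner:", assess(REDUCED_BANNER))
```

The reduced banner turns both findings into "unknown" while the installed software is unchanged, which is the limitation the reply points out: the report reflects what the header says, so each finding still has to be confirmed against the host itself.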

  • Security issues with connecting pdf to database

    I have a pdf form that is being called from a webform as part
    of a web application. The PDF has two dropdown lists that I was
    populating from a SQL Server Database. I had created a special user
    that had select access only to the tables for the dropdowns.
    My question is are there any known security issues with
    regard to allowing a pdf to connect to a database this way. The PDF
    is being called from a secure connection but I don't know if
    opening this database connection to populate these dropdowns
    exposes a security hole of any sort. If it does, do you have a
    solution to make this secure? I am asking because another developer
    on the project brought up the issue of this design creating a
    security risk and I haven't been able to find anything online
    discussing it either way.
    Thanks!
    Maureen

    Hello Maureen,
    Thanks for posting, but I'm not sure I see if your question
    relates to Acrobat.com
    Are you using any of the Acrobat.com Services as any part of
    your workflow?
    Thanks!
    Pete

  • Security issues faced by users of unsupported OS versions?

    Since Tiger users will relatively soon be in the same situation, I'm wondering what kinds of security issues 10.3.9 users have been faced with now that Panther has for some time not been supported by Apple (including no more security updates). I posted the following in the Tiger Forum, but I'd really appreciate hearing what your experience has been. (BD Aqua in Tiger thought issues simply to do with getting around the Internet would be more the problem than safety).
    I realize I will, sooner or later, have to buy a new Mac and install a more current version, but I would like to postpone this as long as possible. Thanks.
    http://discussions.apple.com/thread.jspa?threadID=2033860&tstart=0
    Now that S Leo has been officially announced for release in September, a question I've been meaning to ask for a while. What do we Tiger stalwarts have to look forward to in terms of security issues once there are no more security updates, and when, presumably, there are no more new browser versions or updates for soon to be archaic PPC and Tiger? (PPC, I realize, is a separate issue). Will we be, to put it simply, screwed and will it become impossible to safely navigate the internet? I realize the browser issues will probably arrive somewhat later than the OS security issues, since there will continue to be secure third party browsers, at least for a while.
    Since we will, relatively soon, be in a similar position, I'm wondering how the folks still running 10.3.9 are managing with this? (Might post this over there, too.)

    Most security updates fix holes in the system that can be exploited by hackers. However, hackers are mostly interested in gaining access to systems that have something of value. An individual's system has virtually nothing of value worth a hacker's time and effort. It's far easier for them to get what they want via Internet phishing exploits, but such exploits cannot be fixed by security releases. They require effort on the part of the user to be careful about sites they visit and clicking on links they know nothing about thus providing information about themselves such as social security and/or banking numbers. No amount of security patches will help you with this.
    Most security patches recently issued relate to holes in Safari with a couple for the system. These are obscure holes that require hackers to have intimate knowledge of the software to exploit them. None of these exploits have been known to be used in the field. Rather they have been demonstrated as a way of exposing their existence so they can be fixed.

  • Security issue of using oaf

    Dear,
    We have used oaf to build the online payslip and we believe that oaf inherits all security applying to oracle ebs.
    We are concerned about issues related to sniffing, phishing etc… may happen
    can some one share any document/note or any material that clearly explains that the security for the custom oaf deployed pages is same as the ebs seeded page.
    much grateful for a quick response!

    As per "Oracle Application Framework Developer's Guide Release 12.1.3" [Note 1107973.1]
    +"It is the responsibility of the application framework to ensure that HTML transactions are authorized, private, and free from tampering. OA Framework provides built in protection against known HTML hacking strategies, leaving the application developer free to concentrate on application functionality."+
    Therefore, generically all OAF pages are the same regards security... i.e. all OAF pages run in the context of the OA Framework security.
    Having said that, if you are doing anything yourself within code, for example redirecting URL, then this would be outside the OAF security model and may need special attention by your own security team.
    Hope this helps
    regards
    Mike

  • Security Issues with the BP Internet user role creation--SU01

    Hi All,
    We are implementing the B2B Internet sales scenario using CRM 4.0. We
    have contact persons who log in and choose the distributor and then
    start placing orders or look at product catalog .... Now contact person
    is created as a BP in CRM and relationship is maintained to sold to
    (bp). During this process the contact person should be created under
    the Internet user role which uses the SU01. So we will be able to
    change password or change the roles of the users while creating BP
    under the internet user role -- same as what we do in SU01.
    This is now a security issue because whoever can access the BP
    (create/change) will be able to do the things we can do under
    transaction SU01. But we still need to access the Internet user role in order to assign the user id to the contact person. Is there any other
    way of doing this?
    Please advise ASAP.
    Thanks
    Vasu

    Hi Ashwini,
    you need to modify the logon routine and then in the user management (isauseradmin application) to do this. Then there are likely changes to the catalog identification, and very likely to most processes in the shop. I really wouldn't advise doing so. As accounts usually have contact persons: Why does your client insist on providing a login for the organization and not for a person?
    To achieve something that looks almost like the desired solution you, e.g., could model a dummy contact person for each account that shall get a logon, that then does the job. The contact person could be named like the company and then you are back to plain standard.
    Rgds
    Thomas

  • My dv5 laptop has an internal "typing" noise/multiple security issues

    I'm not sure if this is a problem, but since I've had all kinds of issues with this particular model (the first Pavilion we were sent by HP had to be returned because the engineers finally deemed it unfixable), I thought I'd ask.  I'm a little nervous about a sound that makes me think of little gremlins inside the unit typing away.  It's not constant, but I'm wondering if that's normal and what the noise is. 
    Another problem is that periodically I'll get a message about the computer having "multiple security issues".  I then do a virus scan, which turns out fine, so I don't know what it means. 

    The Intel chipset issue is not at all related for your Notebook. It's quite unfortunate you are facing this problem as I would say it's a coincidence that even your second hard drive went bad so soon.
    Time for you to RMA the new hard drive. 
    //Click on Kudos and Accept as Solution if my reply was helpful and answered your question//
    I am an HP employee!!

  • Locked Out of HD After Time Machine Restore Compatibility Issue related to OS

    AppleStore installed new HD onto my computer.  Unbeknownst to me they put on Snow Leopard.  Upon bootup at home I selected the "restore from time machine backup" option.  After 4 hours, computer rebooted with all of my logins.  Looks good, right?!
    Passwords are ignored.  Apparently, the issue relates to the fact that my data back up is based upon my "old" Mountain Lion OS from the previous HD.
    Call into Applestore and they were clueless how to resolve and they had me contact AppleCare.  Spoke with tech who ultimately put me on with a "senior tech".  I have a single 10.6 disk as well as a single 10.6.2 disk.  I think the HD is running 10.6.7 or 10.6.8.  I do NOT have a bootable disk (only the single install).  She was stumped, put me on hold for at least 10 minutes when the line went dead.  (She verified my return number twice).  I haven't heard back and am very frustrated.
    I feel like I'm in an Apple Catch-22.
    Please, any advice?

    Follow these instructions to reinstall 10.6; you will need to erase the ENTIRE drive by selecting the drive maker's name and size on the left while booted from the 10.6 disk that came with your machine, as this is the machine specific version with your free iLife included.
    How to erase and install Snow Leopard 10.6
    If you use the white 10.6 disk, (it's 10.6.3) then that doesn't have the free iLife, but if you later purchased it from AppStore it can be redownloaded when you get to 10.8 again.
    (ideally that older machine should stick with 10.6.8, but you have your files already in 10.8 on the TM drive, so...)
    Make sure you erase the entire drive with the Security Erase Zero All Data option, this will "pre-map" off any potentially failing sectors on the drive before they fail with your data on it, it makes your machine a lot more reliable.
    Reducing bad sectors effect on hard drives
    Once that's all done, log in and setup with your same user name as before (important) and Software Update to 10.6.8, log into AppStore and hold the option key down and click on Purchases, redownload 10.8 and install.
    Revisit and redownload other software like iLife etc.
    Use the TM drive to bring back copies of your files into their respective folders.
    Reboot the Mac holding the command and r keys down, use Terminal and enter resetpassword, a window appears, select your boot volume and user, then reset ACL's, should fix your user permissions issue.
    Note: What the AppleStore should have done is installed the 10.8 Recovery HD on your new drive, then you could have just reinstalled 10.8 from that.

  • RV042 reports tunnel disconnection without connection for foreign IP, Security issue?

    Dear all,
    we are recently working with a RV042 router, with VPN group tunnel (connecting through Shrew VPN). Last days router is logging disconnections like this ("[XXX]" text replaced for security reasons)
    Dec 9 17:02:58 2014 XXX VPN Log: (grpips0)[72] [XXX].[XXX].[XXX].0/24=== ...113.240.173.58===?: [Tunnel Disconnected] instance with peer 113.240.173.58 {isakmp=#0/ipsec=#0}
    But NO RELATED "connections" (apart from our own controlled connection/disconnection) is reported previously. Is this a security issue/breach?
    (The foreign IP was left clear so if anyone knows about that particular IP, can make a comment.)
    Thanks in advance. Regards, Juan.

    Zach,
    I will try to use that approach while using dynamic IPs to connect to VPN (cannot build a stable whitelist, and this can lead to connection lost in the near future until new IP is registered in the remote router).
    What I do not understand is:
    router logs a disconnection without a previous connection
    no other activity is detected on the VPN (perhaps only spying?)
    when I disconnect, two logs are generated (in order of appearance)
    Dec [xxx] [xxx]:[xxx]:[xxx] 2014 3EFF-3196 VPN Log: (grpips0)[73] 192.168.2.0/24=== ...[xxx].[xxx].[xxx].[xxx]===?: [Tunnel Disconnected] instance with peer [xxx].[xxx].[xxx].[xxx]{isakmp=#0/ipsec=#0}
    Dec [xxx] [xxx]:[xxx]:[xxx]2014 3EFF-3196 VPN Log: (grpips0)[73] [xxx].[xxx].[xxx].0/24=== ...[xxx].[xxx].[xxx].[xxx]===? #220: [Tunnel Established] ISAKMP SA established
    when foreign IP disconnects, only one is generated (e.g. without #220)
    Does this have an explanation?
    Thanks again, Juan.
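
A triage script for the pattern described in the two posts above, as an added example that is not part of the original thread. It reads log lines in the format quoted there and lists peers that have a "Tunnel Disconnected" entry but no "Tunnel Established" entry; the sample lines, host name and documentation-range IP addresses are constructed.

```python
# Added example: list VPN peers with disconnect entries but no established SA.
import re
from collections import defaultdict

# Constructed sample in the format quoted in the posts above.
SAMPLE_LOG = """\
Dec 9 16:59:00 2014 RV042 Kernel: constructed non-VPN line
Dec 9 17:02:58 2014 RV042 VPN Log: (grpips0)[72] 192.168.2.0/24=== ...203.0.113.58===?: [Tunnel Disconnected] instance with peer 203.0.113.58 {isakmp=#0/ipsec=#0}
Dec 9 18:10:05 2014 RV042 VPN Log: (grpips0)[73] 192.168.2.0/24=== ...198.51.100.7===?: [Tunnel Disconnected] instance with peer 198.51.100.7 {isakmp=#0/ipsec=#0}
Dec 9 17:40:12 2014 RV042 VPN Log: (grpips0)[73] 192.168.2.0/24=== ...198.51.100.7===? #220: [Tunnel Established] ISAKMP SA established
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+\S+\s+VPN Log:\s+"
    r"\((?P<group>[^)]+)\)\[(?P<inst>\d+)\]\s+\S+?===\s+"
    r"\.\.\.(?P<peer>[0-9.]+)===\?(?:\s+#(?P<sa>\d+))?:\s+"
    r"\[(?P<event>Tunnel (?:Established|Disconnected))\]"
)


def parse_line(line):
    """Return a dict of fields for a VPN tunnel event, or None for other lines."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def orphan_disconnects(lines):
    """Return {peer: [timestamps]} for peers that disconnected but never established.

    Order of lines is not assumed, because the posts do not say whether the
    router lists newest or oldest entries first. An established entry that has
    already rotated out of the log will make its peer appear here too.
    """
    established = set()
    disconnected = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["event"] == "Tunnel Established":
            established.add(event["peer"])
        else:
            disconnected[event["peer"]].append(event["ts"])
    return {peer: stamps for peer, stamps in disconnected.items()
            if peer not in established}


if __name__ == "__main__":
    for peer, stamps in orphan_disconnects(SAMPLE_LOG).items():
        print(f"{peer}: {len(stamps)} disconnect(s) without an established tunnel")
        for ts in stamps:
            print(f"  {ts}")
```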

  • Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator

    hi Guys 
    please help me out for below issue 
    Some time we are getting error while sending mail to particular recipient and getting below error
    "Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.
    The following organization rejected your message:"
    but some mails are going without any issue

    Hi,
    First, please check if there is a transport rule blocking you from sending email to the particular recipient. Besides, please check for any third party transport agents; I recommend you disable third party transport agents temporarily. If there is any AV/AS scanning on your Exchange server, please disable it temporarily and test again.
    If the issue persists, in order to troubleshoot the problem more efficiently, I need to clarify some information.
    1. Did you send emails externally or internally?
    2. How many recipients were affected?
    3. From "Some time we are getting error while sending mail to particular recipient", do you mean all users couldn't send emails to the particular recipient or just some users of all couldn't send emails to the particular recipient?
    Sometimes message tracking log is useful for us, to narrow down the issue, I recommend you check message tracking log for related error message.
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Bluetooth security issues

    Can anyone tell me what sort of security issues I might face when using Bluetooth? Specifically, can anyone access my computer through Bluetooth, or 'see' what I am entering through my keyboard?
    A related question would be around the use of Airport/Express Base Station. Am I vulnerable to people accessing my computer through this technology?
    Thanks.

    Can anyone tell me what sort of security issues I
    might face when using Bluetooth? Specifically, can
    anyone access my computer through Bluetooth, or 'see'
    what I am entering through my keyboard?
    Yes, but they would probably have to be in the same room as you.
    A related question would be around the use of
    Airport/Express Base Station. Am I vulnerable to
    people accessing my computer through this
    technology?
    Yes, implement a non-dictionary WPA password on the AX and you will have secured your network from anyone trying to access it.
    iFelix
