Vulnerability Note VU#887861

Hi Everyone, Especially JDeveloper Team Experts,
I have an urgent question to ask.
My situation is that my ADF UIX application, developed using JDeveloper, becomes unusable when users disable the scripting capabilities in their web browser (such as Internet Explorer) according to the recommendations in Vulnerability Note VU#887861.
So what should I do? Please help!
Here is the background information:
As you may be aware, a serious security vulnerability was recently discovered in the script processing system in Internet Explorer. The U.S. Computer Emergency Response Team is recommending that until Microsoft issues a patch for this, users should disable the scripting capabilities of their browser. More information can be found here:
http://www.kb.cert.org/vuls/id/887861
Qian Dong

Hi,
I'm sure an application developed with ADF UIX would not be the only web site users would no longer be able to use effectively if they disabled scripting. Since the vulnerability is in Internet Explorer, perhaps you should encourage your users to use a browser which does not have this security vulnerability (e.g. Firefox). Microsoft have an advisory page about this vulnerability here:
http://www.microsoft.com/technet/security/advisory/911302.mspx
It's likely this page will be updated when a windows update is available for IE.
Brian

Similar Messages

  • HT5678 Carnegie-Mellon/DHS Vulnerability Note VU#858729 "Java contains multiple vulnerabilities"

    does this update address/resolve the Carnegie-Mellon/DHS Vulnerability Note VU#858729 "Java contains multiple vulnerabilities" http://www.kb.cert.org/vuls/id/858729 ?

    Do you believe this update has the necessary changes to make it safe to re-enable our Java?
    Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was never a good idea, and Java's developers have had a lot of trouble implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style "virus" affecting OS X. Merely loading a page with malicious Java content could be harmful. Fortunately, Java on the Web is mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice.
    Java is not included in OS X 10.7 and later. A discrete Java installer is distributed by Apple, and another one by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it — not JavaScript — in your browsers. In Safari, this is done by unchecking the box marked Enable Java in the Security tab of the preferences dialog.
    Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a specific task, enable Java only when needed for the task and disable it immediately when done. Close all other browser windows and tabs, and don't visit any other sites while Java is active. Never enable Java on a public web page that carries third-party advertising. Use it, if at all, only on well-known, password-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.

  • Cisco Ironport and heartbeat information disclosure - Vulnerability Note VU#720951

    Has there been any word from Cisco if Ironport software is vulnerable to this issue/bug?
    http://www.kb.cert.org/vuls/id/720951

    Please note the updated announcement for our products:
    As of Wednesday, April 9, Cisco Email and Web Security had been updated by our PSIRT, which handles all vulnerability and security responses for all Cisco products.
    The official PSIRT information can be found at the following link:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
    Please expand the Affected Products -> Products Confirmed Not Vulnerable to view the latest Cisco product listings.  Our products, Email and Web Security (ESA, IEA, WSA, SMA), are listed and updated in this public facing information.   
    The Cisco PSIRT continues to investigate the impact of this vulnerability on Cisco products, and will disclose any vulnerabilities according to our security policy, which is available at: 
    http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
    For any and all inquiries regarding this vulnerability and the public facing notification, please contact the Cisco PSIRT at [email protected]
    Also, please see the following information released Tuesday, April 8, from our Security Intelligence Operations: 
    http://tools.cisco.com/security/center/viewAlert.x?alertId=33695
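The VU#720951 issue the question asks about is Heartbleed: an OpenSSL heartbeat responder that trusted the peer's declared payload length instead of checking it against the record it actually received. The following is an added example written for this page, not OpenSSL's, Cisco's or the poster's code; it reproduces the missing bounds check in Python and simulates the memory behind the request buffer with a constructed bytes value (the secret, the message contents and the "adjacent memory" layout are all assumptions made for illustration).

```python
"""Added example (not OpenSSL's code): the Heartbleed (VU#720951) length check.

A TLS heartbeat message is: 1-byte type, 2-byte payload_length, payload,
then at least 16 bytes of padding. The flaw was that the responder copied
payload_length bytes as declared by the peer, without checking that many
bytes were actually inside the received record. Process memory is simulated
here by appending a constructed bytes buffer directly after the message; this
is a stand-in, not real heap layout."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. A benign client sets claimed_length to the
    real payload size; an attacker claims more bytes than were sent."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def respond_vulnerable(message: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes from where the payload
    starts, running past the end of the message into adjacent memory."""
    _hbtype, payload_length = struct.unpack("!BH", message[:3])
    region = message + adjacent_memory          # the message sits at the start of the region
    payload = region[3:3 + payload_length]      # no bounds check: over-read
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def respond_fixed(message: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Fixed behaviour: the declared payload plus header and minimum padding
    must fit inside the received record; otherwise discard silently."""
    record_length = len(message)
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    _hbtype, payload_length = struct.unpack("!BH", message[:3])
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None
    payload = message[3:3 + payload_length]     # stays inside the message
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def leaked_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _hbtype, payload_length = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_length]


if __name__ == "__main__":
    # Constructed "memory" that happens to follow the request buffer on the server.
    secret = b"session=abc123"
    attack = build_heartbeat(b"hi", claimed_length=64)
    print(leaked_payload(respond_vulnerable(attack, secret)))   # the secret comes back
    print(respond_fixed(attack, secret))                         # None: request dropped
```

The over-read is only as large as the 16-bit length field allows, so a real attacker sends many requests; the fixed check drops each one before any copy happens, which is why the fix was a two-line comparison and not a protocol change.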

  • CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability

    Hi Everyone,
    ASA is configured with ikev2 and below is config
    5520# show running-config crypto ikev2 | include enable
    crypto ikev2 enable outside client-services port 443
    5520# show running-config crypto map | include interface
    crypto map outside_map interface outside
    I checked the web link below:
    CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability
    Not Affected
    Not Affected
    Not Affected
    8.4(7.15)
    Not Affected
    8.6(1.14)
    Not Affected
    9.0(4.8)
    9.1(5.1)
    Not Affected
    Not Affected
    https://tools.cisco.com/bugsearch/bug/CSCum96401
    The ASA I am running has version Cisco Adaptive Security Appliance Software Version 8.4(7).
    sh flash shows
    asa847-k8.bin
    I need to confirm whether my ASA is affected by this bug.
    Regards
    Mahesh

    Hi Mahesh,
    Your ASA code (asa847-k8.bin) is affected by this bug; the recommended release is 8.4(7.23) and later.
    This bug was first fixed in 8.4(7.15).
    Thanks,
    Prashant Joshi
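The comparison Prashant makes by hand (8.4(7) is older than the first-fixed 8.4(7.15)) is easy to get wrong across many devices, because an interim release such as 8.4(7.15) sorts after the base maintenance release 8.4(7). The following is an added example, not Cisco's tooling or anything from the thread: it parses ASA release strings and image file names and checks them against the first-fixed releases that appear in the post. The table holds only the four releases visible above; the "-NN" interim suffix in image names (e.g. asa847-15-k8.bin) is an assumption about Cisco's naming and is labelled as such in the code.

```python
"""Added example (not Cisco's code): check a running Cisco ASA release against
the first-fixed releases quoted for CSCum96401.

ASA release strings look like 8.4(7) or 8.4(7.15): major.minor(maintenance[.interim]).
An interim release such as 8.4(7.15) is newer than the base release 8.4(7).
FIRST_FIXED holds only the releases visible in the post; any other train
returns None ("not known from this table") rather than a guess."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")
# Image names: asa847-k8.bin is 8.4(7) (as in the post). The "-NN" interim
# suffix form, e.g. asa847-15-k8.bin for 8.4(7.15), is an assumption.
_IMAGE_RE = re.compile(r"^asa(\d)(\d)(\d+)(?:-(\d+))?-k\d+\.bin$")

FIRST_FIXED = {          # train (major, minor) -> first-fixed release quoted in the post
    (8, 4): "8.4(7.15)",
    (8, 6): "8.6(1.14)",
    (9, 0): "9.0(4.8)",
    (9, 1): "9.1(5.1)",
}


def parse_release(text: str) -> Version:
    """'8.4(7)' -> (8, 4, 7, 0); '8.4(7.15)' -> (8, 4, 7, 15)."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ASA release string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def release_from_image(filename: str) -> str:
    """'asa847-k8.bin' -> '8.4(7)'; 'asa847-23-k8.bin' -> '8.4(7.23)' (assumed naming)."""
    m = _IMAGE_RE.match(filename.strip())
    if not m:
        raise ValueError(f"not an ASA image name: {filename!r}")
    major, minor, maint, interim = m.groups()
    return f"{major}.{minor}({maint}.{interim})" if interim else f"{major}.{minor}({maint})"


def is_affected(release: str) -> Optional[bool]:
    """True if older than the first-fixed release of its train, False if at or
    above it, None if the train is not in the table."""
    running = parse_release(release)
    fixed_text = FIRST_FIXED.get(running[:2])
    if fixed_text is None:
        return None
    return running < parse_release(fixed_text)   # tuple comparison: major, minor, maint, interim


if __name__ == "__main__":
    image = "asa847-k8.bin"                      # the image named in the post
    rel = release_from_image(image)
    print(image, "->", rel, "affected:", is_affected(rel))    # 8.4(7) affected: True
    print("8.4(7.23) affected:", is_affected("8.4(7.23)"))   # False
```

A None result means the train is not covered by the quoted table, which is the right answer for a script to give rather than silently reporting "not affected"; the bug search page remains the authority for trains the post does not show.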

  • Quicktime vulnerability - be careful

    I just got this from AusCERT:
    A feature of Apple's QuickTime movie files (.mov) allows the execution of arbitrary JavaScript.
    Apparently this is being actively exploited (there is a worm spreading through MySpace)...
    AusCERT recommends this, until a fix is available from Apple:
    Apple QuickTime does not support an option to prevent HREF text tags being honoured, and there is no 'Ask for permission' setting. At this stage the only mitigation is to disable automatic movie viewing within QuickTime and to avoid playing embedded QuickTime media.
    This can be done within QuickTime's System Preferences. In the "QuickTime" pane, select the "Browser" tab and unselect "Play movies automatically".
    QuickTime users, especially those who use MySpace, should apply this mitigation immediately until a more permanent fix is found.
    I'd provide a link to the full advisory, but access to it is for AusCERT members only...
    Cheers
    Steffen.

    I think you're contradicting yourself. It is a MySpace problem because a malicious script could come from any other website?
    Yes. The point is, the vulnerability is in MySpace. Any method of sending arbitrary URLs to a web browser can exploit the vulnerability, not merely a QuickTime movie. QuickTime is only implicated because QuickTime was the delivery method used...the delivery method could just as easily have been a malicious script on another web site.
    Yes, the malware can come from any source (not just MySpace). And yes, it exploits a flaw in QuickTime (execution of arbitrary JavaScript embedded in .mov files without prompting). Therefore, it is a QuickTime vulnerability.
    You are assuming that the unprompted execution of arbitrary JavaScript is, in fact, a flaw in QuickTime. QuickTime does not execute arbitrary JavaScript. QuickTime passes the arbitrary JavaScript HREF to the default web browser and the web browser executes the JavaScript without prompting. The JavaScript is executed without prompting because *that's the way JavaScript is supposed to work*. The ability to trigger it from an external application (a QuickTime movie) is a little unconventional, but within the limits of standard procedure...it's just "open browser with URL". As I understand it, this sort of behavior is generally considered 'safe' because of the designed-in limits on JavaScript. It can screw up your current browser session, but JavaScript isn't going to do any real damage to the local machine.
    The problem is that MySpace is written in such a way that passing arbitrary URLs can do damage to a logged-in account. Merely requiring a valid session ID or user ID in the URL would correct the problem by making it impossible for an arbitrary form URL to change a user's profile. THAT is why it is a MySpace problem and not a QuickTime problem. QuickTime and the various web browsers are only doing what they are designed to do, in the way they are intended to do it.
    --Dave Althoff, Jr.
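The disagreement above is about where the bug lives, but both sides agree on the mechanism: a browser steered to a URL (by a movie HREF, a script on another site, or anything else) sends the victim's cookies with the request, and a profile handler that trusts the cookie alone will act on it. The following is an added example written for this page, not MySpace's or QuickTime's code; it shows a cookie-only handler beside one that also demands a per-session secret the attacker cannot know, which is the general form of the "require something tied to the session" defence Dave describes. The service, request shape, user names and tokens are all constructed for illustration.

```python
"""Added example (not MySpace's or QuickTime's code): a cross-site request
forgery against a cookie-only profile handler, and the same handler fixed
with a per-session anti-CSRF token. The in-memory session store, the
Request shape and the sample requests are constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)   # attached automatically by the browser
    params: Dict[str, str] = field(default_factory=dict)    # controlled by whoever built the URL/form


class ProfileService:
    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}   # session id -> {"user", "csrf"}
        self.profiles: Dict[str, str] = {}              # user -> profile text

    def login(self, user: str) -> str:
        """Create a session and a random per-session token; return the session id."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        self.profiles.setdefault(user, "")
        return sid

    def csrf_token(self, sid: str) -> str:
        """Handed only to the user's own pages (e.g. as a hidden form field)."""
        return self.sessions[sid]["csrf"]

    def update_profile_vulnerable(self, req: Request) -> int:
        """Authenticates by cookie only: any URL the victim's browser is sent to
        can rewrite the profile, which is the behaviour the thread describes."""
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return 403
        self.profiles[sess["user"]] = req.params.get("profile", "")
        return 200

    def update_profile_fixed(self, req: Request) -> int:
        """Also requires the per-session token. A third-party page or HREF can
        make the browser send the cookie, but cannot read the token to include it."""
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return 403
        supplied = req.params.get("csrf", "").encode()
        if not hmac.compare_digest(supplied, sess["csrf"].encode()):   # constant-time compare
            return 403
        self.profiles[sess["user"]] = req.params.get("profile", "")
        return 200


def demo() -> Dict[str, int]:
    """Run a forged and a legitimate update against both handlers."""
    svc = ProfileService()
    sid = svc.login("victim")
    # Forged request: the cookie is present (the browser adds it), no token (the attacker has none).
    forged = Request(cookies={"sid": sid}, params={"profile": "rewritten by a hidden HREF"})
    legit = Request(cookies={"sid": sid},
                    params={"profile": "my real profile", "csrf": svc.csrf_token(sid)})
    return {
        "forged_vs_vulnerable": svc.update_profile_vulnerable(forged),
        "forged_vs_fixed": svc.update_profile_fixed(forged),
        "legit_vs_fixed": svc.update_profile_fixed(legit),
    }


if __name__ == "__main__":
    print(demo())   # {'forged_vs_vulnerable': 200, 'forged_vs_fixed': 403, 'legit_vs_fixed': 200}
```

Requiring POST instead of GET does not on its own close this, since a script on another site can submit a form just as a movie HREF can open a URL; the token works because it is something only a page served to the logged-in user can read.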

  • Safari Vulnerability

    Hi!
    Got this Information from a friend of mine:
    Apple Mac OS X Safari Command Execution Vulnerability
    Original release date: February 22, 2006
    Last revised: --
    Source: US-CERT
    Systems Affected
    Apple Safari running on Mac OS X
    Overview
    A file type determination vulnerability in Apple Safari could allow a remote attacker to execute arbitrary commands on a vulnerable system.
    I. Description
    Apple Safari is a web browser that comes with Apple Mac OS X. The default configuration of Safari allows it to automatically "Open 'safe' files after downloading." Due to this default configuration and inconsistencies in how Safari and OS X determine which files are "safe," Safari may execute arbitrary shell commands as the result of viewing a specially crafted web page.
    Details are available in the following Vulnerability Note:
    VU#999708 - Apple Safari may automatically execute arbitrary shell commands
    II. Impact
    A remote, unauthenticated attacker could execute arbitrary commands with the privileges of the user running Safari. If the user is logged on with administrative privileges, the attacker could take complete control of an affected system.
    III. Solution
    Since there is no known patch for this issue at this time, US-CERT is recommending a workaround.
    Workaround
    Disable "Open 'safe' files after downloading"
    Disable the option to "Open 'safe' files after downloading," as specified in the document "Securing Your Web Browser."
    http://www.kb.cert.org/vuls/id/999708
    My question:
    Is the "Paranoid Android" Application v 1.3 sufficient to solve this problem?
    Can you recommend something else?
    Thanks!
    Power Book G4 Mac OS X (10.4.4)

    turning off 'open safe files...' in safari still leaves the average user liable to open a dmg/zip/sit manually & then open the malicious file within. But it's being bandied around as the cure for this 'new' vulnerability.
    fwiw the disguised terminal script can also be sent via email as an attachment - it does NOT have to be enclosed in a zipped attachment, but will show as an icon - appearing to be something it isn't. double-click the icon & if terminal app is in the normal place - the code will run.
    running as a non-admin user, while fine advice - could still leave you majorly angry if some malicious thing messed with all the files in your home folder.
    I've so far read of only one person having troubles moving the terminal app , but have read other users with the same symptoms who haven't moved terminal at all, so it might not be related.
    Now I reckon that the perceived lack of response from Apple & MacBoffins™ in general could be because they've seen it all before & very little ever comes from such a 'threat' (so far). There seems to have been a similar vulnerability in 2004, with the same calm response, & the same panic stories from some av companies. It may just be that for whatever reason, hardly anyone ever writes/distributes effective malicious code for a mac. That's why there are so many experts opining ".....don't worry - it's only a proof of concept - not a real threat".
    I've switched 'open safe files...' back on - having found some pdf's won't open within safari & are forced to download - a trifling inconvenience I know, but having moved terminal ( mainly so my wife can browse/download without checking/worrying ) there's little concern .
    That's likely my $0.03 at today's currency rates.

  • Oracle Express 10G Vulnerability Report

    It is my understanding that Oracle Express 10G (10.2.0.2) release 2 does not have security patches released. The plan is to release another version (11g) when available. Is this correct?
    Is there any report that states Oracle Express 10G edition is vulnerable\not vulnerable to known security exploits? I have found very little information. What I have found is basically "Vulnerabilities may affect Oracle Database 10g Express Edition (XE). According to Oracle, Oracle Database XE is based on the Oracle Database 10g Release 2 code".
    What is Oracle's stance on security patches for Oracle Express? I imagine it states "if you're concerned there is an Enterprise edition that can be purchased with regular security patches".

    Check out the following thread: Re: Upgrade and Patch Policy. Security patches are provided in newer releases, not CPU patches.

  • Does anyone know how to remove iOS 7.0.2 firmware and restore iOS 7.0.1?

    I recently downloaded iOS 7.0.2 believing it to be a fix to a vulnerability as Apple's update notice stated. It in fact proved to be a complete revision of iOS 7.0.1 and now I find myself stuck using what I consider a less than sterling graphic/human interface. I am more than willing to live with the vulnerability in iOS 7.0.1 just to have the app graphics I enjoyed; a phone book that looked like a phone book, a note pad that actually looked like a note pad, and an internet browser I could easily deal with. I know why Apple did what they did but I would have liked to have the choice to revert back to iOS 7.0.1 on the off chance iOS 7.0.2 didn't satisfy me.
    Can anyone help explain how I can restore the iOS on both my iPad Mini and iPhone to the previous version? I can live with the vulnerability, not with the extent to which Apple rewrote the firmware. In my opinion no one is interested in what's behind the door, so long as the door is functional and pretty.
    Help restoring my devices to their previous iOS state is urgently solicited.

    And v7.0.1 is for the 5c/5s iPhones only.

  • Adobe update, or The Trojan?

    After all the news about the new trojan that is attacking Macs, I don't trust this recurring Adobe Reader 10.1.3 update popup I have been getting for the last couple of months.
    How can I be certain it isn't the trojan trying to load into my system?
    What anti-virus/anti-malware program can I use with confidence on a Mac?
    How do I find this program that is trying to install on my Mac? I'd like to know since I suspect I might have to use that knowledge some day.
    Thanks
    Mike Bauers

    The Flashback trojan doesn't have anything to do with Acrobat Reader, though it's still wise to be concerned about such things.  Check for updates manually in Acrobat Reader, or just manually download the latest version directly from Adobe's web site.  As woodmeister50 says, you can turn off update checking, but the downside to that is that you may miss out on an important update.  Both Flash and Acrobat Reader have been known to suffer from vulnerabilities that need to be fixed ASAP, lest the user become victim to something like Flashback.  (Flashback used a Java vulnerability, not one in Flash or Acrobat, but the same idea applies.)
    Regarding anti-virus software and other similar issues, see my Mac Malware Guide.
    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • E63 Firmware Updated now Content Copier "Hangs / H...

    Good evening.
    This is my first post here and it's a cry for help:
    I updated my E63's firmware this (10/9/09) evening and then did the restore from PC Suite Backup "Nokia Content Copier", downloaded fresher versions of 3 or 4 applications, redid my email accounts and, once everything was back the way I wanted it, tried to do a backup via PC Suite to "gel" my changes should I have trouble down the road.
    PC Suite Backup "Content Copier" goes through seven of the eight progress points it lists without a hitch. On reaching the eighth "Settings" stage and displaying "67%", it stalls out... I've waited over an hour for it to resume / finish / error... three times! The program responds fine on the PC (WinXP) when I abort the backup.
    Any suggestions or ideas are most welcome at this point - I feel rather vulnerable not having a backup of my data to fall back on...
    Thanks in advance for your time

    MODERATOR - Please delete my post: Problem self-solved after soft reset. Sorry!

  • I heard that there was a problem with Apple being vulnerable to Hackers. Has anyone seen an update for this issue? My IPad received the update last night but I have not seen anything for Safari.

    Mac OS X 10.9.2 was released today for this issue and others. Earlier versions are not affected.
    See this Apple article - http://support.apple.com/kb/HT6114
    You can use the Mac app store to do the update or download it directly from here - http://support.apple.com/kb/DL1725
    Best of luck.

  • What is the story on mac vulnerability? Is it serious or not serious?  If not serious, why is this not being explained?  If serious, why are Mac users not being informed of the risk?

    What is the story on Mac vulnerability? Is it serious or not serious?
    If serious, why are we not kept informed?
    If not serious, why is so much anxiety being created?

    IMO, it is being greatly over-blown in the media and online.
    Man-in-the-middle attacks require the hacker to be connected to the same intranet network that your device is. Even if they are, unless you go to a secure site and use personal data (like passcodes) they get nothing from stealing your data stream.
    If you are at your home, on your own secured intranet, then you really have virtually nothing to fear (as long as your own home network is secured and not wide open to anybody within range). If you routinely use a VPN connection when on public wifi, again, you are fine. Or if you use Firefox, Chrome or another browser that implements its own SSL security, then you are fine.
    The fact is, that even for those in a particular situation that is vulnerable to such an attack, most are not actually under any such attack - it is not nearly as rampant as the recent hype would have it seem to be.

  • Firefox will not update plugins labeled in red as "potentially vulnerable plugins". Need help.

    Firefox will not update three plugins appearing below the statement in red: "vulnerable plugins". I tried three times, and all I got was other pages with lots of ads. I need help. Thanks.

    Some plugins may need to be removed using the Control Panel, or Windows Explorer, because they are managed by other software or dropped in nonstandard folders. Can you list the three plugins so people can give specific advice on them?
    For the RealPlayer Browser Record Plugin you might need to update RealPlayer or use its options dialog to turn off the recording/downloading feature in order to remove this one.

  • Once I put the Firefox Icon in Apps, it shows up as a white circle/slash (as in "no" or "stop") NOT the standard Firefox Icon. I checked plug-ins."Shockwave Flash" shows up Vulnerable. When I update, I get download warnings. (more below)

    Downloaded Firefox and put it into my Apps folder as instructed. Its icon in my Apps folder is not the Fox/Globe but a white icon of papers with a white circle & diagonal slash (like a white "stop" or do-not-enter sign). When I pulled that to my dock, it transferred there as the Fox/Globe; but I'm concerned about opening Firefox because that icon in my Apps isn't right. I assumed the circle/slash icon was telling me something's wrong with the app. So I checked the plug-ins.
    The plug-in tells me "Shockwave Flash" is "Vulnerable, Update Now." But there are warnings about that download. When I check that, showing I'm a Mac, it gives me warnings for Windows! But no warnings for Macs. What's going on?!
    Why am I not getting the standard Firefox icon in my Apps folder?
    I don't want to corrupt my HD by opening Firefox if that icon is telling me something's wrong... (which seems the point of its circle/slash).
    This is all so unclear!

    What is your current Flash Player version: http://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html ?
    What is your display adapter, driver version & date?  See http://forums.adobe.com/thread/945765

  • Firefox Reader Update does not install older vulnerable version 10.1.13.16

    This has been a problem for at least a month
    In Firefox,  when checking to see if plugins are up-to-date, Reader attempts to correct the problem by bringing up the download page, etc.
    but it has installed the new version and not removed the older vulnerable version 10.1.13.16!

    What new version has it installed? If it is 11.x you can have both 10.x and 11.x installed, and can choose to uninstall. Is it definitely the Adobe download page which comes up? There have been reports of scams and I haven't heard of this (but I don't use Firefox).
