Security

Mozilla Releases Multiple Updates

The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities.

  • Firefox 21.0
  • Firefox ESR 17.0.6
  • Thunderbird 17.0.6
  • Thunderbird ESR 17.0.6

These vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or operate with elevated privileges.

US-CERT encourages users and administrators to review the Mozilla Foundation Advisory for Firefox 21.0, Firefox ESR 17.0.6, Thunderbird 17.0.6, and Thunderbird ESR 17.0.6 and apply any necessary updates to help mitigate the risk.

Original post: US-CERT

McAfee ePolicy Orchestrator 4.6.4 and earlier pre-authenticated SQL injection and directory path traversal vulnerabilities

Vulnerability Note VU#209131

Overview

McAfee ePolicy Orchestrator 4.6.4 and earlier contains a pre-authenticated SQL injection vulnerability and a directory path traversal vulnerability, which could allow an attacker to inject malicious code into the system.

Description

McAfee ePolicy Orchestrator 4.6.4 and earlier contains a pre-authenticated SQL injection vulnerability and a directory path traversal vulnerability:

1. Server-side pre-authenticated SQL injection within the Agent-Handler component (Agent-Server communication channel).
The attack is performed by registering a rogue Agent to the ePolicy Orchestrator server and sending a crafted HTTP request to the ePolicy Orchestrator server. Successful attacks allow remote attackers to retrieve sensitive information from the ePO database (such as administrative domain credentials), to create additional web console administrator accounts, and to perform remote code execution with SYSTEM privilege. CVE-2013-0140

2. Server-side pre-authenticated directory path traversal within the file upload process.
The attack is performed by registering a rogue Agent to the ePolicy Orchestrator server and sending a crafted HTTP request to the ePolicy Orchestrator server. Successful attacks allow remote attackers to upload unrestricted file content. A typical scenario would be to store malicious files under the /Software/ folder, to make them available for download from the ePolicy Orchestrator server. CVE-2013-0141

Read the entire article here.

Linode hacked due to a vulnerability in ColdFusion server

Yesterday, a group named HTP claimed responsibility for accessing Linode Manager web servers, we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago.

As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure.

Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.

Read the complete article here.
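The storage design Linode describes above (card numbers encrypted to a public key, the private key itself sealed under a passphrase that is never stored electronically, and only the last four digits kept in clear text for lookups) is worth seeing in working form. The following Go program is an added example written for this digest; it is not Linode's code and assumes nothing about their implementation. It uses only the standard library: OAEP for the card ciphertext, AES-256-GCM under a PBKDF2-derived key for the private-key blob (the PBKDF2 routine is written out because older standard libraries lack it), and the key sizes, iteration count, OAEP label and the test card number are all my own constructed choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// StoredCard is the per-card database row: ciphertext plus the clear-text
// last four digits used for lookups, receipts and account pages.
type StoredCard struct {
	Ciphertext []byte
	Last4      string
}

// WrappedKey is the private key at rest: PKCS#1 DER sealed with AES-256-GCM
// under a key derived from an operator-supplied passphrase.
type WrappedKey struct {
	Salt, Nonce, Sealed []byte
}

const kdfIterations = 100000 // assumption: tune for the hardware in use
var oaepLabel = []byte("card-pan")

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018, section 5.2) written out in
// full so the example stays on the standard library.
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, pass)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard encrypts a validated PAN to the public key. The web tier only
// needs this key, so a compromised web server cannot decrypt stored cards.
func StoreCard(pub *rsa.PublicKey, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return StoredCard{}, errors.New("PAN must be digits only")
		}
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// WrapPrivateKey seals the private key under the passphrase with a fresh salt and nonce.
func WrapPrivateKey(priv *rsa.PrivateKey, passphrase string) (WrappedKey, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return WrappedKey{}, err
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return WrappedKey{}, err
	}
	aead, err := newGCM(passphrase, salt)
	if err != nil {
		return WrappedKey{}, err
	}
	der := x509.MarshalPKCS1PrivateKey(priv)
	return WrappedKey{Salt: salt, Nonce: nonce, Sealed: aead.Seal(nil, nonce, der, nil)}, nil
}

// UnwrapPrivateKey reverses WrapPrivateKey; a wrong passphrase fails the GCM tag check.
func UnwrapPrivateKey(w WrappedKey, passphrase string) (*rsa.PrivateKey, error) {
	aead, err := newGCM(passphrase, w.Salt)
	if err != nil {
		return nil, err
	}
	der, err := aead.Open(nil, w.Nonce, w.Sealed, nil)
	if err != nil {
		return nil, errors.New("wrong passphrase or corrupted key blob")
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// DecryptCard recovers the PAN with a private key that exists only in memory
// while an operator has supplied the passphrase.
func DecryptCard(priv *rsa.PrivateKey, sc StoredCard) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sc.Ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sc, _ := StoreCard(&priv.PublicKey, "4111111111111111") // constructed test PAN
	wrapped, _ := WrapPrivateKey(priv, "correct horse battery staple")
	fmt.Printf("stored last4=%s, ciphertext=%d bytes\n", sc.Last4, len(sc.Ciphertext))
	if _, err := UnwrapPrivateKey(wrapped, "wrong"); err != nil {
		fmt.Println("wrong passphrase rejected:", err)
	}
	k, _ := UnwrapPrivateKey(wrapped, "correct horse battery staple")
	pan, _ := DecryptCard(k, sc)
	fmt.Println("round trip ok:", pan == "4111111111111111")
}
```

The split of responsibilities is the point: the database holds ciphertext and last-four only, the web tier holds only the public key, and the sealed private-key blob is useless without a passphrase that lives in an operator's head. An attacker who copies the database and the web server, as happened here, gets exactly what Linode reported: encrypted card numbers and clear-text last-four digits.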

Your Skype Account Can Be Hacked Using Just Your Email Address

The Next Web is reporting that a security hole in Skype’s password recovery tool means that your account can be hacked using just your email address and username. A team of Russian hackers discovered the flaw and posted details online. Since then, The Next Web has confirmed that the technique works. The five-step hack—not linked to here—uses some nimble tricks to allow a password reset to be intercepted.

Read the whole article here.

ColdFusion 10 Update 4


ColdFusion 10 Update 4, released on November 2, 2012, includes several important bug fixes. ColdFusion 10 Update 4 is a cumulative update: it includes all the bug fixes from previous updates of ColdFusion 10. All the issues reported in Update 3 have been resolved in this update. Adobe recommends that you apply this update to ColdFusion 10.

Note: This update is specific to ColdFusion 10; do not apply it to any previous versions of ColdFusion.

Read the article here.

ColdFusion 10 update 3 released

We have released the ColdFusion 10 update 3 today. It fixes quite a number of important/critical issues, mostly related to connectors, in ColdFusion 10. This update can be downloaded and installed using the update installer mechanism in the administrator that we introduced in ColdFusion 10. Please make sure that you have applied the ColdFusion 10 mandatory update before applying this update.

Some of the important bugs fixed in this update are:

  • ColdFusion server is non-responsive when receiving a POST request with an XML body for a Web Service.
  • Web sites fail with ‘Service Not Available’ error intermittently.
  • Pages with multiple frames load the incorrect pages when updating frames, intermittently.
  • Application pool on IIS 7.5 crashes due to certain Web Service requests.
  • DateConvert(“local2UTC”, date) breaks other DateTime functions.

For more details on this release, please refer to this technote.

Hackers Breached Adobe Server in Order to Sign Their Malware

The ongoing security saga involving digital certificates got a new and disturbing wrinkle on Thursday when software giant Adobe announced that attackers breached its code-signing system and used it to sign their malware with a valid digital certificate from Adobe.

Adobe said the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved by the company’s code-signing system.

Adobe said it was revoking the certificate and planned to issue new certificates for legitimate Adobe products that were also signed with the same certificate, wrote Brad Arkin, senior director of product security and privacy for Adobe, in a blog post.

“This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh,” Arkin wrote. “The revocation does not impact any other Adobe software for Macintosh or other platforms.”

Read the full article on Wired Magazine

ColdFusion MeetUp: Authentication made easy using Twitter/Facebook/Google/more, w/ Billy Cravens

Our 12pm (US ET) talk on Thursday Aug 23 will be “Authentication made easy using Twitter, Facebook, Google, and more”, with Billy Cravens.

TOPIC DESCRIPTION: (provided by the speaker)

Authentication is one of those features we seem to implement in every app. It’s a chore for us, because poor security choices can mean failure. It’s a chore for users: yet another password to remember. Why not let those who have spent millions of dollars on this problem, where your users already have an account, deal with this? In this session, I’ll show you how to implement the various authentication APIs that are out there, presenting a login experience that allows your user to choose from the various options that are available (Twitter, Facebook, Google, LinkedIn, and more). You’ll also see how to wire this up to your application in a way that is unified to your app no matter what service your users choose.

MEETING URL: http://experts.adobeconnect.com/cfmeetup/

DURATION: Approx. 1 hour, plus time for questions

RECORDING: All meetings are recorded. The URL will be posted after the meeting at recordings.coldfusionmeetup.com

SPEAKER: (provided by the speaker)

Read More…

Microsoft Updates for Multiple Vulnerabilities

Systems Affected

  • Microsoft Windows
  • Microsoft Internet Explorer
  • Microsoft Office
  • Microsoft Developer Tools
  • Microsoft Server Software
  • Microsoft SQL Server
  • Microsoft Exchange

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for August 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.

Source: US-CERT