Archive for the ‘Vulnerability News’ Category

Cyber Security Notifications: New Vulnerabilities of September 2014

Security vulnerabilities related to NetBSD: descriptions of vulnerabilities in this vendor's products, September 12, 2014.

This post presents newly found NetBSD security vulnerabilities affecting the local network.

#1 Denial of service in NetBSD

Danger: Low
Fix availability: corrective instructions
Number of vulnerabilities: 4
CVSSv2 Rating: (AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C) = (more…)

Cyber Security Notifications: New Vulnerabilities of September 2014

New Microsoft vulnerabilities of September 10, 2014

  • Denial of service in the Microsoft Lync Server
  • Privilege escalation in the Microsoft Windows Task Manager
  • Denial of service in Microsoft .NET Framework
  • Multiple vulnerabilities in Microsoft Internet Explorer

(more…)

According to experts, the discovered vulnerability allows an attacker to bypass the Java sandbox.

Representatives of the Polish company Security Explorations announced the discovery of a new vulnerability in Java 7, which allows an attacker to bypass the software's sandbox and execute arbitrary code on the system.

To confirm the flaw, Adam Gowdiak, CEO and founder of Security Explorations, sent a vulnerability notice with PoC code to Oracle. According to the researcher, the vulnerability is present in the Reflection API functions of Java 7. Security Explorations confirmed that the PoC exploit code works against Java SE 7 Update 25 and earlier versions. (more…)

Vulnerabilities in Xen

Vulnerabilities in Xen allow access to the host system from a guest environment

A series of security vulnerabilities has been found in virtualization components based on the Xen hypervisor. An integer overflow (CVE-2013-2194) in the ELF format parser, which is used to load kernels for guest systems, can be used to arrange code execution on the host system.

The problem occurs only when a guest system running in paravirtualization (PV) mode is permitted to specify a custom kernel. Systems that use a kernel specified by the host system are not affected. (more…)

New malware Clampzok

New MAC malware Clampzok

Information security specialists report the identification of a new conceptual attack aimed at compromising the Mac OS X operating system.

The new malware, called Clampzok.A, is a cross-platform package that drops binaries appropriate to the operating system. When executed, these files infect nearby binary files on the file system.

The malware was written in assembly language and was originally introduced back in 2006 for Windows and Linux, but it has now been updated to support 32-bit Mach-O binaries on OS X. (more…)

A security bypass vulnerability has been found in Apache mod_rewrite.

The vulnerability allows an attacker to execute arbitrary commands when the server administrator views the log file.

A vulnerability (CVE-2013-1862) has been discovered in the mod_rewrite module of the Apache HTTP server 2.2.x series; it allows an attacker to execute arbitrary commands when the server administrator views the log file.

Through specially crafted requests to the web server, an attacker can write content such as system commands to a log file, because mod_rewrite does not escape special characters when writing to the log. Proper manipulation of character sequences allows arbitrary commands to be run as the user viewing the log (usually these log files are readable only by the root user). (more…)

Critical vulnerabilities in routers

Vulnerability in nginx

The vulnerability allows execution of arbitrary code on the target system.

An unscheduled update of the nginx server, version 1.4.1, has been released; it fixes vulnerability CVE-2013-2028, which allows execution of arbitrary code on the target system.

The vulnerability can lead to overwriting stack areas of the worker process when processing specially crafted chunked requests. nginx versions 1.3.9 and 1.4.0 are affected. (more…)

WordPress Plugins

CSRF attack in WordPress

Vulnerability: CSRF attack in WordPress (XSS)

1. CSRF attack in WordPress Facebook Members

Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1

CVE ID: CVE-2013-2703
Exploitation vector: Remote
Impact: Cross Site Scripting

Affected products: WordPress Facebook Members Plugin 5.x
Affected versions: WordPress Facebook Members 5.0.4, possibly earlier. (more…)

Vulnerabilities in Adobe Reader

New vulnerabilities in Adobe Reader

The anti-virus company McAfee reported the detection of a new vulnerability in Adobe Systems' Reader software, which manifests itself when the user has already opened a PDF file and is viewing it in this program. The company said that the vulnerability is not critical and does not allow remote code execution. At the same time, the anti-virus company reports that it has notified Adobe about the problem.

Haifei Li, an anti-virus analyst at McAfee, said that they discovered unusual behavior of the system while working with PDF files. According to him, the company has passed detailed information about the vulnerability to Adobe, and it will not disclose technical information about the bug before the corresponding patch is released. (more…)

A dangerous flaw has been detected in popular caching plugins; it allows arbitrary PHP code to be executed on the target system.

Information security researcher Frank Goosen has published details of a vulnerability in WP Super Cache and W3 Total Cache, the popular WordPress page-caching plugins with more than six million downloads. The vulnerability allows an attacker to inject and execute arbitrary PHP code on the target system with the privileges of the web server. (more…)