(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
IBM InfoSphere Information Server Web Console Interface Clickjacking Vulnerability
IBM InfoSphere Information Server CVE-2013-4067 Security Vulnerability
Humavox this week unveiled Eterna, a new platform that uses RF signals to wirelessly power the Internet of Things, especially medical and wearable devices such as hearing aids, smart watches and augmented-reality glasses.
The latest round of monthly patches from Microsoft illustrates the need for organizations to move from older versions of Microsoft software if they haven't done so already.
Microsoft introduced Windows XP in 2001, and it became an instant success. It combined the well-received consumer user interface from Windows 98 with the stability of Windows NT, was out-of-the-box Internet capable with an excellent browser -- Internet Explorer (IE) -- and quickly took over the market.
BMC Software has set up a private-label marketplace service that will allow independent software vendors (ISVs) and other organizations to run their own online app stores.

Researchers have recently uncovered two unrelated threats that have the potential to turn some Android devices into remotely controlled bugging and spying devices.

The first risk, according to researchers at antivirus provider Bitdefender, comes in the form of a software framework dubbed Widdit, which developers of more than 1,000 Android apps have used to build revenue-generating advertising capabilities into their wares. Widdit includes a bare-bones downloader that, at installation time, requests a host of Android permissions it doesn't need.

"These permissions are not necessarily used by the SDK [software development kit], but requesting them ensures that anything introduced later in the SDK will work out of the box," Bitdefender researchers Vlad Bordianu and Tiberius Axinte wrote in a blog post published Tuesday. "Among the weirdest permissions we saw are permissions to disable the lock screen, to record audio, or to read browsing history and bookmarks."



When financial times are tough, the capability to streamline business processes, improve efficiency and achieve agility would appeal to any company. That's why firms today are increasingly finding new and sometimes unique ways to use BPM tools.
As quietly as Microsoft defined the dates it would stop selling Windows 7, over the weekend it revised its end-of-sales deadlines again, saying it had made a mistake.

Adobe also has published updates today for Flash Player, resolving CVE-2013-5331 and CVE-2013-5332.

This is a remote code execution vulnerability, triggered by way of malicious SWF (Flash) content embedded in an MS Word document.

The versions will vary from platform to platform, but if you are running Flash Player you should update soon (today if possible).

Shockwave Player also sees an update today, addressing CVE-2013-5333 and CVE-2013-5334 on the Windows and Mac platforms. With this update applied, both platforms should be at version

These exploits also result in remote execution, so if you have Shockwave Player installed today is a good day to update, either right before or right after the Microsoft reboot.

You'd think by now most major products would have an auto-update or a "click here to update" feature. From this note, perhaps you'd think that Adobe might be unique in not having this, but you'd be surprised what other major system components don't update themselves!

Rob VandenBrink

Oracle is now a corporate sponsor of the OpenStack Foundation and plans to weave parts of the open-source infrastructure platform into its own products, saying it will give customers more flexibility and options for managing clouds.
IT managers facing the task of explaining the business value of IT to the C-suite don't necessarily have an easy time of it. But eBay believes it has fixed this problem with a metric that translates IT resources into key business metrics

Overview of the December 2013 Microsoft patches and their status.

Columns: # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) (clients / servers)

MS13-096 Code Execution Vulnerability in GDI+ (Replaces MS13-054)
  Affected: GDI+ TIFF Codec (Vista, Windows 2008, Office 2003, Office 2007, Office 2010, Lync 2010, Lync 2013)
  KB 2908005
  Known exploits: Yes
  Microsoft rating: Severity Critical, Exploitability 1
  ISC rating: clients PATCH NOW! / servers Critical

MS13-097 Cumulative Security Update for Internet Explorer (Replaces MS13-088)
  Affected: Windows Signature Validation
  KB 2898785
  Known exploits: No
  Microsoft rating: Severity Critical, Exploitability 1,1,1,1,1,2,1
  ISC rating: clients Critical / servers Important

MS13-098 Remote Code Execution Vulnerability in Windows
  Affected: Windows Signature Validation
  KB 2893294
  Known exploits: Yes (targeted attacks)
  Microsoft rating: Severity Critical, Exploitability 1
  ISC rating: clients PATCH NOW! / servers Critical

MS13-099 Remote Execution Vulnerability in Microsoft Scripting Runtime Object Library
  Affected: Windows Script 5.6, 5.7, 5.8
  KB 2909158
  Known exploits: No
  Microsoft rating: Severity Critical, Exploitability 1
  ISC rating: clients Critical / servers Important

MS13-100 Remote Code Execution in Microsoft SharePoint Server (Replaces MS13-067, MS13-084)
  Affected: SharePoint Server
  KB 2904244
  Known exploits: No
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients N/A / servers Critical

MS13-101 Privilege Elevation Vulnerabilities in Kernel Mode Drivers (Replaces MS11-081)
  Affected: Kernel Mode Drivers
  KB 2880430
  Known exploits: No
  Microsoft rating: Severity Important, Exploitability 2,1,3,2,3
  ISC rating: clients Important / servers Important

MS13-102 Privilege Elevation Vulnerability in LPC Client/Server (Replaces MS13-062)
  Affected: LPC Client/Server, XP/2003 ONLY
  KB 2998715
  Known exploits: No
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients Important / servers Important

MS13-103 Elevation of Privilege Vulnerability in ASP.NET
  Affected: ASP.NET SignalR Forever Frame Transport Protocol
  KB 2905238
  Known exploits: No
  Microsoft rating: Severity Important, Exploitability 1
  ISC rating: clients N/A / servers Important

MS13-104 Information Disclosure Vulnerability in Microsoft Office
  Affected: Office 2013
  KB 2909976
  Known exploits: No
  Microsoft rating: Severity Important, Exploitability 3
  ISC rating: clients Important / servers Less Important

MS13-105 Remote Code Execution in Microsoft Exchange Server (Replaces MS13-061)
  Affected: WebReady Document Viewing and Data Loss Prevention on Exchange Server
  KB 2915705
  Known exploits: No
  Microsoft rating: Severity Critical, Exploitability 3
  ISC rating: clients N/A / servers Critical

MS13-106 ASLR Bypass Vulnerability in Microsoft Office Shared Component
  Affected: Microsoft Office 2007 and 2010
  KB 2905238
  Known exploits: Yes (targeted attacks)
  Microsoft rating: Severity Important, Exploitability ?
  ISC rating: clients Important / servers Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume in place are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all, because of the large number of ratings Microsoft assigns to some of the patches.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Oracle Outside In Technology CVE-2013-5763 Stack Buffer Overflow Vulnerability
Microsoft SharePoint CVE-2013-1330 Remote Code Execution Vulnerability
A slightly-smaller percentage of American families plan to buy a tablet during the holiday season than last year, but tablets remain a hot-ticket item, a market research company reported today.
Cisco ONS 15454 Controller Card CVE-2013-6702 Denial of Service Vulnerability
Hewlett-Packard has redesigned its beige-boxed desktop PCs, sizing them down into mini-desktops without compromising on components.
Hewlett-Packard has added Intel's Haswell processors to a pair of new EliteBook business laptops, while making them slimmer.
SugarSync, which has offered 5GB of free capacity since its founding, today announced it will only offer that as a trial and that all capacity after the trial will have to be paid for.
Qualcomm and competitor MediaTek are working on chipsets that will open the door for LTE in low-cost smartphones and tablets, allowing people all over the world to benefit from the higher speeds it offers.
LiveZilla Stored XSS in operator clients
Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities
Trends come and go in the technology industry but some things, such as IT system failures, bloom eternal.
LinuxSecurity.com: Murray McAllister discovered multiple integer and buffer overflows in the XWD plugin in Gimp, which can result in the execution of arbitrary code. For the oldstable distribution (squeeze), these problems have been fixed [More...]
LinuxSecurity.com: An integer overflow vulnerability in WebP could lead to arbitrary code execution or Denial of Service.
LinuxSecurity.com: Updated samba3x and samba packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Updated libjpeg-turbo packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
LinuxSecurity.com: An updated libjpeg package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
LinuxSecurity.com: Updated samba4 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: Christoph Biedl discovered two denial of service vulnerabilities in munin, a network-wide graphing framework. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
LinuxSecurity.com: A denial of service vulnerability was reported in varnish, a state of the art, high-performance web accelerator. With some configurations of varnish a remote attacker could mount a denial of service (child-process crash and temporary caching outage) via a GET request with trailing [More...]
Ruby on Rails 'number_to_currency' Helper Cross Site Scripting Vulnerability
Ruby on Rails CVE-2013-6417 Unsafe SQL Query Generation Vulnerability
RubyGems actionpack CVE-2013-6414 Denial of Service Vulnerability
RubyGems i18n Cross Site Scripting Vulnerability
EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code Execution

How to protect corporate data after the NSA Bullrun revelations
... to test and certify new encryption technologies without doubting their intentions. Our trust has been violated by the very organization that was supposed to be defending us in cyberspace, changing the foundation of infosec management and the ...

In today's business environment, companies are expected to grow quickly. This means their data centers must grow quickly, too. These four technological advances will help firms scale up -- and down, when necessary -- so growth doesn't turn into a bad thing.
The Internet Storm Center, an arm of the SANS Technology Institute, has started collecting reports of fake support calls in an attempt to figure out how prevalent the scam is among computer owners.
Hackers of likely Chinese origin infiltrated computers belonging to the foreign affairs ministries of five unnamed European countries ahead of the G20 Summit in September, according to security researchers at FireEye.
The U.S. Department of Justice is investigating a report alleging that Dell computers have been sold to the Syrian regime despite the trade embargo in place, according to a July filing by Dell to the U.S.A Securities and Exchange Commission (SEC) that was made public this week.
Multiple Dell SonicWALL Products Multiple HTML Injection Vulnerabilities

Developers of the FreeBSD operating system will no longer allow users to trust processors manufactured by Intel and Via Technologies as the sole source of random numbers needed to generate cryptographic keys that can't easily be cracked by government spies and other adversaries.

The change, which will be effective in the upcoming FreeBSD version 10.0, comes three months after secret documents leaked by former National Security Agency (NSA) subcontractor Edward Snowden said the US spy agency was able to decode vast swaths of the Internet's encrypted traffic. Among other ways, The New York Times, Pro Publica, and The Guardian reported in September, the NSA and its British counterpart defeat encryption technologies by working with chipmakers to insert backdoors, or cryptographic weaknesses, in their products.

The revelations are having a direct effect on the way FreeBSD will use hardware-based random number generators to seed the data used to ensure cryptographic systems can't be easily broken by adversaries. Specifically, "RDRAND" and "Padlock"—RNGs provided by Intel and Via respectively—will no longer be the sources FreeBSD uses to directly feed random numbers into the /dev/random engine used to generate random data in Unix-based operating systems. Instead, it will be possible to use the pseudo random output of RDRAND and Padlock to seed /dev/random only after it has passed through a separate RNG algorithm known as "Yarrow." Yarrow, in turn, will add further entropy to the data to ensure intentional backdoors, or unpatched weaknesses, in the hardware generators can't be used by adversaries to predict their output.
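The design change described above, feeding a hardware RNG through a separate mixing stage rather than trusting it directly, as an added illustration that is not part of the Ars Technica article or of FreeBSD's code. The `EntropyPool` class, the source names and the constant-output `backdoored_hwrng` stand-in are all constructed for this example; real Yarrow uses two pools and a block-cipher generator, which this sketch simplifies to a SHA-256 accumulator with an HMAC counter-mode output stage. The point it shows is the one the text makes: an adversary who can predict the hardware source still cannot predict the pool's output as long as any other mixed-in source is unknown to them.

```python
import hashlib
import hmac
import os


class EntropyPool:
    """Hash-based entropy accumulator with an HMAC counter-mode output stage.

    Constructed teaching sketch of the Yarrow idea: every source, including a
    hardware RNG, is just one input to the pool, so the output is unpredictable
    as long as at least one mixed-in source is unknown to the adversary.
    Not FreeBSD's implementation and not a production CSPRNG.
    """

    def __init__(self) -> None:
        self._pool = hashlib.sha256()
        self._key = None        # set by the first reseed()
        self._counter = 0

    def add_sample(self, source: str, data: bytes) -> None:
        # Tag each sample with its source name and length so that samples from
        # different sources cannot be re-split at an attacker-chosen boundary.
        tag = source.encode() + b"\x00" + len(data).to_bytes(4, "big")
        self._pool.update(tag + data)

    def reseed(self) -> None:
        # Fold the accumulated digest into the previous key, so entropy gathered
        # earlier survives a later reseed that was fed only from a weak source.
        prev_key = self._key if self._key is not None else b"\x00" * 32
        self._key = hashlib.sha256(prev_key + self._pool.digest()).digest()
        self._counter = 0
        self._pool = hashlib.sha256()   # start accumulating for the next reseed

    def read(self, n: int) -> bytes:
        if self._key is None:
            raise RuntimeError("pool has not been seeded")
        out = bytearray()
        while len(out) < n:
            self._counter += 1
            out += hmac.new(self._key, self._counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
        return bytes(out[:n])


def backdoored_hwrng(n: int) -> bytes:
    """Constructed stand-in for a hardware RNG whose output the adversary can
    predict exactly (here a fixed byte pattern, the worst case)."""
    return b"\x42" * n


def seed_hw_only(hw_sample: bytes) -> bytes:
    """Single-source seeding: whoever knows the hardware output knows the key."""
    pool = EntropyPool()
    pool.add_sample("hwrng", hw_sample)
    pool.reseed()
    return pool.read(32)


def seed_mixed(hw_sample: bytes, other_sample: bytes) -> bytes:
    """The adopted design: the hardware RNG is one input among others."""
    pool = EntropyPool()
    pool.add_sample("hwrng", hw_sample)
    pool.add_sample("interrupt-timing", other_sample)  # constructed source name
    pool.reseed()
    return pool.read(32)


if __name__ == "__main__":
    hw = backdoored_hwrng(32)
    # An adversary who knows the hardware output reproduces the hw-only key...
    print("hw-only reproducible:", seed_hw_only(hw) == seed_hw_only(hw))
    # ...but not the mixed one, because the second source is unknown to them.
    print("mixed differs per run:",
          seed_mixed(hw, os.urandom(32)) != seed_mixed(hw, os.urandom(32)))
```

The length-prefixed source tag in `add_sample` matters more than it looks: without it, a sample from one source concatenated with a sample from another would hash identically to a single longer sample, and an attacker who controls one source's output length could shift the boundary.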



A workers' rights group is demanding Apple investigate the recent deaths of several workers at an iPhone factory in China, one of whom was a 15-year-old who died of pneumonia after working at the facility for a month.
[CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
AT&T subscribers can now get LTE service outside the U.S., but fantasies of watching HD video on a tropical beach will have to wait: They can only roam in Canada.
Trustwave's SpiderLabs researchers have found a piece of malware that collects data entered into Web-based forms, pretending to be a module for Microsoft's Internet Information Services (IIS) web-hosting software.
Hewlett-Packard released new "converged systems" that aim to get customers up and running quickly with virtualized applications and big-data analytics.
As Bitcoin's popularity grows, so does talk about its standing as legal tender, but there are lingering issues that need to be sorted out before people start using Bitcoin to buy everyday things, experts said on Monday.
Rambus and Micron Technology said the companies signed a broad patent cross-license agreement, giving Micron the right to use any Rambus patent for the manufacture of specified integrated circuit products, including memories.
Home appliances, cars and computers could soon be talking to one another thanks to an open source framework that has the backing of consumer electronics manufacturers in a new industry alliance.
Taking a massive open online course in a technical topic can help IT workers advance their careers -- but only if they can show hiring managers how they've used the tech skills they learned online.
Pete Stein GoScript Remote Command Execution Vulnerability

Evil Dexter lurks in card reader, ready to SLASH UP your credit score
A new version of Dexter, first discovered by security researchers Seculert about a year ago, has been planted on 31 infected point-of-sale terminals, located in restaurants and famous shops in various major cities of the US, according to infosec start ...

Libmicrohttpd Multiple Remote Security Vulnerabilities
Microsoft Windows Kernel 'IsHandleEntrySecure()' Function Local Denial of Service Vulnerability
HP Integrated Lights-Out CVE-2013-4843 Unspecified Information Disclosure Vulnerability
Now SMS & MMS Gateway Message Processing Multiple Denial of Service Vulnerabilities
[SECURITY] [DSA 2815-1] munin security update
[SECURITY] [DSA 2813-1] gimp security update
HP Integrated Lights-Out CVE-2013-4842 Unspecified Cross Site Scripting Vulnerability