InfoSec News

How to strengthen your computer defences
Sydney Morning Herald
However, he also notes that the "most important resource you can have is a professional trained in infosec". "This is not something you can just do from a checklist," he said. For those banking, financial services and insurance organisations covered by ...
A satellite operator's proposal to offer an extra channel of Wi-Fi might actually give average Wi-Fi and Bluetooth users less bandwidth, according to some industry groups that have commented on the plan in filings to the FCC.
In its battle for the top spot in the rocky PC industry, Hewlett-Packard has edged out rival Lenovo to take back its leadership position.
[IA34] Serva v2.0.0 HTTP Server GET Remote Denial of Service
The National Institute of Standards and Technology (NIST) will host a workshop to discuss proposed supplements to the biometric data format standard that support voice recognition, dental and oral data, disaster victim identification and ...
Three former executives of bankrupt Nortel Networks were acquitted of falsifying financial reports in an accounting scandal that precipitated the company's eventual bankruptcy and demise.
It's starting to look like the BlackBerry store will be well stocked with apps when Research In Motion launches BlackBerry 10 at the end of this month.
[IA33] Serva v2.0.0 DNS Server Remote Denial of Service
Updated - CA20121018-01: Security Notice for CA ARCserve Backup

Overview of the January 2013 Microsoft Out of Cycle patches and their status.

Security Update for Internet Explorer
  Affected:                 Internet Explorer 6, 7, 8
  Replaces:                 (none listed)
  Contra Indications - KB:  KB 2799329
  Known Exploits:           Yes (in-the-wild attacks reported since at least Dec. 7)
  Microsoft rating(**):     Exploitability: 1
  ISC rating(*):            (not listed)
We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.

Important: Things where more testing and other measures can help.

Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment of the machine and the common measures people typically already have in place. For servers we presume simple best practices, such as not using Outlook, MSIE, Word etc. for traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): Microsoft assigns several exploitability ratings to some patches (one per vulnerability fixed); the rating we show is the worst of them.


Post suggestions or comments in the section below or send us any questions or comments in the contact form


Richard Porter

richard /at/ pedantictheory.com

For Hire. Posted with Permission
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
With Facebook preparing for its mysterious press conference on Tuesday, speculation is surging that the announcement could be about anything from a new smartphone, a new mobile plan to a new search feature.
Gartner reports another bad quarter for global PC shipments, says we're in the midst of a 'structural shift' in the industry.
From cybersecurity to privacy, mobile broadband to net neutrality, the coming year in Washington promises to be a busy one for the technology sector.
A new beta version of Google's Chrome browser for PCs can run Web applications controlled via user voice commands, so that people will be able to play computer games and compose documents through speech.
Tablets will be rated based on the Energy Star specification in the future.
The U.S. Department of Justice did not mislead a court and attempt to entrap file storage site Megaupload on copyright infringement charges, the agency said in a new filing in the case.
Banking on the trend toward cloud computing, Hewlett-Packard has created a stand-alone organization to oversee the company's hosted computing services and software offerings.
Microsoft's Surface RT tablet sold 1 million units in the fourth quarter, fewer than expected, according to a UBS analyst.
Microsoft today shipped an emergency update for Internet Explorer to stymie attacks that have been occurring since at least Dec. 7.
Sales of Samsung's two Galaxy S smartphones have topped 100 million since the first version sold in May 2010, the company reported via its Flickr page.
The unemployment rate among U.S. IT workers stood at 3.3% in the fourth quarter of 2012, significantly lower than the overall unemployment rate of 7.8%, according to tech job board Dice.
Apple has slashed orders for iPhone screens in the first quarter by half, according to Monday reports out of both Japan and the U.S.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0746 Remote Denial of Service Vulnerability
CVE-2012-5649 Apache CouchDB JSONP arbitrary code execution with Adobe Flash
CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI
CVE-2012-5641 Apache CouchDB Information disclosure via unescaped backslashes in URLs on Windows
[SECURITY] [DSA 2605-1] asterisk security update
Microsoft has announced it will issue an out-of-band patch to the zero-day flaw affecting Internet Explorer versions 6 through 8.

Too often, New Year's resolutions to get into better shape are derailed because of a lack of realistic planning. The same thing happens in the security sphere.
Asustek has cut prices for Android tablets, announcing the $149 Memo Pad tablet, which has a 7-inch screen and Android 4.1, in challenge to Google, Amazon.
If you're using your flash drive as a vehicle for simple file transfers, you're missing out on one of the single-best roles one of these wee data buckets can fulfill. Indeed, hardcore enthusiasts know that simple flash drives are perfect portable repositories for all the software that can breathe life into an otherwise ailing PC.
Tata Consultancy Services had strong revenue and profit growth in the fourth quarter, indicating that the offshoring market is recovering.
Social media is changing the way businesses interact with--and create marketing assets for--customers, says Simeran Bhasin, Marketing Head, Fastrack & New Brands at Titan Industries. It's time others got on board too.
The sudden rise of mobile devices to support bandwidth-hungry applications is raiding corporate networks. As CIOs struggle to manage the storm of personal devices users carry within enterprise networks, they must take a harder look at safeguarding their IT. Shweta Rao spoke to Albert Kuo, GM and VP -- field operations for Asia Pacific at Blue Coat Systems, to find out more about the security challenges that BYOD has brought with its arrival.
Shrinking project timelines, mobility, and budgetary constraints are all going to fuel the growth of the SaaS market, and Zoho is not doubtful of having its share of the pie. The Chennai-based company offers a host of online business, productivity and collaboration applications ranging from CRM, mail, and office suite to project management, invoicing, and Web conferencing among others to help organizations run their business processes, manage their information, and be more productive while at the office or on the go. Raju Vegesna, chief evangelist for Zoho, speaks about the SaaS market in India, the factors contributing to the increase in SaaS adoption, and how mobility and BYOD are changing the game.
NXP Semiconductors is planning to cut 700 to 900 jobs as part of a reorganization to reduce costs of support services, the company said on Monday.
Three updates to CouchDB include fixes to stop cross-site scripting, code execution in client browsers through JSONP, and the ability to retrieve arbitrary files from Windows systems.

The industrial control systems of a power supplier and a power generation plant in the US have been infected via USB flash drives. The ICS-CERT reports that Project SHINE is working to highlight vulnerabilities.

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0748 Information Disclosure Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0764 Remote Denial of Service Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0760 Buffer Overflow Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0756 Remote Code Execution Vulnerability
Change is a given in this business, but 2013 promises to be particularly interesting because of the convergence of multiple, transformative developments, none of which are new, per se, given we have been tracking them in depth for some time, but each of which is forcing us to rethink long held conventions.
Chicago this month disclosed that it plans to use Microsoft's cloud services to deliver email and desktop applications to some 30,000 employees, part of a significant effort to improve the city's IT operations.
After seeing 18 key IT staffers suddenly quit to take new jobs at General Motors, Hewlett-Packard has asked a Texas court for permission to depose two former managers to find out if employment contracts were violated.
A new study predicts that 2023 may be the year that America loses its global R&D leadership role.
Oracle on Sunday issued an emergency Java update to patch two critical vulnerabilities, including one that had been exploited in ongoing and accelerating attacks.
Evans Data Cloud Development Survey finds developers split on benefits and concerns about building in the cloud
DOS 4.0, Zune, and Windows 8 are but a few of the landmarks among 25 years of failures Redmond-style
As a new U.S. Congress gets to work this month, few insiders expect there will be any rush to create new versions of the controversial Stop Online Piracy Act and the Protect IP Act.
Maridan Harris, vice president of IT at Philips North America, shares her ideas on how to build teams that enjoy work as much as she does.
Despite raising Tim Cook's salary 55% and awarding him a $2.8 million bonus, Apple says its CEO's overall compensation for the year was still down 99% compared to 2011 levels.
Enterprises that buy new mobile devices and invest in security and storage management will give worldwide IT spending a boost this year.
Oracle has released an update for Java 7 to address the recent 0day vulnerability which is being widely exploited. The update also closes a previously undisclosed critical hole

Microsoft has announced that it will provide a patch for the critical hole in versions 6 to 8 of Internet Explorer as an out-of-band update later today

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0758 Privilege Escalation Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0744 Remote Denial of Service Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0759 Address Bar URI Spoofing Vulnerability
ELinks CVE-2012-4545 Security Bypass Vulnerability
Qt 'QSslSocket::sslErrors()' Certificate Validation Security Weakness
The race for virtualization dominance between Microsoft and VMware has become more interesting with VMware's recent release of vSphere 5.1. We obtained vSphere around the same moment as the final release of Windows Server 2012, whose newly included virtual switch and enhanced Hyper-V features were designed to clobber VMware.
librdmacm 'ib_acm' Service Port Connection Security Vulnerability

Posted by InfoSec News on Jan 13


The Wall Street Journal
January 13, 2013

Just days before he hanged himself, Internet activist Aaron Swartz's hopes for
a deal with federal prosecutors fell apart.

Two years ago, the advocate for free information online, who...