InfoSec News

CubeCart 4.x/5.x | Setup Re-installation Privilege Escalation Vulnerability
CubeCart 4.4.6 and lower | Local File Inclusion Vulnerability
CubeCart 4.4.6 and lower | Multiple SQL Injection Vulnerabilities
CubeCart 4.4.6 and lower | Multiple Cross Site Scripting Vulnerabilities
CubeCart 4.4.6 and lower | Cross Site Request Forgery (CSRF) Vulnerability
CubeCart 5.0.7 and lower | Open URL Redirection Vulnerability
CubeCart 4.4.6 and lower | Open URL Redirection Vulnerability

Ira Winkler: Stupid users, or stupid infosec?
IDG News Service
19 column, "Can Infosec Cure Stupid?", had me scratching my head. Unusually for him, May's underlying assumptions are flawed. He argues that end users are generally stupid, his evidence being that they don't understand how the devices they use work ...


We wish all our readers a Merry Christmas and hope you enjoy tonight with your families. Meanwhile, we will continue watching what happens on the Internet ;)

Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler



e-mail: msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Craig Mundie has left his role as Microsoft's chief research and strategy officer to become senior adviser to the CEO, as he winds down before retirement.
[ MDVSA-2012:183 ] apache-mod_security
[ MDVSA-2012:182 ] apache-mod_security
CubeCart 3.0.20 (3.0.x) and lower | Multiple SQL Injection Vulnerabilities

According to the Chromium blog, Google Chrome 25 won't allow silent extension installs anymore. This is good, because attacks like the malicious Chrome extension injecting ads into Wikimedia pages in May won't happen without the user's consent. This is similar to Internet Explorer Protected Mode, which does not allow extension installations, and to Firefox's add-on control since Firefox 8.

These kinds of controls enforce the security settings described in the corresponding security templates for web browsers. So far, the only browser that possesses the most scalable security baseline is still Internet Explorer, as there are specific Group Policy Objects (GPOs) for Internet Explorer that have been tested and deployed worldwide. Google Chrome also has security templates with the corresponding documentation, but you need to build your own GPO to deploy to a Windows domain. For Firefox, FirefoxADM is able to generate a security GPO to manage security parameters.

Have you suffered any attacks lately involving malicious extensions for Chrome? For Firefox or Internet Explorer? Let us know!

Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler



e-mail: msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
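As an added example (not part of the ISC diary above and not Google's or SANS's code), the following PowerShell function audits the Chrome extension-install policy that a Chrome GPO writes under HKLM\SOFTWARE\Policies\Google\Chrome, so an administrator can confirm that domain policy, and not only Chrome 25's built-in prompt, restricts which extensions may be installed. The policy names ExtensionInstallBlocklist, ExtensionInstallAllowlist and ExtensionInstallForcelist come from Chrome's published policy list; the older spellings ExtensionInstallBlacklist and ExtensionInstallWhitelist, which were current when the diary was written, are read as well. The registry path layout (one subkey per list, values named "1", "2", ...) is Chrome's documented format; the sample commands at the end use a deny-all value and are an assumed illustration, not a recommendation from the diary.

```powershell
# Added example: audit the Chrome extension-install policy written by a GPO.
# Not from the ISC diary. Policy names follow Chrome's policy list; the older
# *Blacklist/*Whitelist spellings (current in 2012) are also checked.
function Get-ChromeExtensionPolicy {
    [CmdletBinding()]
    param(
        # Machine policy root; pass the HKCU: equivalent to inspect per-user policy.
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    )

    # Each list policy is a registry subkey whose values are named "1", "2", ...
    # Newer and older policy names are both read so either GPO template is covered.
    $lists = [ordered]@{
        Blocklist = @('ExtensionInstallBlocklist', 'ExtensionInstallBlacklist')
        Allowlist = @('ExtensionInstallAllowlist', 'ExtensionInstallWhitelist')
        Forcelist = @('ExtensionInstallForcelist')
    }

    $result = [ordered]@{}
    foreach ($listName in $lists.Keys) {
        $entries = @()
        foreach ($subkey in $lists[$listName]) {
            $path = Join-Path $PolicyRoot $subkey
            if (Test-Path $path) {
                $key = Get-Item $path
                # Only numeric value names are policy entries; sort numerically so "10" follows "9".
                $names = $key.GetValueNames() |
                         Where-Object { $_ -match '^\d+$' } |
                         Sort-Object { [int]$_ }
                foreach ($n in $names) { $entries += [string]$key.GetValue($n) }
            }
        }
        $result[$listName] = $entries
    }

    # A blocklist containing "*" denies every extension not on the allowlist,
    # which covers side-loaded installs as well as Web Store installs.
    $denyAll = $result.Blocklist -contains '*'
    if ($denyAll) {
        $finding = 'Extensions denied unless allow-listed'
    }
    elseif ($result.Blocklist.Count -gt 0) {
        $finding = 'Only specific extension IDs blocked; others can still be installed'
    }
    else {
        $finding = 'No extension install policy; relying on the browser prompt alone'
    }

    [pscustomobject]@{
        PolicyRoot    = $PolicyRoot
        Blocklist     = $result.Blocklist
        Allowlist     = $result.Allowlist
        Forcelist     = $result.Forcelist
        DenyByDefault = $denyAll
        Finding       = $finding
    }
}

# Assumed usage (run in an elevated shell; writing HKLM requires administrator rights).
# Applying a deny-all blocklist locally mirrors what a domain GPO would deliver:
#   $root = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
#   New-Item -Path "$root\ExtensionInstallBlocklist" -Force | Out-Null
#   Set-ItemProperty -Path "$root\ExtensionInstallBlocklist" -Name '1' -Value '*'
#   Get-ChromeExtensionPolicy | Format-List
```

When the function reports "relying on the browser prompt alone", the Chrome 25 behaviour described in the diary is the only control in place: a user can still click through the prompt, so a domain baseline should deny by default and allow-list the extensions the organisation has reviewed.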
CubeCart 3.0.20 (3.0.x) and lower | Arbitrary File Upload
Re: Re: Re: Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability
VMSA-2012-0018 VMware security updates for vCSA and ESXi
CA20121220-01: Security Notice for CA IdentityMinder
Two more tips about iTunes 11 from the readers of Mac OS X Hints:
A new smartphone or tablet under the Christmas tree should be giftwrapped with a list of security and privacy guidelines, experts say.

St. Nick and his reindeer have begun their Christmas Eve work delivering presents to children around the world and NORAD is tracking their progress today.
As a new session of the U.S. Congress convenes in early 2013, don't expect lawmakers to rush out a new version of the Stop Online Piracy Act (SOPA) or the Protect IP Act (PIPA).
Google on Friday said Chrome 25, now in development, automatically blocks browser add-ons installed on the sly by other software.
Assembly line workers are logging 12-hour days to churn out the latest handsets for Samsung Electronics at a factory in Huizhou, China.
As 2012 comes to a close, it's time to reflect on the security trends of the year with this look at the hottest security slideshows of 2012.
Yahoo's holiday gift to the masses is three free months of its Flickr Pro photo and video hosting service, which normally costs $24.95 a year.
As new public cloud plays leap in and the private cloud slowly evolves, we're on the brink of a shift to cloud computing for critical business workloads
WordPress Multiple CMSMasters Themes 'upload.php' Arbitrary File Upload Vulnerability
Mozilla on Friday backtracked from a decision to suspend all work on a 64-bit version of Firefox for Windows, acknowledging that user criticism had changed its mind.
Demand is increasing for data center space in multi-tenant facilities, driven by a number of trends, according to a new report.
China is on track to overtake the U.S. in spending on research and development in about 10 years, as federal R&D spending either declines or remains flat.
Migrating from SharePoint 2010 is doable, but that's not true, unfortunately, from the 2007 version.
When Chrome 25 arrives, attempts by Windows applications to silently install extensions will be blocked pending user approval. Firefox switched to blocking silent installs last year.


Posted by InfoSec News on Dec 24


By Kelly Jackson Higgins
Dark Reading
Dec 21, 2012

Remember that rudimentary data-wiping malware found on a few computers
in Iran this month? Most security experts pegged it as a simple,
unsophisticated copycat of more sophisticated data-destruction malware

But in the latest...

Posted by InfoSec News on Dec 24


By John Cox
Network World
December 21, 2012

A new study finds that more than two-thirds of nurses are using their
personal smartphones for clinical communications. Yet 95% of nurses in
the sample say hospital IT departments don't support that use for fear
of security risks.

The report, "Healthcare without Bounds: Point of Care Computing for

Posted by InfoSec News on Dec 24


By Eric Chabrow
Bank Info Security
December 22, 2012

Karen Scarfone, who coauthored NIST's encryption guidance, sort of
figured out why many organizations don't encrypt sensitive data when
they should. The reason: they do not believe they are required to do so.

Scarfone, who left the National Institute of Standards and Technology in
2010 and founded a...

Posted by InfoSec News on Dec 24


By Lucian Constantin
IDG News Service
December 21, 2012

An increasing number of vulnerability researchers will focus their
attention on industrial control systems (ICS) in the year to come, but
so will cyberattackers, security experts believe.

Control systems are made up of supervisory software running on dedicated...

Posted by InfoSec News on Dec 24


By Jordan Press
Postmedia News
December 21, 2012

OTTAWA -- One year ago, three federal security agencies focused their
eyes on Anonymous. One labelled the collective the modern face of
hacktivism. Another warned Anonymous could soon have the ability to take
down critical infrastructure such as water systems and the electricity
Inkscape XML External Entity Information Disclosure Vulnerability
TWiki and Foswiki 'MAKETEXT' Variable Multiple Security Vulnerabilities