US CERT Current Activity
Microsoft has released a security advisory to provide recommended mitigations for an unpatched vulnerability (CVE-2014-6352), which affects all Microsoft Windows releases except Windows Server 2003. This vulnerability could allow an attacker to take control of an affected system if a user opens a specially crafted Microsoft Office file.
US-CERT recommends users and administrators review the Microsoft Security Advisory and apply the recommended workarounds.
Apple has released security updates for iOS devices and Apple TV to address multiple vulnerabilities, one of which could allow an attacker to decrypt data protected by SSL.
Updates available include:
- iOS 8.1 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later
- Apple TV 7.0.1 for Apple TV 3rd generation and later
US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. Exploitation of this vulnerability may allow a remote attacker to decrypt and extract information from inside an encrypted transaction.
US-CERT recommends users and administrators review TA14-290A for additional information and apply any necessary updates to address this vulnerability.
Apple has released Security Update 2014-005 to address vulnerabilities in SSL 3.0.
US-CERT recommends users and administrators review Apple Security Update HT6531 for additional details.
Drupal has released a security advisory to address an application program interface (API) vulnerability (CVE-2014-3704) that could allow an attacker to execute arbitrary SQL commands on an affected system.
This vulnerability affects all Drupal core 7.x versions prior to 7.32.
US-CERT advises users and administrators to review Drupal's Security Advisory and apply the necessary update or patch.
Google has released security updates to address multiple vulnerabilities in Chrome and Chrome OS, one of which could potentially allow an attacker to take control of the affected system.
Updates available include:
- Chrome 38.0.2125.104 for Windows, Mac and Linux
- Chrome OS 38.0.2125.108 for all Chrome OS devices except Chromeboxes
US-CERT reminds users to protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system.
Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software.
- Refer to the Using Caution with Email Attachments Cyber Security Tip for information on safely handling email attachments.
- Refer to the Avoiding Social Engineering and Phishing Attacks Cyber Security Tip for information on social engineering attacks.
OpenSSL has released updates patching four vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or execute man-in-the-middle attacks. The following updates are available:
- OpenSSL 1.0.1 users should upgrade to 1.0.1j
- OpenSSL 1.0.0 users should upgrade to 1.0.0o
- OpenSSL 0.9.8 users should upgrade to 0.9.8zc
US-CERT recommends users and administrators review the OpenSSL Security Advisory for additional information and apply the necessary updates.
The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to obtain sensitive information, bypass same-origin policy and key pinning, cause an exploitable crash, conduct a man-in-the-middle attack, or execute arbitrary code.
The following updates are available:
- Firefox 33
- Firefox ESR 31.2
- Thunderbird 31.2
Adobe has released security updates to address multiple vulnerabilities in ColdFusion and Flash Player. Exploitation could allow attackers to take control of a vulnerable system.
Oracle has released its Critical Patch Update for October 2014 to address 154 vulnerabilities across multiple products.
US-CERT encourages users and administrators to review the Oracle October 2014 Critical Patch Update and apply the necessary updates.
Microsoft has released updates to address vulnerabilities in Windows, Office, Office Services and Web Apps, Developer Tools, .NET Framework, and Internet Explorer as part of the Microsoft Security Bulletin Summary for October 2014. These vulnerabilities could allow remote code execution, elevation of privilege, or security feature bypass.
US-CERT encourages users and administrators to review the bulletin and apply the necessary updates.
Cisco has released an advisory to address multiple vulnerabilities in the Cisco Adaptive Security Appliance (ASA) Software that could result in a denial of service condition. Cisco has released free software updates that address these vulnerabilities.
Users and administrators are encouraged to review the Cisco Advisory and apply the necessary updates.
Oracle has released security updates to address bash vulnerabilities found across multiple products.
US-CERT recommends users and administrators review the Oracle Security Article for additional details, and apply updates as necessary.
Google has released security updates to address multiple vulnerabilities in Chrome and Chrome OS, some of which could potentially allow an attacker to take control of the affected system or cause a denial of service condition.
Updates available include:
- Chrome 38.0.2125.101 for Windows, Mac and Linux
- Chrome 38.0.2125.59 for iPhone and iPad
- Chrome OS 38.0.2125.101 for all Chrome OS devices except Chromeboxes
Apple has released OS X bash Update 1.0 to address vulnerabilities found in the Bourne-again Shell (bash) which could allow a remote attacker to execute arbitrary shell commands.
INTECO Technical Advisories (Spain)
- BIND EDNS option flaw causes denial of service.
- Denial of service via IPv6 packets in Cisco IOS XR Software
- Microsoft security bulletins for June 2014
- Privilege escalation and denial of service in the Linux kernel
- Hard-coded credentials in Daktronics Vanguard
- New OpenSSL versions fix multiple vulnerabilities
- Improper input validation in COPA-DATA's DNP3
- Multiple vulnerabilities in Cogent Datahub
- Uncontrolled resource consumption in Triangle MicroWorks
- Privilege escalation in several VMware products
- UsCert - TA13-051A: Oracle Java Multiple Vulnerabilities
- Hispasec - The site is the official one, but what about the file I am downloading?
- Hispasec - Privilege escalation in sudo (in many distributions)
- Hispasec - Denial of service in Samba
- Hispasec - Two vulnerabilities fixed in Asterisk
- Hispasec - New Spyeye trojans aimed exclusively at entities in Panama and Honduras
- Hispasec - New PHP version fixes two vulnerabilities
- Hispasec - Several vulnerabilities in Wireshark
- Hispasec - Microsoft, didn't we agree to stop using MD5? (part II)
- Hispasec - Remote command execution in Apache Struts