Debian GNU/Linux 6.0.5 Released

Debian GNU/Linux 6.0.5 Released

Developers at Debian project is pleased to announce the fifth update of its stable distribution Debian 6.0 codenamed squeeze. According to the project release this update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available. If you have Debian 6.0.x already installed, it is not necessary to reinstall, you only need to install all the latest updates from your nearest mirror site. 

What's new in Debian GNU/Linux 6.0.2:-

• aide Properly support large files on 32-bit systems; fix group for bind9 log files

• approx Don't try caching InRelease or non-.gz compressed files

• apr Fix apr_ino_t changing size depending on -D_FILE_OFFSET_BITS on kfreebsd-*

• apt Fix file size calculation on big-endian arches; don't prompt for CD re-insertion on "apt-get update"; add XZ support

• apt-listchanges Correctly handle NEWS files containing only one entry

• base-files Update /etc/debian_version

• clive Adapt for liveleak.com changes

• dbus Fix local DoS for system services (CVE-2011-2200)

• deborphan Exclude libreoffice from --guess-section output; trap WINCH in a POSIX way; minor translation fixes

• dokuwiki Fix an ACL bypass issue in the XMLRPC interface

• dpkg Fix regression in 'dpkg-divert --rename'; dpkg-split: don't corrupt metadata on 32-bit systems; fix vsnprintf() compat declaration

• e2fsprogs Various bug fixes

• fakechroot Fix 'debootstrap --variant=fakechroot'

• fcgiwrap Fix init script's 'stop' target

• gdm3 Reset SIGPIPE handler before starting the session; execute the PostSession script even when GDM is killed or shut down

• git Allow remove and purge in one step by terminating the git-daemon/log service before removing the gitlog user

• gnome-settings-daemon Work around possible race condition when starting Xsettings manager

• ia32-libs Refresh packages from stable and proposed-updates.

• iceowl Security updates

• im-config Avoid breaking login via GDM if im-config is removed but not purged

• inn Stop using 'sort +1n' in makehistory; disable outdated CHECK_INCLUDED_TEXT option by default

• josm Give more verbose explanation to users who haven't agreed to the new OSM license

• kde4libs Wildcard SSL certificate and XSS security fixes; ktar checksum and UTF-8 longlink fixes

• kdenetwork Improve fix for CVE-2010-1000 directory traversal issue

• kernel-wedge Add hpsa and pm8001 to scsi-extra-modules; add bna to nic-extra-modules

• kerneltop Increase line buffer size to 1024 bytes

• klibc ipconfig: escape DHCP options and correctly handle multiple connected network devices (CVE-2011-1930)

• krb5 Fix DoS; fix interoperability with w2k8r2 KDCs; fix invalid free and double free; don't make authentication fail if PAC verification fails

• kupfer Use correct parameter type to allow keybindings to work again

• libapache2-mod-perl2 Rebuild against apr 1.4.2-6+squeeze3 to pick up apr_ino_t size fix on kFreeBSD

• libburn Don't create images with overly-restrictive permissions

• libfinance-quotehist-perl Disable test suite, broken by website changes

• libmms Fix alignment issues on arm

• linux-2.6 New hardware support; add longterm 2.6.32.41; fix oops via corrupted partition tables

• linux-kernel-di-amd64-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• linux-kernel-di-armel-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• linux-kernel-di-i386-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• linux-kernel-di-ia64-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• linux-kernel-di-mips-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• linux-kernel-di-mipsel-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• linux-kernel-di-powerpc-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• linux-kernel-di-s390-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• linux-kernel-di-sparc-2.6 Rebuild against kernel-wedge 2.74+squeeze3

• lua-expat Fix the 'billion laughs' DoS attack

• monkeysphere Fix monkeysphere-host revoke-key

• nagios-plugins Allocate a big enough buffer to handle all IPs of hosts being pinged

• nsd3 Remove statoverride before removing the package's user

• openldap Fix possible database corruption issues, several security issues and dpkg-reconfigure

• php-svn Rebuild against apr 1.4.2-6+squeeze3 to pick up apr_ino_t size fix on kFreeBSD

• php5 Rebuild against apr 1.4.2-6+squeeze3 to pick up apr_ino_t size fix on kFreeBSD

• pianobar Update API keys for XMLRPC v30

• postgresql-8.4 New upstream bugfix release; fix pg_upgrade use with TOAST tables

• prosody Fix the 'billion laughs' DoS attack

• puppet Fix service provider to properly use update-rc.d disable API

• python-apt Strip multiarch by default in RealParseDepends; add XZ support

• python-gudev Add missing dependency on python-gobject

• q4wine Stop shipping the library in lib64

• qemu Don't register qemu-mips(el) with binfmt on mips(el)

• qemu-kvm Fix division by 0 with some guests; fix vnc zlib overflow; don't abort on user hardware errors; fix migration on 32-bit

• qt4-x11 Blacklist some fraudulent SSL certificates; fix weakness in wildcard certificate verification

• rapidsvn Rebuild against apr 1.4.2-6+squeeze3 to pick up apr_ino_t size fix on kFreeBSD

• refpolicy Various permissions fixes

• reprepro Handle Release files which don't contain md5sums

• ruby1.8 Fix upgrades from lenny by making libruby1.8 conflict/replace irb1.8 and rdoc1.8

• samba Fix undefined symbol error from tdb2.so; several printing related bugs and a gid leak in winbind / idmap. Document the new and potentially disruptive 'map untrusted to domain'

• schroot Fix loading of dchroot.conf

• softhsm Remove statoverride entries before the package's user

• sun-java6 New upstream security update

• tzdata New upstream version

• vimperator Resolve compatibility issues with iceweasel

• widelands Fix potential security issue in Internet games

• xenomai Adapt kernel patch to apply cleanly to squeeze's kernel

• xserver-xorg-video-tseng Fix driver initialisation

To Download Debian 6.0 codenamed "squeeze" Click Here

  

-Source (Softpedia, Debian Project)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Debian GNU/Linux 6.0.5 Released"https://www.voiceofgreyhat.com/2012/05/debian-gnulinux-605-released.html</a>

WinMend System Doctor

Protect your system from the threats of spyware, adware, Trojans and viruses

With its innovative, intelligent detection engine, WinMend System Doctor can effectively detect and fix securityvulnerabilities in the system, fix software vulnerabilities in third-partyapplications, and prevent the running of malicious startup programs, Trojans, BHOs, processes and system services to significantly improve system security.

It also provides an “Expert”-level system scan option that can scan potentialsecurity threats in the system and protect the system from the threats of spyware, adware, Trojans and virusesand eliminate security risks.

Here are some key features of “WinMend System Doctor”:

· Intelligent Scan Engine WinMend System Doctor is integrated with a brand-new scan engine that can intelligently detect system vulnerabilities in Windows, software vulnerabilities in third-partyapplications and problems corresponding security settings, and it can help users fix problems found. It simplifies user operation, and helps you solve security risks more promptly and efficiently.

· Unique System Security Rating System WinMend System Doctor can rate the security of your operating system for you to see the security status of the system more visually.

· Comprehensive and Detailed Security Report WinMend System Doctor can generate comprehensive security reports that elaborate all details about each single security vulnerability and potential security threat in your system, so you can understand the security problems in the system and how to fix them with improved clarity.

· Expert-Level System Scan An “Expert”-level system scan is offered by WinMend System Doctor. It scans potential security threats in the system, such as in shared resources, user privilege management, remote control, etc., that could be easily used by malicious programs (or hackers), and can guide you through the steps to fix vulnerabilities and eliminate security risks in the system.

Requirements:

· 800mhz CPU
· 256MB RAM
· 12 MB of free hard disk space

Limitations:

· Can fix 5 windows system vulnerabilities in total

changelog

· Add Hungarian language pack.
· Improve Support for Windows Vista.

Click Here to Download WinMend System Doctor 1.5.7

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">WinMend System Doctor"https://www.voiceofgreyhat.com/2011/04/winmend-system-doctor.html</a>

Facebook Launches Security Bug Bounty

Facebook is set to announce today a bug bounty program in which researchers will be paid for reporting security holes on the popular social-networking Web site.

Compensation, which starts at $500 and has no maximum set, will be paid only to researchers who follow Facebook's Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.

Facebook Chief Security Officer Joe Sullivan told that "Typically, it's no longer than a day" to fix a bug,

Facebook's Whitehat page for security researchers says: 

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

The compensation program is a good way to provide an incentive and show appreciation to the research community for helping keep Facebook safe for users, according to the company's security team. Up until now, researchers received recognition on the Facebook Whitehat page, maybe some "swag," and--if they were lucky--a job.

"Some of our best engineers have come to work here after pointing out security bugs on our site," like Ryan McGeehan, manager of Facebook's security response team, said Alex Rice, product security lead at Facebook. (Facebook also recently hired famed iPhone jailbreaker and Sony PlayStation 3 hacker George Hotz, who works on security issues.)

Meanwhile, Facebook is allowing security researchers a way to create test accounts on Facebook to ensure they don't violate terms of use or impact other Facebook users, Rice and McGeehan said.

Facebook is following in the steps of Mozilla, which launched its bug bounty program in 2004, and Google, which offers a bug bounty program with payments ranging from $500 to more than $3,000 for finding Web security holes, as well as a program specifically for Chrome bugs.

Microsoft has offered bounties of $250,000 for information leading to the arrest of virus writers, but does not pay researchers who find bugs in its software. However, other companies do, like TippingPoint's Zero Day Initiative.

Researchers typically are paid more for finding bugs in desktop software, which can take much longer to fix and to update software on computers than bugs in Web-based software, which can be fixed much more quickly.

According To FACEBOOK:- 

Eligibility

To qualify for a bounty, you must:

• Adhere to our Responsible Disclosure Policy:
  

  ... give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research ...
• Be the first person to responsibly disclose the bug
• Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
  

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Remote Code Injection
• Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

Our security team will assess each bug to determine if qualifies.

Rewards

• A typical bounty is $500 USD
• We may increase the reward for specific bugs
• Only 1 bounty per security bug will be awarded

Exclusions

The following bugs aren't eligible for a bounty (and we don't recommend testing for these):

• Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
• Security bugs in third-party websites that integrate with Facebook
• Security bugs in Facebook's corporate infrastructure
• Denial of Service Vulnerabilities
• Spam or Social Engineering techniques

                                                                                                                                                                     -News Sourec (FACEBOOK & Cnet)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Facebook Launches Security Bug Bounty"https://www.voiceofgreyhat.com/2011/07/facebook-launches-security-bug-bounty.html</a>

PostgreSQL Patches Vulnerability in The built-in XML & XSLT (CVE-2012-3488,3489)

PostgreSQL Patches Vulnerability in The built-in XML & XSLT (CVE-2012-3488,3489)

PostgreSQL Global Development Group released security updates for all active branches of the PostgreSQL database system, including versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20. This update patches security holes associated with libxml2 and libxslt, similar to those affecting other open source projects. All users are urged to update their installations at the first available opportunity. This security release fixes a vulnerability in the built-in XML functionality, and a vulnerability in the XSLT functionality supplied by the optional XML2 extension. Both vulnerabilities allow reading of arbitrary files by any authenticated database user, and the XSLT vulnerability allows writing files as well. The fixes cause limited backwards compatibility issues. These issues correspond to the following two vulnerabilities:

• CVE-2012-3488: PostgreSQL insecure use of libxslt
• CVE-2012-3489: PostgreSQL insecure use of libxml2

This release also contains several fixes to version 9.1, and a smaller number of fixes to older versions, including:

• Updates and corrections to time zone data
• Multiple documentation updates and corrections
• Add limit on max_wal_senders
• Fix dependencies generated during ALTER TABLE ADD CONSTRAINT USING INDEX.
• Correct behavior of unicode conversions for PL/Python
• Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT).
• Fix syslogger so that log_truncate_on_rotation works in the first rotation.
• Only allow autovacuum to be auto-canceled by a directly blocked process.
• Improve fsync request queue operation
• Prevent corner-case core dump in rfree().
• Fix Walsender so that it responds correctly to timeouts and deadlocks
• Several PL/Perl fixes for encoding-related issues
• Make selectivity operators use the correct collation
• Prevent unsuitable slaves from being selected for synchronous replication
• Make REASSIGN OWNED work on extensions as well
• Fix race condition with ENUM comparisons
• Make NOTIFY cope with out-of-disk-space
• Fix memory leak in ARRAY subselect queries
• Reduce data loss at replication failover
• Fix behavior of subtransactions with Hot Standby

Users who are relying on the built-in XML functionality to validate external DTDs will need to implement a workaround, as this security patch disables that functionality. Users who are using xslt_process() to fetch documents or stylesheets from external URLs will no longer be able to do so. The PostgreSQL project regrets the need to disable both of these features in order to maintain our security standards. These security issues with XML are substantially similar to issues patched recently by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5 (CVE-2012-0057) projects. As with other minor releases, users are not required to dump and reload their database or use 

pg_upgrade

In order to apply this update release; you may simply shut down PostgreSQL and update its binaries. Perform post-update steps after the database is restarted. All supported versions of PostgreSQL are affected. Or you can download the new versions now at the main download page.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">PostgreSQL Patches Vulnerability in The built-in XML & XSLT (CVE-2012-3488,3489)"https://www.voiceofgreyhat.com/2012/08/PostgreSQL-Patches-Vulnerability-in-The-built-in-XML.html</a>

Vulnerability in Apple MacBooks Which Could ruin Batteries

One prominent security researcher has discovered a vulnerability in the batteries of Apple's MacBook line of portable computers that could allow hackers to ruin the batteries or install malware on them that could corrupt a Mac.
Charlie Miller, a renowned white-hat hacker who works for security firm Accuvant, plans to reveal and offer a fix next month for a MacBook battery vulnerability he has discovered, Forbes reports. Miller uncovered default passwords, which are used to access the microcontroller in Apple's batteries, within a firmware update from 2009 and used them to gain access to the firmware.

Apple and other laptop makers use embedded chips in their lithium ion laptop batteries to monitor its power level, stop and start charging and regulate heat.
During the course of his tests, the researcher "bricked" seven batteries, rendering them unusable by rewriting the firmware. Of more concern is the possibility that hackers could use the vulnerability to install difficult to remove malware, or, in a worst case scenario, cause the batteries to explode.

“These batteries just aren’t designed with the idea that people will mess with them,” he said. “What I’m showing is that it’s possible to use them to do something really bad.” According to him, IT few administrators would think to check the battery, providing hackers with an opportunity to hide malicious software on a battery that could repeatedly implant itself on a computer.

Miller admitted that he hasn't tried to blow up any batteries, but he did say it might be possible. "You read stories about batteries in electronic devices that blow up without any interference,” he noted. “If you have all this control, you can probably do it.”
another researcher, Barnaby Jack, who works for antivirus software maker McAfee, also looked into the battery issue a couple years ago, but said he didn't get as far as Miller did.

Miller, who is a regular winner of security contests demonstrating Mac, Safari and iPhone exploits, has notified Apple and Texas Instruments of the issue. Despite requests from several other researchers not to proceed, he plans to unveil the vulnerability, along with a fix he calls "Caulkgun," at the Black Hat security conference next month.
"Caulk Gun" will change a battery's default passwords to a random string of characters. While the fix will prevent hackers from breaking into the battery, it would also block any future firmware updates from Apple.

In spite of the battery vulnerability that he uncovered, Miller believes Mac OS X security is better than ever before. According to him, Apple engineers made few security-related changes in the jump from Leopard to Snow Leopard, but they made substantial improvements in Mac OS X 10.7 Lion, which was released on Wednesday.
"Now, they've made significant changes and it's going to be harder to exploit,” he said, as noted by The Register.
“It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus,” said noted security consultant Dino Dai Zovi.
Apple offered security researchers, including Miller and Dai Zovi, an unprecedented early look at Lion in order to get their feedback.
According to researchers, Lion's biggest security improvement is Lion's support for Address Space Layout Randomization. ASLR randomizes the location of critical system components to reduce the risk of attack. Apple also added sandboxing security measures in Safari that will isolate potential bugs or malware. Finally, the newly revamped File Vault now allows an entire drive to be encrypted.

-News Source (Appleinsider)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Vulnerability in Apple MacBooks Which Could ruin Batteries"https://www.voiceofgreyhat.com/2011/07/vulnerability-in-apple-macbooks-which.html</a>

Google Chrome OS Has Security Hole (Black Hat 2011)

Black Hat Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can pilfered and it can't be commandeered when attackers exploit common software vulnerabilities.

But according to two researchers who spent the past few months analyzing the Chrome-powered Cr-48 beta released in December, the browser-based OS is vulnerable to many of the same serious attacks that afflict people surfing websites. As a result, users remain susceptible to exploits that can intercept email, documents, and passwords stored on centralized servers, many of which are maintained by Google.

“Even though they put these awesome security protections in place, we're just moving the security problems to the cloud now,” Matt Johansen, a researcher with WhiteHat Security, told The Register. “We're moving the software security problem that we've been dealing with forever to the cloud. They're doing a lot of things right, but it's not the end all and be all for security.”

Virtually all of the threats identified by Johansen and his WhiteHat colleague Kyle Osborn stem from Chrome's reliance on extensions, which are essentially web-based applications. A fair number of the extensions they analyzed contain XSS, or cross-site scripting, bugs, which have the potential to inject malicious code and content into a visitor's browser and in some cases steal credentials used to authenticate user accounts.

As they went about testing what kind of attacks various XSS vulnerabilities could allow, Johansen and Osborn noticed something curious: a bug in one extension often allowed them to hijack the communications of a second extension, even when the latter one had no identifiable security flaws. At the Black Hat security conference in Las Vegas on Wednesday, they demonstrated this weakness by exploiting an XSS hole in one extension to steal passwords from an otherwise secure account on cloud password storage service LastPass.

“If any of the other vulnerable extensions have an XSS hole, we can utilize JavaScript to hijack that communication,” Johansen said. “LastPass is doing absolutely nothing wrong here. You can have an extension that's perfectly fine, but if you have another that has a cross-site scripting error in it we can still access information in secure applications.”

The discovery has generated a quandary for the researchers.

“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”

After being informed of the specific attack, LastPass made changes to its Chrome extension that prevented it from being carried out, so it's reasonable to assume extension makers foot some of the responsibility for preventing their apps from being compromised by others. But Johansen couldn't rule out the possibility that vulnerabilities and other apps could probably make LastPass vulnerable again. He said Google might be able to fix the problem by overhauling the application programming interfaces extension developers use.

The researchers also demonstrated an XSS vulnerability in Scratchpad, a text-editor extension that's bundled with Chrome. By sharing files with names containing JavaScript commands stored on Google Docs they were able to obtain the Google session cookies of anyone who used a Chromebook to view the documents. An attacker could exploit the vulnerability to read a victim's email, or to send instant messages to everyone on the victim's contact list. If any of the contacts are using Chromebooks, they could be similarly vulnerable to booby-trapped filenames stored on Google Docs.

A Google spokeswoman defended the security of Chromebooks and said the vulnerabilities enumerated by the researchers weren't unique to the cloud-based OS. In an email, she issued the following statement:

This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.

The researchers stressed Google engineers were extremely quick to fix the Scratchpad vulnerability and awarded them a $1,000 bounty for their report. But they remain convinced that the security of Chrome OS in many cases is only as strong as its' weakest extensions. They also pointed out that penetration-testing tools such as the Browser Exploitation Framework could be used to help streamline attacks in much the way Metasploit is used to manage exploits for traditional machines.

And, Johansen said, Chrome hacking through XSS may be only the beginning, since the flaws are among the easiest to find and exploit.

“Who knows what we're going to be looking for months or years from now when Google can figure out a way to thwart the cross-site scripting threat,” he said. “Why would we be trying to write buffer overflows when we can just write a simple JavaScript command.” 

-News Source (The Register)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Google Chrome OS Has Security Hole (Black Hat 2011)"https://www.voiceofgreyhat.com/2011/08/google-chrome-os-has-security-hole.html</a>

Oracle to Mitigate 73 Security Vulnerabilities in Upcoming Critical Patch Update

Oracle is all set for the upcoming critical patch update. The pre-release announcement by the company indicates that in all 73 vulnerabilities associated with numerous products will be mitigated during the next critical patch update. The update will mitigate security vulnerabilities associated with Oracle database server, fusion middleware, enterprise manager, e-business suite, supply chain products, PeopleSoft, JD Edwards suite, Siebel CRM, industry applications, Sun products and Open office suite.

The company releases quarterly critical patch updates on Tuesday closest to 17th day of January, April, July and October. The company uses Common Vulnerability Scoring System (CVSS) version 2.0 to rate vulnerabilities. The vulnerabilities are assigned scores based on the prerequisites for exploiting the vulnerability, ease of exploit, and impact of the attack on availability, confidentiality and integrity. Base scores range from 0.0 to 10.0 with ten being the most severe vulnerability.

Vulnerabilities may be caused by technological flaws, programming errors, and other human errors. Developers are required constantly upgrade their technical skills through online IT degree courses, training programs and refresher courses to deal with ever evolving threats.

The critical patch update will address six vulnerabilities in database server. The vulnerabilities affect components such as application service level management, database vault, Oracle help, security service, warehouse builder, UIX and network foundation. Two of the six vulnerabilities do not require authentication for exploitation of vulnerabilities. Highest base score for security flaws affecting database server is 6.5. The update will mitigate 9 flaws associated with fusion middleware, 6 of which are exploitable without authentication.

The vulnerabilities affect Oracle help, HTTP server, JRockit, outside In technology, security service, WebLogic server, portal and single sign on. Oracle has assigned highest severity score of 10 for vulnerabilities affecting fusion middleware. 4 vulnerabilities will be fixed in Oracle applications, 2 of which are exploitable without authentication. The vulnerabilities have been assigned a base score of 4.3 and affect application object library, applications install, and web ADI. The update will resolve a flaw in Supply chain products suite, which is exploitable without authentication. Highest base score for vulnerability in supply chain products suite is 4.3 and affects Agile technology program.

14 security flaws have related to PeopleSoft Suite will be fixed in the upcoming critical patch, 1 of which is exploitable without authentication. Highest base score for security flaws associated with PeopleSoft suite is 4.3 and affects PeopleSoft Enterprise, Enterprise CRM, ELS, HRMS and People tools. The critical patch update will resolve 8 issues associated with JD Edwards suite, 7 of which are exploitable without authentication. Highest base score for vulnerabilities in JD Edwards suite is 6.4 and affects EnterpriseOne tools.

The update will address a vulnerability associated with industry applications, which affects InForm. Highest base score for vulnerability in industry applications is 5.5. 8 security flaws will be mitigated in Sun products suite, seven of which are exploitable without authentication. Oracle has assigned highest severity score of 10 for security flaws affecting Sun products suite. The components affected include Java Dynamic Management Kit, Java system web server, Solaris, OpenSSO Enterprise, GlassFish Enterprise server, java system application server, java system access manager policy agent, and java system messaging server.

The upcoming critical patch update will fix 8 security issues related to Open Office suite, of which 7 are exploitable without authentication. Highest base score for security flaws in Open Office suite is 9.3. Open Office, StarOffice and StarSuite are affected by the vulnerabilities.

Vulnerabilities are identified by professionals qualified in IT degree programs and security certifications such as penetration testing. Developers encourage both in-house and independent security researchers to detect and report security flaws so that they can be mitigated before exploitation by attackers.

Online IT courses, e-tutorials, security blogs and alerts from computer emergency response teams could help users in gaining insights on security threats, their implications and importance of security updates. Users must keep track of the security releases and install necessary updates to safeguard their systems and data from unauthorized access. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Oracle to Mitigate 73 Security Vulnerabilities in Upcoming Critical Patch Update"https://www.voiceofgreyhat.com/2011/04/oracle-to-mitigate-73-security.html</a>

Federal Network Security Breaches Increases 650 Times in Last Five Years Exclusive Report By GAO

The latest Government Accountability Office report underscored how poorly equipped federal departments and agencies are to prevent network security breaches. Security incidents at federal agencies have soared 650 percent over the past five years, according to a report from the Government Accountability Office.

In the past five years, the number of reported events has grown from 5,503 in 2006 to 41,776 in 2010, federal auditors wrote in a Government Accountability Office report released Oct. 3. The GAO compiled the report based on information security-related reports and data from 24 federal agencies and departments that were collected between September 2010 and October 2011.

Nearly 30 percent of incidents involved malware infections, making it the most prevalent cyber-event, the report found. Other common issues included violations of acceptable use policies and intrusions into networks, applications and other data resources.

"Of the 24 major agencies, none had fully or effectively implemented an agency-wide information security program," Gregory C. Wilshusen, GAO director for information security issues, wrote in the report.

Agencies are vulnerable to cyber-attack and other security issues because they have failed to implement proper security controls, GAO auditors wrote. Agencies do not always adequately train system security personnel, regularly monitor safeguards, fix vulnerabilities or resolve incidents in a timely manner when they do occur, according to the report. These problems leave the departments vulnerable to both external and internal threats, Wilshusen said.

"As long as agencies have not fully and effectively implemented their information security programs, including addressing the hundreds of recommendations that we and inspectors general have made, federal systems will remain at increased risk of attack or compromise," wrote Wilshusen.

The audit found that the Internal Revenue Service did not block employees from accessing databases not required for their jobs. Financial and taxpayer information "remain unnecessarily vulnerable" to insider threats. The fact that any employee had access to the systems meant there was an increased risk of "unauthorized disclosure, modification or destruction," the report said.

Another incident involved a network user who clicked on a malicious link in an email. The employee was told he'd won a new car in a lottery he'd supposedly entered when he answered some questions on a survey about his pets. The employee discovered later that several credit cards had been opened in his name and large amounts of pet supplies ordered without his knowledge, according to the report.

The GAO periodically updates Congress on how well federal departments are complying with the 2002 Federal Information Security Act. FISMA is supposed to help federal departments and agencies define security policies, conduct security awareness training and implement proper surveillance of computer safeguards. Under the law, passed in 2002, every agency in the federal government has to have information security programs and plans for managing risks in place.

This is not the first time in recent months the GAO has called out departments on lax information security. In an August report, the GAO issued an audit report of the Federal Deposit Insurance Corporation (FDIC) which showed the FDIC did not use strong passwords, review user access and failed to encrypt sensitive financial information. The August GAO report found weaknesses in FDIC controls that are supposed to manage system configurations, deploy patches, and segregate certain network activities.

To download the Government Accountability Office (GAO) report click Here

For more about GAO report Click Here

  

-News Source (Eweek & GOA)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Federal Network Security Breaches Increases 650 Times in Last Five Years Exclusive Report By GAO"https://www.voiceofgreyhat.com/2011/10/federal-network-security-breaches.html</a>

Google Patches Sidejacking Vulnerability

Google has been rolling out a server-side patch for the ClientLogin authentication protocol vulnerability that affects 99.7% of Android smartphones.
"We recently started rolling out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," said a Google spokesperson via email.

 Google's fix comes in response to a warning, published earlier this month by researchers at the University of Ulm in Germany, that Android devices could be exploited in a sidejacking-like attack. Just as website session cookies can be stolen (sidejacked), allowing attackers to impersonate a user, attackers could sniff data being sent to and from Android smartphones that are connected to unsecured Wi-Fi networks--by using a tool such as Wireshark--and capture tokens for any Google service that uses the ClientLogin authentication protocol. Applications that use this protocol include Google Calendar, Contacts, and Picasa, as well as third-party applications for Facebook and Twitter.
Android smartphone users running the latest OS, 2.3.4, were already protected against the vulnerability. But 99.7% of Android users are still on older operating systems.
Accordingly, Google's solution has been a server-side fix that forces Android devices to use HTTPS--to keep data encrypted--when syncing with the Google Contacts or Calendar, so that authentication credentials can't be intercepted. "The great news is that it doesn't require a software update on the Android devices themselves--meaning the fix is automatic and worldwide. Effectively this is a silent fix," said Graham Cluley, senior technology consultant at Sophos, in a blog post.
No attacks have been seen that exploit the vulnerability, and a fix is still in the works for Picasa. For now, Picasa users can mitigate the vulnerability by avoiding unsecured Wi-Fi networks, which would prevent their authentication credentials from being stolen.
Security-wise, Google's server-side patch is a crucial move because most cell phone carriers rarely push patches or OS updates to their customers. Because of that, some industry watchers had worried that Google would have difficulty securing older devices. For now, it's dodged that bullet, but in the future, major flaws could still pose a problem. "Concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates," said Cluley.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Google Patches Sidejacking Vulnerability"https://www.voiceofgreyhat.com/2011/05/google-patches-sidejacking.html</a>

Skype Fixes Android App Vulnerability

Skype has fixed the privacy vulnerability its Android application that allowed malicious apps to harvest user data.

The vulnerability has been addressed in the latest Skype for Android, Version 1.0.0.983, and the user data has been properly secured on the mobile device, Adrian Asher, chief information security officer at Skype, wrote on the Skype blog on April 20. The problem did not exist for Verizon customers.

Skype for Android was storing names, dates of birth, location information, account balances, phone numbers, email addresses and other biographic details in a nonencrypted and easily accessible file on the mobile device, Justin Case, an amateur Android developer, wrote on the Android Police blog on April 15. Any rogue app could have harvested the personal data as well as old instant messages from insecure database files, according to Case.

Android by default sandboxes applications so that data from one app can’t be accessed by another. In this case, Skype overwrote the default by assigning incorrect file-level permissions, Case said. The data-collecting app Case developed to demonstrate the vulnerability did not require any unusual permissions and worked on non-jailbroken Android devices.

“We have had no reported examples of any third-party malicious application misusing information from the Skype directory on Android devices,” Asher said.

Case confirmed that the updated version closed the security hole and that his sample rogue app no longer can access the information stored in the database, David Ruddock posted on the Android Police blog. Skype changed the permissions of the databases where the data was stored so that only the Skype app can access the information, Ruddock said.

Case noted that the database files were unencrypted in his original analysis. Skype did not respond to eWEEK’s requests for whether the data is encrypted in the new version.

Case originally discovered the issue in the beta version of Skype Video that had been released last week. The fix will be addressed when Skype launches the official version.

In addition to the security fix, Skype added the ability to make VOIP (voice over IP) calls over 3G data connections to the app, even for calls in the United States. The 3G calling feature in the app will not be supported for Android phones over the Verizon Wireless network because Verizon already allows 3G Skype calls, thanks to an exclusive partner agreement signed in 2010.

The Android app previously allowed users to only send instant messages or place calls using the phone’s existing service or over WiFi. With this new version, users can call anyone without using up any minutes on their calling plan because the calls are carried over the mobile data plan. Bypassing the mobile carrier is not entirely free, as users are still subject to Skype fees.

Major carriers have opposed the practice in the past, and only Verizon customers had Skype’s VOIP capability up until now. Even if users aren’t interested in 3G calls, they should upgrade just for the security fix.

Asher reminded users to download the app only from Skype or the official Android Market links to avoid malicious apps.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Skype Fixes Android App Vulnerability"https://www.voiceofgreyhat.com/2011/04/skype-fixes-android-app-vulnerability.html</a>

Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes

Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes 

This is the third time in a year when Oracle has updated the standard edition of Java platform. This release includes new security controls in addition to a bug fix and updated timezone data. This latest update also contains a number of security enhancements and is now certified for Mac OS X 10.8 and Windows 8. The security enhancements include the ability to disable any Java application from running in the browser and the ability to set a desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications. While keeping in mind the last security issues with Java, in the press release of this Java update Oracle said "if the JRE is deemed expired or insecure, additional security warnings are displayed. In most of these dialogs, the user has the option to block running the app, to continue running the app, or to go to java.com to download the latest release."

Security Feature Enhancements

The JDK 7u10 release includes the following enhancements:

• The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
• The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
• New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.

For more information, see Setting the Level of Security for the Java Client and Java Control Panel.

Bug Fixes

Notable Bug Fixes in JDK 7u10

The following are some of the notable bug fixes included in JDK 7u10.

Area: java command

Description: Wildcard expansion for single entry classpath does not work on Windows platforms.

The Java command and Setting the classpath documents describe how the wildcard character (*) can be used in a classpath element to expand into a list of the .jar files in the associated directory, separated by the classpath separator (;).

This wildcard expansion does not work in a Windows command shell for a single element classpath due to the Microsoft bug described in Wildcard Handling is Broken.

See 7146424.

For a list of other bug fixes included in this release, see JDK 7u10 Bug Fixes page. 

The updated Java Development Kit and Java Runtime Environment are available to download from the Oracle site. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes"https://www.voiceofgreyhat.com/2012/12/Oracle-Released-Java7-update-10.html</a>

Microsoft Patches Serious 34 Vulnerabilities

In today's Patch Tuesday, Microsoft released 16 bulletins addressing 34 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, VML and ISA. Nine of the bulletins are rated Critical, with seven rated as Important. Wolfgang Kandek, Qualys CTO, comments: "The only bulletin with a known expoit in the wild is MS11-046, a local privilege escalation flaw in the "afd.sys" driver. IT admins can check with their end-point security providers for coverage, but should include this bulletin high on their to-do lists in any case, as it is only a matter of time until we see more attackers use malware taking advantage of this exploit to gain control of your workstations."

Here are the bulletins:-

Vulnerability in OLE Automation 
This security update resolves a privately reported vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user visits a Web site containing a specially crafted Windows Metafile (WMF) image. In all cases, however, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to convince users to visit a malicious Web site, typically by getting them to click a link in an e-mail message or Instant Messenger request.

Vulnerability in .NET Framework and Microsoft Silverlight
This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Vulnerability in Threat Management Gateway Firewall Client 
This security update resolves a privately reported vulnerability in the Microsoft Forefront Threat Management Gateway (TMG) 2010 Client, formerly named the Microsoft Forefront Threat Management Gateway Firewall Client. The vulnerability could allow remote code execution if an attacker leveraged a client computer to make specific requests on a system where the TMG firewall client is used.

Vulnerability in Windows Kernel-Mode Drivers
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a network share (or visits a web site that points to a network share) containing a specially crafted OpenType font (OTF). In all cases, however, an attacker would have no way to force a user to visit such a web site or network share. Instead, an attacker would have to convince a user to visit the web site or network share, typically by getting them to click a link in an e-mail message or Instant Messenger message.

Vulnerabilities in Distributed File System
This security update resolves two privately reported vulnerabilities in the Microsoft Distributed File System (DFS). The more severe of these vulnerabilities could allow remote code execution when an attacker sends a specially crafted DFS response to a client-initiated DFS request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Vulnerability in SMB Client
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.

Vulnerability in .NET Framework
This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Cumulative Security Update for Internet Explorer
This security update resolves eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Vector Markup Language
This security update resolves a privately reported vulnerability in the Microsoft implementation of Vector Markup Language (VML). This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerability.

The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in MHTML
This security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user opens a specially crafted URL from an attacker's Web site. An attacker would have to convince the user to visit the Web site, typically by getting them to follow a link in an e-mail message or Instant Messenger message.

Vulnerabilities in Microsoft Excel
This security update resolves eight privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-1272, CVE-2011-1273, and CVE-2011-1279. Microsoft Excel 2010 is only affected by CVE-2011-1273 described in this bulletin. The automated Microsoft Fix it solution, "Disable Edit in Protected View for Excel 2010," available in Microsoft Knowledge Base Article 2501584, blocks the attack vectors for exploiting CVE-2011-1273.

Vulnerability in Ancillary Function Driver
This security update resolves a publicly disclosed vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). The vulnerability could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.

Vulnerability in Hyper-V Could
This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a specially crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to send specially crafted content from a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Vulnerability in SMB Server
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit this vulnerability.

Vulnerability in the Microsoft XML Editor
This security update resolves a privately reported vulnerability in Microsoft XML Editor. The vulnerability could allow information disclosure if a user opened a specially crafted Web Service Discovery (.disco) file with one of the affected software listed in this bulletin. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.

Vulnerability in Active Directory Certificate Services Web Enrollment
This security update resolves a privately reported vulnerability in Active Directory Certificate Services Web Enrollment. The vulnerability is a cross-site scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the site in the context of the target user. An attacker who successfully exploited this vulnerability would need to send a specially crafted link and convince a user to click the link. In all cases, however, an attacker would have no way to force a user to visit the Web site. Instead, an attacker would have to persuade a user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the vulnerable Web site.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Microsoft Patches Serious 34 Vulnerabilities"https://www.voiceofgreyhat.com/2011/06/microsoft-patches-serious-34.html</a>