Posted by Avik Sarkar
On 4/18/2013 06:08:00 pm
42 Java Holes Fixed By Oracle in April 2013 Critical Patch Update (CPU) Advisory
The Oracle Corporation has released what it called a critical patch update for its Web-based Java programming language. Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plugin. The Java update also introduces new features designed to alert users about the security risks of running certain Java content. The April patch, which targets 42 vulnerabilities, 19 of which have a severity rating of 10 (highest possible threat level) includes a majority of vulnerabilities that are currently being exploited. Among those 42 new security fixes across Java SE products of which 2 are applicable to server deployments of Java. According to Oracle, “39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” Along with the fixes, Oracle changed the default setting of Java SE. Java applets will no longer run in a Web browser unless they have been digitally signed until a warning prompt is acknowledged. It has also extended how users will be alerted of other Java-related security issues. According to renowned security expert and blogger Brian Krebs - Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin). Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority. Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future. Java applications considered to be higher risk — such as those that use an untrusted or expired
certificate — will be accompanied by a prompt with a yellow exclamation point in a yellow warning triangle.
Affected Product Releases and Versions:-
| Java SE | Patch Availability |
|---|
| JDK and JRE 7 Update 17 and earlier | Java SE |
| JDK and JRE 6 Update 43 and earlier | Java SE |
| JDK and JRE 5.0 Update 41 and earlier | Java SE |
| JavaFX 2.2.7 and earlier | JavaFX |
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. As Java has been run by millions of devices and users across
the globe, so we urge all of our readers to install and apply the security fixes to avoid any kind of threats. Note that - Oracle said that this week's security updates don't take care of all known flaws, they do address all known vulnerabilities currently being exploited in the wild.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 11/09/2012 04:30:00 am
Chrome 23 Closes 15 Security Vulnerabilities, Promises Longer Battery Life & Added Do Not Track (DNT)
The searching giant Google finally included the Do Not Track (DNT) option into its first stable version of the company's browser which is Google Chrome 23. In February internet giant Google has agreed with the White House's Consumer Privacy Bill and here comes the result. Google has implemented the Do Not Track (DNT) header in its Chrome web browser. Few months ago Microsoft made Do Not Track (DNT) facility available by default in Internet Explorer 10. Also the Redmond based software giant drew some criticism recently for its decision to enable Do Not Track by default in IE 10. First it was Mozilla who proposed the Do Not Track mechanism, in Firefox in June 2011 when it released Firefox 5. The DNT option is disabled by default in Chrome and in order to turn it on, users need to go to the customization menu in the top right corner of the browser window. Then click on the Settings option in the left side and scroll down to open the Advanced Settings menu. Under the Privacy menu, check the box next to the "Send a 'Do Not Track' request with your browsing traffic" option. Once that option is enabled, the user will see a message explaining what the DNT system will do for them.
Not only DNT, with the release of Chrome 23, Google closes several security holes and promises to improve battery life for some users. For systems with dedicated graphics chips that support Chrome's GPU-accelerated video decoding, version 23 of the WebKit-based browser is said to significantly reduce power consumption. According to Google, batteries lasted on average 25% longer in its tests when GPU-accelerated video decoding was enabled compared to only using a system's CPU when streaming online videos. Version 23 of Chrome also addresses a total of 15 security vulnerabilities in the browser, 6 of which are rated as "high severity". These include high-risk use-after-free problems in video layout and in SVG filter handling, a integer bounds check issue in GPU command buffers and a memory corruption flaw in texture handling; a Mac-only problem related to wild writes in buggy graphics drivers has also been fixed. Eight medium-severity flaws including an integer overflow that could lead to an out-of-bounds read in WebP handling, and a low-risk have also been corrected. As part of its Chromium Security Vulnerability Rewards program, Google paid security researchers $9,000 for discovering and reporting these flaws. The update to Chrome also includes a new version of the Adobe Flash Player plugin which eliminates a number of critical vulnerabilities, all of which were discovered by the Google Security Team. Further information about the new features can be found in the release announcement, while a full list of security fixes is provided in a post on the Chrome Releases blog. Chrome 23.0.1271.64 is available to download for Windows, Mac OS X and Linux users.
-Source (Google Chrome Blog, The-H & threatpost)
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 10/13/2012 01:26:00 am
THC-IPv6 Attack Toolkit, A Tool to Attack the Inherent Protocol Weaknesses of IPV6 & ICMP6
German hackers group, widely known as
THC -The Hacker's Choice released an comprehensive attack toolkit for the
IPv6 protocol suite named
'THC-IPv6 Attack Toolkit'.
THC is the first group who is releasing such attacking tool for IPv6 protocol. According to the
release note this is a complete tool set to attack the inherent protocol weaknesses of
IPV6 and
ICMP6, and includes an easy to use packet factory library. It comprises of state-of-the-art tools for alive scanning,
man-in-the-middle attacks, denial-of-service etc. which exploits inherent vulnerabilities in IPv6.
Features at a Glance:-
- parasite6: icmp neighbor solitication/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
- alive6: an effective alive scanng, which will detect all systems listening to this address
- dnsdict6: parallized dns ipv6 dictionary bruteforcer
- fake_router6: announce yourself as a router on the network, with the highest priority
- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
- toobig6: mtu decreaser with the same intelligence as redir6
- detect-new-ip6: detect new ip6 devices which join the network, you can run a script to automatically scan these systems etc.
- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS).
- trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-SYN
- flood_router6: flood a target with random router advertisements
- flood_advertise6: flood a target with random neighbor advertisements
- exploit6: known ipv6 vulnerabilities to test against a target
- denial6: a collection of denial-of-service tests againsts a target
- fuzz_ip6: fuzzer for ipv6
- implementation6: performs various implementation checks on ipv6
- implementation6d: listen daemon for implementation6 to check behind a fw
- fake_mld6: announce yourself in a multicast group of your choice on the net
- fake_mld26: same but for MLDv2
- fake_mldrouter6: fake MLD router messages
- fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
- fake_advertiser6: announce yourself on the network
- smurf6: local smurfer
- rsmurf6: remote smurfer, known to work only against linux at the moment
- sendpees6: a tool by willdamn(ad)gmail.com, which generates a neighbor solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.
- thcping6: sends a hand crafted ping6 packet [and about 25 more tools for you to discover]
For detailed information about the usage, library interface & so on click
here. To Download
THC-IPv6 Attack Toolkit Click Here (Linux Only). For those who are hearing the name THC first time, we want to give you reminder that before this tool, this German hackers group published few other hack tools like Hydra (Fastest Login Cracker), THC SSL Dos and so on.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 10/11/2012 03:51:00 am
Nessus 5.0.2 Vulnerability Scanner Released & Available For Download
Earlier we have discussed several times about
Nessus, a proprietary comprehensive vulnerability scanning tool. After almost
six months, yet again Tenable Network Security officially announced the availability of
Nessus 5.0.2. According to surveys done by
sectools.org, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey. Tenable estimates that it is used by over 75,000 organizations worldwide. This update is largely a
bugfix release, however a new build for
Solaris 10 is now available. The major issues addressed in 5.0.2 include enhanced support for UTF8 encoding problems in reports and the detection of network congestion errors during scans more conservatively.
Official Change Log for Nessus 5.0.2:-
- UTF8 encoding problems would sometimes cause the generation of reports to fail
- Fixed a case where generating some compliance checks reports would cause the scanner to hang, using 100% of the CPU
- Resolved a resource leak issue occurring when a large number of different users are connected at the same time
- Network congestion errors are now detected more conservatively
- Upgraded libxml2, libxslt, openssl to their newest versions
- Some nessusd.rules directives were not honored by the port scanners
- Solaris 10 build
Other fixes:-
- Smarter max_hosts and global.max_hosts defaults
- Added support for named virtual hosts for IPv6
- Fixed a memory leak when mixing IPv4 and IPv6 targets
- Fixed the systemd control script (Fedora 16)
- Fixed a crash in nessus-mkcert on the command-line (Win32)
- Fixed a crash in localtime(), when passed an invalid argument (Win32)
- Fixed scratchpad_query() to allow NULL arguments
- PSSDK fix (Win32)
To Download Nessus 5.0.2 Click Here
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 4/28/2012 02:56:00 pm
Red Hat Announced Beta of Red Hat Enterprise Linux 6.3
Just over four months after the
release of
Red Hat Enterprise Linux (RHEL) 6.2, developer at
RedHat has made a beta of version of
RHEL 6.3 available. This beta includes a broad set of updates to the existing feature set and also provides rich new functionality particularly in the areas of
virtualization, scalability, storage, file systems, and
security. As always, the Red Hat Enterprise Linux 6.3 beta delivers new hardware enablement made possible by our strong relationships with our strategic hardware partners. This beta release has been designed for optimized performance, scalability, and reliability to cater to the diverse workloads running in physical, virtual and cloud environments.
Virtualization-
- A new tool called Virt-P2V that facilitates the conversion of physical Windows or Red Hat Enterprise Linux systems into virtual images to be deployed as KVM guests inside Red Hat Enterprise Linux or Red Hat Enterprise Virtualization.
- Stronger compliance with Payment Card Industry Data Security Standards (PCI-DSS), including the ability to perform secure wipes of virtual machine disks.
- The ability to perform live volume resizing, improving the overall availability of virtualized guests.
- The maximum number of virtual CPUs (vCPUs) has been increased from 64 to 160, which lets you run larger CPU-intensive workloads on the Red Hat Enterprise Linux platform. VMware ESX 5.0 currently support 32 vCPUs.
- The maximum supported memory configuration for KVM guests has been increased from 512GB to 2TB.
File Systems-
- GFS2 enhancements that create faster read-write capabilities for specific use cases.
- Support of O_Direct in FUSE (Filesystem in User Space), which can provide improved performance for certain workloads.
- Simplified configuration and administration for the file system. Integration of automount capability with System Security Services Daemon (SSSD) provides centralized management of configuration data and the ability to improve performance through caching and load balancing. (This feature is a Technology Preview.)
Storage-
- Red Hat Enterprise Linux 6.3 provides full support for Fibre Channel over Ethernet (FCoE) Target. This feature, which was previously provided as a Technology Preview, allows customers to present their Red Hat Enterprise Linux servers as FCoE storage devices. This feature complements the FCoE Initiator support that was delivered in Red Hat Enterprise Linux 6.0.
- The Logical Volume Manager (LVM) now provides support for RAID levels 4, 5, and 6. (Previously, support for these RAID levels was provided through the MD subsystem.) This expanded LVM RAID support simplifies overall storage administration by consolidating all management functions, such as creating volumes, resizing volumes, deploying RAID, taking snapshots, etc., into a single interface. (This feature is a Technology Preview.)
- The LVM now provides the ability to create thin provisioned logical volumes. Previously, storage was allocated when the volume was created, and needed to be monitored for space consumption and expanded manually. In Red Hat Enterprise Linux 6.3, storage is allocated as required, allowing volumes to expand up to the requested size on demand without intervention. (This feature is a Technology Preview.)
Security-
- Availability of a two-factor authentication mechanism, enhancing the overall security available to lock down Red Hat Enterprise Linux environments and enabling compliance with industry standards such as PCI-DSS.
- Expansion of the Advanced Encryption Standard (AES) to provide particular benefits for system performance on multi-processor machines.
Identity Management-
- With native support for netgroups and the services map in System Security Services Daemon (SSSD), Red Hat Enterprise Linux servers can be integrated into centralized systems -- such as Active Directory -- to manage system users.
- The addition of an automembership plug-in streamlines the administration of new users and hosts when they are added into the Identity Management system by automatically placing them into a predefined set of groups, speeding user and host provisioning.
- Performance improvements through session data caching, which lowers the overall load on authentication servers.
Hardware Enablement-
- Software bandwidth management for USB 3.0 for select Intel platforms is now available.
- Compiler optimization for Intel Xeon E5 processor family, which improves the result of string operations, is now included.
- Improvements to memory and I/O breakpoint execution operations within compiler tools are now included.
Developer Tools-
- With the introduction of OpenJDK 7, customers can develop and test with the latest version of open source Java.
To Download Red Hat Enterprise Linux 6.3 Click Here
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 4/20/2012 06:43:00 pm
Oracle Issued Critical Patch Update To Close 88 Security Hole
As part of its Critical Patch Update (CPU) Oracle released 88 security fixes addressing vulnerabilities in over 35 products in its portfolio. Last CPU of Oracle closed 78 security holes but this time the list added ten more so 78 became 88. Unlike Microsoft, which releases patches every month, Oracle follows a quarterly patch schedule across its entire product portfolio, excluding Oracle Enterprise Linux and Java. This April's Critical Patch Update contains six fixes for the Oracle Database Server, 11 for Oracle Fusion Middleware, 15 in Oracle Sun products, and six in MySQL, the company said in its CPU advisory released Apr. 17. Other affected suites include Oracle Enterprise Manager Grid Control, Oracle e-Business Suite, Oracle Supply Chain, Oracle PeopleSoft, Oracle Industry Applications, Oracle Financial Services, and Oracle Primavera Products. There are 15 new security fixes for the Oracle Sun Products Suite, five of which could be remotely exploited without the need for a username or password. Of the 88 fixes, 33 were considered critical, meaning they could be remotely exploited without needing a username and password. In contrast, January's CPU had only 16 remote code execution vulnerabilities. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," the company said in the advisory.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 3/15/2012 10:37:00 pm
NetBSD 6.0 BETA Is Available For Testing
Earlier in this year we got both
FreeBSD & PCBSD 9 along with
GhostBSD 2.5 Final version. Now its the time for NetBSD, and as expected The
NetBSD developers have
released a public beta of NetBSD 6.0 for testing purpose. This beta is substantially feature-complete; there may be some additional changes to the installer and possibly some additional hardware support if some is found missing and is easily added, but the major changes are done. What we need now is for you, the end users, to test it in your preferred configuration.
Change Log:-
- syslog improvements: Reliable TCP connections, encryption, syslog protocol API.
- LKMs removed; superseded by the new module(7) framework.
- Boot loaders on some arches (i386, amd64) support loading modules at boot.
- Added crash(8) a new utility based on ddb(4) to diagnose kernel crashes.
- Added netpgp(1), a BSD-licensed implementation of PGP.
- Added LVM (Logical Volume Manager) functionality.
- Multiprocessor support for Xen PV DomUs.
- Xen2 support has been dropped.
- Better Xen PV support on Linux dom0, including Citrix XenServer and Xen Cloud Platform.
- Much improved copmpat_linux support for running Linux binaries.
- x.org was updated with new versions of most utilities, and the X server.
- Some arches now default to UFS2 in sysinst.
- FFS: softdep is no longer available, use WAPBL logging instead.
- gpio(4) has been completely reworked to integrate with kauth(9)
- evbarm now have support for Gumstix Verdex and Verdex Pro, Marvell Sheevaplug and other Marvell SoC NAS boxes, i.MX51 SoC.
- arm platforms has support for Cortex-A8 CPUs.
- pfsync(4) from OpenBSD 4.2
- mDNSResponder is now in base.
- raid(4) now has parity maps, greatly improving parity rewrite times after unclean shutdown.
- Added support for 64-bit MIPS processors (O32, N32, N64 ABIs are supported)
- Added mkubootimage(1) tool for generating u-boot kernel images.
- Added NPF - the NetBSD Packet Filter - a work in progress.
- xz(1) - imported XZ compression tool.
- resize_ffs(8) - support for growing FFSv1 and FFSv2 file systems, and shrinking FFSv1.
- amd64,i386: booting from a disk with GUID Partition Table (gpt) is now possible.
- iSCSI: added an in-kernel iSCSI initiator, from Wasabi Systems.
- Added flash(9) and nand(9) subsystems to handle flash devices and NAND controllers.
- Added CHFS, a file system for flash(9) devices.
- Reworked quota subsystem for FFS
- Added TLS (Thread Local Storage) support for most platforms.
- Added dtv(4), a Digital TV framework.
- MIPS: add support for RALink RT3883 SoC
- sparc64: add support for Enterprise (Ex[45]00) systems, most ultrasparc III and IIIi systems.
- gcc 4.5.3 is the default compiler
- Support for building most of the tree with clang.
- devpubd(8) added, a device publishing daemon
- Xen: support for suspend/resume
- SQLite 3 is now in the base system.
- audio(9): audio drivers are now MP-safe.
- tprof(8): a sampling-based profiler
- x86, Xen: added CPU microcode loading support via cpuctl(8).
- Trusted Platform support added: TrouSerS, tpm-tools, and tpm(4).
- Added posix_spawn() functions.
- New apropos(1) implementation using SQLite Full Text Index.
To Download NetBSD 6.0_BETA binaries Click Here
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 3/02/2012 02:53:00 am
SUSE® Linux Enterprise 11 Service Pack 2 (SP2) Released
SUSE officially announced the general availability of SUSE® Linux Enterprise 11 Service Pack 2 (SP2). According to the official press release- With Service Pack 2, you get improved reliability, availability and serviceability and virtualization along with support for more third-party hardware. Because it's designed for interoperability and optimized for physical, virtual and cloud environments, SUSE Linux Enterprise Server paves the way for your future growth. It enables you to maximize the utilization of your existing IT resources and move easily from older physical servers to new, more powerful ones as they become available or your business needs change. SUSE Linux Enterprise Server is the most versatile and reliable Linux for mission-critical environments because we are committed to its continuous enhancement.
SUSE® Linux Enterprise 11 Service Pack 2 At a Glance:-
Improved Performance
Twenty percent faster through scheduler and memory management enhancements in the 3.0 Linux kernel:-
- Improved performance of compute and memory intensive workloads with support for transparent huge pages
- Faster network performance through transparent per-CPU load balancing on multi-queue devices
- Control groups enhancements—I/O throttling and memory cgroup controller optimization—for optimal performance
- 10x faster speeds with USB 3.0
Improved Reliability, Availability and Serviceability
Run SUSE Linux Enterprise Server with even greater confidence with these new features:-
- Support for new hardware RAS features, like CPU and memory off-lining
- btrfs support—improved services availability and data integrity with copy on write, integrated volume management, and checksums. New snapshot and rollback capabilities offer improved resilience
Better Security and Enhanced Hardware Support
Secure your environment, and grow rapidly—or at your own pace—with Service Pack 2 (SP2) enhancements that include:-
- Role based access controls in AppArmor®
- More powerful firewalls with faster packet filtering
- Support for fanotify—for improved support of third-party anti-virus solutions
- New drivers for over 500 of the latest CPUs, chipsets, networking devices and storage systems
More Robust Virtualization Capabilities
SP2 enables you to utilize resources more efficiently and migrate workloads to virtual and cloud environments with features such as:-
- Support for Linux Containers—high efficiency, low overhead OS virtualization
- Updated Xen 4.1 and KVM 0.15+ hypervisors
- Windows guest OS support in KVM
- Improved virtual machine guest OS performance with additional paravirtualized drivers for Xen, KVM, VMware vSphere and MSFT Hyper-V
For 60 Days Free 60-Day Evaluation Click Here
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 1/18/2012 11:31:00 pm
As expected
Oracle today officially released their January security update. In this critical patch update they have closed
78 security holes. The company says that these patch day updates address vulnerabilities in "hundreds of Oracle products". 16 of the vulnerabilities patched are remotely exploitable without authentication. Affected products include Oracle Database 10g and 11g, Fusion Middleware 11g, Application Server 10g, Outside In Technology, WebLogic Server, versions 11i and 12 of its E-Business Suite, Oracle Transportation Management, JD Edwards, Sun Ray, VM Virtualbox, Virtual Desktop Infrastructure, MySQL Server, and PeopleSoft Enterprise CRM, HCM and PeopleTools,. A vulnerability in Solaris 9, 10 and 11 Express's TCP/IP is the highest rated of these with a CVSS score of 7.8 out of 10.0.
According to Oracle:-
Affected Products & Components:-
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policyis as follows:
| Affected Products and Versions | Patch Availability |
|---|
|
| Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3 | Database |
| Oracle Database 11g Release 1, version 11.1.0.7 | Database |
| Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 | Database |
| Oracle Database 10g Release 1, version 10.1.0.5 | Database |
| Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0 | Fusion Middleware |
| Oracle Application Server 10g Release 3, version 10.1.3.5.0 | Fusion Middleware |
| Oracle Outside In Technology, versions 8.3.5, 8.3.7 | Fusion Middleware |
| Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5) | Fusion Middleware |
| Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3 | E-Business Suite |
| Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite |
| Oracle Transportation Management, versions 5.5, 6.0, 6.1, 6.2 | Oracle Supply Chain |
| Oracle PeopleSoft Enterprise CRM, version 8.9 | PeopleSoft |
| Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1 | PeopleSoft |
| Oracle PeopleSoft Enterprise PeopleTools, version 8.52 | PeopleSoft |
| Oracle JDEdwards, version 8.98 | JDEdwards |
| Oracle Sun Product Suite | Oracle Sun Product Suite |
| Oracle VM VirtualBox, version 4.1 | Oracle Virtualization Product Suite |
| Oracle Virtual Desktop Infrastructure, version 3.2 | Oracle Virtualization Product Suite |
| Oracle MySQL Server, versions 5.0, 5.1, 5.5 | Oracle MySQL Product Suite |
For More Information Click Here
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
