Security Alerts & News
by Tymoteusz A. Góral

History
#638 Cisco patches Denial-of-Service flaws across three products
Cisco released software updates to address five separate denial of service vulnerabilities, all which the company considers either high or critical severity, across its product line this week.

According to a series of security advisories issued on Wednesday, three of the five vulnerabilities exist in Cisco’s Wireless LAN Controller (WLC) devices, commonly used to manage and secure wireless networks in the enterprise.

The most pressing WLC vulnerability, marked critical, stems from improper handling of HTTP traffic, meaning an attacker could send a request to a device and from there trigger a buffer overflow condition, and subsequently, a denial of service condition.

The issue affects a wide spectrum of Cisco WLC devices, including those running 7.2, 7.3, 7.4 prior to 7.4.140.0(MD), 7.5, 7.6, and 8.0, prior to 8.0.115.0(ED).
#637 UK intel agencies spy indiscriminately on millions of innocent folks
The UK's intelligence agencies (MI5, MI6, and GCHQ) are spying on everything you do, and with only the flimsiest of safeguards in place to prevent abuse, according to more than a thousand pages of documents published today as a result of a lawsuit filed by Privacy International.

The documents reveal the details of so-called "Bulk Personal Datasets," or BPDs, which can contain "hundreds to millions of records" on people who are not suspected of any wrongdoing.

These records can be “anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities,” Privacy International legal officer Millie Graham Wood said in a statement. "The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data."
#636 Adobe patches DOM-XSS flaw in analytics AppMeasurement for Flash library
Adobe today patched a vulnerability in the Adobe Analytics AppMeasurement for Flash library, which can be added to Flash projects to measure the usage of Flash-based content.

The vulnerability is a DOM-based cross-site scripting flaw that can be abused for cookie theft, said researcher Randy Westergren Jr., who privately disclosed the issue to Adobe.

Unlike traditional cross-site scripting exploits, where a payload is dropped onto a page in response to a HTTP(S) request, DOM-based XSS attacks modify the DOM environment in the browser used by client-side script, and malicious code affects the execution client-side code contained on a site, according to OWASP.
#635 Opera bundles free, unlimited VPN client into its browser
Opera Software has become the first major browser maker to introduce a built-in VPN client for its Web users.

The Norwegian company said that the latest version of its browser is only available via its "Developer" channel, and added that the VPN service is currently free of charge, and has no limits in traffic or usage time.

Opera users can choose between the firm's VPN servers in the US, Canada, and Germany—with the promise that the list of locations will grow longer soon.

The main advantages of having a VPN client built into the browser include improving public Wi-Fi security, hiding the IP address, and bypassing website access restrictions, Opera said.
#634 Test of telephone support services for Windows consumer security software 2016 (PDF)
Given the numerous risks to be found on the Internet today, effective antimalware software is essential when going online. If a user is unable to install or activate their security program, or it is not working as expected, rapid help from an expert is called for. Arguably the quickest way of getting assistance is to pick up the phone and speak to one of the manufacturer’s support agents. The aim of Support Tests is to assess how quickly and effectively the vendor’s support services cope with typical questions.

This report was initially requested and commissioned by PCgo and PC Magazin Germany.
#633 Sony trots out 2-factor authentication 5 years after breach
Five years after a hack exposed the data of 77 million users, Sony is finally adding two-factor authentication to its PlayStation Network.

The company did not provide details on the new service, but did say it was still under development and would be released at a later date. As passwords fall out of favor as a security construct, the current popular alternative is two-factor authentication, which requires the user have a second factor in order to gain access to a service.

Popular two-factor authentication schemes today include one-time passcodes sent via mobile SMS or to an email address. In addition, some online services, such as Google, are beginning to explore two-factor authentication using technology based on public key cryptography.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12