Skip to content

Gotham Security Daily Threat Alerts

by on June 3, 2016

June 2, Help Net Security – (International) KeePass update check MitM flaw can lead to malicious downloads. A security researcher reported that all versions of KeePass, an open source password manager, were susceptible to a man-in-the-middle (MitM) attack that could allow attackers to trick users into downloading malware disguised as a software update as the product uses Hypertext Transfer Protocol (HTTP) to request the current version information, allowing an attacker to modify the server response. A KeePass developer stated the vulnerability will not be fixed as the cost of switching to Hypertext Transfer Protocol Secure (HTTPS) make it a inviable solution. Source

June 2, SecurityWeek – (International) Cisco fixes flaws in network analysis modules. Cisco released patches addressing high and medium severity vulnerabilities in its Prime Network Analysis Module products that could allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition by sending a specially crafted Internet Protocol v6 (IPv6) packets on the network, as well as remotely execute arbitrary commands on the underlying operating system via specially crafted Hypertext Transfer Protocol (HTTP). Source

June 1, Softpedia – (International) Google fixes 15 security bugs in Chrome, awards $26,000 to researchers. Google released version 51.0.2704.79 for its Chrome Web browser which fixes 15 security flaws including two high-level vulnerabilities that could allow attackers to bypass the browser’s cross-origin code execution restrictions and run malicious code via the Blink engine and its Extensions component. The new Web browser version also patched some flaws that crashed the browser or scrambled up its download file paths. Source

June 1, Softpedia – (International) Microsoft patches Outlook.com to fix recent spam flood. Microsoft released a patch for its Outlook and Hotmail products after the company received reports of a massive spam flood that bypassed the products spam filters, allowing hackers to inundate users with Viagra ads and Russian bride ads. Source

June 1, SecurityWeek – (International) ABB patches password flaws in substation automation tool. ABB released software updates for one of its substation automation products, PCM600 after a security researcher from Positive Technologies found several vulnerabilities in industrial control systems (ICS) and found that the PCM600 product was plagued with four password-related flaws. The flaw can be exploited via the hash, which can be easily broken and allow an attacker to obtain the password. Source

June 1, SecurityWeek – (International) User data possible stolen in Scrum.org hack. Scrum.org released a patch and warned its users that their usernames, email addresses, encrypted passwords, password decryption keys, profile pictures, and certification information may have been compromised after an investigation revealed that an unknown user had created a new admin account on the mail server and modified the settings. In addition, Scrum.org was notified that its software was plagued with a flaw that could be exploited to conduct the same malicious activities. Source

Reprinted from the USDHS Daily Open Source Infrastructure Report

From → Security

Comments are closed.

%d bloggers like this: