Monday, October 23, 2017

2934088 – Vulnerability in Internet Explorer Could Allow Remote Code Execution...

Revision Note: V2.0 (March 11, 2014): Advisory updated to reflect publication of security bulletin. Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS14-012 to address this issue. For more in...

TA14-069A: Microsoft Ending Support for Windows XP and Office 2003

Original release date: March 10, 2014 | Last revised: June 18, 2014

Systems Affected
Microsoft Windows XP with Service Pack 3 (SP3) Operating System
Microsoft Office 2003 Products

Overview
Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:
Security patches, which help protect PCs from harmful viruses, spyware, and other malicious software
Assisted technical support from Microsoft
Software and content updates

Description
All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3]
Microsoft will send “End of Support” notifications to users of Windows XP who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration Manager, or Windows Intune will not receive the notification. [4]

Impact
Computer systems running unsupported software are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss.
Users may also encounter problems with software and hardware compatibility, since new software applications and hardware devices may not be built for Windows XP or Office 2003.
Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements. [4]

Solution
Computers operating Windows XP with SP3 or running Office 2003 products will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats.
Users have the option to upgrade to a currently supported operating system or office productivity suite. The Microsoft “End of Support” pages for Windows XP and Office 2003 offer additional details.
There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows XP or Office 2003 to a currently supported operating system or office productivity suite. US-CERT does not endorse or support any particular product or vendor.
Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.

References
[1] Support is ending for Office 2003
[2] Windows lifecycle fact sheet
[3] Operating system market share
[4] Support for Windows XP is ending

Revision History
March 10, 2014 - Initial Release
June 18, 2014 - A spelling correction was made.

iOS 7.1

This update contains improvements and bug fixes, including: CarPlay: iOS experience designed for the car. Simply connect your iPhone to a CarPlay enabled vehicle. Supports Phone, Music, Maps, Messages, and 3rd-party audio...

VU#341526: Huawei E355 contains a direct request vulnerability

The Huawei E355 USB WiFi adapter with firmware version 21.157.37.01.910 has been reported to contain a direct request vulnerability in its web interface (CWE-425).

JSA10617 – 2014-03 Security Bulletin: Junos Pulse Secure Access Service (SSL...

2014-03 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN): Cross site scripting issue (CVE-2014-2291)

Product Affected: This issue can affect all: SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611. The affected software releases include IVE OS 7.1, 7.3, 7.4, and 8.0.

Problem: A cross site scripting issue has been found in the Juniper Networks SSL VPN product. The problem is a result of incorrect user input validation on the SSL VPN web server. The issue exists within a file that pertains to the Pulse Collaboration (Secure Meeting) user pages, which are only accessible by an authenticated session. This issue is only present when the Pulse Collaboration feature is enabled on a user's role. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2014-2291.

Solution: The issue is fixed in SA/MAG (IVE OS) releases 8.0r1, 7.4r8, 7.3r10, and 7.1r18, and all subsequent releases. KB16765 - "In which releases are vulnerabilities fixed?" describes which releases vulnerabilities are fixed in, as per our End of Engineering and End of Life support policies.

Workaround: This issue can be avoided if the Pulse Collaboration (Secure Meeting) feature is disabled. If this feature is enabled, an upgrade to a fixed version is required to resolve this issue. To disable this feature, navigate in the admin UI to: Users --> User Roles --> (uncheck) "Meetings" --> Click "Save".

CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Risk Level: Low
Risk Assessment: Successful exploit of this vulnerability could allow an attacker to dynamically create arbitrary active content which could be rendered in the user's browser, leading to possible session theft, service disruption, or other information disclosure.

JSA10616 – 2014-03 Security Bulletin: Junos Pulse Secure Access Service (SSL...

2014-03 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN): Linux Network Connect client local user privilege escalation issue (CVE-2014-2292)

Product Affected: This issue can affect all: SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611. The affected software releases include IVE OS 7.1, 7.3, 7.4, and 8.0.

Problem: A privilege escalation issue has been found and corrected in the Linux Network Connect client. This issue could allow a non-root user to escalate their access to root privileges on a Network Connect end-user client system. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2014-2292.

Solution: The issue is fixed in SA/MAG (IVE OS) releases 8.0r2, 7.4r8, 7.3r10, and 7.1r17, and all subsequent releases. KB16765 - "In which releases are vulnerabilities fixed?" describes which releases vulnerabilities are fixed in, as per our End of Engineering and End of Life support policies.

Workaround: There is no workaround for this issue. You must upgrade to a fixed version of the software to obtain the fix.

CVSS Score: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)
Risk Level: Medium
Acknowledgements: Juniper Networks would like to thank two reporters for independently discovering this issue and bringing it to our attention: Jörg Scheinert from Verizon GCIS Vulnerability Management for the discovery and Thierry Zoller for analysis and coordination, and also Joep Vesseur.

JSA10615 – 2014-03 Security Bulletin: IDP (Stand-Alone) Series: Username enumeration issue...

This issue can affect all NetScreen IDP stand-alone platforms running IDP OS 5.1. A username enumeration issue has been found in the Juniper Networks IDP stand-alone product. The problem is a result of incorrect configuration of the Apache web server daemon. This misconfiguration allows the Apache web server to confirm whether a given username is valid on the system. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2001-1013.

The fix for this issue requires a configuration change. The following steps must be followed in order to fix the issue:
1) Log on as root (if via ssh, log in as admin, then su - to root).
2) Use a text editor to edit /etc/httpd/conf/httpd.conf.
3) Locate the following lines:
    SuexecUserGroup root root
    UserDir public_html
</IfModule>
4) Change the config to reflect the following:
    SuexecUserGroup root root
    UserDir Disabled
</IfModule>
5) Finally, restart the services on the device:
[root@defaulthost ~]# sh /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]
[root@defaulthost ~]#

KB16765 - "In which releases are vulnerabilities fixed?" describes which releases vulnerabilities are fixed in, as per our End of Engineering and End of Life support policies. The steps outlined in the solution are the only fix for this issue. There are no other workarounds.
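The configuration change above is easy to get wrong by hand (a stray "UserDir public_html" left in place keeps the enumeration alive, since mod_userdir answers a request for /~name differently for existing and non-existent accounts, which is what CVE-2001-1013 describes). The following POSIX shell script is an added example, not part of the Juniper bulletin or the IDP product: it applies the same edit to a copy of httpd.conf, keeps a backup, and verifies that no enabled UserDir directive remains before an operator restarts httpd. The sample config fragment it writes is constructed from the lines the bulletin quotes; the enclosing "<IfModule mod_userdir.c>" line is assumed, as the bulletin shows only the closing tag.

```shell
#!/bin/sh
# Added example (not from the Juniper bulletin): apply the JSA10615
# UserDir change to a copy of httpd.conf and verify it.

# Write a constructed httpd.conf fragment to the path given as $1.
# The opening <IfModule> line is an assumption; the bulletin only
# shows the directives and the closing tag.
write_sample_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_userdir.c>
    SuexecUserGroup root root
    UserDir public_html
</IfModule>
EOF
}

# Return 0 when every UserDir directive in $1 reads "UserDir Disabled"
# (case-insensitive), 1 when any other UserDir directive remains.
userdir_disabled() {
    if grep -Ei '^[[:space:]]*UserDir[[:space:]]+' "$1" \
        | grep -Eqiv 'UserDir[[:space:]]+disabled[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Rewrite "UserDir public_html" to "UserDir Disabled" in $1, preserving
# indentation and keeping a backup at $1.bak. A temp file is used instead
# of sed -i so the script runs on both GNU and BSD sed. Returns 0 only if
# the file is verified clean afterwards.
disable_userdir() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed 's/^\([[:space:]]*\)UserDir[[:space:]][[:space:]]*public_html[[:space:]]*$/\1UserDir Disabled/' \
        "$conf" > "$conf.tmp" || return 1
    mv "$conf.tmp" "$conf" || return 1
    userdir_disabled "$conf"
}

# Stand-alone demo on a temporary file: fix it and show what changed.
# The httpd restart from step 5 of the bulletin is deliberately not run here.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    if disable_userdir "$tmp"; then
        echo "UserDir disabled in $tmp"
    else
        echo "an enabled UserDir directive remains in $tmp" >&2
    fi
    diff "$tmp.bak" "$tmp" || true
    rm -f "$tmp" "$tmp.bak"
fi
```

On the real appliance the same two functions can be pointed at /etc/httpd/conf/httpd.conf; the verification step matters because a config with several UserDir lines would otherwise pass a visual check while still leaking account names.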

Cisco Small Business Router Password Disclosure Vulnerability

A vulnerability in the web management interface of the Cisco RV110W Wireless-N VPN Firewall, the Cisco RV215W Wireless-N VPN Router, and the Cisco CVR100W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gai...

Multiple Vulnerabilities in Cisco Wireless LAN Controllers

The Cisco Wireless LAN Controller (WLC) product family is affected by the following vulnerabilities: Cisco Wireless LAN Controller Denial of Service Vulnerability Cisco Wireless LAN Controller Unauthorized Access to Associ...

VU#600724: ZTE F460/F660 cable modems contain an unauthenticated backdoor

ZTE F460/F660 cable modems contain an unauthenticated backdoor.

Microsoft Security Advisory (2862152): Vulnerability in DirectAccess and IPsec Could Allow...

Revision Note: V1.1 (February 28, 2014): Advisory revised to announce a detection change in the 2862152 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a de...

Vulnerability in DirectAccess and IPsec Could Allow Security Feature Bypass –...

Revision Note: V1.1 (February 28, 2014): Advisory revised to announce a detection change in the 2862152 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change...