Short-News: Critical Oracle Java 7/8 patch for CVE-2016-0636 (remote code execution)

Oracle has released a critical patch for Java 7/8 that fixes CVE-2016-0636, a remote code execution vulnerability. The patch was released between two normal Oracle Java “Patch-Days”, which should be proof enough that the vulnerability is indeed critical. To quote Oracle: “Due to the severity of this vulnerability and the public disclosure of […]

Short News: Critical vulnerability in Network Security Services (nss-util) – CVE-2016-1950

It has been discovered that nss-util (Network Security Services) is affected by a critical vulnerability. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use […]

“Secure” config for OpenSSH 6.6 Ubuntu 14.04

SSLv2 Protocol “DROWN” security flaw – CVE-2016-0800

As announced by the OpenSSL team some days ago, a new fix for several high-severity vulnerabilities has been released. The main vulnerability is called “DROWN” (once again with a fancy logo, of course). Detailed information can be found on www.drownattack.com.

CVSS V2 Base Score: 5.8
Base Metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication […]

Critical OpenSSL update is live!

Tricky spam – real message forward with passworded mail attachment

Well folks: It’s getting tricky. When I wrote about CTB-Locker, I joked around that everyone warned their users about suspicious attachments anyway. Now attackers use a new method to get around virus scanners and get their victims to open their infected files. The initial notice came from Heise with a German mail – and the notice […]

Crypto-trojan CTB-Locker infects hundred webservers

Short News: Incoming OpenSSL patch – release of version 1.0.2g/1.0.1s

The incoming release of OpenSSL versions 1.0.2g and 1.0.1s has just been announced on the OpenSSL mailing list. As usual with such release pre-notifications, there ain’t many details known. “These releases will be made available on 1st March 2016 between approximately 1300-1700 UTC. They will fix several security defects with maximum severity “high”.” – OpenSSL Announcement Please […]

CVE-2016-2384: arbitrary code execution due to a double-free in the usb-midi Linux kernel driver

CVE-2016-2384 describes an interesting vulnerability within the usb-midi Linux kernel driver. There is an extensive blog post on xairy’s GitHub blog. The exploit can be used either for DoS (you’ll need physical access) or to execute code (you’ll need both physical and local access).

CVE-2016-2384
CVSS v2 Base Score: 4.7
Base Metrics: AV:L/AC:M/Au:N/C:N/I:N/A:C
Access Vector: Local […]

Short News: Hacked Linux Mint ISOs

CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow vulnerability

A new vulnerability has been discovered by Google’s Online Security research team. It affects the glibc library and can potentially lead to DoS and code execution. How severe this is for your infrastructure depends on many factors; it is recommended to patch the issue as soon as possible. “Our initial investigations showed that the […]

Did you secure everything this week?