
Vulnerability Information 1

April 2015 Patch Tuesday Issues Updates to Microsoft Office. This month’s Patch Tuesday release appears moderately light compared with the previous month’s, with only 11 security bulletins, four of which are rated ‘Critical’, while the rest are rated as ‘Important’. Microsoft addressed a total of 26 vulnerabilities this April. The critical security updates issued by Microsoft all deal with remote code execution (RCE) vulnerabilities. One of the updates rated as ‘Cr..
Apple releases OS X and iOS updates. Apple has released updates for OS X Yosemite, OS X Mavericks, OS X Mountain Lion, Safari, Xcode and Apple TV. The latest OS X release (10.10.3) patches a backdoor that could be exploited to gain root access. Apple also patched 40 security issues in the iOS 8.3 update. http://www.scmagazine.com/apple-releases-ios-83-with-multiple-security-fixes/article/408286/ http://arstechnica.com/security/2015/04/latest-version-of-os-x-closes-backdoor-like-bug-that-gives-attackers-root/ http://www.eweek.com/..
AAEH. Systems Affected: Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8; Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012. Overview: AAEH is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including password stealers, rootkits, fake antivirus, and ransomware. The United States Department of Homeland Security (DHS), in collaboration w..
NTP Project ntpd reference implementation contains multiple vulnerabilities. Overview: The NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks. Description: CVE-2015-1798, bug 2779: In NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as thoug..
Exploiting PHP Bug #66550 - SQLite prepared statement use-after-free - [A local PHP exploit]. As the title says, this bug is useful only for post exploitation to bypass protections when the attacker already has arbitrary PHP code execution. Nevertheless, this was a good exploit exercise. This SQLite prepared statement use-after-free was reported by Sean Heelan. Here is the link to the bug and detailed analysis: Bug 66550 - SQLite prepared statement use-after-free. The summary as per Sean -..
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products. Summary: Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are active..
Multiple SSL certificate authorities use email addresses as proof of domain ownership. Overview: Multiple SSL certificate authorities may issue certificates to a customer based solely on the control of certain email addresses. This may allow an attacker to obtain a valid SSL certificate to perform HTTPS spoofing without generating a warning in the client software. Description: When a client such as a web browser accesses a resource using HTTPS, which subsequently uses SSL or TLS for en..
Advisory: caution regarding SSL certificate issuance via email verification. Overview: SSL certificate authorities support ‘email verification’ for certificate issuance. If the email address used for verification can be used by an attacker or a third party, an SSL certificate can be issued and HTTPS traffic tampered with [1]. Description: SSL certificate authorities provide email verification only for specific administrator email accounts (such as admin@yourdomain.com). If an attacker or third party can use an administrator email address permitted by the certificate authority, they can obtain a valid SSL certificate through that email and tamper with or eavesdrop on HTTPS communications without the user’s knowledge. Solution: Administrators who create email accounts should restrict the creation of the specific email accounts permitted by SSL certificate authorities - for general users..
OpenSSL Releases Patches to Address “Severe” Security Holes. OpenSSL said last Tuesday, March 17, that they planned to release several code fixes to address a number of vulnerabilities, including some classified as “high” severity. There had been speculation building around these vulnerabilities, as the bug was hinted to be “the next Heartbleed” according to reports. The fix was released today, two days after their announcement. Today’s security..
Exploit Kits and Malvertising. In the past few weeks we’ve noticed a problematic pattern developing: the increasing use of exploit kits in malvertising. In particular, zero-day exploits (usually seen first in targeted attacks) are now being deployed in malicious ads right away, instead of first being used in targeted attacks against enterprises or other large organizations. This is a worrying trend, as it means that more users..