End-of-Day report
Timeframe: Wednesday 12-12-2018 18:00 - Thursday 13-12-2018 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Captchas are dead...ish.
According to a recently published research paper, some types of Captchas are now obsolete. The reason: machines have learned to solve those Captchas.
https://www.gdatasoftware.com/blog/2018/12/31374-captchas-are-dead-ish
OWASP Top 10 Security Risks - Part III
Today, we are going to explore items 5 and 6: broken access control and security misconfigurations.
https://blog.sucuri.net/2018/12/owasp-top-10-security-risks-part-iii.html
Important security update: WordPress 5.0.1 is here
Due to several security vulnerabilities, attackers could target websites built with WordPress. A fixed version is available.
http://heise.de/-4249500
Scanning for Flaws, Scoring for Security
Is it fair to judge an organization's information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries.
https://krebsonsecurity.com/2018/12/scanning-for-flaws-scoring-for-security/
Beware of gamestar4.com
The online shop gamestar4.com, which claims to be based in Vienna, is fraudulent. Alongside household accessories and electrical appliances, gamestar4.com offers cheap game consoles advertised as weekly deals. If you order from gamestar4.com, you lose your money, hand sensitive data to fraudsters, and receive no goods.
https://www.watchlist-internet.at/news/vorsicht-bei-gamestar4com/
Vulnerabilities
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (singularity), openSUSE (compat-openssl098, cups, firefox, mozilla-nss, and xen), and SUSE (cups, exiv2, ghostscript, and git).
https://lwn.net/Articles/774845/
Linux kernel vulnerability CVE-2018-5390
https://support.f5.com/csp/article/K95343321
IBM Security Bulletin: IBM® DB2® contains a denial of service vulnerability in scalar functions (CVE-2018-1977)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-contains-a-denial-of-service-vulnerability-in-scalar-functions-cve-2018-1977/
IBM Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-1871)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction-manager-for-ach-services-is-affected-by-a-potential-cross-site-scripting-xss-vulnerability-cve-2018-1871/
IBM Security Bulletin: Cross-Site Scripting vulnerability in IBM Business Automation Workflow (CVE-2018-1848)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-vulnerability-in-ibm-business-automation-workflow-cve-2018-1848/
IBM Security Bulletin: Potential MITM attack in Apache CXF used by IBM Event Streams (CVE-2018-8039)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-mitm-attack-in-apache-cxf-used-by-ibm-event-streams-cve-2018-8039/
IBM Security Bulletin: IBM Security Directory Server is affected by multiple vulnerabilities in GSKit
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-directory-server-is-affected-by-multiple-vulnerabilities-in-gskit/
IBM Security Bulletin: IBM Security Directory Server is affected by a vulnerability in GSKit
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-directory-server-is-affected-by-a-vulnerability-in-gskit/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-directory-server/