Thursday, 30 March 2017

On 04:39 by admin   No comments
Tian Rongxin Security Cloud Service Center Security Vulnerability and Security Events Daily (2017-3-30)
 
Latest Security Vulnerability Vulnerability Title: Microsoft Windows Vista SP2 and Server 2008 SP2 DLL Load Permissions and Access Control Vulnerability Submitted by: 2017-03-29 Disclosure / Discovery Time: Vulnerability Level: High CVE-ID: CVE-2017-0039 Vulnerability Category : 

Permission and Access Control Vulnerability CNNVD-ID: CNNVD-201703-796 Impact Component: Microsoft Windows Vista SP2 and Server 2008 SP2 Release Vulnerability Description: Both Microsoft Windows Vista SP2 and Server 2008 SP2 are published by Microsoft Corporation A series of operating systems. DLL Loading is one of the dynamic library loading components. The DLLs in the Microsoft Windows Vista SP2 version and the Server 2008 SP2 release have a bug that stems from the fact that the program did not correctly validate the input data before Windows loaded the dynamic link library (DLL) file. A remote attacker can exploit the vulnerability to obtain permissions with a specially crafted application. Security Advice: At present, the vendor has released an upgrade patch to fix this security issue, and the patch gets the link: https://technet.microsoft.com/en-us/library/security/ms17-012
Vulnerability: Violation Level: High CVE-ID: CVE-2016-9126 Vulnerability Category: Cross-Site Script Vulnerability CNNVD-ID: CNNVD-201703- 1192 Impact Component: Revive Adserver 3.2.3 Previous Version Vulnerability Description: Revive Adserver is an open source ad management system for the Revive Adserver team. The system provides advertising, advertising management, data statistics and other functions. There was a cross-site scripting vulnerability in previous versions of Revive Adserver 3.2.3. A remote attacker could exploit the vulnerability to access the administrator account. Security advice: At present manufacturers have released an upgrade patch to fix this security issue, patch access link: https: //www.revive-adserver.com/security/revive-sa-2016-001/
 
Vulnerability Title: OwnCloud Server and Nextcloud Server Cross-Site Script Vulnerability Submission Time: 2017-03-29 Disclosure / Discovery Time: Vulnerability Level: High CVE-ID: CVE-2016-9466 Vulnerability Category: Cross Site Script Vulnerability CNNVD-ID: CNNVD -201703-1176 Impact components: Nextcloud Server 10.0.1 before the version; ownCloud Server 9.0.6 before the version, 9.1.2 before the version of the vulnerability Description: ownCloud is Germany's ownCloud a set of free and open source personal cloud storage solution Program. Nextcloud is a set of open source self-hosted file synchronization and shared communication application platform. OwnCloud Server and Nextcloud Server are one of the server version. There are cross-site scripting vulnerabilities in the Gallery application in Nextcloud Server and ownCloud Server, which is due to the fact that the program does not filter out the exception information from the Nextcloud / ownCloud server. A remote attacker could exploit the vulnerability to inject any Web script or HTML. The following products and versions are affected: Nextcloud Server 10.0.1 before the version; ownCloud Server 9.0.6 before the version, 9.1.2 before the version. Security advice: At present manufacturers have released an upgrade patch to fix this security issue, patch access link: https: //nextcloud.com/security/advisory/?id=nc-sa-2016-009
Vulnerability Category: Permission and Access Control Vulnerability CNNVD-ID: CVE-ID: CVE-2017-1142 Vulnerability Category: Permission and Access Control Vulnerability CNNVD-ID : CNNVD-201703-1200 Impact Component: IBM Kenexa LCMS Premier on Cloud 9.1, 9.2, 9.2.1, 9.3, 9.4, 9.5, 10.0, 10.2, 10.3 Version Vulnerability Description: IBM Kenexa LCMS Premier On Cloud is a set of IBM Learning Content Management System (LCMS) for the development, maintenance and provision of efficient employee training. There is a security vulnerability in the IBM Kenexa LCMS Premier on Cloud that stems from the fact that the program does not set security flags for session cookies in SSL mode. A remote attacker could exploit the vulnerability to obtain sensitive information. The following editions are affected: IBM Kenexa LCMS Premier on Cloud 9.1, 9.2, 9.2.1, 9.3, 9.4, 9.5, 10.0, 10.2, 10.3. Security advice: At present manufacturers have released an upgrade patch to fix this security issue, patch access link: http: //www-01.ibm.com/support/docview.wss? Uid = swg21998874
Violation Title: Pivotal Cloud Foundry Elastic Runtime Information Disclosure Vulnerability Time: 2017-03-29 Disclosure / Discovery Time: Vulnerability Level: Medium CVE-ID: CVE-2017-4955 Vulnerability Category: Information Disclosure Vulnerability CNNVD-ID: CNNVD-201703 -1282 Impact Component: Pivotal Cloud Foundry Elastic Runtime prior to 1.6.65, pre-1.6.65, pre-1.7.48, pre-1.8.28, pre-1.9.5 Vulnerability Description: Pivotal Cloud Foundry (PCF) is an open source platform-as-a-service (PaaS) cloud computing platform from Pivotal Software, Inc. that provides container scheduling, ongoing delivery, and automated service deployment. Elastic Runtime is an operating environment for Pivotal Cloud Foundry. There is an information disclosure vulnerability in the PCF Elastic Runtime. An attacker could exploit the vulnerability to obtain sensitive information. The following versions are affected: Pivotal Cloud Foundry Elastic Runtime prior to 1.6.65, pre-1.6.65, pre-1.7.48, pre-1.8.28, pre-1.9.5. Security advice: At present manufacturers have released an upgrade patch to fix this security issue, patch access link: https: //pivotal.io/security/cve-2017-4955
Security information experts: Trump government to consider the four major network security trends Nowadays, the state support for hacker activities and Internet espionage is rampant, the US network security and defense situation triggered a hot debate. Security providers and experts point out that the Trump government must balance effective and practical measures as the global threat pattern changes rapidly. The Trump government needs to consider the following four security trends:
 
1. The importance of fiduciary security When it comes to national security threats, we often think of events that cause physical harm to individuals or critical infrastructures. However, it is now more important than ever to quickly identify network threats and mitigate risks because, if not properly protected, hackers may shut down the city's resources, such as water, electricity, and many communications devices and networks.
 
IT security can pose a physical security risk as IT security is more integrated into everyday life (and perhaps much more than people know). This is why the Trump government investment talent, including network and physical integration, including security initiatives, and take the forefront of technological innovation. Appropriate technology, talent and processes will help to create a stronger security situation, which will also have a positive impact on national infrastructure and national security.
 
2. Interoperability and collaborative integration systems are critical to cost savings, improved collaboration, and overall efficiency. If individual systems are isolated from other systems, organizations and organizations can not fully realize situational awareness and can not improve organizational efficiency. Converting data from all networking devices to a unified interface saves time and money and is more strategic.
 
Faster security and information management is called "labor multiplier" for faster and more accurate completion of multiplayer work. If a software platform can obtain data from a number of different sources and can translate data into meaningful conclusions, such a platform can be described as "priceless."
 
Data analysis and real-time collaboration technology enable individuals to work with higher accuracy and accuracy to benefit the parties concerned. The Trump government should consider consolidating data from multiple isolated systems and institutions to provide a viable insight into the achievement of greater common goals.
 
3. Wise traffic and infrastructure planning
Guo Yonghong stressed the need to create a good construction environment to enhance safety awareness
The world has launched the Smart City program because Smart City promises to provide better community services, improve government efficiency and enhance public safety. In addition, Intelligent Transportation Systems (ITS) is a key component of Smart City and is expected to bring new infrastructure investments. ITS solutions will certainly be a key embodiment of the Smart City Initiative.
"The legend of the slag" because of the loss of data back to the explosion of stove open package mechanism!
 
As more and more cities and states are still using smart technology as part of public safety and homeland security policies, the use of integrated systems, applications and databases is not only to identify risks, but also to track and manage the use of government resources The
 
To prevent the penetration of military spies from the awareness of information confidential
 
If the right solution is used, the US federal government has the strength to correlate data and make informed decisions that ultimately save time, money, and even save lives in major events and crises.
4. Intelligent data
 
Xinhuang fire: in-depth cultural relics units to carry out safety knowledge preaching
 
Data filtering, association, and visualization are the source of effective security because they provide a way to detect effective and feasible information from noise. Even if you can collect all the data from a variety of sensors, cameras, devices, and social media, the raw data is of little use without using the technology platform to correlate the data and create viable intelligence solutions.

Over the years, the technology platform has made great progress, become more mature, more powerful. The current solution works like a human brain, such as giving up meaningless information and keeping only relevant information. Like a jigsaw puzzle, an organization can use its associated technology to set its own rules and parameters, and is fully customizable according to its own needs.
 
The importance of real-time analysis and threat response can play a pivotal role in any environment, especially for the federal government. Creating an interoperable platform enables secure professionals and law enforcement agencies to effectively correlate data and communicate effectively, which is critical to sound intelligent management.
 
The query will expose the user information. Researchers are looking for hidden queries on the Internet where the rapid development of online payment in developed countries, online shopping, gourmet search, map positioning and stock-related sites exist in the search page, users are always in the database Query, the database from time to time record the user's search data. As a result, valuable information may be leaked to the database.

 
For example, you have recently searched for a cookie in a shopping APP, and there may be a variety of cookies on the referral page; for example, you search for news about "funny" in the browser, maybe the next day the browser will automatically push All kinds of funny news and so on. While searching for these are just some of the personal preferences that have leaked. Once all the search information is used by criminals, the consequences are equivalent to a large number of real information leaks.
Researchers at the Massachusetts Institute of Technology's Science and Artificial Intelligence Laboratory have provided a way to hide the query but subdivide the query and use a different (same) database to process each query. This idea will be published next week at the USENIX Networked System Design and Implementation Seminar.
Frank Wang, a lead researcher at the Massachusetts Institute of Technology who specializes in this study, says that with the right design, only one data provider needs to protect user privacy.
Frank Wang and other researchers published research papers "Function Secret Sharing (FSS)". FSS is a "branch" that allows the client to break down a particular function into hidden parameters (unless all vendors are "colluded") without imposing too heavy a load on the system's CPU.
The concept of FSS was first proposed by Israeli researchers Yili-Boyle and Shafi-Godwassell in 2015. The two men and Frank Wang co-published this paper. The researchers used modern multicore processors that implement AES-NI (Advanced Encryption Standard).
This paper presents an allowable protocol that allows Splinter to support capturing SQL subsets of any popular online application. In Splinter, each provider in the system hosts a copy of the same database. The client decomposes the query into a "branch" that is submitted to a different provider, providing an answer after responding to the reorganization. In the academic language, FSS allows the client to decompose the function f into functions f1, f2 ... fk, so that many parties can help evaluate f without having to understand certain parameters.
In the case of a COUNT query, only the user knows the answer value of 5, assuming that the user wants to keep the calculated value secret (for example, SELECT COUNT () FROM items WHERE ItemId =?). FSS solves the problem of how to send different queries to the target database, so the client can calculate ItemId = 5 from the answer and return the answer.
 
The researchers explained that the database query was converted into a set of complementary math functions, each function being sent to a different database server. On each server, the function must be applied to each record in the database, otherwise the spy can determine the data that the user is interested in.
 
Each time the function is applied to each new record, the function updates the value stored in memory. When applied to the last record, the last value is returned to the user. However, this value is meaningless before it is combined with the value reported by another server.
 
Frank Wang described Splinter's application in this paper. When people search for a class of patents, Splinter will leak research related patents. Many times, when people search for stock quotes, Splinter will give you the stock information you will be buying. Another example is the map, when the user searches for the current location and the target location, Splinter will also display a large number of user information.
 
(Source: CNNVD fill days of financial security cloud service center Alpha laboratory and other related domestic popular security forum)
 
The message is collected from the moment it is generated, and it takes a lot of steps to collect, copy, access, move, and exit, and finally completes a life cycle, and this process necessarily needs to be good Management cooperation.

0 comments:

Post a comment