ICT Security-Sécurité PC et Internet

A dangerous Drupal flaw could leave your site completely compromised if you don't patch the flaw immediately.

Developers of popular open-source CMS Drupal are warning admins to immediately patch a flaw that an attacker can exploit just by visiting a vulnerable site.

The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions.

Admins are being urged to immediately update to Drupal 7.58 or Drupal 8.5.1. Drupal issued an alert for the patch last week warning admins to allocate time for patching because exploits might arrive "within hours or days" of its security release. So far, there haven't been any attacks using the flaw, according to Drupal.

The bug, which is being called Drupalgeddon2, has been assigned the official identifier CVE-2018-7600.

Drupal has given it a 'highly critical' rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System.

Although there are no security releases for the unsupported Drupal 8.3.x and 8.4.x, Drupal has released patches for quick remediation.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Drupal

La mise à jour Flash Player est au rendez-vous prévu afin de corriger une vulnérabilité exploitée dans des attaques. Un exploit qui pourrait être nord-coréen. Adobe en profite pour corriger une autre faille critique.


Comme promis la semaine dernière, Adobe publie une mise à jour de sécurité pour Flash Player afin de corriger la vulnérabilité CVE-2018-4878 qui est exploitée dans des attaques ciblées visant des utilisateurs Windows.

L'exploitation s'appuie sur des documents Office avec du contenu Flash malveillant. Un objet ActiveX (un fichier SWF) est intégré dans le document et contient l'exploit Flash.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Flash-Player-Vulnerabilities

Have you watched a YouTube video lately in a country where English is widely used?

If so, we’re willing to bet that you’ve seen an advert for Grammarly, an online spelling and grammar checker.

In fact, we’ll suggest you’ve seen the Grammarly ad many times, perhaps even very many times – we certainly have.

The ads seem to be working, with the product currently closing in on 1,000,000 installs in Firefox, and already claiming more than 10,000,000 in Chrome.

As the product pitch in the Firefox add-on store explains:

Once you register your new account, you will start to receive weekly emails with personalized insights and performance stats (one of our most popular new features). Working on a large project, an essay, or a blog post? No sweat. You can create and store all of your documents in your new online editor.

In other words, your Grammarly account ends up knowing a lot about you, and holding copies of a lot of what you’ve written.

A security hole in Grammarly could therefore tell crooks much more about you than you’d like them to know.

Learn more / En savoir plus / Mehr erfahren.

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Grammarly

Mit dem Patch auf Version 52.6 behebt Mozilla einige schwerwiegende Fehler in seinem beliebten E-Mail-Client Thunderbird. Darunter befinden sich auch kritische Sicherheitslücken befinden, die gestopft wurden. Nutzer sollten schnell aktualisieren. CHIP hat die neueste Version der kostenlosen Software für Windows, macOS und Linux zum Download. Im Video zeigen wir Ihnen, wie Sie Thunderbird aktualisieren.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Thunderbird-Update

An seinem ersten Patchday des Jahres dichtet Adobe einen Speicherfehler im Flash Player ab, der zu einem Informationsleck führen kann.

Anlässlich seines Januar-Patchdays schließt Adobe eine Sicherheitslücke im Flash Player, die zu einem Informationsleck führen kann. Der Speicherfehler (Out of bounds) trägt die CVE-Nummer 2018-4871 und wurde anonym über Trend Micros Zero Day Initiative an Adobe herangetragen. Der Hersteller ordnete der Lücke den zweithöchsten Schweregrad "wichtig" zu, bislang seien keine Fälle bekannt, in denen die Schwachstelle für Angriffe missbraucht wurde. Betroffen sind alle Versionen des Flash Player bis einschließlich 28.0.0.126 auf allen unterstützten Plattformen.

Für Abhilfe sorgt Version 28.0.0.137, die sich wie gewohnt als Desktop-Runtime für Windows und Linux direkt bei Adobe beziehen lässt. Um die Aktualität des Plug-ins für den Chrome-Browser kümmert sich Google; in Kürze erscheint voraussichtlich eine neue Chrome-Version, welche die aktuelle Flash-Version enthält. Das Flash-Plug-in für Edge und Internet Explorer bringt Microsoft über Windows Update auf den aktuellen Stand. 

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Flash+Updates

Microsoft has warned users that its patches for the dangerous Meltdown CPU bug won't reach them if their third-party antivirus hasn't been updated to support this week's Windows security update.

By now Windows users should have received the patches Microsoft released yesterday to plug the widespread Meltdown bug and its companion Spectre, which expose most computers and phones to speculative execution side-channel attacks that affect chips from Intel, AMD, and Arm.

Microsoft released software updates for Internet Explorer, Microsoft Edge, Windows, and SQL Server, but customers will also need to apply firmware updates from their respective hardware vendors too.

Surface and Surface Book users can expect an automatic firmware update from Microsoft but those with other hardware will need to check with their vendors.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Meltdown+and+Spectre+Attacks

Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt vor drei Sicherheitslücken in Googles Chrome-Browser. Auch die Open-Source-Variante Chromium soll betroffen sein.
Zwei der Schwachstellen sind als kritisch eingestuft. Sie ermöglichen es Hackern, beliebigen Code auszuführen.

Nutzern, die noch nicht auf die aktuellen Versionen (jeweils 61.0.3163.100) umgestiegen sind, wird dringend angeraten, das Browser-Update durchzuführen. Betroffen von der Schwachstelle sind Systeme mit Windows (ab Windows XP), Macintosh (Mac OS X und macOS Sierra) sowie Linux und Chrome OS. Bei Letzterem ist der Browser integraler Bestandteil.

Laut BSI ermöglichen die Lücken "einem entfernten, nicht authentifizierten Angreifer" das Ausführen von beliebigem Code. So könnte etwa ein Denial-of-Service (DoS)- Angriff durchgeführt werden.

Learn more / En savoir plus / Mehr erfahren:

https://gustmees.wordpress.com/2012/05/02/get-smart-with-5-minutes-tutorialsit-securitypart-1-browsers/

https://gustmeesde.wordpress.com/2014/12/16/browser-sind-das-einfallstor-fur-malware-sind-eure-browser-up-to-date/

The good news is developers are looking very closely at Linux's core code for possible security holes. The bad news is they're finding them.

At least the best news is that they're fixing them as soon as they're uncovered.

The latest three kernel vulnerabilities are designated CVE-2016-8655, CVE-2016-6480, and CVE-2016-6828. Of these, CVE-2016-8655 is the worst of the bunch. It enables local users, which can include remote users with virtual and cloud-based Linux instances, to crash the system or run arbitrary code as root.

MORE SECURITY NEWS

US government seeks more data on Apple customers
Electronics-sniffing dogs: How K9s became a secret weapon for solving high-tech crimes
This 'highly personalized' malware campaign targets retailers with phony customer queries
How the Cyber Kangaroo can help defend the Internet of Things
In short, it's nasty.

Learn more / En savoir plus / Mehr erfahren:

http://www.scoop.it/t/securite-pc-et-internet/?tag=Linux

macOS Sierra sowie dazugehörende Software wurde im Vorfeld der Keynote aktualisiert, nun folgen Sicherheitsupdates für Windows.

Canoncinal vient d’annoncer la disponibilité de correctifs pour 26 vulnérabilités recensées dans le noyau d’Ubuntu 14.04 (Trusty Tahr). Cette version qui est sortie depuis avril 2014 bénéficie d’un support Long Term Support abrégé LTS (pour support à long terme en français) ce qui fait qu’elle est prise en charge par l’équipe de développement pendant cinq ans (pour les versions bureau et serveur), soit jusqu’en avril 2019.

Dans cette récente annonce, l’entreprise rapporte parmi les failles corrigées qu’une vulnérabilité d’écriture hors limites existait dans le système de fichiers Flash-Friendly (f2fs) du noyau Linux. Cette faille qui a été consignée sous la référence CVE-2017-0750 pourrait être exploitée par un attaquant pour construire un système de fichiers malveillant qui, lorsqu’il est monté, peut provoquer un déni de service (panne du système) ou éventuellement exécuter du code arbitraire.

À côté de cette faille, une situation de concurrence débouchant sur une faille use-after-free a été découverte dans la fonction snd_pcm_info du sous-système ALSA PCM sur le noyau Linux. Cette situation de compétition rapportée par l’équipe de sécurité d’Ubuntu pourrait être utilisée par une personne malveillante pour obtenir des privilèges non autorisés à travers des vecteurs non spécifiés et provoquer une panne du système ou éventuellement exécuter du code arbitraire. Cette faille portant le code CVE-2017-0861 a été classée à un niveau élevé de sévérité selon la version 3 de CVSS Severity.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Linux

Adobe hat für seinen Flash Player ein Sicherheits-Update freigegeben. Version 28.0.0.161 schließt die kritische Sicherheitslücke, die vergangene Woche publik wurde. Nachdem die Lücke bereits ausgenutzt wird, sollten Sie als Flash-Nutzer dringend aktualisieren. Wie dies manuell funktioniert, erklären wir Ihnen im Video.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Flash-Player-Vulnerabilities

Why go to all the bother of writing ransomware that demands victims pay a Bitcoin ransom? If all you want is cryptocurrency, why not use the infected computers to mine the crypto coins themselves?

That way you don’t have to rely on a human victim buying some Bitcoin, and nervously making their way onto the dark web to make their ransom payment.

According to security researchers at Proofpoint, that’s exactly the reasoning shown by online criminals who are moving from regular ransomware to cryptomining.

A Monero-mining botnet called Smominru is said to have infected 526,000 Windows PCs since May 2017 – mostly in Russia, India, and Taiwan – and is earning millions of dollars for its operators.

In fact, the biggest clue that most users will have that their computers may be affected by a cryptominer is if they found the PC is slowing down, its battery running out at a quicker rate, or the fan blowing at full blast.

Don’t make the mistake of thinking that this is a victimless crime. If your computers get recruited into a cryptomining botnet like Smominru, it’s your electricity and computer power that is being stolen.

Keep your computers up-to-date with security patches, defended with layered security solutions, and your wits about you.

Learn more / En savoir plus / mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Coinhive

https://www.scoop.it/t/securite-pc-et-internet/?&tag=crypto-currency

https://www.scoop.it/t/securite-pc-et-internet/?&tag=cryptojacking

A new report from researchers at Sucuri reveals that websites are once again being found infected by cryptomining code – stealing the resources of visiting computers to mine for the Monero cryptocurrency.

Many web surfers almost certainly don’t realise that the reason that their laptop’s fan is running at full blast is because the website they are viewing is tied up with the complex number-crunching necessary to earn the digital currency.

But, in a twist, this particular attack isn’t just interested in mining Monero. While the website’s front-end is digging for cryptocurrencies, the back-end is secretly hosting a keylogger designed to steal unsuspecting users’ login credentials.

With the keylogger in place, any information entered on any of the affected websites’ web forms will be surreptitiously sent to the hackers.

And yes, that includes the site’s login form.

We’ve said it before, and we’ll no doubt say it again. And again.

If your website is powered by the self-hosted edition of WordPress, it’s essential that you keep both it, and any third-party plugins, updated.

Self-hosting your WordPress site is attractive in many ways, but you have to acknowledge that security is now your responsibility (or find yourself a managed wordpress host who is prepared to take it on for you). New vulnerabilities are found in the software and its many thousands of third-party plugins all the time.

In short, if you don’t know what you’re doing, there’s a chance that your WordPress-running website has security holes which a malicious hacker could exploit. Such security weaknesses could potentially damage your brand, scam your website visitors, and help online criminals to make their fortune.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=WordPress

Eine neu entdeckte Schwachstelle in Computer-Prozessoren hat weltweit Sorge vor Hackerangriffen auf sensible Daten geschürt. Die betroffenen Hersteller wollen nun nachrüsten. Das Bundesamt für Sicherheit in der Informationstechnik riet Nutzern, Updates zu installieren.

Nach Bekanntwerden der gravierenden Sicherheitslücken in zahlreichen Computer-Prozessoren hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) Nutzern zum Installieren von Updates geraten.

Privatanwendern und Unternehmen werde empfohlen, Sicherheits-Patches für Betriebssysteme und insbesondere Internetbrowser einzuspielen, sobald diese von den Herstellern zur Verfügung gestellt würden, erklärte das BSI. Auch für mobile Geräte wie Smartphones sollten Sicherheitsupdates unmittelbar installiert werden.

Grundsätzlich gelte, dass Software und Betriebssysteme stets auf dem aktuellen Stand gehalten werden sollten, teilte das BSI weiter mit. Zudem sollten Apps nur aus vertrauenswürdigen Quellen bezogen werden. Die Chip- und Hardwarehersteller rief das Bundesamt dazu auf, die Schwachstelle zu beheben. Der Fall sei ein erneuter Beleg dafür, "wie wichtig es ist, Aspekte der IT-Sicherheit schon bei der Produktentwicklung angemessen zu berücksichtigen", erklärte BSI-Präsident Arne Schönbohm.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Meltdown+and+Spectre+Attacks

https://gustmeesde.wordpress.com/2014/12/26/programme-die-auf-jeden-neuen-pc-und-smartphones-gehoren/

https://gustmeesde.wordpress.com/2014/12/16/browser-sind-das-einfallstor-fur-malware-sind-eure-browser-up-to-date/

Sometimes old fixed bugs come back to bite us. That's the case with CVE-2017-1000253, a Local Privilege Escalation Linux kernel bug.

This is a problem with how the Linux kernel loaded Executable and Linkable Format (ELF) executables. If an ELF application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack. This could cause memory corruption. Then, an otherwise unprivileged local user with access to a Set owner User ID (SUID) or otherwise privileged flawed PIE binary, could gain higher-level user privileges.


Qualys, a security company, worked out a way to exploit this hole. By smashing the PIE's .dynamic section with a stack-based string operation, they found they could force the ld.so dynamic linker to load and execute their own shared library.

This security hole may sound complicated, but it's relatively easy to exploit. Since it could give an ordinary user super-user privileges it's potentially very dangerous.

Learn more / En savoir plus / Mehr erfahren:

http://www.scoop.it/t/securite-pc-et-internet/?&tag=Linux

It's time to update your Raspberry Pi devices or risk them being infected with cryptocurrency mining malware.

Someone has developed a simple Linux trojan designed to harness the meager power of Raspberry Pi devices to mine cryptocurrency.

Raspberry Pi users may need to consider applying a recent Raspbian OS update to their devices, particularly if they are currently configured to allow external SSH connections.

According to Russian security firm Dr Web, the malware Linux.MulDrop.14 exclusively targets Raspberry Pi devices to use their processing power to mine a cryptocurrency.

Dr Web discovered the Raspberry Pi mining malware after its Linux honeypot machine became infected with it. The malware uses a simple Bash script to attempt to connect to Raspberry Pi devices configured to accept external SSH connections. It targets Raspberry Pi boards with the default login and password, which are 'pi' and 'raspberry', respectively.

Learn more / En savoir plus / Mehr erfahren:

http://www.scoop.it/t/securite-pc-et-internet/?&tag=Raspberry+PI

Le système de rapport de bugs d’Ubuntu était touché par des failles. Des vulnérabilités promptement corrigées par les développeurs.

Learn more / En savoir plus / Mehr erfahren:

http://www.scoop.it/t/securite-pc-et-internet/?tag=Linux

Adobe and Microsoft today each issued updates to fix critical security flaws in their products. Adobe’s got fixes for Acrobat and Flash Player ready. Microsoft’s patch bundle for October includes fixes for at least five separate “zero-day” vulnerabilities — dangerous flaws that attackers were already exploiting prior to today’s patch release. Also notable this month is that Microsoft is changing how it deploys security updates, removing the ability for Windows users to pick and choose which individual patches to install.

Zero-day vulnerabilities describe flaws that even the makers of the targeted software don’t know about before they start seeing the flaws exploited in the wild, meaning the vendor has “zero days” to fix the bugs.

Learn more / En savoir plus / Mehr erfahren:

http://www.scoop.it/t/securite-pc-et-internet