More than 360,000 Apache websites imperiled by critical Plesk vulnerability (Updated)

Update:

Contrary to what Ars reported earlier, Plesk representatives responded promptly to requests for comment. Those responses were blocked by a spam filter. On Thursday morning, the company's vice president of shared hosting and control panels, Craig Bartholomew, told Ars that Plesk version 9.5.4 is not vulnerable, contradicting claims from kingcope that it is susceptible.

"Starting with Plesk 9.3, we have a CGI wrapper that deflects such calls to Apache," Bartholomew said. "You can't get directly to Apache this way. Our understanding is this vulnerability affects 4 percent of all Plesk installations that we know of."

Bartholomew went on to say the attack code exploits the below-referenced CVE-2012-1823 vulnerability, but does so "with a twist."


Mac OS X update protects users against CRIME attacks

Mac users running the latest version of Apple's OS X are now fully protected against an attack that allows hackers to hijack some encrypted browsing sessions. Apple OS X users also received new defenses against malware attacks that exploit Oracle's frequently abused Java browser plugin.

In all, an OS X update released Tuesday fixes more than 30 security bugs in addition to a host of minor usability issues. On the same day, Apple also updated its Safari browser to plug more than two dozen security holes, some of which could allow attackers to remotely execute malicious code.

The most notable fix was an update to the open-source OpenSSL cryptography library to prevent attacks that allowed hackers to hijack browser sessions even when they were protected by HTTPS encryption. Banks, e-commerce merchants, and other sites use this encryption to prevent snooping on sensitive transactions and to prove the authenticity of their webpages. The "CRIME" attacks—short for Compression Ratio Info-leak Made Easy—are able to decrypt encrypted communications when they incorporate one of two data-compression schemes designed to reduce network bandwidth. The OpenSSL fix works by disabling compression when using the Transport Layer Security (TLS) protocol.


Apple Releases OS X 10.8.4 and Security Update 2013-002

Original release date: June 05, 2013

Apple has released OS X 10.8.4 and Security Update 2013-002 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, bypass security controls, or cause denial-of-service conditions. 

US-CERT encourages users and administrators to review Apple Security article HT5784 and apply any necessary updates to help mitigate these risks.


This product is provided subject to this Notification and this Privacy & Use policy.


Google Releases Google Chrome 27.0.1453.110

Original release date: June 05, 2013

Google has released Google Chrome 27.0.1453.110 for Windows, Macintosh, Linux and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow a remote attacker to cause a denial-of-service condition, bypass security controls or execute arbitrary code. 

US-CERT encourages users and administrators to review the Google Chrome Release blog entry and follow best practice security policies to determine which updates should be applied.
