Oracle Patches Bash Vulnerabilities

Original release date: October 07, 2014

Oracle has released security updates to address bash vulnerabilities found across multiple products.

US-CERT recommends users and administrators review the Oracle Security Article for additional details, and apply updates as necessary.

Dozens of European ATMs rooted, allowing criminals to easily cash out

Criminals are installing fairly sophisticated malicious programs on banks' ATMs, allowing them to control access to the machines and easily steal cash, security firms Kaspersky and Interpol said in a joint statement released on Tuesday.

The malware, which Kaspersky dubbed 'Tyupkin,' allows low-level thieves, known as money mules, access to the machines at certain times of day using an intermittently changing code, similar to the six-digit electronic tokens used for security in the financial industry. More than 50 ATMs in Eastern Europe and Russia were found to have been infected with the malware to date, leading to the theft of currency equivalent to millions of dollars, according to the statement.

The attack shows that criminals are improving their tactics and appear to be able to gain enough access to ATMs to install code, Vicente Diaz, principal security researcher at Kaspersky Lab, said.

Adobe’s e-book reader sends your reading logs back to Adobe—in plain text [Updated]

Adobe even logs what you read in Digital Editions' instruction manual.

Adobe’s Digital Editions e-book and PDF reader—an application used by thousands of libraries to give patrons access to electronic lending libraries—actively logs and reports every document readers add to their local “library” along with what users do with those files. Even worse, the logs are transmitted over the Internet in the clear, allowing anyone who can monitor network traffic (such as the National Security Agency, Internet service providers and cable companies, or others sharing a public Wi-Fi network) to follow along over readers’ shoulders.

Ars has independently verified the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no reply.

Digital Editions (DE) has been used by many public libraries as a recommended application for patrons wanting to borrow electronic books (particularly with the Overdrive e-book lending system), because it can enforce digital rights management rules on how long a book may be read for. But DE also reports back data on e-books that have been purchased or self-published. Those logs are transmitted over an unencrypted HTTP connection back to a server at Adobe—a server with the Domain Name Service hostname “adelogs.adobe.com”—as an unencrypted file (the data format of which appears to be JSON).