Oracle Releases January 2015 Security Advisory

Original release date: January 20, 2015

Oracle has released its Critical Patch Update for January 2015 to address 169 vulnerabilities across multiple products.

This update contains the following security fixes:

  • 8 for Oracle Database Server
  • 36 for Oracle Fusion Middleware
  • 10 for Oracle Enterprise Manager Grid Control
  • 10 for Oracle E-Business Suite
  • 6 for Oracle Supply Chain Products Suite
  • 7 for Oracle PeopleSoft Products
  • 1 for Oracle JD Edwards Products
  • 17 for Oracle Siebel CRM
  • 2 for Oracle iLearning
  • 2 for Oracle Communications Applications
  • 1 for Oracle Retail Applications
  • 1 for Oracle Health Sciences Applications
  • 19 for Oracle Java SE
  • 29 for Oracle Sun Systems Products Suite
  • 11 for Oracle Linux and Virtualization
  • 9 for Oracle MySQL

US-CERT encourages users and administrators to review the Oracle January 2015 Critical Patch Update and apply the necessary updates.


Playing NSA, hardware hackers build USB cable that can attack

Just over a year ago, Jacob Appelbaum and Der Spiegel revealed pages from the National Security Agency's ANT catalog, a sort of "wish book" for spies that listed technology that could be used to exploit the computer and network hardware of targets for espionage. One of those tools was a USB cable with embedded hardware called Cottonmouth-I—a cable that can turn the computer's USB connections into a remote wiretap or even a remote control.

Cottonmouth-I is the sort of man-in-the-middle attack that hackers dream of. Built into keyboard or accessory cables, it allows an attacker to implant and communicate with malware even on a computer that's "airgapped"—completely off a network. And its hardware all fit neatly into a USB plug. Because of the sophistication of the hardware, the advertised price for Cottonmouth-I was over $1 million per lot of 50—meaning each single device cost $20,000.

But soon, you'll be able to make one in your basement for less than $20 in parts, plus a little bit of solder. At ShmooCon in Washington, DC, this past weekend, Michael Ossmann, a wireless security researcher, founder of Great Scott Gadgets, and a contributor to the NSA Playset (a set of projects seeking to duplicate in open source the capabilities in the NSA's toolbox), showed off his progress on TURNIPSCHOOL, a man-in-the-middle USB cable project under development. It fits a USB hub-on-a-chip and a microprocessor with a built-in radio onto a circuit board small enough to sit inside a molded USB plug.


FAQ: Should I Upgrade Magento and Change My Theme at the Same Time?

When discussing Magento upgrades with clients these days, a question that comes up more and more often is whether to change the theme in use on the website, and more specifically whether that should be done at the same time as the upgrade. Our current recommendation is to split up the upgrade and the theme change, for reasons we will get to in a moment: do the upgrade first, then use the copy of the website that was used for testing the upgrade to test out the new theme, and only then change the theme on the production website.

Avoiding Additional Issues with the Upgrade

Upgrading Magento is almost never a process without issues; if you are lucky they are rather small, but in many cases they are rather large. To the extent possible you want to avoid making other changes at the same time, because that makes the issues harder to deal with: you won't know which change is the root of the issue when you start dealing with it. That advice applies not just to theme changes, but to other major changes as well.

While new themes do not cause problems on the same level as an upgrade, they can sometimes cause problems, and this is more likely if the new theme also adds new extensions to the website. Often the new theme is going to go through a fair amount of customization, which can be done without impacting the production website by using the copy of the website created for the upgrade.

Limited Downside

The downside to splitting up the upgrade and theme change is that themes often need some minor changes to make them compatible with versions of Magento released after the theme was released; with a new theme designed for the new version that shouldn't be necessary. If you hire a professional to do the upgrade (which we would definitely recommend, having seen the many problems that can come up during an upgrade), they shouldn't have a problem checking whether changes need to be made and making them, so the advantage a new theme provides here is limited. Further limiting the advantage is that we often find those changes need to be made in design files that come with an extension rather than with the theme, so most of the work related to this still needs to be done even if a new theme is used during an upgrade.

Wireless device in two million cars wide open to hacking

An electronic dongle used to connect to the onboard diagnostic systems of more than two million cars and trucks contains few defenses against hacking, an omission that makes them vulnerable to wireless attacks that take control of a vehicle, according to published reports.

US-based Progressive Insurance said it has used the SnapShot device in more than two million vehicles since 2008. The dongle tracks users' driving to help determine if they qualify for lower rates. According to security researcher Corey Thuen, it performs no validation or signing of firmware updates, has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols. SnapShot connects to the OBDII port of Thuen's 2013 Toyota Tundra pickup truck, according to Forbes. From there, it runs on the CANbus networks that control braking, park assist and steering, and other sensitive functions.

"Anything on the bus can talk to anything [else] on the bus," Thuen was quoted as saying in an article from Dark Reading. "You could do a cellular man-in-the-middle attack" assuming the attacker had the ability to spoof a cellular tower that transmits data to and from the device.
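The controls the article says SnapShot lacks (validating signed firmware before applying it, and refusing older images) are straightforward to express in code. The following is an added example, not code from Progressive, Thuen, or the SnapShot device: it assumes a constructed image layout of a 4-byte version header, the payload, and a trailing Ed25519 signature over version||payload, and contrasts an unverified update path with one that checks the signature against a vendor public key and rejects version rollback.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed firmware image layout for this example (not the SnapShot format):
//   [4 bytes big-endian version][payload ...][64 bytes Ed25519 signature]
// The signature covers version||payload so the version cannot be altered.
const sigLen = ed25519.SignatureSize

var (
	ErrTooShort     = errors.New("firmware image too short")
	ErrBadSignature = errors.New("firmware signature verification failed")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// buildImage is the build-side tool: it signs version||payload with the
// vendor's private key and appends the signature to the image.
func buildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, version)
	body := append(hdr, payload...)
	sig := ed25519.Sign(priv, body)
	return append(body, sig...)
}

// acceptUnverified mirrors the behaviour described in the article: whatever
// arrives over the cellular link is applied without checking who produced it.
func acceptUnverified(image []byte) ([]byte, error) {
	if len(image) < 4 {
		return nil, ErrTooShort
	}
	return image[4:], nil
}

// verifyImage is the missing check: only images signed by the vendor key and
// carrying a version newer than the installed one are returned for flashing.
// The signature is checked before the header is trusted for anything.
func verifyImage(pub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	if len(image) < 4+sigLen {
		return 0, nil, ErrTooShort
	}
	body := image[:len(image)-sigLen]
	sig := image[len(image)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[:4])
	if version <= installed {
		return 0, nil, ErrRollback // a validly signed but older image is still refused
	}
	return version, body[4:], nil
}

func main() {
	// Vendor key pair generated on the fly for the demo; in a real device the
	// public key would be baked into the bootloader or a protected region.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload v2")
	image := buildImage(priv, 2, payload)

	v, _, err := verifyImage(pub, 1, image)
	fmt.Println("genuine image: version", v, "err", err)

	tampered := append([]byte(nil), image...)
	tampered[4] ^= 0xff // flip one payload byte
	_, _, err = verifyImage(pub, 1, tampered)
	fmt.Println("tampered image, verified path:", err)

	_, err = acceptUnverified(tampered)
	fmt.Println("tampered image, unverified path:", err)

	_, _, err = verifyImage(pub, 2, image)
	fmt.Println("replayed image at same version:", err)
}
```

The rollback check matters as much as the signature: without it, an attacker who captured an older, genuinely signed image could push the device back to a version with known defects. A real device would also need the cellular link itself authenticated, which is a separate control from image signing.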
