Security Appliance Holes Fixed

Monday, July 27, 2015 @ 05:07 PM gHale

Security devices usually carry an aura of safety; after all, they are supposed to be one layer in a defense-in-depth strategy.

But when such a device has a flaw of its own, it needs a quick fix.


Along those lines, researchers reported two security vulnerabilities in the Sophos Security Web Appliance that allow authenticated users to read files from the underlying operating system and inject arbitrary JavaScript through the GUI management interface.

The product is a security gateway designed to protect companies against malware and other risks by inspecting web traffic content, said Daniel Compton of Info-Assure Ltd., who found the vulnerabilities. The firm urged all users to upgrade to version 4.0.4 to mitigate the flaws, which it has not detailed in full under its responsible disclosure policy.

“Once the vulnerability has been patched we will not disclose the exact details or exploitation methods for the vulnerability for three months,” Compton said. “This gives all users of the product sufficient time to ensure they have updated their products and are protected against the issue.”

Info-Assure discovered the bug June 25 and reported it to the Cambridge-based security vendor on June 30. The vendor fixed the flaw by issuing a patch (4.0.4) on July 15.