Posts Tagged ‘security vulnerability’
Monday, March 11, 2013 @ 10:03 PM gHale
Some printers manufactured by Hewlett-Packard, including 10 of its LaserJet Professional printers, have a security vulnerability that could allow an attacker to remotely access data, according to the Computer Emergency Response Team (CERT).
The problem stems from a telnet debug shell glitch that can allow an unauthenticated user to connect to the printer and in turn, glean data, according to CERT. HP’s Software Security Response Team wrote about the problem in a security bulletin last week.
The following HP LaserJet Pro printers are vulnerable: P1102w, P1606dn, M1212nf, M1213nf, M1214nfh, M1216nfh, M1217nfw, M1218nfs, M1219nf and CP1025nw, according to the bulletin.
German security researcher Christoph von Wittich with Hentschke Bau GmbH discovered the flaw.
HP is advising affected customers to download updated firmware for printers impacted by the bug from the company’s Support Center site. The company is also encouraging those still concerned with the vulnerability to email security-alert@hp.com for further guidance.
Printers have had a handful of security vulnerabilities of late, as have other Internet-enabled devices over the last few years.
Friday, October 12, 2012 @ 06:10 PM gHale
Mozilla temporarily removed Firefox 16 from the current installer page after it found a security vulnerability in the new version of its browser.
The vulnerability could allow a malicious site to potentially determine which websites users have visited and gain access to the URL or URL parameters, said Michael Coates, director of security assurance at Mozilla.
Mozilla does not, however, have any information that the vulnerability is currently being exploited, he said. It is working on a fix and plans to ship updates.
Users will automatically upgrade to the new version as soon as it becomes available, Coates said.
Firefox version 15 remains unaffected, and as a precaution users can downgrade to version 15.0.1. Or they can wait until Mozilla’s patches come out and are automatically applied to address the vulnerability, Coates said.
The newly released version of the browser addressed a number of security vulnerabilities, including some considered critical.
Firefox had a 20.08 percent share of desktop browsers in September, compared to 53.63 percent share for Internet Explorer and 18.86 percent for Chrome, according to Web measurement company Net Applications.
Tuesday, September 18, 2012 @ 10:09 AM gHale
The free DNS server BIND, which the Internet Systems Consortium (ISC) maintains, contains a security vulnerability that allows attackers to crash it using specially crafted data records, according to the Austrian national CERT.
The ISC said resource records with RDATA fields that exceed 65535 bytes cause the domain name server to crash the next time such a record is queried.
The following versions of BIND suffer from the issue:
• BIND 9.0.x to 9.6.x
• BIND 9.4-ESV to 9.4-ESV-R5-P1
• BIND 9.6-ESV to 9.6-ESV-R7-P2
• BIND 9.7.0 to 9.7.6-P2
• BIND 9.8.0 to 9.8.3-P2
• BIND 9.9.0 to 9.9.1-P2
ISC recommends users upgrade to one of the current versions – 9.7.7, 9.7.6-P3, 9.6-ESV-R8, 9.6-ESV-R7-P3, 9.8.4, 9.8.3-P3, 9.9.2 or 9.9.1-P3 – as soon as possible.
The Austrian national CERT said sealing off a server from the outside is not sufficient to protect it against an attack. Apparently, an email could trigger a name server query, causing the server to load the specially crafted record. That the query appears to come “from the inside” offers no protection in this case.
It remains unclear whether the flaw can only trigger server crashes or whether it can also be used to inject malicious software.
Friday, April 13, 2012 @ 04:04 PM gHale
A new release of NVIDIA’s proprietary UNIX graphics drivers for Linux, Solaris and FreeBSD fixes a security vulnerability that allowed attackers to read and write arbitrary system memory in order to obtain root privileges.
To take advantage of the vulnerability, an attacker must have access permission for some device files, which on systems with these drivers is typically the case for users who can launch a graphical interface with features such as 3D acceleration.
Version 295.40 of the driver corrects this problem; for older drivers whose version numbers start with 195, 256 to 285, or 290 to 295, NVIDIA made patches available that change the vulnerable part of the kernel module belonging to the driver. Users who update the driver with this patch and use the CUDA debugger will also need to update the CUDA library before the debugger can work again.
NVIDIA has categorized the security hole as “high risk” and recommends users update to the new version if they use the drivers with GeForce 8, G80 Quadro graphics cards, or newer models from those lines. The company has not confirmed whether the problem also exists for older graphics card models or legacy drivers (such as the 173 line).
Wednesday, April 11, 2012 @ 03:04 PM gHale
By 2020, thousands of kilometers of new grids will be operating in Germany which will allow even more extensive use of power from renewable sources. The catch is, though, these smart grids also come with increased complexity, costs, safety issues and security vulnerability.
However, there is new software that can analyze and optimize transport grids for electricity, gas and water even at the planning stage, based on numerical simulations, said researchers at Fraunhofer Institute. By doing that analysis, it could lighten the task of retrofitting and expansion for system operators, save energy and cost outlays and enhance safety and security.
Almost every winter, news about reduced gas deliveries from Siberia to Europe makes the headlines. Regardless of the political reasons for a shortage, operating pipelines in severe winters is very challenging. One reason is if the gas in the pipes cools off too sharply, it partly liquefies and can no longer flow as swiftly. To maintain the temperature of the gases within a certain range consistently, pipeline operators need a complex system of compressors, pre-heaters, coolers and other elements. System operators constantly monitor the condition of their pipelines and plan ahead for reactions to potential temperature and pressure changes.
New simulation software, called MYNTS (Multiphysical Network Simulation Framework), helps with the operation and planning of such complex networks. The program was jointly developed by the Fraunhofer Institute for Algorithms and Scientific Computing SCAI and the team under mathematics professor Dr. Caren Tischendorf of the University of Cologne.
The program models the transport grids as systems of differential-algebraic equations. Thus through numerical simulations, it is possible to flexibly analyze and better plan the grids. Specifically, the simulation immediately demonstrates the effects of changes in various factors. Using MYNTS, one can calculate how temperature fluctuations alter the flow measurements, or how the failure of subnetworks influences other grid components.
“Regardless of dealing with transport systems for gas, power, water or electrical circuits, their simulation always traces back to the same numerical core,” said department head Dr. Tanja Clees. Because each field of application also has its unique features, specialized versions of the software are available for various utilities. With MYNTS for simulation of gas transport systems, a user can set up and control his or her own subnetworks or add compressor stations and mixing chambers. In order to accelerate simulation computations, the software runs on computers with multiple processors.
This software is also of interest for smart grids, which the German government is promoting. Intelligent networking and controlling of electricity producers, storage facilities, electricity consumers and network resources within supply networks are among the greatest economic and environmental technology challenges.
If bulk consumers could gain control of when they need and utilize power the most, they could adjust the power to match demand at different times; consumption peaks could then be capped and the consumption of electric energy equalized. Such bulk consumers include water companies. One study shows that in industrialized nations, water companies consume three percent of the total electrical power – specifically for pumps. Intelligent control of the network would have major economic potential. Even minor incremental savings make a major contribution that benefits the environment.
Tuesday, February 21, 2012 @ 05:02 PM gHale
There was a security lapse at the Prairie Island nuclear station near Red Wing, MN, and Xcel Energy will feel the wrath of federal regulators.
Xcel received a letter from the Nuclear Regulatory Commission (NRC) about the violation discovered in an October inspection. Details of the incident were redacted from the letter.
The public’s safety was not an issue with the security problem, said NRC spokeswoman Viktoria Mitlyn. But no details, including its level of significance, will be released so the plant can avoid publicizing a security vulnerability, she said.
It is the first time “in the recent past” the NRC cited Xcel for a security-related problem at its two nuclear stations in Minnesota.
The NRC ranks violations on a four-color scale, with red the highest — representing an unacceptable safety loss — and green the lowest significance. The NRC only said the Prairie Island violation was “greater than green.”
In a preliminary letter to Xcel in December, the NRC offered a hint the problem related to “human performance.” The letter said Xcel “failed to conduct an effectiveness review of safety significant decisions to verify the validity of the underlying assumptions, and identify possible unintended consequences.”
The Minneapolis-based utility must correct the root cause of the problem, and will be subject to a follow-up inspection. It also has 30 days to appeal the finding.
In a statement, Xcel said it hadn’t decided whether to appeal but that “Security and safety at our nuclear plants are our highest priorities.”
Wednesday, December 7, 2011 @ 01:12 PM gHale
While Hewlett-Packard still denies their printers can be set on fire via a remote attack, they did publish a list of devices that suffer from a “potential security vulnerability.”
“A potential security vulnerability has been identified with certain HP printers and HP digital senders. The vulnerability could be exploited remotely to install unauthorized printer firmware,” said the security bulletin issued by HP.
Two Columbia University researchers said there is a vulnerability in HP LaserJet printers that could allow a hacker to remotely control them to launch cyber attacks, steal information being printed and even instruct their mechanical components to overload until the device catches on fire.
The flaw not only affects HP printers, but also other devices utilized by millions of individuals and companies that considered them safe, said Columbia researchers Ang Cui and Salvatore Stolfo.
HP LaserJet Enterprise 500 color M551, HP LaserJet Enterprise 600 M602, HP LaserJet M3035, HP Color LaserJet CP4005, HP LaserJet P4515 and HP LaserJet Enterprise M4555 MFP are just a few of the models out of the 40 listed by the company.
Users who purchased HP LaserJet models manufactured before 2009 may be susceptible to the attack.
Until HP finds a fix for the problem, the company has published an advisory so customers can learn how to secure their devices against potential unauthorized access.
Since Remote Firmware Update (RFU) is enabled by default, an update can be sent remotely to port 9100 without authentication, which could allow someone to alter the machine’s firmware. Users should disable the Printer Firmware Update and consult the paper called “HP Imaging and Printing Security Best Practices.”
“HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action,” reads the advisory.



