Security Alerts

Cisco WebEx Meeting Center Site Redirection Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in a URL parameter of Cisco WebEx could allow an unauthenticated, remote attacker to perform site redirection.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including a remote site URL in the affected parameter of the Cisco WebEx URL. An exploit could allow the attacker to redirect a user to a malicious website.

To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-wms4
Security Impact Rating: Medium
CVE: CVE-2017-3799
Categories: Security Alerts

Cisco WebEx Meetings Server Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to view the fully qualified domain name of the Cisco WebEx administration server.
 
The vulnerability is due to insufficient masking of sensitive data in the HTTP response. An attacker could exploit this vulnerability by issuing specific HTTP requests. An exploit could allow the attacker to view the fully qualified domain name of the server.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-wms3
Security Impact Rating: Medium
CVE: CVE-2017-3797
Categories: Security Alerts

Cisco WebEx Meetings Server Command Bypass Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to execute predetermined shell commands on other hosts.

The vulnerability is due to insufficient security configurations of bash in interactive mode. An attacker could exploit this vulnerability by connecting to a host as root and then connecting to another host via SSH and issuing predetermined shell commands. A successful exploit could allow an attacker to execute commands as root on any other Cisco WebEx Meeting Server host.

Cisco has not released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-wms2
Security Impact Rating: Medium
CVE: CVE-2017-3796
Categories: Security Alerts

Cisco WebEx Meetings Server Arbitrary Password Change Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to conduct arbitrary password changes against any non-administrative user.

The vulnerability is due to insufficient parameter string security. An attacker could exploit this vulnerability by creating a password-protected meeting and utilizing system-provided parameters to change a non-administrative user password. A successful exploit could allow an attacker to change the password of a targeted user.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-wms1
Security Impact Rating: Medium
CVE: CVE-2017-3795
Categories: Security Alerts

Cisco WebEx Meetings Server Cross-Site Request Forgery Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against an administrative user.

The vulnerability is due to insufficient CSRF protections. An attacker could exploit this vulnerability by convincing the user of the affected system to follow a malicious link or visit an attacker-controlled website. A successful exploit could allow an attacker to submit arbitrary requests to the affected device via the Administration pages with the privileges of the user.


Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-wms
Security Impact Rating: Medium
CVE: CVE-2017-3794
Categories: Security Alerts

Cisco NetFlow Generation Appliance Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in the web-based management interface of Cisco NetFlow Generation Appliance could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Workarounds that address this vulnerability are not available.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-nga
Security Impact Rating: Medium
CVE: CVE-2016-9222
Categories: Security Alerts

Cisco Nexus 5000, 6000, and 7000 Series Switches Software IS-IS Packet Processing Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in Intermediate System-to-Intermediate System (IS-IS) protocol packet processing of Cisco Nexus 5000, 6000, and 7000 Series Switches software could allow an unauthenticated, adjacent attacker to cause a reload of the affected device.

The vulnerability is due to improper processing of crafted IS-IS protocol packets. An attacker could exploit this vulnerability by sending a crafted IS-IS protocol packet over an established adjacency. An exploit could allow the attacker to cause a reload of the affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-nexus
Security Impact Rating: Medium
CVE: CVE-2017-3804
Categories: Security Alerts

Cisco IOS and Cisco IOx Software Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in the web-based management interface of Cisco IOS and Cisco IOx Software could allow an unauthenticated, remote attacker to view confidential information that is displayed without authenticating to the device.
 
The vulnerability is due to lack of proper input validation of the HTTP URL being requested. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted device. An exploit could allow the attacker to view confidential information that should be visible only to authenticated users of the device. The attacker could use this information to conduct additional reconnaissance attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-ios
Security Impact Rating: Medium
CVE: CVE-2017-3805
Categories: Security Alerts

Cisco Hybrid Meeting Server Web Interface Cross-Site Request Forgery Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in Cisco Hybrid Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface.

The vulnerability is due to insufficient CSRF protections. An attacker could exploit this vulnerability by convincing the user of the affected system to follow a malicious link or visit an attacker-controlled website. A successful exploit could allow the attacker to submit arbitrary requests to the affected device via the web browser with the privileges of the user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-hms
Security Impact Rating: Medium
CVE: CVE-2016-9218
Categories: Security Alerts

Cisco Email Security Appliance Filter Bypass Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in the content scanning engine of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass configured message or content filters on the device.
 
The vulnerability is due to incomplete input validation of email message attachments in different formats. An attacker could exploit this vulnerability by sending a crafted email message with an attachment to the ESA. An exploit could allow the attacker to bypass content or message filters configured on the ESA. This message filter bypass could allow email attachments that contain malware to pass through the targeted device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-esa
Security Impact Rating: Medium
CVE: CVE-2017-3800
Categories: Security Alerts

Cisco Unified Communications Manager Web Interface Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient input validation of some parameters that are passed via the HTTP GET or HTTP POST method. An attacker could exploit this vulnerability by intercepting user packets and injecting malicious code into those packets.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-cucm1
Security Impact Rating: Medium
CVE: CVE-2017-3802
Categories: Security Alerts

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to mount XSS attacks against a user of an affected device.

The vulnerability is due to a failure to properly call XSS filter subsystems when a URL contains a certain parameter. An attacker who can persuade an authenticated user of an affected device to follow an attacker-provided link or visit an attacker-controlled website could exploit this vulnerability to execute arbitrary code in the context of the affected site in the user's browser.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-cucm
Security Impact Rating: Medium
CVE: CVE-2017-3798
Categories: Security Alerts

Cisco Mobility Express 2800 and 3800 Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in 802.11 ingress connection authentication handling for the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause authentication to fail.

The vulnerability is due to improper error handling for 802.11 authentication requests that do not complete. An attacker could exploit this vulnerability by sending a crafted 802.11 frame to the targeted device. An exploit could allow the attacker to impact the availability of the device due to authentication failures.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-cme2
Security Impact Rating: Medium
CVE: CVE-2016-9221
Categories: Security Alerts

Cisco Mobility Express 2800 and 3800 802.11 Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in 802.11 ingress packet processing of the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause the connection table to be full of invalid connections and be unable to process new incoming requests.

The vulnerability is due to lack of proper error handling when the 802.11 frame is received with an unexpected status code. An attacker could exploit this vulnerability by sending a crafted 802.11 frame to the targeted device. An exploit could allow the attacker to impact the availability of the device due to the connection table being filled with invalid connections.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-cme1
Security Impact Rating: Medium
CVE: CVE-2016-9220
Categories: Security Alerts

Cisco IOS for Catalyst 2960X and 3750X Switches Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2017-01-18 14:00
A vulnerability in the Cisco IOS Software forwarding queue of Cisco 2960X and 3750X switches could allow an unauthenticated, adjacent attacker to cause a memory leak in the software forwarding queue that would eventually lead to a partial denial of service (DoS) condition.

The vulnerability is due to improper processing of IPv6 Neighbor Discovery (ND) packets. An attacker could exploit this vulnerability by sending a number of IPv6 ND packets to be processed by an affected device. An exploit could allow the attacker to cause a memory leak in the software forwarding queue that would eventually lead to a partial DoS condition.

Workarounds that address this vulnerability are available.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-catalyst
Security Impact Rating: Medium
CVE: CVE-2017-3803
Categories: Security Alerts

Multiple Vulnerabilities in OpenSSL (June 2015) Affecting Cisco Products

Cisco Security Advisories - Tue, 2017-01-17 12:55
On June 11, 2015, the OpenSSL Project released a security advisory detailing six distinct vulnerabilities, and another fix that provides hardening protections against exploits as described in the Logjam research.

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory.

This advisory will be updated as additional information becomes available.

Cisco will release software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl
Security Impact Rating: High
CVE: CVE-2014-8176,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792
Categories: Security Alerts

MS17-001 - Important: Security Update for Microsoft Edge (3214288) - Version: 1.0

Microsoft Comprehensive Security Alerts - Tue, 2017-01-10 10:00
Severity Rating: Important
Revision Note: V1.0 (January 10, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Edge. This vulnerability could allow elevation of privilege if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Microsoft Edge.
Categories: Security Alerts

MS17-JAN - Microsoft Security Bulletin Summary for January 2017 - Version: 1.0

Microsoft Comprehensive Security Alerts - Tue, 2017-01-10 10:00
Revision Note: V1.0 (January 10, 2017): Bulletin published
Summary: This bulletin summary lists security bulletins released for January 2017.
Categories: Security Alerts

MS17-002 - Critical: Security Update for Microsoft Office (3214291) - Version: 1.0

Microsoft Comprehensive Security Alerts - Tue, 2017-01-10 10:00
Severity Rating: Critical
Revision Note: V1.0 (January 10, 2017): Bulletin published
Summary: This security update resolves a vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

3214296 - Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege - Version: 1.0

Microsoft Comprehensive Security Alerts - Tue, 2017-01-10 10:00
Revision Note: V1.0 (January 10, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in the public version of Identity Model Extensions 5.1.0. This advisory also provides guidance on what developers can do to help ensure that their apps are updated correctly.
Categories: Security Alerts
