January 23, Softpedia – (International) Remote code execution flaw found in iPass Open Mobile Windows Client. A security researcher at Code White GmbH reported a vulnerability in the iPass Open Mobile Windows Client that could allow an attacker to execute arbitrary code by sending a specially crafted Unicode string to a subprocess running with SYSTEM privileges. The developers released a patch for the client. The iPass network includes free and open-access hotspots, certain hotel and convention venues, Wi-Fi on trains, and in-flight Wi-Fi on airplanes. Source
January 23, Securityweek – (International) Three OS X vulnerabilities disclosed by Google. Google released a report containing details and proof-of-concept code for three vulnerabilities affecting Apple’s OS X operating system: a code execution vulnerability, a memory corruption bug, and a sandbox escape, which Google had reported to Apple on October 20, October 21, and October 23. Source
January 23, Softpedia – (International) “Friendlier” Critroni ransomware variants spotted in the wild. Security researchers at Trend Micro discovered new strains of the Critroni ransomware (CTB-Locker) in January that extend the payment grace period to 96 hours, let the victim decrypt five files as a demonstration, and raise the ransom amount. Source
Recently I was on a United flight to a conference in Las Vegas, and upon boarding the plane, noticed that there were no seatback displays. I don’t fly all that much to begin with; maybe once or twice a year, but of course, I rolled my eyes at the lack of in-flight entertainment. While the remaining passengers were boarding, I debated ordering some gadget from the SkyMall catalog, and started to review United’s magazine, Hemispheres, which has various articles about destinations, food, etc. – and United’s in-flight entertainment. Wait, what?
United actually does have in-flight entertainment; however, you need your own device (laptop, iPad, etc.). Prior to takeoff, we were instructed to flip our devices to airplane mode, which was a first for me, as I was used to turning devices off. Once we hit cruising altitude, the plane provided Wi-Fi access. This included free browsing of United’s website, and paid browsing/email sync and streaming of movies/TV shows. I assume United has a media server on board that streams the movies and TV shows. There wasn’t an option for live TV – at least not on my flight.
Why am I telling you this awesome story about in-flight entertainment on United? For the miles, of course (just kidding). This is actually an excellent example of bring your own device (BYOD) in action. One of the main concerns with BYOD is supporting multiple endpoint devices. Instead of investing in seatback displays and the maintenance of those displays, United put the display portion on the customer. Similarly, some software companies provide a stipend for users/customers to purchase any device they want to connect into the backend environment. In those cases, the companies don’t support the endpoint devices.
For BYOD to really take off, companies need to think outside the box like United. It makes sense for the company, and to a certain degree, for the end user. I only saw two flaws in United’s BYOD in-flight entertainment: the lack of power outlets, and customers who don’t have a device. Then again, a good book works just fine without either of those items.
To discuss more about BYOD and the technologies that support that initiative, please reach out to your Gotham account manager.
Most disk array controllers on servers include some RAM that can be used to temporarily buffer data being written to or read from disk. Since access to RAM is far faster than disk access, this cache can noticeably improve overall server performance. On Citrix XenApp servers, better server performance translates into much higher user density per server.
Unlike disk, RAM is volatile: it needs power to retain its contents. Array controllers therefore usually come with a battery pack (or, on newer controllers, a capacitor that powers a copy of the cache to flash) so that write caching can be enabled safely. If power is lost, the battery keeps the cached writes alive until power is restored, and the controller then flushes them to disk. Most hardware vendors won’t allow write cache to be enabled until a battery is attached, and many automatically disable write cache when there is a battery fault.
A battery fault, or no battery at all, can therefore cause significant performance degradation on your servers during periods of heavy writes. On a Citrix XenApp server this typically happens while profiles are loading and when applications write large numbers of temporary files (e.g., browsing websites in Internet Explorer). During these periods, users may report frozen sessions and slow logons, and system administrators may see disk queue alerts from the Windows performance counters. If the problem is severe enough, however, the system can enter a temporary hung state in which no performance data is collected, so you may not receive any alerts at all.
The lesson to be learned is this: if you are using physical servers in your Citrix XenApp environment, check the batteries on your array controllers on a regular basis, and confirm that write cache is actually enabled. It is a small fix for a much larger problem.
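As an added example, not code from the original post or from Citrix, the following PowerShell script is one way to check for the symptom and the cause described above on a physical XenApp host: it samples the Windows disk-queue counters over a short window and asks the array controller CLI whether the battery and write cache are healthy. It assumes PowerShell 5.x on Windows Server; the controller CLI path and the “Cache Status” / “Battery/Capacitor Status” output lines are for HP Smart Array (hpssacli) and are assumptions here, so substitute your vendor’s tool. The queue-length threshold is a rule of thumb, not a vendor figure.

```powershell
<#
Added example (not from the original post). Samples disk write pressure and
reads the array controller's battery/cache status. Assumptions: HP Smart Array
CLI at the path below; 'ctrl all show status' prints 'Cache Status:' and
'Battery/Capacitor Status:' lines. Adjust for Dell OMSA / LSI MegaCli etc.
#>
param(
    [int]$Seconds = 30,            # length of the counter sample window
    [double]$QueueThreshold = 2.0, # sustained avg. disk queue length treated as suspicious (assumption)
    [string]$ControllerCli = 'C:\Program Files\HP\hpssacli\bin\hpssacli.exe'  # assumed vendor CLI
)

function Get-DiskWritePressure {
    param([int]$Seconds)
    $paths = @(
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\PhysicalDisk(_Total)\Avg. Disk sec/Write',
        '\PhysicalDisk(_Total)\Disk Writes/sec'
    )
    # One sample per second for $Seconds seconds; blocks until the window is done.
    $sets = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds
    $avg = @{}
    foreach ($group in ($sets.CounterSamples | Group-Object -Property Path)) {
        # Path looks like '\\host\physicaldisk(_total)\avg. disk queue length'; keep the counter name.
        $name = ($group.Name -split '\\')[-1]
        $avg[$name] = ($group.Group | Measure-Object -Property CookedValue -Average).Average
    }
    [pscustomobject]@{
        QueueLength    = [math]::Round($avg['avg. disk queue length'], 2)
        WriteLatencyMs = [math]::Round(1000 * $avg['avg. disk sec/write'], 1)
        WritesPerSec   = [math]::Round($avg['disk writes/sec'], 0)
    }
}

function Get-ControllerCacheStatus {
    param([string]$Cli)
    if (-not (Test-Path -LiteralPath $Cli)) {
        return @{ Battery = 'unknown (CLI not found)'; Cache = 'unknown (CLI not found)' }
    }
    # Assumption: output contains 'Cache Status: OK' and 'Battery/Capacitor Status: OK'
    # for a healthy controller; anything else means write cache is at risk or already off.
    $out = & $Cli ctrl all show status 2>&1 | Out-String
    $battery = if ($out -match 'Battery/Capacitor Status:\s*(\S+)') { $Matches[1] } else { 'not reported' }
    $cache   = if ($out -match 'Cache Status:\s*(\S+)')             { $Matches[1] } else { 'not reported' }
    return @{ Battery = $battery; Cache = $cache }
}

$io     = Get-DiskWritePressure -Seconds $Seconds
$status = Get-ControllerCacheStatus -Cli $ControllerCli

"Disk queue: {0}  write latency: {1} ms  writes/s: {2}" -f $io.QueueLength, $io.WriteLatencyMs, $io.WritesPerSec
"Controller cache: {0}  battery/capacitor: {1}" -f $status.Cache, $status.Battery

if ($status.Battery -ne 'OK' -or $status.Cache -ne 'OK') {
    Write-Warning "Write cache may be disabled: battery=$($status.Battery) cache=$($status.Cache). Replace the battery before users start reporting frozen sessions."
}
if ($io.QueueLength -gt $QueueThreshold) {
    Write-Warning "Sustained disk queue of $($io.QueueLength) over $Seconds s; if the controller cache is healthy, look at profile loads and temporary-file writes instead."
}
```

Run it from an elevated session on the XenApp host during a logon storm (or schedule it) so the sample covers the heavy-write period the post describes. The two checks are deliberately independent: a high queue with a healthy battery points at the workload, while a bad battery with a quiet queue is the case you want to catch before the next morning’s logons. Because the script may run on a box that is about to hang, keep the sample window short and write the output somewhere it can be read afterwards.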
January 20, Securityweek – (International) VideoLan says flaws exist in codecs library, not VLC. A security researcher discovered two vulnerabilities in libavcodec, a free open-source audio/video codec library used by the VLC, Xine, and MPlayer media players, that could allow an attacker to corrupt memory and execute arbitrary code. Source
January 20, Securityweek – (International) CSRF flaw allowed attackers to hijack GoDaddy domains. A security researcher discovered that Internet domain registrar GoDaddy had not implemented cross-site request forgery (CSRF) protections for many DNS management actions, which an attacker could have exploited to change nameservers, edit DNS records, and modify automatic renewal settings. GoDaddy fixed the vulnerability and introduced CSRF protections for sensitive account actions January 19. Source
January 20, Softpedia – (International) Oracle addresses 167 bugs in critical patch update. Oracle released its quarterly Critical Patch Update January 20, closing 167 vulnerabilities in 48 of the company’s products. Oracle Fusion Middleware received 35 security patches, more than any other product, including 28 for vulnerabilities that are exploitable remotely without authentication. Source
January 20, CNET News – (National) Verizon races out fix for email security flaw. Verizon patched a serious vulnerability in its My FiOS mobile app after a security researcher discovered a flaw that could allow an attacker to access any Verizon email account, scan the inbox, read individual emails, and send messages. Source
January 19, Help Net Security – (National) 2+ million US cars can be hacked remotely, researchers claim. A researcher with Digital Bond Labs presented at the S4 conference in Miami a vulnerability he identified after reverse-engineering the Snapshot tracking dongle offered by Progressive Insurance, which is currently in use in over 2 million vehicles across the U.S. Because the dongle’s firmware has minimal security, an attacker who compromised it remotely could control some of the core functions of the car through its on-board system. Source