High Severity Vulnerabilities found during February, 2014

The UG-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded in the past week by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), which is based in the United States.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of UG-CERT analysis.

High Severity Vulnerabilities

Computer Products affected: Apple Mac OS X
Description: Multiple type confusion issues existed in coresymbolicationd's handling of XPC messages. These issues were addressed through improved type checking. A malicious application may be able to execute arbitrary code with system privileges.
Date Published: 2015-01-30
CVSS Score: 10.0
The CVE Identity: CVE-2014-8817

Computer Products affected: Symantec PGP Universal and Encryption Management Server
Description: Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 is susceptible to a shell command line injection when an authorized, but less privileged administrator, is submitting a request for a database backup. This could potentially result in the malicious administrator gaining privileged access on the server.
Date Published: 2015-01-31
CVSS Score: 9.0
The CVE Identity: Link

Computer Products affected: Adobe Flash Player
Description: Unspecified vulnerability in Adobe Flash Player through 13.0.0.264 and 14.x, 15.x, and 16.x through 16.0.0.296 on Windows and OS X and through 11.2.202.440 on Linux allows remote attackers to execute arbitrary code via unknown vectors. It has been exploited in the wild since February 2015.
Date Published: 2015-02-02
CVSS Score: 10.0
The CVE Identity: CVE-2015-0313; SECTRACK, BID, SECUNIA

Uganda Communications Commission – UGCERT Email: [email protected] Tel + 256 414 302 100/150 Toll Free: 0800 133 911 Website www.ug-cert.ug Face book / Twitter: UGCERT

Computer Products affected: Huawei Quidway switches
Description: Huawei Quidway switches with firmware before V200R005C00SPC300 allow remote attackers to gain privileges via a crafted packet.
Date Published: 2015-02-03
CVSS Score: 7.5
The CVE Identity: CVE-2015-1460

Computer Products affected: Trend Micro
Description: Vulnerability in Trend Micro Antivirus Plus, Internet Security, and Maximum Security could allow an attacker to elevate privileges on the system.
Date Published: 2015-02-06
CVSS Score: 7.2
The CVE Identity: CVE-2014-9641

Computer Products affected: Microsoft Windows Server
Description: This security update is rated Critical for all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Date Published: 2015-02-10
CVSS Score: 8.3
The CVE Identity: CVE-2015-0008

Computer Products affected: Internet Explorer
Description: Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
Date Published: 2015-02-10
CVSS Score: 9.3
The CVE Identity: CVE-2015-0017


Computer Products affected: Microsoft Office Suite
Description: This security update is rated Important for all supported editions of 2007, 2007, 2010, Microsoft Excel 2010, Microsoft Word 2010, Microsoft Web Applications 2010, Microsoft Excel 2013, Microsoft Word Viewer, Microsoft Excel Viewer, and Microsoft Office Compatibility Pack. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user.
Date Published: 2015-02-10
CVSS Score: 9.3
The CVE Identity: MS15-012

Computer Products affected: Google Android
Description: Vulnerabilities in Android through 5.0. Successful exploits may allow an attacker to gain elevated privileges on the affected application. Failed exploit attempts may crash the application, denying service to legitimate users.
Date Published: 2015-02-15
CVSS Score: 10.0
The CVE Identity: CVE-2015-1474; CONFIRM

Computer Products affected: Adobe Flash Player
Description: Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows an attacker to take control of the affected system. Adobe is aware of reports that CVE-2015-0313 is actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. Adobe recommends users update their product installations to the latest versions.
Date Published: 2015-02-21
CVSS Score: 10.0
The CVE Identity: CVE-2015-0331

Computer Products affected: D-Link
Description: D-Link DAP-1320 Rev Ax with firmware before 1.21b05 allows attackers to execute arbitrary commands via unspecified vectors.
Date Published: 2015-02-23
CVSS Score: 10.0
The CVE Identity: CVE-2015-2050

Computer Products affected: Samba
Description: All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an unexpected code execution vulnerability in the smbd file server daemon. A malicious client could send packets that may set up the stack in such a way that the freeing of memory in a subsequent anonymous netlogon packet could allow execution of arbitrary code. This code would execute with root privileges.
Date Published: 2015-02-23
CVSS Score: 10.0
The CVE Identity: CVE-2015-0240

For a full list of all of the vulnerabilities discovered throughout previous weeks go to the reports section on our website.
