Apple has released security updates to address vulnerabilities in iOS, tvOS, watchOS, iCloud for Windows, Safari, iTunes for Windows, macOS Mojave, macOS Sierra and macOS High Sierra. Exploitation of these vulnerabilities may allow an attacker to take control of affected system.
Users and administrators are encouraged to review Apple Security Updates and apply necessary updates.
Adobe has released security update to address vulnerabilities in Adobe Acrobat 2017, Acrobat Reader 2017, Acrobat DC and Acrobat Reader DC for Windows and MacOS. Exploitation of these vulnerabilities may allow an attacker to take control of affected system with privileges of current user.
Users and administrators are encouraged to review Adobe Security Advisory and apply necessary updates.
Mozilla has released security updates to address vulnerabilities in Firefox prior to ver.64 and Firefox ESR prior to ver.60.4. Exploitation of these vulnerabilities may allow an attacker to take control of affected product.
Users and administrators are encouraged to review Mozilla Security Advisories and apply necessary updates.
Advisory No: TZCERT/SA/2018/12/05
Date of First Release: 6 December 2018
Source: Microsoft
Software Affected:
Overview:
Multiple vulnerabilities have been identified in Microsoft Team Foundation Server that could allow a remote unauthorized execution of arbitrary code that may result into compromise of potentially sensitive information on the targeted system.
Description:
Microsoft Team Foundation Server (TFS) has been reported to vulnerable to a remote code execution and Cross-site Scripting (CSS) vulnerabilities.
The remote code execution vulnerability is a result of disabling basic authorization on the communication between the Team Foundation Server (TFS) and the search services. Whereas, the Cross-site scripting vulnerability is caused by improper handling of user input into the Team Foundation Server (TFS).
An authenticated remote access exploit can exploit these vulnerabilities by sending a specially crafted payload to the Team Foundation Server, which can be executed on user’s behalf upon visiting the compromised page.
Impacts:
Successful exploitation of the remote code execution vulnerability could allow remote unauthorized access to bypass authorization to run certain commands on the Search service to execute arbitrary code with the privileges of the user.
The cross-site scripting vulnerability could allow unauthorized access to perform cross-site scripting attacks on affected systems. Exploitation of these vulnerabilities could allow take off control of the affected system.
Solution:
Users and administrators are urged to review security updates guide available on Microsoft web portal to fix the vulnerabilities.
Reference:
Advisory No: TZCERT/SA/2018/12/05
Date of First Release: 6th December, 2018
Source: PHP, CISCO
Software Affected: PHP versions 5.x through 7.1.24
Overview:
Potential vulnerability has been discovered in Hypertext Pre-processor (PHP) which can allow a remote attacker to cause denial of service condition on the affected system.
Description:
It has been revealed that “ext/standard/var.c” and “ext/standard/var_unserializer.c” files in PHP software are susceptible to Denial of Service (DoS) condition due to a NULL pointer dereference.
A remote unauthorized user can exploit this vulnerability when either unserialize call is made to “ext/standard/var_unserializer.c” file for the “com”, “dotnet” and its variant class or a specially crafted request sent malicious input to the affected PHP software.
Impact:
Successful exploitation of the vulnerabilities can allow an attacker to trigger pointer dereference condition that cause users of software crash resulted into a DoS condition on affected PHP software.
Solution:
Users and System administrators are advised to update the affected PHP to the latest version as well as the implement the following security measures;
References:
Tanzania Computer Emergency Response Team