Vulnerability Situation Report, Issue 50

Issue 50 (2018.06.18-2018.06.24)

I. Basic vulnerability situation this week

This week the High Thill Attack and Defense Lab collected and collated 426 information security vulnerabilities in total: 266 high-risk, 136 medium-risk and 24 low-risk. That is a decrease of 110 compared with last week, down 25.8% compared to the same period. The statistics show that SQL injection is the vulnerability type with the largest share this week. Since these statistics began, and apart from the 7th and 40th issues, it has also been the type with the largest weekly share.


According to the monitoring results, the High Thill Attack and Defense Lab collated 426 vulnerabilities in total this week: other industries 103, education 82, Internet 69, commercial platforms 67, medical and health 34, e-government 34, finance 12, energy 11, transportation 7. The distribution chart is shown below:

[Figure: vulnerability distribution by industry]

Vulnerability type distribution this week

A total of 426 vulnerabilities were monitored this week. SQL injection ranks first by count, with a 40% share; command execution ranks second, with 18%; unauthorized access / privilege bypass ranks third, with 13%. These 4 types account for 71% of the total. Compared with last week, the shares of SQL injection and command execution increased, while the share of unauthorized access / privilege bypass decreased: SQL injection rose by 6%, command execution rose by 13%, and unauthorized access / privilege bypass fell by 1%. The remaining types together account for only 29%. Among them, backend weak passwords account for 10%, other vulnerabilities 6%, XSS (cross-site scripting) 5%, sensitive information disclosure 3%, arbitrary file traversal / download 3%, and design flaws / logic errors 2%.

According to the statistics, SQL injection is most prominent in the education industry, command execution is most prominent in the Internet industry, and unauthorized access / privilege bypass is most prominent on commercial platforms. SQL injection is also the type with the largest share in this week's statistics, so users should strengthen their defenses against SQL injection. The vulnerability type distribution chart is shown below:

[Figure: vulnerability distribution by type]

General-purpose vulnerabilities this week by affected object type

Application vulnerabilities: 149; network device vulnerabilities: 49; web application vulnerabilities: 17; security product vulnerabilities: 2.


II. General-purpose product bulletins this week

1. Adobe product security vulnerabilities

Adobe Acrobat is a PDF editing and conversion tool, and Adobe Reader is PDF document reading software. Adobe Flash Player is a multimedia player. Adobe Photoshop, abbreviated "PS", is image processing software. This week, multiple vulnerabilities were disclosed in the above products. Attackers can exploit them to disclose sensitive information or execute arbitrary code.

The vulnerabilities collected include: Adobe Photoshop out-of-bounds memory write vulnerability, Adobe Acrobat/Reader out-of-bounds write vulnerability, Adobe Acrobat/Reader out-of-bounds read vulnerability (CNVD-2018-11737), Adobe Acrobat/Reader memory corruption vulnerability (CNVD-2018-11792), Adobe Acrobat/Reader type confusion vulnerability (CNVD-2018-11795), Adobe Acrobat/Reader untrusted pointer dereference vulnerability, and Adobe ColdFusion deserialization of untrusted data vulnerability. Except for the "Adobe Acrobat/Reader out-of-bounds read vulnerability (CNVD-2018-11737)", all of them are rated "high risk" overall. The vendor has released fixes for the above vulnerabilities. Users are reminded to download and apply the patches promptly to avoid network security incidents caused by these vulnerabilities.

Reference links:

https://helpx.adobe.com/security/products/photoshop/apsb18-17.html

https://helpx.adobe.com/security/products/acrobat/apsb18-09.html

https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html

https://helpx.adobe.com/security/products/flash-player/apsb18-19.html

2. Foxit product security vulnerabilities

Foxit Reader is a PDF document reader. Foxit PhantomPDF is a commercial edition. This week, remote code execution vulnerabilities were disclosed in the above products. Attackers can exploit them to execute arbitrary code.

The vulnerabilities collected include: Foxit Reader and PhantomPDF remote code execution vulnerabilities (CNVD-2018-11901, CNVD-2018-11902, CNVD-2018-11903, CNVD-2018-11904, CNVD-2018-11905, CNVD-2018-11906, CNVD-2018-11907, CNVD-2018-11908). The vendor has released fixes for the above vulnerabilities. Users are reminded to download and apply the patches promptly to avoid network security incidents caused by these vulnerabilities.

Reference link:

https://www.foxitsoftware.com/support/security-bulletins.php

3. Mozilla product security vulnerabilities

Mozilla Firefox is an open-source web browser. Firefox ESR is the extended support release of Firefox. Skia is an open-source 2D graphics library used in it that provides common APIs that work across a variety of hardware and software platforms. This week, multiple vulnerabilities were disclosed in the above products. Attackers can exploit them to obtain sensitive information, bypass security restrictions, execute arbitrary code, or launch denial-of-service attacks.

The vulnerabilities collected include: Mozilla Firefox code execution vulnerabilities (CNVD-2018-11787, CNVD-2018-11789), Mozilla Firefox security bypass vulnerability (CNVD-2018-11790), Mozilla Firefox information disclosure vulnerabilities (CNVD-2018-11924, CNVD-2018-11923), Mozilla Firefox and Firefox ESR memory corruption vulnerability (CNVD-2018-11925), Mozilla Firefox ESR buffer overflow vulnerability, and Mozilla Firefox ESR Skia library memory corruption vulnerability. Except for the "Mozilla Firefox information disclosure vulnerabilities (CNVD-2018-11924, CNVD-2018-11923)", all of them are rated "high risk" overall. The vendor has released fixes for the above vulnerabilities. Users are reminded to download and apply the patches promptly to avoid network security incidents caused by these vulnerabilities.

Reference links:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/

https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/

4. Microsoft product security vulnerabilities

Microsoft Edge is a web browser. Microsoft Internet Explorer is a web browser. This week, memory corruption vulnerabilities were disclosed in these products. Attackers can exploit them to execute arbitrary code and corrupt memory.

The vulnerabilities collected include: Microsoft Edge memory corruption vulnerabilities (CNVD-2018-11917, CNVD-2018-11918), Microsoft Edge and ChakraCore memory corruption vulnerabilities (CNVD-2018-11919, CNVD-2018-11920), Microsoft Internet Explorer memory corruption vulnerabilities (CNVD-2018-11932, CNVD-2018-11933, CNVD-2018-11936), and Microsoft Edge memory corruption vulnerability (CNVD-2018-11935). All of the above are rated "high risk" overall. The vendor has released fixes for the above vulnerabilities. Users are reminded to download and apply the patches promptly to avoid network security incidents caused by these vulnerabilities.

Reference links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8110

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8111

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8229

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8249

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8267

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0978

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8236

5. PvPGN Stats SQL injection vulnerability

PvPGN Stats is a PHP-based tool that integrates a website with a PvPGN game server. It can display pages such as server status and ladder charts. This week, a SQL injection vulnerability was disclosed in PvPGN Stats. A remote attacker can exploit it via the GET parameter 'User' to gain access to the PvPGN database (including e-mail addresses, user names and passwords). The vendor has not yet released a fix. Users are reminded to keep watching the vendor's homepage in order to get the latest version.

Reference link:

http://www.cnvd.org.cn/flaw/show/CNVD-2018-11636

III. Verification of key vulnerability attacks this week

POSCMS 'index' function arbitrary code execution vulnerability

Verification description

POSCMS (PhpOpenSourceCMS) is an open-source, cross-platform website content management system (CMS) based on PHP and MySQL.

The vulnerability exists in POSCMS version 3.2.10. An attacker can exploit it through the 'index' function of the DiymodulemembercontrollersadminSetting.php file to write code to the Api/ucsso/config.php file.

Verification information

POC link:

https://github.com/myndtt/vulnerability/blob/master/poscms/3-2-10.md

Note: The verification information (method) above may be offensive in nature and is for security research only. Users are asked to strengthen their defenses against this vulnerability and to download the relevant patch as soon as possible.

IV. Security news this week

1. Apple code-signing flaw allows malicious software to bypass multiple Mac security products

Recently, researchers at a security company discovered an exploitable security flaw in the macOS code-signing mechanism. The flaw remained hidden for as long as a year. It allows an attacker to disguise untrusted malicious code as trusted legitimate code and so bypass detection by multiple macOS security products, including Little Snitch, F-Secure XFence, VirusTotal, Google Santa and Facebook OSQuery. If a product you use appears in the list above, we recommend updating it as soon as possible. If it cannot be updated, switch to another protection product in time.

2. Adobe Flash zero-day vulnerability CVE-2018-5002 used in targeted network attacks in the Middle East

Recently, a security research team (SRT) identified targeted network attacks that use the Adobe Flash zero-day vulnerability CVE-2018-5002. Attackers used this zero-day in network intrusions against individuals and organizations in the Middle East. With a malicious Flash object crafted for this vulnerability, the attackers can execute code on the victim's computer and then run a series of payloads and malicious code for follow-on intrusion.
