News in Brief: Yahoo agrees breach settlement, zero-days found in Arcserve UDP platform

News by Tom Reeve

News in Brief: Yahoo agrees to $50 million breach settlement, victims eligible for compensation; Four zero-days found, patched in Arcserve UDP platform; Mozilla updates fix several critical and high-rated vulnerabilities

Yahoo agrees to $50 million breach settlement, victims eligible for compensation

Yahoo agreed to pay a $50 million settlement and provide two years of credit monitoring services to 200 million people whose information was compromised in the 2013-2014 breach.

The incident wasn’t reported until 2016. According to the San Francisco Gate, Yahoo has agreed to use a portion of the settlement to compensate account holders for time spent dealing with issues arising from the breach, at a rate of $25 per hour.

Those with documented losses can ask for up to $375 while those who can’t can file claims seeking up to five hours’ worth of compensation for time spent dealing with the breach. Account holders who paid between $20 and $50 annually for a premium email account will be eligible for a 25 percent refund.

In addition to the settlement, Altaba Inc., a company set up to hold Yahoo’s investments in Asian companies and other assets, has already paid a $35 million fine to the Securities and Exchange Commission for the delay in disclosing the breach.

* This story originally appeared in SCmagazine.com in the US.

Four zero-days found, patched in Arcserve UDP platform

Digital Defense VRT has revealed four zero-day vulnerabilities in the Arcserve Unified Data Protection (UDP) platform.

The issues found were:

  • an unauthenticated sensitive information disclosure via /gateway/services/EdgeServiceImpl
  • an unauthenticated XXE in /management/UdpHttpService
  • an unauthenticated sensitive information disclosure via /UDPUpdates/Config/FullUpdateSettings.xml
  • a reflected cross-site scripting flaw via /authenticationendpoint/domain.jsp

The two unauthenticated information disclosures and the XML external entity (XXE) attack could be utilised by an attacker to gain access to database and other credentials and to read files on the system hosting the UDP application, all without authentication. The reflected cross-site scripting issue could be utilised for phishing purposes, Digital Defense reported.
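The XXE risk described above comes down to an XML parser that honours a DTD supplied by the client. As an added illustration (not Arcserve's code, and not tied to how UdpHttpService actually parses its input), the following standard-library Python shows the hardening a service can apply: refuse any document that declares a DOCTYPE or an entity before anything is resolved. The parse_strict function, the UnsafeXml class and the sample documents are all constructed for this example.

```python
"""Reject client XML that carries a DTD before it reaches the real parser.

Added example (hypothetical, not Arcserve's code): external entity
declarations live in the DTD, so a service that accepts XML from
unauthenticated clients can refuse any document that declares one.
"""
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when the document declares a DOCTYPE or any entity."""


def parse_strict(xml_bytes):
    """Parse XML into {tag: [text, ...]} while refusing DTDs and entities.

    Raises UnsafeXml as soon as a DOCTYPE, entity declaration or external
    entity reference is seen, so no file:// or http:// resource is fetched.
    """
    parser = xml.parsers.expat.ParserCreate()
    found, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE %r not allowed" % name)

    def on_entity(*args):
        raise UnsafeXml("entity declaration %r not allowed" % args[0])

    def on_ext_entity(context, base, sysid, pubid):
        # Never fetch external entities; treat the attempt as hostile.
        raise UnsafeXml("external entity reference %r blocked" % sysid)

    def on_start(tag, attrs):
        stack.append(tag)
        found.setdefault(tag, [])

    def on_text(data):
        if stack and data.strip():
            found[stack[-1]].append(data.strip())

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_ext_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_bytes, True)  # exceptions from handlers propagate
    return found


# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<settings><host>udp.example.internal</host></settings>"
HOSTILE = (b'<?xml version="1.0"?><!DOCTYPE settings [<!ENTITY x SYSTEM '
           b'"file:///some/local/file">]><settings><host>&x;</host></settings>')
```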

Arcserve has fixed the issues and the patch needed to update a system is available from Arcserve support.

* This story originally appeared in SCmagazine.com in the US.

Mozilla updates fix several critical and high-rated vulnerabilities

The Mozilla Foundation released updates for Firefox 62 and Firefox ESR 60.2 to fix several vulnerabilities, including two rated critical.

In Firefox 62 the critical issues are CVE-2018-12388 and CVE-2018-12390, the latter of which also affects Firefox ESR 60.2, Mozilla reported. Both are memory safety bugs that showed some evidence of memory corruption, which with enough effort could possibly be used to run arbitrary code.

Both Firefox products also had three high-rated flaws, CVE-2018-12391, CVE-2018-12392 and CVE-2018-12393. The first fixes a situation where during HTTP Live Stream playback on Firefox for Android desktop, audio data can be accessed across origins in violation of security policies.

The second vulnerability is that, while manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling.

The third is an integer overflow during Unicode conversion while loading the JavaScript reporter, which could result in allocating a buffer that is too small for the conversion, leading to a possible out-of-bounds write.

There are also three moderate issues shared between both that were addressed, CVE-2018-12395, CVE-2018-12396 and CVE-2018-12397, while CVE-2018-12398 just affected Firefox 62.

All the vulnerabilities are fixed by updating to Firefox 63 and ESR 60.3.

* This story originally appeared in SCmagazine.com in the US.
