ÐÅÏ¢°²È«Öܱ¨-2018ÄêµÚ16ÖÜ

°ä²¼¹¦·ò 2018-04-25

Ò»¡¢±¾Öܰ²È«Ì¬ÊÆ×ÛÊö
        2018Äê04ÔÂ16ÈÕÖÁ20ÈÕ¹²ÊÕ¼°²È«·ì϶47¸ö£¬ÖµµÃ¹Ø×¢µÄÊÇBelkin N750Õ»»º³åÇøÒç¶Âí½Å £»Discuz! DiscuzX CVE-2018-10298¿çÕ¾¾ç±¾·ì϶ £»Spring Data CommonsÔ¶³Ì´úÂëÖ´Ðзì϶ £»Oracle WebLogic Server·´ÐòÁл¯Ô¶³Ì´úÂëÖ´Ðзì϶ £»Adobe Flash PlayerÔ½½çдËÁÒâ´úÂë·ì϶ ¡£

       ±¾ÖÜÖµµÃ¹Ø×¢µÄÍøÂ簲ȫÊÂÎñÊÇÌ©¹úÔËÓªÉÌTrueMove HµÄÓû§Êý¾Ýй¶£¬Ô¼4.6ÍòÓû§Êܵ½Ó°Ïì £»×îеÄ×êÑÐÏÔʾ´óÁ¿AndroidÀûÓÃÎ¥¹æ²É¼¯¶ùͯµÄÒþÖÔÐÅÏ¢ £»×êÑÐÈËÔ±³ÆÊý°ÙÍò¸öAPPͨ¹ý¸æ°×SDKй¶Óû§Êý¾Ý £»CCleaner APTµ÷²éºóÐø£º¹¥»÷Õßͨ¹ýTeamViewer½øÈëPiriformµÄÍøÂç £»×êÑÐÈËÔ±·¢ÏÖÊý¾Ý¹«Ë¾LocalBloxµÄÔ¼4800ÍòÓû§Êý¾Ý¿É¹«¿ª½Ó¼û ¡£

        ƾ¾ÝÒÔÉÏ×ÛÊö£¬±¾Öܰ²È«ÍþвΪÖÐ ¡£


¶þ¡¢³ÁÒª°²È«·ì϶Áбí
1¡¢Belkin N750Õ»»º³åÇøÒç¶Âí½Å

        Belkin N750´æÔÚ»ùÓÚÕ»µÄ»º³åÇøÒç¶Âí½Å£¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶Ïòproxy.cgi·¢ËÍHTTPÒªÇ󣬿ÉʹÀûÓ÷¨Ê½±ÀÀ £»òÖ´ÐÐËÁÒâ´úÂë ¡£

        Óû§¿É²Î¿¼Èçϳ§ÉÌÌṩµÄ°²È«²¹¶¡ÒÔ½¨¸´¸Ã·ì϶£ºhttps://www.tenable.com/security/research/tra-2018-08
2¡¢Discuz! DiscuzX CVE-2018-10298¿çÕ¾¾ç±¾·ì϶

        Discuz! DiscuzX data/template/1_diy_portal_view.tpl.phpδÏÞ¶ÈÄÚÈÝ£¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶עÈë¶ñÒâ¾ç±¾»òHTML´úÂ룬µ±¶ñÒâÊý¾Ý±»²é¿´Ê±£¬¿É»ñÈ¡Ãô¸ÐÐÅÏ¢»ò½Ù³ÖÓû§»á»° ¡£

        Óû§¿É²Î¿¼Èçϳ§ÉÌÌṩµÄ°²È«²¹¶¡ÒÔ½¨¸´¸Ã·ì϶£ºhttps://laworigin.github.io/2018/04/22/Discuz-x-portal-Stored-XSS/
3¡¢Spring Data CommonsÔ¶³Ì´úÂëÖ´Ðзì϶

        Spring Data Commons´¦ÖÃSPEL±í°×ʽ´æÔÚ°²È«·ì϶£¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶Ìá½»ÌØÊâµÄÒªÇó£¬ÒÔWEBȨÏÞÖ´ÐÐËÁÒâºÅÁî ¡£

        Óû§¿É²Î¿¼Èçϳ§ÉÌÌṩµÄ°²È«²¹¶¡ÒÔ½¨¸´¸Ã·ì϶£ºhttps://pivotal.io/security/cve-2018-1273
4¡¢Oracle WebLogic Server·´ÐòÁл¯Ô¶³Ì´úÂëÖ´Ðзì϶

        Oracle WebLogic Server´æÔÚ·´ÐòÁл¯·ì϶£¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶Ìá½»ÌØÊâÒªÇó£¬ÒÔÀûÓ÷¨Ê½¸ßµÍÎÄÖ´ÐÐËÁÒâ´úÂë ¡£

        Óû§¿É²Î¿¼Èçϳ§ÉÌÌṩµÄ°²È«²¹¶¡ÒÔ½¨¸´¸Ã·ì϶£ºhttp://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
5¡¢Adobe Flash PlayerÔ½½çдËÁÒâ´úÂë·ì϶

        Adobe Flash Player´æÔÚÔ½½çд·ì϶£¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßÀûÓ÷ì϶Ìá½»ÌØÊâÎļþ£¬ÓÕʹÓû§½âÎö£¬Äܹ»ÀûÓ÷¨Ê½¸ßµÍÎÄÖ´ÐÐËÁÒâ´úÂë ¡£

        Óû§¿É²Î¿¼Èçϳ§ÉÌÌṩµÄ°²È«²¹¶¡ÒÔ½¨¸´¸Ã·ì϶£ºhttps://helpx.adobe.com/security/products/flash-player/apsb18-08.html


Èý¡¢³ÁÒª°²È«ÊÂÎñ×ÛÊö
1¡¢Ì©¹úÔËÓªÉÌTrueMove HµÄÓû§Êý¾Ýй¶£¬Ô¼4.6ÍòÓû§Êܵ½Ó°Ïì

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        °²È«×êÑÐÈËÔ±Niall Merrigan·¢ÏÖÌ©¹ú×î´óµÄ4GÒÆ¶¯ÔËÓªÉÌTrueMove HµÄÒ»¸öAmazon AWS S3¿É¹«¿ª½Ó¼û£¬Ð¹Â¶µÄÊý¾ÝÔ̺¬Óû§µÄ¼ÝÊ»ÅÆÕպͻ¤ÕÕµÈÉí·ÝÖ¤¼þµÄɨÃ裬Êý¾Ý×ÜÁ¿ÎªÔ¼4.6Íò±Ê¼Í¼£¬¹²32GB ¡£¸ÃÊý¾Ý¿âÖ±µ½4ÔÂ12ÈÕ»¹¿É³ÖÐø½Ó¼û£¬Ëæºó¸Ã¹«Ë¾ÏÞ¶ÈÁËÆä½Ó¼ûȨÏÞ ¡£TrueMove HÉêÃ÷³ÆÊý¾Ýй¶ÊÂÎñÓ°ÏìµÄÊÇÆä×Ó¹«Ë¾I True Mart ¡£

        Ô­ÎÄÁ´½Ó£ºhttps://securityaffairs.co/wordpress/71406/data-breach/truemove-h-data-leak.html

2¡¢×îеÄ×êÑÐÏÔʾ´óÁ¿AndroidÀûÓÃÎ¥¹æ²É¼¯¶ùͯµÄÒþÖÔÐÅÏ¢

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        À´×ÔÃÀ¹ú¶àËù´óѧµÄÒþÖÔר¼Ò·ÖÎöÁËGoogle PlayÉ̵êµÄ¡°Îª¼ÒÍ¥¶øÉè¼Æ¡±£¨DFF£©´òËãµÄ5855¸öAndroid app£¬·¢ÏÖ³¬¹ý57%µÄapp¿ÉÄÜÎ¥·´Á˶ùͯÔÚÏßÒþÖÔ± £»¤·¨°¸£¨COPPA£© ¡£Ô¼5%µÄappδ¾­Ðí¿ÉÍøÂçÓû§µÄµØÎ»ºÍÁªÏµÈËÐÅÏ¢£¬Ô¼19%µÄappÓëµÚÈý·½¹²ÏíÃô¸ÐÐÅÏ¢£¬Ô¼40%µÄappÎ¥·´ÁËÖ¼ÔÚ± £»¤¶ùͯÒþÖÔµÄGoogle·þÎñÌõ¿î ¡£ÖØÒªÔ­ÒòÊÇ´óÎÞÊýappʹÓõÄSDKͨ³£×Ô¶¯ÍøÂçÓû§ÐÅÏ¢ ¡£

        Ô­ÎÄÁ´½Ó£ºhttp://news.softpedia.com/news/thousands-of-android-apps-are-tracking-kids-without-parental-consent-520696.shtml

3¡¢×êÑÐÈËÔ±³ÆÊý°ÙÍò¸öAPPͨ¹ý¸æ°×SDKй¶Óû§Êý¾Ý

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        ¿¨°Í˹»ù³¢ÊÔÊÒ°²È«×êÑÐÔ±Roman Unuchek°µÊ¾£¬Êý°ÙÍò¸öAPPʹÓÃÁ˵ÚÈý·½µÄSDK£¬µ«²¢Ã»Óб £»¤ÕâЩ¸æ°×SDK´«Ê䏸µÚÈý·½¸æ°×É̵ÄÓû§Êý¾Ý ¡£ÕâЩÊý¾ÝÔ̺¬Óû§µÄÓ×ÎÒÉí·ÝÐÅÏ¢ÈçÐÕÃû¡¢´ºÇï¡¢ÊÕÈëÉõÖÁµç»°ºÅÂëºÍµç×ÓÓʼþµØÖ·µÈ£¬ÕâЩÊý¾Ýͨ¹ýHTTPÒÔδ¼ÓÃܵķ½Ê½´«Ê䣬ºÜÈÝÒ×±»À¹½ØºÍÅú¸Ä£¬µ¼Ö¶ñÒâÈí¼þϰȾºÍÀÕË÷µÈ ¡£

        Ô­ÎÄÁ´½Ó£ºhttps://threatpost.com/millions-of-apps-leak-private-user-data-via-leaky-ad-sdks/131251/

4¡¢CCleaner APTµ÷²éºóÐø£º¹¥»÷Õßͨ¹ýTeamViewer½øÈëPiriformµÄÍøÂç

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        Avast×êÑÐÈËÔ±°ä²¼CCleaner APTµÄºóÐøµ÷²éÁ˾Ö ¡£¹¥»÷ÕßÊ×ÏÈÔÚ2017Äê3ÔÂ11ÈÕͨ¹ýÒ»¸ö¿ª·¢ÈËÔ±¹¤×÷Õ¾ÉϵÄTeamViewer½øÈëPiriform¹«Ë¾µÄÍøÂ磬ÆäÈôºÎ»ñÈ¡ÓÐЧµÄµÇ¼ʹ´¦»¹²»µÃ¶øÖª ¡£Æ¾¾ÝÈÕÖ¾Îļþ£¬¹¥»÷ÕßÔÚ±¾µØ¹¦·òÁ賿5µã½øÐÐÉøÈ룬ÆäʹÓõÄÓÐЧºÉÔØÊÇΪÕâ´Î¹¥»÷¶ø¶¨ÔìµÄShadowPad ¡£

        Ô­ÎÄÁ´½Ó£ºhttps://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer

5¡¢×êÑÐÈËÔ±·¢ÏÖÊý¾Ý¹«Ë¾LocalBloxµÄÔ¼4800ÍòÓû§Êý¾Ý¿É¹«¿ª½Ó¼û

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        UpGuardµÄ×êÑÐÈËÔ±·¢ÏÖÊý¾Ý¹«Ë¾LocalBloxµÄÒ»¸öAWS S3¿É¹«¿ª½Ó¼û£¬ÀïÃæ´æ´¢Á˸ù«Ë¾´ÓFacebook¡¢LinkedIn¡¢TwitterºÍ·¿µØ²ú¹«Ë¾ZillowµÈÍøÕ¾ÉÏÍøÂçµÄÔ¼4800ÍòÓû§µÄ¹«¿ª×ÊÁÏ ¡£ÕâЩÊý¾ÝÔ̺¬Óû§µÄÐÕÃû¡¢µ®ÉúÈÕÆÚ¡¢ÏÖʵµØÖ·¡¢£¨LinkedIn£©¹¤×÷º¹Çà¼Í¼¡¢²¿ÃÅÓû§µÄIPºÍµç×ÓÓʼþµØÖ·ÒÔ¼°²¿ÃÅÓû§µÄÓ×ÎÒ¾»×ʲúµÈÐÅÏ¢ ¡£

        Ô­ÎÄÁ´½Ó£ºhttps://www.bleepingcomputer.com/news/security/data-firm-left-profiles-of-48-million-users-on-a-publicly-accessible-aws-server/