Non classé

Cisco Jabber Client Framework for Mac Code Execution Vulnerability

Advisory ID:
First Published:
2019 September 4 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvq04288
CVSS Score:Base 6.7
my-tracker_cpteCisco Jabber Client Framework for Mac Code Execution Vulnerability
read more

The Capital One data breach: Time to check your credit report

If you needed yet another nudge to start keeping an eye on your credit report to protect against identity theft, Capital One has delivered it with its announcement that a data breach has exposed the personal information of 106 million of its credit card customers and credit card applicants in the United States and Canada.

News of the Capital One breach comes just one week after the Federal Trade Commission announced that Equifax agreed to pay up to $700 million to settle a lawsuit brought by the FTC, the Consumer Financial Protection Bureau, and 50 states and territories, stemming from the credit reporting giant’s 2017 data breach, which affected about 147 million people.

In the Capital One breach, 100 million people in the United States and 6 million in Canada were affected. According to the bank, most of the stolen information came from the credit card applications of consumers and small businesses. The information includes names, dates of birth, addresses, phone numbers, and more, all from applications filed between 2005 and early 2019.

For credit card holders, the stolen information includes credit scores, credit limits, balances, payment history, contact information and some transaction data. The bank says the hacker also stole about 140,000 Social Security numbers, 80,000 linked bank account numbers of secured credit card holders, as well as the Social Insurance Numbers of about one million Canadians.

Capital One has posted information about the breach and says it will notify the people affected and offer them free credit monitoring and identity protection services. However, whether or not you were affected, there is no time like the present to check your free credit report and take other steps to protect against identity theft.

Check out these articles to read the basics about credit reports and credit monitoring. And one more thing: a data breach is a magnet for scammers. Be alert to emails and calls pretending to be from Capital One or the government. Neither the bank nor the government will send an email or call you to ask for credit card or account information or your Social Security number.

Visit to learn more about protecting yourself after a data breach.

my-tracker_cpteThe Capital One data breach: Time to check your credit report
read more

July 2019 Security Updates

Release Date: July 09, 2019

The July security release consists of security updates for the following software:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Azure DevOps
  • Open Source Software
  • .NET Framework
  • Azure
  • SQL Server
  • Visual Studio
  • Microsoft Exchange Server

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Starting in May 2019, Internet Explorer 11 is available on Windows Server 2012. This configuration is only present in only the IE Cumulative package.

The following CVEs have FAQs with additional information and may include * further steps to take after installing the updates. Please note that this is not a complete list of CVEs for this release.

Known Issues

KB Article Applies To
4493730 Servicing stack update for Windows Server 2008 SP2
4507434 Internet Explorer 11
4507435 Windows 10, version 1803
4507448 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4507449 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)
4507450 Windows 10, version 1703
4507453 Windows 10, version 1903, Windows Server version 1903
4507455 Windows 10, version 1709
4507457 Windows 8.1, Windows Server 2012 R2 (Security-only update)
4507458 Windows 10
4507460 Windows 10 1607 and Windows Server 2016
4507462 Windows Server 2012 (Monthly Rollup)
4507464 Windows Server 2012 (Security-only update)
4507469 Windows 10, version 1809, Windows Server 2019
4509408 Microsoft Exchange Server 2019
4509409 Microsoft Exchange Server 2013 and 2016
4509410 Microsoft Exchange Server 2010
my-tracker_cpteJuly 2019 Security Updates
read more

Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input

Vulnerability Note VU#400865


Cisco’s Trust Anchor module (TAm) can be bypassed through manipulating the bitstream of the Field Programmable Gate Array (FPGA). This component handles access control to a hardware component within Cisco’s Secure Boot implementations, which affects multiple products that support this functionality. An authenticated, local attacker could write a new firmware image to the TAm. Additionally, Cisco’s IOS XE web UI improperly sanitizes user-input, and could allow an authenticated, remote attack to execute commands. An authenticated, remote attacker could execute commands as root on the vulnerable device.


CVE-2019-1649: Secure Boot Tampering, also known as Thrangrycat

The logic that handles the access controls to TAm within Cisco’s Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array (FPGA). The TAm is a proprietary hardware chip used for many security services within Cisco products, including nonvolatile secure storage, cryptography services, and as a Secure Unit Device Identifier. The TAm can be bypassed by modifying the bitstream of the FPGA, allowing an authenticated, local attacker to make persistent modification to the TAm.

CVE-2019-1862: IOS XE Web UI Command Injection
The web user interface of Cisco IOS XE improperly sanitizes user-supplied input. This could allow an authenticated, remote attacker to execute commands as root on the underlying Linux shell.


A local or remote attacker could write a new firmware image to the TAm. When exploited together, these vulnerabilities could allow a remote, authenticated attacker to remotely and persistently bypass Secure Boot and prevent future software updates to the TAm.

To exploit CVE-2019-1649, an attacker would need to have privileged administrative access to the device. This type of access could be achieved by exploiting the vulnerability described in CVE-2019-1862 or other potential remote command injection vulnerabilities.


Cisco is in the process of developing and releasing software fixes for all affected platforms. We recommend installing this update when it is available.

Apply the update from Cisco.


Guidance from Cisco recommends that users refer to the Cisco Guide to Harden Cisco IOS Devices, as it provides information about how to harden the device and secure management access. Implementing the recommendations in this document would likely reduce the attack surface for this vulnerability.

Vendor Information

Affected   Unknown   Unaffected


CVSS Metrics

Group Score Vector
Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal 6.8 E:ND/RL:U/RC:C
Environmental 6.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND




This document was written by Madison Oliver.

Other Information

CVE IDs: CVE-2019-1649, CVE-2019-1862
Date Public: 2019-05-13
Date First Published: 2019-05-14
Date Last Updated: 2019-05-15 13:58 UTC
Document Revision: 30
my-tracker_cpteCisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input
read more

Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Filter Query Information Disclosure Vulnerability

Advisory ID:
First Published:
2019 May 1 16:00 GMT
Version 1.0:
No workarounds available
Cisco Bug IDs:
CVSS Score:
my-tracker_cpteCisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Filter Query Information Disclosure Vulnerability
read more