Weekly Infosec News Brief: 7-13 Dec

Microsoft "Patch Tuesday" Includes Eight Critical and Four Important Fixes

The last big batch of Microsoft patches for 2015 is indeed a big one. Eight of the patches are marked as "Critical" and allow for potential remote code execution. MS15-128 fixes a graphics vulnerability in all supported versions of Windows, as well as many versions of .NET Framework, Skype, Lync, and Office, that could allow an attacker to execute arbitrary code. MS15-124 fixes a number of critical vulnerabilities in Internet Explorer (all supported versions) that could allow a malicious web page to run arbitrary code on the vulnerable machine. MS15-131 affects MS Office 2007 and newer and fixes six vulnerabilities that could allow a malicious Office document to run arbitrary code on a vulnerable machine. These three are the ones that affect the most widely deployed software and are the most easily exploitable, and they should be tested and deployed as soon as possible. MS15-127 affects DNS services on supported versions of Windows Server. The patched vulnerability (CVE-2015-6125) may allow an attacker to remotely exploit a DNS server via a malformed request. This presents an extreme risk to any organization using Windows to service external DNS requests, and this patch should be a priority if your organization is doing so.
http://www.zdnet.com/article/december-2015-patch-tuesday/#ftag=RSSbaffb68
https://technet.microsoft.com/library/security/ms15-Dec
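To help prioritise MS15-127 and confirm that the December batch actually landed, here is an added PowerShell example (not code from the original post or from Microsoft). It checks whether the host carries the Windows DNS Server role or service, then lists hotfixes installed on or after Patch Tuesday (8 Dec 2015). It assumes PowerShell 3 or later and, for the role check, a Server SKU where the ServerManager module (`Get-WindowsFeature`) exists; on other SKUs it falls back to the service check alone.

```powershell
# Added example, not from the original post: triage a Windows host against
# the December 2015 Patch Tuesday. Assumes PowerShell 3+; Get-WindowsFeature
# is only present on Windows Server, so the service check is the fallback.

$patchTuesday = Get-Date '2015-12-08'

# Does this host run Microsoft's DNS Server role? (MS15-127 / CVE-2015-6125)
$dnsRole = $null
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $dnsRole = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
}
$dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue

if (($dnsRole -and $dnsRole.Installed) -or
    ($dnsService -and $dnsService.Status -eq 'Running')) {
    Write-Warning "DNS Server role/service present on $env:COMPUTERNAME - treat MS15-127 (CVE-2015-6125) as top priority."
} else {
    Write-Output "No Windows DNS Server role detected on $env:COMPUTERNAME."
}

# Which hotfixes arrived since Patch Tuesday? Some entries have no
# InstalledOn date, so those are skipped rather than treated as recent.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "No hotfixes installed on $env:COMPUTERNAME since $($patchTuesday.ToShortDateString())."
}
```

An empty hotfix list after the warning is the signal to chase: the host either has not contacted WSUS/Windows Update since Patch Tuesday or the updates failed to install. Run it under `Invoke-Command` against a list of servers to get the same view fleet-wide.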


Adobe Patches 78 Vulnerabilities in Flash Player

Adobe updated Flash Player last Tuesday, according to their normal monthly schedule. The update fixes 78 vulnerabilities, including five "priority 1" flaws, Adobe's highest category. Flash exploits have been a top target of attackers for the past several years. Google Chrome, as well as Microsoft IE and Edge browsers on Windows 8 & 10, will update Flash automatically with the browser. Updating Flash on all of your organization's PCs should be a priority. Does your organization have a method for deploying and/or verifying updates for Flash and other non-Microsoft software?
http://www.scmagazine.com/adobe-patches-78-bugs-in-last-patch-tuesday-of-2015/article/458571/
https://helpx.adobe.com/security/products/flash-player/apsb15-32.html


Microsoft to Drop Support for Older Internet Explorer Versions

As of January 12, 2016, Microsoft will no longer provide technical support or security updates for any versions of Internet Explorer other than the newest version compatible with a given operating system. For Windows 7 and newer, including Server 2012 R2 and Server 2008 R2 SP1, that is IE 11. On Vista SP2, and Server 2008 SP2 the latest version is IE 9, whereas for Server 2012 (non-R2) the latest compatible version is IE 10. These more recent versions of IE provide many security benefits over IE 7 or 8. What versions of IE are in use in your organization?
https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/
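Both the Flash item above and this one come down to the same inventory question: which hosts still run an old browser or an un-updated plugin? Here is an added PowerShell example (not code from the original post or from Microsoft or Adobe) that collects the Internet Explorer version and the Flash ActiveX control version from a set of Windows hosts and flags any IE major version below 9, which is out of support on every OS after 12 January 2016. It assumes PowerShell Remoting (WinRM) is enabled on the targets, the caller is a local administrator there, and PowerShell 3 or later; the host names are constructed placeholders.

```powershell
# Added example, not from the original post: inventory IE and Flash versions
# across hosts. Assumes PowerShell 3+, WinRM enabled, admin rights on targets.
# The host list is constructed; replace it with your own.

$computers = @('WS-CONSTRUCTED-01', 'WS-CONSTRUCTED-02')

$inventory = {
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # IE 10 and later store the real version in svcVersion; older builds only
    # carry Version (which IE 10/11 keep at 9.x for compatibility).
    $ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }

    # Flash Player for IE (ActiveX) lives under Macromed\Flash; on 64-bit
    # Windows the 32-bit control is under SysWOW64.
    $flash = Get-ChildItem "$env:SystemRoot\System32\Macromed\Flash",
                           "$env:SystemRoot\SysWOW64\Macromed\Flash" `
                 -Filter 'Flash*.ocx' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.VersionInfo.FileVersion } | Sort-Object -Unique

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OS           = (Get-CimInstance Win32_OperatingSystem).Caption
        IEVersion    = $ieVersion
        FlashVersion = ($flash -join ', ')
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $inventory -ErrorAction Continue

# Flag IE major versions below 9 (unsupported everywhere after 12 Jan 2016).
# An empty FlashVersion means no ActiveX Flash control was found on the host.
$results | ForEach-Object {
    $major = 0
    if ($_.IEVersion) { $major = [int](($_.IEVersion -split '\.')[0]) }
    $_ | Add-Member -NotePropertyName IEOutOfSupport -NotePropertyValue ($major -lt 9) -PassThru
} | Format-Table Computer, OS, IEVersion, IEOutOfSupport, FlashVersion -AutoSize
```

The threshold of 9 is the floor that holds for every OS listed above; for Windows 7 and later the bar is IE 11 and for Server 2012 it is IE 10, so tighten the comparison per OS caption if your fleet is mixed. Compare the reported Flash file version against the fixed version listed in Adobe's APSB15-32 bulletin for your platform.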


Apple Issues Updates for Macs and iPhones/iPads

Last Wednesday, Apple pushed out updates for its Mac OS X and iOS operating systems for the Mac, iPhone, and iPad. These updates include a large number of security fixes for both operating systems. The increased volume of vulnerability fixes reflects increased attention to security issues in Apple devices from both researchers and malicious hackers. Yet as Apple devices become more common in corporate networks, most security management solutions still do not provide any support for them. If your organization provides or supports Apple devices, how do you manage updates for them?
http://www.eweek.com/security/apple-updates-os-x-ios-with-numerous-security-fixes.html
https://support.apple.com/en-ca/HT205635


Serious Vulnerability Discovered in Antivirus Software from McAfee, Kaspersky, and AVG

An Israel-based security company, enSilo, revealed last week that both McAfee and Kaspersky antivirus had been found to have vulnerabilities similar to the one that enSilo alerted AVG to back in March. All three antivirus programs were found to allocate key memory regions as read-write-execute at predictable addresses, providing attackers with a means to bypass built-in Windows protections such as address space layout randomization (ASLR). Because they have access to the operating system at a very fundamental level, antivirus programs can easily lead to a total system compromise if they are exploited.
http://www.scmagazine.com/vulnerability-found-in-mcafee-kaspersky-and-avg-anti-virus-softwares/article/459241/
http://www.darkreading.com/endpoint/known-security-flaw-found-in-more-antivirus-products/d/d-id/1323480
