Weekly Infosec News Brief: 11-17 January

TrendMicro AV Vulnerability Created Major Remote Exploit Potential on Computers

Last Monday Google's Project Zero disclosed a vulnerability they had found in TrendMicro's anti-virus software which made it possible for any website a "protected" computer visited to execute arbitrary code on the computer. A related flaw allowed a remote website to potentially harvest any and all stored passwords in the browser. TrendMicro has released a new version fixing the problems (Google held the disclosure until the fix was available). This is an excellent example of the danger of unsound security software -- security software, such as antivirus, is so deeply integrated into the machine that a vulnerability in this software has vast potential for creating mayhem.
https://code.google.com/p/google-security-research/issues/detail?id=693
http://arstechnica.com/security/2016/01/google-security-researcher-excoriates-trendmicro-for-critical-av-defects/


Microsoft Patches Six Critical Vulnerabilities, Ends Support for Windows 8 and old IE Versions

The most serious patches for Windows this month are MS16-001 and MS16-002, which fix critical vulnerabilities in the Internet Explorer and Edge browsers, respectively. Both vulnerabilities could allow for remote code execution via a specially crafted web page. MS16-004 fixes a number of memory corruption vulnerabilities in Office that could potentially allow a malicious document to execute code on a system. MS16-006 affects Microsoft's Silverlight web plugin on both Windows and Mac, and fixes a flaw that could allow an attacker to take control of a system remotely through a malicious webpage or advertisement. Also, this month is the last for updates to Windows 8; users are advised to update to Windows 8.1 (or Windows 10). Support for older versions of IE is also at an end--only the latest version available for any given OS will be supported in the future. Given that many small businesses are still using these older versions, there is a need for awareness of this issue, as well as rapid patching and upgrades.
http://www.zdnet.com/article/january-2016-patch-tuesday/
http://www.symantec.com/connect/blogs/microsoft-patch-tuesday-january-2016
https://technet.microsoft.com/library/security/ms16-Jan


Adobe Patches 17 Serious Vulnerabilities in Acrobat and Reader

Adobe's regular "second Tuesday" updates include an important update for their Acrobat and Reader software. This update fixes 17 serious vulnerabilities, all but one of which the vendor says allow for possible remote code execution (generally the worst type of vulnerability). No update was provided for Flash, most likely because the update issued in late December was essentially a rushed-out version of the update planned for this month.
https://threatpost.com/adobe-patches-code-execution-flaws-in-reader-acrobat/115863/
https://helpx.adobe.com/security/products/reader/apsb16-02.html


Patch Available for Serious Flaws in Cisco Wi-Fi Access Points

Cisco has released a patch for many of their wireless access points that fixes several critical vulnerabilities, some of which could lead to a complete takeover of the access points by an adversary. One of these vulnerabilities involves the existence of a default user account with a static password. Two other critical vulnerabilities involve issues with authentication that could allow anyone who can access the administrative interface of the device(s) to log in as an administrator. The best way of avoiding such vulnerabilities (rather than patching them AFTER they are discovered) is to tightly limit access to the administrative interfaces of all networking devices.
http://www.zdnet.com/article/cisco-fixes-wi-fi-access-points-with-hard-coded-backdoor-access/
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160113-ise
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160113-wlc
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160113-air
