Weekly Infosec News Brief: 01-07 February

Multiple Critical Vulnerabilities in Malwarebytes Disclosed; Still no Patch Available

Last week Google's Project Zero disclosed several serious vulnerabilities in Malwarebytes' anti-malware software. Project Zero researcher Tavis Ormandy informed Malwarebytes of the issues back in November, and Malwarebytes says they were able to fix several of the reported bugs in the intervening months. They say that they should have a patch for the remainder in the next 3-4 weeks. Malwarebytes is advising customers to enable the "self-protection" setting on their software to mitigate the reported vulnerabilities.
http://www.scmagazine.com/malwarebytes-says-sorry-for-multiple-av-bugs-still-unpatched/article/470738/
https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/
https://code.google.com/p/google-security-research/issues/detail?id=714


Oracle Announces Java Browser Plugin to be Discontinued

Oracle has announced plans to discontinue support for the Java browser plugin with their upcoming Java Development Kit (JDK) version 9. With an installed base of ~90% of all desktop computers in the US, Java changes have a massive potential to alter the PC security landscape. This move coincides with announcements from most browsers to stop supporting browser plugins altogether, which would eliminate Flash, Silverlight, Java, and other elements that have presented a great many vulnerabilities over the past several years. Note, however, that the plugin itself will continue to function in browsers that are not upgraded, and that client-side Java applets require the plugin in order to run. Organizations should start checking now to identify any programs, servers, or other technology based on client-side Java applets and to chart a course toward replacing them.
http://krebsonsecurity.com/2016/02/good-riddance-to-oracles-java-plugin/
https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free


Hackers Steal Confidential Info from Fraternal Order of Police, Post Contracts Online

The Fraternal Order of Police (FOP) stated last week that their website had been breached and 2.5 gigabytes of data taken. The activist apparently coordinating the information on behalf of the hackers, however, claims to have 18 terabytes of sensitive data that was obtained, portions of which were already posted online. Some news sources have cited significant vulnerabilities in the FOP website that could possibly have had a part in enabling the breach. If the breached data includes confidential data or sensitive personal data, that would also raise the issue of whether the web server was adequately isolated from other systems. It is essential for organizations to maintain awareness of where all of their sensitive data is stored and to ensure that externally-exposed systems (like web servers) are free of major vulnerabilities.
http://www.securityweek.com/documents-leaked-following-us-police-union-hack


Cisco Patches Authentication Vulnerabilities and Other Issues in Multiple Products

Cisco has released fixes for security vulnerabilities in a variety of products. The most serious of these is an authentication bug in the RV220W wireless network security firewall that could allow attackers to bypass authentication and gain unauthorized access to the web-based control panel. The other issues fixed were mostly denial-of-service vulnerabilities and a bug in the NTP service on some devices. NTP (Network Time Protocol) allows network devices to synchronize their clocks to a trusted source, so an attacker could disrupt this service in order to frustrate incident responders with out-of-sync logs on various devices throughout the network.
http://www.computerworld.com/article/3027962/security/cisco-patches-authentication-denial-of-service-ntp-flaws-in-many-products.html


Critical Vulnerability Discovered in Netgear NMS300 Network Management Software

Carnegie Mellon's Computer Emergency Response Team published an advisory last week about Netgear's NMS300 Network Management Software. A vulnerability in this system could allow an attacker to upload and execute arbitrary Java code on the server running the management software. No patch is currently available.
Even when no such vulnerabilities are known, management systems present a serious risk due to their ability to modify and control multiple systems from one place. As a general precaution, access to such systems should be limited to computers dedicated to this purpose; the majority of systems in the network should not be able to access a management system's control panel at all.
http://www.csoonline.com/article/3029623/security/serious-flaws-found-in-netgears-nms300-network-management-system.html
https://www.kb.cert.org/vuls/id/777024
