Weekly Infosec News Brief: 08-14 February

Major Vulnerability in Cisco ASA Firewalls Announced; Patch Available

Cisco announced last Wednesday a major vulnerability that had been discovered in their ASA firewall platform. The flaw is found in the VPN service (specifically the IKE protocol for VPN authentication and setup) on the firewalls, and appears to affect every current version of the firewall. The flaw potentially allows an attacker to gain complete control of the firewall, and is already being actively exploited via the Internet. Cisco has an update available to fix the issue, and anyone running a Cisco firewall is urged to update as soon as possible. If it is not possible to update the firewall software immediately, disabling the VPN services on the firewall would appear to render the firewall invulnerable in the meantime. See Anchor's blog post from earlier this week for more details:
http://www.anchortechnologies.com/blog/very-serious-cisco-asa-firewall-vuln-patch-asap


Microsoft Issues Twelve Security Bulletins, Five of them "Critical," for February

On "Patch Tuesday" last week, Microsoft issued twelve new security bulletins, five of them rated "critical." The most important of these affects all supported versions of Internet Explorer, and could potentially allow for remote code execution if the browser visits a "specially crafted webpage" designed to exploit the vulnerability. Microsoft's new Edge browser for Windows 10 received a comparable update for a similar issue. Another critical vulnerability affects Microsoft Journal, allowing for arbitrary code execution if a malicious .jnl file is opened. Given how infrequently this application is used (and the number of recent vulnerabilities it has had), removing the application's association with the .jnl file extension may be a good measure for organizations to take to head off any future issues with it. Finally, a critical vulnerability in Microsoft's PDF Reader (built into Windows 8, 10, and Server 2012) represents the first significant security issue with their Adobe Reader alternative.
https://blog.qualys.com/laws-of-vulnerabilities/2016/02/09/patch-tuesday-february-2016
https://technet.microsoft.com/en-us/library/security/ms16-feb.aspx


Adobe Issues 32 Vulnerability Fixes for Products Including Flash, AIR, Photoshop, and Connect

Last Tuesday was Adobe's regularly scheduled monthly day to issue updates, and they issued four separate security bulletins: one for Flash and AIR, one for Photoshop and Bridge, one for Adobe Connect, and one for Adobe Experience Manager. Flash is by far the most common and important of these, and the update for Flash lists twenty-two separate CVE numbers that it fixes. Adobe marks this update as priority "1," and organizations and individuals are urged to install it as quickly as possible. Chrome and newer IE versions (on newer versions of Windows) include Flash natively and update it along with the browser; ensuring Flash is fully up-to-date on PCs is complex, and organizations should ensure they are able to perform this validation. Measures to limit or eliminate the use of Flash are also advisable.
http://www.scmagazine.com/adobe-issues-32-fixes-for-februarys-patch-tuesday/article/473065/
https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
https://helpx.adobe.com/security.html


Google Set to Stop Accepting Flash-based Advertisements This July

June 30th, 2016, will mark the last day that Google will allow ads written in Flash to run on its advertising network. Flash-based ads are the most common type of "malvertisement" -- web ads that attempt to exploit vulnerabilities on users' browsers. The anonymity involved in the act of buying web advertising has made it a very popular way for hackers to spread malware, particularly cryptographic ransomware, over the past several years. If you're not willing to wait until that time, consider implementing measures to eliminate or limit the use of Flash in your network. Setting up "click-to-play" for Flash or enabling it in only one browser are two such measures.
http://www.csoonline.com/article/3031895/security/google-will-stop-accepting-new-flash-ads-on-june-30.html


Google Issues Chrome Update That Fixes Serious Security Issues on Every Platform

Google released an update to their Chrome browser (to version 48.0.2564.109) that includes at least six security fixes. Several of these could potentially allow an attacker to take full control of affected systems. If you run Chrome in your organizational network, you should ensure that all clients are getting updated. Google has excellent tools available for managing Chrome on your organizational systems.
http://www.scmagazine.com/google-issues-chrome-update-to-fix-windows-mac-and-linux-bugs/article/473340/
