Weekly Infosec News Brief: 7-13 March

Adobe Issues Three Updates, Including an Emergency Update for Flash

Adobe had a rough week last week. They issued updates for their Acrobat/Reader and Digital Editions software on Tuesday, their regular monthly day for issuing patches. They announced at that time that there would be a Flash update forthcoming soon. That Flash update was released on Thursday, and includes fixes for 18 critical vulnerabilities. One of these, CVE-2016-1010, is already being used in attacks in the wild, and the release of the update was likely delayed in order to incorporate a fix for this issue. Given that the vulnerability is already being exploited, this is an update that should definitely be installed as soon as possible.
http://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for-actively-exploited-code-execution-bug/
http://www.scmagazine.com/adobes-patch-tuesday-update-handles-four-vulnerabilities/article/481813/
http://www.computerworld.com/article/3042589/security/emergency-flash-player-patch-fixes-actively-exploited-flaw.html
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html


Microsoft Patch Tuesday Patches Include Five Critical Updates

This month's Microsoft patches include one that fixes a critical flaw in every currently-supported version of Windows. The update (MS16-027) addresses a flaw in how Windows handles media files that could enable an attacker to run arbitrary code via a specially-crafted video or music file embedded in a website. The other critical vulnerabilities include two in Microsoft's browsers (MS16-023 for Internet Explorer and MS16-024 for the Edge browser on Windows 10) that could also allow remote code execution, one (MS16-028) in the PDF library in Windows 8 and newer, and one (MS16-026) in the handling of OpenType fonts that could be exploited by a malicious website to run arbitrary code. There are no reports of any malicious actors exploiting any of these vulnerabilities in the wild at present, but they are all serious and should be patched as soon as possible.
http://www.computerworld.com/article/3042028/microsoft-windows/5-critical-updates-for-march-patch-tuesday.html
http://www.zdnet.com/article/march-2016-patch-tuesday/
https://technet.microsoft.com/en-us/library/security/ms16-mar.aspx


Java Patch from 2013 Shown to be Flawed, Trivially Bypassed

A critical Java vulnerability from back in 2013 (CVE-2013-5838) was patched at that time, but new research from the firm that originally found it shows that it is extremely easy to bypass the patch and still exploit the flaw. The vulnerability makes it possible for a malicious Java applet to take full control of a machine, even if the user running the applet is not an administrator. It is not clear if or when Oracle will issue a new patch to more thoroughly eliminate the problem. This would be a good time for organizations to once again consider eliminating the use of Java altogether, or at least restricting its use to particular users or computers with a business requirement for it.
http://www.csoonline.com/article/3043203/security/two-year-old-java-flaw-re-emerges-due-to-broken-patch.html


New Versions of both Chrome and Firefox Browsers Released, Fixing Security Issues

Google and Mozilla both released new versions of their browsers last week. The new Chrome release, version 49.0.2623.87, fixes several serious security vulnerabilities, including one in the browser's internal PDF rendering engine. The new Firefox version (version 45) fixes eight critical bugs, including several in the browser's font-rendering code. Both browsers have self-updating capabilities, but it is common to find such browsers running on PCs in organizations that have not been updated in months. Contact Anchor if you need help in figuring out how to manage potentially disastrous web browser vulnerabilities in your organization.
http://www.zdnet.com/article/google-fixes-severe-vulnerabilities-in-chrome-browser-update/
http://googlechromereleases.blogspot.co.uk/2016/03/stable-channel-update_8.html
http://www.eweek.com/cloud/mozilla-firefox-45-removes-tab-groups-provides-security-updates.html
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45
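The point above about browsers that quietly stay months behind is easy to check if you already export an inventory of installed software. The script below is an added example, not something from the brief or from Google or Mozilla: it takes the two minimum patched versions named in this section (Chrome 49.0.2623.87 and Firefox 45), parses version strings into comparable tuples, and reports which hosts in a constructed sample inventory still need the update. The hostnames and versions in `SAMPLE_INVENTORY` are made up for illustration.

```python
"""Audit a browser inventory against the minimum patched versions named in the brief."""
from typing import Dict, List, Tuple

# Minimum versions that contain the fixes described above (values taken from the brief).
MIN_PATCHED: Dict[str, Tuple[int, ...]] = {
    "chrome": (49, 0, 2623, 87),
    "firefox": (45,),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '49.0.2623.87' or '44.0.2' into a tuple of ints for ordered comparison.

    A non-numeric suffix on a component (e.g. a channel tag) is dropped from that
    component; a component with no leading digits counts as 0.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(browser: str, version: str) -> bool:
    """True if the installed version is older than the minimum patched release."""
    minimum = MIN_PATCHED[browser.lower()]
    installed = parse_version(version)
    # Pad the shorter tuple with zeros so (45,) and (45, 0) compare as equal.
    width = max(len(minimum), len(installed))
    installed = installed + (0,) * (width - len(installed))
    minimum = minimum + (0,) * (width - len(minimum))
    return installed < minimum


def find_outdated(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory rows whose browser is still below the patched version."""
    return [
        row
        for row in inventory
        if row["browser"].lower() in MIN_PATCHED
        and is_outdated(row["browser"], row["version"])
    ]


# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-001", "browser": "Chrome", "version": "49.0.2623.87"},
    {"host": "ws-002", "browser": "Chrome", "version": "48.0.2564.116"},
    {"host": "ws-003", "browser": "Firefox", "version": "45.0"},
    {"host": "ws-004", "browser": "Firefox", "version": "44.0.2"},
    {"host": "ws-005", "browser": "Chrome", "version": "49.0.2623.75"},
]

if __name__ == "__main__":
    for row in find_outdated(SAMPLE_INVENTORY):
        print(f"{row['host']}: {row['browser']} {row['version']} needs updating")
```

Replace `SAMPLE_INVENTORY` with rows from your own software inventory export, and extend `MIN_PATCHED` as later releases arrive; a browser that is missing from the table is simply skipped rather than reported, so keep the table current.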


Cisco Home Routers Get Patch for Serious Vulnerabilities

Cisco manufactures several models of cable modems and home routers that are typically provided to home users by their ISPs. Cisco issued software updates for several of these last week to fix a vulnerability in the administrative web service that could lead to unauthorized information disclosure.
Cisco also separately released an update for the software for their ASA 5500 series firewalls to fix a flaw in the HTTPS inspection service that could lead to a denial of service condition.
http://www.csoonline.com/article/3042731/security/cisco-patches-serious-flaws-in-cable-modems-and-home-gateways.html
http://www.securityweek.com/serious-flaws-patched-cisco-modems-gateways
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160309-cmre


Home Depot to pay $19.5 Million to Compensate Customers for Breach, Provide ID Theft Alerting

Last week Home Depot reached a settlement in a class action suit resulting from the 2014 breach of their payment systems. The money will provide compensation to customers whose data was lost, and will also be used to pay for ID theft alerting service for some of those customers. The settlement is dwarfed by the $161 million in expenses Home Depot has claimed as resulting from the breach overall. Breaches can lead to large financial losses, but even those often pale in comparison with the reputational damage and potential loss of business. Proper prior planning can limit these losses and lead to a faster and more positive resolution.
http://www.csoonline.com/article/3041994/security/home-depot-will-pay-up-to-195-million-for-massive-2014-data-breach.html
