Posts

Showing posts from March, 2017

Critical Vulnerability Discovered in IIS 6.0 Web Services

IIS 6, the version that runs on Windows 2003 Server, was revealed this week to have a serious vulnerability that could allow an attacker to run malicious code on the server. The vulnerability has apparently been known to some malicious groups for some time, as attacks exploiting this vulnerability have been observed as far back as summer of 2016. But last week a proof-of-concept exploit for the vulnerability was posted to GitHub, bringing public attention to the problem and providing potential attackers with a head start on developing their own exploit code. That is likely to take this from a secretive exploit used by a few actors to one that will be widely used by many attackers, meaning anyone running a vulnerable server is a likely victim. Vulnerability announcements are common, but this one is especially problematic for several reasons: IIS 6.0 is a part of the Windows 2003 Server operating system, which aged out of support from Microsoft almost two years ago. There are an

Weekly Infosec News Brief: 13-19 March 2017

Microsoft Releases Massive Amount of Updates, Fixing 135 Vulnerabilities in 17 Security Bulletins After February's abortive Patch Tuesday, March's Patch Tuesday is predictably larger than usual. Nine of the bulletins are marked as critical. The Windows updates are bundled together per Microsoft's new patch distribution method, though the updates for the IE and Edge browsers are available separately. Several of the critical vulnerabilities fixed here are already publicly known, and some are already being actively exploited. These include the GDI vulnerability fixed by MS17-013 and two of the browser vulnerabilities fixed in MS17-006/007. We recommend that organizations test and deploy these updates as quickly as possible. https://technet.microsoft.com/en-us/library/security/MS17-MAR http://www.computerworld.com/article/3180996/security/largest-ever-patch-tuesday-from-microsoft.html http://www.csoonline.com/article/3181411/security/microsoft-fixes-record-number-of-fla

Certificate Problems are a Common Cause of Downtime

The broad adoption and use of cryptography throughout modern enterprises is an important innovation and a key tool to improve the security of organizational systems and data. However, cryptography creates some complexities and dependencies that are often not well accounted for and can lead to system downtime as a result. The use of cryptographic certificates for encryption and authentication is a key source of such downtime. In a recent survey, 79% of responding organizations said they had suffered at least one certificate-related system outage during 2016; 38% suffered six or more such outages! This is something that we see from time to time in our business. Even when an outage is not directly attributable to a certificate problem, it is common to see a system or service restore be significantly delayed due to a difficulty in restoring a certificate or a need to generate or obtain new certificates. A recent incident at the Department of Homeland Security underscores the risk h