Weekly Infosec News Brief: 27 Mar-2 Apr 2017

Unpatched Vulnerability in Microsoft IIS 6.0 Web Services Announced

A serious vulnerability in Microsoft Internet Information Server (IIS) 6.0 was publicized last week when someone posted proof-of-concept exploit code to GitHub. The vulnerability was apparently known to some hacker groups previously, and has been exploited in attacks since last summer, but its existence was not well-known and the ability to exploit it was not widespread. IIS 6.0 runs on Windows 2003 Server, which is no longer supported by Microsoft, so no patch for this flaw is expected to be released. Still, there are hundreds of thousands of publicly-accessible websites still running on IIS 6.0, so this is a serious issue.

VMWare Issues Patches for Critical VM-Escape Flaws in Multiple Products

Since virtual computing technology was popularized in the 2000s, the greatest security concern has been the possibility of "virtual machine escape," or the ability for an intruder to access one virtual machine from another, or to access the host layer from a virtual machine, via the virtualization platform rather than through the virtualized network. This would provide an attack route unique to virtualized environments that does not exist in conventional networks of physically separate computers networked together. While this has been a fear for a long time, few practical exploits of this type have been developed. During this year's "Pwn20wn" contest, hackers discovered vulnerabilities in several VMWare products that may constitute the most serious virtual machine escape vulnerabilities to date. The vulnerabilities, CVE-2017-4902 and CVE-2017-4903, are found in VMWare's flagship ESXi product, as well as their desktop virtualization products, VMWare Workstation/Player and Fusion (for PCs and Macs, respectively). VMWare promptly issued updates to fix the issues. Organizations are advised to upgrade to version 12.5.5 (8.5.6 for Fusion) as soon as possible. Given the centrality of ESXi in many organizations, testing prior to a full upgrade is recommended.

LastPass Fixes Critical Vulnerabilities in Their Password Manager Plug-ins

Last Monday (March 20th), Google's Project Zero researchers reported to LastPass some serious vulnerabilities that could have allowed attackers to steal users' passwords or possibly even run malicious code on their machines. The vulnerabilities were in the browser plug-ins that allow LastPass to automatically fill users' passwords into the blanks on web pages.
http://www.csoonline.com/article/3184117/security/lastpass-fixes-serious-password-leak-vulnerabilities.html
Google Takes Measures to Restrict the Validity of Symantec-Issued Certificates
In continuing fallout from a controversy that began in the fall of 2015, Google is taking action in its popular Chrome browser to limit the trust provided to certificates issued by Symantec's commercial certificate authorities, principally purchased from Verisign in 2010. Google's action will immediately results in Symantec-issued certificates will no longer be recognized as extended-validation certificates, even if they were originally issued as such (extended validation certificates are intended to denote a higher degree of trustworthiness.) The "maximum age" of Symantec-issued certificates will also be limited to end at the end of 2019, regardless of the expiration date on the certificates themselves. These actions are promising in that at least one browser maker is truly holding a major certificate authority responsible for failing to properly secure the certificate-issuance process; without that type of accountability, the usefulness of the entire certificate authority system is quite little.

Android Security Getting Better, but Still Generally Awful

Google issued their annual report on Android security, and it is very much a mixed bag. The good news is that security updates are being issued and installed in a much more timely fashion than in the past. The bad news is that that news applies only to about half of deployed devices. Ultimately, if you want to run Android, and do so securely, your best bet is a Google-branded device (currently their Pixel phones). Google has a commitment to release security updates for these devices as soon as they are available. Samsung is the next best bet, as they have redoubled their efforts to issue timely updates, and are generally updating within a month. Google's report also says that malware is making its way into the official store less frequently than in the past, so in either case ensuring that applications are installed only from the official Google Play store is essential. A few bad apps continue to slip in there, but the vast majority of Android exploits and malware have come through other installation routes.

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Critical Vulnerability Discovered in IIS 6.0 Web Services

Image
IIS 6, the version that runs on Windows 2003 Server, was revealed this week to have a serious vulnerability that could allow an attacker to run malicious code on the server. The vulnerability has apparently been known to some malicious groups for some time, as attacks exploiting this vulnerability have been observed as far back as summer of 2016. But last week a proof-of-concept exploit for the vulnerability was posted to GitHub, bringing public attention to the problems and providing potential attackers with a head start on developing their own exploit code.  That is likely to take this from a secretive exploit used by a few actors to one that will be widely used by many attackers, meaning anyone running a vulnerable server is a likely victim. Vulnerability announcements are common, but this one is especially problematic for several reasons: IIS 6.0 is a part of the Windows 2003 Server operating system, which aged out of support from Microsoft almost two years ago. There are an
Read more