vulnerabilities


#cybersecurity | hacker | Microsoft Patch Tuesday finds 115 vulnerabilities patched, 26 critical

Source: National Cyber Security – Produced By Gregory Evans

Microsoft’s March 2020 Patch Tuesday release saw the company roll out patches for 115 vulnerabilities, 26 of them rated critical. In a rare event, Adobe took the month off and published no updates.

This is the second month in a row that Microsoft has had a busy Patch Tuesday. In February the company patched 99 vulnerabilities, including one zero-day. One analyst, Recorded Future’s Allan Liska, piggy-backed on today’s roll-out to note that a vulnerability included in February’s release, CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange Server), is being actively exploited in the wild, and that even though a large number of new updates have been issued, admins should prioritize this older CVE if they have not taken care of it already.

The issues fixed by Microsoft this month include 58 elevation of privilege flaws, with Satnam Narang, principal research engineer at Tenable, listing CVE-2020-0788, CVE-2020-0877 and CVE-2020-0887 as the most severe. Microsoft agrees, rating all three as more likely to be exploited.

“These are elevation of privilege flaws in Win32k due to improper handling of objects in memory. Elevation of privilege vulnerabilities are leveraged by attackers post-compromise, once they’ve managed to gain access to a system, in order to execute code on their target systems with elevated privileges,” he said.

Jay Goodman, Automox’s strategic product marketing manager, cherry-picked CVE-2020-0833, CVE-2020-0824 and CVE-2020-0847 for added attention. The first two are remote code execution vulnerabilities that corrupt memory and give an attacker code execution with the privileges of the current user.

“CVE-2020-0847 is also a remote code execution vulnerability, this time in VBScript. VBScript is a scripting language used by Microsoft. It allows system admins to run powerful scripts and tools for managing endpoints and will give the user complete control over many aspects of the device,” he said.

CVE-2020-0847 is also a memory corruption issue, with threat actors generally relying on phishing or browser-based attacks to deliver it.

In addition to last month’s issue, Recorded Future’s Liska highlighted CVE-2020-0850, CVE-2020-0851, CVE-2020-0852 and CVE-2020-0855. All are remote code execution vulnerabilities in Microsoft Word that take advantage of how the software handles objects in memory. A malicious actor would have to send a malicious document and then convince the victim to open it to initiate an attack. CVE-2020-0852 is more dangerous still, because it can be triggered through the Outlook Preview Pane without the victim opening the document.

“As Recorded Future has previously noted, Microsoft Office is among the most popular attack vectors for cybercriminals. We expect one or more of these vulnerabilities will be weaponized sooner rather than later,” he said.

Animesh Jain, from Qualys’ vulnerability management research team, pointed out that even some issues Microsoft considers less likely to be exploited should still get admin attention. CVE-2020-0905, a remote code execution vulnerability affecting the Dynamics Business Central client, falls into this category, but Jain said the fact that it is likely to reside on a critical server makes it important to patch.
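
Taken together, the advice above is a prioritisation rule: anything exploited in the wild first, even if the fix is a month old; then what Microsoft rates as more likely to be exploited; then remote code execution, especially where no click is needed. As an added example (not code from the article, from Microsoft or from any of the vendors quoted), the Python below encodes that rule, applies it to the CVEs discussed here and produces a per-host worklist from an inventory. The Fix records carry only what the article states about each CVE; the ratings of CVEs the article does not rate are left as None, and the host names, product families and KB-* update-bundle names are constructed for illustration.

```python
"""Patch Tuesday triage: rank this month's fixes and build per-host worklists."""
from dataclasses import dataclass
from typing import Optional

MORE, LESS = "more_likely", "less_likely"   # Microsoft Exploitability Index ratings


@dataclass(frozen=True)
class Fix:
    cve: str
    product: str            # product family the update applies to
    impact: str             # "rce" (remote code execution) or "eop" (elevation of privilege)
    exploited: bool         # exploitation observed in the wild
    rating: Optional[str]   # MORE, LESS, or None where the article gives no rating
    interaction: str        # "none", "preview" (Outlook Preview Pane), "browse", "open" (user opens a file)
    kb: str                 # constructed name of the update bundle that ships the fix


# Constructed from the article's statements; KB-* names and interaction values are illustrative.
FIXES = [
    Fix("CVE-2020-0688", "Exchange Server", "rce", True, MORE, "none", "KB-EXCH-2002"),  # February, exploited
    Fix("CVE-2020-0788", "Windows", "eop", False, MORE, "none", "KB-WIN-2003"),          # Win32k
    Fix("CVE-2020-0877", "Windows", "eop", False, MORE, "none", "KB-WIN-2003"),          # Win32k
    Fix("CVE-2020-0887", "Windows", "eop", False, MORE, "none", "KB-WIN-2003"),          # Win32k
    Fix("CVE-2020-0824", "Windows", "rce", False, None, "browse", "KB-WIN-2003"),        # memory corruption
    Fix("CVE-2020-0833", "Windows", "rce", False, None, "browse", "KB-WIN-2003"),        # memory corruption
    Fix("CVE-2020-0847", "Windows", "rce", False, None, "browse", "KB-WIN-2003"),        # VBScript
    Fix("CVE-2020-0850", "Office", "rce", False, None, "open", "KB-WORD-2003"),          # Word
    Fix("CVE-2020-0851", "Office", "rce", False, None, "open", "KB-WORD-2003"),          # Word
    Fix("CVE-2020-0852", "Office", "rce", False, None, "preview", "KB-WORD-2003"),       # Word, Preview Pane
    Fix("CVE-2020-0855", "Office", "rce", False, None, "open", "KB-WORD-2003"),          # Word
    Fix("CVE-2020-0905", "Dynamics Business Central", "rce", False, LESS, "open", "KB-DYN-2003"),
]

# Constructed inventory: product families each host runs and the bundles already applied.
HOSTS = {
    "exch01":        {"products": {"Windows", "Exchange Server"}, "applied": set()},
    "ws-finance-07": {"products": {"Windows", "Office"}, "applied": {"KB-WIN-2003"}},
    "erp-app-02":    {"products": {"Windows", "Dynamics Business Central"},
                      "applied": {"KB-WIN-2003", "KB-DYN-2003"}},
}

RATING_ORDER = {MORE: 0, None: 1, LESS: 2}


def priority(fix: Fix) -> tuple:
    """Sort key, lower patches first. Encodes the advice in the article: anything already
    exploited in the wild first (even from an earlier month), then Microsoft's "more likely"
    rating, then reach: remote code execution before local privilege escalation, and a flaw
    that fires with no click or from a preview before one that needs the user to open a file."""
    no_click = fix.interaction in ("none", "preview")
    return (0 if fix.exploited else 1, RATING_ORDER[fix.rating],
            0 if fix.impact == "rce" else 1, 0 if no_click else 1, fix.cve)


def rank(fixes):
    """All fixes, in patch order."""
    return [f.cve for f in sorted(fixes, key=priority)]


def worklist(hosts, fixes):
    """Per host, the CVEs still open (product present, bundle not applied), in patch order."""
    return {name: [f.cve for f in sorted(fixes, key=priority)
                   if f.product in h["products"] and f.kb not in h["applied"]]
            for name, h in hosts.items()}


if __name__ == "__main__":
    print("global order:", ", ".join(rank(FIXES)))
    for host, cves in worklist(HOSTS, FIXES).items():
        print(f"{host}: {', '.join(cves) or 'nothing open'}")
```

The ordering is a policy choice and is the part worth arguing about locally: a shop that exposes Outlook to untrusted mail may reasonably move the no-click Preview Pane case above the Win32k privilege escalations, which is a one-line change in the tuple returned by priority.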

Original Source link

The post #cybersecurity | hacker | Microsoft Patch Tuesday finds 115 vulnerabilities patched, 26 critical appeared first on National Cyber Security.

View full post on National Cyber Security

#nationalcybersecuritymonth | New Windows Vulnerabilities Highlight Patch Management Challenges –


Microsoft’s monthly “Patch Tuesday” is an important part of the cyber hygiene routine for anyone in IT (including home users). This month’s update proved to be a particularly critical one.

Early in January, the National Security Agency (NSA) alerted Microsoft to a major flaw in the certificate validation code of Windows 10 and Windows Server 2016/2019 (CryptoAPI, crypt32.dll) that could let attackers pose as legitimate software companies, service providers, websites, or others. “It’s the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment,” Ashkan Soltani, a security expert and former chief technologist for the Federal Trade Commission, told CNN.

Fortunately, Microsoft acted quickly and shipped a fix for the flaw, tracked as CVE-2020-0601, in its January 14 update.

Despite this quick action, businesses and government have a habit of missing, ignoring, or delaying important patches and updates. They do so at their peril. Industry surveys attributed a majority of the breaches reported in 2019 to unapplied patches. However, the reasons for this oversight are complicated and often unintentional.

Patch management — IT’s nightmare

Getting a handle on patch management is an unending challenge for IT and security teams. Last year, 12,174 common vulnerabilities and exposures (CVEs) were reported — making patching an almost impossible task for any organisation. In fact, it takes the average organisation 38 days to patch a vulnerability. Even then, 25% of software vulnerabilities remain unpatched for more than a year.

One of the biggest obstacles to frequent patching is that security teams struggle to identify everything that needs to be fixed. Understaffed and struggling with alert fatigue, it can be hard to identify the systems that are yet to be updated, prioritise remediation, and apply patches quickly.

To add to their workload, IT and cybersecurity teams must also make certain that the appropriate security policies are in place to ensure that users regularly update their PCs and devices, and don’t delay the inevitable “Windows Update”. Risk also extends beyond the four walls of the business.

Third- and fourth-party cyber risk is a big threat to businesses. 59% of breaches have their origins in vulnerable and unpatched third-party systems. The trouble is that vendor risk assessment questionnaires only offer a point-in-time view into the security posture, including unpatched software of suppliers, partners, and sub-contractors. This leaves IT in the dark.

Windows 7 — a new risk

Microsoft has been focused on closing gaps in Windows 10. That left Windows 7 users walking into a new cybersecurity landmine on January 14, 2020, the day Microsoft ended support for the decade-old OS; it will no longer issue security patches or updates to the general public.

This is particularly problematic, since almost 70% of organisations are still using Windows 7 in some capacity. It leaves them susceptible to a security issue, attack, or breach, unless they purchase Extended Security Updates from Microsoft or upgrade to Windows 10.

Fixing the patch management challenge

Maintaining a frequent patching cadence is critical to mitigating cyber risk, but it doesn’t have to be a nightmare.

With the BitSight Security Ratings platform, your organisation can shine a spotlight on vulnerable, unpatched systems and out-of-date operating systems. It provides insight for both internal systems and across nth parties (partners, vendors, customers, etc.). Using these insights, IT teams can prioritise which patches are most critical and take steps to measurably reduce risk. In addition, security ratings make it easier to share actionable security information with other business functions.

This information allows teams to collaborate with each other on pressing security issues. It also helps reduce risk across your business ecosystem. Furthermore, because patching cadence is indicative of the likelihood of a breach, it has stepped into the spotlight as something the Board and C-suite is interested in. Security ratings mean this conversation becomes much easier. Information about vulnerabilities is provided in a straightforward and non-technical way that is easy for everyone to understand.

Organisations can also share security ratings with partners. This allows third parties to identify and rectify issues and blind spots in their systems and software — continuously and in real-time, without waiting on lengthy audits or assessments.

Time is of the essence

As the recent Windows 10 critical update shows, organisations must do everything they can to stay on top of their patching cadence and that of their vendors.

But there’s no need for organisations to be paralysed by the sheer volume of ongoing patches. Learn more about how BitSight can help.


BitSight (https://www.bitsighttech.com/) transforms how companies manage third- and fourth-party risk, underwrite cyber insurance policies, benchmark security performance, and assess aggregate risk with objective, verifiable and actionable Security Ratings.


#cybersecurity | hacker | Samba issues patches for three vulnerabilities


Samba released security updates patching three issues: CVE-2019-14902, CVE-2019-14907 and CVE-2019-19344.

The medium-rated CVE-2019-14902 fixes a problem where a newly delegated right, and more importantly the removal of a previously delegated right, would not be inherited on any domain controller other than the one where the change was made. This means that if a user had been delegated the right to make alterations to a subtree, such as resetting passwords, and that right was then rescinded, the revocation would not automatically take effect on all domain controllers.

The patch fixes this issue, but Samba noted, “it is vital that a full-sync be done TO each Domain Controller to ensure each ACL (ntSecurityDescriptor) is re-calculated on the whole set of DCs.”
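
Whether that recalculation actually happened is something an administrator can verify rather than assume. The following is an added example, not Samba’s own code or anything from the advisory: it takes an SDDL rendering of one subtree’s ntSecurityDescriptor from every DC, diffs each DC’s ACEs against the DC where the delegation was changed, and prints the full-sync commands for the DCs that disagree. The DC names, DN, SIDs and ACEs are constructed; obtaining the SDDL per DC with “samba-tool dsacl get --objectdn=...” and the “samba-tool drs replicate --full-sync DEST SOURCE NC” form are assumptions about the tool’s syntax, so check them against your Samba version’s help output.

```python
"""Does a revoked delegation look revoked on every DC? (added example, not Samba's own code)"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
SDDL_RE = re.compile(r"^O:(?P<owner>[^:]*?)G:(?P<group>[^:]*?)D:(?P<dacl>[^:]*?)(?:S:(?P<sacl>.*))?$")


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into owner, group, DACL control flags and the sets of ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError(f"not an SDDL string: {sddl[:40]!r}")
    d = m.groupdict()
    return {
        "owner": d["owner"],
        "group": d["group"],
        "dacl_flags": d["dacl"].split("(", 1)[0],   # e.g. "AI" (inherited) or "PAI" (protected)
        "dacl": frozenset(ACE_RE.findall(d["dacl"])),
        "sacl": frozenset(ACE_RE.findall(d["sacl"] or "")),
    }


def drift(snapshots: dict, reference: str) -> dict:
    """Compare every DC's descriptor with the DC where the change was made.

    Returns {dc: {"extra": ACEs only that DC has, "missing": ACEs it lacks, "other": fields
    that differ}} for the DCs that disagree. An ACE under "extra" is a right the reference
    revoked but the DC still grants, which is exactly the CVE-2019-14902 failure mode."""
    ref = parse_sddl(snapshots[reference])
    report = {}
    for dc, sddl in snapshots.items():
        if dc == reference:
            continue
        cur = parse_sddl(sddl)
        extra, missing = cur["dacl"] - ref["dacl"], ref["dacl"] - cur["dacl"]
        other = [k for k in ("owner", "group", "dacl_flags", "sacl") if cur[k] != ref[k]]
        if extra or missing or other:
            report[dc] = {"extra": extra, "missing": missing, "other": other}
    return report


def full_sync_commands(report: dict, source: str, naming_context: str) -> list:
    """One full sync per drifted DC, pulled from the reference DC. The samba-tool syntax is an
    assumption based on its documented 'drs replicate DEST SOURCE NC' form and --full-sync flag."""
    return [f"samba-tool drs replicate --full-sync {dc} {source} {naming_context}"
            for dc in sorted(report)]


# Constructed scenario: the helpdesk was delegated the right to reset passwords under OU=Staff
# on dc1, the delegation was later removed on dc1, and dc2 never recalculated its copy.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # well-known User-Force-Change-Password GUID
HELPDESK = "S-1-5-21-1111-2222-3333-1105"                  # invented SID
BASE = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
DELEGATED_ACE = f"(OA;CI;CR;{RESET_PASSWORD};;{HELPDESK})"

SNAPSHOTS = {   # what each DC reports for OU=Staff,DC=example,DC=com (invented DC names and DN)
    "dc1": BASE,
    "dc2": BASE + DELEGATED_ACE,
    "dc3": BASE,
}


if __name__ == "__main__":
    report = drift(SNAPSHOTS, reference="dc1")
    for dc, diff in report.items():
        print(f"{dc}: extra={sorted(diff['extra'])} missing={sorted(diff['missing'])} other={diff['other']}")
    for cmd in full_sync_commands(report, "dc1", "DC=example,DC=com"):
        print(cmd)
```

The line to look for in the output is any ACE listed under “extra”: that is a right the reference DC no longer grants but this DC still does, which is what remains on DCs that were never fully synchronised after the fix.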

CVE-2019-14907, also rated medium, can cause a crash after a failed character conversion at log level 3 or higher, affecting Samba 4.0 and later. In the Samba Active Directory Domain Controller this may cause a long-lived process to terminate. Because the faulty path is only reached at log level 3 or above, keeping the log level below that is an interim mitigation until the update is applied.

The final issue, CVE-2019-19344, is a use-after-free during DNS zone scavenging in the Samba Active Directory Domain Controller, affecting versions 4.9 and later. Samba 4.9 introduced an off-by-default feature to tombstone dynamically created DNS records that had passed their expiration point. There is a use-after-free in this code which, under the right conditions, writes already-freed memory into the database. Installations that never turned the feature on (the “dns zone scavenging” smb.conf option) do not exercise this code path.

Patches for all three issues have been posted.


Adobe Releases Patches for ‘Likely Exploitable’ Critical Vulnerabilities


The last Patch Tuesday of 2019 is finally here.

Adobe today released updates for four of its widely used products—Adobe Acrobat and Reader, Photoshop CC, ColdFusion, and Brackets—to patch a total of 25 new security vulnerabilities.

Seventeen of these flaws are rated critical in severity, and most carry a high-priority rating, meaning Adobe considers them more likely to be used in real-world attacks, although there are currently no known exploits in the wild.

The software update for Adobe Acrobat and Reader for Windows and macOS addresses a total of 21 security vulnerabilities, 14 of which are critical and the rest important in severity.

Upon successful exploitation, all critical vulnerabilities in Adobe Acrobat and Reader software lead to arbitrary code execution attacks, allowing attackers to take complete control of targeted systems.

Adobe Photoshop CC for Windows and macOS contains patches for two critical arbitrary code execution vulnerabilities that were discovered and reported to the company by Honggang Ren of Fortinet’s FortiGuard Labs.

The last two flaws the company patched this month affect Brackets, a source code editor, and ColdFusion, a commercial rapid web application development platform by Adobe.


The software update for Brackets addresses a critical code execution flaw, which was disclosed by Tavis Ormandy of Google Project Zero.

Adobe ColdFusion update comes with a security patch for an important privilege escalation bug, which occurs due to insecure inherited permissions of the default installation directory.

The company has released updated versions for all four vulnerable software for each impacted platform that users should install immediately to protect their systems and businesses from cyber-attacks.

If your system hasn’t yet detected the availability of the new update automatically, you should manually install the update by choosing “Help → Check for Updates” in your Adobe software.


#cybersecurity | hacker | Mozilla patches 11 vulnerabilities in Firefox 71 and ESR 68.3

Mozilla issued patches for Firefox 71 and Firefox ESR 68.3 fixing 11 high- and moderate-rated vulnerabilities. The majority of the patches were shared between Firefox 71 and ESR 68.3, with Firefox 71 receiving an additional three fixes. The most severe […]

Ring Flaw Underscores Impact of IoT Vulnerabilities


A vulnerability in Amazon’s Ring doorbell cameras would have allowed a local attacker to gain access to a target’s entire wireless network.

A vulnerability in Amazon’s Ring Video Doorbell Pro IoT device could have allowed a nearby attacker to imitate a disconnected device and then sniff the credentials of the wireless networks when the owner reconfigured the device, according to a report issued by security firm Bitdefender.

The issue, which was fixed by Amazon in September, underscores the impact of a single insecure Internet-of-Things device on the organization in which it is deployed. While the vulnerability may only occur in a single network device, the result of the flaw could be leaked information — the wireless network password, for example — which would have far more serious repercussions.

“IoT is a security disaster, any way you look at it,” says Alexandru Balan, Bitdefender’s chief security researcher. “Security is not the strong suit of IoT vendors — only rarely, do we see vendors who take security seriously.”

The discovery of a serious vulnerability in a popular IoT product comes as businesses and consumers increasingly worry about the impact that such devices may have on their own security. Only about half of security teams have a response plan in place to deal with attacks on connected devices, according to a recent report from Neustar. Even critical-infrastructure firms, such as utilities that have to deal with connected operational technology, a widespread class of Internet-of-Things devices, are ill-prepared to deal with vulnerabilities and attacks, the report says.

Vulnerabilities in IoT devices can have serious repercussions. In July, a team of researchers found widespread flaws (the URGENT/11 vulnerabilities in the VxWorks TCP/IP stack) in networking software deployed in as many as 200 million embedded devices, and found millions more that could be affected by variants of the issue in other real-time operating systems.

The issue with Amazon Ring is not as serious, but it is a reminder that vulnerabilities can still be easily found in such devices by attackers who are paying attention, Balan says. “We tend to look at the popular devices, and those tend to have better security than the less popular devices.”

The rest of the Ring device’s communications are encrypted and secure, according to Bitdefender. The mobile application only communicates with the device through the cloud, even if the app and device are already on the same network, the company’s analysis stated. Cloud communications are conducted over encrypted connections to API services using Transport Layer Security (TLS) and certificate pinning.

The device’s initial connection with the local network is the only time that it sends data without encryption, Balan says. “This is a proximity-based attack, so it’s not that big of a threat on a global scale. You need to be within a hundred meters or so to issue the deauthentication packets and force the user to reset the password.”
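
The deauthentication burst Balan describes is the part of the attack a defender can see. As an added example, not from Bitdefender’s report or from Ring, the Python below parses raw 802.11 management frames and raises an alert when one sender directs a flood of deauthentication or disassociation frames at one client within a short window, which is what forcing the doorbell off the network looks like over the air. The MAC addresses, timestamps and frames are constructed; in practice the frames would come from a monitor-mode capture on a nearby sensor.

```python
"""Deauthentication-flood detector over raw 802.11 management frames (added example)."""
import struct
from collections import defaultdict, deque

# First byte of the frame-control field: subtype in the high nibble, type in bits 2-3.
DEAUTH, DISASSOC, BEACON, DATA = 0xC0, 0xA0, 0x80, 0x08
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes):
    """Parse the 24-byte header of a management frame (addr1 = DA, addr2 = SA, addr3 = BSSID).

    Returns None for truncated input and for control/data frames (whose address fields
    change meaning with the To-DS/From-DS bits and are not needed here)."""
    if len(raw) < 24:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    if ftype != 0:
        return None
    frame = {"subtype": subtype, "da": _mac(raw[4:10]), "sa": _mac(raw[10:16]),
             "bssid": _mac(raw[16:22]), "seq": struct.unpack_from("<H", raw, 22)[0] >> 4}
    if subtype in (10, 12) and len(raw) >= 26:        # disassoc / deauth carry a 2-byte reason code
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def detect_deauth_floods(events, threshold=5, window=10.0):
    """events: iterable of (timestamp_seconds, raw_frame).

    Returns one alert per (sender, target) pair that received `threshold` or more
    deauth/disassoc frames inside any `window`-second span. A spoofing attacker sets
    the sender to the AP's BSSID, so an alert keyed on the legitimate AP is expected."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in sorted(events, key=lambda e: e[0]):
        f = parse_frame(raw)
        if f is None or f["subtype"] not in (10, 12):
            continue
        key = (f["sa"], f["da"])
        q = recent[key]
        q.append(ts)
        while q[0] < ts - window:                      # slide the window; q is never empty here
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(key, {"sender": f["sa"], "target": f["da"], "bssid": f["bssid"],
                                            "reason": f.get("reason"), "first_seen": q[0], "count": 0})
            alert["count"] = max(alert["count"], len(q))
            alert["last_seen"] = ts
    return list(alerts.values())


def build_frame(fc0, da, sa, bssid, seq, body=b""):
    """Constructed-capture helper: assemble a management frame (duration 0, no FCS)."""
    mac = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return bytes([fc0, 0x00, 0x00, 0x00]) + mac(da) + mac(sa) + mac(bssid) + struct.pack("<H", seq << 4) + body


AP, DOORBELL, PHONE = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:10", "de:ad:be:ef:00:20"   # invented


def sample_capture():
    """Constructed capture: normal traffic, then 12 spoofed deauths (AP -> doorbell) within 2 s."""
    events = [
        (0.0, build_frame(BEACON, BROADCAST, AP, AP, 1, b"\x00" * 12)),
        (0.5, build_frame(DATA, AP, PHONE, AP, 2)),                          # ignored: data frame
        (1.0, build_frame(DEAUTH, PHONE, AP, AP, 3, struct.pack("<H", 3))),  # one deauth: benign
    ]
    events += [(10.0 + i * 0.15, build_frame(DEAUTH, DOORBELL, AP, AP, 100 + i, struct.pack("<H", 7)))
               for i in range(12)]
    return events


if __name__ == "__main__":
    for a in detect_deauth_floods(sample_capture()):
        print(f"deauth flood: {a['sender']} -> {a['target']} x{a['count']} "
              f"reason={a['reason']} between t={a['first_seen']:.2f} and t={a['last_seen']:.2f}")
```

Because the attacker spoofs the access point’s address, the alert names the legitimate AP as the sender; the signal is the rate, not the address. A single deauthentication with reason code 3 (station leaving) is normal housekeeping; a dozen with reason code 7 inside two seconds is not.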

The existence of the vulnerability is not an indicator of the commitment of Ring’s security team, Balan adds, noting that within a few days Amazon responded and two months later closed out the report. By September, the company had issued a patch, within three months of the initial communication, according to Bitdefender’s disclosure timeline. As of November, all affected devices had been patched, which Balan says is a better outcome than the majority of disclosures that Bitdefender works on with other IoT vendors.

“Amazon is one of the few that take security seriously,” he says. “Inherently everything has some flaw that will be discovered. The only challenge with IoT is whether you take that disclosure seriously.”

The trend that more vulnerabilities are being discovered in popular products is a sign that the manufacturers are paying attention and responding to researchers, Balan observes. “If someone does not have vulnerabilities disclosed in their product, then that is likely the most risky product, from a security perspective. If the vulnerabilities were discovered, then props to them — that’s a good thing.”


How to #Minimize #Cybersecurity #Vulnerabilities

Source: National Cyber Security News

When it comes to cybersecurity, your chief objective should be to manage things proactively and on your terms, as opposed to constantly playing catch-up and responding to vulnerabilities only after they’ve been exploited.

Unfortunately, too many organizations, including the U.S. federal government, still operate in a reactive mode because they generally lack two things: 1) accurate visibility into their own IT infrastructure and the potential cyber vulnerabilities lurking there; and 2) up-to-date, accurate information to help them prioritize and manage their vulnerabilities from a risk-management perspective.

After a decade of experience consulting with U.S. federal agencies, I’ve found it all too common for organizations to have little to no insight into the End-of-Support/End-of-Life (EOS/EOL) dates for their software and hardware assets. Many also don’t know the Common Vulnerability Scoring System (CVSS) values of their hardware and software assets.

This is understandable. Today, some 31 million naming conventions exist for 2 million hardware and software products, including, for example, 16,000 ways in which inventory tools refer to SQL Server. This lack of uniformity in how specific products are named results in a confusing hodgepodge of data that undermines most efforts at obtaining a comprehensive view of a network’s IT asset inventory and risk profile.
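
The practical remedy for that hodgepodge is to normalise every inventory string to one canonical key before joining it to lifecycle or vulnerability data. As an added example, not from the article, the Python below maps a handful of differently spelled SQL Server and Windows 7 entries to one (vendor, product, version) key and joins them to an end-of-support table, flagging hosts whose software is past end of support. The alias tables, host names, inventory strings, CVSS scores, reporting date and end-of-support dates are constructed (the Windows 7 date is the one stated on this page); a production alias table is far larger and usually maps to CPE names.

```python
"""Normalise inventory product names into one key and join them to lifecycle data."""
import re
from datetime import date

NOISE = {"x64", "x86", "64-bit", "32-bit", "64bit", "32bit", "enterprise", "professional", "pro",
         "ultimate", "standard", "edition", "corporation", "corp", "inc"}
VENDOR_ALIASES = {"microsoft": {"microsoft", "ms", "msft"}}
PRODUCT_ALIASES = {"sql server": {"sql server", "sqlserver", "sql-server", "mssql"},
                   "windows": {"windows", "win"}}
PRODUCT_VENDOR = {"sql server": "microsoft", "windows": "microsoft"}   # when the vendor is omitted


def _find_alias(text, table):
    """Longest alias match wins; returns (canonical name or None, text with the alias removed)."""
    candidates = sorted(((alias, canon) for canon, aliases in table.items() for alias in aliases),
                        key=lambda ac: len(ac[0]), reverse=True)
    for alias, canon in candidates:
        pattern = rf"\b{re.escape(alias)}\b"
        if re.search(pattern, text):
            return canon, re.sub(pattern, " ", text)
    return None, text


def normalize(raw: str) -> tuple:
    """Map a free-text product string to (vendor, product, version)."""
    text = re.sub(r"\([^)]*\)", " ", raw.lower())          # drop "(64-bit)"-style suffixes
    text = re.sub(r"[^a-z0-9.\s-]", " ", text)             # keep letters, digits, dots, hyphens
    text = " ".join(t for t in text.split() if t not in NOISE)
    product, text = _find_alias(text, PRODUCT_ALIASES)
    vendor, text = _find_alias(text, VENDOR_ALIASES)
    vendor = vendor or PRODUCT_VENDOR.get(product, "unknown")
    m = re.search(r"\b(\d{4}|\d+(?:\.\d+)+|\d+)\b", text)    # 2014, 10.0.14393, 7 ...
    return (vendor, product or "unknown", m.group(1) if m else "unknown")


LIFECYCLE = {   # constructed: key -> (end of support, worst CVSS base score known for the product)
    ("microsoft", "windows", "7"): (date(2020, 1, 14), 9.8),
    ("microsoft", "sql server", "2014"): (date(2024, 7, 9), 8.8),
}

INVENTORY = [   # constructed rows, as three different inventory tools might export them
    ("db-01", "Microsoft SQL Server 2014 SP2 (64-bit)"),
    ("db-02", "MS SQLServer 2014 Enterprise x64"),
    ("db-03", "SQL-Server 2014"),
    ("kiosk-11", "Microsoft Windows 7 Professional"),
    ("kiosk-12", "Win 7 Ultimate (x86)"),
    ("hr-05", "Microsoft Office 2016"),                       # not in the alias table: stays visible
]

ASOF = date(2020, 3, 10)   # constructed reporting date


def lifecycle_report(inventory, lifecycle, today):
    """One row per host: canonical key, whether the product is past end of support, worst CVSS.
    Unmatched keys are kept (cvss None) so the gaps in the alias table are visible."""
    rows = []
    for host, raw in inventory:
        key = normalize(raw)
        eos, cvss = lifecycle.get(key, (None, None))
        rows.append({"host": host, "key": key, "past_eos": bool(eos and eos < today), "cvss": cvss})
    return sorted(rows, key=lambda r: (not r["past_eos"], -(r["cvss"] or 0.0), r["host"]))


if __name__ == "__main__":
    for row in lifecycle_report(INVENTORY, LIFECYCLE, ASOF):
        flag = "PAST END OF SUPPORT" if row["past_eos"] else ""
        print(f"{row['host']:10} {'/'.join(row['key']):30} cvss={row['cvss']} {flag}")
```

The unmatched “Microsoft Office 2016” row is deliberate: a normaliser that silently drops what it cannot classify hides exactly the assets the article says organisations lack visibility into, so unknowns are reported rather than discarded.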


CYBERSECURITY BILL TAKES AIM AT VULNERABILITIES IN MEDICAL DEVICES


On July 27, U.S. Senator Richard Blumenthal (D-CT) introduced the Medical Device Cybersecurity Act of 2017, a bill that CHIME supports. The legislation, S.1656, would make the cybersecurity capabilities of medical devices more transparent to providers, clarifies expectations concerning security enhancements and maintenance of medical devices and establishes a cybersecurity…


Vulnerabilities in infrastructure software concern cybersecurity experts


Vulnerabilities in the software that automates everything from factories to traffic lights have become the nation’s top cybersecurity threat, an agent on the FBI’s Denver Cyber Task Force said Thursday in Colorado Springs. Supervisory control and data acquisition (SCADA) software is used to control – sometimes remotely – many types of devices…


Connected car technology vulnerabilities tested in Cyber Security Challenge


Amateur hackers have tested how to penetrate a car rental company’s IT system through a third-party Internet-connected device installed in one of its vehicles. The scenario, enacted as part of the Cyber Security Challenge 2017, saw six groups of aspiring …
