Articles
A recently discovered Linux rootkit dubbed “VENOM” was announced by researchers at CERN earlier this week, and is believed to have been used by malicious actors as early as October 2016.
VENOM allows attackers to maintain unauthorized access to compromised Linux servers by implementing backdoor communication and remote code execution functionality.
You can read more information about the VENOM rootkit on CERN's Security Advisory.
On October 20th, security researchers identified a Linux privilege escalation vulnerability being exploited in the wild. This vulnerability, dubbed DirtyCow, has existed since kernel version 2.6.22 (released in 2007). Proof-of-concept exploit code is already available. In essence, to exploit the vulnerability an attacker needs to be able to write a file to the filesystem and execute it; this also applies in cases where a web server allows the attacker to upload and execute a file on the system.
On February 1, 2017, WordPress disclosed a critical zero-day vulnerability in the WordPress REST API which allows unauthenticated attackers to perform remote privilege escalation and content injection against versions 4.7 and 4.71 of the popular content management system.
A fix for the vulnerability is available in version 4.7.2 of WordPress, and administrators who have not patched their WordPress instances yet are advised to do so as soon as practical.
WordPress 4.7.3 is now available. It is strongly recommended that you update your sites to the most current version.
A remote attacker could exploit some of these vulnerabilities to take control of an affected website. WordPress versions 4.7.2 and earlier are affected by these six critical security issues listed below:
Earlier this week, Apple released updates for multiple products including iOS, Safari, tvOS, watchOS, and macOS. These updates fix vulnerabilities in Apple software that allow for denial-of-service, remote code execution, memory disclosure, and more.
Detailed information about these updates is available on Apple’s security updates page.
A critical access bypass vulnerability has been identified in version 8 of Drupal. Although neither the exploit code nor documentation for this vulnerability has yet been posted to public forums, based on Drupal's security advisory, the vulnerability is very easy to exploit and should be patched ASAP. Once exploited, this vulnerability could be used to access or modify any information on the site.
The following criteria must be met for the site to be vulnerable:
· The site has the RESTful Web Services (rest) module enabled.
On April 25, 2017, Joomla released version 3.7, which patches multiple XSS, information disclosure and ACL violation vulnerabilities. This update is highly recommended as it also updates the core Joomla PHPMailer library, which had a remote code execution vulnerability. Because certain Joomla extensions ship their own copy of PHPMailer, we recommend that all Joomla administrators determine the PHPMailer versions used by their extensions and update or disable them if vulnerable.
A new version of ransomware dubbed Petya has been infecting computers globally and is causing numerous organizations to stop operations. Petya uses the same SMB EternalBlue exploit used by WannaCry; however, it adds further infection techniques such as document phishing attacks and is much more disruptive. In addition to encrypting files, it encrypts the Master File Table (MFT), the structure used by the operating system to locate files and directories, and overwrites the Master Boot Record (MBR) with a custom-built one.
This week, Microsoft released a security bulletin which details important security updates for multiple versions of Windows. These updates address critical vulnerabilities in Adobe Flash Player libraries used by multiple versions of Internet Explorer and Microsoft Edge.
More information about these updates is available on Microsoft's Security Bulletin MS17-005 webpage.
Adobe has released numerous security updates to address vulnerabilities in Adobe Campaign, Flash Player, Acrobat and Reader, Photoshop CC, and Creative Cloud. Exploitation of these vulnerabilities may allow a remote attacker to take control of an affected system. If you have not already done so, please update or patch your software ASAP.
On May 8, 2017, Microsoft released an emergency patch for the Microsoft Malware Protection Engine, which is part of Windows Defender. The vulnerability allows a remote attacker to obtain SYSTEM-level privileges if a specially crafted file is scanned. Malware Protection Engine versions 1.1.10701.0 or later are not affected by this vulnerability. For more information, visit Microsoft.
Developers of the Mozilla Firefox and Tor browsers have released a patch for a zero-day exploit that allows attackers to execute arbitrary code on victim workstations by tricking users into visiting specially crafted webpages containing malicious JavaScript and SVG code. In particular, the exploit has been actively used against Windows workstations to de-anonymize users of the Tor browser by executing code that collects identifying information from victim computers. The vulnerability can also potentially be exploited against other operating systems that use outdated versions of the Firefo
For December's Patch Tuesday, both Microsoft and Adobe patched numerous critical vulnerabilities. Adobe patched 31 vulnerabilities across 9 different product lines, including a Flash zero-day that could lead to code execution and has been exploited in the wild. Microsoft patched a half-dozen critical browser vulnerabilities, most of which are remote code execution vulnerabilities.
Microsoft released its January 2017 Security Bulletin earlier this week. The bulletin contains important information about security updates that should be applied to Windows devices as soon as possible, including updates for vulnerabilities in Microsoft Office, Edge, Adobe Flash Player, and more.
More information about these updates can be found on Microsoft's January 2017 Security Bulletin webpage.
Earlier this week, Cloudflare reported a recent bug involving their cloud edge servers.
The bug allowed Cloudflare's servers to leak private contents in memory, including authentication tokens, cookies, and the contents of HTTP POST requests.
Cloudflare estimates that at the period of highest impact, about 0.00003% of HTTP requests through the managed cloud service could have resulted in memory leakage.
A critical vulnerability in the Apache Struts 2 software has been disclosed. The bug allows for remote code execution on vulnerable servers and is trivial to exploit.
Apache recommends that all users of Struts versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10 upgrade immediately to Struts 2.3.32 or Struts 2.5.10.1.
Apache has provided more information about this vulnerability on the published advisory, Apache Security Bulletin S2-045.
On May 17, 2017, WordPress and Joomla released security patches for vulnerabilities affecting their core components. The WordPress update includes patches for XSS, CSRF and validation check vulnerabilities. The Joomla update patches an SQL injection vulnerability caused by inadequate filtering of request data. Due to the nature of these vulnerabilities, the IT Security Office recommends patching them ASAP.
For more information visit:
Reports are coming in from Europe that a new form of ransomware called WannaCry/WanaCrypto 2.0 is using the previously patched MS17-010 vulnerability. This vulnerability was part of a 0-day exploit dump released a few weeks ago by a group calling themselves “The Shadow Brokers.” This vulnerability affects SMBv1, SMBv2 and SMBv3 in Windows versions XP, 2003, 7, 2008 and 2008 R2. Currently the malware is spreading by acting as a worm (a computer worm is a standalone malware program that replicates itself in order to spread to other computers.