Tag Archives: released

Update Samba Servers Immediately to Patch Password Reset and DoS Vulnerabilities

Samba maintainers have released new versions of their networking software to patch two critical vulnerabilities that could allow unprivileged remote attackers to launch DoS attacks against servers and to change other users’ passwords, including the administrator’s.

Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on the majority of operating systems available

Memcached DDoS Exploit Code and List of 17,000 Vulnerable Servers Released

Two separate proof-of-concept (PoC) exploit codes for the Memcached amplification attack have been released online, which could allow even script kiddies to launch massive DDoS attacks easily using UDP reflection.

The first DDoS tool is written in the C programming language and works with a pre-compiled list of vulnerable Memcached servers.

Bonus—its description already includes a list of nearly
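The reflection the excerpt describes rests on memcached’s UDP framing, which is worth seeing concretely. The following Python is an added example written for this page; it is not the released tools and not memcached’s own code. It builds the unauthenticated 15-byte “stats” probe that a reflector answers, models how the server splits a large reply into numbered datagrams under one request id, reassembles them on the receiving side, and computes the amplification factor. The “stats” reply body is constructed inline, not captured from a real server.

```python
import struct
from typing import Iterable, List, Tuple

MEMCACHED_UDP_PORT = 11211
# memcached UDP frame header: request id, sequence number, total datagrams, reserved (must be 0)
FRAME_HEADER = struct.Struct("!HHHH")


def build_frame(payload: bytes, request_id: int = 0, seq: int = 0, total: int = 1) -> bytes:
    """Prefix an ASCII-protocol payload with the 8-byte memcached UDP frame header."""
    return FRAME_HEADER.pack(request_id, seq, total, 0) + payload


def probe_request(request_id: int = 0) -> bytes:
    """The classic 15-byte reflection probe: frame header plus 'stats\\r\\n'.
    An exposed UDP listener answers it without any authentication."""
    return build_frame(b"stats\r\n", request_id)


def parse_frame(datagram: bytes) -> Tuple[int, int, int, bytes]:
    """Split a datagram into (request_id, seq, total, payload), rejecting malformed headers."""
    if len(datagram) < FRAME_HEADER.size:
        raise ValueError("datagram shorter than the UDP frame header")
    request_id, seq, total, reserved = FRAME_HEADER.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    if total == 0 or seq >= total:
        raise ValueError("sequence number outside the datagram count")
    return request_id, seq, total, datagram[FRAME_HEADER.size:]


def fragment(payload: bytes, request_id: int, max_payload: int = 1400) -> List[bytes]:
    """Server side: a reply larger than one datagram is split into numbered
    datagrams that all carry the same request id."""
    chunks = [payload[i:i + max_payload] for i in range(0, len(payload), max_payload)] or [b""]
    return [build_frame(chunk, request_id, seq, len(chunks)) for seq, chunk in enumerate(chunks)]


def reassemble(datagrams: Iterable[bytes]) -> bytes:
    """Client side: reorder datagrams by sequence number; UDP may deliver them out of order."""
    frames = [parse_frame(d) for d in datagrams]
    request_ids = {f[0] for f in frames}
    totals = {f[2] for f in frames}
    if len(request_ids) != 1 or len(totals) != 1:
        raise ValueError("datagrams belong to different replies")
    total = totals.pop()
    by_seq = {f[1]: f[3] for f in frames}
    if len(frames) != total or set(by_seq) != set(range(total)):
        raise ValueError("missing or duplicate datagrams")
    return b"".join(by_seq[i] for i in range(total))


def amplification_factor(request: bytes, reply_datagrams: Iterable[bytes]) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker sent."""
    return sum(len(d) for d in reply_datagrams) / len(request)


def sample_stats_reply() -> bytes:
    """Constructed stand-in for a 'stats' reply body; not a capture from a real server."""
    lines = [b"STAT slab_%d_hits %d" % (i, i * 977) for i in range(40)]
    return b"\r\n".join(lines + [b"END"]) + b"\r\n"


if __name__ == "__main__":
    request = probe_request(request_id=7)
    reply = fragment(sample_stats_reply(), request_id=7, max_payload=200)
    print(f"request: {len(request)} bytes, reply: {len(reply)} datagrams, "
          f"amplification x{amplification_factor(request, reply):.0f}")
```

Because the request id is the only thing tying reply datagrams to a request, and the source address is never verified, a 15-byte spoofed probe returns the whole stats dump to the victim. The fix on the server side is to stop listening on UDP at all (`memcached -U 0`) and to bind the service to a loopback or internal address (`-l 127.0.0.1`), in addition to filtering port 11211 at the network edge.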

WordPress Update Breaks Automatic Update Feature—Apply Manual Update


WordPress administrators are once again in trouble.

WordPress version 4.9.3 was released earlier this week with fixes for a total of 34 bugs, but unfortunately the new version broke the automatic update mechanism for millions of WordPress websites.

The WordPress team has now issued a new maintenance release, WordPress 4.9.4, to fix this severe bug, and WordPress admins have to install it manually.

According to security firm Wordfence, when WordPress checks whether the site needs to install an updated core version, a PHP fatal error interrupts the auto-update process.

Unless updated manually to the latest 4.9.4 version, a site would stay on WordPress 4.9.3 forever and never receive future automatic updates, including security fixes.

Here’s what WordPress lead developer Dion Hulse explained about the bug:

“#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human error, the final commit didn’t have the intended effect and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error was not discovered before 4.9.3’s release—it was a few hours after release when discovered.”

The issue has since been fixed, but as reported, the fix will not be installed automatically.

Thus, WordPress administrators are urged to update to the latest WordPress release manually to make sure they will keep receiving fixes for future vulnerabilities.

To manually update their WordPress installations, admin users can sign into their WordPress website and visit Dashboard→Updates and then click “Update Now.”

After the update, make sure that your core WordPress version is 4.9.4.
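For anyone responsible for more than one site, the check worth automating is whether each installation is still stuck on 4.9.3. The following Python is an added example written for this page, not part of WordPress or Wordfence: it reads the `$wp_version` line that core writes into `wp-includes/version.php`, compares versions numerically (so that a future 4.9.10 sorts after 4.9.4), and reports which document roots need a manual update. The `make_sample_docroot` helper builds a throwaway directory with just that one file so the script runs offline; point `audit` at real docroots in practice.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# The line WordPress core writes into wp-includes/version.php, e.g.  $wp_version = '4.9.4';
WP_VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.MULTILINE)
REQUIRED_VERSION = "4.9.4"


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.9.4' -> (4, 9, 4); trailing tags such as '-beta1' are ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def read_wp_version(docroot: Path) -> Optional[str]:
    """Return the core version declared in wp-includes/version.php, or None if absent."""
    version_file = Path(docroot) / "wp-includes" / "version.php"
    if not version_file.is_file():
        return None
    match = WP_VERSION_RE.search(version_file.read_text(encoding="utf-8", errors="replace"))
    return match.group(1) if match else None


def needs_manual_update(version: str, required: str = REQUIRED_VERSION) -> bool:
    """True when the installed core is older than the release that repairs auto-updates."""
    return parse_version(version) < parse_version(required)


def audit(docroots: Iterable[Path]) -> Dict[str, str]:
    """Map each docroot to a status line; the 'stuck' ones need a manual update."""
    report: Dict[str, str] = {}
    for docroot in docroots:
        version = read_wp_version(docroot)
        if version is None:
            status = "no wp-includes/version.php found"
        elif needs_manual_update(version):
            status = f"{version}: stuck below {REQUIRED_VERSION}, update manually"
        else:
            status = f"{version}: ok"
        report[str(docroot)] = status
    return report


def make_sample_docroot(version: str) -> Path:
    """Constructed fixture: a temporary directory holding only the file this script reads."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
    return root


if __name__ == "__main__":
    for path, status in audit([make_sample_docroot("4.9.3"), make_sample_docroot("4.9.4")]).items():
        print(f"{path}: {status}")
```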

However, not all sites that received the faulty update have hit this bug. Some users report that their sites installed both updates (4.9.3 and 4.9.4) automatically.

Moreover, the company released two maintenance updates this week, but neither includes a fix for the severe application-level DoS vulnerability disclosed last week, which could allow anyone to take down most WordPress websites from a single machine.

Since WordPress sites are frequent targets for hackers because of the platform’s dominant share of the content management system (CMS) market, administrators are advised to always keep their software and plugins up to date.

Critical Oracle Micros POS Flaw Affects Over 300,000 Payment Systems


Oracle has released a security patch update to address a critical remotely exploitable vulnerability that affects its MICROS point-of-sale (POS) business solutions for the hospitality industry.

The fix has been released as part of Oracle’s January 2018 update that patches a total of 238 security vulnerabilities in its various products.

According to the public disclosure by ERPScan, the security firm that discovered and reported the issue to the company, Oracle’s MICROS EGateway Application Service, deployed by over 300,000 small retailers and businesses worldwide, is vulnerable to a directory traversal attack.

If exploited, the vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and receive information about various services from vulnerable MICROS workstations without any authentication.

Using the directory traversal flaw, an unauthorized insider with network access to the vulnerable application could read sensitive files from the MICROS workstation, including service logs and configuration files.

As explained by the researchers, two such sensitive files in the application’s storage, SimphonyInstall.xml and Dbconfix.xml, contain usernames and encrypted passwords for connecting to the database.

“So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise,” the researchers warned. 

“If you believe that gaining access to POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect it to Raspberry PI, and scan the internal network. That is where they easily discover a POS system. Remember this fact when you pop into a store.”

ERPScan has also released a proof-of-concept Python-based exploit, which, if executed on a vulnerable MICROS server, would send a malicious request to get the content of sensitive files in response.
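The bug class behind this advisory is ordinary enough to show side by side. The following Python is an added example written for this page; it does not reproduce ERPScan’s exploit or the MICROS request format, and it assumes nothing about the real service beyond “a handler maps a requested path onto files under a web root”. It builds a constructed directory tree (the file name Dbconfix.xml is taken from the advisory, its contents are invented), shows a naive handler that lets `../` escape the web root, and a hardened handler that canonicalises both sides and refuses anything outside it.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


def make_sample_tree() -> Path:
    """Constructed layout: a web root and, one level above it, a config directory
    holding a stand-in Dbconfix.xml. Only the file name comes from the advisory."""
    app = Path(tempfile.mkdtemp(prefix="pos-demo-"))
    webroot = app / "webroot"
    webroot.mkdir()
    (webroot / "index.html").write_text("<html>gateway</html>")
    (app / "config").mkdir()
    (app / "config" / "Dbconfix.xml").write_text(
        "<DbConfig><User>posdb</User><Password>ENC:not-a-real-secret</Password></DbConfig>"
    )
    return webroot


def vulnerable_read(webroot: Path, requested: str) -> str:
    """Naive handler: decodes the request and joins it onto the web root.
    '..' segments and absolute paths go straight to the filesystem."""
    return (Path(webroot) / unquote(requested)).read_text()


def hardened_read(webroot: Path, requested: str) -> str:
    """Canonicalise both sides (symlinks included) and refuse anything that does
    not stay inside the web root. Decoding happens exactly once, before the check,
    so a layer of percent-encoding cannot hide a traversal."""
    base = Path(webroot).resolve()
    target = (base / unquote(requested)).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise PermissionError(f"request escapes the web root: {requested!r}") from None
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()


def is_blocked(webroot: Path, requested: str) -> bool:
    """True when the hardened handler rejects the request as a traversal attempt."""
    try:
        hardened_read(webroot, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = make_sample_tree()
    probe = "..%2Fconfig%2FDbconfix.xml"
    print("vulnerable handler returns:", vulnerable_read(root, probe))
    print("hardened handler blocks it:", is_blocked(root, probe))
```

The hardened check deliberately compares resolved paths rather than looking for the substring `..`: that also catches absolute paths (`Path(base) / "/etc/passwd"` discards the base entirely) and symlinks that point out of the tree, neither of which a string filter sees.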

Besides this, Oracle’s January 2018 patch update also provides fixes for Spectre and Meltdown Intel processor vulnerabilities affecting certain Oracle products.

Update Your Firefox Browser to Fix a Critical Remotely Exploitable Flaw


Mozilla has released an important update for its Firefox web browser to patch a critical vulnerability that could allow remote attackers to execute malicious code on computers running an affected version of the browser.

The update comes just a week after the company rolled out Firefox 58, the latest release in its Firefox Quantum line, with features such as an improved graphics engine and performance optimizations, plus patches for more than 30 vulnerabilities.

According to a security advisory published by Cisco, Firefox 58.0.1 addresses an ‘arbitrary code execution’ flaw that originates from ‘insufficient sanitization’ of HTML fragments in chrome-privileged documents (the browser UI).

Hackers could exploit this vulnerability (CVE-2018-5124) to run arbitrary code on the victim’s computer by tricking them into following a link or ‘opening a file that submits malicious input to the affected software.’

“A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely,” the advisory states.

This could allow an attacker to install programs, create new accounts with full user rights, and view, change or delete data.

However, if the user account running the browser has fewer rights on the system, successful exploitation would have less impact.

Affected versions include Firefox 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4) and 58 (.0). The vulnerability is fixed in Firefox 58.0.1, which you can download from Mozilla’s official website.

The issue, which was discovered by Mozilla developer Johann Hofmann, does not affect Firefox browser for Android and Firefox 52 ESR.

Users are advised to apply the update before attackers start exploiting the issue, and to avoid opening links in emails or messages that come from suspicious or unrecognized sources.

Administrators are also advised to use an unprivileged account when browsing the Internet and monitor critical systems.

Patch Tuesday: Microsoft Releases Update to Fix 53 Vulnerabilities


It’s Patch Tuesday—time to update your Windows devices.

Microsoft has released a large batch of security updates as part of its November Patch Tuesday to fix a total of 53 new security vulnerabilities in various products, 19 of which are rated critical, 31 important and 3 moderate.

The vulnerabilities impact the Windows OS, Microsoft Office, Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, .NET Core, and more.

At least four of the vulnerabilities the tech giant has now fixed have public exploits, making them easy for attackers to use. Fortunately, none of the four is being exploited in the wild, according to Gill Langston at security firm Qualys.

The four vulnerabilities with public exploits are identified by Microsoft as CVE-2017-8700 (an information disclosure flaw in ASP.NET Core), CVE-2017-11827 (remote code execution in Microsoft browsers), CVE-2017-11848 (Internet Explorer information disclosure) and CVE-2017-11883 (denial of service in ASP.NET Core).

Potentially Exploitable Security Vulnerabilities

What’s interesting about this month’s Patch Tuesday is that none of the Windows OS patches is rated Critical. However, the Device Guard Security Feature Bypass vulnerability (CVE-2017-11830) and the privilege elevation flaw (CVE-2017-11847) deserve your attention.

Also, according to an analysis of Patch Tuesday fixes by Zero-Day Initiative, CVE-2017-11830 and another flaw identified as CVE-2017-11877 can be exploited to spread malware.

“CVE-2017-11830 patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticate files,” Zero-Day Initiative said.

“CVE-2017-11877 fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers.”

The tech giant also fixed six remote code execution vulnerabilities that exist “in the way the scripting engine handles objects in memory in Microsoft browsers.”

Microsoft identified these vulnerabilities as CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873, which could corrupt memory in such a way that attackers could execute malicious code in the context of the current user.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website,” Microsoft said. “These websites could contain specially crafted content that could exploit the vulnerability.” 

17-Year-Old MS Office Flaw Lets Hackers Install Malware

Also, you should be extra careful when opening files in MS Office.

All versions of Microsoft Office released in the past 17 years were found vulnerable to a remote code execution flaw (CVE-2017-11882) that works against all versions of the Windows operating system, including the latest Windows 10 Creators Update.

The flaw lies in a legacy Office component (the Equation Editor) that fails to properly handle objects in memory, corrupting it in such a way that an attacker could execute malicious code in the context of the logged-in user.

Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software, which could allow attackers to remotely install malware on targeted computers.

Adobe Patch Tuesday: Patches 62 Vulnerabilities

Besides fixing vulnerabilities in its own products, Microsoft has also released updates for Adobe Flash Player.

These updates correspond with Adobe bulletin APSB17-33 for Flash Player; Adobe’s November release also patches 62 CVEs in Acrobat and Reader alone. So users are advised to update Adobe software across their environment to stay protected.

It should also be noted that last Patch Tuesday, Microsoft quietly released the patch for the dangerous KRACK vulnerability (CVE-2017-13080) in the WPA2 wireless protocol.

Therefore, users are also recommended to make sure their systems have last month’s security patches installed.

Likewise, users are strongly advised to apply the November security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.

For installing security updates, just head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Apple iPhone X’s Face ID Hacked (Unlocked) Using 3D-Printed Mask


Just a week after Apple released its brand new iPhone X on November 3, a team of hackers has claimed to successfully hack Apple’s Face ID facial recognition technology with a mask that costs less than $150.

Yes, Apple’s “ultra-secure” Face ID security for the iPhone X is not as secure as the company claimed during its launch event in September this year.

“Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID,” Apple’s senior VP of worldwide marketing Phil Schiller said about Face ID system during the event.

“These are actual masks used by the engineering team to train the neural network to protect against them in Face ID.”

However, the bad news is that researchers from Vietnamese cybersecurity firm Bkav were able to unlock the iPhone X using a mask.

Yes, Bkav researchers have a better option than holding the phone up to your face while you sleep.

Bkav researchers re-created the owner’s face using a combination of a 3D-printed mask, makeup and 2D images, with some “special processing done on the cheeks and around the face, where there are large skin areas”; the nose is made of silicone.

The researchers also published a proof-of-concept video showing the brand-new iPhone X being unlocked first with the specially constructed mask and then with the Bkav researcher’s own face, in one go.

“Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it,” an FAQ on the Bkav website said.

“You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.”

The researchers say their “proof-of-concept” demo took about five days after they received the iPhone X on November 5. They also say the demo was performed against one team member’s face, without training Face ID on any component of the mask.

“We used a popular 3D printer. The nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple’s AI,” the firm said.

The security firm said the parts cost around $150 (excluding the 3D printer), though it did not specify how many attempts its researchers needed to bypass Face ID.

It should be noted that creating such a mask is a time-consuming, targeted process; it is not a practical way to break into a random person’s iPhone.

However, if you prefer privacy and security over convenience, we recommend using a passcode instead of fingerprint or Face ID to unlock your phone.

Microsoft Issues Patches For Severe Flaws, Including Office Zero-Day & DNS Attack


As part of its “October Patch Tuesday,” Microsoft has today released a large batch of security updates to patch a total of 62 vulnerabilities in its products, including a severe MS Office zero-day flaw that has been exploited in the wild.

Security updates also include patches for Microsoft Windows operating systems, Internet Explorer, Microsoft Edge, Skype, Microsoft Lync and Microsoft SharePoint Server.

Besides the MS Office vulnerability, the company has also addressed two other publicly disclosed (but not yet targeted in the wild) vulnerabilities that affect the SharePoint Server and the Windows Subsystem for Linux.

October’s Patch Tuesday also fixes a critical Windows DNS vulnerability that a malicious DNS server could exploit to execute arbitrary code on the targeted system. Below is a brief technical explanation of the critical and important vulnerabilities mentioned above.

Microsoft Office Memory Corruption Vulnerability (CVE-2017-11826)

This vulnerability, classified by Microsoft as “important,” is caused by a memory corruption issue. It affects all supported versions of MS Office and has been actively exploited by the attackers in targeted attacks.

An attacker could exploit this vulnerability either by sending a specially crafted Microsoft Office file to the victims and convincing them to open it, or hosting a site containing specially crafted files and tricking victims to visit it.

Once opened, the malicious code in the booby-trapped Office file executes with the same rights as the logged-in user, so users with least privilege on their systems are less affected than those with administrative rights.

The vulnerability was reported to Microsoft by researchers at China-based security firm Qihoo 360 Core Security, who on September 28 detected an in-the-wild attack that leveraged this vulnerability via malicious RTF files.

Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)

Also among the critical vulnerabilities patched by Microsoft is a remote code execution flaw in the Windows DNS client that affects computers running Windows 8.1 and Windows 10, and Windows Server 2012 through 2016.

The vulnerability can be triggered by a malicious DNS response, allowing an attacker to gain arbitrary code execution on Windows clients or Windows Server installations in the context of the application that made the DNS request.

Nick Freeman, a security researcher from security firm Bishop Fox, discovered the vulnerability and demonstrated how an attacker connected to a public Wi-Fi network could run malicious code on a victim’s machine, escalate privileges and take full control over the target computer or server.

“This means that if an attacker controls your DNS server (e.g., through a Man-in-the-Middle attack or a malicious coffee-shop hotspot) – they can gain access to your system,” the researcher explains.

“This doesn’t only affect web browsers – your computer makes DNS queries in the background all the time, and any query can be responded to in order to trigger this issue.”

For full technical details, watch the video demonstration by Bishop Fox’s Dan Petro and read Bishop Fox’s blog post.

Windows Subsystem for Linux Denial of Service Vulnerability (CVE-2017-8703)

This denial of service (DoS) issue is yet another noteworthy vulnerability which resides in Windows Subsystem for Linux.

The vulnerability, classified by Microsoft as “important,” was previously publicly disclosed, but wasn’t found actively exploited in the wild.

The vulnerability could allow an attacker to run a malicious application that corrupts an object in memory, which eventually lets that application crash the target system and leave it unresponsive.

The only Microsoft product affected by this vulnerability is Windows 10 (version 1703). “The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory,” Microsoft said in its advisory.

Microsoft Office SharePoint XSS Vulnerability (CVE-2017-11777)

Another previously disclosed but not yet under attack vulnerability is a cross-site scripting (XSS) flaw in Microsoft SharePoint Server that affects SharePoint Enterprise Server 2013 Service Pack 1 and SharePoint Enterprise Server 2016.

The vulnerability, also classified by Microsoft as “important,” can be exploited by sending a maliciously crafted request to an affected SharePoint server.

Successful exploitation of this vulnerability could allow an attacker to perform cross-site scripting attacks on affected systems and execute malicious script in the same security context of the current user.

“The attacks could allow the attacker to read content that the attacker is not authorised to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user,” Microsoft explains.

Besides these, the company has patched a total of 19 vulnerabilities in the scripting engine in Edge and Internet Explorer that could allow web pages to achieve remote-code execution, with the logged-in user’s permissions, via memory corruption flaws.

Just opening a web page could potentially land you in trouble by executing malware, spyware, ransomware, and other nasty software on the vulnerable computer.

More RCE And Other Vulnerabilities

Redmond also patched two vulnerabilities in the Windows font library that allow a web page or document to execute malicious code on a vulnerable machine and hijack it when the user opens a file with a specially crafted embedded font or visits a website hosting such a file.

The update also includes fixes for a DLL-loading bug in Windows TRIE (CVE-2017-11769) that allows remote code execution, and for a programming error (CVE-2017-11776) in Outlook that leaves emails open to snooping over supposedly secure connections.

Other issues patched this month include two remote code execution flaws in the Windows Shell and a remote code execution bug in Windows Search.

Microsoft also published an advisory warning users of a security feature bypass issue affecting the firmware of Infineon Trusted Platform Modules (TPMs).

Surprisingly, there are no security patches for Adobe Flash this month; Adobe has skipped October’s Patch Tuesday altogether.

Users are strongly advised to apply October security patches as soon as possible in order to keep hackers and cybercriminals away from taking control over their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Powered by WPeMatico

Google Researcher Publishes PoC Exploit for Apple iPhone Wi-Fi Chip Hack


You now have another good reason to update your iPhone to the newly released iOS 11: a security vulnerability in iOS 10 and earlier now has a working exploit publicly available.

Gal Beniamini, a security researcher with Google Project Zero, has discovered a security vulnerability (CVE-2017-11120) in Apple’s iPhone and other devices that use Broadcom Wi-Fi chips, and it is easy to exploit.

This flaw is similar to the one Beniamini discovered in Broadcom’s Wi-Fi SoC (System-on-Chip) back in April, and to the BroadPwn vulnerability disclosed by Exodus Intelligence researcher Nitay Artenstein earlier this summer. All three flaws allow remote takeover of smartphones over local Wi-Fi networks.

The newly discovered vulnerability, which Apple fixed with its major iOS update released on September 19, could allow hackers to take control over the victim’s iPhone remotely. All they need is the iPhone’s MAC address or network-port ID.

And since obtaining the MAC address of a connected device is easy, the vulnerability is considered a serious threat to iPhone users.

Beniamini informed Wi-Fi chip maker Broadcom and privately reported the vulnerability in Google’s Chromium bug tracker on August 23.

Now, following the iOS 11 release, Beniamini has published a proof-of-concept (PoC) exploit for the flaw to demonstrate the risk it poses to iPhone users.

Beniamini says the flaw exists in Broadcom chips running firmware version BCM4355C0, which is used not only in iPhones but also in a large number of other devices, including Android smartphones, the Apple TV and smart TVs.

Once the exploit runs, it inserts a backdoor into the Broadcom chip’s firmware that lets the attacker remotely read and write firmware memory, “thus allowing easy remote control over the Wi-Fi chip.”

Once all done, “you can interact with the backdoor to gain R/W access to the firmware by calling the “read_dword” and “write_dword” functions, respectively.”

The researcher tested his exploit only against the Wi-Fi firmware in iOS 10.2 but believes it should also work on all versions of iOS up to 10.3.3.

“However, some symbols might need to be adjusted for different versions of iOS, see ‘exploit/symbols.py’ for more information,” Beniamini writes.

Since there is no easy way to find out whether your device runs firmware version BCM4355C0, users are advised to update their iPhones to iOS 11. Apple has also patched the issue in the most recent version of tvOS.

Google addressed this issue on Nexus and Pixel devices, and in its Android security bulletin, earlier this month. However, other Android users have to wait for their handset manufacturers to push the updates to their devices.


Microsoft Issues Security Patches for 25 Critical Vulnerabilities


Here we go again…

As part of its August Patch Tuesday, Microsoft has today released a large batch of 48 security updates for all supported versions of Windows and other products.

The latest security update addresses a range of vulnerabilities, 25 critical, 21 important and 2 moderate in severity.

These vulnerabilities impact various versions of Microsoft’s Windows operating systems, Internet Explorer, Microsoft Edge, Microsoft SharePoint, the Windows Subsystem for Linux, Adobe Flash Player, Windows Hyper-V and Microsoft SQL Server.

CVE-2017-8620: Windows Search Remote Code Execution Vulnerability

The most interesting and critical vulnerability this month is the Windows Search Remote Code Execution Vulnerability (CVE-2017-8620), which affects all versions from Windows 7 to Windows 10 and could be used in a wormable attack like the one behind the WannaCry ransomware, since it is reachable over an SMB connection.

An attacker could remotely exploit the vulnerability through an SMB connection to elevate privileges and take control of the targeted Windows computer.

“A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explains.

“In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.”

CVE-2017-8633: Windows Error Reporting Elevation of Privilege Vulnerability

Another significant elevation of privilege vulnerability resides in Windows Error Reporting (WER); it could allow an attacker who runs a specially crafted application to gain administrator privileges on the targeted system and steal sensitive information.

“This update corrects the way the WER handles and executes files,” the advisory says.

CVE-2017-8627: Windows Subsystem for Linux DoS Vulnerability

An important denial-of-service vulnerability has also been identified in the Windows Subsystem for Linux.

“To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how Windows Subsystem for Linux handles NT pipes” the advisory says.

Successful exploitation could result in a denial of service, leaving the targeted system unresponsive.

Microsoft has also released critical security updates for the Adobe Flash Player bundled with Internet Explorer, even though Adobe plans to end support for Flash at the end of 2020.

Users and IT administrators are strongly recommended to apply the security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.
