The CERT Coordination Center (CERT/CC) has published data on vulnerabilities affecting versions of Microsoft Windows and Windows Server.
Microsoft had issued an advisory for CVE-2018-8611, a Windows kernel elevation of privilege bug that exists when the Windows kernel fails to properly handle objects in memory. An attacker who exploited this flaw could run arbitrary code in kernel mode. The company also issued CVE-2018-8626 for a Windows DNS server heap overflow vulnerability. A remote code execution flaw exists in Windows DNS servers when they don’t properly handle requests, Microsoft explains.
Read more about the critical Windows flaws on DarkReading.
In January of 2018, the world was introduced to two game-changing CPU vulnerabilities, Spectre and Meltdown, that brought “speculative execution side-channel vulnerability” into the enterprise IT security lexicon. Since then, a number of variants of the initial vulnerabilities have been found, along with new vulnerabilities taking advantage of similar functions within the CPUs.
Intel kicked off 2019 with a Jan. 2 editorial laying out its response to the Spectre and Meltdown vulnerabilities over the past year. The chip giant says the culture of the company has changed since the advent of Spectre and Meltdown, and its response has been effective. But vulnerabilities in the core of a CPU tend not to lend themselves too rapid, complete fixes, Intel says.
Read more about Intel’s response to Meltdown & Spectre on DarkReading.
Singapore Airlines (SIA) says a software glitch was the cause of a data breach that affected 285 members of its frequent flyer programme, compromising various personal information including passport and flight details.
The “software bug” surfaced after changes were made to the Singapore carrier’s website on January 4 and enabled some of its Krisflyer members to view information belonging to other travellers, SIA told ZDNet in an email.
Read more about the Singapore Airlines data breach on ZDNet.
A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways. CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague 4.0 and earlier versions of the software, all of them in the package’s “helper protocol.”
The helper functions of the software run as root functions and the flaws arise from the fact that they can be accessed by applications without validation – thus giving those applications root access.
Read more about the critical flaws in CleanMyMac X software on Threatpost.
A new version of the NRSMiner is actively spreading in the southern region of Asia. The majority of detections (54%) have been found in Vietnam, followed by Iran (16%) and Malaysia (12%). The new version either updates existing NRSMiner infections, or spreads to new systems using the EternalBlue exploit.
EternalBlue is one of the NSA exploits stolen by the Shadow Brokers and leaked to the public. It was patched by Microsoft in March 2017, leaked by Shadow Brokers in April 2017, and used by WannaCry in May 2017. That EternalBlue is still being used to spread malware nearly two years after it was patched by Microsoft points to a massive failure in patching.
Adobe released security bulletin APSB19-02 that describes two security updates for critical vulnerabilities in Adobe Acrobat and Reader. In these updates only two vulnerabilities were fixed, but they are classified as Critical because they allow privilege escalation and arbitrary code execution.
The first vulnerability was assigned ID CVE-2018-16011 and is a use after free bug that could allow arbitrary code execution. The second vulnerability was assigned CVE-2018-19725 and allows attackers to execute code at a higher privilege level.
A vulnerability recently patched by Google in Chrome for Android was an information disclosure bug that was originally reported in 2015, but not patched until the release of Chrome 70 in October 2018, security researchers say.
The issue is that the browser – along with WebView and Chrome Tabs for Android – discloses information about the hardware model, firmware version, and security patch level of the device it is installed on. Applications using Chrome to render web content are also impacted.
Read more about the Chrome for Android vulnerability on SecurityWeek.
Vein authentication, a biometric security method that scans the veins in your hand, has been cracked. Using a fake handmade out of wax, Jan Krissler and Julian Albrecht demonstrated how they were able to bypass scanners made by both Hitachi and Fujitsu, which they claim covers around 95 percent of the vein authentication market. The method was demonstrated at Germany’s annual Chaos Communication Congress.
While imprints of fingerprints can often be left behind on surfaces just by touching them, vein patterns cannot, and are considered to be much more secure as a result. However, this wasn’t a problem for the researchers, who were able to copy their target’s vein layout from a photograph taken with an SLR camera modified to remove its infrared filter.
Read more about how vein authentication can be bypassed on MSN.
Hardware based cryptocurrency wallets may not be as secure as promised. That’s the judgement of three security researchers who presented their research at a session at the 35c3 conference.”
The researchers demonstrated firmware, side-channel, microcontroller and supply-chain attacks that impact a range of wallets including Trezor One, Ledger Nano S, and Ledger Blue. Naturally, the manufacturers responded, claiming the research had holes and attacks were impractical and their hardware was safe to use. “The sad reality is there is just not a lot of security in cryptocurrency [development]. And that is painful to hear,” said one of the researchers.
Read more about the shortcomings of crypto wallet security on Threatpost.
Voicemail systems are vulnerable to compromise via brute-force attacks against the four-digit personal identification numbers (PINs) that protect them. Researchers say a malicious user can thus access the voicemail system to then take over online accounts for services like WhatsApp, PayPal, LinkedIn and Netflix.
Martin Vigo, a mobile security expert who presented his research at 35C3, warns that PINs that protect voicemail systems are far easier to crack than traditional passwords. “Automated phone calls are a common solution for password resets, account verification and other services,” Vigo said. “These can be compromised by leveraging old weaknesses and current technology to exploit this weakest link – voicemail systems.”
Read more about the vulnerabilities of voicemail systems on Threatpost.