Tag: Vulnerability

Microsoft JET vulnerability still open to attacks, despite recent patch

A vulnerability in the Microsoft JET database engine is still open to attacks, even after Microsoft shipped an update earlier this week during the October 2018 Patch Tuesday.

The vulnerability, which was a zero-day at the time of its disclosure in mid-September, raised some alarms, mainly because the JET database engine is included in all versions of Windows, giving attackers a huge attack vector to target. Microsoft shipped an update this past Tuesday. But according to Mitja Kolsek, co-founder of 0patch, the recent patch is incomplete, and an attacker can still exploit the original vulnerability.

Read more about the issues with Microsoft’s recent JET patch on ZDNet.

ICS Security Plagued with Basic, Avoidable Mistakes

At least 33 percent of the security issues found in industrial control systems (ICS) are rated as being of high or critical risk. FireEye iSIGHT Intelligence compiled data from dozens of ICS security health assessment engagements performed by its Mandiant division, and found that these issues include unpatched vulnerabilities (32 percent); password issues (25 percent); and problems with architecture and network segmentation (11 percent).

In other words, ICS environments are riddled with basic security snafus, meaning that the main security risks are eminently avoidable using best practices. However, these organizations have unique challenges that have contributed to their poor security posture.

Read more about the disturbing findings of the new research on Threatpost.

9 million Xiongmai cameras, DVRs wide open to attack

SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology.

The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.

Read more about the various vulnerabilities affecting some 9 million Xiongmai devices on Help Net Security.

Microsoft Fixes Privilege Escalation 0Day Under Active Attack

Microsoft’s monthly Patch Tuesday came with 49 security fixes and two advisories for Internet Explorer (IE), Microsoft Edge, Windows components, Microsoft Office and Office Services, Exchange, SQL Server, ChakraCore, Hyper-V, and .NET Core.

Twelve of the patched vulnerabilities are deemed Critical, 35 are categorized Important, one is Moderate, and one is considered Low severity. Three were known at the time their patches were released, and one is currently being exploited in active attacks. The bug being abused in attacks is CVE-2018-8453, a Win32k elevation of privilege vulnerability that exists in Windows when the Win32k component doesn’t properly handle objects in memory.

Read more about this month’s Patch Tuesday security fixes on DarkReading.

Windows 10 Ransomware Protection Bypassed Using DLL Injection

Windows 10 comes with a ransomware protection feature called Controlled Folder Access that can be used to prevent modifications to files in protected folders by unknown programs. At the DerbyCon security conference, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.

Controlled Folder Access is a feature that allows you to protect folders and files so they can only be modified by whitelisted applications. Knowing that explorer.exe is whitelisted in Controlled Folder Access, Soya Aoyama, a security researcher at Fujitsu System Integration Laboratories Ltd., figured out a way to inject a malicious DLL into Explorer when it is started.

Read more about the newly discovered vulnerability on BleepingComputer.

Google shuts down Google+ after API bug exposed details for over 500,000 users

Google announced it is shutting down the Google+ social network after the company’s engineers found an API bug that might have exposed some private profile data for more than 500,000 Google+ users. The company said the bug was located in the Google+ People API.

By default, Google+ users can grant access to their profile data to third-party apps. Google+ users can also allow a third-party app to access the public profile information of a user’s friends. In a blog post, Ben Smith, Google fellow and vice president of engineering, said the bug allowed third-party apps to also gain access to users’ data that was marked private.

Read more about the potential data leak and the end of Google+ on ZDNet.

Code execution bug in malicious repositories resolved by Git Project

The Git Project has disclosed the existence of a severe vulnerability which can lead to the execution of arbitrary code. The vulnerability, CVE-2018-17456, was disclosed last Friday. The option-injection attack can be used to compromise the software’s submodules. Malicious repositories which are cloned and use a .gitmodules file with a URL field beginning with a ‘-’ character can be used to execute code at the time of processing.

The latest version of the software, Git v2.19.1, has been released with a patch designed to resolve the security flaw. In addition, the Git Project has released backports for versions v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1 to eradicate the severe bug in older software.

Read more about the critical Git Project vulnerability on ZDNet.

Sony Smart TV Bug Allows Remote Access, Root Privileges

As the number of smart TVs grows, so does the number of vulnerabilities inside of them. Security researchers recently revealed that eight Sony Bravia smart TV models are vulnerable to three separate bugs, one rated critical.

The flaws – a stack buffer overflow, a directory traversal and a command-injection bug – were found in March by Fortinet’s FortiGuard Labs team. The most serious of the vulnerabilities is the command-injection bug (CVE-2018-16593), which could be exploited to recruit a TV into a botnet or be used as a springboard for additional attacks against devices that share the same network.

Read more about the critical Sony Smart TV bug on Threatpost.

PoC Attack Escalates MikroTik Router Bug to ‘As Bad As It Gets’

A new hacking technique used against vulnerable MikroTik routers gives attackers the ability to execute remote code on affected devices. The technique is yet another security blow against the MikroTik router family. Previous hacks have left the routers open to device failures, cryptojacking and network eavesdropping.

The hacking technique, found by Tenable Research, is tied to the existing directory traversal bug (CVE-2018-14847) found and patched in April. That vulnerability was rated medium in severity. However, Tenable Research says it has recently found a new attack technique that exploits the same bug.

Read more about why Tenable researchers say the medium severity bug should now be rated critical on Threatpost.

New study finds 5 of every 6 routers are inadequately updated for security flaws

A new study by a US consumer nonprofit has found that five out of six home routers are inadequately updated for security flaws, leaving the devices, and indirectly their users, vulnerable to hacking. Carried out by the American Consumer Institute (ACI), the study analyzed a sample of 186 SOHO (small office/home office) Wi-Fi routers from 14 different vendors with a presence on the US market.

ACI experts looked at the firmware version the routers were running and searched public vulnerability databases for known security flaws affecting each device’s firmware. “In total, there was a staggering number of 32,003 known vulnerabilities found in the sample,” said ACI experts in the study.

Read more about the disturbing findings of the study on ZDNet.