Microsoft’s Windows Patch Tuesday resolves a total of 60 vulnerabilities, 19 of which are critical, including two zero-day security flaws which are being actively used in attacks today. The Redmond giant published a security advisory detailing the latest round of updates.
The update impacts the Windows operating system, Internet Explorer, Microsoft Edge, Microsoft Office services and apps, ChakraCore, the .NET Framework, Microsoft Exchange and SQL Server, as well as Visual Studio. Security updates were also released for Adobe Flash Player.
Read more about the resolved vulnerabilities on ZDNet.
According to the researchers who found it, “Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds.”
Read more about the newly discovered Intel chip security problem on ZDNet.
According to researchers from Check Point, there are “shortcomings” in how Google’s Android operating system utilizes external storage resources. When third-party applications and developers are careless in how storage is managed, this may lead to what the team calls “Man-in-the-Disk” attacks.
Certain apps, once downloaded, will update or receive information from the developer’s server. This data will often pass through external storage before entering the app, providing an opportunity for threat actors to eavesdrop and manipulate this information before it is passed through to an app.
Read more about the novel attack technique that could even be used to crash a victim’s Android mobile device, on ZDNet.
The most crucial function police body cameras need to perform—beyond recording footage in the first place—is protecting the integrity of that footage so it can be trusted as a record of events. However, security researcher Josh Mitchel has found that many body cameras on the market today are vulnerable to remote digital attacks, including some that could result in the manipulation of footage.
Mitchell analyzed five body camera models from five different companies and found vulnerabilities in all but one that would allow an attacker to delete footage, or to download footage off a camera, edit it and then re-upload it, leaving no indication of the change.
Read more about the discovered vulnerabilities in police bodycams on Wired.
A newly discovered vulnerability in Microsoft’s Active Directory Federation Services (ADFS) lets threat actors bypass multifactor authentication (MFA) as long as they have the username and password for another person on the same ADFS service. Microsoft patched the flaw today.
This means the second factor for one account could be used for all other accounts in an organization. “If you can have one MFA factor for any user, you can have it for all users,” says Matias Brutti, director of research at Okta REX.
Read more about the newly discovered vulnerability in Microsoft ADFS , a service that many businesses use as a gatekeeper to manage identities and resources, on DarkReading.
Security researcher Eric Sesterhenn of X41 D-SEC GmbH has unearthed a number of vulnerabilities in several smart card drivers, some of which can allow attackers to log into the target system without valid credentials and achieve root/admin privileges.
As the company’s CEO Markus Vervier noted, the potential for abuse of these vulnerabilities is frightening – (vulnerable) smart card software stack implementations are used in ATMs, door locks and so on.
Read more about the uncovered vulnerabilities in smart card drivers that can be exploited via malicious smartcards on Help Net Security.
A new report from Risk Based Security released today reveals that the number of vulnerabilities discovered in software products shows no signs of abating.
Between January 1 and June 30 of this year, a total of 10,644 vulnerabilities were published compared to 9,690 in the same period in 2017. The trend so far this year suggests that the total number of disclosed vulnerabilities in 2018 will comfortably exceed the 20,832 vulnerabilities that Risk Based Security published during 2017 — which itself represented a 31% increase over 2016.
Read more about the new report from Risk Based Security, which also found that nearly 17% of the vulnerabilities disclosed so far this year have been critical, on DarkReading.
Security researcher Christopher Domas last week showed a room at Black Hat USA something quite astonishing, namely how to break the so-called ring-privilege model of modern CPU security.
In the hardware, different types of accounts are assigned to different “rings of privilege,” with users at ring three and the system administrator at ring 0. Domas in his research hacked the ring with a string consisting of four hexadecimal characters.
Read more about Domas’ ‘God Mode’ attack, which could allow a program from a “regular” user to assume kernel-level control, executing at a higher privilege than most security software – and bypassing most techniques used by anti-malware and hardware control systems today, on DarkReading.
A decade has passed since we learned about pacemaker hacks, but still implantable medical devices that can save patients’ lives can be hacked to potentially kill them. Even now, as was highlighted at Black Hat USA, attackers can cause pacemakers to deliver a deadly shock to the heart or deny a life-saving shock, as well as prevent insulin pumps from delivering insulin.
At the recent Black Hat and Def Con security conferences in Las Vegas, one set of researchers showed off hacks to pacemakers and insulin pumps that could potentially prove lethal, while another researcher explained how hospital patients’ vital signs could be falsified in real time.
Read more about the disturbing discoveries relating to medical device insecurity on CSO.
In 2014, IOActive researchers revealed security vulnerabilities they found in the most widely deployed satellite communications terminals and presented potential scenarios attackers could exploit once SATCOM systems have been compromised in the aviation, maritime, and military sectors. In 2018, they demonstrated that some of these scenarios are still actually possible.
Ruben Santamarta, principal security consultant with IOActive, presented this latest research at this year’s Black Hat conference in Las Vegas, and showed that it’s possible for remote attackers to take control of airborne SATCOM equipment on in-flight commercial aircrafts, earth stations on vessels and those used by the US military in conflict zones.