Here’s a common scenario organizations increasingly face: Too many web apps with too many vulnerabilities and no chance for immediate remediation.
In the interim, the organization is left exposed to potentially devastating breaches, at a time when web apps have become one of cyber attackers’ favorite targets.
Reserve Bank of India (RBI), India’s central banking and monetary authority, points out that the number, frequency, and impact of cyber incidents on Indian banks has increased substantially. Like their peers globally, Indian banks are committed to maintaining customer trust, protecting financial assets, and preserving their own brand and reputation as the industry will remain a top target of cybercriminals using increasingly sophisticated methods. Thus, it is urgent that banks continue to improve their cyber defenses.
In a race to adopt technology innovations, the exposure to cyber incidents/attacks has also increased, thereby underlining the urgent need to put in place a robust cyber security and resilience framework. The Reserve Bank of India has provided guidelines on Cyber Security Framework vide circular DBS.
IBM has released a patch for Lotus Domino to plug a security flaw which was disclosed in the latest Shadow Broker revelations. Lotus Domino includes an IMAP server. IMAP or Internet Message Access Protocol is an Internet standard protocol used by e-mail clients to retrieve e-mail messages from the mail server over a TCP/IP connection. The server contains a stack buffer overflow in the handling of mailbox names. This vulnerability affects Domino server 9.0.1FP8 and earlier versions, and this exploit has been referred to by the “EMPHASISMINE” code name by Shadow Brokers. CVE-2017-1274 has been assigned to this issue.
This release of the Qualys Cloud Platform version 2.26 includes updates and new features for Cloud Agent, AssetView, Security Assessment Questionnaire and Web Application Scanning as follows:
Today Oracle released a total of 299 new security fixes across all product families. It is important to note that it fixed 25 instances of the infamous Apache Struts vulnerability which could allow a remote attacker to take complete control of the server running Struts. The struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail.
Oracle also released Patch 25878798 for Solaris 10 and 11.3 which fixed the second Shadow Brokers EXTREMEPARR vulnerability CVE-2017-3622. EXTREMEPARR has a CVSS Base Score of 7.8, and if successfully exploited allows a local privilege escalation in the ‘dtappgather’ component. The other Shadow Brokers vulnerability CVE-2017-3623 (a.k.a. “Ebbisland” or “Ebbshave”) was previously addressed by Oracle in several Solaris 10 patch distributions issued since January 26th 2012 and does not affect Solaris 11.
Out of the 299 total fixes MySQL, Financial Services, Retail and Fusion Middleware take the lion’s share of fixes and the distribution is shown in the chart below. Majority of the vulnerabilities in the Financial Services, Retail and Fusion Middleware could be exploited via the HTTP protocol and attackers can take complete control of the system remotely without the need of any credentials.
SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0”\ will be marked as a Fail for PCI as of May 1, 2017 in accordance with the PCI DSS v3.2. For existing implementations, merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation & Migration Plan, which will result in a pass for PCI until June 30, 2018.
On Friday, a hacker group known as The Shadow Brokers publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.
Both end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. Microsoft has released patches for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities, without the availability of a patch.
For zero-day vulnerabilities in Operating Systems, you can use your existing asset inventory information from Qualys AssetView, and search for any OS to determine how many vulnerable assets are deployed. This can be done without additional scanning if the data is relatively fresh.
Microsoft Fixes 45 Vulnerabilities with new Security Update Guide and says goodbye to Security Bulletins. Adobe Fixes Flash, PDF reader and Photoshop.
Today is the first month since 1998 in which Microsoft stopped releasing security bulletins with the familiar MSxx-xxx format and replaced it with the new security update guide. We talked about this change earlier in a few blog posts and finally today it’s time to say good bye to security bulletins which essentially combined related vulnerabilities and products for easy of consumption.
In today’s release Microsoft fixed a total of 45 vulnerabilities that could lead to remote code execution, denial-of-service, elevation of privileges, security feature bypass and spoofing. Top priority goes to the Office and WordPad CVE-2017-0199 which fixed a 0-day vulnerability that is being actively exploited in the wild. Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Office or WordPad. Attacker could accomplish this by sending a specially crafted file to the user and then convincing the user to open the file. We recommend administrators patch this as soon as possible.
Adobe released five security bulletins today following a pre-notification which was released on Thursday of last week. Highest priority goes to the Flash update APSB17-10 as flash has been the top choice for malware and exploit kits. If left un-patched, the vulnerabilities allow attackers to take complete control of user’s computer if the user views malicious flash content hosted by the attacker. Although flash based exploit kit activity has reduced as compared to last year we still recommend updating this first. The affected versions are listed in the table below: