This week offered a representative sampling of different corners of the cyber security world: The monthly Patch Tuesday, a brazen attack against the Olympics, new Meltdown and Spectre concerns, and a boost for Intel’s bug bounty program.

Oh, and the gargantuan Equifax data breach may have been even bigger than previously thought.

Winter Olympics hack confirmed

The 2018 Winter Olympics in Pyeongchang, South Korea are in full swing, featuring the world’s best ice skaters, skiers, hockey players and snowboarders, and also attracting, unfortunately, malicious hackers.

Attackers’ goals seem to be to disrupt the games in a variety of ways by interfering with and disabling IT systems.

Continue reading …

For this month’s Patch Tuesday, Microsoft has released patches covering 55 vulnerabilities, with 15 ranked as critical. This includes out-of-band Office patches from mid-January as well as patches for Adobe Flash that were released last week.

From this list, there are patches for a vulnerability (CVE-2018-0825) that impacts StructuredQuery in Windows servers and workstations. Exploitation of this vulnerability would be through a malicious file and would lead to remote code execution. This patch should be at the top of the priority list, aside from the Adobe Flash patches mentioned below.

Continue reading …

It’s been a busy week in InfoSec land, as Intel released a new Spectre patch, iOS source code was leaked online, and a zero-day Flash bug got exploited in the wild.

Also making noise these past few days: A major security hole in the Grammarly web app, WordPress updates tripping over each other, and a data breach at a Swiss telecom company.

As has been the case these past few weeks, we’ll lead off with the latest on Meltdown and Spectre, the hardware vulnerabilities whose disclosure on Jan. 3 sent shockwaves through the IT industry due to their scope and severity, and which are expected to remain an issue for years.

Continue reading …

Due to the disclosure of Meltdown and Spectre, Microsoft released several patches last week with the ranking “Important.” While there are no active attacks against these vulnerabilities, a special focus should be placed on any of the browser patches, due to potential attacks using JavaScript.

Continue reading …

Today Microsoft released a fairly large batch of patches covering 81 vulnerabilities as part of September’s Patch Tuesday update, with 38 of them impacting Windows. Patches covering 27 of these vulnerabilities are labeled as Critical, and 39 can result in Remote Code Execution (RCE).  According to Microsoft, one critical vulnerability impacting HoloLens has a public exploit, and there are active malware campaigns exploiting a .NET vulnerability. Microsoft has also patched the BlueBorne vulnerability that could allow an attacker to perform a man-in-the-middle attack against a Windows system.

Continue reading …

Flash has been the top target for exploit kits and we have observed that defender behavior, i.e. how fast patches are applied along with other factors in the threat landscape could have led to a decline in the number of Flash vulnerabilities being weaponized in exploit kits.  In 2016, the time to patch 80% of Flash vulnerabilities reduced by more than half to 62 days as compared to the previous year when it was 144 days. This data is based on more than 3 billion scans performed by Qualys and could be one of the contributing factors why Flash-based attack integration in exploit kits is declining. If organizations patch quickly it gives less time for exploit kits to integrate the exploits and the chances of phishing vulnerable users reduce greatly if more machines are patched quickly.

Continue reading …

Microsoft Fixes 45 Vulnerabilities with new Security Update Guide and says goodbye to Security Bulletins. Adobe Fixes Flash, PDF reader and Photoshop.

Adobe released five security bulletins today following a pre-notification which was released on Thursday of last week. Highest priority goes to the Flash update APSB17-10 as flash has been the top choice for malware and exploit kits. If left un-patched, the vulnerabilities allow attackers to take complete control of user’s computer if the user views malicious flash content hosted by the attacker. Although flash based exploit kit activity has reduced as compared to last year we still recommend updating this first. The affected versions are listed in the table below:

Continue reading …

UPDATE: Microsoft has announced that all updates will be delivered in the March 14 patch cycle.

As covered in our January blog, today Microsoft was supposed to scrap the existing system in which users used to get a bulletin like MS17-001 in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. But as per Microsoft’s blog, February’s Patch Tuesday has been delayed as Microsoft discovered a last minute issue that could impact some customers and could not resolve it in time for the planned update. This comes on the heels of the announcement that individual patches will not be available as they will be bundled together in the monthly Security update or monthly Cumulative update. If there is a problem in the patch for one kernel vulnerability for example, then all kernel or related vulnerabilities cannot be released as they are bundled together. A zero day SMB vulnerability was expected to be patched today and as of this writing there is no official statement on the new release date.

On the Adobe front, three security updated were released and the most important one is for Flash APSB17-04 which affects Windows, Mac, Linux and ChromeOS. If left un-patched this allows attackers to take complete control of the system. An attacker would host malicious flash content and the vulnerability will trigger when victim views the content.

Continue reading …

Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Microsoft released three security updates for Office, Edge and LSASS.