Late Thursday, Microsoft released a patch for Windows 7 and Server 2008 R2 operating systems to resolve CVE-2018-1038. Apparently, this vulnerability was actually introduced by the patches released in January to mitigate the effects of Meltdown. Microsoft did include a partial fix in the March updates on Patch Tuesday, but did not completely resolve the issue.
Apple has been all over InfoSec news in the past week or so, along with Spectre / Meltdown developments, a tax season scam alert from the feds, and an apparent solution to the Winter Olympics’ hack whodunit. In addition, researchers warned about a new trend of using Memcached servers to significantly boost DDoS attacks, as GitHub became a victim of this new tactic.
Apple under siege
The second half of February was intense for Apple on the security front. A digital forensics vendor claimed having the ability to unlock all iPhone models, including the X, while a researcher warned about a Trojan targeting MacOs computers that’s not detected by anti-virus products. Oh, and Apple had to squash another one of those pesky bugs that let people crash iPhones via texting.
Forbes dropped a news bomb on Monday when it reported that Cellebrite recently started telling its customers — which are primarily government, military and corporate investigative teams — that it’s able to unlock and extract data from devices running iOS 11, such the iPhone X, as well as other iPhones, iPads and iPods.
While Cellebrite isn’t publicly trumpeting this capability, anonymous sources told Forbes that in recent months the company “has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe.”
As Forbes noted, Cellebrite has posted a brochure on its website where it details its ability to unlock these Apple products as well as several Android devices, and extract data from them. The way it works is that customers ship the devices to Cellebrite, where its engineers work their magic. Cellebrite can’t (or won’t) crack devices remotely.
This week offered a representative sampling of different corners of the cyber security world: The monthly Patch Tuesday, a brazen attack against the Olympics, new Meltdown and Spectre concerns, and a boost for Intel’s bug bounty program.
Oh, and the gargantuan Equifax data breach may have been even bigger than previously thought.
Winter Olympics hack confirmed
The 2018 Winter Olympics in Pyeongchang, South Korea are in full swing, featuring the world’s best ice skaters, skiers, hockey players and snowboarders, and also attracting, unfortunately, malicious hackers.
Attackers’ goals seem to be to disrupt the games in a variety of ways by interfering with and disabling IT systems.
It’s been a busy week in InfoSec land, as Intel released a new Spectre patch, iOS source code was leaked online, and a zero-day Flash bug got exploited in the wild.
Also making noise these past few days: A major security hole in the Grammarly web app, WordPress updates tripping over each other, and a data breach at a Swiss telecom company.
As has been the case these past few weeks, we’ll lead off with the latest on Meltdown and Spectre, the hardware vulnerabilities whose disclosure on Jan. 3 sent shockwaves through the IT industry due to their scope and severity, and which are expected to remain an issue for years.
This week brought new developments in the Meltdown / Spectre saga, including more concerns about Intel’s buggy patches, and mounting evidence that hackers are trying to create exploits for the vulnerabilities.
It seemed that after weeks of complaints and confusion, Intel’s issue had hit bottom and was headed for a resolution on Monday of last week. That’s when the company said its firmware updates for Broadwell and Haswell CPUs shouldn’t be installed anymore, because, as many customers had reported, they made systems behave erratically, including unexpectedly rebooting.
At the time, Intel said it had discovered the “root cause” for the firmware’s problems, and was already actively developing new updates. However, another shoe was about to drop. Three days later Intel acknowledged in its quarterly earnings report that the glitchy firmware can also cause “data loss or corruption.”
This disclosure prompted Microsoft to take the unusual step of releasing an emergency Windows update designed to disable Intel’s fix for one of the two Spectre variants. Microsoft’s “out-of-band” update — KB4078130 — targets Intel’s patch for CVE-2017-5715, Spectre’s branch target injection vulnerability.
IT departments and tech vendors continued grappling with Spectre and Meltdown this week, as Intel pulled its glitchy patches and the U.S. Congress questioned the vulnerability disclosures’ timing and scope.
Spectre and Meltdown aren’t typical vulnerabilities for a number of reasons, and as a result, they’ve proven problematic to deal with. Intel, whose products are the most impacted, has had a particularly rocky time crafting its firmware updates for mitigating the bugs.
The new year brought a new vulnerability type — the CPU-based Meltdown and Spectre bugs — that’s forcing vendors and IT departments to modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk.
“Meltdown and Spectre are different vulnerabilities from what you’re used to seeing,” Jimmy Graham, a Product Management Director at Qualys, said during a webcast on Wednesday.
As a result, it’s essential for organizations to fully understand the nature of these vulnerabilities, stay on top of the latest information, and analyze the vulnerabilities’ impact in their IT environments, in order to stay as safe as possible.
“It’s not a simple [process] of just install a patch and you’re done,” he said.
Since researchers disclosed the Meltdown and Spectrevulnerabilities on Jan. 3, vendors and IT departments have been consumed trying to figure out how to properly address the potentially devastating effects of these kernel-level bugs.
By now, one thing we know for sure is that dealing with the vulnerabilities is a moving target. This situation is compounded by the fact that they have broad implications and that every day seems to bring new, relevant information that must be factored into ongoing mitigation efforts.
Thus, it’s important to stay on top of the latest developments, so we’re providing a snapshot of what we know to date, how Qualys can help and and what InfoSec teams can do. We’re also tracking a list of Qualys resources.
In light of the recently released information about two security vulnerabilities, Qualys has considered the impact on the Qualys Cloud Platform and associated services. Qualys released a detailed advisory for customers of the Qualys Cloud Platform to help customers identify these vulnerabilities and to assist customers in their internal security assessment.
Below, please find information about how Qualys has performed its assessment and is taking steps to protect its environment and the Qualys Cloud Platform: