AusCERT Week in Review for 27th September 2019

AusCERT Week in Review for 27th September 2019

Greetings,

This week has been a mix of something old and something new. On the old side, a vBulletin zero-day gained attention, and whilst this was shocking news to some, it was old news to others as we learned it had been an exploited commodity for years. It’s good to be in the know it seems.

Being in the know was echoed by Atlassian who published a community article stating their intention to retire support for Internet Explorer, coming at the same time as ZDNet’s report that Microsoft had released two brand-spanking patches, one to plug an IE zero-day, and the other squash a Defender bug.

In a change of tact, interesting to hear that hackers are looking into new methods of injecting card stealing code on “Layer 7” routers to steal payment card details, instead of utilising websites. Whether this focus change is due to frustration in having their lovingly crafted websites taken-down, or in wanting to remain undetected for longer, one things is certain, this should highlight an organisations need to perform effective asset management and patch management practices.

And in considering vulnerable assets, we should also consider those non-traditional or non-managed devices that connect to our networks and become potential threat vectors. As remote working practices are becoming more widely accepted, InsiderPro reported to the evolution of the Bring Your Own Device (BYOD) policy has recently raised discussions regarding Bring Your Own Office (BYOO). Perhaps it’s time to splash out on two sweet 27″ monitors for your home office.

Lastly, a reminder to both enterprise and consumers that Windows 7 support will end on 14 January 2020, so perhaps new year, new secure you! And if you’re an Apple device user, then definitely check Wired’s article for checking your iOS 13 privacy and security features.

vBulletin Zero-Day Exploited for Years, Gets Unofficial Patch
Date: 25 September
Author: BleepingComputer

A zero-day exploit for the vBulletin forum platform was publicly disclosed and quickly used to attack affected versions of the forum software. It turns out, though, that this exploit has been known, utilized, and sold by researchers and attackers for years.

Retiring IE11 support for Atlassian cloud, server, and data center products
Date: 23 September
Author: Atlassian
URL: https://community.atlassian.com/t5/Feedback-Forum-articles/Retiring-IE11-support-for-Atlassian-cloud-server-and-data-center/ba-p/1185312

In 2015 Microsoft released Edge as the browser to supersede Internet Explorer (IE). Since then IE has not received major updates, or added support for many modern web standards. Microsoft recently discouraged the use of Internet Explorer as a default browser, and we’ve also seen a decrease in IE11 usage across our cloud, server, and data center products over time.
To allow us to continue to take advantage of modern web standards to deliver improved functionality and the best possible user experience across all of our products, we have decided to end support for IE11.

Microsoft releases out-of-band security update to fix IE zero-day & Defender bug
Date: 23 September
Author: ZDNet

Microsoft has released an emergency out-of-band security update today to fix two critical security issues — a zero-day vulnerability in the Internet Explorer scripting engine that has been exploited in the wild, and a Microsoft Defender bug.
The updates stand out because Microsoft usually likes to stay the course and only release security updates on the second Tuesday of every month. The company rarely breaks this pattern, and it’s usually only for very important security issues.

Hackers looking into injecting card stealing code on routers, rather than websites
Date: 25 September
Author: ZDNet

Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade “Layer 7” routers to steal payment card details.

Why your company needs a BYOO (bring your own office) policy
Date: 23 September
Author: InsiderPro

Remote work is not a trend. It’s there to stay. Insider Pro columnist Mike Elgan explains why it’s time to re-orient your organisation’s thinking around workshifting and BYOO. Just as the reality of consumer devices drove the BYOD policy trend, the reality of remote work demands the systematic thinking and communication of a bring your own office (BYOO) policy.

Windows 7 support will end on January 14, 2020
Date: Aug 3, 2019
Author: Microsoft

Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and software updates from Windows Update that help protect your PC will no longer be available for the product.

The iOS 13 Privacy and Security Features You Should Know
Date: 22 September
Author: WIRED

Your iPhone just got a major security upgrade. The reputation of iOS security may have taken some dings of late, but it’s still one of the most secure consumer operating systems available. Here are all the ways the latest version keeps you even more protected.

Here are some noteworthy bulletins from the week:

ESB-2019.3609
Adobe ColdFusion patched to resolve two critical and one important vulnerability.

ESB-2019.3617
Cisco IOx multiple vulnerabilities.

ESB-2019.3616
Cisco IOS XR root compromise vulnerability.

ESB-2019.3648
Confidential data access vulnerabilities patched in Apple iOS and iPadOS.

ESB-2019.3641
Apple iOS, macOS and watchOS were all patched due to an out-of-bounds read
with significant implications.

As always, stay safe, stay patched, and make it a good weekend!
Colin