Week in review - 14 Jul 2017
AusCERT Week in Review for 14th July 2017
As Friday 14th July comes to a close, along with the monthly Microsoft Security Update, there have been numerous security-related news items this week. Here's a summary (including excerpts) of some of the more interesting stories we've seen this week:
Title: Microsoft Patches 19 Critical Vulnerabilities in July Patch Tuesday Update
Date Published: July 12 2017
Author: Sean Michael Kerner
Excerpt: “Microsoft released its latest monthly Patch Tuesday update on July 11, patching a total of 54 vulnerabilities, of which 19 were rated as critical.
Microsoft’s HoloLens Virtual Reality (VR) technology received its first patch this month, for a critical remote code execution vulnerability identified as CVE-2017-8584. The vulnerability could have been triggered by an attack that sent a malicious WiFi packet to the HoloLens.”
Title: The laws of Australia will trump the laws of mathematics: Turnbull
Date Published: July 14 2017
Author: Chris Duckett and Asha McLean
Excerpt: “Regardless of what the laws of mathematics state around breaking into end-to-end encryption, the Australian government is determined to bring in laws that go against them, with the Prime Minister of Australia telling ZDNet that the laws produced in Canberra are able to trump the laws of mathematics.
‘The laws of Australia prevail in Australia, I can assure you of that,’ he said on Friday. ‘The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.’
On Friday, the government unveiled plans to introduce legislation this year that would force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.”
Title: Let’s Encrypt Wildcard Certificates a ‘Boon’ for Cybercriminals, Expert Says
Date Published: July 12 2017
Author: Ionut Arghire
Excerpt: “The organization will be offering wildcard certificates free of charge via an upcoming ACME v2 API endpoint. Only base domain validation via DNS will be supported in the beginning, but the CA may explore additional validation options over time.
Let’s Encrypt’s goal might be improved security and privacy for all users, but it doesn’t mean that its certificates can’t be misused. In March 2017, encryption expert Vincent Lynch revealed that, over a 12-month period, Let’s Encrypt issued around 15,000 security certificates containing the term PayPal for phishing sites.”
Title: China orders complete block on VPNs to begin by February 2018
Date Published: July 11 2017
Author: Graeme Burton
Excerpt: “The Chinese government has ordered the country’s big-three telecoms and internet service providers, China Mobile, China Telecom and China Unicom, to completely block access to virtual private networks (VPNs) by February 2018 in the latest stage of its campaign to prevent web users from circumventing the ‘great firewall of China’.”
Here are this week’s noteworthy security bulletins:
1) ESB-2017.1714 – ALERT [Win][UNIX/Linux] Apache Struts: Execute arbitrary code/commands – Remote/unauthenticated
This *new* Apache Struts issue went largely unnoticed by mainstream media despite there being PoCs available and vulnerable servers visible in Google search. AusCERT advises members to inform web developers and users to check whether their sites are vulnerable.
2) ESB-2017.1715 – [UNIX/Linux][Debian] xorg-server: Multiple vulnerabilities
This was another vulnerability that went largely unnoticed. Two security issues were discovered in the X.org X server, the worse of the two leading to privilege escalation. Since the X server runs as root in most environments, this vulnerability could potentially lead to root compromise.
3) ESB-2017.1721 – [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilities
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. AusCERT advises members to remove Adobe Flash if possible, and otherwise to keep Adobe products upgraded.
4) ASB-2017.0100 – [Win] Microsoft Windows: Multiple vulnerabilities
Our hundredth ASB for 2017 is fittingly for Microsoft Windows and includes an unusual vulnerability: a critical remote code execution vulnerability in Microsoft’s HoloLens Virtual Reality (VR) technology. Refer to the first article of the week above for more details.
Stay safe, stay patched and have a good weekend!