AusCERT Week in Review for 17th November 2017

Greetings,

As Friday 17 November closes, Cisco has announced and addressed a bug in certain upgrade paths for its collaboration appliances that left a root account with a known password enabled. The world’s most mainstream security target, Apple’s latest iPhone, has been fooled by researchers using an affordable mask. JavaScript cryptocurrency miners have also hit the news: with implementations available for all sorts of currencies, they are becoming a favourite XSS payload.

As for more news, here’s a summary of some of the more interesting stories we’ve seen this week:


Title:  Microsoft November Patch Tuesday Fixes 53 Security Issues
URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-november-patch-tuesday-fixes-53-security-issues/
Date:   14 November 2017
Author: Catalin Cimpanu

Excerpt:
“No zero-days this month
Details about four vulnerabilities were published online before today’s
patches, but fortunately, none were exploited in real-world attacks.”

——–

Title:    APCERT 2017 AGM and Conference: A Window into the CERT community
URL:    https://www.auscert.org.au/blog/2017-11-17-apcert-2017-agm-and-conference-window-c/
Date:   17 November 2017
Author: Anthony Vaccaro (of AusCERT!)

Excerpt:
“Additionally, some external speakers were invited to give talks at the conference. Some highlights included a talk by Akamai representative Amol Mathur on attacks that target API services directly, bypassing many of the protections that are built into front-end applications, and an overview on using machine learning to analyse malware samples by Rajesh Nikam of Quick Heal. As malware campaigns grow in both size and number, we need to move away from manual analysis in order to process as many samples as possible, making use of technologies such as machine learning to automate the process.”

——–

Title:    2,500+ Websites Are Now “Cryptojacking” To Use Your CPU Power And Mine Cryptocurrency
URL:    https://fossbytes.com/2500-websites-are-now-cryptojacking-to-use-your-cpu-power-and-mine-cryptocurrency/
Date:   10 November 2017
Author: Adarsh Verma

Excerpt:
“Most of these websites are using a JavaScript-based miner from the website Coinhive. By simply pasting a code snippet on the website, any webmaster can start mining. They just need to share a small cut with Coinhive.”
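The paste-a-snippet deployment described above leaves recognisable traces in a page: an external script loaded from the miner’s host, and an inline bootstrap that constructs the miner object and calls start(). Those same traces appear on sites whose operators never chose to mine when the snippet arrives via XSS. As an added example (not code from the article, from Coinhive or from AusCERT), the JavaScript below statically scans page HTML for those indicators; the host list, the scanForMiners name and the two sample pages are constructed assumptions for illustration.

```javascript
// Added example, not code from the page or from Coinhive: a static scanner
// that flags the indicators a cryptojacking injection leaves in page HTML.
// The host list and the sample pages are constructed for illustration.

// Assumption: a seed list of miner script hosts; extend it from your own intel.
const MINER_HOSTS = new Set(['coinhive.com']);

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Inline-script patterns: the Coinhive client API (constructor), the start()
// call that kicks off hashing, and WebAssembly instantiation (hashing cores
// use wasm for speed). Only the API constructor is treated as conclusive.
const INLINE_PATTERNS = [
  { name: 'coinhive-api', re: /CoinHive\.(Anonymous|User|Token)\s*\(/ },
  { name: 'miner-start', re: /\.start\s*\(/ },
  { name: 'wasm', re: /WebAssembly\.(instantiate|compile)/ },
];

// Resolve absolute, protocol-relative and relative src values to a hostname.
function hostOf(src) {
  try {
    return new URL(src, 'https://page.invalid/').hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Returns a list of {kind, detail} findings for the given HTML string.
function scanForMiners(html) {
  const findings = [];
  SCRIPT_RE.lastIndex = 0;
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = SRC_RE.exec(attrs);
    if (src) {
      const host = hostOf(src[1]);
      if (host && MINER_HOSTS.has(host)) {
        findings.push({ kind: 'external-miner-script', detail: src[1] });
      }
      continue;
    }
    const hits = INLINE_PATTERNS.filter((p) => p.re.test(body)).map((p) => p.name);
    // start() and wasm alone are far too common on legitimate pages to flag;
    // require the miner API itself and report the other hits as context.
    if (hits.includes('coinhive-api')) {
      findings.push({ kind: 'inline-miner-bootstrap', detail: hits.join(',') });
    }
  }
  return findings;
}

// Constructed sample: a page carrying the pasted miner snippet.
const SAMPLE_PAGE = `<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });
  miner.start();
</script>
</body></html>`;

// Constructed sample: a clean page that happens to call something.start().
const CLEAN_PAGE = `<html><head><script src="/static/app.js"></script></head>
<body><script>document.querySelector('video').start();</script></body></html>`;

console.log(JSON.stringify(scanForMiners(SAMPLE_PAGE), null, 2));
console.log(JSON.stringify(scanForMiners(CLEAN_PAGE), null, 2));
```

Run it over fetched page sources or a crawl of your own sites; the external-script check is the cheap, low-false-positive signal, and a Content-Security-Policy script-src allowlist that excludes the miner host stops the same injection at the browser.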

——–

Title:    Researchers Fool iPhone X’s Face ID with $150 3D Printed Face
URL:    https://www.cso.com.au/article/629951/researchers-fool-iphone-x-face-id-150-3d-printed-face/
Date:   14 November 2017
Author: Liam Tung

Excerpt:
“The company hasn’t revealed exactly how it tricked Face ID but says it was possible because they understood how Apple’s Face ID artificial intelligence worked. Face ID requires the user look directly at the camera by directing the direction of the user’s gaze, and then uses neural networks for matching and anti-spoofing.”

——–

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2017.2953 – [Win][UNIX/Linux] OpenSAML2 metadata filter bypass
https://www.auscert.org.au/bulletins/55102

CVE-2017-16853: the dynamic metadata provider in OpenSAML failed to apply its configured metadata filters, so checks such as signature verification and validity-period enforcement were skipped and metadata from an untrusted source could be accepted by a major SAML library. Expect to hear more on this.

2. ESB-2017.2931 – [Cisco] Known Root Credentials Enabled After Some Upgrades
https://www.auscert.org.au/bulletins/55010

The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. Subsequent upgrades disable this flag.

3. ESB-2017.2913 – [Debian] mediawiki: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/54938

Cross-site scripting, a way to reveal whether an account exists, and a set of HTML-mangling attacks.

4. ASB-2017.0194 – [Win] Microsoft Edge: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/54822

Microsoft’s push to make Edge faster keeps producing remote code execution bugs; this bulletin flattens the latest batch.


Wishing you the best from AusCERT and hope to see you next week,
David