//Week in review - 24 Nov 2017

AusCERT Week in Review for 24th November 2017

AusCERT Week in Review
24 November 2017


Headline news this week is that security researchers discover multiple serious vulnerabilities in Intel firmware.
If your cubicle needs more decoration, OWASP have published an updated Top Ten cheatsheet.
And the Call for Proposals for AusCERT 2018 is now open.

As for more news, here’s a summary (including excerpts) of some of the
more interesting stories we’ve seen this week:


Title: Intel Chip Flaws Leave Millions of Devices Exposed
URL: https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/
Date: November 20, 2017
Author: David Paul Morris

“SECURITY RESEARCHERS HAVE raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.

[Intel] has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they’re exposed.”


Title: Four Years Later, We Have a New OWASP Top 10
URL: https://www.bleepingcomputer.com/news/security/four-years-later-we-have-a-new-owasp-top-10/
Date: November 21, 2017
Author: Catalin Cimpanu

“The OWASP has seen several iterations over the years. Versions of the OWASP Top 10 have been released in 2004, 2007, 2010, 2013, and 2017, respectively.

As in previous years, injection remained the top application security risk, but there has been some shuffling in the ranking, with the appearance of three newcomers — XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging&Monitoring.”


Title: Uber Paid Hackers to Delete Stolen Data on 57 Million People
URL: https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
Date: November 22, 2017
Author: Eric Newcomer

“Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.”


Title: IBM, Nonprofits Team Up in New Free DNS Service
URL: https://www.darkreading.com/analytics/ibm-nonprofits-team-up-in-new-free-dns-service/d/d-id/1330454
Date: November 17, 2017
Author: Kelly Jackson Higgins

“Setting up the Quad9 service entails reconfiguring the DNS setting on networked devices to When a user types an URL into his or her browser, or clicks on a website, the service checks it against IBM X-Force’s threat intelligence database, as well as nearly 20 other threat intelligence feeds including Abuse.ch, the Anti-Phishing Working Group, F-Secure, Proofpoint, and RiskIQ.”


And lastly, here are this week’s most noteworthy security bulletins:

1. ASB-2017.0203 – Apple iOS and MacOS: Root compromise – Existing account
21 November 2017

A vulnerability was addressed in iOS 11.1.2 and MacOS 10.13.1 which may have enabled arbitrary code execution with system privileges.

2. ESB-2017.2994 – libspring-ldap-java: Unauthorised access – Remote/unauthenticated

The library would, under certain circumstances, allow authentication with a correct username but an arbitrary password.

3. ESB-2017.2967 – libxml-libxml-perl: Execute arbitrary code/commands – Remote/unauthenticated
20 November 2017

Arbitrary code execution from a crafted file.

4. ESB-2017.2965 – procmail: Execute arbitrary code/commands – Remote/unauthenticated
20 November 2017

Malformed mail messages could crash the formail tool, or potentially execute arbitrary code.

Wishing all the best from AusCERT and see you next week,