//Week in review - 15 Jun 2018

AusCERT Week in Review for 15th June 2018


This week demonstrated AI’s potential to assist humanity, as it came out from this month’s Microsoft Patch Tuesday that Cortana would helpfully execute code for you even when the system was locked. All that was required was for the executable to have been indexed, and Cortana was more than happy to run it for you with elevated privileges.

The 3rd wave of speculative execution side-channels is upon us, dubbed “LazyFP”, but luckily is not quite as ubiquitous as its predecessors. Patches for some distributions have been released, so please make sure you’re up to date if a fix is available.

The EU has passed a motion that would see it phasing out the use of the AV vendor Kaspersky’s products in its institutions. They join the list of governing bodies worried about the company’s susceptibility to Russian influence. For its part, Kaspersky have been an active contributor to several anti-cyber crime initiatives, and have been a frequent collaborator with Interpol. The company has suspended any further collaboration in response.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Meltdown-Like ‘LazyFP’ Vulnerability Impacts Intel CPUs
Published: 14 Jun 2018
Author: Eduard Kovacs
Excerpt: “Intel and software vendors have started informing users about a new vulnerability involving side channel speculative execution that could be exploited by malicious actors to obtain sensitive information from the targeted system.

Dubbed LazyFP, the security hole is related to the floating point unit (FPU), also known as the math coprocessor. The FPU is used by the operating system when switching between processes – it saves the state of the current process and restores the state of the new process.”


Locked Win10 PCs can leak sensitive data via Cortana
Published: 14 Jun 2018
Author: Juha Saarinen
Excerpt: “Researchers from security vendor McAfee have demonstrated a way to use Microsoft’s personal digital assistant Cortana as an attack vector to get into locked Windows 10 PCs.”


Citation needed: Europe claims Kaspersky wares ‘confirmed as malicious’
Published: 13 Jun 2018
Author: Richard Speed
Excerpt: “The wide-ranging non-binding motion is primarily concerned with cyber defence, stating that “the EU and the Member States face an unprecedented threat in the form of politically motivated, state-sponsored cyber attacks”.”


Here are this week’s noteworthy security bulletins:

1) ESB-2018.1770 – [Linux][RedHat] kernel: Access privileged data – Existing account

Red Hat has released patches for the new LazyFP side-channel vulnerability.

2) ESB-2018.1756 – [Win][UNIX/Linux] BIND: Denial of service – Remote/unauthenticated

A regression in how BIND handles its configuration could allow recursive queries where they should be denied. This would allow the server to be used for reflective DoS attacks.

3) ESB-2018.1758 – [Win][UNIX/Linux] OpenSSL: Denial of service – Remote with user interaction

During handshake negotiation, a malicious server could send a large prime to the client, which would leave it scratching its head trying to generate a key and cause a DoS.

4) ESB-2018.1739 – [Win][UNIX/Linux][Debian] perl: Modify arbitrary files – Remote with user interaction

The Tar archiving module in perl would happily traverse the filesystem as it pleased while extracting, allowing archives to contain such files as ../etc/passwd ../../etc/passwd etc.

Stay safe, stay patched and have a good weekend!