AusCERT Week in Review for 13th July 2018

Two package compromises this week serve as a reminder that we all rely on each other’s code, which few of us have the luxury of auditing. Malicious versions of packages from ESLint, a linter for JavaScript-family languages, were published to npm and stole Node Package Manager publishing credentials from the developers who installed them.

(While I have this soapbox, linters are great and should be used for any code you write – even if that’s “only” shell scripting, try out ShellCheck!)

Microsoft Patch Tuesday also took place this week, with more vulns which could hijack Edge purely from opening a malicious page. If your users ask why they’re advised to delete spam emails, you can point them to the presence of these bugs in almost every Patch Tuesday.

In accordance with tradition, here are some interesting news articles from the week:


Patch Tuesday, July 2018 Edition
Author: Brian Krebs
Date: 10 July 2018
https://krebsonsecurity.com/2018/07/patch-tuesday-july-2018-edition/

Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat.


Postmortem for Malicious Packages Published on July 12th, 2018
Author: ESLint Project
Date: 12 July 2018
https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm.

The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.
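As an added example (not code from ESLint or AusCERT), the check below does what the postmortem implies a downstream project should do: scan a parsed package-lock.json for the two version numbers named above, and list which registries in an .npmrc carried an _authToken, since those are the tokens the malicious install would have sent away and that need rotating. The lock file and .npmrc contents are constructed sample data; the token value is a placeholder.

```javascript
// Added example (not ESLint's or AusCERT's code): a defender-side check for the
// two compromised versions named in the postmortem, plus a look at which
// registries in an .npmrc carried tokens that would have been exfiltrated.
// Lockfile and .npmrc contents below are constructed sample data.

// Versions taken from the ESLint postmortem above.
const COMPROMISED = {
  "eslint-scope": new Set(["3.7.2"]),
  "eslint-config-eslint": new Set(["5.0.2"]),
};

// Scan a parsed package-lock.json and return every compromised package found.
// Handles lockfileVersion 1 (nested "dependencies" tree, the format in use in
// 2018) and the flat "packages" map of lockfileVersion 2/3.
function findCompromised(lock, bad = COMPROMISED) {
  const hits = [];
  const record = (name, version, where) => {
    if (bad[name] && bad[name].has(version)) hits.push({ name, version, where });
  };

  // lockfileVersion 1: recurse into nested copies that npm could not deduplicate
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...trail, name];
      record(name, info.version, here.join(" > "));
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);

  // lockfileVersion 2/3: keys are node_modules paths, "" is the root project
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    record(name, info.version, path);
  }
  return hits;
}

// Return the registry keys in an .npmrc that carry an _authToken. Anything
// listed here should be treated as exposed and rotated if a compromised
// version was ever installed on the machine that owns the file.
function registriesWithTokens(npmrcText) {
  const exposed = [];
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(\/\/[^=]+?):_authToken=/);
    if (m) exposed.push(m[1]);
  }
  return exposed;
}

// Constructed sample data, not taken from any real project.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    eslint: {
      version: "5.1.0",
      dependencies: { "eslint-scope": { version: "3.7.2" } }, // the bad version
    },
    "eslint-config-eslint": { version: "5.0.1" }, // a clean version
  },
};

const sampleNpmrc = [
  "registry=https://registry.npmjs.org/",
  "//registry.npmjs.org/:_authToken=TOKEN-PLACEHOLDER", // placeholder, not a real token
  "save-exact=true",
].join("\n");

console.log("compromised packages:", findCompromised(sampleLock));
console.log("registries with tokens in .npmrc:", registriesWithTokens(sampleNpmrc));
```

Run it against a real lock file with `findCompromised(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a hit anywhere in the tree, not just at the top level, means the install script ran and every token in that user's .npmrc should be revoked.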


Malware Found in Arch Linux AUR Package Repository
Author: Catalin Cimpanu
Date: 10 July 2018
https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository

Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.
[…] No other malicious actions were observed, meaning the acroread package wasn’t harming users’ systems, but merely collecting data in preparation for… something else.


Airport security card company reveals data hack as AFP investigates
Author: ABC News
Date: 12 July 2018
http://www.abc.net.au/news/2018-07-12/afp-investigating-airport-security-card-data-hack/9981796

A company that issues Aviation Security Identity Cards (ASICs) — designed to stop organised criminals and terrorists from accessing planes and other restricted airport zones — has been hacked, leading to concerns that Australian airport security may have been compromised as a result.


Here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2018.2011 – [Appliance] Universal Robots Robot Controllers: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/65058

Industrial robots would execute arbitrary code sent to certain TCP ports.

2. ESB-2018.2021 – ALERT [UNIX/Linux][Debian] cups: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/65098

The Common UNIX Printing System patched a root compromise vulnerability.

3. ESB-2018.1984 – [Apple iOS] Apple iOS: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/64922

Multiple memory corruption and data leak issues in WebKit, used by Safari & other browsers, plus a crash when a China-region phone received the Taiwanese flag emoji.

4. ESB-2018.1756.2 – UPDATE [Win][UNIX/Linux] BIND: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/63966

A regression caused default settings in the BIND nameserver to behave incorrectly, allowing denial of service (including use of the server in DNS reflection attacks) and examination of the DNS cache.


Stay safe, stay patched and have a good weekend,
David and the team at AusCERT