Week in review - 18 Oct 2019

AusCERT Week in Review for 18th October 2019


This week we saw Oracle release its quarterly “Critical Patch Updates,
Alerts and Bulletins”. Numerous vulnerabilities and patches were reported
across its broad range of products, all of which will need to be managed.
We can expect many other vendors to release patches over the next few weeks
for products that may be built around Oracle technologies, including
databases and Java products.

Please refer to our webpage for details of upcoming events – hosted both
by AusCERT and by other industry groups:

Here’s a summary (including excerpts) of some of the more interesting
stories we’ve seen this week:

Title: Germany’s cyber-security agency recommends Firefox as most secure browser
Author: Catalin Cimpanu
Date: 17 October 2019
“Germany’s BSI tested Firefox, Chrome, IE, and Edge. Firefox was only
browser to pass all minimum requirements for mandatory security features.”

Title: Sudo? More like Su-doh: There’s a fun bug that gives restricted
sudoers root access (if your config is non-standard)
Author: Chris Williams
Date: 14 October 2019
“Linux users who are able to run commands as other users, via the sudoer
mechanism, though not as the all-powerful root user, can still run commands
as root, thanks to a fascinating coding screw-up.”

Title: MacGibbon joins local cyber security push to challenge multinationals
Author: Justin Hendry
Date: 15 October 2019
“Two of Australia’s most high-profile IT executives have joined forces
to form the nation’s largest dedicated cyber security company, a move
that directly challenges the dominance of large US-affiliated vendors in
securing key contracts with major corporates and government.”

Title: ATO phone scammers turn up at Adelaide man’s house dressed as police with eftpos machine
Author: Eugene Boisvert
Date: 16 October 2019
“Two men turned up to another man’s house with an eftpos machine demanding
money after earlier calling him pretending to be from the Australian
Taxation Office (ATO), according to SA Police.”

Title: Planting tiny spy chips in hardware can cost as little as $200
Author: Andy Greenberg
Date: 13 October 2019
“Proof-of-concept shows how easy it may be to hide malicious chips inside
IT equipment.”

Here are some of this week’s noteworthy security bulletins (in no particular

ESB-2019.3826 – [UNIX/Linux][Ubuntu] sudo: Root compromise – Existing account
– See article above for discussion of issue.

ASB-2019.0294 – [Win][UNIX/Linux] Oracle Java SE: Multiple vulnerabilities
– One of the outputs from Oracle’s CPU this week.

ESB-2019.3835 – [SUSE] linux kernel: Multiple vulnerabilities
– Another root compromise vulnerability.

ESB-2019.3881 – [Cisco] Cisco Identity Services Engine: Multiple
– Cisco had a big week too, reporting vulnerabilities and patches; this is
one of those.

ESB-2019.3861 – [Win][Mac] Acrobat and Reader: Multiple vulnerabilities
– 68 CVEs reported!

Stay safe, stay patched and have a great weekend,