Category Archives: Security Updates

Android's March 2018 Patches Fix Critical and High-Severity Flaws

Google has released its March 2018 security updates for Android to address several critical and high-severity vulnerabilities in the popular mobile operating system. The majority of the critical vulnerabilities addressed this month could allow an attacker to execute code remotely on affected devices. Affected components include the media framework, system, kernel, Nvidia, and Qualcomm components.

A total of sixteen vulnerabilities were addressed as part of the 2018-03-01 security patch level: eight rated critical severity and eight rated high risk. The most serious of these vulnerabilities could allow a remote attacker using a specially crafted file to run arbitrary code with high privileges. Four of the critical flaws (three remote code execution bugs and one elevation of privilege issue) and two high-risk flaws were addressed in the media framework. The remaining four critical vulnerabilities and six high-risk issues were resolved in system.

The 2018-03-05 security patch level addressed 21 vulnerabilities, only three of which were rated critical severity. All of the remaining flaws were rated high risk, Google notes in an advisory. The bugs affect kernel components (two elevation of privilege and four information disclosure high-risk issues), NVIDIA components (two high-risk elevation of privilege bugs), Qualcomm components (two critical remote code execution vulnerabilities and nine high-risk vulnerabilities: six elevation of privilege, two information disclosure, and one denial of service), and Qualcomm closed-source components (one critical and one high risk).

Google also addressed more than forty vulnerabilities affecting its Pixel / Nexus devices this month, most of them rated moderate severity. A moderate-risk elevation of privilege issue was fixed in framework, two high-severity denial of service flaws were resolved in Media framework, and two elevation of privilege and two information disclosure vulnerabilities were patched in system, all four moderate risk. Google also addressed one high-risk information disclosure and five moderate elevation of privilege issues in kernel components, three moderate information disclosure flaws in Nvidia components, and eighteen elevation of privilege and nine information disclosure issues in Qualcomm components (all moderate severity).

Pixel 2 and Pixel 2 XL devices also received patches for various functional issues that were not related to the security of these devices. Instead, they improved screen wake performance with fingerprint unlock, audio performance when recording video, and crash reporting.

Fifty Flaws Patched in Windows, Office, and Browsers By Microsoft

Microsoft patched fifty vulnerabilities in Windows, Office and the company’s web browsers. The company released the fixes on Tuesday as its February 2018 updates, and the list does not appear to include any zero-day vulnerabilities.

Fourteen of the security flaws have been rated critical, including an information disclosure vulnerability in Edge, a memory corruption in Outlook, a remote code execution flaw in Windows’ StructuredQuery component, and various memory corruptions in the scripting engines used by Edge and Internet Explorer. One flaw, CVE-2018-0771, was publicly disclosed before Microsoft released fixes. The issue is a Same-Origin Policy (SOP) bypass that exists as a result of the way Edge handles requests of different origins.

“An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted,” Microsoft said. The company believes it’s unlikely that this flaw, which it has rated “important,” will be exploited in attacks.

Two of the most interesting flaws fixed this month are Outlook vulnerabilities discovered by Microsoft’s own Nicolas Joly. One of the vulnerabilities, CVE-2018-0852, can be exploited to execute arbitrary code in the context of a user’s session by getting the target to open a specially crafted file with an affected version of Outlook.

“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” explained Dustin Childs of the Zero Day Initiative (ZDI). “The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”

The other Outlook flaw identified by Joly is a privilege escalation issue (CVE-2018-0850) that can be leveraged to force Outlook to load a local or remote message store. The vulnerability can be exploited by sending a specially crafted email to an Outlook user.

“The email would need to be fashioned in a manner that forces Outlook to load a message store over SMB. Outlook attempts to open the pre-configured message on receipt of the email. You read that right – not viewing, not previewing, but upon receipt. That means there’s a potential for an attacker to exploit this merely by sending an email,” Childs said, pointing out that such a vulnerability would have earned Joly a prize in ZDI’s Pwn2Own competition.

Microsoft’s updates fix a total of thirty-four important and two moderate severity flaws. Earlier this month, Microsoft updated the Adobe Flash Player components used by its products to address two flaws, including a zero-day believed to have been exploited by North Korean threat actors. Adobe on Tuesday released updates for its Acrobat, Reader and Experience Manager products to address forty-one security flaws.

Intel Releases New Spectre Fixes for Skylake Processors

Intel has released new microcode updates that should help address one of the Spectre vulnerabilities after the initial round of fixes caused significant problems for many customers. The company has so far released new firmware updates only for its Skylake processors. However, it expects updates to become available for other platforms as well in the future. Customers and partners have been provided with beta updates to ensure that they can be extensively tested before being moved into production.

The chipmaker began releasing microcode fixes for the Spectre and Meltdown vulnerabilities shortly after researchers disclosed the attack methods. However, the company was forced to suspend updates because of frequent reboots and other unpredictable system behavior. Microsoft and other vendors also disabled mitigations or stopped offering firmware updates because of Intel’s buggy patches. The company says it has identified the root of a problem that caused systems to reboot more often after the fixes were installed.

Intel initially said only systems running Broadwell and Haswell CPUs experienced more frequent reboots, but similar behavior was later observed on Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms. The issue appears to be related to the patch for CVE-2017-5715, one of the flaws that allows Spectre attacks, specifically Spectre Variant 2. Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Intel and AMD announced recently that they are working on processors that will have built-in protections against exploits like Spectre and Meltdown. Meanwhile, Intel has urged customers to always install updates as soon as they become available. On the other hand, many users might decide to take a risk and not immediately apply patches in order to avoid potential problems like the ones introduced by the initial round of Spectre and Meltdown fixes.

Intel has acknowledged that researchers or malicious actors will likely find new variants of the Spectre and Meltdown attacks. Security firms have already spotted more than a hundred malware samples exploiting the Spectre and Meltdown vulnerabilities. While a majority appeared to be in the testing phase, we could soon start seeing attacks in the wild, particularly since the samples analyzed by experts are designed to work on major operating systems and browsers.

Cisco Again Patches Critical Firewall Flaw Allowing VPN Hacks

Cisco has again patched a critical vulnerability affecting some of its enterprise security appliances after identifying new attack vectors and additional affected features, and determining that the original fix had been incomplete. The networking giant informed customers last month, in January, that its Adaptive Security Appliance (ASA) software is affected by a critical flaw that can be exploited by a remote and unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition.

The vulnerability, tracked as CVE-2018-0101, affects several products running ASA software, including Firepower firewalls, 3000 series industrial security appliances, ASA 5000 and 5500 series appliances, 1000V cloud firewalls, ASA service modules for routers and switches, and Firepower Threat Defense (FTD) software. Cedric Halbronn, the NCC Group researcher who reported the bug to Cisco, revealed the details of the security flaw at a conference held on February 2.

“When exploited, this vulnerability known as CVE-2018-0101 allows the attacker to see all of the data passing through the system and provides them with administrative privileges, enabling them to remotely gain access to the network behind it,” NCC Group said in a blog post. “Targeting the vulnerability without a specially-crafted exploit would cause the firewall to crash and would potentially disrupt the connectivity to the network.”

Cisco initially told customers that the vulnerability is related to the webvpn feature, but further analysis revealed additional attack vectors and affected features. In an updated advisory published on Monday, the company said the bug affects more than a dozen features, including Adaptive Security Device Manager (ASDM), AnyConnect IKEv2 Remote Access and SSL VPN, Cisco Security Manager, Clientless SSL VPN, Cut-Through Proxy, Local Certificate Authority, Mobile Device Manager Proxy, Mobile User Security, Proxy Bypass, the REST API, and Security Assertion Markup Language (SAML) Single Sign-on (SSO).

A specific configuration for each of these features introduces the vulnerability, but some of the configurations are apparently common for the affected firewalls. Cisco has now released a new set of patches after determining that the initial fixes were vulnerable to additional DoS attacks.

“While Cisco PSIRT is not aware of any malicious use of this vulnerability, Cisco highly recommends all customers upgrade to a fixed software version,” said Omar Santos, principal engineer in the Cisco Product Security Incident Response Team (PSIRT). “This proactive patching is especially important for those customers whose devices and configurations include potential exposure through the expanded attack surface.”

Cato Networks reported that there are approximately 120,000 ASA devices with the webvpn feature enabled that are accessible from the Internet. Moreover, some system administrators have complained about the availability of patches and the time it takes to apply them. Colin Edwards, a system administrator, published a blog post suggesting that Cisco may have started patching the vulnerability eighty days before issuing a security advisory to inform customers.

“I can understand some of the challenges that Cisco and their peers are up against. But even with that, I’m not sure that customers should be willing to accept that an advisory like this can be withheld for eighty days after some fixes are already available,” Edwards said. “Eighty days is a long time, and it’s a particularly long time for a vulnerability with a CVSS Score of 10 that affects devices that are usually directly connected to the internet.”

Santos said the company published the advisory shortly after learning that there had been public knowledge of the vulnerability.

Seagate Patches Flaws in Personal Cloud, GoFlex Products

Seagate recently patched several vulnerabilities disclosed by researchers in the company’s Personal Cloud and GoFlex products, but certain flaws affecting the latter remain unpatched.

GoFlex Home Vulnerabilities

A researcher named Aditya K. Sood discovered vulnerabilities last year in September that can be exploited for cross-site scripting (XSS) and man-in-the-middle (MitM) attacks in Seagate’s GoFlex Home network-attached storage (NAS) product. GoFlex users are provided with a web service, which is accessible at, and lets them remotely manage the product and upload files to the cloud. The service can be accessed using the name of the device, a username, and a password. An HTTP server present in the GoFlex firmware requires port forwarding on the user’s router in order to connect to the web service.

The researcher further discovered that the embedded server still supports SSLv2 and SSLv3, and the service supports SSLv3. SSLv2 and SSLv3 are obsolete protocols that are known to be vulnerable to MitM attacks, including via the methods known as DROWN and POODLE. The researcher has identified more than 50,000 Seagate devices “hosted on unique IP addresses” that have SSLv2 and SSLv3 enabled. The researcher also noted that the unique name (device_id) of each device is not difficult to find. During the tests he conducted, the expert managed to collect more than 17,000 unique device IDs.

The researcher identified an additional security hole, an XSS affecting the website. An attacker could have exploited this vulnerability to execute malicious code in the context of a user’s browsing session by getting the victim to click on a specially crafted link. While Seagate has patched the XSS vulnerability, the company told the researcher it does not plan on addressing the issue related to the use of SSLv2 and SSLv3. The researcher published further technical details about the vulnerabilities on his personal blog this Monday.

Personal Cloud Vulnerabilities

Yorick Koster, a researcher from Securify, also recently disclosed some vulnerabilities he discovered in Seagate products. Specifically, he found that Personal Cloud NAS devices are affected by command injection and file deletion flaws. The security holes affect the Seagate Media Server application, which allows users to easily access their photos, music and movies. The app can be accessed without authentication, and unauthenticated users can upload files using a Public folder.

The command injection vulnerabilities, tracked as CVE-2018-5347, allow an unauthenticated attacker to run arbitrary commands with root privileges. The security holes can be exploited remotely via cross-site request forgery (CSRF) attacks even if a device is not directly connected to the Internet. The researcher also discovered that the Media Server app is affected by a vulnerability that allows an unauthenticated attacker to delete arbitrary files and folders from the NAS device. As CSRF protections are missing, this flaw can also be exploited remotely by getting the targeted user to access a specially crafted website.

The vulnerabilities found by the researcher were patched by Seagate last year in December with the release of firmware version. Separate advisories describing the command injection and file deletion flaws, including proof-of-concept (PoC) code, were published earlier this month.

Oracle Patches Vulnerabilities Across Numerous Products

The January 2018 Oracle Critical Patch Update (CPU) patches about 237 new security vulnerabilities across hundreds of Oracle products, including the company’s widely used Oracle Database Server and Java SE.

The CPU includes patches for the Java Virtual Machine and four other vulnerable components within the Oracle Database Server, the most critical of which carries a CVSS Base Score of 9.1 out of 10; three of the flaws may be exploited remotely without credentials. It also includes new security patches for 21 vulnerabilities in multiple versions of Java SE, 18 of which are remotely exploitable without authentication. The most critical of the vulnerabilities in Java SE has a CVSS Base Score of 8.3. The CPU contains patches for flaws in Java SE versions 6 through 9. The two deserialization vulnerabilities identified in the Java platform by Waratek are fixed in the January 2018 CPU. The total number of vulnerabilities fixed in the Java platform has doubled since January 2016.

“The velocity and volume of Java software flaws continues to trend in the wrong direction,” said John Matthew Holt, CTO of Waratek. “One research report shows that 86% of the most severe patches require 30 days or more to apply, while another concludes that the average time to apply a patch is 90 days or longer. In either event, that is an unacceptably long period of time given that attacks often commence within hours of the announcement of a new vulnerability.”

“The January 2018 CPU is released into an environment where virtually every enterprise is working to deploy the patches released for the Spectre and Meltdown chip vulnerabilities on top of the routine patches that must be routinely applied,” added Holt.

Analysis Performed

There is some good news in the January CPU: the total number of bugs fixed in the update is down from the high of July 2017. However, the number of Java flaws being found and patched is flat quarter-over-quarter and has doubled since January 2016. Equally troubling, the number of Java SE flaws that can be remotely exploited without credentials remains in the double digits after years of single-digit risk.

Java deserialization vulnerabilities also continue to be a key part of the January 2018 CPU. Waratek researched the JRE codebase and has identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication.

Recommended Actions

Apply the appropriate binary CPU as quickly as possible, as more than eighty-five percent of the CVEs affecting Java users addressed in the January 2018 CPU can be remotely exploited without credentials. Applying the physical CPU from Oracle requires binary changes, which increases the risk of incompatibilities and unexpected functionality failures. Organizations are therefore advised to apply the CPU in QA and UAT environments before deploying it into production.

Meltdown Updates Broke Several Ubuntu Systems

Canonical was forced to release a second round of Ubuntu updates addressing the recently disclosed CPU vulnerabilities after some users complained that their systems no longer booted after installing the initial fixes. On January 9, Canonical released Ubuntu updates designed to mitigate Spectre and Meltdown, two recently disclosed attack methods that work against processors from Intel, AMD, ARM, Qualcomm and IBM. The Linux kernel updates mitigate the vulnerabilities that allow the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) attacks.

Shortly after the kernel was updated to version 4.4.0-108, some Ubuntu users started complaining that their systems were unable to boot. Restoring the system to the previous version apparently resolved the problem. The updates Microsoft released in response to the CPU flaws also caused problems, but only for users with older AMD processors. The company has decided to deliver no more updates to AMD devices until the compatibility issues are resolved. In the case of Ubuntu, however, the update has affected users with Intel processors.

Canonical has confirmed that the patch for the Meltdown vulnerability introduced a regression that prevented systems from booting successfully. The issue has been addressed with the release of new updates that deliver version of the kernel. Affected users have confirmed that their systems boot successfully after updating to 4.4.0-109. While it’s unclear how many devices have been affected, Canonical’s advisories mention “a few systems.”

Affected technology firms announced the availability of patches and workarounds for the Spectre and Meltdown vulnerabilities shortly after the flaws were disclosed by researchers. The latest companies to release mitigations are IBM, whose POWER processors and Power Systems servers are affected, and NVIDIA, which released updates for GPU display drivers and other products to help mitigate the CPU issues.

Meltdown and Spectre allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive data. Fixes for the underlying vulnerabilities may introduce significant performance penalties.


SAP Releases Security Patch Day Fixes for January 2018

SAP released its monthly set of security patches this week to address just three vulnerabilities in its products, all of them rated medium severity.

In addition to the three security notes, the January 2018 SAP Security Patch Day includes four updates to previously released security notes. These too had a Medium severity rating, the company said.

The most severe of the patches were updates to a security note released in October 2014, which addressed a code injection bug in Knowledge Provider. The issue is tracked as CVE-2018-2363 and has a CVSS score of 6.5.

“Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, change and delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, or escalate privileges by executing malicious code or even perform a DOS attack,” ERPScan, a company that specializes in securing SAP and Oracle products, explains.

SAP also released an update to a security note published in December 2017, addressing CVE-2017-16690, a DLL preload attack possible on NwSapSetup and the installation self-extracting program for SAP Plant Connectivity (CVSS score 5.0). Newly resolved issues include CVE-2018-2361, an Improper Role Authorizations in SAP Solution Manager 7.2 (CVSS score 6.3), CVE-2018-2360, Missing Authentication check in Startup Service (CVSS score 5.8), and CVE-2018-2362, Information Disclosure in Startup Service in SAP HANA (CVSS score 5.3).

By exploiting CVE-2018-2360, an attacker could access a service “without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks,” ERPScan reveals. CVE-2018-2361’s exploitation could provide an attacker with the possibility to edit all tables on the server, which could result in data compromise, the company continues.

ERPScan, which counts the code injection security note updates as a single fix, says that 10 SAP Security Notes (5 SAP Security Patch Day Notes and 5 Support Package Notes) were closed with the January 2018 SAP Security Patch Day. 3 were updates to earlier security notes and 5 were released after the second Tuesday of the previous month and before the second Tuesday of the current month.

Microsoft Security Updates Fix Zero-Day Vulnerability in MS Office

Microsoft released updates addressing more than fifty vulnerabilities on Tuesday, including a zero-day vulnerability in Office related to an Equation Editor flaw that has been exploited by several threat groups in the past few months. Microsoft describes the zero-day, tracked as CVE-2018-0802, as a memory corruption issue that can be exploited for remote code execution by getting targeted users to open a specially crafted file via Office or WordPad.

Microsoft has credited several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security’s 0Patch Team, and experts from Check Point Software Technologies for finding the flaw. The security hole is related to CVE-2017-11882, a 17-year-old vulnerability in the Equation Editor (EQNEDT32.EXE), which the vendor addressed with the November 2017 Patch Tuesday updates. Based on how the patch was developed, experts believe Microsoft may have lost the application’s source code, which forced it to somehow patch the executable file directly.

Microsoft replaced the Equation Editor component in Office 2007, but kept the old one as well for compatibility reasons. The problematic component has now been removed from Office. 0Patch researchers have been analyzing CVE-2017-11882, which has likely led them to discover a new, related vulnerability. Check Point has published a blog post with the details of CVE-2018-0802 and showed how an exploit works, but they have not mentioned any attacks.

This suggests that the Chinese researchers may have been the ones who spotted the vulnerability being exploited in attacks. This would not be the first time that the experts at Qihoo 360 observed the exploitation of an MS Office zero-day. Back in October, after Microsoft released a patch, they reported seeing CVE-2017-11826 being leveraged to deliver malware. If CVE-2018-0802 is related to CVE-2017-11882, there is a long list of threat actors who may be exploiting it. CVE-2017-11882 has been exploited by Iranian cyberspies, the Cobalt hacking group, and someone who uses TelegramRAT.

The updates Microsoft released also address a spoofing vulnerability in MS Office for Mac that has already been publicly disclosed. Sixteen of the flaws fixed this month have been rated critical, a majority affecting the scripting engine used by the Edge and Internet Explorer web browsers. Microsoft has also rated critical a Word vulnerability (CVE-2018-0797) that can be exploited for remote code execution using specially crafted RTF files. Adobe’s updates for this month patch only one information disclosure vulnerability in Flash Player.

Apple Releases Spectre Security Update To Protect Safari, WebKit

Apple released security updates on Monday for iOS, macOS and Safari that should mitigate the effects of the vulnerabilities exploited by the recently disclosed attack method named Spectre.

Apple informed customers that iOS 11.2.2 and macOS High Sierra 10.13.2 Supplemental Update include security improvements for Safari and WebKit. The Safari improvements are also included in version 11.0.2 of Apple’s web browser. The latest updates address the Spectre vulnerabilities, specifically CVE-2017-5753 and CVE-2017-5715. Mitigations for the Meltdown attack were rolled out by Apple, before the flaws were disclosed, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Apple Watch is not vulnerable to either of the attack methods.

Analysis conducted by Apple showed that the Spectre vulnerabilities “are extremely difficult to exploit,” even by a local app running on iOS or macOS, but the company warned that remote exploitation via JavaScript running in the browser is possible.

“Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark,” Apple said last week.

Apple believes the Meltdown technique, which relies on a vulnerability tracked as CVE-2017-5754, has the most potential for exploitation. Malicious actors can use Meltdown and Spectre to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information.

The attacks work against devices with Intel, AMD and ARM processors. Intel has been hit the hardest, while AMD claims the risk of attacks is low and ARM found that only ten of its CPUs are affected. Patches and workarounds have already been released by many major vendors, but they can introduce significant performance penalties, and Microsoft’s updates may also break Windows and various apps.