Roundup It wasn’t just fake CIA agents, database mega-hacks and Bing flings in the security world last week. Here are a few tidbits beyond what you’ve read in El Reg, among them a seven-day vuln and the scummy BlackSquid.
Exim bug resurfaces with improbable exploit
Are you running the latest version (4.9.2) of Exim on your Linux box? If so, you can go ahead and skip down to the next item, because you’re already clear of danger.
Everyone else may want to consider updating, because older versions of the Linux mail server have been found to contain a command execution vulnerability that has now been confirmed to be remotely exploitable.
The bug, initially thought only to be locally exploitable, was first addressed in February of this year when the latest Exim build was released. At the time, it was not considered to be a major security issue, but rather a minor bug that wouldn’t need to be addressed in older versions.
Fast-forward to May 25, when a team at Qualys discovered a way to remotely exploit the bug to execute commands. This necessitated a patch from Exim that was slated to arrive on June 11, but had to be moved up to the 5th after the issue was made public.
Fortunately, there is little actual danger of exploit at this moment, thanks to the complicated nature of the attack. Actually exploiting the vulnerability would take around seven days of continuous connection to the attack server. Still, it would be a good idea to update your software sooner than later.
Firefox smacks down trackers
Mozilla is continuing the campaign to paint itself as the good guy of the browser world by emphasizing privacy protections. This time, it is a new rule in Firefox that blocks third-party web trackers by default.
While it won’t make advertisers or marketing heads happy, the new setting will appeal to users tired of having their comings and goings monitored by sketchy sites and ad agencies. Mozilla is also going out of its way to assure users the new feature won’t break their favorite sites.
“Because we are modifying the fundamental way in which cookies and browser storage operate, we’ve been very rigorous in our testing and roll-out plans to ensure our users are not experiencing unforeseen usability issues,” said Mozilla’s Peter Dolanjski.
“If you’re already using Firefox and can’t wait, you can turn this feature on by clicking on the menu icon marked by three horizontal lines at the top right of your browser, then Content Blocking.”
Sandbox Escaper strikes again with Edge EoP disclosure
Bug-hunter SandboxEscaper has once again lived up to their moniker by disclosing an exploit that lets users break account protections via a race condition in Edge. The researcher has posted details and a video PoC showing how the flaw can be used to allow an unprivileged user to get admin privileges.
Apple loosens MDM rules for parental control
The notorious control freak Apple has decided to ease up a bit on the restrictions it placed around mobile device management (MDM) tools. In this case, the Cupertino iPhone maker is allowing some parental control tools to once again use its MDM APIs, provided they agree to strict privacy protections − something that had previously caused Apple to block several parental control tools it had deemed were posing a privacy risk to kids.
Citrix gets sued in fallout from employee data leak
Enterprise software house Citrix is the defendant in a class-action complaint accusing it of mishandling the sensitive data of its employees.
Their details were among the 6TB of data apparently pilfered by Iranian hackers. The complaint, filed on behalf of all employees whose data was included in the leak, seeks a jury trial to determine damages, but more likely will be dismissed or settled long before that happens.
Android malware did slip into a phone factory after all
Back in 2017, researchers found that a handful of Android phones appeared to be shipping with a piece of adware already installed. This week, that was confirmed when Google admitted hackers had managed to get the malware into the firmware at the factory level. Fortunately, the phones in question (Leagoo M5/M8 and Nomu S10/S20) weren’t particularly popular, so the outbreak wasn’t catastrophic.
Yet another RDP attack surfaces
No, you’re not having déjà vu and we aren’t just getting around to BlueKeep. This week an entirely new issue in Windows Remote Desktop was disclosed, when Joe Tammariello of SEI showed that an attacker could circumvent a locked RDP session by interrupting and resuming the network connection, thus forcing the session to be unlocked.
Microsoft, however, says this is not a bug, but rather its networking protocols working as designed:
“After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA). Network Level Authentication requires user creds to allow connection to proceed in the earliest phase of connection. Those same creds are used logging the user into a session (or reconnecting). As long as it is connected, the client will cache the credentials used for connecting and reuse them when it needs to auto-reconnect (so it can bypass NLA).”
To prevent this trick, Microsoft recommends disconnecting RDP sessions when finished, rather than just locking them down.
BlackSquid attack darkens the waters of cryptocoin mining
A particularly nasty strain of coin-mining malware caught the eye of Trend Micro this week.
Dubbed BlackSquid, the infection uses a whopping eight different bug exploits and also employs a litany of evasion techniques to help it avoid detection by antivirus tools. This, the researchers said, allows the malware to run longer and thus generate more digital funbux for the attackers. ®
>> Source Link