9 Feb 2018

Week in review

AUSCERT Week in Review for 9th February 2018

Greetings,

The revolving door of information security continues, as Flash receives a patch for the 0day reported last week, while WordPress breaks auto-updating.

Cisco has observed attacks against its Adaptive Security Appliance in the wild, and released a follow up patch for the RCE – noting that the first release didn’t entirely fix the problem.

In non-security news, SpaceX has launched the 4th electric car to be sent into space (See: LRV-001 through 003). While they didn’t medal, their competition had a 44 year head start, so it remains impressive never the less.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Hackers Pounce on Cisco ASA Flaw (CVE-2018-0101)
Date Published: 08/02/2018
Author: Catalin Cimpanu
Excerpt: “Five days after details about a vulnerability in Cisco ASA software became public, hackers have now started exploiting this bug in the wild against Cisco ASA devices.”

—–

Title: WordPress Holds “Epic Fail Week” – Devs Break Background Updates, Ignore Zero-Day
Date Published: 08/02/2018
Author: Catalin Cimpanu
Excerpt: “A basic maintenance version released on Monday – WordPress 4.9.3 – a release meant to fix basic bugs caused huge problems for WordPress site owners by breaking the automatic update mechanism that upgrades WordPress sites in the background, without user interaction.”

—–

Title: How Long is Long Enough? Minimum Password Lengths by the World’s Top Sites
Date Published: 06/02/2018
Author: Troy Hunt
Excerpt: “I’ve been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security – a paradigm that every single person with an online account understands – yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won’t let you paste a password. Some force you to regularly rotate it. It’s all over the place.”

—–

Title: Chrome will mark all HTTP sites ‘not secure’ from July
Date Published: 09/02/2018
Author: IT News
Excerpt: “The company is on a long-term drive to stamp out unencrypted web connections, having begun to demote unencrypted sites in search results in 2015. Last year it started labelling HTTP login pages and credit card forms as ‘not secure’.”

—–

Title: Cybersecurity job fatigue affects many security professionals
Date Published: 06/02/2018
Author: Jon Oltsik
Excerpt: “No one is talking about it, but I believe cybersecurity job fatigue is a real, growing, and troubling problem, exacerbated by the global cybersecurity skills shortage and the increasingly dangerous threat landscape. To address this, CISOs must assess the state of mind of key staff members, create work schedules to rotate personnel off the front lines, and provide the right levels of support, stress relief programs, and career counselling.”

Here are this week’s noteworthy security bulletins:

1) ESB-2018.0326.2 – UPDATED ALERT [Win][Linux][Mac] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction

Flash 28.0.0.161 fixes last week’s 0day.

2) ESB-2018.0284.4 – UPDATE [Cisco] Cisco Adaptive Security Appliance: Execute arbitrary code/commands – Remote/unauthenticated

Cisco has released a follow up patch for the ASA RCE, as the first was insufficient.

3) ASB-2018.0041 – [Win][UNIX/Linux] WordPress: Reduced security – Existing account

WordPress’ auto-update may have just broken auto-update if it has auto-updated itself to 4.9.3. Manually update to 4.9.4 to remedy the issue.

4) ESB-2018.0404 – [Appliance] Kaspersky Secure Mail Gateway: Multiple vulnerabilities

Kaspersky has patched several vulnerabilities in its Secure Mail Gateway.

Stay safe, stay patched and have a good weekend!

Tim