Security Flaws & Fixes - W/E - 022616
Antiquated Systems, Lack of Security Left SC Medicaid Agency Highly Vulnerable (02/25/2016)
The state of South Carolina did not safeguard Medicaid Management Information System (MMIS) data and supporting systems in accordance with federal requirements, a new report from the Department of Health and Human Services (HHS)' Office of Inspector General claims. Specifically, the state had not implemented an adequate risk management process that included contractor oversight, established a security plan for the MMIS, implemented media protection for laptop computers, met federal requirements for the security of software and data, adequately addressed vulnerabilities on network devices or Web sites, or implemented adequate security awareness and role-based training programs. These weak security measures left about one million South Carolina residents vulnerable to cyber attacks. The report stated, "The weaknesses were collectively and, in some cases, individually significant and could have compromised the integrity of the state's Medicaid program."
Apple Ramping Up Security Research Despite Government Opposition (02/25/2016)
As Apple and the US Department of Justice continue to harden their respective stances over encryption, reports say that the iPhone maker is moving ahead to develop even stronger security features for its devices. Although Apple is continually researching ways to make its products safer and more secure, The New York Timesreports that the company is now looking into ways to make it even more difficult for government authorities to access a device's information. The controversy comes in the wake of a court order compelling Apple to develop a way into an iPhone used by one of the killers in a San Bernardino, CA, mass shooting in December. While Apple has until the end of this week to officially respond to the mandate, CEO Tim Cook has already said the company will not comply. "We are standing up for our customers because protecting them we view as our job," Cook told ABC News.
ASUS Home Router Users Warned of Security Risks (02/25/2016)
The Federal Trade Commission (FTC) is advising consumers who have Asus wireless home routers to take precautions to ensure that the devices have been secured. Key flaws in the routers left home networks widely exposed to attackers and it is recommended that the most recent updates be applied to protect the devices from hacks.
Baidu Browser Spews User Data, Lacks Basic Security (02/25/2016)
The Baidu browser, a free Web browser for Windows and Android, leaks data to its servers without encryption and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks. Citizen Lab has identified security concerns in both the Windows and Android versions of the browser that may expose personal user data, including a user's geolocation, hardware identifiers, nearby wireless networks, Web browsing data, and search terms. Such user data is transmitted unencrypted or can be easily decrypted. In addition, neither version of the application secures its software update process with a digital signature, enabling a malicious in-path actor the ability to cause the browser to download and execute arbitrary code.
Chrome Receives Update from Google (02/25/2016)
Google released version 48.0.2564.116 of Chrome for Windows, Mac, and Linux. The update fixes various security issues and vulnerabilities.
Criminals Attack the Security Measures in Microsoft EMET (02/25/2016)
Bromium Labs scientists uncovered methods to bypass the security techniques in Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a free downloadable tool that protects computer endpoints. The researchers notified Microsoft that attackers could circumvent the security processes in EMET by employing malicious code. Microsoft has addressed these issues in EMET 5.5.
Drupal Rectifies Vulnerabilities with New Versions (02/25/2016)
Drupal's latest security advisory addresses several critical vulnerabilities that, if exploited, could give attackers the capability to gain control of the affected system. Updates include Drupal core 6.38, Drupal core 7.43, and Drupal core 8.0.4.
Flexera Software Patches Remote Code Execution Vulnerability (02/25/2016)
Researchers at Securifera posted an advisory in regards to a vulnerability that was found in Flexera Software's FlexNet Publisher (License Manager). The impact, if exploited, is a remote code execution which can lead to a disruption of service. Secuifera first contacted Flexera in October and a patch was released the following month.
Multiple AMX Products Plagued by Credential Management Vulnerabilities (02/25/2016)
An advisory from the ICS-CERT alerts users that multiple Harman AMX multimedia devices have credential management vulnerabilities. AMX has produced patches and new product versions to mitigate one of the vulnerabilities in the affected products and is working to release new product versions to mitigate the remaining credential management vulnerability.
Nissan's Electric Car Vulnerable to Hacks Via the Web (02/25/2016)
Security researcher Troy Hunt has learned from a scientist in Norway that Nissan's LEAF electric car can be hacked over the Internet giving criminals the ability to abuse and control victims' vehicles. It has been determined that Nissan uses application programming interfaces (APIs) so that owners can control their cars' features, but these APIs are vulnerable. If a hacker knows the vehicle identification number, an URL can be created to access information about the car and then execute commands.
Scripting Flaw Patch for eBay Ineffective as Criminals Continue to Exploit Auctions (02/25/2016)
A bug in the eBay auction platform that was first identified by Check Point Software for enabling attackers to push scams to unsuspecting victims was patched by eBay, but the researchers at Netcraft say it is only a partial fix. After first being notified by the bug, eBay declined to issue a patch, but after receiving backlash from the security community, it went ahead and released a fix to prevent exploitation of the flaws. However, Netcraft researchers have noticed instances where criminals are including malicious JavaScript in eBay listing descriptions and when a person visits the auction, he or she is automatically redirected to a phishing site.
Twitter Fixes Data Leakage Bug (02/25/2016)
Twitter patched a bug that exposed the email addresses and phone numbers associated with about 10,000 user accounts, the social media site said on February 17. Only users who were affected by the vulnerability were contacted by Twitter.
VESP211 Serial Servers Vulnerable to Authentication Bypass (02/25/2016)
Security researcher Maxim Rupp has identified an authentication bypass vulnerability in B+B SmartWorx's VESP211 serial servers. The affected products are an interface for connecting serial devices to an Ethernet network. According to an ICS-CERT advisory, B+B SmartWorx has produced an implementation plan to mitigate this vulnerability.