Security Flaws & Fixes - W/E - 032516
Apple Posts Updates for Multiple Products (03/24/2016)
Apple has released a batch of updates for various products including iOS, watchOS, tvOS, Xcode, OS X El Capitan, OS X Server, and Safari. These updates fix multiple vulnerabilities that have been identified in the products.
Apple Produces Patch after Researchers Penetrate iMessage Encryption (03/24/2016)
Researchers at Johns Hopkins University told The Washington Post that they have uncovered a vulnerability in Apple's encryption that could enable an attacker to decrypt photos and videos that were sent as iMessages. Matthew D. Green, a professor at the university and the head of the research team, found the bug while studying iMessage's encryption process, which he described as weak. He notified Apple but the flaw wasn't patched. Green's students were able to create an exploit that penetrated the encryption process by querying Apple's iCloud server to obtain the encryption key one character at a time until they recovered the entire key. Apple finally patched the bug in its latest version of iOS, which is 9.3.
Bug Affecting Multiple CCTV Systems Could Give Attackers Root Access (03/24/2016)
Security researcher Rotem Kerner has found a remote code execution bug in various closed circuit TV (CCTV) systems that could enable criminals to compromise the DVR boxes used by those systems. Kerner decided to analyze the CCTV systems after studying a 2014 report on the BackOff point-of-sale Trojan and found that all of the hacked devices from that publication used an HTTP server identified as "Cross Web Server." A Chinese company manufactured the systems, which are currently sold by 70 different DVR vendors, and Kerner discovered that the DVRs can all be rooted. Since many of the devices are Internet-accessible, an attacker could create an exploit to abuse the vulnerability and gain access to the CCTV system.
Cisco Advises on Multiple Vulnerabilities Across Its Product Line (03/24/2016)
Cisco has released multiple advisories to address various vulnerabilities within its products. Some of these vulnerabilities, if exploited, could enable an attacker to gain control over the affected system.
Drivers Should Be Vigilant of Possible Motor Vehicle Computer Hacking (03/24/2016)
An alert has been posted by the Internet Crime Complaint Center (IC3) to warn consumers that motor vehicles can be exploited through wireless communication vulnerabilities. The alert is based upon research that was conducted by scientists at IOActive in July 2015 which found that hackers could obtain unauthorized access to vehicle systems for the purposes of retrieving driver data or manipulating vehicle functionality, and potentially gaining control of the vehicle.
Oracle Quickly Patches Zero-Day Hole in Java (03/24/2016)
Oracle pushed out an emergency patch for Java SE to plug a zero-day bug that can be exploited over a network without the need for a username and password. The vulnerability, which is easily exploitable, affects Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X. Due to the severity of this vulnerability and the public disclosure of technical details, Oracle strongly recommends that customers apply the updates provided by this security alert as soon as possible.
Siemens Offers Mitigation Info for APOGEE Insight Software (03/24/2016)
The ICS-CERT posted an advisory after Siemens identified an incorrect file permissions vulnerability in APOGEE Insight software, which provides a graphical interface to manage and control buildings. Siemens is working on a new APOGEE Insight version to resolve the vulnerability, and ICS-CERT will update this advisory as soon as new information becomes available. Siemens has provided detailed instructions on how to mitigate the vulnerability by correcting file permissions.
Symantec's Endpoint Protection Has Multiple Vulnerabilities (03/24/2016)
Symantec Endpoint Protection (SEP) is susceptible to a number of security findings that could potentially result in an authorized but less privileged user gaining elevated access to the Management Console. SEP Client security mitigations can potentially be bypassed, allowing arbitrary code execution on a targeted client. The solution is to update to Endpoint Protection Manager 12.1-RU6-MP4.
Update for ABB Panel Builder 800 Fixes DLL Hijacking Vulnerability (03/24/2016)
An advisory from ICS-CERT warns that a DLL Hijacking vulnerability exists in the ABB Panel Builder 800 Version 5.1 application, which could allow an attacker who successfully exploits it to insert and run arbitrary code on an affected system. ABB has produced a new version to mitigate this vulnerability.
Zero-Day Badlock Vulnerability Affecting Microsoft, Samba to Get Patch on April 12 (03/24/2016)
SerNet, the Samba Team, and Microsoft will disclose a severe bug that affects almost all versions of Windows and Samba. Information about the bug, which is called "Badlock," will be released on April 12. This announcement came from SerNet after one of its security researchers found the bug and worked closely with Microsoft and Samba to patch it. "Due to the fundamental functions that are affected by the bug there will be no detailed information prior to the release of fixes by Microsoft and the Samba Team," the statement on SerNet's Web site read.
Zero-Day in Apple's OS X Bypasses System Integrity Protection (03/24/2016)
Sentinel One has found a highly critical security vulnerability that allows for local privilege escalation and bypasses the System Integrity Protection in Apple's OS X operating system. The bug exists in every version of OS X and enables users to execute arbitrary code on any binary. Apple is currently working on a patch for this issue.