Security Flaws & Fixes - W/E - 8/23/19

Cisco Issues Update Notice for UCS Director Products (08/22/2019)
Cisco issued a warning about new security flaws in its Cisco UCS Director and Cisco UCS Director Express for Big Data products. According to the company, more than 30 vulnerabilities were fixed across the two products. Cisco recommends that customers running either product update to version 6.7.3.0 (for Cisco UCS Director) or 3.7.3.0 (for Cisco UCS Director Express for Big Data) as soon as possible. The company has not yet found any evidence of these flaws being exploited in the wild.

GAO Finds DOD Tardy on Meeting Collaboration Objectives (08/22/2019)
The Government Accountability Office (GAO) released a series of new recommendations to the US Department of Defense (DOD) asking the agency to "improve collaboration and establish teams to address critical department-wide objectives." According to the GAO, the defense agency has failed to live up to expectations. Not only is the DOD apparently 21 months late in applying the suggested changes, but its electronic warfare teams were apparently denied the funding they needed to complete the GAO's suggested tasks in a timely manner. In response, the GAO is now recommending that the DOD set timelines for when the work will be completed and clarify its funding plans for the teams in question.

iOS 12.4 Reintroduces Bug Fixed by iOS 12.3 (08/19/2019)
With its latest iOS update, Apple inadvertently reintroduced a vulnerability that had been fixed in the previous release. According to Motherboard, iOS 12.4 dropped the safeguard, which once again makes it possible to jailbreak an up-to-date iPhone. A jailbreak overrides Apple's security restrictions and allows the installation of apps and other software that Apple has not authorized, and the same bug can be used by malicious software against unwitting users. One hacker who identified the problem told Motherboard that "a malicious app could include an exploit for this bug that allows it to escape the usual iOS sandbox - a mechanism that prevents apps from reaching data of other apps or the system - and steal user data." Apple provided no statement and would not say when an iOS 12.4.1 release to address the issue might ship. The bug was originally identified by Google researchers and patched in May's iOS 12.3 release.

Microsoft Issues Update Warning for Security Flaw in Remote Desktop Client for Android (08/22/2019)
Microsoft has updated its advisory for CVE-2019-1108, an information-disclosure flaw in the Remote Desktop Protocol (RDP) client first addressed in the company's Patch Tuesday release for July 2019, to add its Remote Desktop app for Android to the list of affected software. The app should be updated immediately. Left uncorrected, the security hole could allow attackers to "connect remotely to an affected system and run a specially crafted application." On Windows the fix shipped in the July cumulative updates, for example KB4507453 for Windows 10 version 1903, or the corresponding update for the user's version of Windows; the Android app receives its fix through an app update rather than through Windows Update.

Netflix Identifies DoS Flaws in HTTP/2 Implementations (08/19/2019)
Netflix has identified a series of denial-of-service (DoS) flaws in implementations of the HTTP/2 protocol. "Exploiting them," Sophos noted, "could make servers grind to a halt." The flaws stem from the features HTTP/2 added over HTTP/1.1, including header compression, multiplexed streams carried in binary frames, and Server Push, each of which gives an implementation "more opportunity for bugs." Because the problems lie in how individual servers implement these features rather than in the specification itself, the remedy is a vendor update for each affected server.
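The multiplexed, binary framing that the item above blames for the extra attack surface is simple to inspect, and one class of abuse covered by the Netflix disclosure is a client that floods the server with control frames (PING, RST_STREAM, SETTINGS) that each force the server to do work without ever completing a request. The following Python script is an added example, not code from Netflix or from the page: it parses raw HTTP/2 frames from a byte stream, enforces the default maximum frame size, and reports control-frame counts that exceed per-connection limits. The thresholds and the sample traffic are constructed for the example; a real server would apply limits per time window and close the connection with GOAWAY.

```python
from collections import Counter

# HTTP/2 frame header (RFC 7540 section 4.1): 24-bit length, 8-bit type,
# 8-bit flags, 1 reserved bit + 31-bit stream identifier = 9 bytes.
FRAME_HEADER_LEN = 9
DEFAULT_MAX_FRAME_SIZE = 16384  # initial SETTINGS_MAX_FRAME_SIZE value

FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}

# Per-connection thresholds are an assumption for this example; a real server
# tunes them to its traffic and counts per time window rather than per connection.
CONTROL_FRAME_LIMITS = {"PING": 100, "RST_STREAM": 100, "SETTINGS": 50}


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame. Used here only to construct sample traffic."""
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
            + payload)


def parse_frames(data, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a byte stream (after the connection preface) into frames.

    Returns a list of (type_name, flags, stream_id, payload). A declared length
    above the negotiated maximum is rejected before any buffer is sized from it,
    which is the check an implementation must make on attacker-controlled lengths.
    A truncated final frame is left in the buffer for the next read.
    """
    frames = []
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype = data[pos + 3]
        flags = data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if length > max_frame_size:
            raise ValueError(f"frame length {length} exceeds max {max_frame_size}")
        end = pos + FRAME_HEADER_LEN + length
        if end > len(data):
            break  # incomplete trailing frame; wait for more bytes
        frames.append((FRAME_TYPES.get(ftype, f"UNKNOWN_{ftype:#x}"),
                       flags, stream_id, data[pos + FRAME_HEADER_LEN:end]))
        pos = end
    return frames


def flood_report(frames, limits=CONTROL_FRAME_LIMITS):
    """Return {frame_type: count} for control frames that exceed their limit.

    A peer sending far more PING/RST_STREAM/SETTINGS frames than request traffic
    makes the server queue replies, tear down streams or acknowledge settings
    without ever completing a request.
    """
    counts = Counter(name for name, _, _, _ in frames)
    return {name: counts[name] for name, limit in limits.items() if counts[name] > limit}


# Constructed sample traffic (not captured data). The HEADERS payload is the
# HPACK static-table encoding of ":method GET" (0x82) and ":scheme http" (0x86).
BENIGN = b"".join([
    build_frame(0x4, 0x0, 0),                 # client SETTINGS
    build_frame(0x1, 0x4, 1, b"\x82\x86"),    # HEADERS with END_HEADERS on stream 1
    build_frame(0x0, 0x1, 1, b"hello"),       # DATA with END_STREAM
    build_frame(0x6, 0x0, 0, b"\x00" * 8),    # a single PING
])

# Hostile client: one SETTINGS frame, then nothing but PINGs.
PING_FLOOD = build_frame(0x4, 0x0, 0) + b"".join(
    build_frame(0x6, 0x0, 0, b"\x00" * 8) for _ in range(500)
)

if __name__ == "__main__":
    print(flood_report(parse_frames(BENIGN)))      # {}
    print(flood_report(parse_frames(PING_FLOOD)))  # {'PING': 500}
```

The same counters extend naturally to the other patterns in this family, such as many streams opened and immediately reset, or a stream of zero-length DATA frames that never carry END_STREAM; the point of the parser is that every one of these is cheap for the client to send and visible to the server before it commits resources.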

Researchers ID New Instances of "Inaccurately Listed Affected Versions" of Apache Struts (08/19/2019)
Researchers with Black Duck Security Research at the Synopsys Cybersecurity Research Center have issued a series of advisories for Apache Struts, reporting that, beyond the nearly 25 unique versions already identified, they found an additional 61 instances of "inaccurately listed affected versions" for the open-source web application framework. These releases, Sophos subsequently noted, were affected by "at least" one previously disclosed vulnerability that the original advisories had not listed them against. The researchers examined 115 Struts releases and correlated them against 57 existing advisories. The practical consequence is that a vulnerability check that trusts an advisory's affected-version list can report a vulnerable Struts build as clean, so deployed versions should be re-checked against the corrected advisories.

Reuters: Google Shuts Down Cell Signal Measurement Service Over Potential Privacy Fears (08/19/2019)
Google has discontinued a popular service for Android developers over fears that it could raise privacy concerns among regulators and in the press. According to Reuters, the service, dubbed "Mobile Network Insights," used anonymized cell signal data collected from users who had opted in to map device usage, location, and diagnostic information. The feature originally launched in March 2017 and was apparently fairly popular with developers and network providers thanks to the accurate maps of cellular coverage performance it could produce. However, Reuters' sources claim that the shutdown was designed to head off any appearance of impropriety, something that has become a priority at the company in recent years due to its growing run-ins with regulators over allegedly monopolistic and exploitative business practices. While Google did provide a statement to Reuters confirming the shutdown, it would only say that the decision was reached due to "product priorities."