Many Linux distributions are at risk due to a recently disclosed flaw in systemd: a flaw in its DNS resolver could cause a denial-of-service attack on vulnerable systems. The vulnerability is exploited by having the vulnerable system send a DNS query to a DNS server controlled by the attackers. The DNS server would then return a specially crafted query, causing systemd to enter an infinite loop that pins the system’s CPU usage to 100%. This vulnerability was assigned CVE-2017-15908.Read More
Intel recently released a security advisory detailing several security flaws in its Management Engine (ME). The advisory provides critical ME, Trusted Execution Technology (TXT), and Server Platform Services (SPS) firmware updates for versions 8.X-11.X covering multiple CVE IDs, with CVSS scores between 6.7 and 8.2.
But there is also another notable vulnerability that can pose a bigger risk especially to corporate computers and networks: CVE-2017-5689, a privilege escalation flaw. While there are certain factors and/or triggers for this vulnerability, it can provide attackers administration access and enable them to remotely reset or power off the vulnerable system if exploited successfully. This security issue was divulged in the research, “Silent Bob is Silent.” Compared to the recently identified ME vulnerabilities, CVE-2017-5689 was assigned a CVSSv3 score of 9.8.Read More
October’s macOS security update contained a fix for a vulnerability that Trend Micro privately disclosed to Apple earlier this year. The vulnerability (designated as CVE-2017-13811), was in the fsck_msdos system tool. This tool checks for and fixes errors in devices formatted with the FAT filesystem, and is automatically invoked by macOS when a device using FAT (such as a USB disk or an SD card) is inserted.Read More
Microsoft rolled out fixes for over 50 security issues in this month’s Patch Tuesday. The updates cover vulnerabilities and bugs in the Windows operating system, Internet Explorer (IE), Edge, ASP .NET Core, Chakra Core browsing engine, and Microsoft Office. Microsoft also released a security advisory providing defense-in-depth mitigations against attacks abusing the Dynamic Data Exchange (DDE) protocol in light of recent attacks misusing this feature.
Abusing DDE isn’t new, but the method has made a resurgence with reports of cyberespionage and cybercriminal groups such as Pawn Storm, Keyboy, and FIN7 leveraging it to deliver their payloads.Read More