Computer Safety & News

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors is a list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. 

https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html

Rank ID Name Score
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 75.56
[2] CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 45.69
[3] CWE-20 Improper Input Validation 43.61
[4] CWE-200 Information Exposure 32.12
[5] CWE-125 Out-of-bounds Read 26.53
[6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 24.54
[7] CWE-416 Use After Free 17.94
[8] CWE-190 Integer Overflow or Wraparound 17.35
[9] CWE-352 Cross-Site Request Forgery (CSRF) 15.54
[10] CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 14.10
[11] CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 11.47
[12] CWE-787 Out-of-bounds Write 11.08
[13] CWE-287 Improper Authentication 10.78
[14] CWE-476 NULL Pointer Dereference 9.74
[15] CWE-732 Incorrect Permission Assignment for Critical Resource 6.33
[16] CWE-434 Unrestricted Upload of File with Dangerous Type 5.50
[17] CWE-611 Improper Restriction of XML External Entity Reference 5.48
[18] CWE-94 Improper Control of Generation of Code (‘Code Injection’) 5.36
[19] CWE-798 Use of Hard-coded Credentials 5.12
[20] CWE-400 Uncontrolled Resource Consumption 5.04
[21] CWE-772 Missing Release of Resource after Effective Lifetime 5.04
[22] CWE-426 Untrusted Search Path 4.40
[23] CWE-502 Deserialization of Untrusted Data 4.30
[24] CWE-269 Improper Privilege Management 4.23
[25] CWE-295 Improper Certificate Validation 4.06

https://www.us-cert.gov/ncas/current-activity/2019/09/10/google-releases-security-updates-chrome

https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop.html

Google has released Chrome version 77.0.3865.75 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.  The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

https://www.cnet.com/news/lastpass-fixed-a-major-exploit/

Password manager LastPass had an exploit that could be abused to reveal a user’s credentials. The company has fixed the issue in its latest update, according to a blog post Monday. For a hacker to take advantage of the bug, victims would have to be using the Chrome or Opera browser with the LastPass extension … LastPass v4.33.0 went live for all browsers on Friday and contains the fix for the bug. 

CIS Security has just released a “Security Event Malware primer” that shares important prevention controls & awareness for the latest malware attacks

Security Event Primer – Malware

2.1 Maintain Inventory of Authorized Software
2.2 Ensure Software is Supported by Vendor
2.7 Utilize Application Whitelisting
3.4 Deploy Automated Operating System Patch Management Tools
3.5 Deploy Automated Software Patch Management Tools
4.1 Maintain Inventory of Administrative Accounts
4.3 Ensure the Use of Dedicated Administrative Accounts
4.4 Use Unique Passwords
4.8 Log and Alert on Changes to Administrative Group Membership
7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
9.4 Apply Host-based Firewalls or Port Filtering
16.8 Disable Any Unassociated Accounts
16.9 Disable Dormant Accounts

Below are key resources documenting this recent monthly Microsoft Patch Tuesday release

https://isc.sans.edu/forums/diary/Microsoft+September+2019+Patch+Tuesday/25310/

https://blog.talosintelligence.com/2019/09/microsoft-patch-tuesday-sept-2019.html

https://www.thezdi.com/blog/2019/9/10/the-september-2019-security-update-review

https://patchtuesdaydashboard.com/

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

This month, Microsoft released security patches for 80 CVEs plus two advisories. The updates cover Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Visual Studio, .NET Framework, Exchange Server, Microsoft Yammer, and Team Foundation Server. Of these 80 CVEs, 17 are listed as Critical, 62 are listed as Important, and one is listed as Moderate in severity.

https://www.us-cert.gov/ncas/current-activity/2019/09/09/fbi-safe-online-surfing-challenge

The Federal Bureau of Investigation (FBI) has launched the Safe Online Surfing (SOS) Challenge, encouraging educators to promote web literacy and safety for students during the 2019-20 school year.  The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the FBI SOS Challenge Announcement and the CISA Tip Keeping Children Safe Online.

The Cybersecurity and Infrastructure Security Agency (CISA) warns to be vigilant of Hurricane Dorian scams and malware attacks actively circulating.  It is a best practice to always use well established charities like Red Cross or Salvation Army rather than brand new sites for example.

https://www.us-cert.gov/ncas/current-activity/2019/09/04/potential-hurricane-dorian-cyber-scams

The Cybersecurity and Infrastructure Security Agency (CISA) warns users to remain vigilant for malicious cyber activity targeting Hurricane Dorian disaster victims and potential donors. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a hurricane-related subject line, attachment, or hyperlink. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.

To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures:

• • Staying Alert to Disaster-related Scams
  • Before Giving to a Charity
  • Staying Safe on Social Networking Sites
  • Avoiding Social Engineering and Phishing Attacks

If you believe you have been a victim of cybercrime, file a complaint with the Federal Bureau of Investigation Internet Crime Complaint Center at www.ic3.gov.

The Wi-Fi 6 standard support is now starting to appear in new devices.   Also Wi-Fi 7 designs are now starting for possible implementation around 2024.

https://www.cnet.com/news/wi-fi-6-and-what-it-means-for-you-wifi-routers/

https://www.cnet.com/news/wi-fi-6-is-barely-here-but-wi-fi-7-is-already-on-the-way/

Wi-Fi 6 is just now arriving in phones, laptops and network equipment. But engineers are already turning their attention to what’ll come next: Wi-Fi 7. With speeds as high as 30 gigabits per second, the next generation of Wi-Fi promises better streaming video, longer range and fewer problems with traffic congestion — with expected arrival of Wi-Fi 7 in 2024.

Microsoft’s Extended File Allocation Table (exFAT) features supports huge files that are over 4GB and this extension is being added as part of the official Linux kernel in future

https://redmondmag.com/articles/2019/08/30/microsoft-exfat-in-linux-kernel.aspx

https://cloudblogs.microsoft.com/opensource/2019/08/28/exfat-linux-kernel/

Microsoft has agreed to the addition of its Extended File Allocation Table (exFAT) technology to the Linux kernel, according to a Wednesday announcement.

The exFAT code was submitted for “staging” on the Linux kernel, according to this August 28 Linux kernel maintainers post.  Microsoft’s exFAT technology, introduced in 2006, is code that serves as a file system for handling files larger than 4GB. It’s typically used in portable storage devices, such USB drives and Secure Digital memory cards.