Computer News & Safety – Harry Waldron Rotating Header Image

July 26th, 2018:

Microsoft Security – July 2018.NET Framework security patches removed

Microsoft removed the .NET Framework security updates from the JULY 2018 Patch Tuesday updates after some corporate users were impacted by server application issues.  Replacement security patches will likely be introduced in future, after further testing & refinement to ensure issues don’t materialize again.

Microsoft’s Friday announcement specifically pointed to an “Important” security patch to the .NET Framework (CVE-2018-8356). It contains a flaw that affects applications that “initialize a COM component and run with restricted permissions,” according to the announcement. Specifically, it can affect users of SharePoint, BizTalk Server Administration Console and Internet Information Services (IIS) with “classic” ASP, as well as other .NET applications that use “COM and impersonation.”

In response to the problems, Microsoft has stopped distributing the July .NET Framework patches from its Windows Update service and is working on correcting and reshipping the July patch releases. Organizations should apply this reshipped July patch, when it arrives, even if they weren’t affected initially.  “If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates,” the announcement explained.

Malware – Advanced Emotet banking trojan JULY 2018

US CERT, SANS Internet Storm center, and other security firms are sharing awareness of increased malicious spam (malspam) featuring Emotet malware. As noted in these warnings, Emotet continues to evolve with new capabilities:

Overview Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans.  Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Description — Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.