Update now! Microsoft fixes 49 bugs, 12 are critical

By John E Dunn

Microsoft’s October Patch Tuesday update made its scheduled appearance yesterday with fixes for 49 security flaws across its family of products, 12 of which are listed as ‘critical’.

Curiously, one of this month’s most interesting flaws hides itself among a further 35 rated merely ‘important’, namely the elevation-of-privilege flaw identified as CVE-2018-8453 affecting all Windows versions.

This is reportedly being exploited by a nation state hacking group nicknamed ‘FruityArmor’ whose highly targeted use of the flaw might explain its slightly lower rating.

A second CVE rated ‘moderate’ that stands out as unusual is CVE-2010-3190, the zombie flaw that refuses to die. A remote code execution (RCE) flaw first revealed eight years ago, this one has had at least two patches since then. Microsoft now says the flaw extends to Exchange Server 2016 too.

Public domain

Three other flaws rated ‘important’ are worth mentioning because they are in the public domain. The standout is CVE-2018-8423, a remote code execution vulnerability in the JET database engine, which means it’s in lots of software including Office. No exploits have been detected but it’s been in the public domain since a security company released details as it passed a 120-day patching deadline last month.

Read more at https://nakedsecurity.sophos.com/2018/10/11/update-now-microsoft-fixes-49-bugs-12-are-critical/

How a WhatsApp call could have taken over your phone

By Paul Ducklin

Google just unsealed information about an apparently exploitable bug in WhatsApp that could have allowed a malevolent caller to take over your device.

Just answering a call could have been enough to land you in trouble.

Project Zero researcher Natalie Silvanovich found a buffer overflow that could be triggered by data transmitted as part of the audio and video stream during a call.

WhatsApp, along with many other online calling apps, uses RTP, short for Real Time Protocol, for transmitting voice and video.

RTP was designed to be efficient – for example, it uses UDP instead of TCP, so that data arrives faster but less reliably. (UDP packets aren’t checked to see if they made it to the other end, and can arrive in a mixed-up order; TCP packets are verified and delivered in the order they were sent, which means more network overhead.)

If you lose some data packets from an app you are downloading, the entire download will be corrupted and useless; if you drop occasional voice packets, you’ll just have some inaudible moments in the call.

Unfortunately, RTP also squeezes its data into a binary packet format that needs careful unravelling at the other end to work out what sort of data was sent, how to deconstruct it, and how much data to expect.

Read more at https://nakedsecurity.sophos.com/2018/10/10/how-a-whatsapp-call-could-have-taken-over-your-phone/

Google+ wakes up to what the rest of us already knew

By Lisa Vaas

After months of hiding a relative pipsqueak of a data breach that happened through a Google+ API, Google on Monday ‘fessed up, said it was shuttering its Facebook-wannabe-but-never-gonna-happen social media platform, and was looking at a potential class action lawsuit that got filed within hours of the breach disclosure.

Busy day!

Google said in its blog post that at the beginning of this year, it began a review – dubbed Project Strobe – of third-party developer access to its data and thus came to a conclusion that everybody already knew: close to nobody likes Google+ and just about nobody uses it:

The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.

OK, so… Action No. 1: shut down Google+ for consumers. Project Strobe had showed that Google+ APIs, and the associated consumer controls, were both tough to develop and a bear to maintain, Google said.

Oh, and by the way, there was a bug in the Google+ People API that affected half a million accounts… a bug that it discovered in March, immediately fixed, and only mentioned on Monday.

Read more at https://nakedsecurity.sophos.com/2018/10/10/google-wakes-up-to-what-the-rest-of-us-already-knew/