March 14, 2019
Update now! Microsoft’s March 2019 Patch Tuesday is here
By John E Dunn
If you were among the millions of users who updated Chrome last week to dodge a zero-day exploit, Microsoft has something for you in this month’s Patch Tuesday – a fix for a separate flaw targeting Windows 7 that is being used as part of the same attacks.
To recap, the Chrome flaw (CVE-2019-5786) was first advised on 1 March with a ‘hurry up and apply the update’ follow-up a few days later when news of exploits emerged. The patch for that took Chrome to 72.0.3626.121.
Microsoft’s part of the twofer is a fix for a local elevation of privilege (EoP) vulnerability in Win32k (CVE-2019-0808), which in addition to Windows 7 also affects Windows Server 2008.
As Google’s Clement Lecigne pointed out, another way to achieve the same end is for Windows 7 users to upgrade:
As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows.
Zero day 2
Among a total of 64 CVEs, including 17 rated ‘critical’, is a second zero-day affecting all Windows versions, identified as CVE-2019-0797 and believed to have been deployed by Middle Eastern APT groups. According to Microsoft’s description, that too is an EoP flaw requiring local access:
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
A further four vulnerabilities earn ‘important’ status because they are now in the public domain, namely CVE-2019-0683 (Active Directory EoP), CVE-2019-0754 (Windows denial-of-service), CVE-2019-0757 (NuGet Package Manager tampering), and CVE-2019-0809 (Visual Studio remote code execution/RCE).
Read more at https://nakedsecurity.sophos.com/2019/03/14/update-now-microsofts-march-2019-patch-tuesday-is-here/
“FINAL WARNING” email – have they really hacked your webcam?
By Paul Ducklin
Sextortion is back!
In fact, it never went away.
Some of us get dozens of sextortion scam emails every month to our work and personal accounts, demanding that we PAY MONEY OR ELSE!!
In the crime of sextortion, the “OR ELSE” part is a threat to release a video of a sexual nature in which you are visible.
For example:
FINAL WARNING. You have the last chance to save your social life. I am not kidding. I give you the last 72 hours to make the payment before I send the video to all your friends and associates.
How did the crooks obtain this X-rated film in which you’re the star?
They typically claim to have filmed you using malware planted on your computer in some way, for example:
I’ve been watching you for a while because I hacked you through a trojan virus in an ad on a porn website. If you are not familiar with this, I will explain this. A trojan virus gives you full access and control over a computer, or any other device. This means that I can see everything on your screen and switch on your camera and microphone without you being aware of it.
The good news is that it’s all a pack of lies, so you can relax.
Read more at https://nakedsecurity.sophos.com/2019/03/13/final-warning-email-have-they-really-hacked-your-webcam/
Chrome will soon block drive-by-download malvertising
By Danny Bradbury
Google is tooling up in the war against malvertisers. Developers of its Chrome browser are introducing a feature that they hope will choke off one of the most malicious forms of malware infection: drive-by advertising downloads.
Automatic downloads via advertising frames are a popular cause of drive-by downloads. In these attacks, a malicious party will rent space from an online advertising network, which pays for banners on participating websites. The network serves up ads from its clients through those banners, usually based on information compiled about the website visitor. This is how websites can creepily show you ads for things you were searching for elsewhere.
In this case, things get creepier still. The attacker’s ad includes a download – usually a JavaScript executable – that takes advantage of a browser vulnerability and infects the victim’s computer.
The feature that Chrome will add is, in reality, more of a removal. Google is planning to deprecate a feature that automatically downloads any content from an advertiser.
The update comes from Yao Xiao, a developer on the Chromium open-source browser project that feeds Chrome. It isn’t his first attack on drive-by downloaders. He introduced a similar update in a January document that targets the same behavior in IFrames – an HTML element which effectively creates a window from the host webpage into another webpage. Attackers quickly began using IFrames to spray malicious content through websites to infect users’ browsers. That update takes effect in Chrome 74, which ships in April.
Read more at https://nakedsecurity.sophos.com/2019/03/13/chrome-will-soon-block-drive-by-download-malvertising/
Update now! WordPress abandoned cart plugin under attack
By John E Dunn
Hackers have been spotted targeting websites running unpatched versions of the WordPress plugin Abandoned Cart for WooCommerce.
According to a blog written by Mikey Veenstra of WordPress firewall company Defiant (formerly Wordfence), the attacks exploit a cross-site scripting (XSS) flaw in version 5.1.3 of the plugin, which is designed to help site admins analyze and recover sales lost when shoppers abandon carts.
Affecting both paid and free versions of the software, the vulnerability is used to install two backdoors that compromise the site, the second a sneaky backup in case the site owners detect and disable the first.
The attack involves the hackers creating a cart containing bogus contact information, which is then abandoned. When the data in these fields is viewed by a site admin, a lack of output sanitization means that the billing_first_name and billing_last_name fields are joined into a single customer field in which the injected JavaScript payload is rendered unescaped.
This uses the admin’s browser session to deploy the backdoors, starting with a rogue admin account added via a hidden iframe that triggers new account creation, at which point a notification of success is sent to the attacker’s command and control.
The second backdoor is then added by opening another iframe to the site’s plugins menu, which is scanned for any plugin with an ‘activate’ link, denoting that it is inactive. That inactive plugin is injected with a PHP backdoor script and lies dormant until the attackers decide to activate it.
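As an added illustration of the output-sanitization failure described above (example code written for this digest, not the plugin’s own code or anything from the Defiant write-up), here is an admin table cell that prints stored customer names as-is, beside the hardened form that escapes at the point of output with WordPress’s esc_html(). The cart record is constructed; a fallback esc_html() is defined so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shows why echoing attacker-controlled
// cart fields into an admin page without escaping is a stored-XSS sink.

// Fallback so this file runs outside WordPress; inside WordPress the
// core esc_html() is used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed abandoned-cart record. The billing fields come straight from
// the checkout form, so any visitor controls their content.
$cart = [
    'billing_first_name' => 'Jane',
    'billing_last_name'  => 'Doe <script>alert("xss")</script>',
    'billing_email'      => 'jane@example.invalid',
];

// Vulnerable pattern: first and last name are joined into one "customer"
// column and echoed unescaped, so the browser of whichever admin views the
// table parses the stored tag as markup and runs it.
function render_customer_unsafe(array $cart): string {
    $customer = $cart['billing_first_name'] . ' ' . $cart['billing_last_name'];
    return '<td>' . $customer . '</td>';
}

// Hardened pattern: the same concatenation, but escaped on output. The
// stored data is left as entered (escaping on input would corrupt
// legitimate names); it is simply rendered as text, never as HTML.
function render_customer_safe(array $cart): string {
    $customer = $cart['billing_first_name'] . ' ' . $cart['billing_last_name'];
    return '<td>' . esc_html($customer) . '</td>';
}

echo "Unsafe: ", render_customer_unsafe($cart), PHP_EOL;
echo "Safe:   ", render_customer_safe($cart), PHP_EOL;
```

Escaping on output is the plugin-side fix; because the payload runs in a logged-in admin’s session, a WordPress firewall or CSP on wp-admin is only a secondary control.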
Read more at https://nakedsecurity.sophos.com/2019/03/13/update-now-wordpress-abandoned-cart-plugin-under-attack/
Misconfigured Box accounts leak terabytes of companies’ sensitive data
By Lisa Vaas
If your company uses Box for cloud-based file sharing, security researchers are advising you to stop reading right now and immediately disable public file sharing: vanity-named subdomains and URLs are “easily brute-forceable,” leaving companies’ publicly shared data open to extremely easy attacks.
Security firm Adversis published a report on Monday after using a “relatively large” wordlist to uncover hundreds of Box customers’ subdomains, through which they could access hundreds of thousands of documents and terabytes of extremely sensitive data.
A sampling of what the researchers found:
- Hundreds of passport photos
- Social Security and bank account numbers
- High-profile technology prototype and design files
- Lists of employees
- Financial data, invoices, internal issue trackers
- Customer lists and archives of years’ worth of internal meetings
- IT data, VPN configurations, network diagrams
Adversis says its initial impulse was to reach out to all the affected companies, but the scale of the task ruled that out. After finding that a large percentage of Box customer accounts that it tested had thousands of exposed, sensitive documents, the firm alerted some of those companies, gave Box a heads-up – that was on 24 September – and published its report.
As Box Chief Customer Officer Jon Herstein said in a blog post on Sunday, Box offers various ways for its customers to allow content sharing both between employees and outside the company.
Read more at https://nakedsecurity.sophos.com/2019/03/13/misconfigured-box-accounts-leak-terabytes-of-companies-sensitive-data/