June 11, 2020

Microsoft squishes 129 bugs with Patch Tuesday updates

By Danny Bradbury

Whoosh. You hear that? It’s the sound of Microsoft’s security fire hose spraying out a river of CVE fixes. That’s right – Patch Tuesday was this week and the software giant released patches to fix 129 CVEs.

The lion’s share of the bugs are rated important, but there are 11 CVEs rated critical. They are remote code execution flaws, enabling attackers to execute their code on victims’ systems. These bugs require user interaction, though, meaning that the bad guys would have to persuade the victim to do something like opening a file or visiting a website. They’re very serious, but don’t quite reach the klaxon-sounding, flashing-red-light level of the wormable Bluekeep bug.

CVE-2020-1286 is a Windows shell RCE triggered by improper file path validation, while CVE-2020-1299 is an RCE bug that an attacker could exploit using a malicious .LNK file and an associated binary. Microsoft warns that an attacker would place the pair on a removable drive or network share, and that clicking on the .LNK file would run the binary’s malicious code.

CVE-2020-1281 is a vulnerability in the Windows Object Linking and Embedding (OLE) code stemming from poor input validation and it’s exploitable via a malicious website, file, or email message. CVE-2020-1248 is a memory object handling bug in the Graphics Device Interface (GDI), deliverable via a website, instant message, or document file.

These are all bugs affecting Windows 10, and many also affect the latest 2004 build. Internet Explorer had its own gaggle of critical vulnerabilities too. Versions 9 and 11 were susceptible to CVE-2020-1216, another memory handling RCE bug, this one in VBScript, and to the related CVE-2020-1213 and CVE-2020-1260.

Read more at https://nakedsecurity.sophos.com/2020/06/11/microsoft-squishes-129-bugs-with-patch-tuesday-updates/

Babylon mobile health app mixes up patient consultation videos

By Paul Ducklin

Mobile health app Babylon, which states its company mission as putting “an accessible and affordable health service in the hands of every person on earth”, has admitted to a software bug that went one step further than that.

According to a BBC report, an app user in the UK ended up with other people’s health service data in his hands.

The user, named by the BBC as Rory Glover from Leeds in England, apparently used the app to check up on a prescription of his own, only to find that the “Consultation Replays” feature of the app contained a list of 50 videos for him to review.

As you can imagine, he went to check out what the videos were about – a screenshot shared by the BBC shows that they were identified only as “Replay N”, where N is a counter, so there was nothing to suggest that the data belonged to someone else.

Clicking on one of them made the nature of the unexpected videos clear: it was a recording of someone else’s video chat with a doctor made via the service.

Glover contacted someone he knew who used to work at Babylon, and that person did the right thing by alerting the company to the breach.

As far as we can tell, Babylon acted quickly to remove the rogue videos from Glover’s “Replays” gallery, as well as reporting itself to the Information Commissioner’s Office (ICO), the UK’s privacy and data protection authority.

Read more at https://nakedsecurity.sophos.com/2020/06/10/babylon-mobile-health-app-mixes-up-patient-consultation-videos/

Billions of devices affected by UPnP vulnerability

By John E Dunn

Stop us if you’ve heard this before, but a researcher has uncovered a new security vulnerability affecting many devices running the Universal Plug and Play (UPnP) protocol.

Named CallStranger by discoverer Yunus Çadirci, the potential for trouble with this flaw looks significant for a whole menu of reasons, starting with the gotcha that it’s UPnP.

UPnP was invented back in the mists of time to graft the idea of plug-and-play onto the knotty world of home networking.

UPnP meant users didn’t have to know how to configure router ports – if the device and the home router supported UPnP (often turned on by default), connectivity happened automagically.

But UPnP also allowed more and more devices inside the network to connect to external entities on the internet with no authentication, which is where the trouble started.

Enter CallStranger (CVE-2020-12695), technically a vulnerability in UPnP’s SUBSCRIBE function that makes possible what Çadirci describes as a “Server Side Request Forgery (SSRF)-like vulnerability.”

An attacker able to exploit this flaw could use it to co-opt vulnerable devices for DDoS attacks, bypass data loss prevention security to sneak data out of networks, and possibly carry out port scanning to probe for exposed UPnP devices.
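As an added illustration (not part of the article or of any UPnP stack), here is one defensive check a device implementation could apply to SUBSCRIBE requests, assuming the subscriber's notification URL is carried in the CALLBACK header as in UPnP eventing; the LOCAL_NET value and the two sample requests are constructed for the example.

```python
# Added example (not from the article): a defensive check on UPnP GENA
# SUBSCRIBE requests. The CALLBACK header names the URL(s) a device will
# send event notifications to; a device that accepts any URL can be made
# to send traffic to arbitrary hosts. This check refuses callbacks that
# are not on the subscriber's own local network. Sample requests are
# constructed for illustration.
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the device serves this LAN only; set it to the real one.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

def parse_callbacks(request: str) -> list:
    """Return the URLs listed in the request's CALLBACK header."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^>]+)>", value)
    return []

def callback_allowed(url: str, requester_ip: str) -> bool:
    """Allow plain HTTP to a literal IP inside LOCAL_NET, from a LAN requester."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return False
    try:
        target = ipaddress.ip_address(parts.hostname)
        source = ipaddress.ip_address(requester_ip)
    except ValueError:
        return False  # hostnames refused: no DNS lookups for a callback
    return target in LOCAL_NET and source in LOCAL_NET

def subscribe_ok(request: str, requester_ip: str) -> bool:
    """Accept the SUBSCRIBE only if every CALLBACK URL is allowed."""
    urls = parse_callbacks(request)
    return bool(urls) and all(callback_allowed(u, requester_ip) for u in urls)

# Constructed samples: a normal LAN subscription, and one that also points
# the device at an outside host, the pattern CallStranger abuses.
GOOD = ("SUBSCRIBE /evt HTTP/1.1\r\nHOST: 192.168.1.1:1900\r\n"
        "CALLBACK: <http://192.168.1.20:8080/notify>\r\nNT: upnp:event\r\n"
        "TIMEOUT: Second-1800\r\n\r\n")
BAD = ("SUBSCRIBE /evt HTTP/1.1\r\nHOST: 192.168.1.1:1900\r\n"
       "CALLBACK: <http://203.0.113.9/x><http://192.168.1.20/n>\r\n"
       "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n")
```

Rejecting the whole subscription when any callback URL fails is deliberate: one bad entry in a multi-URL CALLBACK header is enough to turn the device into a relay.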

Read more at https://nakedsecurity.sophos.com/2020/06/10/billions-of-devices-affected-by-upnp-vulnerability/
