STE WILLIAMS

Giant frikkin’ British laser turret to start zapping stuff next year

The Dragonfire laser cannon consortium has unveiled a full-size mockup of its shipborne blaster at the Defence and Security Exhibition International arms fair in London.

The £30m Dragonfire laser turret mockup at DSEI 2017. Pic: MBDA

The £30m turret-mounted laser cannon is being developed for the Royal Navy by a consortium formed of various defence companies, the lead of which is EU missile firm MBDA.

Known formally as a Laser Directed Energy Weapon (LDEW), the Dragonfire system will be tested on UK ranges next year, according to the Defence Science and Technology Laboratory (DSTL), which is buying Dragonfire on behalf of the navy. Once those tests have ironed out any bugs, a public demo will take place in 2019.

Peter Cooper, DSTL’s project technical authority for Dragonfire, said in a canned quote: “Dragonfire is the culmination of many years of work in the area of laser directed energy weapons. We are looking forward to the 2019 demonstration and, working with our industry colleagues, we aim to provide the UK Armed Forces with innovative, effective and affordable solutions to the emerging threats they face.”

Dragonfire builds on work done by MBDA’s German arm into laser weaponry. Starting in 2008, the Germans built and tested a “high energy laser weapon demonstrator”, according to MBDA’s own self-puffery, including firing it at “mini UAVs” (drones, to you and me) at distances of up to 2.5km. The laser reportedly drew 10kW during its 2010 trials, with MBDA claiming 50kW would be possible with extra funding.

Some minor industrial controversy has surrounded the award of the contract to Dragonfire. The contract was originally awarded in July 2016, but a challenge by a losing bidder delayed it until September that year, with the Ministry of Defence re-announcing the winner for good measure in January this year. As we wrote back then:

“[Dragonfire] will have to meet five criteria to satisfy defence chiefs, including tracking targets in all weathers, maintaining sustained operation over a period of time, and various safety-related criteria, mostly aimed at ensuring the laser’s operators or innocent bystanders don’t get accidentally fried.”

We intend attending DSEI tomorrow to ask about plans for procuring sharks to go with the frikkin’ laser. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/13/dragonfire_laser_turret_plans/

New iOS 11 features create fresh headaches for law enforcement

Apple has long been either a privacy hero or headache, depending on which side of the divide you sit.

And, based on the beta versions of iOS 11, which gets its grand, official introduction on Tuesday at the Apple Special Event alongside the newest iPhone, iWatch and more, it will now likely be even more of a hero to privacy advocates and more of a headache to law enforcement.

Not that Apple has ever made it easy for the cops and intelligence services. Nicholas Weaver, a security researcher at the University of California, Berkeley, noted on the Lawfare blog last week that, “unlike Google or Facebook, which use advertising to extract value from users’ personal information, Apple focuses on selling things that protect a user’s data from all unauthorized access – including by Apple”.

That led, among other things, to the famous clash last year between Apple and the FBI over the agency’s demand that the company provide a way to unlock the iPhone of the deceased San Bernardino terrorist.

While that was “resolved” when the FBI “bought a tool”, according to former FBI director James Comey, it didn’t resolve the overall conflict over whether device makers like Apple should be required to provide a backdoor into their products for law enforcement.

And that conflict is likely to get more intense, now that iOS 11 is increasing protections against “unauthorized access”.

Until now, once an iPhone was unlocked – and law enforcement could require a person to use the Touch ID feature to do so without running afoul of the Fifth Amendment – there was no further barrier to, as Weaver put it, “connect the device to a computer running forensics software, or even just iTunes, direct the device to ‘trust’ the new computer when prompted, and download a backup that contains almost all of the relevant information stored on the phone”.

All of which, relevant or not, they could then analyze for as long as they wished, back at the office.

No more. The new iOS will now require the six-digit passcode before allowing it to sync with – or “trust” – a different computer. And giving up that number does have Fifth Amendment protection. Greg Nojeim, director of the Project on Freedom, Security and Technology at the Center for Democracy &amp; Technology, said speaking the passcode is considered “testimonial”, while providing a fingerprint is not.

So law enforcement could still manually browse through what they can find on the unlocked phone, but that amount of data will be vastly less than what they could gather from a backup using forensic software with an SQLite database engine, which would in most cases include thousands of deleted messages and call logs.

Weaver said the passcode requirement would be especially significant at border searches, where a legal “exception” allows US Customs and Border Protection to copy all the contents of electronic devices without any probable cause or even “reasonable articulable suspicion.”

Again, while agents would still be able to demand that an owner unlock an iPhone and then manually look through it, they would not be able to make a backup copy without the passcode.

Nojeim applauded the impending change.

We have long said that there has to be reasonable suspicion to access everything on a phone. These devices carry your life – they’re a treasure trove of private information.

In addition to the passcode barrier, iOS 11 also provides an “SOS” feature – press the power button five times rapidly and it will let the user make an emergency call, but also disables the fingerprint reader. To unlock the phone would then require the passcode. The feature is, of course, being sold as a way to get help quickly in an emergency, but it obviously could be used to lock the phone down to prevent law enforcement access.

And, as software forensic firm Elcomsoft noted in a blog post last week, law enforcement can’t tell if a potential suspect used that feature to disable Touch ID:

There is no way to tell that Touch ID has been disabled by using the SOS feature. Once the sequence is completed and the user cancels the menu, the iPhone prompts for a passcode in the same manner it uses after Touch ID naturally times out.

Weaver doesn’t see that as a big deal, saying:

There are already a number of ways to rapidly disable the fingerprint reader, such as powering off the phone, using the wrong finger four times, or just waiting long enough for the feature to disable itself. So this is more hype than substance.

Even a locked iPhone doesn’t lock everything out, as Naked Security’s Maria Varmazis noted when she took the beta iOS 11 for a test drive. In fact, it actually allows a bit more access than iOS 10:

iOS 11 adds viewing the Control Center (the menu that you can pull up from the bottom of the screen) and returning missed calls to options that work despite the lockscreen, in addition to features that were already available on iOS 10. All of these options are turned on by default.

Of course, a user can turn them off as well. But the bottom line is that the personal privacy vs protection-of-society debate is likely to get more intense, and make its way into the courts.

Comey, back in March when he was still FBI director, said at a conference in Boston that while “I love privacy,” there has always been a “bargain” in the US that government can invade privacy, “with probable cause and a warrant … The general principle is that there is no such thing as absolute privacy.”

Weaver would agree only in part. He wrote that the iOS 11 upgrades “will have some impact on lawful investigations”. But he added: “That isn’t necessarily a problem – the benefits here outweigh the costs.”

Nojeim agreed with that last part, saying:

We are in the golden age of surveillance. There has never been a larger or richer collection of data about the private activities and thoughts of people who have committed no crime and done nothing to bring suspicion. Something like this starts to level the playing field just a bit.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dVi8K70kQ2E/

North Korea attacks Bitcoin bods to swell its war chest says FireEye

North Korea appears to have commenced online attacks aimed at acquiring Bitcoin so it can evade sanctions.

South Korea’s Cyber Warfare Research Center alleged a few weeks ago that at least one Bitcoin exchange had been targeted by a Nork hack, and now FireEye threat researcher Luke McNamara writes that “since May 2017, we have observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds”.

FireEye operatives say they’ve observed spearphishing that often “targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware (PEACHPIT and similar variants) linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016.”

North Korea is subject to United Nations sanctions that freeze any assets it holds offshore and forbid members from providing financial services, financial support or allowing banks to do business with the oppressive, nukes-and-missiles-capable hermit kingdom.

Sovereign nations regulate financial services organisations, but few have figured out how to oversee production of or transactions conducted in Bitcoin and other cryptocurrencies.

McNamara therefore offers a scenario in which “If actors compromise an exchange itself (as opposed to an individual account or wallet) they potentially can move cryptocurrencies out of online wallets, swapping them for other, more anonymous cryptocurrencies or send them directly to other wallets on different exchanges to withdraw them in fiat currencies”. The researcher worries that “some exchanges in different jurisdictions may have lax anti-money laundering controls easing this process and making the exchanges an attractive tactic for anyone seeking hard currency.”

And boy does North Korea need hard currency – its trade with the outside world is small and new sanctions imposed this week will reduce it further by banning its textiles trade and capping the number of guest workers it is allowed to send abroad.

If McNamara is correct and North Korea is acquiring Bitcoin to make up for its lack of access to more conventional types of currency, it’s likely that authorities will become even more interested in ending anonymous trades. Bitcoin’s anonymity has, however, been called into question since at least 2014, so it may be that North Korea’s efforts are already traceable. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/13/north_korea_swells_war_chest_with_bitcoin/

Kaspersky shrugs off government sales ban proposal

Kaspersky Lab has laughed off attempts to have its wares banned from US government computers by saying it hardly sold to the Feds anyway.

“Given that U.S. government sales have not been a significant part of the company’s activity in North America, Kaspersky Lab is exploring opportunities to better optimize the Washington D.C. office responsible for threat intelligence offerings to U.S. government entities,” the company says in a statement.

The statement goes on to say that “North America remains a strategic market for Kaspersky Lab”. So strategic, in fact, that it plans to open offices in Los Angeles, Chicago and Toronto, Canada during 2018.

“Expanding the company’s presence in the region will better enable Kaspersky Lab to provide its customers with the best cybersecurity solutions and services,” the statement said.

Company founder Eugene Kaspersky’s tweeted take on the topic is below.

Kaspersky Lab’s statements ignore the fact that it faces a wider backlash after retailer Best Buy withdrew its products from its shelves. Best Buy did not link its decision to US Senator Jeanne Shaheen’s attempt to have Kaspersky banned on government computers, but didn’t explain it either.

Senator Shaheen argued for the ban on grounds that Kaspersky products chat to servers in Russia, which she characterises as a “hostile country”. That allegation is made possible by findings that Russia interfered in the United States’ 2016 election season, spreading misinformation and possibly abetting hackers of the Democratic National Congress and/or making sure the results of that heist made it to Wikileaks.

Vendors have survived this sort of thing before: Huawei remains forbidden from selling to the US and Australian governments, but its consumer handset business is doing very well in both markets and its enterprise business is a contender in many industries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/13/kaspersky_shrugs_off_us_ban/

Apple’s facial recognition: Well, it is more secure for the, er, sleeping user

Security watchers have given Apple’s introduction of facial recognition technology a cautious welcome.

The newly unveiled iPhone X smartphone débuts an advanced facial recognition technology, called Face ID, which relies on Apple’s TrueDepth camera system. The technology features seven sensors and machine learning algorithms that quell previous fears that something as unsophisticated as a stolen Instagram selfie might be harnessed to defeat the technology.

A “secure enclave” is used to store the detailed mathematical model of a user’s face. All processing is on-device only, allaying concerns related to sensitive data being processed in the cloud. Users will be able to use the tech to either unlock their smartphone or make purchases.

The feature has the potential to shape the future of biometric authentication, according to some. Others caution that authentication via facial recognition is not new and that no security measure alone is a silver bullet.

“While it is difficult to replicate the facial features of a user, early attempts at this technology in consumer devices were easily defeated by simply placing a picture of the user’s face in front of the camera,” said Stephen Cox, chief security architect at SecureAuth. “The iPhone X has 3D capabilities that can judge distance, a mitigation for this vulnerability. It remains to be seen how effective it is, but you can bet that the hacker community will fervently try to defeat it.”

“Still, no single authentication technique is beyond the reach of attackers. Devices will be hacked and sensors will be tricked. It is important to layer such technology with adaptive authentication methods, such as IP reputation, phone number fraud prevention capabilities or behavioural biometrics,” he added.

Other researchers saw little advantage in facial recognition beyond what was already offered by fingerprint recognition.

“Fingerprint scanning, facial recognition, Bluetooth, geolocation and even a short PIN are all ways to simplify access not only for yourself, but also for a potential attacker,” said Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies. “Even if the new Apple algorithm for facial recognition cannot be fooled by photography, vertical self-videos can easily be found in the public domain – for example, on Instagram – and could be used to crack the device.

“As a replacement for fingerprint authentication, this feature has only one advantage: it is unlikely to be able to unlock the phone when the owner is asleep,” she added.

Hackers have defeated the Touch ID technology that has been superseded by Face ID. Galloway reckons it’s only a matter of time before Apple’s latest authentication technology is bypassed too.

Simon Migliano, head of research at Top10VPN.com, struck a more upbeat note. “From its court battle with the FBI over the contents of a private phone to the popularisation of the secure Touch ID and its role in contactless payments, Apple has earned our trust when it comes to security, and I don’t see this being any different.”

Data breaches, password reuse and related issues have spurred interest in biometrics as a way of offering stronger two-factor authentication.

Passwords and PIN numbers can be copied, stolen, guessed or shared easily. Biometrics are not without their drawbacks, but they offer customers and businesses alike a potentially more secure choice of authentication and verification. The wider availability of an ever-increasing array of biometric technologies in the latest generation of smartphones is likely to spur more widespread adoption.

Ollie Hayler, business development director for PalmSecure Biometrics at Fujitsu Cyber Security Enterprise, commented: “While we don’t expect biometric adoption to happen overnight, the proliferation of biometric technologies in consumer devices such as the Apple iPhone will result in consumers becoming more familiar and comfortable with the technology. As such, biometric verification of identity on a personal device will, in one way or another, become a standard identification process.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/13/apple_iphonex_facial_recognition/

SAP E-Recruiting bug could let you stop rivals poaching your people

SAP admins, there’s an e-mail system bug that could give your HR department headaches, by blocking people from registering their e-mail with its E-Recruiting system.

The problem is that the registration URL provided to job-seekers is predictable, meaning an attacker could put other people’s e-mail addresses into the system and guess the “e-mail confirmation” link. The attack could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn’t done in release versions 605, 606, 616 or 617.

As described by SEC Consult here, when someone registers with SAP’s E-Recruiting solution, they get a confirmation e-mail containing an incremental (and therefore predictable) object called candidate_hrobject.

For an attacker, then, the process would be:

The SEC Consult post notes that some business processes assume people can be contacted by e-mail.

There’s an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team’s e-mail addresses – including personal addresses if you know them – and because those addresses can only be used once in SAP’s application, effectively prevent your people from applying for that job! Unless of course they whip up a new address …

The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®
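The fix the article describes, a confirmation link that carries an unguessable pre-registration nonce instead of relying on the incremental candidate_hrobject alone, as an added example that is neither SAP’s nor SEC Consult’s code. BASE_URL and the in-memory RegistrationStore are hypothetical; the weak link is shown only for contrast, and pending (unconfirmed) registrations deliberately do not reserve an address, which is what defuses the blocking scenario described above.

```python
"""Confirmation links for an e-mail registration flow (added example, not SAP code).

Weak form: the link carries only a sequential object id, so every link is guessable.
Hardened form: a random, single-use, expiring nonce is bound to the pending
registration, and an address is only reserved once its owner has confirmed it.
"""
import secrets
import time
from hashlib import sha256
from typing import Dict, Optional, Tuple

BASE_URL = "https://recruiting.example.invalid/confirm"  # hypothetical host


def weak_confirmation_link(candidate_id: int) -> str:
    """Weak form: the only 'secret' is an incrementing object id (derivable by anyone)."""
    return f"{BASE_URL}?candidate_hrobject={candidate_id}"


class RegistrationStore:
    """Hardened form: hypothetical in-memory store of pending and confirmed registrations."""

    def __init__(self, ttl_seconds: int = 24 * 3600) -> None:
        self.ttl = ttl_seconds
        # sha256(token) -> (candidate_id, email, expiry timestamp); only the hash is kept
        # so a leaked table does not expose live confirmation links.
        self._pending: Dict[bytes, Tuple[int, str, float]] = {}
        self.confirmed: Dict[int, str] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return sha256(token.encode("utf-8")).digest()

    def is_address_taken(self, email: str) -> bool:
        """Only a confirmed registration reserves an address; a pending one does not."""
        return email in self.confirmed.values()

    def start_registration(self, candidate_id: int, email: str,
                           now: Optional[float] = None) -> str:
        """Create a pending registration and return the link that is e-mailed to `email`."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not derivable from the id
        self._pending[self._digest(token)] = (candidate_id, email, now + self.ttl)
        return f"{BASE_URL}?candidate_hrobject={candidate_id}&token={token}"

    def confirm(self, candidate_id: int, email: str, token: str,
                now: Optional[float] = None) -> bool:
        """Confirm a registration; True only for a fresh, matching, unexpired token."""
        now = time.time() if now is None else now
        key = self._digest(token)
        record = self._pending.get(key)
        if record is None:
            return False  # unknown or already used token
        stored_id, stored_email, expires = record
        if stored_id != candidate_id or stored_email != email:
            return False  # token is bound to the id and address it was issued for
        del self._pending[key]  # single use, whether or not confirmation succeeds
        if now > expires or self.is_address_taken(email):
            return False  # stale link, or the real owner confirmed first
        self.confirmed[candidate_id] = email
        return True
```

A pending record for someone else’s address therefore blocks nothing: the address owner’s own registration, confirmed via the link only they receive, wins.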

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/13/sap_erecruiting_email_bug/

D-Link router riddled with 0-day flaws

A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first.

Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without disclosing the issue to D‑Link beforehand because of a previous negative experience with the firm. He disclosed nine vulnerabilities to D‑Link back in February, but only one of them resulted in a patch from the manufacturer.

The D‑Link 850L zero-day flaws disclosed this week include inadequate protection of firmware images, a shortcoming that means hackers could push malicious copies containing a backdoor onto targeted devices, flaws in the custom mydlink cloud protocol, and more. In his advisory, the researcher also lists remote code execution flaws, default private keys and a DDoS risk. Cross-site scripting (XSS), credentials stored in cleartext, and a LAN backdoor also feature.

“The D‑Link 850L is a router overall badly designed with a lot of vulnerabilities,” Kim offers in a somewhat dismissive summary seemingly borne out of exasperation with the networking kit maker.

“Basically, everything was pwned, from the LAN to the WAN.”

El Reg approached D‑Link for comment both via Twitter and through its web form, but we’re yet to hear back from the manufacturer. It’s therefore unclear whether or not the vendor acknowledges the bugs, much less whether it plans to patch them.

Kim concludes by referencing his previous negative experiences with D‑Link to explain why he went public this time, before advising owners of the vulnerable equipment to use other kit instead:

Due to difficulties in previous exchanges with D‑Link, full disclosure is applied. Their previous lack of consideration about security made me publish this research without coordinated disclosure. I advise to IMMEDIATELY DISCONNECT vulnerable routers from the internet.

Kim has form for, err, routing out router vulnerabilities (previous coverage here), as well as flaws in other forms of IoT devices such as webcams (here). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/12/dlink_router_security_fail/

Bluetooth bugs bedevil billions of devices

Security experts have long complained that complexity is the enemy of security, but the designers of the Bluetooth specification have evidently failed to pay attention.

Bluetooth is a wireless communication protocol for connecting devices over short ranges. It’s used in mobile phones, wireless speakers, smartwatches, printers, and a variety of appliances, among other things.

It’s also, according to Armis, a Palo Alto, California-based IoT security firm, too complicated. The Bluetooth specification runs to over 2,800 pages, compared with the 450 pages that describe the Wi-Fi specification.

The spec’s complexity, Armis contends, has prevented researchers from thoroughly investigating its various implementations for flaws, leaving it full of holes.

“The complications in the specifications translate into multiple pitfall junctions in the various implementations of the Bluetooth standard,” the company says in a paper [PDF] describing a set of flaws referred to as BlueBorne.

“BlueBorne is a name we gave for eight vulnerabilities found in the common Bluetooth stacks of all the major vendors,” said Armis co-founder and CTO Nadir Izrael in a phone interview with The Register.

The eight Bluetooth-related vulnerabilities affect an estimated 5.3 billion Android, iOS, Linux, and Windows devices, according to Izrael.

“Just having Bluetooth on puts you at risk,” said Izrael.

Bluetooth is often turned on by default, or left on. And devices running Bluetooth turn out to be fairly easy to identify with network sniffing tools, even when set to be non-discoverable. This becomes a problem in light of the bugs in various parts of the Bluetooth stack, found in L2CAP, BlueZ, SDP, SMP, BNEP, PAN Profiles, and Apple’s proprietary LEAP implementation.

Armis disclosed the flaws in April to Apple, Google, Linux maintainers, and Microsoft. Tuesday’s announcement marks the agreed-upon coordinated disclosure date, with one exception: Armis says it attempted to contact Samsung – which makes the Linux-based Tizen OS and also uses Android extensively – on three separate occasions about the vulnerabilities, but did not hear back.

Ben Seri, head of research at Armis, offered a potential explanation for Samsung’s non-responsiveness by noting that the company is a downstream vendor of patches issued by Google and Linux maintainers, which shapes how they respond to security issues.

All Android phones, tablets, and wearables, apart from those using only Bluetooth Low Energy, are potentially vulnerable to the four Android flaws. Google issued a patch to its partners on August 7, which it released as part of its September Security Update and Bulletin for Android 6.0 (Marshmallow) and Android 7.0 (Nougat). It’s unclear when its partners will distribute the patch, however.

Seri acknowledged that some Android vendors may be slow to deploy the fixes. “We are concerned about this,” he said. “We tried to make this as coordinated as possible.”

A video posted by Armis demonstrates how a Google Pixel can be compromised.

Armis offers a Google Play app to test whether Android devices are at risk.

All iPhone, iPad and iPod touch devices running iOS 9.3.5 or earlier, as well as AppleTV devices running version 7.2.2 or earlier are potentially vulnerable to the iOS remote code execution vulnerability. Devices running iOS 10 and later should not be affected.

Linux devices running BlueZ are affected by the information leak flaw, and those running Linux from version 3.3-rc1 (released in October 2011) onwards are affected by the remote code execution flaw. Among potentially vulnerable products are Samsung Gear S3 watches, Smart TVs, and Family Hub devices.

Every Windows computer since Windows Vista is potentially vulnerable to the “Bluetooth Pineapple” flaw, which can be used to conduct a man-in-the-middle attack.

Microsoft is expected to issue its regular set of patches on Tuesday, including a notification about an already deployed Bluetooth fix, which according to Seri was issued in July without any notice, to allow other vendors time to respond.

Given that some of these flaws have been present in Bluetooth for a decade, Izrael said, “We do fear that in some sense these vulnerabilities might have been found before by some actors and used.”

However, he said he’s not aware of any exploitation of these holes.

“We really encourage researchers and security experts to learn from them how these bugs were found and to find them in other stacks we have not studied,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/12/bluetooth_bugs_bedevil_billions_of_devices/

Bish, bosh, Bashware: Microsoft downplays research on WSL Win 10 ‘hack’ threat

Microsoft has downplayed the risks of running a Linux Bash shell command line on Windows 10 via its Windows Subsystem for Linux (WSL) feature after security researchers said the technology could help hackers smuggle malware past security scanners and onto Windows 10 machines.

Researchers at Check Point say that a potential hacking technique, which they call “Bashware,” takes advantage of the new Windows 10 feature WSL, which is now out of beta and will arrive in the Windows 10 Fall Creators Update.

Issues arise because existing security software packages have not been modified to monitor processes of Linux executables running on Windows OS.

Check Point warns that the technology introduces a way for malware to hide from security products that have not yet integrated the proper detection mechanisms. Potential attacks – as yet unknown – would only be possible against technology that only tech-savvy developers have, something that makes the whole attack vector a non-threat to general Windows 10 users.

In response to queries from El Reg, Microsoft offered a statement downplaying the significance of the attack vector.

We reviewed and assessed this to be of low risk. One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default.

The WSL feature goes beyond having the Linux “Bash” shell on Windows OS. WSL contains both user mode and kernel mode components, which together create a complete compatibility layer for running an environment that looks and behaves just like Linux, without having to fire up any virtual machine.

Microsoft has implemented this by introducing so-called Pico processes – containers that allow running ELF binaries on the Windows OS. By placing unmodified Linux binaries in Pico processes, WSL enables Linux system calls to be directed into the Windows kernel.

“Bashware is a generic and cross-platform technique that uses WSL in order to allow running both ELF and EXE malicious payloads in a stealthy manner that could bypass most current security solutions,” Check Point argues in a blog post.

Although WSL is not enabled by default, the researchers reckon the technology can be switched on in the background using privilege escalation. No malware has yet been seen that abuses the method. Third-party experts reckon there are much more straightforward ways to introduce malware, while not entirely dismissing Check Point’s concerns when describing the threat as less than credible, at least for now.

Independent security consultant Kevin Beaumont commented: “The research is valid, in that adding more subsystems to Windows will increase attack surface – but I don’t see it as a credible threat yet.”

“I’ve seen no ‘bashware’ in the wild. That feature is new, this stuff isn’t by default enabled, setting Dev mode needs admin rights,” he added.

Potential abuse of WSL technology creates a means for malware to bypass security products, many of which have not been rejigged to look for abuse of the feature.

“Microsoft has already taken steps that should assist the security vendors to deal with the new security considerations presented by WSL, including Pico APIs that can be used by AV companies in order to monitor these types of processes,” according to Check Point.

The Israeli security firm said that it had updated its SandBlast Threat Prevention products to protect its customers from Bashware. It wants other security vendors to follow suit and modify their products, something that is yet to be rolled out in most if not all cases.

Check Point researchers tested this technique on most of the leading anti-viruses and security products in the market, successfully bypassing them all. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/12/microsoft_downplays_bashware_malware_threat/

It’s September 2017, and .NET lets PDFs hijack your Windows PC

While much of the tech world is still fixating on Apple’s $1,000 face-reading iPhone, administrators are going to be busy testing and deploying this month’s Patch Tuesday load.

Microsoft, Adobe, and Google have all released patches to mark the second Tuesday of the month. The updates include fixes for Flash, Edge, Internet Explorer, and Android.

From Microsoft

Redmond’s September patch dump addresses a total of 81 CVE-listed vulnerabilities, 39 of which would allow for remote code execution. Four of the flaws are already publicly known and one has been actively exploited.

The targeted bug is CVE-2017-8759, a vulnerability in .NET framework’s handling of input data. Dustin Childs of Trend Micro’s Zero Day Initiative notes the vulnerability is most likely to be targeted through PDF files or other malicious document attachments.

“Another vector would involve executing a malicious application as a low-privileged user,” Childs explained.

“Either way, this patch should be your top priority this month since .NET is deployed just about everywhere, and it’s already being exploited – just likely in a limited fashion.”

Childs notes that server admins should pay special attention to CVE-2017-0161, a NetBIOS remote code execution flaw in the Windows NetBT Session Service.

“In this scenario, one guest OS could execute code on the others if NetBIOS is enabled,” he explained. “Another factor in this bug is that it’s a race condition. That fact significantly lowers the reliability of any exploit that may be created.”

As usual, Microsoft’s Edge and Internet Explorer browsers are prime locations for security vulnerabilities. Microsoft said that 22 of the critical flaws this month are found in the browsers. They include nine memory corruption vulnerabilities in the browsers themselves and 10 in the scripting engine component.

Of the three publicly disclosed flaws (not including CVE-2017-8759), one is found in Windows (CVE-2017-8746, a Device Guard security code bypass), the second is present in Edge (CVE-2017-8723, a content security policy bypass), and the third is a remote code execution vulnerability in the HoloLens augmented reality gear’s Broadcom chipset (CVE-2017-9417).

Also patched this month were five information disclosure and one denial of service flaws in Hyper-V, as well as two cross-site scripting bugs in SharePoint. Office will receive fixes for four memory corruption flaws and two remote code execution vulnerabilities.

Adobe plugs a pair of Flash holes

This month’s Flash Player update covers two CVE-listed bugs, CVE-2017-11281 and CVE-2017-11282. Both would allow remote code execution by way of a memory corruption exploit.

Adobe has also posted an update for RoboHelp for Windows to patch a cross-site scripting vulnerability (CVE-2017-3104) and a URL redirect vulnerability (CVE-2017-3105).

Four flaws patched in ColdFusion would allow for remote code execution (CVE-2017-11283, CVE-2017-11284) and information disclosure (CVE-2017-11285, CVE-2017-11286).

Android’s monthly maintenance

The September update bundle for Google’s mobile OS brings with it fixes for 81 bugs in various Android components, including 21 CVE-listed flaws in Qualcomm components, 10 in MediaTek, and 8 in Broadcom.

Also patched were 11 vulnerabilities in the Android kernel, five in the system, and 24 in the media framework.

None of the Android flaws have been reported as exploited in the wild. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/12/september_2017_patch_tuesday/