It's now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so on

Hefty load from Microsoft, Adobe, with special guest star Cisco


Patch Tuesday Microsoft and Adobe have teamed up to give users and sysadmins plenty of work to do this week.

The February edition of Patch Tuesday includes more than 70 CVE-listed vulnerabilities from each vendor – yes, each – as well as a critical security fix from Cisco. You should patch them as soon as possible.

OMG, DHCP!

For Redmond, the February dump covers 77 CVE-listed bugs across Windows, Office, and Edge/IE.

Among the most potentially serious was CVE-2019-0626, a remote code execution vulnerability in the Windows Server DHCP component.

While the bug won't be much of a risk to everyday PCs, admins running Windows networks will want to make this fix a top priority, says Trend Micro ZDI's Dustin Childs.

"If you have a DHCP server on your network, and chances are you do, this patch should be at the top of your lists," Childs explained.

"The bug allows attackers to take over your DHCP server just by sending it a specially crafted packet. Code execution through a network service that executes with high privileges definitely puts this in the wormable category, although it would only be wormable to other DHCP servers."

Another priority should be to address the month's sole in-the-wild exploit, for CVE-2019-0676, an information disclosure flaw in Internet Explorer that would allow an attacker to check for the presence of specific files on a computer via a specially crafted webpage.


This bug would be particularly useful for targeted attacks, as it would, for example, help a cybercriminal pinpoint the machine they wanted to go after within a targeted company or group.

Exploits for four other vulnerabilities, CVE-2019-0636, CVE-2019-0686, CVE-2019-0646, and CVE-2019-0647 have also been publicly disclosed, but none have been found to allow for remote code execution (RCE).

Of the 36 RCE vulnerabilities patched this month, 16 were programming blunders in Microsoft's IE and Edge browsers, either via the browsers themselves or their scripting engines. In those situations, an attacker would be able to carry out the attack by convincing the user to visit a webpage booby-trapped with exploit code.

As such, the IE and Edge updates are always a top priority for admins to test and apply as soon as possible.

Another popular RCE target, Office, was the subject of seven remote code fixes. Two (CVE-2019-0594, and CVE-2019-0604) were found in SharePoint, while another five were spotted in the Office Access Connectivity Engine. In each case, the attacker would need to convince the victim to manually open a maliciously crafted file (this is not particularly hard to do with Office Docs, which are sent back and forth between and within companies every single day).

Five further remote code execution bugs were patched for Jet Database Engine, a built-in component of Windows and Windows Server. Those vulnerabilities would also be exploited by convincing the mark to open a specially crafted file.

Adobe delivers PDF patch bonanza

Adobe has once again delivered a patch load to rival that of Microsoft, addressing 75 CVE entries of its own.

The overwhelming majority of those are the 39 arbitrary code execution vulnerabilities in Acrobat and Reader. In each case, the attacker could execute code on the target machine by convincing the user to open up a poisoned PDF file. In total, 71 of this month's patches were for vulnerabilities in Acrobat/Reader for Windows, Mac, and Linux boxes.

Flash Player is getting off easy this month, with just one CVE entry: an information disclosure bug via an out-of-bounds read error.

Creative Cloud received a patch for an elevation of privilege (DLL hijacking) flaw, while ColdFusion has seen one remote code execution and one information disclosure vulnerability cleaned up.

Cisco gets in on the fun with NAE fix

Companies that use Cisco's Network Access Engine (NAE) tool to manage their networks and datacenters will be well advised to look over Switchzilla's Tuesday advisory and make sure they have their software up-to-date.

The advisory explains that someone left the default password active on NAE, meaning that anyone with local or command-line access to a vulnerable server could log in using the default admin credentials and take control of it. ®
