New old Windows bug emerges, your 'strong' password is anything but, plus plenty more

What you need to know from infosec land lately

Roundup Here is a brief look at some of the other security stories floating around right now.

Ruby gem strong_password tarnished

Earlier this month, an alert went out to Ruby on Rails developers after it was discovered that a popular package had been hijacked and injected with malicious code.

Tute Costa was going through the gems used for his Ruby application and checking for updates when he noticed that something was amiss with the strong_password package.

It was eventually concluded that the GitHub account managing the gem had been hijacked from its original owner and then had a bit of malicious code inserted. Costa alerted both the original owner and the Ruby on Rails security team.

"While waiting for their answers, I tried to understand the code," Costa explained.

"If it didn’t run before (checking for the existence of the Z1 dummy constant) it injects a middleware that eval‘s cookies named with an ___id suffix, only in production, all surrounded by the empty exception handler _! function that’s defined in the hijacked gem, opening the door to silently executing remote code in production at the attacker’s will."

Eventually, order was restored and the package was put back in control of the original developer. Devs who use the strong_password gem are advised to update to version 0.0.8 or downgrade to version 0.0.6 to make sure the malicious code is removed.

Malware group exploits zero-day in antiquated versions of Windows

Normally, an active attack on an unpatched Windows vulnerability is going to be headline news. This one, however, warrants far less attention.

Researchers with ESET say that an Eastern European group known as Buhtrap has been launching targeted attacks aimed at CVE-2019-1132, a privilege execution flaw in the win32k.sys component.

This sounds bad, but fortunately it's a non-issue for most anyone with even a relatively up-to-date PC. The vulnerable version of win32k.sys is only present in Windows 7 SP1 or earlier. This means anyone running Windows 10, Windows 8, or Windows 7 SP2 is in no danger.

"The exploit only works against older versions of Windows, because since Windows 8 a user process is not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems," ESET said.

Microsoft also included a fix in the SSU update accompanying this month's Patch Tuesday bundle.

Full Brazilian (compromise) for routers

Avast is sounding the alarm after uncovering a massive compromise of routers in Brazil.

The security house estimates that 180,000 users have been hit with a malware attack that attempts to change the DNS setting on their routers, allowing the attackers to re-route traffic requests to sites of their choosing.

Users are advised to update their router firmware and run an antivirus scan to check for any additional malware infections.

New reports on Lake City ransomware fiasco

Another week, another piece of news about the town of Lake City and its battle with a nasty ransomware infection.

A report from local news station WINK finds that despite paying the demanded ransom last month, the city was not able to decrypt all of its locked files. Perhaps that was why one of the city's IT managers was dismissed recently.

Color us shocked: criminals aren't particularly trustworthy.

Microsoft slips telemetry files into security update, people lose their minds

A minor stir was raised on Patch Tuesday when the Windows 7 "security only" version of the monthly update was found to contain a telemetry component called Compatibility App. This lead to outcry that Microsoft was trying to sneak tracking tools into what should only be a security fix.

As Luta Security CEO Katie Moussouris notes, however, there are plenty of legitimate reasons for this.

In other words, relax nerds. ®

Other stories you might like

Biting the hand that feeds IT © 1998–2022