First, Patch Tuesday. Now, Oh Hell, Monday: Microsoft emits bonus fixes for Visual Studio, Windows 10 security bugs

Plus: A warning to SharePoint operators


In brief: Just days after issuing fixes for scores of bugs in its products for this month's Patch Tuesday, Microsoft has issued two more patches for security holes that can be exploited by maliciously crafted files to run malware on victims' computers.

The first, CVE-2020-17023, is a Visual Studio issue that allows for remote code execution after getting the target to click on a specially crafted package.json file.

As for the second, CVE-2020-17022, that's a memory-handling bug in the Windows 10 Codecs Library, allowing an attacker to inject and execute code by getting a victim to open or view a maliciously crafted image. It affects 32- and 64-bit x86 and Arm builds of Windows 10.

The US government's cyber-security agency emitted an alert about these two vulnerabilities, urging people to patch ASAP. In happier news, Redmond also released Azure Defender for IoT devices, which should keep the botnets slightly more under control.

Patches needed for Jira leak

Jira installations need an update to close CVE-2020-14181, a bug found by Positive Technologies' Mikhail Klyuchnikov that can be exploited to leak sensitive user data. Atlassian addressed the flaw in versions 7.13.6, 8.5.7, and 8.12.0, and above.

UK warns of attacks in the wild against SharePoint

If you haven't installed the latest Patch Tuesday fixes from Microsoft, and you're operating a SharePoint installation, there's one update you really should apply: CVE-2020-16952.

Britain's National Cyber Security Centre issued an alert on Friday, saying it had "seen a large number of exploitations" of this flaw in systems belonging to several UK companies. Test and install the patch before you fall victim next.

To the point...

  • McAfee has technical details on the ICMPv6 remote-code-execution-or-crash bug (CVE-2020-16898) in the Windows TCP/IP stack that Microsoft patched this week.
  • Serious vulnerabilities in Qualcomm's chipsets for mobile access points were revealed this month and apparently patched in 2019 and October 2020.
  • A flaw (CVE-2020-12351) in Linux kernel 4.8 and higher can be triggered via nearby Bluetooth devices to cause a crash or possible code execution; Intel also released an advisory.

State shenanigans

It's not just Russian hackers targeting American politicians: Google's Threat Analysis Group warns Chinese and Iranian government-backed spies are on the prowl as the US elections approach.

In a report, the Googlers warn hackers in the Middle Kingdom and Middle East state have been using a variety of methods, including imitating antivirus vendors, to compromise staffers on the Biden and Trump campaigns.

In addition, the Google cloud security team has blamed China for the biggest denial of service attack it has yet seen against its servers. The attack, which took place in 2017 but has only just been detailed, saw data rates of over 2.5 Tbps slamming the Chocolate Factory's servers.

Norway blames Russia for parliament hacking attack

And while we're on the topic of state hacking, in a rather forthright statement, the Norwegian Minister of Foreign Affairs, Ine Eriksen Søreide, accused the Russian government of hacking email servers used by Norway's parliamentarians. "This is a very serious incident, affecting our most important democratic institution," she said.

The Russian embassy in Oslo denied the allegations, calling them a "serious and wilful provocation."

Scammer crack-down

And just to show that it's not all gloom and doom, the Indian and US governments have issued injunctions against five companies and one individual over claims they run tech support scams preying on the IT-illiterate and gullible.

Which Pit has been pwned?

Dickey’s Barbecue Pit, a US chain selling BBQ meals, appears to have been compromised. Security shop Gemini Advisory claimed it has found a cache of three million compromised credit cards that it backtraced to Dickey's.

And finally...

Floating hotel (and occasional COVID-19 hotspot) biz Carnival has shed more light on its August malware infection. The malware hit three of its operations – Carnival Cruise Line, Holland America Line and Seabourn – and it'll get around to telling those affected what personal data may have been accessed by the software nasty's masterminds over the next month or two. ®

