Weekly Security Brief: April 21 2015


Welcome! When the best offense is a good defense, you’ve come to the right place. Given the ever-changing landscape of technology threats, that couldn’t be more true. Each week, we’ll cover current security threats, patches and issues that affect you and your business. And when something really big happens, we’ll post on Twitter and update this page with all the details you need to stay safe. Read on!

The BIG Story: Apple Rootpipe Vulnerability Still NOT Fixed! Tens of Millions of Apple Users at Risk

Apple claimed to have fixed it, but they haven’t. Note that this vulnerability was discovered last October, and had existed since 2011 in version 10.7. This leaves a dangerous backdoor open to attackers on any Mac running an operating system below 10.10 Yosemite. If you can, upgrade to 10.10.3. Thomas Brewster, in his analysis of the situation, painted the picture by numbers: there are over 3 billion internet users. Roughly 2% are on Macs, putting 60 million at risk. Attackers can gain admin privileges without proper authentication, execute code remotely and potentially compromise a machine. This hidden backdoor opens up root access, or control over the system, far too widely. A patch will definitely need to be issued for older systems as well, but doubt has been expressed over whether Apple will invest the time and effort to support them. According to Emil Kvarnhammar, the TrueSec Security software engineer who reported the vulnerability to Apple last year:

“Fixing buffer overflows and similar is one thing (they usually back port that kind of issues), but fixing architectural issues like rootpipe will mean more work in dev and verification…I think (and hope) Apple might be reconsidering, knowing that users of older versions are upset and that even low-privileged guest accounts on Mavericks can be used to exploit the issue and become root.”

Apple has a lot to answer for, in light of the severity of this current threat, but so far neither solutions nor explanations are forthcoming.

Get Your Security Patches On!

Last week featured several critical security patch updates from Microsoft, but there were also urgent patches issued by Adobe. Attackers have used the week that has passed to their advantage, building exploits against the zero-day Windows vulnerability and using a vulnerability in Adobe Flash alongside it. US security firm FireEye claims Russian attackers have been using these new vulnerabilities to boost their ongoing efforts to spy on American diplomats and the White House.

The take-away here is that issuing security patches does not make vulnerabilities disappear. They will be re-used and deployed as often as attackers find opportunities, and those opportunities are typically systems left unpatched. According to Verizon’s recently issued 2015 Data Breach Investigations Report,

“99.9 percent of the exploited vulnerabilities in 2014 had been compromised more than a year after the associated CVE (Common Vulnerabilities and Exposures) was published”.

Oracle Ends Publicly Available Security Fixes for Java this Month

The end of these public updates, which included bug and security fixes, could impact millions of applications. Instead, customers will need to sign on for long-term support deals or migrate to Java 8, which was released in March of last year. Given that people are slow to change, this forward-thinking move may have serious long-term costs. Per Waratek security CTO John Holt Matthew, “there is a dangerous tradeoff; now millions of Java 7 applications will have to defend themselves against code-level vulnerabilities without the benefit of future fixes.” Users are advised to upgrade if they can, or to use RASP (Runtime Application Self-Protection) for Java.

With that in mind, be sure to install the latest series of critical patch updates for Java. There are 98 new fixes. The link is below.

XSS Security Advisory for WordPress Plugins

There doesn’t seem to be a week without a warning for WordPress users. Per the current advisory, numerous WordPress plugins are vulnerable to Cross-site Scripting (XSS). This is largely because of two functions, add_query_arg() and remove_query_arg(), which developers use to add and modify query strings on URLs within WordPress. The problem stems from a lack of clarity in the official WordPress documentation (the Codex) for these functions: plugin developers used them insecurely, assuming that the functions would escape user input for them, when they do not. Sucuri Security recommends that developers make sure the returned URL is escaped before use, using the esc_url() (or esc_url_raw()) function.
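As an added illustration (not code from Sucuri or from any of the plugins named), here is the insecure pattern beside the escaped form. It assumes it runs inside WordPress, where add_query_arg(), remove_query_arg(), esc_url(), esc_url_raw() and wp_safe_redirect() are defined; the demo_* function names are hypothetical.

```php
<?php
// Added illustration, not from the advisory or any named plugin.
// Assumes a WordPress context. When no base URL is passed,
// add_query_arg() builds on $_SERVER['REQUEST_URI'], i.e. on input
// the requester controls, and returns it without escaping.

// VULNERABLE: the generated URL is printed straight into an href.
// Any quote or markup present in the current request URI lands
// unescaped inside the attribute (reflected XSS).
function demo_pagination_link_vulnerable( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    echo '<a href="' . $url . '">Page ' . (int) $page . '</a>';
}

// HARDENED: escape at the point of output. esc_url() strips characters
// that are not valid in a URL and encodes '&' and quotes for HTML.
function demo_pagination_link_hardened( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    echo '<a href="' . esc_url( $url ) . '">Page ' . (int) $page . '</a>';
}

// remove_query_arg() has the same behaviour. For URLs used outside an
// HTML context (a redirect, a value stored in the database), esc_url_raw()
// is the right call, since it sanitises without HTML-encoding.
function demo_clear_filter_and_redirect() {
    $url = remove_query_arg( 'filter' );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}
```

The defensive rule is the same in every case: treat the return value of these two functions as untrusted and escape it for the context in which it is used.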

A list of affected plugins is currently on the Sucuri Blog and includes Jetpack, WordPress SEO, Google Analytics by Yoast and Gravity Forms, among many others.


Spyware: New Browser Hack

Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack. Dubbed “Spy in the Sandbox”, this tactic comes with little cost or time to the attacker. They lure the victim to an untrusted web page which contains content controlled by the attacker. Bogus software on the page launches a program that manipulates how data moves in and out of the victim’s PC cache. Because this is spyware, NO data theft occurs. However, it can record details about browser history, keystrokes and mouse movements, using a classic side-channel attack to read the activity of processors, memory, and networking ports.


Ransomware: What Would You Pay?

Sorry. Clearly ransomware isn’t going away, so let’s get smarter about what’s going on out there. If your files were jacked, would you pay? Desperate times call for desperate measures, and at least 30% of security professionals – yes, security – say they would pay. That’s according to a recent survey by ThreatTrack Security.


A realistic expectation is that panic mode will set in. An episode of “The Good Wife” earlier this year accurately depicted the ensuing chaos and desperation that follows when an office discovers it can’t get to the files it needs. The reality is that nobody is working on anything other than the immediate problem at hand. That’s a direct loss, impacting sales and profits. But the truth is that even if you do pay that ransom, you won’t get your files back. Because, as the saying goes, “There is no honour among thieves”, and there is even less among those conducting extortion in the cyberworld. Not when the game has become so easy and so lucrative.


This is cross-posted from the JIG Technologies Inc weekly website piece at http://www.jigitsupport.com/company/yoursecuritymatters/

As always – Thanks for reading!
Cheryl Biswas, InfoSec Co-ordinator and Editor JIG Technologies Inc
