AusCERT Week in Review for 16th November 2018

AusCERT Week in Review for 16th November 2018

Greetings,

This week the steady flow of speculative execution attacks continues, with researchers releasing 7 additions to the vulnerability family (thankfully some are covered by previous mitigations).

In good news for the international community, Mozilla’s Firefox Monitor, which checks your email addresses against Troy Hunt’s Have I Been Pwned platform, is now multilingual! Firefox Quantum will also begin displaying alerts on pages which have suffered a data breach in the last 12 months. This should go a long way to increasing user-visibility of such events, especially for those sites which have to be dragged kicking and screaming to proper user notification.

In further good news, Ubuntu is putting the L in LTS, as 18.04 will be receiving 10 years of support. Recognising that IoT, scientific, and industrial devices traditionally have service lives far greater than the OSes that power them, Ubuntu is doing its best to keep our increasingly networked ecosystem from becoming an unsecurable mess (moreso than it already is).

Lastly, we were once again reminded that BGP is not a secure routing protocol, in the form of a Nigerian ISP rerouting Google (and other) traffic through itself via Russia and China, seemingly by accident. The advertised routes were not prepared to handle the volume of traffic, resulting in a DoS to Google services for over an hour.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Spectre, Meltdown researchers unveil 7 more speculative execution attacks
Date: 14 November
https://arstechnica.com/gadgets/2018/11/spectre-meltdown-researchers-unveil-7-more-speculative-execution-attacks/
Author: Peter Bright
Excerpt: “A research team—including many of the original researchers behind Meltdown, Spectre, and the related Foreshadow and BranchScope attacks—has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The result? Seven new possible attacks. Some are mitigated by known mitigation techniques, but others are not. That means further work is required to safeguard vulnerable systems.”

——

Microsoft closes actively exploited Windows zero-day
Date: 14 November
https://www.itnews.com.au/news/microsoft-closes-actively-exploited-windows-zero-day-515531
Author: Juha Saarinen
Excerpt: “Admins and Windows users have been urged to apply the November 2018 round of security patches urgently, to close off vulnerabilities, one of which is under active exploitation currently.

This is the Kaspersky Labs-reported CVE-2018-8589 vulnerability in the win32k.sys kernel, a privilege elevation bug that allows attackers to run arbitrary code in the local system security context, Microsoft warned.”

——

Firefox Monitor Launches in 26 Languages and Adds New Desktop Browser Feature
Date: 14 November
https://blog.mozilla.org/blog/2018/11/14/firefox-monitor-launches-in-26-languages-and-adds-new-desktop-browser-feature/
Author: Nick Nguyen
Excerpt: “Introducing Firefox Monitor Notifications

Along with making Monitor available in multiple languages, today we’re also releasing a new feature exclusively for Firefox users. Specifically, we are adding a notification to our Firefox Quantum browser that alerts desktop users when they visit a site that has had a recently reported data breach. We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features. This new functionality will gradually roll out to Firefox users over the coming weeks.”

——

Cloudflare launches Android and iOS apps for its 1.1.1.1 service
Date: 11 November
https://www.zdnet.com/article/cloudflare-launches-android-and-ios-apps-for-its-1-1-1-1-service/
Author: Catalin Cimpanu
Excerpt: “Cloudflare launched today official mobile apps for its 1.1.1.1 privacy-first DNS resolver service. Mobile apps for Android and iOS are now available on their respective app stores.

The company first launched the 1.1.1.1 service to great fanfare on April 1, earlier this year. The service is a basic DNS server, but one for which Cloudflare has guaranteed user privacy and improved look-up speed.”

——

How a Nigerian ISP Accidentally Knocked Google Offline
Date: 15 November
https://blog.cloudflare.com/how-a-nigerian-isp-knocked-google-offline/
Author: Tom Paseka
Excerpt: “Last Monday evening – 12 November 2018 – Google and a number of other services experienced a 74 minute outage. It’s not the first time this has happened; and while there might be a temptation to assume that bad actors are at work, incidents like this only serve to demonstrate just how much frailty is involved in how packets get from one point on the Internet to another.”

——

Mark Shuttleworth reveals Ubuntu 18.04 will get a 10-year support lifespan
Date: 15 November
https://www.zdnet.com/article/mark-shuttleworth-reveals-ubuntu-18-04-will-get-a-10-year-support-lifespan/
Author: Steven J. Vaughan-Nichols
Excerpt: “‘I’m delighted to announce that Ubuntu 18.04 will be supported for a full 10 years,’ said Shuttleworth, ‘In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IoT where manufacturing lines for example are being deployed that will be in production for at least a decade.'”

——

Here are this week’s noteworthy security bulletins:

ASB-2018.0288 – [Win] Microsoft Windows: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/71754

Patch Tuesday brings with it the usual slew of vulnerability fixes.

ESB-2018.3542 – [Win][Linux][Ubuntu] gettext: Execute arbitrary code/commands – Remote with user interaction
https://www.auscert.org.au/bulletins/71698

Maliciously formatted messages could cause RCE in GNU internationalisation package gettext.

ESB-2018.3535 – [Virtual] VMware ESXi, Workstation and Fusion: Execute arbitrary code/commands – Existing account
https://www.auscert.org.au/bulletins/71670

VMWare has fixed a couple of vulnerabilities, including a guest-to-host RCE.

Stay safe, stay patched and have a good weekend!

Tim