Why the World Needs OCSY....
Microsoft Rushes Out Fix for Major Hole Caused by Previous Meltdown Patch
Issue affects Windows 7 x64 and Windows Server 2008 R2 x64 systems.
Microsoft has rushed out an out-of-cycle security patch to address problems created by what were supposed to be fixes for the Meltdown vulnerability that it had previously issued for 64-bit Windows 7 and Windows Server 2008 systems.
In an advisory Thursday, the company urged anyone running Windows 7 for x64 systems or Windows Server 2008 R2 for x64-based systems to immediately install the new update. The advice applies to all organizations and users that have installed any of Microsoft's security updates during or after January 2018.
The update for CVE-2018-1038 stems from a warning by Swedish penetration tester Ulf Frisk that Microsoft's Meltdown patch for Windows 7 and Windows Server 2008 created a bigger hole than the one the patch was designed to fix.
The patch basically allowed any running process on these systems to read the complete contents in memory and to write to it as well. "Exploitation was just a matter of read and write to already mapped in-process virtual memory," Frisk said. "No fancy APIs or syscalls required — just standard read and write." The problem stemmed from a permission bit in a key memory table being set in "user" mode rather than "supervisor" mode.
"This made the page tables available to user-mode code in every process," rather than only by the kernel itself, Frisk said.
Chris Goetti, director of product management at Ivanti, says the vulnerability created by the Microsoft patch is pretty significant and something that needs to be addressed with haste, if possible.
"When Microsoft issued a fix for Windows 7 and Windows Server 2008, they made a mistake and ended up opening up read and write access in RAM so anybody could access anything in memory and write to it," he says. "It is a significant vulnerability and leaves those systems pretty much exposed" without the update.
At this point, those with affected systems should test the new patch quickly and roll it out. Another option for those that don't have the time to test the new patch will be to roll back the March update and wait for Microsoft's April update, which is due April 11.
"We are close to the April update," Goetti says. "Our guidance is to either apply the new update or roll back the March update," for Windows 7 x64-bit systems and Windows Server 2008 x64-bit systems, he says.
Organizations should not make the mistake of assuming the issue is related to Meltdown/Spectre and wait for things to settle down, cautions Jack Danahy, CTO and co-founder of Barkly. "This is an easy-to-exploit zero-day vulnerability and a much more probable attack vector that the original problem that Microsoft was trying to correct."
Unlike problems created by Spectre and Meltdown, "this isn't just a cleanup exercise. Microsoft accidentally distributed a new zero-day vulnerability of their own design."
The error is an example of the kind of issues that can crop up when things are rushed, he says. Fixing bugs is akin to serious software development, and it creates the same opportunities for mistakes, Danahy notes.
"I think that this will only serve to further deteriorate organizational willingness to apply patches automatically and without their own testing," he says. "I'm personally hoping that everyone deploys this patch to CVE-2018-1038, because this vulnerability is so easy to exploit that there are already exploit toolkits integrating it."
Panera Website Data Leak
(April 2, 2018)
The Panera Bread restaurant website was leaking customer data for at least eight months until it was taken offline on Monday, April 2. The compromised data include names, email and physical addresses, birth dates, and the last four numbers of payment cards. The leak affected customers who had signed up for an account to order food online. The data were accessible in part because "Panera Bread uses sequential integers for account IDs."
Editor's Note
[Williams]
The corporate response to this vulnerability (which was actually the same vulnerability class repeated over and over throughout the Panera site) could literally be used as a case study of "what not to do." But more importantly, insecure user id generation and lack of authentication controls is web app penetration test 101. It would be very difficult to convince me that any penetration test has been performed on Panera's site as the sequential user IDs would have been found by any competent penetration tester in minutes. Organizations should examine the PR damage done to Panera and use this to justify penetration tests and security playbooks - both of which appear to be lacking here.
Upscale Department Store Payment System Breached
(April 1 & 2, 2018)
Payment systems at some brick-and-mortar Saks Fifth Avenue and Lord & Taylor department stores have been breached. As many as five million payment card numbers allegedly stolen from the stores' systems are being offered for sale online. The breach does not appear to affect online transactions. Both stores are owned by The Hudson's Bay Company, which says that steps have been taken to contain the breach.
Read more in:
- www.reuters.com: Saks, Lord & Taylor hit by payment card data breach
- www.scmagazine.com: Saks, Lord & Taylor breached, 5 million payment cards likely compromised
- www.theregister.co.uk: Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks
- www.nytimes.com: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers
Under Armour Breach Affects 150 Million MyFitnessPal Accounts
(March 29, 30, & April 2, 2018)
Late last week, Under Armour disclosed that its MyFitnessPal app and website had been breached, exposing personal Account information of as many as 150 million accounts. The incident occurred in February 2018. The breach did not affect payment account data, as Under Armour processes that information separately.
Editor's Note
[Honan]
Under Armour was quick to respond to media queries and informed affected users in a timely manner. Well done. In today's threat landscape companies will not be judged on the fact they have a breach but rather how they respond to it.
Read more in:
- investor.underarmour.com: Under Armour Notifies MyFitnessPal Users Of Data Security Issue
- www.scmagazine.com: Under Armour deftly manages breach, dodges GDPR scrutiny
- www.zdnet.com: Under Armour says 150 million MyFitnessPal accounts hit by data breach
- threatpost.com: Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts
