GitHub Security Lab recently published their findings on a vulnerability (CVE-2021-3560) that has been in polkit, the Linux authorization service, for at least seven years. It is a local privilege escalation and may be the first of its kind in what looks like a new class of bugs affecting Linux systems that use D-Bus: from an ordinary user shell, an attacker can gain root through D-Bus by abusing polkit. The flaw is a timing issue: if the D-Bus client making a request disconnects while polkit is still looking up its credentials, the error is mishandled and the request is treated as though it came from root. Affected popular distros include Ubuntu 20.04, Debian "Bullseye" and RHEL 8.
It looks like our big-brother friends at Google are rolling out a new tracking technology. Beginning with Chrome version 89, Google has added Federated Learning of Cohorts ("FLoC"): when it is enabled, the browser computes a cohort identifier from your browsing history and exposes it to any web site you visit through the document.interestCohort() JavaScript API. The cohort is shared with a few thousand other users rather than being unique to you, but it still lets sites profile you without cookies, and ad-blocking plug-ins do not block it by default. Google is currently beta-testing it (an "origin trial") in 0.5% of browser installs in select regions, including the US. Site operators who do not want their visitors included in cohort calculations can send the response header Permissions-Policy: interest-cohort=().
If you don't want the virtual white van following you around the Internet, I'd recommend moving to an alternate browser such as Firefox or the new Microsoft Edge, which is built on Chromium like Google Chrome but has not enabled FLoC.
Researchers at Trend Micro recently reported a bug (CVE-2021-31166) affecting Microsoft Internet Information Services (IIS) on Windows 10 and Windows Server versions 2004 and 20H2. The bug is not in IIS itself but in HTTP.sys, the kernel-mode HTTP driver it relies on. Microsoft has already issued patches, so if you run IIS on those versions you should patch now: the bug requires no authentication, can be triggered with a single crafted request, and Microsoft rates it as wormable.
I'm sure you have all heard about the ransomware attack that shut down Colonial Pipeline, a major US fuel pipeline carrying roughly 45% of the fuel consumed on the US east coast, which is causing gas prices to spike. The malware is suspected to be of Russian origin, but the attack is not believed to be state-sponsored and appears to be purely financially motivated.
The hacker group calling themselves "DarkSide" claimed responsibility for the attack, but surprisingly they also issued an apology. They apologized for taking down a public utility and promised to vet their targets in future campaigns so as not to affect critical infrastructure.
Gee thanks guys.
This vulnerability is in the Chromium engine shared by Google Chrome, Microsoft Edge, Opera and every other Chromium-based browser, so all of them are exposed. Because the bug only gets code running inside the renderer sandbox, all an attacker needs now to complete the kill chain is a sandbox escape.
CENSUS Labs announced that they found bugs in a recent version of WhatsApp for Android, running on Android 9, that can be chained into remote code execution. The first is an information-disclosure bug that lets a remote adversary collect the TLS session material for a WhatsApp connection; the second is in Chrome's handling of the "content://" URL scheme.
Security researchers at Qualys have discovered a heap overflow in sudo on Linux (CVE-2021-3156, which they named "Baron Samedit"). According to their blog post about it:
“The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.”
Qualys blog post: http://bit.ly/36kZHsL
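Two ways to check a host against the ranges quoted above, as an added example (this is not code from Qualys or the sudo project). The version check is only a first cut, because distributions routinely backport the fix without changing the version string; the authoritative test is the sudoedit probe Qualys published: on a vulnerable sudo, `sudoedit -s /` fails with a message beginning "sudoedit:", while a patched sudo rejects the option combination with a message beginning "usage:". The helper names below are my own.

```bash
#!/usr/bin/env bash
# Added example: triage a host for CVE-2021-3156 (Baron Samedit).
# Run as a normal, non-root user; nothing here needs a password.

# Turn a sudo version string such as "1.8.31p2" into a zero-padded,
# numerically comparable key, e.g. 001008031002. A missing "pN" counts as p0.
sudo_version_key() {
    local v=$1 base patch
    base=${v%%p*}
    if [ "$base" = "$v" ]; then patch=0; else patch=${v##*p}; fi
    local IFS=.
    set -- $base
    printf '%03d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "$patch"
}

# Compare a version against the affected ranges from the Qualys advisory:
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1.
# Prints "affected" or "not_affected". Treat "affected" as a reason to run the
# sudoedit probe, not as proof: distro packages backport fixes silently.
sudo_version_affected() {
    local k lo_legacy hi_legacy lo_stable hi_stable
    k=$(sudo_version_key "$1")
    lo_legacy=$(sudo_version_key 1.8.2);  hi_legacy=$(sudo_version_key 1.8.31p2)
    lo_stable=$(sudo_version_key 1.9.0);  hi_stable=$(sudo_version_key 1.9.5p1)
    if { [ "$k" -ge "$lo_legacy" ] && [ "$k" -le "$hi_legacy" ]; } || \
       { [ "$k" -ge "$lo_stable" ] && [ "$k" -le "$hi_stable" ]; }; then
        echo affected
    else
        echo not_affected
    fi
}

# Classify the error text produced by `sudoedit -s /` (the Qualys probe):
#   "sudoedit:" prefix -> vulnerable  (the bogus -s was accepted and sudo went on)
#   "usage:"    prefix -> patched     (the -s/-e combination is rejected up front)
#   anything else      -> unknown     (no sudo, unusual build, wrapper, ...)
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# First line of `sudo -V` is "Sudo version X.Y.Z"; print just X.Y.Z.
local_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

# Run the probe on this machine. stdin comes from /dev/null so it can never
# block on a prompt; the probe fails on purpose, so ignore its exit status.
probe_local_sudo() {
    local out
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo unknown
        return
    fi
    out=$(sudoedit -s / 2>&1 </dev/null) || true
    classify_sudoedit_output "$out"
}

# Invoked directly with --probe, report on this host; sourcing the file or
# running it without arguments only defines the functions.
if [ "${1:-}" = "--probe" ]; then
    ver=$(local_sudo_version)
    printf 'sudo %s: version check says %s, sudoedit probe says %s\n' \
        "${ver:-unknown}" "$(sudo_version_affected "${ver:-0.0.0}")" "$(probe_local_sudo)"
fi
```

The probe result wins whenever it disagrees with the version check: "affected" plus "patched" is the normal picture on a distribution that backported the fix, while "not_affected" plus "vulnerable" would mean a vendor build you cannot trust by version alone.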
Security researchers at Armis have taken Samy Kamkar's NAT Slipstreaming technique to a new level. The original technique let an attacker reach a single host, the victim's own machine, behind a NAT firewall; the new variant can expose ANY device on the internal network to the Internet: http://bit.ly/3clM0xy
Google's Project Zero recently published information on an exploit chain being actively used to gain privileged access on Windows via Chrome and any other browser based on the Chromium engine. A vulnerability (CVE-2020-15999) in the FreeType font library that Chrome bundles allows remote code execution in the renderer, and the code then exploits a vulnerability (CVE-2020-17087) in the Windows kernel cryptography driver (cng.sys) to escape the Chrome sandbox. The Chrome side has already been patched; the Windows side won't be fixed until November's Patch Tuesday on November 10th, so until then the sandbox escape remains usable by anyone who pairs it with another renderer bug.
Microsoft released a critical patch this month for CVE-2020-1472, better known to the hacker community as Zerologon, a flaw in the Netlogon protocol that lets an unauthenticated attacker on the network take over a domain controller. The attack has already been integrated into mimikatz, and it affects Windows Server 2008 R2 through Windows Server 2019. This month's update is only the first phase: after applying it, watch the System log on your domain controllers for Event IDs 5827, 5828 and 5829, which flag devices still making vulnerable Netlogon connections before enforcement kicks in.