Daily NCSC-FI news followup 2020-09-08

Microsoft September 2020 Patch Tuesday fixes 129 vulnerabilities

www.zdnet.com/article/microsoft-september-2020-patch-tuesday-fixes-129-vulnerabilities/ Twenty critical remote code execution bugs have been patched this month, including in Windows and SharePoint enterprise servers. See also: isc.sans.edu/diary/rss/26544

Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers

threatpost.com/critical-adobe-flaws-attackers-javascript-browsers/159026/ Adobe patched 11 bugs overall in its Experience Manager; five of those are rated critical severity, and the rest are “important” severity. The critical flaws are all XSS glitches

Intel fixes critical flaw in corporate remote management platform

www.bleepingcomputer.com/news/security/intel-fixes-critical-flaw-in-corporate-remote-management-platform/ Intel today addressed nine security vulnerabilities with the release of the September 2020 Platform Update, one of them being a critical flaw impacting the Active Management Technology (AMT) and Intel Standard Manageability (ISM) platforms. See also:

www.intel.com/content/www/us/en/security-center/default.html

Researcher reveals Google Maps XSS bug, patch bypass

www.zdnet.com/article/researcher-reveals-google-maps-xss-bug-patch-bypass/ The bounty was doubled after the bug bounty hunter realized the original fix had failed.

France, Japan, New Zealand warn of sudden spike in Emotet attacks

www.zdnet.com/article/france-japan-new-zealand-warn-of-sudden-spike-in-emotet-attacks/ N.B. In addition to the countries mentioned in the article Finland and Norway have also released warnings about Emotet activity in recent weeks. NCSC-FI:

www.kyberturvallisuuskeskus.fi/en/emotet-malware-actively-spread-finland. NorCERT:

nsm.no/fagomrader/digital-sikkerhet/nasjonalt-cybersikkerhetssenter/varsler-fra-ncsc/varsel-om-pagaende-emotet-kampanje

DoppelPaymer ransomware hits Newcastle University, leaks data

www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-newcastle-university-leaks-data/

Cryptobugs Found in Numerous Google Play Store Apps

threatpost.com/cryptobugs-found-in-numerous-google-play-store-apps/159013/ A new dynamic tool developed by Columbia University researchers flagged cryptography mistakes made in more than 300 popular Android apps. Academics from Columbia University developed a custom tool, CRYLOGGER, that analyzes Android applications for unsafe use of cryptographic code according to 26 basic cryptography rules. Those rules include avoiding the use of: broken hash functions, bad passwords, reusing passwords multiple times, HTTP URL connections or a “badly-derived” key for encryption.

You might be interested in …

Daily NCSC-FI news followup 2020-12-12

Adobe releases final Flash Player update, warns of 2021 kill switch www.bleepingcomputer.com/news/software/adobe-releases-final-flash-player-update-warns-of-2021-kill-switch/ After 24 years of fun games and abuse by threat actors, Adobe has released their final Flash Player update and thanked everyone for the fantastic content that they have released over the years. Starting in January 2021, all browser developers will remove Adobe […]

Read More

Daily NCSC-FI news followup 2020-04-26

Hackers are exploiting a Sophos firewall zero-day www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/ Read also: community.sophos.com/kb/en-us/135412 and www.theregister.co.uk/2020/04/26/security_roundup_240420/. As well as: www.bleepingcomputer.com/news/security/hackers-exploit-zero-day-in-sophos-xg-firewall-fix-released/ Reopen Domains: Shut the Front Dorr www.domaintools.com/resources/blog/reopen-domains-shut-the-front-dorr Update: We noticed that while working on this piece Brian Krebs posted an excellent article on the same. What can we say, but great minds think alike? Since we dug into […]

Read More

Daily NCSC-FI news followup 2019-07-24

Low Barr: Don’t give me that crap about security, just put the backdoors in the encryption, roars US Attorney General www.theregister.co.uk/2019/07/23/us_encryption_backdoor/ While speaking today in New York, Barr demanded eavesdropping mechanisms be added to consumer-level software and devices, mechanisms that can be used by investigators to forcibly decrypt and pry into strongly end-to-end encrypted chats, […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.