This Week in Security: Patch Monday Mysteries, CentOS 8 and CentOS Stream, Russian Surveillance, and CSRF

So first off this week is something of a mystery. Microsoft released an out-of-cycle patch for Internet Explorer. The exploitability assessment from Microsoft indicates that this bug is under active exploitation, but not many details are available. Let’s take a look at what information has been released, and see what we can learn.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

It’s a remote code execution vulnerability, it affects Internet Explorer, it’s in the scripting engine, and it happens due to objects in memory being mishandled. We could take some guesses, but later in this document we’re given a few other clues. The workaround is to disable jscript.dll, and the impact is limited, as jscript9.dll is the default JavaScript engine. jscript.dll is apparently a legacy JavaScript engine that a website can request.

“Jscript” is what Microsoft called their shameless copy implementation of JavaScript. The older jscript.dll seems to be present in newer versions of Internet Explorer for compatibility reasons. So it’s a problem in how the older JavaScript library handles objects. Any website can request this legacy engine, so the attack vector is basically unlimited.

The urgency implied by the out-of-cycle patch, combined with the otherwise eery silence surrounding this patch, suggests this 0-day was possibly being used in a targeted attack. We hope the details will eventually be revealed.

CentOS 8 and CentOS Stream

CentOS 8 was released this week, the community repackage of Red Hat Enterprise Linux (RHEL) 8. In 2014, Red Hat announced that CentOS was officially becoming a Red Hat sponsored project. This week, CentOS Stream was also announced.

The Fedora distribution has long served as a test-bed for upcoming RHEL releases, with RHEL 8 being based on Fedora 28. CentOS Stream will serve as a “midstream” distribution, a rolling release that pulls updates from Fedora, and will eventually become future RHEL/CentOS releases. It remains to be seen exactly how far ahead of the main CentOS distribution Stream will stay. A long-standing problem with CentOS is that by the time a release hits end-of-life, some of the software versions are very old. Even though security fixes are quickly backported to these older versions, there are security issues that arise as a result. For example, CentOS 7 contains PHP 5.4 with no official path to installing a newer version of PHP. WordPress now requires PHP 5.6.20 as the oldest supported PHP version. Red Hat may backport fixes to PHP 5.4, but that doesn’t help the out-of-date installs of WordPress, running on otherwise up-to-date CentOS machines.

Hopefully CentOS Stream will provide the much needed middle-ground between the bleeding-edge pace of Fedora, and the frustratingly slow march of CentOS/RHEL.

Russian Surveillance

A Nokia employee accidentally backed up a company drive to his home storage device, which was unintentionally Internet accessible. The data contained on this drive was detailed information on Russia’s SORM (System for Operative Investigative Activities), the government’s wiretapping program. The amount of data revealed is staggering, 1.7 terabytes. Passwords, administrative URLs, and even precise physical locations were included. The breadth of information makes one wonder if it was actually an accident, or if this was intended to be another Snowden style data leak. Just an aside, it’s not clear that the revealed wiretapping effort is as broad or onerous as the one Snowden revealed.

PHPMyAdmin CSRF

Running PHPMyAdmin on one of your servers? You should probably go update it. Version 4.9.1 was released on Saturday the 21st, and contains a fix for CVE-2019-12922. This vulnerability is a Cross Site Request Forgery, or CSRF. A CSRF attack can be as simple as an image link on one site, that links to another site, and triggers an action on that second site. Let’s look at the PHPMyAdmin example:

img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1";
style="display:none;"

A hidden image will actually trigger an HTTP GET request, which asks for the server’s page, and tries to remove the first entry. If a user is logged in to the PHPMyAdmin server that the link is targeting, the command will silently complete. This is one of the reasons that HTTP GET requests should never make state changes, and only ever retrieve information. An HTTP POST message is much harder to generate in this way, though not impossible.



from Hackaday https://ift.tt/2naGA0M

Comments

Post a Comment

Popular posts from this blog

Fleksy + GIF Keyboard v9.0.0 [Premium] [Latest]

Fleksy is the most fun, customizable way to type, and officially the fastest keyboard in the world. Find and send GIFs & Stickers, and customize your keyboard with powerful extensions & colorful themes.. Use Extensions like: GIFs, Hotkeys, Number Row, Cursor Control, One-Handed Typing, Stickers, Rainbow Key Pops and more. • “This is much better than your standard input methods and predictive text engines.” – TechCrunch • Killer text prediction that works with even the sloppiest of writing – TIME MAGAZINE Really awesome app and best keyboard in whole playstore Please remain like this forever and don’t become like other app which gives so much advertisement and gives so much of trouble so be good like present. It is the The post Fleksy + GIF Keyboard v9.0.0 [Premium] [Latest] appeared first on APK4Free . from APK4Free http://ift.tt/2uy8jbp
Read more

Clipboard Manager : Clipo Pro v8.19-pro [Paid] [Latest]

Clipo creates quick and smart actions for your copied text and shows them as a notification or a intuitive and beautiful list in the app! Features: Cloud Backup and Sync across multiple devices! See all your clips, in a clean and intuitive materially designed list! You can quickly copy an older clip to the Clipboard for using! Search: Get a quick action to search the copied text on the search engine of your choice – Google, Bing, Baidu, AOL, DuckDuckGo! Call: Filters your clips and detects phone numbers to give you a one tap to call experience! Add to Contacts: Filter phone numbers and quickly add to contacts! Open Link: Quickly open a link in your clip! Shorten Link: Quickly The post Clipboard Manager : Clipo Pro v8.19-pro [Paid] [Latest] appeared first on APK4Free . from APK4Free http://ift.tt/2wGr9ht
Read more

VPN 365 – Free Unlimited VPN Proxy & WiFi VPN v1.6.0 [Ad-Free] [Latest]

VPN 365, the best free high-speed WiFi VPN with unlimited proxy connection time. Offers you the freedom to access your favorite content, websites, apps, videos from anywhere and encrypts your internet activities to protect you from hackers. Why use a VPN? To view websites restricted in your region For a more secure internet environment: When connected to a VPN, your IP Address will be hidden when you surf the internet, so no one can track your browsing activities. If you are on a business trip or studying abroad, a VPN is your great tool to use. How to use VPN 365? Tap the Connect button in the app, accept permission request if it shows up, and wait for the connection The post VPN 365 – Free Unlimited VPN Proxy & WiFi VPN v1.6.0 [Ad-Free] [Latest] appeared first on APK4Free . from APK4Free https://ift.tt/2yZWC0o via
Read more