Security Week 25: Microsoft’s record-breaking patch set

Last Tuesday, June 9, Microsoft released another set of patches for its products (overview article, release notes, news on Habré). The update set a record for the number of vulnerabilities closed: 129, including 11 critical. According to this review, the June Patch Tuesday brought the number of problems closed this year to 616, which is slightly less than the total for the whole of 2017.

The update fixes three vulnerabilities in the SMB protocol at once. None of them is as dangerous as previously discovered problems (for example, the infamous EternalBlue hole), but in two cases out of three denial of service and data leakage are possible. Another "deja vu": a problem detected in the .LNK file handler may lead to the execution of arbitrary code with the user's rights. A critical vulnerability was also closed in the .CAB file handler. In this scenario, attackers could convince the user to install "prepared" printer drivers and then take control of the system.

The Microsoft update also addresses a problem in Adobe Flash Player. This product was once a regular in security news digests. As users and the vendor move away from this technology (since 2017), the number of detected problems decreases along with attackers' interest. Nonetheless, a critical use-after-free vulnerability had to be closed on both the Adobe side and the Microsoft side, as it affects the implementation bundled with the Edge and Internet Explorer browsers. Finally, Microsoft closed a serious hole in SharePoint Server that allows an unauthorized user to take control.

The timely detection of vulnerabilities is, on the whole, a positive development. It is not worth judging the quality of software by the number of bugs, especially if they get fixed rather than sitting there for years. For the second month in a row, Microsoft has not had to fix any zero-day vulnerabilities: none of the problems had been used in real attacks. Unfortunately, patches sometimes bring new problems. In the case of the June patch set, users report missing ports for USB printers.

What else happened:

A very ambiguous story: Facebook's fight against a California resident who systematically harassed teenagers online. The culprit used the secure Linux distribution Tails and hid his real IP address behind the Tor network. To counter him, the social network built a behavioral detection system for the new accounts he kept creating. But it was only possible to identify and arrest the attacker after an exploit was developed for the media player built into the distribution. The exploit cost Facebook a "six-figure" sum and helped determine the real IP. In an official comment, Facebook representatives point to the exceptional nature of the situation and insist that they will not use such methods in other cases.

A journalistic investigation (Reuters article, report on the Citizen Lab website) describes a company from India that offers "hacking for money" services to anyone. This service was also used to monitor politicians, businessmen and journalists.

Representatives of Microsoft, Amazon and IBM announced voluntary restrictions on their face recognition work. This decision was prompted by political events in the USA, but its effectiveness is not clear. History shows that it is difficult to "close" any technical innovation. IBM's refusal to develop recognition systems, or Amazon's refusal to sell them to government agencies, may slow down the development of the technology, but is unlikely to stop it: there are always others who want it.

An interesting bug in the Windows command line. A description is available at the link, but the pictures above are enough: we enter the ping command with an "add-on", and the calculator is launched instead.

The British company KeepNet Labs has lost a database of leaked passwords. The database of more than five billion records was collected from public leaks and, apparently, was used to protect the company's customers, but a contractor of the organization accidentally made it publicly accessible. What makes this story unusual is the threats of legal action against bloggers and reporters who covered the leak, along with the demand to remove the company's name. As a result, the problem had to be acknowledged officially.

Researcher Scott Helme writes about the expiration of a number of root certificates. Such events most often affect devices that have not been updated for a long time. In particular, smart TVs and internet-connected refrigerators are mentioned, which may lose contact with the outside world with no warning to the owner.

A study (PDF, ZDNet article) describes a method of eavesdropping at a distance via light bulbs. Researchers found that sound vibrations cause microscopic changes in lamp brightness (modern LED lights were tested). Using a telescope and an optical sensor, the brightness changes were converted into sound at a distance of up to 25 meters.
