RubyGems 2.7.6 addresses several flaws and implements some improvements
20.2.2018 securityaffairs
Vulnerability

The RubyGems 2.7.6 update, released last week, includes several security improvements and addresses several types of vulnerabilities.
The new release fixes several vulnerabilities in RubyGems and adds a number of hardening measures.

The updates prevent path traversal when writing to a symlinked basedir outside of the root and during gem installation.


The updates also address a cross-site scripting (XSS) vulnerability in the homepage attribute when displayed via gem server and an Unsafe Object Deserialization issue in gem owner.

The new RubyGems release also raises a security error when there are duplicate files in a package and enforces URL validation on the spec homepage attribute.

To update to the latest RubyGems you can run:

gem update --system


Several Vulnerabilities Patched in RubyGems
20.2.2018 securityweek
Vulnerability

An update released last week for RubyGems includes several security improvements and patches for various types of vulnerabilities.

RubyGems 2.7.6 patches path traversal vulnerabilities that exist when writing to a symlinked basedir outside of the root and during gem installation. It also fixes a cross-site scripting (XSS) vulnerability in the homepage attribute when displayed via gem server, and a possible unsafe object deserialization flaw.

This was not the only deserialization issue patched recently in RubyGems. Back in October, developers informed users that an unsafe deserialization vulnerability could have been exploited for remote code execution.

The latest version of RubyGems also includes some security improvements, such as triggering a security error when a package contains duplicate files, enforcing URL validation on the spec homepage attribute, and strictly interpreting octal fields in tar headers.

Yasin Soliman, nmalkin and plover have each been credited for two of the vulnerabilities patched in RubyGems 2.7.6.

A total of five security holes were patched in RubyGems last year. The deserialization issue, tracked as CVE-2017-0903, and an ANSI escape sequence vulnerability identified as CVE-2017-0899 were the only ones rated “high severity” based on their CVSS score.

Other vulnerabilities fixed last year included a DNS request hijacking issue, a denial-of-service (DoS) flaw, and a weakness that could have been exploited by malicious gems to overwrite arbitrary files.

Five vulnerabilities were also patched last year in Ruby itself, including command injection and memory corruption issues.
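As an added illustration (this is not RubyGems' own code), the following Ruby script reimplements in simplified form three of the checks the 2.7.6 release adds: homepage URL validation, strict octal parsing of tar header fields, and path-traversal, duplicate-file and symlinked-basedir checks on package entries. The function names and sample paths are this example's own.

```ruby
require "uri"
require "tmpdir"
require "fileutils"

# 1. The spec homepage must be an absolute http(s) URL with a host. This keeps
#    "javascript:" URLs and HTML fragments out of the attribute that gem server
#    later renders into a page.
def valid_homepage?(value)
  uri = URI.parse(value.to_s)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# 2. Numeric tar header fields (mode, size, mtime) are NUL/space padded octal.
#    A lenient parser (String#to_i(8)) silently stops at the first bad
#    character, so a crafted header can mean one thing to the checker and
#    another to the extractor. Here anything outside 0-7 is an error.
def strict_octal(field)
  text = field.delete("\0").strip
  unless text.match?(/\A[0-7]+\z/)
    raise ArgumentError, "non-octal tar header field: #{field.inspect}"
  end
  text.to_i(8)
end

def inside?(root, path)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# 3a. Lexical check: every entry must resolve inside install_dir (no "../" or
#     absolute paths), and no path may appear twice in the package.
def check_entries(install_dir, entries)
  root = File.expand_path(install_dir)
  seen = {}
  errors = []
  entries.each do |entry|
    if seen[entry]
      errors << "duplicate file: #{entry}"
      next
    end
    seen[entry] = true
    dest = File.expand_path(entry, root)
    errors << "path traversal: #{entry} -> #{dest}" unless inside?(root, dest)
  end
  errors
end

# 3b. The lexical check is not enough once directories exist on disk: a
#     symlink inside install_dir can point outside it. Resolve the deepest
#     existing ancestor of the destination and require the real path to stay
#     inside the real install root.
def safe_destination?(install_dir, entry)
  root = File.realpath(install_dir)
  dest = File.expand_path(entry, root)
  return false unless inside?(root, dest)
  existing = dest
  existing = File.dirname(existing) until File.exist?(existing)
  inside?(root, File.realpath(existing))
end

if __FILE__ == $0
  # Constructed demo: a symlinked "basedir" inside the install root.
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "gems")
    FileUtils.mkdir_p(File.join(tmp, "outside"))
    FileUtils.mkdir_p(root)
    File.symlink(File.join(tmp, "outside"), File.join(root, "link"))
    puts safe_destination?(root, "lib/foo.rb")   # true
    puts safe_destination?(root, "link/evil.rb") # false: basedir is a symlink out of root
  end
end
```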


NIST Working on Global IoT Cybersecurity Standards
20.2.2018 securityweek IoT

NIST is Working Towards International Cybersecurity Standards for the Internet of Things With Draft Interagency Report (NISTIR) 8200

The Internet of Things (IoT) is here and growing. It has the potential to facilitate or obstruct the further evolution of the Fourth Industrial Revolution; largely depending upon whether it is used or abused. Its abusers will be the same criminal and aggressor state actors that currently abuse information systems. But while there are standards and frameworks for defending information networks against aggressors, there are no adequate international standards for securing the internet of things.

In April 2017, the Interagency International Cybersecurity Standardization Working Group (IICS WG) -- established by the National Security Council’s Cyber Interagency Policy Committee (NSC Cyber IPC) -- set up an Internet of Things (IoT) Task Group to determine the current state of international cybersecurity standards development for IoT.

NIST has now published the draft NISTIR document: The Status of International Cybersecurity Standardization for IoT. It is intended to assist the member agencies of the IICS WG Task Group "in their standards planning and to help to coordinate U.S. government participation in international cybersecurity standardization for IoT." NIST is seeking feedback, especially on the information about the state of cybersecurity standardization for IoT, at NISTIR-8200@nist.gov by April 18.

The scope of securing the IoT is a mammoth task. To aid the understanding of this scope, NIST describes the IoT in five separate functional areas: connected vehicles; consumer IoT; health and medical devices; smart buildings; and smart manufacturing (including ICS). There are nuanced differences between securing these functional areas and traditional cybersecurity. While security has traditionally prioritized confidentiality, integrity and availability (CIA) in that order of priority, for the most part 'availability' is the priority for IoT devices.

Consumer IoT is one area that may be different, with the traditional need for confidentiality (as in privacy) still dominant. Patient privacy is also a consideration for medical devices. But, "In addition to data privacy and patient safety", comments Jun Du, Senior Director and Architect at ZingBox, "we must also put a heavy focus on ensuring uninterrupted service of medical devices. A cyber-attack can bring down the entire hospital by disrupting their service delivery, putting patient lives at risk."

This is the fundamental difference between traditional information security and IoT security -- it is closer to OT than to IT. "The objectives of confidentiality, integrity and availability altogether focus on information security rather than IoT security," adds Du. "When it comes to IoT security, availability of the device is more relevant to business operations than just the security of information. We should focus on availability first, then look at confidentiality and integrity."

Even in consumer IoT, there is an operational element. Many of the threat vectors are similar between IoT and information networks, but the effects of a successful attack could be more dramatic.

The biggest problem for IoT devices, comments Drew Koenig, security solutions architect at Magenic, "are IoT devices that limit or prevent updating and patching. That's the killer; a zero day -- and the only solution is to replace your fridge before someone hacks it and floods your kitchen."

That metaphor traverses NIST's five IoT functional areas: crashed cars, flooded kitchens and locked doors, malfunctioning heart pacemakers, stuck elevators and power failures, and failing production lines.

To get the IICS WG Task Group started in its work to discover the current state of international IoT standardization, the NISTIR 8200 compiles a table of potentially relevant existing standards separated into eleven core cybersecurity areas. These areas range from cryptographic techniques and cyber incident management, through IAM and network security, to supply chain risk management and system security engineering.

Each one of these core cybersecurity areas will present its own IoT-specific difficulties. For example, Du comments, "While encryption is a highly recommended security trend, it isn’t without its drawbacks. Encryption can hide valuable details needed by various teams including security researchers, incident response teams, and security vendors in addition to hiding them from hackers. Insider threats may also attempt to leverage end-to-end encryption to evade detection. In order to protect against these risks, IoT vendors should provide limited visibility through exportation of logs, session stats and meta data information."

A wide range of existing and potentially relevant standards are mapped against these core areas, providing links to the standard, the standard developing organization (SDO), and a description of the standard. It becomes the raw material for a gap analysis between existing and necessary standards. Such an analysis is also provided, mapping standards to the core areas across the five functions. Only 'cryptographic techniques' https://www.securityweek.com/review-nist-crypto-standards-and-developmen... and 'IAM' have available standards applicable to four of the five categories; but always with the rider that there is slow uptake of these standards.

The fifth and missing category is medical IoT, which fares worst of all the five categories for existing applicable standards. However, the two core areas of 'IT system security evaluation' and 'network security' have no available standards applicable to any of the five IoT categories. In reality, the entire gap analysis makes depressing viewing: there are no core areas that have standards adequately adopted in any of the five IoT categories. Even where there are standards, uptake is slow.

Missing from this draft document is any standard that requires the ability for firmware updates within the IoT device build. This may be because there is no existing standard that attempts this. Where 'patching' is mentioned in the draft NISTIR document, it is solely for patch management, or remediation where patching is not possible.

"This document is a good start," comments Koenig. The reality, however, is that it will be a long time before any serious benefit comes from the work. He sees two areas of primary concern. The first is a lack of regulation. NIST doesn't regulate the private sector, although its recommendations can be required for the public sector. Even if this work eventually leads to IoT standards recommendations, it will require separate legislation to enforce the recommendations across the private sector. That still won't necessarily address the manufacture of overseas-sourced devices, or the assembly of devices with multiple foreign components.

Without regulation over device manufacture and development, Koenig's second big concern comes into play: "IoT devices that limit or prevent updating and patching. That's the killer," he says.

But even with regulation controlling the manufacture of IoT devices, that still won't necessarily solve the problems. Steve Lentz, CSO and director of information security at Samsung Research America, has always believed that security teams need to do their own 'due diligence' on products and processes, and not rely on what they are told by vendors. He suspects that standards and regulations "will bring out vendors claiming to provide IoT security. Again, this is where security teams need to do their due diligence and really check/test out these claims," he warns. "IoT is also Wi-Fi which is now everywhere. We need to ensure complete work infrastructure is secure just not the traditional network defenses.

"We need to ensure we thoroughly research solutions that fit our environments," he continued. "The government can give oversight and make recommendations, but we need to find the solution that works best for us."


Macro-Based Multi-Stage Attack Delivers Password Stealer
20.2.2018 securityweek
Vulnerability Attack

A malicious attack uses a multi-stage infection to deploy malware that is capable of stealing passwords from various applications on a victim’s computer, Trustwave reports.

The attack starts with spam emails distributed from the Necurs botnet to deliver macro-enabled documents, such as Word docs, Excel spreadsheets, or PowerPoint presentations, to the targets.

As part of this infection campaign, DOCX attachments containing an embedded OLE object with external references were used. The relationships file document.xml.rels is what lets the document reference remote OLE objects, so the attachment can reach out to external content, Trustwave explains.

As soon as the user opens the file, a remote document is accessed from the URL hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. Although it has a .doc extension, the file is actually a RTF document.

Once executed on the victim’s system, the file attempts to exploit the CVE-2017-11882 vulnerability that Microsoft patched last November in the Office’s Equation Editor tool, and which has been already abused in a wide range of attacks.

The RTF file executes an MSHTA command line to download and execute a remote HTA file. In turn, the HTA file contains VBScript with obfuscated code which decodes to a PowerShell Script designed to fetch and run a remote binary file.

This binary is the final payload, which turns out to be a password stealer malware family capable of gathering credentials from email clients, FTP clients, and browsers installed on the victim’s machine. To do so, it concatenates strings in memory and uses the RegOpenKeyExW and PathFileExistsW APIs to check whether the registry keys or file paths of various programs exist.

The malware was observed sending the harvested data to its command and control (C&C) server via a HTTP POST request.

The most interesting aspect of this attack is the use of multiple stages to deliver the final payload, an approach that Trustwave calls unusual. The security researchers also point out that this long infection chain is more likely to fail compared to other, more straightforward attacks.

“Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process. Another noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF,” Trustwave concludes.
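The external-reference hook in document.xml.rels is something a mail gateway or triage script can look for directly. As an added example (not Trustwave's code), this Ruby snippet scans a .rels file for OLE-object relationships with TargetMode="External" that point at an http(s) target; the sample .rels content is constructed, and the script assumes the file has already been extracted from the DOCX zip container.

```ruby
# Relationship type Word uses for OLE objects in document.xml.rels.
OLE_OBJECT_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Return every <Relationship> element whose TargetMode is External, as a
# hash of its Id, Type and Target. Plain regex scanning keeps this
# dependency-free; the .rels files are small and flat.
def external_relationships(rels_xml)
  rels_xml.scan(/<Relationship\b([^>]*?)\/?>/i).flat_map do |(attrs)|
    rel = attrs.scan(/(\w+)="([^"]*)"/).to_h
    next [] unless rel["TargetMode"].to_s.casecmp?("External")
    [{ id: rel["Id"], type: rel["Type"], target: rel["Target"] }]
  end
end

# Flag only OLE objects fetched over http(s). External hyperlinks are
# ordinary in documents and are deliberately left alone to limit noise.
def suspicious_ole_links(rels_xml)
  external_relationships(rels_xml).select do |rel|
    rel[:type] == OLE_OBJECT_TYPE && rel[:target].to_s.match?(%r{\Ahttps?://}i)
  end
end

# Constructed sample .rels: a normal style part, a benign external hyperlink,
# and a remote OLE object of the kind the campaign above relies on.
SAMPLE_RELS = <<~XML
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
    <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
    <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
    <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://remote.invalid/remote.doc" TargetMode="External"/>
  </Relationships>
XML

if __FILE__ == $0
  suspicious_ole_links(SAMPLE_RELS).each do |rel|
    puts "#{rel[:id]}: external OLE object -> #{rel[:target]}"
  end
end
```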


SIM Hijacking – T-Mobile customers were victims of an info disclosure exploit
20.2.2018 securityaffairs Hacking Mobile

Lorenzo Franceschi-Bicchierai published an interesting post on SIM hijacking highlighting the risks for end users and their exposure to this illegal practice.
In 2017, hackers stole some personal information belonging to T-Mobile customers by exploiting a well-known vulnerability.

A video tutorial titled ‘T-Mobile Info Disclosure exploit’ showing how to use the flaw was also published on the Internet.

By exploiting the vulnerability, it was possible to access certain customer data, including email addresses, billing account numbers, and the phone’s IMSI number.

Such information could be used by hackers in social engineering attacks against T-Mobile’s customer support employees with the intent of stealing the victim’s phone number.


The attackers can use this data to impersonate the target customer: crooks call T-Mobile customer care posing as the victim with the intent of tricking the operator into issuing a new SIM card for the victim’s number.

The crooks activate the new SIM and take control of the victim's phone number, which they can then use to steal the victim’s identity. This is the beginning of the nightmare for the victims, who suddenly lose their service.

Many web services rely on the user’s phone number to reset passwords, which means that once the attackers have activated the new SIM they can use it to carry out password reset procedures and take over the victim’s accounts on many web services.

Lorenzo reported many stories of SIM hijacking victims; this is the story of T-Mobile customer Fanis Poulinakis:

“Today I lived a nightmare.

My phone all of the sudden stopped working – I tried to contact T-Mobile through twitter—no phone right?—It took them an hour to let me know that someone must have transferred my number to another carrier and they asked me to call my bank to let them know.

I immediately log in on my bank account and voila! $2,000 were gone.

I’ve spent the whole day between T-Mobile, Chase Bank and trying to understand what happened. What a nightmare.

[…] It is unbelievable—and I think it’s also a negligence from T-Mobile’s side that they don’t make it mandatory to have a password connected to the phone number rather than the social number. […] It’s the first time I’m realizing how vulnerable our information is.”

SIM hijacking can be a true nightmare for the victims; I suggest reading the other testimonies reported by Lorenzo in his blog post.


City Union Bank is the last victim of a cyber attack that used SWIFT to transfer funds
20.2.2018 securityaffairs Cyber

The Indian bank Kumbakonam-based City Union Bank announced that cyber criminals compromised its systems and transferred a total of US$1.8 million.
During the weekend, the Russian central bank revealed a new attack against the SWIFT system, unknown hackers have stolen 339.5 million roubles (roughly $6 million) from a Russian bank last year.

Even though the SWIFT international bank transfer system enhanced its security after the string of attacks that have targeted it since 2016, the news of a new attack made the headlines.

The victim is the Indian bank Kumbakonam-based City Union Bank that announced that criminals compromised its systems and transferred a total of US$1.8 million.


On Sunday, February 18, the Kumbakonam-based City Union Bank issued a statement after local media reported that three unauthorized transactions had been initiated by staff. The Indian bank confirmed that it had suffered a security breach launched by “international cyber-criminals and there is no evidence of internal staff involvement”.

“During our reconciliation process on February 7, it was found out that 3 fraudulent remittances had gone through our SWIFT system to our correspondent banks which were not initiated from our bank’s end. We immediately alerted the correspondent banks to recall the funds,” reads the statement issued by City Union Bank.

The three transactions took place before February 7, when they were discovered during the reconciliation processes.

One transaction of $500,000 that was made through Standard Chartered Bank, New York, to a Dubai based bank was immediately blocked.

A second transaction of $372,150 was made through a Standard Chartered Bank account in Frankfurt to a Turkish account, and the third transaction of 1 million dollars was sent through a Bank of America account in New York to a China-based bank.

The City Union Bank confirmed it was working with the Ministry of External Affairs and officials in Turkey and China to recover the funds.

“With the help of Ministry of External Affairs through Consulate General of Shanghai and Istanbul and office of the National Cyber Security Council (PMO) all possible efforts through diplomatic and legal channels are being taken to repatriate the money,” continues the statement.

In summary, the security features implemented around SWIFT were able to detect only the transfer to Dubai.

The SWIFT system is now back in operation with “adequate enhanced security”.

At the time of writing, the root cause of the breach is still unclear.


Record-Breaking Number of Vulnerabilities Disclosed in 2017: Report
19.2.2018 securityweek
Vulnerability

A record-breaking number of vulnerabilities were disclosed in 2017, with a total of 20,832 such security flaws, a new report from Risk Based Security shows.

According to the company’s VulnDB QuickView report, last year saw a 31.0% year-on-year increase in the number of vulnerabilities disclosed. The number of flaws recorded by the National Vulnerability Database (NVD) increased as well.

Of all the issues published by Risk Based Security in 2017, 7,900 weren’t documented by MITRE’s Common Vulnerabilities and Exposures (CVE) list and NVD, and 44.5% of these issues had a CVSSv2 score between 7.0 and 10. This, the security firm notes, represents a major risk for organizations worldwide, as they might not even be aware that those vulnerabilities exist.

In 2017, 39.3% of all published vulnerabilities have CVSSv2 scores above 7.0, 48.5% of them can be exploited remotely, and public exploits exist for 31.5% of the vulnerabilities, the security firm’s report (PDF) reveals. Half (50.6%) of the 2017 vulnerabilities are web-related and 28.9% of these web-related issues are Cross-Site Scripting (XSS) bugs.

The list of top ten vendors with vulnerabilities featuring CVSS scores between 9.0 and 10.0 includes Google (503 flaws), SUSE (301), Canonical (285), Red Hat (274), SGP – a subsidiary of Silent Circle (257), Adobe (256), Mozilla (246), Samsung (228), Oracle (201), and Xerox (198).

The top ten products with vulnerabilities featuring CVSSv2 scores between 9.0 and 10.0 include Google Pixel/Nexus devices (354 issues), Ubuntu (285), SilentOS (257), Red Hat Enterprise Linux (253), Firefox (246), SUSE Linux Enterprise Desktop (226), Samsung Mobile Devices (226), SUSE Linux Enterprise Server (197), OpenSUSE Leap (196), and FreeFlow Print Server (191).

Last year, at least 44.8% (9,335) of vulnerabilities disclosed were coordinated with the vendor and only 18.6% (3,875) of them were uncoordinated disclosures. Only 5.9% of 2017 vulnerabilities were disclosed as part of vendor or third-party bug bounty programs, the report reveals.

While most of the vulnerabilities disclosed last year (72.8%) have updates or some form of a patch available for them, 23.2% of the issues currently have no known solution. However, 443 of the vulnerabilities reported in 2017 were found to have no risk due to inaccurate disclosures, meaning that no mitigation was necessary for them.

The report also reveals that only 1.7% of all reported vulnerabilities in 2017 were found in SCADA products, down from 2.8% in 2016. 52.2% of the SCADA vulnerabilities were remotely exploitable, 73.5% had an impact on the integrity of the product, and 61.3% were related to improper input validation.

“Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures. The increasingly difficult task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches. If your vulnerability intelligence solution didn’t offer information on the more than 20,000 vulnerabilities disclosed in 2017, your organization is at an increased risk”, said Brian Martin, VP of Vulnerability Intelligence for Risk Based Security.


Millions Stolen From Russian, Indian Banks in SWIFT Attacks
19.2.2018 securityweek
Attack

Malicious hackers attempted to steal millions of dollars from banks in Russia and India by abusing the SWIFT global banking network.

A report published last week by Russia’s central bank on the types of attacks that hit financial institutions in 2017 revealed that an unnamed bank was the victim of a successful SWIFT-based attack.

A copy of the report currently posted on the central bank’s website does not specify how much the hackers stole, but Reuters said they had managed to obtain 339.5 million rubles (roughly $6 million).

According to the organization, the number of targeted attacks aimed at lenders increased in 2017 compared to the previous year. Attackers used widely available tools such as Metasploit, Cobalt Strike, Empire, and Mimikatz to achieve their goals; Cobalt Strike was reportedly used to steal more than 1 billion rubles (roughly $17 million).

The news comes after Russia’s Globex bank admitted in December that hackers had attempted to steal roughly $940,000 through the SWIFT system. The attackers reportedly only managed to steal a fraction of the amount they targeted.

In India, City Union Bank issued a statement on Sunday saying that it had identified three fraudulent transfers abusing the SWIFT payments messaging system. One transfer of $500,000 through a Standard Chartered Bank account in New York to a bank in Dubai was blocked and the money was recovered.

The second transfer of €300,000 ($372,000) was made to an account at a bank based in Turkey via a Standard Chartered Bank account in Germany. The funds were blocked at the Turkish bank and City Union hopes to recover the money.

The third transfer was for $1 million and it went to a Chinese bank through a Bank of America account. City Union Bank said the funds were claimed by someone using forged documents.

The news comes after reports that India’s Punjab National Bank was the victim of a massive $1.7 billion fraud scheme involving the company’s employees. City Union, however, clarified that this was a “cyber attack initiated by international cyber criminals and there is no evidence of internal staff involvement.”

SWIFT-based attacks made many headlines in the past years ever since hackers successfully stole $81 million from Bangladesh’s central bank in early 2016.

The organization behind the SWIFT system, the Society for Worldwide Interbank Financial Telecommunication, has taken measures to prevent attacks, but malicious actors have continued to target financial institutions in sophisticated campaigns.

Hackers attempted to steal $60 million from a bank in Taiwan, $12 million from a bank in Ecuador, and $1.1 million from a bank in Vietnam.


Over 30 Lawsuits Filed Against Intel for CPU Flaws
19.2.2018 securityweek
Vulnerability

More than 30 lawsuits have been filed by Intel customers and shareholders against the chip giant following the disclosure of the Meltdown and Spectre attack methods.

Three class action lawsuits were filed against Intel within a week of the Meltdown and Spectre flaws being disclosed, but the number had reached 32 by February 15, according to an annual report submitted by Intel to the U.S. Securities and Exchange Commission (SEC).

Lawsuits have been filed in the United States and other countries, and some complaints also target Intel’s directors and executives.

The company faces 30 class action lawsuits filed by customers who claim to have been harmed by Intel’s actions and/or omissions in connection to Meltdown and Spectre. Two securities class action lawsuits claim the company violated securities laws by making false or misleading statements, which had a negative impact on entities that acquired Intel stock between July 27, 2017 and January 4, 2018, when the processor vulnerabilities were disclosed.

“We dispute the claims described above and intend to defend the lawsuits vigorously,” Intel said. “Given the procedural posture and the nature of these cases, including that the proceedings are in the early stages, that alleged damages have not been specified, that uncertainty exists as to the likelihood of a class or classes being certified or the ultimate size of any class or classes if certified, and that there are significant factual and legal issues to be resolved, we are unable to make a reasonable estimate of the potential loss or range of losses, if any, that might arise from these matters.”

Three shareholder derivative lawsuits have also been filed in California against certain Intel officers and members of the company’s board of directors.

“The complaints allege that the defendants breached their duties to Intel in connection with the disclosure of the security vulnerabilities and the failure to take action in relation to alleged insider trading. The complaints seek to recover damages from the defendants on behalf of Intel,” Intel said.

While lawsuits and negative publicity may change the situation in the future, Intel currently does not expect Meltdown and Spectre to have a material financial impact on its business or operations.

AMD, ARM and Apple, whose processors rely on ARM technology, also face lawsuits over the Meltdown and Spectre vulnerabilities.


90 days have passed, Google discloses unpatched flaw in the Microsoft Edge browser
19.2.2018 securityaffairs
Vulnerability

Google Project Zero disclosed details of an unpatched flaw in the Edge browser because Microsoft failed to address it within a 90-day deadline.
White hat hackers at Google Project Zero have disclosed details of an unpatched vulnerability in the Edge browser because Microsoft failed to address it within the 90-day deadline set by Google’s disclosure policy.

The flaw could be exploited by attackers to bypass the Arbitrary Code Guard (ACG) that was implemented in Windows 10 Creators Update alongside Code Integrity Guard (CIG).

These security features are designed to prevent Edge browser exploits from loading and executing malicious code.

“An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory. CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.” states the description published by Microsoft.


Google Project Zero researcher Ivan Fratric, who discovered the vulnerability, demonstrated that the ACG feature can be bypassed. The expert reported the issue to Microsoft on November 17. The tech giant had initially planned to include a fix in the February Patch Tuesday updates, but evidently something went wrong, because “the fix is more complex than initially anticipated.”

The vulnerability was classified as having “medium” severity, and Project Zero has published details of the issue in a blog post.

“If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can: 1. Unmap the shared memory mapped above using UnmapViewOfFile() 2. Allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there. 3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.” reads the analysis shared by Google.

In February 2017, Fratric published technical details of a high severity type confusion vulnerability, tracked as CVE-2017-0037, that could have been exploited by attackers to crash Internet Explorer and Edge and, under certain circumstances, to execute arbitrary code.


Google Discloses Unpatched Edge Vulnerability
19.2.2018 securityweek
Vulnerability

Google Project Zero has made public the details of an unpatched vulnerability affecting the Edge web browser after Microsoft failed to release a patch within a 90-day deadline.

Google Project Zero researcher Ivan Fratric has found a way to bypass Arbitrary Code Guard (ACG), a feature added by Microsoft to Edge in Windows 10 Creators Update alongside Code Integrity Guard (CIG).

The features, introduced in February 2017, are designed to prevent browser exploits from executing malicious code.

“An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory,” Microsoft explained. “CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.”

Fratric showed that the ACG feature can be bypassed and informed Microsoft of his findings on or around November 17. The company had initially planned on patching the vulnerability with its February Patch Tuesday updates, but later determined that “the fix is more complex than initially anticipated.”

Microsoft now expects to release a fix on March 13, but the date exceeds Google Project Zero’s 90-day disclosure deadline so the details of the vulnerability have been made public. Project Zero has classified the flaw as having “medium” severity.

This is not the first time Project Zero has disclosed an unpatched vulnerability found by Fratric in Microsoft’s web browsers. In February 2017, it made public details and proof-of-concept (PoC) code for a high severity type confusion issue that could have been exploited to crash Internet Explorer and Edge, and possibly even execute arbitrary code.

The security hole, tracked as CVE-2017-0037, was fixed by Microsoft in March 2017, roughly two weeks after it was disclosed.

Fratric is the creator of a fuzzer named Domato, which last year helped him uncover tens of vulnerabilities in popular web browser engines.


Cybersecurity Plagued by Insufficient Data: White House
19.2.2018 securityweek BigBrothers

Cyberattacks Are Costly, and Things Could Get Worse: US Report

Cyberattacks cost the United States between $57 billion and $109 billion in 2016, a White House report said Friday, warning of a "spillover" effect for the broader economy if the situation worsens.

A report by the White House Council of Economic Advisers sought to quantify what it called "malicious cyber activity directed at private and public entities" including denial of service attacks, data breaches and theft of intellectual property, and sensitive financial and strategic information.

It warned of malicious activity by "nation-states" and specifically cited Russia, China, Iran, and North Korea.

The report noted particular concern over attacks on so-called critical infrastructure, such as highways, power grids, communications systems, dams, and food production facilities which could lead to important spillover impacts beyond the target victims.

"If a firm owns a critical infrastructure asset, an attack against this firm could cause major disruption throughout the economy," the report said.

It added that concerns were high around cyberattacks against the financial and energy sectors.

"These sectors are internally interconnected and interdependent with other sectors as well as robustly connected to the internet, and are thus at a highest risk for a devastating cyberattack that would ripple through the entire economy," it said.

The report offered little in the way of new recommendations on improving cybersecurity, but noted that the situation is hurt by "insufficient data" as well as "underinvestment" in defensive systems by the private sector.

The document was issued a day after US officials blamed Russia for last year's devastating "NotPetya" ransomware attack, calling it a Kremlin effort to destabilize Ukraine which then spun out of control, hitting companies in the US, Europe and elsewhere.

It said Russia, China, North Korea and other nation-states "often engage in sophisticated, targeted attacks," with a specific emphasis on industrial espionage.

"If they have funding needs, they may conduct ransom attacks and electronic thefts of funds," the report said.

But threats were also seen from "hacktivists," or politically motivated groups, as well as criminal organizations, corporate competitors, company insiders and "opportunists."

In an oft-repeated recommendation, the White House report said more data sharing could help thwart some attacks.

"The field of cybersecurity is plagued by insufficient data, largely because firms face a strong disincentive to report negative news," the report said.

"Cyber protection could be greatly improved if data on past data breaches and cyberattacks were more readily shared across firms."