I’m going to be pushing my security column out on at least a bi-monthly basis from now on – a 2016 resolution! ; )
This past week’s Patch Tuesday from Microsoft was quite a serious affair – 9 security advisories covering 25 vulnerabilities of which 6 advisories address critical level flaws in IE, Office, Windows and others. Keep them updated!
Also in the Microsoft camp, IE 8 through 10 will no longer get security support from this week – considering that those versions account for more than 20% of worldwide browser usage, this is going to be a big problem – think unsecured drive-bys, cross-site-scripting and remote code execution. Juicy times for attackers. There’s a couple of issues here for folks wanting to migrate to IE11:
- application compatibility and upgrade/migration
- corporate policy
- about 2/3rds of issues affecting IE11 also affect previous releases giving lots of clues to malicious code writers
The other big security news of the week is the detection of multiple critical bugs in Trend Micro’s Password Manager component. Specially crafted urls can cause the the PM to leak passwords or allow arbitrary command execution on the local machine – for a security package, this is a significant problem but at least Trend have already released a patch for this. Update!
The Juniper ScreenOS issue (CVE-2015-7755) continues to rear its ugly head with Juniper denying collaborated involvement with the NSA in putting the “possibly NSA-sponsored” DUAL_EC and ANSI x9.31 RNG’s into ScreenOS. Juniper will be sorting this mess out over the next 2 months so that still gives a very long window for exploit. For some clients, there may be little choice but to migrate their firewall infrastructure to other kit to maintain security.
For those not in the know, the ( known ) weak RNGs and “unauthorized code” in ScreenOS could allow unauthorized admin access to ScreenOS devices and real-time VPN traffic decryption. Considering news of the NSA intercepting shipments of Cisco ( and other kit ) to replace firmware with NSA-encumbered code, this does not come as that much of a surprise; suffice it to say, the US auths still seem to be either working hand in hand with certain US networking companies or exploiting weaknesses in those companies products. Either way, this is as bad as it gets … and they complain about Hauwei?!?!! Pot? Kettle?
In related ( firewall ) news, an administration access bug from 2014 and earlier in FortiGate products seems to have reared its head this week. I’m not sure about the delay in reporting but this is a bit of a moot point now seeing as the issue was sorted out a long time ago. Possibly the Juniper news has everyone on edge …
Juniper was not alone this week with critical issues; Cisco has released patches for multiple products including 2 for the (ISE) Identity Services Engine software (cve-2015-6323) and (WLC) Wireless Lan Controller software (cve-2015-6314) – both are deemed critical and have a maximum CVSS score of 10.
In the wake of the Juniper backdoor revelations, Cisco Systems announced that they will be reviewing the software running on their devices and look “for backdoors, hardcoded or undocumented account credentials, covert communication channels and undocumented traffic diversions.” So it looks like all firewall and security networking vendors are going to have some work in store for themselves over the next few months.
