From Paul's Security Weekly
Hack Naked News #121
Recorded April 27, 2017 at G-Unit Studios in Rhode Island!
- ColdFusion Hotfix Resolves XSS, Java Deserialization Bugs - Adobe released patches for ColdFusion this week. Customers are encouraged to upgrade from Update 3 and earlier of ColdFusion 2016, Update 11 and earlier of ColdFusion 11, and Update 22 and earlier of ColdFusion 10. The fixes include remediation for a Java deserialization bug in the bundled Apache BlazeDS library, tracked for ColdFusion as CVE-2017-3066 (the underlying BlazeDS flaw is CVE-2017-5641). VMware and Atlassian also had to ship updates, since they bundle BlazeDS in their own product lines. Deserialization bugs are nothing new, but they are an often forgotten-about class of bug: any endpoint that accepts serialized objects from an untrusted client (AMF, in this case) and hands them to a deserializer without restricting the allowed types is a remote code execution candidate as soon as a usable gadget class is on the classpath. OWASP has some great materials on the subject if you'd like to do some further reading.
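The mitigation OWASP recommends for this bug class, shown here as an added example (not code from Adobe, ColdFusion, BlazeDS or this episode): restrict which classes a deserializer may instantiate. It uses plain java.io serialization rather than AMF, and the class names (Settings, Gadget) and the flag the "gadget" flips are made up for the demo; it needs Java 9 or later for the JEP 290 filter API.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserializationDemo {

    // The one type this hypothetical endpoint legitimately expects.
    public static final class Settings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String theme;
        Settings(String theme) { this.theme = theme; }
    }

    // Stand-in for a gadget class: its readObject runs logic the sender chose.
    // Real gadgets are ordinary library classes already on the classpath; this
    // one only flips a flag so the demo can show whether that code executed.
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // attacker-controlled behaviour would happen here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: instantiates whatever class the stream names.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Look-ahead allowlist: resolveClass is invoked while the class descriptor
    // is read, before any instance is allocated, so a rejected class never runs.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object allowlistDeserialize(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        }
    }

    // Same policy with the JDK's built-in filter (JEP 290, Java 9+):
    // accept the named class, reject everything else ("!*").
    static Object filteredDeserialize(byte[] data, String allowedClass) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(allowedClass + ";!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Settings.class.getName());
        byte[] benign = serialize(new Settings("dark"));
        byte[] hostile = serialize(new Gadget()); // stands in for an attacker's payload

        System.out.println("expected type passes: " + ((Settings) allowlistDeserialize(benign, allowed)).theme);

        unsafeDeserialize(hostile);
        System.out.println("unsafe path ran gadget code: " + Gadget.triggered);

        for (int i = 0; i < 2; i++) {
            Gadget.triggered = false;
            try {
                if (i == 0) allowlistDeserialize(hostile, allowed);
                else filteredDeserialize(hostile, Settings.class.getName());
            } catch (InvalidClassException e) {
                System.out.println("rejected (" + e.getMessage() + "), gadget code ran: " + Gadget.triggered);
            }
        }
    }
}
```

In a real service the allowlist has to name every object type the expected graph contains (collections, nested value classes), which is why a tight, explicit list beats a deny-list of known gadgets: the deny-list is only ever as current as the last gadget-chain publication. The best fix is still to not accept native serialization from untrusted peers at all.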
- NSA backdoor detected on >55,000 Windows boxes can now be remotely removed - On Tuesday, security firm Countercept released an update to the DoublePulsar detection script it published last week. It now allows anyone on the Internet to remotely uninstall the implant from an infected machine, using the same unauthenticated SMB commands the implant itself listens for. Estimates of just how many machines are infected with the NSA backdoor are controversial, with the latest numbers coming in at around 30,000. Keep in mind that removing the implant does not close the hole it came in through; the box still needs MS17-010 applied, or it can simply be re-infected.
- Script Kiddies Pwn Thousands Of Windows Boxes Using NSA Tools - DOUBLEPULSAR is a backdoor used to inject and run malicious code on an infected system, and is installed using the ETERNALBLUE exploit, which attacks SMB file-sharing services on Windows XP through Server 2008 R2. That means to compromise a computer, it must be running a vulnerable version of Windows and expose an SMB service (TCP port 445) to the attacker, so the practical advice is to patch with MS17-010, disable SMBv1 where you can, and never expose 445 to the Internet in the first place. The fix has been available since March 2017 (MS17-010), and Dan Tentler from the Phobos Group had the most colorful commentary on the subject, quoted as saying: "The polite term for what's happening is a bloodbath. The impolite version is dumpster fire clown shoes shit show," Tentler said. "I'm hopeful this is the wakeup moment for people over patching Windows machines."
- Ashley Madison blackmail roars back to life | ZDNet - A group threatening to leak the personal information of people found to have Ashley Madison accounts says it will release details next month, unless you pay $500 in Bitcoin to be excluded. Thing is, the data has been available since the 2015 breach to anyone who knows where to look, so the best bet is not to pay (and an even better one is not to cheat, or do other such immoral stuff).
- Tales Of SugarCRM Security Horrors - Those considering a SugarCRM implementation should read the article by Egidio Romano titled "Tales of SugarCRM Security Horrors", where he states in conclusion: "I can say that SugarCRM is one of the most insecure web applications I've ever seen in my life (and believe me, I tested and reviewed a lot of web applications): I've been quite lucky in choosing SugarCRM as the target for my experimental thesis; it made me reach some successful results by discovering lots of security issues in it. However, I think there is still room for improvement with regards to SugarCRM security: I'm pretty sure there are still dozens of 0-day vulnerabilities probably affecting commercial versions as well, so I would say that SugarCRM could be the right choice for Capture the Flag (CTF) competitions."
- FalseGuide Malware Dupes 600,000 Android Users Into Joining Botnet - More warnings for Android users: an estimated 600,000 users have mistakenly downloaded malware from Google Play, the official app store for Android devices. The malware attempts to build a botnet that delivers fraudulent mobile adware and earns money for the cybercriminals who created it. Good thing Google is on the case: a Google spokesperson told ZDNet that "we're still making improvements to our system" and said the company "tries to take immediate action whenever a questionable app is brought to our attention". Um, yeah, by then it's too late.
- Samsung Smart TV Pwnable Over Wi-Fi Direct - A security researcher is complaining that Samsung isn't making a serious response to a vulnerability in its Smart TVs, and Samsung has stated it has no plans to fix it. The bug, discovered by pen-test outfit Neseso, concerns the televisions' implementation of Wi-Fi Direct authentication: the TV trusts a device based on its MAC address. An attacker only needs to sniff out the MAC address of a trusted device to connect to the TV, and since MAC addresses travel in the clear in every 802.11 frame and are trivial to spoof, that is an identifier, not a credential. From there they potentially enjoy a jump-off point into the target's network.