Patching, Patching and More Patching – This is Ridiculous

Last Tuesday I said patching is critical and it still is.

Maybe this is a weekly post, but I hope not.

Today’s episode:

#1 – Zero day exploit for Oracle’s Virtual Box

A security researcher got mad at how Oracle treated him in the past and so, when he found a new exploit, basically gave Oracle the middle finger and published the exploit and sample code.  All the amateur hackers now have the recipe to escape from guest virtual machine and run code in the host machine.  If you use virtual box, you should patch this quickly since it came with sample code to run the exploit.  Source:  The Hacker News .

#2 – WooCommerce plugin WordPress

WooCommerce, the eCommerce tool that is used on millions of websites can be used to gain full control over a website that has not been patched.  Again, pretty easy to exploit.  The good news is that there are patches for both WordPress and WooCommerce, but you have to  install them.  Source: The Hacker News .

#3 – Apache Struts Critical Vulnerability

Yes, THAT Apache struts.  The same one from Equifax fame.  A flaw in the file upload routine in versions earlier than 2.5.12 allows a hacker to upload and execute arbitrary code.

Here is the bad news.  There is a fix.  You have to drop in a replace JAR file with the new code.  There is no new install or version update, so this will be a pain in the ………

Vendors like Cisco and VMWare, among thousands of others, who use Struts will have to update and re-release their products, so users won’t be safe until all of these vendors have updated their code.

Hackers, of course, will try to take advantage of this flaw to attack your systems knowing that it will likely take years to get rid of all the affected code.  Source: The Register .

#4 – Microsoft Edge Browser Zero Day About to be Revealed

As, apparently, the stressed relation between security researchers and vendors continues, two researchers are about to release sample code and details of an unknown (zero day) remote code execution flaw in Microsoft Edge (shades of item 1 above).  The researchers are also trying to get hacker nirvana by elevating to system level privileges as part of the exploit.

To stick their finger in the eye of Microsoft, the researcher released a video showing the hack where they got Edge to launch Firefox and have it load the Chrome download page.  (Source: Bleeping Computer).

This is but a tiny sample of this week’s high profile bugs.  Gee Wiz!

Leave a Reply

Your email address will not be published.