Tag Archives: Apache Struts

Patching, Patching and More Patching – This is Ridiculous

Last Tuesday I said patching is critical and it still is.

Maybe this is a weekly post, but I hope not.

Today’s episode:

#1 – Zero day exploit for Oracle’s Virtual Box

A security researcher got mad at how Oracle treated him in the past and so, when he found a new exploit, basically gave Oracle the middle finger and published the exploit and sample code.  All the amateur hackers now have the recipe to escape from a guest virtual machine and run code on the host machine.  If you use VirtualBox, you should patch this quickly since it came with sample code to run the exploit.  Source: The Hacker News.

#2 – WooCommerce plugin WordPress

WooCommerce, the eCommerce tool that is used on millions of websites, can be used to gain full control over a website that has not been patched.  Again, pretty easy to exploit.  The good news is that there are patches for both WordPress and WooCommerce, but you have to install them.  Source: The Hacker News.

#3 – Apache Struts Critical Vulnerability

Yes, THAT Apache Struts.  The same one from Equifax fame.  A flaw in the file upload routine in versions earlier than 2.5.12 allows a hacker to upload and execute arbitrary code.

Here is the bad news.  There is a fix, but you have to drop in a replacement JAR file with the new code.  There is no new install or version update, so this will be a pain in the ………

Vendors like Cisco and VMware, among thousands of others, who use Struts will have to update and re-release their products, so users won’t be safe until all of these vendors have updated their code.

Hackers, of course, will try to take advantage of this flaw to attack your systems, knowing that it will likely take years to get rid of all the affected code.  Source: The Register.
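Since the fix is a dropped-in JAR rather than a version bump, the first job for a defender is simply finding every copy of Struts on a box. The following is an added inventory check, not code from this post or from the Struts project: it walks a deployment tree, finds Struts core JARs on disk or bundled inside WAR/EAR archives, and flags any version earlier than 2.5.12 (the JAR naming pattern, the sample tree and the `demo()` helper are assumptions).

```python
import os
import re
import shutil
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Threshold taken from the post: versions earlier than 2.5.12 carry the flaw.
FIXED_VERSION = (2, 5, 12)
# Assumed Maven-style artifact name, e.g. struts2-core-2.3.34.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)[^/]*\.jar$")


def parse_version(name: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from a struts2-core JAR name, or None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the version sorts before 2.5.12 (plain tuple comparison)."""
    return version < FIXED_VERSION


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Return (location, version, flagged) for every Struts core JAR under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            ver = parse_version(fname)
            if ver is not None:
                findings.append((path, ".".join(map(str, ver)), is_vulnerable(ver)))
            elif fname.lower().endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                # Vendor products usually bundle Struts under WEB-INF/lib inside the archive
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():
                        ver = parse_version(entry)
                        if ver is not None:
                            loc = f"{path}!{entry}"
                            findings.append((loc, ".".join(map(str, ver)), is_vulnerable(ver)))
    return findings


def demo() -> List[Tuple[str, str, bool]]:
    """Build a constructed sample tree (empty placeholder JARs, not real products) and scan it."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "app1", "WEB-INF", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "struts2-core-2.3.34.jar"), "wb").close()  # exploded app, old Struts
    with zipfile.ZipFile(os.path.join(root, "app2.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.17.jar", b"")  # packaged app, newer Struts
    findings = sorted(scan_tree(root))
    shutil.rmtree(root)
    return findings
```

A flagged entry means "go verify that the replacement JAR was actually dropped in", not "definitely vulnerable", because the post notes the fix leaves the Struts version number unchanged.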

#4 – Microsoft Edge Browser Zero Day About to be Revealed

As, apparently, the stressed relation between security researchers and vendors continues, two researchers are about to release sample code and details of an unknown (zero day) remote code execution flaw in Microsoft Edge (shades of item 1 above).  The researchers are also trying to get hacker nirvana by elevating to system level privileges as part of the exploit.

To stick their finger in the eye of Microsoft, the researchers released a video showing the hack, where they got Edge to launch Firefox and have it load the Chrome download page.  (Source: Bleeping Computer).

This is but a tiny sample of this week’s high profile bugs.  Gee whiz!

Security News Bites for the Week Ending Aug 24, 2018

FBI Asks Google for Information on ALL People Near Certain Crimes

Now that we know that Google tracks you even if you ask nicely for it not to, this news from BBC becomes more interesting.

The FBI issued a search warrant to Google for information on all people within a 100-acre block around a couple of crimes they were investigating in Portland.

Not only did they want location, but they also wanted full names and addresses, telephone numbers, records of session times and durations, date on which the account was created, length of service, IP address used to register the account, login IP addresses, email addresses, log files and means and source of payment.

Needless to say, all the people within a 100-acre block of land is a lot of people, most of whom are not suspected of any crime.

Google declined the request and after about 6 months, the FBI withdrew the warrant request.  Source: BBC.

Maybe Apple’s Security is Not Perfect

A 16-year-old Australian kid has been charged with successfully hacking into Apple’s network multiple times over the course of a year, downloading 90 gig of secure files and accessing customer data.

Because the kid is a minor and also because Apple is slightly embarrassed, the police are not saying much.  Source: The Age.

Russians Target Senate Races and Conservative Think Tanks

While the President continues to say that the Russians are not targeting our political process, Microsoft has convinced our court system that they are and has seized several domains that were posing as Microsoft domains and were being run by the Russian spy agency GRU and created by the Russian hacker organization known as APT28/Fancy Bear/Strontium (everyone has to create their own name for the same group).  Microsoft claimed that the web sites could be used as a launch pad for attacks since they looked like official Microsoft web properties.  While the article doesn’t say so, I suspect that Microsoft detected actual attacks, otherwise why would they be so specific as to the targets?

The think tanks in question have been critical of Russia.

Russia, of course, is acting dumb and said “what web sites?” and “what do you mean, impacting the elections?”  No surprise there.

One of the think tanks is the Hudson Institute where Trump’s Director of National Intelligence recently said, in a speech, that the lights were “blinking red” like they were just before 9-11.  He was specifically referring, in this case, to Russian interference in the elections.

Microsoft is offering special security services to all political candidates.  (Source: CNN)

Another Nasty Apache Struts Vulnerability

Remember the Equifax breach?  The root cause of that was an unpatched computer running Apache Struts software.  Now there is another Apache Struts bug and this one is being called critical.  Its Common Vulnerability Scoring System (CVSS) score is 10 out of a possible 10.  Hard to get more critical than that.

Don’t use Struts?

Do you use Atlassian products?  Cisco?  Hitachi?  IBM?  Oracle?  VMware?  Well then, you might be using Struts (it depends on exactly which product from those companies you use).  (Source: Risk Based Security)