Microsoft’s December 2020 Patch Tuesday fixes 58 vulnerabilities
With the December 2020 Patch Tuesday security updates, Microsoft released fixes for 58 vulnerabilities and one advisory across its products. Of the vulnerabilities fixed yesterday, nine are classified as Critical, 46 as Important, and three as Moderate. No zero-day or previously disclosed vulnerabilities are fixed in the December 2020 updates. Of note is an advisory for a DNS cache poisoning vulnerability discovered by security researchers from Tsinghua University and the University of California.
Critical, unpatched bugs open GE radiological devices to remote code execution
A CISA alert flags a critical default-credentials issue affecting more than 100 types of devices found in hospitals, from MRI machines to surgical imaging systems. A pair of critical vulnerabilities in dozens of GE Healthcare radiological devices could allow an attacker to access sensitive personal health information, alter data, or knock the machine offline entirely. The flaws affect CT and PET scanners, molecular imaging and MRI devices, and mammography, X-ray, and ultrasound devices. The bugs carry a CVSS severity score of 9.8. Patches are forthcoming.
Cloudflare and Apple design a new privacy-friendly internet protocol
Oblivious DNS-over-HTTPS, or ODoH, is a protocol that makes it harder for internet providers to know which websites a user visits. The earlier protocol, DNS-over-HTTPS, encrypted DNS queries in transit, making it harder for attackers to redirect victims to malicious websites, but the resolver still saw both the query and the client's IP address. ODoH encrypts the DNS query to the resolver's public key and passes it through a proxy server that sits between the user and the resolver: the proxy learns who is asking but not what, and the resolver learns what was asked but not by whom. This technology will likely take months or years before it is included in standard browsers.
Amnesia:33 – a critical flaw in millions of IoT devices
Research from the IoT security firm Forescout highlights 33 flaws in open-source TCP/IP stacks that potentially expose millions of embedded devices to attacks including information interception, denial of service, and full takeover. Affected devices include smart-home sensors and lights, barcode readers, enterprise network equipment, building automation systems, and even industrial control equipment. Many of the bugs are memory corruption flaws, hence the name Amnesia:33. Forescout will elaborate on the risks at the Black Hat Europe security conference today.
Thanks to our episode sponsor, Code42
Zero-click wormable RCE vulnerability reported in Microsoft Teams
The bug, in the Microsoft Teams desktop apps, could allow an adversary to execute arbitrary code without any user interaction simply by sending a specially crafted chat message. It chains a cross-site scripting (XSS) flaw in the Teams '@mentions' functionality into code execution, which would hand over private chats, files, the internal network, private keys, and personal data outside of Teams. The flaw is cross-platform, affecting Microsoft Teams for Windows, Linux, macOS, and the web (teams.microsoft.com), and could be made wormable, spreading to other channels. Microsoft has not assigned a Common Vulnerabilities and Exposures ID to this vulnerability, stating that it is currently Microsoft's policy not to issue CVEs for products that update automatically without user interaction.
Most victim organizations suffer second intrusion within a year
Security experts at CrowdStrike are warning victims of sophisticated cyberattacks not to treat an intrusion as a one-off event, since a majority of organizations get hit again within the year. Their recent report shows that in 68% of cases where an organization experienced an intrusion, it was targeted again within 12 months. They also point out that improperly deployed anti-malware and endpoint detection and response (EDR) tools remain a significant factor in the success of repeat attacks.
All Kubernetes versions affected by unpatched MiTM vulnerability
The Kubernetes Product Security Committee has published advice on temporarily blocking attackers from exploiting a vulnerability that could let them intercept traffic from other pods in multi-tenant Kubernetes clusters in man-in-the-middle (MiTM) attacks. It can be exploited remotely, without user interaction and with low attack complexity, by attackers holding basic tenant permissions such as creating or editing services and pods. “If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster,” Tim Allclair, a software engineer working on Kubernetes security at Apple, explained in a security advisory published on Monday.
Spearphishing attack spoofs Microsoft.com to target 200M Office 365 users
The attack has targeted 200 million Microsoft Office 365 users across key vertical markets, including financial services, healthcare, manufacturing and utility providers, telecom, and insurance. Researchers at Ironscales say the attack is particularly deceptive because it uses exact domain spoofing: the sender address shows microsoft.com itself rather than a look-alike domain, and the realistic-looking email urges users to try a relatively new Office 365 capability that lets them reclaim emails accidentally marked as spam or phishing.