Zero Day Weekly: Oracle kills Java, Microsoft 0day, D-Link snafu, more DHS cyber-negligence
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending April 17, 2015. Covers enterprise, controversies, reports and more.
- A Microsoft Windows Patch Tuesday zero-day bug is being exploited in the wild: Windows and Office got four Critical updates for Patch Tuesday earlier this week - including a critical remote code execution vulnerability affecting the Windows HTTP protocol stack that is being actively exploited in the wild, according to the SANS Internet Storm Center. As attacks mount, over 70 million websites remain vulnerable. Sophos has taken the rare step of citing the issue as a must-fix.
- Oracle is to end publicly available security fixes for Java 7 this month: Public updates for Java 7 - including bug and security fixes - will end this month, a situation that one security advocate says could impact millions of applications. The Critical Patch Update released by Oracle on Tuesday includes 98 security fixes for a wide range of product families.
D-Link patches buffer overflow issue stemming from a sprintf call by adding another vulnerable sprintf call. http://t.co/X4zjlc30zI
- Chris Wysopal (@WeldPond) April 16, 2015
- D-Link has failed to properly fix vulnerabilities affecting several router models. The networking equipment manufacturer says it is currently addressing the issues. The vulnerabilities, related to the Home Network Administration Protocol (HNAP), were reported earlier this year by Samuel Huntley and Zhang Wei of Qihoo360.
- CoinVault ransomware decryption keys were released for free by Kaspersky after the National High Tech Crime Unit (NHTCU) of the Netherlands police and the Netherlands National Prosecutors Office obtained a database from a CoinVault command-and-control server.
- Cybercrime and law enforcement were the key themes at Interpol World 2015. During the opening address Tuesday at Interpol World 2015, Singapore's Second Minister for Home Affairs and Trade and Industry S. Iswaran said tech advancements, globalization, and urbanization had enabled criminals and terrorists to pose a new wave of threats that could shake the security foundation of local and global markets.
So someone at @sony downloaded a pirated copy of my book. You guys couldn't afford to buy a copy? https://t.co/KNT5ZvUdhU
- Jeffrey Carr (@jeffreycarr) April 17, 2015
- IBM has a new threat sharing platform: IBM on Thursday launched a new threat intel tool that allows enterprise security teams and researchers to collaborate on security incidents and sift through threat intel data. Through IBM's X-Force Exchange, the company said Thursday it will offer companies its massive 700-terabyte (and growing) database of raw cyber-threat data and intelligence.
- Department of Homeland (in)Security: Sensitive documents and computer passwords were left unsecured after hours at five DHS agencies. Nearly a third of employee desks checked after the close of business by a government watchdog at five Department of Homeland Security agencies had sensitive materials, laptops, cell phones and "For Office Use Only" documents left unsecured.
Apparently just made front page Fox News..... pic.twitter.com/zS8uijWpYu
- Chris Roberts (@Sidragon1) April 17, 2015
This was a stupid thing to tweet. Don't blame the feds for looking hard into this. https://t.co/v9CbwMIUPg
- ✊Free Kyle Maxwell✊ (@kylemaxwell) April 16, 2015
- Verizon's new DBIR (Data Breach Investigations Report 2015) says we've "got 99 problems, and mobile malware isn't even less than 1 percent of them." This backs up Google's findings in its Android 2014 Security Year in Review, which found that fewer than 1 percent of Android devices had a "potentially harmful app (PHA)" installed in 2014. The report also found that organized crime has become the most frequently seen threat actor for web app attacks, and the cost per record formula for breaches is no longer an accurate measure.
- Researchers try to hack the economics of zero-days: At next week's RSA Conference, a team of researchers at MIT, Harvard, and the security firm HackerOne (Internet Bug Bounty program) will present a study on the economics of the marketplace for "zero-day" vulnerabilities in software and networks, showcasing a model for how that market behaves. In a paper titled "The Wolves of Vuln Street," the team found that the vuln market is not controlled by price alone.
- Target, MasterCard settle over data breach: Target and MasterCard have settled on a fund so the credit card issuer can pay its customers over the retailer's 2013 data breach. In a statement, Target said that it will fund up to $19 million in pre-tax alternative recovery payments, which are offers MasterCard will make to its customers affected by the data breach.
I need these. https://t.co/efXGilRU9n pic.twitter.com/yWh6OyMjpz
- Paul Reinheimer (@preinheimer) April 16, 2015