An open source bug poses a dangerous threat to sites running Joomla, Drupal or Typo3.
Developers and security researchers are warning that websites running the Drupal, Joomla, or Typo3 content-management systems are vulnerable to attacks that could execute malicious code until administrators install just-released patches.
The vulnerability resides in the PharStreamWrapper, a PHP component developed and open-sourced by CMS maker Typo3. The flaw stems from a path-traversal bug that allows hackers to swap a site's legitimate phar archive with a malicious one. A phar archive is used to distribute a complete PHP application or library in a single file, in much the way a Java archive file bundles many Java files into a single file.
Drupal developers rated the severity of the vulnerability affecting their CMS as moderately critical. That's well below the highly critical rating of a recent Drupal vulnerability and earlier remote-execution flaws that took on the name "Drupalgeddon." Still, the vulnerability represents enough of a risk that administrators should patch it as soon as possible.
On Drupal, where the exploit was first detected, an attacker would have to have limited administrator privileges, such as those given to marketing people or graphic designers. However, some community modules might be vulnerable because of this flaw in the Drupal Core.
Joomla developers, meanwhile, issued their own advisory that rated the severity as low. Typo3 developers didn't provide a severity rating for their own CMS.
Drupal users should update to the latest point release right away. Patches have been issued for versions 7, 8.6 and 8.7.
On Joomla, the flaw affects versions 3.9.3 through 3.9.5, and the fix is available in 3.9.6.
Typo3 CMS users should either upgrade to PharStreamWrapper v3.1.1 or v2.1.1 manually or ensure their Composer dependencies are raised to those versions.
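The path-traversal class described above is guarded against by resolving "." and ".." segments before a phar path is compared with an allowlist of permitted archive locations. The block below is an added illustration, not code from PharStreamWrapper or from any of the CMS patches; the allowed directory and the sample paths are constructed.

```php
<?php
// Added illustration, not code from PharStreamWrapper or any CMS patch:
// resolve "." and ".." segments in a phar:// path *before* comparing it
// against an allowlist of directories that may legitimately hold archives.
// The allowed directory and the sample paths below are constructed.

/** Collapse "." and ".." segments purely lexically (no filesystem access). */
function normalizePharPath(string $path): string
{
    $prefix = 'phar://';
    if (strncasecmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('not a phar:// path');
    }
    $segments = preg_split('~[\\\\/]+~', substr($path, strlen($prefix)));
    $stack = [];
    foreach ($segments as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($stack); // climbing above the root is silently dropped
            continue;
        }
        $stack[] = $segment;
    }
    return $prefix . '/' . implode('/', $stack);
}

/** True only when the resolved archive file sits under an allowed directory. */
function isAllowedPharPath(string $path, array $allowedDirs): bool
{
    $resolved = normalizePharPath($path);
    // Only the archive itself matters; drop any path inside the archive.
    $pos = stripos($resolved, '.phar/');
    $archive = $pos === false ? $resolved : substr($resolved, 0, $pos + 5);
    foreach ($allowedDirs as $dir) {
        $dir = rtrim($dir, '/') . '/';
        if (strncmp($archive, $dir, strlen($dir)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample: archives under vendor/ are trusted, uploads/ is not,
// and the ".." in the second path must not let it masquerade as vendor/.
$allowed = ['phar:///var/www/site/vendor'];
var_dump(isAllowedPharPath('phar:///var/www/site/vendor/lib.phar/src/a.php', $allowed));
var_dump(isAllowedPharPath('phar:///var/www/site/vendor/../uploads/evil.phar/x.php', $allowed));
```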
Sent to us by: Roy W. Nash
A Zero-Day Exploit in WhatsApp has been used in Targeted Spyware Attacks.
The vulnerability that allowed attackers to install spyware on victims' phones has been patched, but for many it is too late: attackers had already used it to inject spyware onto phones in targeted malware campaigns.
The popular messaging app discovered in early May that attackers were installing surveillance software on iPhones and Android phones by using WhatsApp’s call function.
WhatsApp confirmed on Monday that the flaw, which has now been patched, is a buffer overflow vulnerability in WhatsApp's VOIP stack that allows remote code execution via a specially crafted series of secure packets sent to a target phone number.
Adam Brown, manager of security solutions at Synopsys, says: "Victims of this attack include journalists and activists; attackers are able to use the victim's phone as a room tap, look at or change information on the phone and find the victim's location, among other things."
WhatsApp is owned by Facebook and is used by 1.5 billion people globally. The messaging platform touts itself as a secure, end-to-end encrypted communications app.
Security experts are urging WhatsApp users to update their apps as soon as possible.
Sent to us by: Robbie Ferguson
Surprise! Microsoft has sent out free remote-desktop security patches for antiquated systems, from Windows XP up to Server 2008 in an effort to prevent a possible WannaCry-like attack.
It’s that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday. But this time, they've done something outside the norm by including patches for out-of-support operating systems such as Windows XP and Server 2003.
Usually, support for such aging operating systems costs big bucks for companies that want to keep running them, but Microsoft has released a freebie because of the serious nature of a critical flaw in Remote Desktop Services (formerly known as Terminal Services). The vulnerability allows remote code execution with no user involvement or authentication required, making it a gift to anyone wanting to spread malware.
Basically, find one of countless vulnerable Windows boxes facing the internet or on a network, and send carefully crafted packets to its remote desktop service, if running, to start executing malicious code on the machine. From there, other computers can be found by scanning IP ranges, and then you've got a proper old-school worm on your hands.
A Microsoft advisory states that because the vulnerability is 'wormable', any future malware that exploits it could propagate from vulnerable computer to vulnerable computer in much the way the WannaCry malware spread across the globe in 2017 using the EternalBlue NSA exploit.
Microsoft warns that it is highly likely malicious actors will write an exploit for this vulnerability and incorporate it into their malware. It's important that affected systems are patched as quickly as possible to prevent such a scenario from happening.
It's a certainty that this will be exploited in the wild since it’s a low-cost, highly effective way of quickly distributing ransomware and trojans.
Windows 8 and 10 are unaffected, but there’s still a vast pool of older systems out there that could be hit if left unpatched, including Windows 7.
The affected operating system builds include: Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows XP.
Sent to us by: Roy W. Nash
San Francisco is the first US city to ban facial recognition.
The emerging technology will not be allowed to be used by local agencies, such as the city’s transport authority, or law enforcement.
Additionally, any plans to buy any kind of new surveillance technology must now be approved by city administrators.
Opponents of the measure said it will put people’s safety at risk and hinder efforts to fight crime.
Those in favour of the move said the technology as it exists today is unreliable and represents an unnecessary infringement on people's privacy and liberty.
In particular, opponents of the technology argued that the systems are error-prone, particularly when dealing with women or people with darker skin.
Matt Cagle from the American Civil Liberties Union in Northern California says that by banning facial recognition, San Francisco has declared that the technology is incompatible with a healthy democracy and that residents deserve a voice in decisions about high-tech surveillance.
The vote was passed by San Francisco’s supervisors 8-1, with two absentees. The measure is expected to be officially passed into city law after a second vote next week.
Sent to us by: Roy W. Nash