
April 2016 Internet Security Report



April continues the growing trend of high-profile vulnerabilities with Badlock, a man-in-the-middle vulnerability in Windows and Samba services. The author of Badlock gave vendors a very long patch preparation time so that teams could apply the patch within the shortest possible time after release. There is a growing need for critical patches, especially in open source components, to be applied within the shortest possible period after their release; however, many vendors are lagging behind in providing a quick turnaround for patch releases, if they provide one at all. Apple's decision to abandon QuickTime for Windows rather than fix its discovered vulnerabilities is an example, leaving any users who still use the software, or still have it installed, vulnerable to serious exploits.
 
PCI DSS v3.2 has now been released with new requirements. The biggest impact of these requirements is on service providers. Some of the new requirements are recommended practices until June 2018, while others must be in place by June 30, 2016. We have released an overview of the changes on our website: https://www.shearwater.com.au/new-version-of-pci-dss-released-v3-2/

 

Threats


Breaches


Patches and Updates

  • Badlock is a man-in-the-middle vulnerability in DCERPC traffic that allows an attacker to impersonate an authenticated user. It affects Windows computers and any computer running the Samba software. The CVE number for Windows is CVE-2016-0128 and the CVE number for Samba is CVE-2016-2118. Patches are available for both Windows and Samba. http://rhelblog.redhat.com/2016/04/15/how-badlock-was-discovered-and-fixed/
  • US-CERT advises Windows users to uninstall Apple QuickTime. Trend Micro's Zero Day Initiative has discovered two new unpatched vulnerabilities that could be used to remotely compromise Windows computers. As Apple will no longer be providing security updates for QuickTime for Windows, it should be uninstalled on all systems as soon as possible.
    http://krebsonsecurity.com/2016/04/us-cert-to-windows-users-dump-apple-quicktime/
  • OpenSSL will release versions 1.0.2h and 1.0.1t, which fix a range of vulnerabilities rated as high severity.
    https://www.openssl.org/news/secadv/20160503.txt
  • Oracle has released its Critical Patch Update advisory for April 2016, which contains 136 security fixes across the various Oracle products, including Oracle Database Server, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL. It is recommended that these updates be applied as soon as possible.
    http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
  • Samba patched multiple vulnerabilities, including denial-of-service and man-in-the-middle vulnerabilities. In addition to applying these patches, the Samba team recommends additional configuration steps to protect against man-in-the-middle attacks: setting server signing to mandatory and disabling NTLMv1 authentication. Without these settings, man-in-the-middle attacks remain possible. For more information please see the following link.
    https://www.samba.org/samba/history/samba-4.4.2.html
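    The two configuration changes above are worth verifying rather than assuming, since a patched Samba with the old settings still accepts unsigned sessions and NTLMv1. The following script is an example added to this report (it is not Samba's own tooling and not Shearwater code): it parses the [global] section of an smb.conf and flags the two settings the advisory names, using the real Samba parameters `server signing` and `ntlm auth`. The two sample configurations are constructed for illustration, and the script assumes a Samba 4.4-era default of `ntlm auth = yes` when the parameter is absent.

```python
"""Audit an smb.conf [global] section for the two man-in-the-middle hardening
settings named in the Samba 4.4.2 advisory: mandatory server signing and
NTLMv1 disabled.

Example code added to this report; not Samba's own tooling.
"""
import re

# Constructed sample: a typical pre-hardening smb.conf (weak settings).
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    server role = standalone server
    server signing = auto
    ntlm auth = yes

[share]
    path = /srv/share
"""

# Constructed sample: the same config with the advisory's hardening applied.
HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    server role = standalone server
    # Refuse unsigned SMB sessions so a relayed or tampered session is rejected.
    server signing = mandatory
    # Refuse NTLMv1 responses, which are weak enough to enable credential relay.
    ntlm auth = no

[share]
    path = /srv/share
"""


def _norm_key(key):
    """Samba ignores case and whitespace in parameter names; do the same."""
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_smb_conf(text):
    """Return {section_name: {parameter: value}} for a smb.conf-style text.

    Comment lines start with '#' or ';'; sections are '[name]'; parameters
    are 'key = value' (split on the first '=').
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm_key(key)] = value.strip()
    return sections


def audit_global(conf):
    """Return a list of findings; an empty list means both settings are hardened."""
    g = conf.get("global", {})
    findings = []

    # 'server signing' accepts default/auto/mandatory/disabled; only
    # 'mandatory' rejects unsigned sessions.
    signing = g.get("server signing", "default").lower()
    if signing != "mandatory":
        findings.append(
            f"server signing = {signing}: SMB signing is not mandatory")

    # Assumption: Samba 4.4-era default for 'ntlm auth' is 'yes' (NTLMv1 allowed).
    ntlm = g.get("ntlm auth", "yes").lower()
    if ntlm in ("yes", "true", "1", "ntlmv1-permitted"):
        findings.append(f"ntlm auth = {ntlm}: NTLMv1 authentication is allowed")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        findings = audit_global(parse_smb_conf(text))
        print(f"[{label}] {'OK' if not findings else 'FINDINGS:'}")
        for f in findings:
            print("   -", f)
```

To check a live system, read `/etc/samba/smb.conf` (or the path reported by `testparm`) into `parse_smb_conf` instead of the constructed samples; the script reports two findings for the weak sample and none for the hardened one.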


Other