Joomla takes the cake for most serious exploits doing the rounds this month, with a combination of account creation and privilege escalation vulnerabilities proving an easy way to take complete control of various versions of Joomla. The diagnosis is grim for anyone who was not paying enough attention to patch within 24 hours as mass exploitation of these vulnerabilities have been reported, if you have not patched you should assume your Joomla site is already compromised.
- Joomla 3.6.4 was released to address account creation, elevation, and modification vulnerabilities that are being actively exploited in mass across the web just days after the vulnerabilities were disclosed. Anyone who has not already updated should consider their site compromised.
- Microsoft patched 45 security flaws in their October 2016 patches, one of which is being actively exploited as part of a malvertising campaign. This also being Microsoft first month with their new patching approach, removing the ability to pick-and-choose patches to apply. This new system puts much more pressure on software maintainers to push out patches for their applications that break due to patching, as companies would otherwise have to choose with being vulnerable to exploits, or have a functional application.
- Google has released some unpatched 0-day vulnerabilities in Windows after the time limit of responsible disclosure of actively exploited vulnerabilities ran out. This vulnerability has no patch available and is “local privilege escalation in the Windows kernel that can be used as a security sandbox escape”. Windows 10 Anniversary update is not vulnerable and Microsoft reports that older versions of Microsoft will provide patches on Tuesday, November 8.
- Linux Kernel local privilege escalation vulnerability known as Dirty COW has been patched 9 years after its introduction. As this vulnerability has existed for so long, it will affect practically all Linux-powered devices, from cars, to android phones, routers, etc… Cleaning up this Dirty COW is not going to be easy, with many devices simply no longer supported, or patches take months to be released.
- DNS hosting provider DynDNS has been hit by a huge DDoS attack that shook much of their services offline. Being a DNS provider this had very long reaching effects with many major websites being brought offline because users were unable to perform DNS lookups for websites using DynDNS services.
Read more on Krebs on Security website
- Spam has been found to be delivered through a calendar invite file “.ics” that contained a cancellation request with many recipients. Depending on how the calendar invite is managed it could cause the spam email to be forwarded to all the recipients from your email address.
- 1,300,000 records have been lost by the Red Cross Blood Service in what is the largest data breach of Australian medical records to date. A database backup was discovered on a public web facing web server of a technology partner, however, it is believed that there is no evidence that the database backup was accessed.
- Netflix is alerting users who have had their usernames or passwords circulated in data-breach lists to check their security, and in some cases have their passwords reset.
- A Japanese Nuclear research facility has been hacked by what is believed to be a nation-state hacker. 55,000 files have been stolen, including world-leading research on tritium, a radioactive hydrogen isotope key in nuclear fusion. The point of entry was a spear-phishing attack in November 2015, where an attacker posed as a Tokyo university student.
- The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has passed its second reading in the Australian House of Representatives. If passed, this bill will require entities subject to the Privacy Act 1988 to issue a notification in case personal information (that may result in serious harm) gets lost.
- The Register has published an interesting post on the potential liabilities of being hacked.