CISA releases free scanner to spot Log4j exposure
CISA posted the Log4j Scanner to GitHub yesterday, describing it as a “project derived from other members of the open-source community” which has been designed to help find vulnerable web services impacted by the two flaws in the Log4j tool. CISA said the scanning tool would help security teams “look for a limited set of currently known vulnerabilities in assets owned by their organization.” It warned that there may be “as yet unknown ways for threat actors to leverage the vulnerabilities” and confirmed that it is monitoring community chatter “to ensure its advice is current.”
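The kind of inventory check such a scanner performs, written here as an added Python example that is not CISA's tool or any project's code: it walks a directory of Java archives, recurses into archives nested inside WAR/EAR/JAR files, and reports any that carry the log4j-core Maven metadata or the JndiLookup class that community scanners commonly key on. It records the version it finds but does not decide whether that version is vulnerable; that judgement belongs to the current advisory. The sample archive it builds for the demonstration is constructed, and its version string is a placeholder.

```python
import io
import zipfile
from pathlib import Path

# Indicators used by many community Log4j scanners: the JNDI lookup class and
# the Maven metadata file in which log4j-core records its version string.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _log4j_core_version(zf):
    """Return the version= value from log4j-core's pom.properties, or None."""
    if LOG4J_CORE_POM not in zf.namelist():
        return None
    for line in zf.read(LOG4J_CORE_POM).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data, label, findings, depth=0, max_depth=4):
    """Append a finding for every archive (nested ones included) that carries log4j-core indicators."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-based archive, so nothing to inspect
    names = set(zf.namelist())
    version = _log4j_core_version(zf)
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append({"archive": label,
                         "log4j_core_version": version,
                         "jndi_lookup_present": has_jndi})
    if depth >= max_depth:
        return  # bound recursion so a malformed archive cannot nest forever
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            inspect_archive(zf.read(name), f"{label}!/{name}", findings, depth + 1, max_depth)


def scan_directory(root):
    """Walk a directory tree and inspect every archive found in it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_archive():
    """Constructed input: a WAR bundling a hypothetical log4j-core jar and an unrelated jar."""
    log4j_jar = io.BytesIO()
    with zipfile.ZipFile(log4j_jar, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
        zf.writestr(LOG4J_CORE_POM,
                    "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n"
                    "version=0.0.0-constructed\n")  # placeholder version, not a real release
    other_jar = io.BytesIO()
    with zipfile.ZipFile(other_jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", log4j_jar.getvalue())
        zf.writestr("WEB-INF/lib/unrelated.jar", other_jar.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    results = []
    inspect_archive(build_sample_archive(), "sample.war", results)
    for finding in results:
        print(finding)
    # Against a real host: for finding in scan_directory("/opt/apps"): print(finding)
```

Each finding names the full nesting path (`sample.war!/WEB-INF/lib/log4j-core.jar`), which is what an asset owner needs to locate the embedded copy; the unrelated jar produces no finding.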
Researchers disclose unpatched vulnerabilities in Microsoft Teams software
Researchers from Berlin-based cybersecurity firm Positive Security have discovered four vulnerabilities in the Microsoft Teams business communication platform. These relate to the implementation of the link preview feature, which they found was susceptible to a number of issues that could “allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and imposing Denial of Service on their Teams app/channels.” Microsoft said it would delay patches for three of the four vulnerabilities to a later date. Microsoft has, however, addressed the IP address leakage from Android devices.
Microsoft Office patch bypassed to allow malware distribution
According to researchers at Sophos, cybercriminals have apparently discovered a method for bypassing a patch for a recent Microsoft Office vulnerability, and are using this bypass to distribute Formbook malware. The original defect, tracked as CVE-2021-40444, can allow remote code execution on vulnerable systems. The flaw was publicly disclosed on September 7, after attacks exploiting it were identified, and the error was addressed as part of the September 2021 Patch Tuesday updates. The patch that the criminals were able to get around was “meant to prevent the execution of code to download a Microsoft Cabinet (CAB) archive containing a malicious executable.” The attackers were able to bypass this by “incorporating a Word document in a specially crafted RAR archive” delivered via a spam email campaign that ran on October 24 and 25. The researchers have assessed this short campaign as a “dry run” experiment.
New Dell BIOS updates cause laptops and desktops not to boot
Some recently released Dell BIOS updates are reportedly causing boot problems on certain laptop and desktop models, such as the Latitude 5320 and 5520, the Inspiron 5680 and the Alienware Aurora R8 desktop. Customers’ comments on social media state that after installing the latest BIOS version (1.14.3 for Latitude laptops, 2.8.0 for the Inspiron, and 1.0.18 for the Aurora R8), the machines go straight to a blue screen of death followed by shutdown. “Until Dell releases an update to address the bugs leading to boot, experts recommend downgrading to a previous firmware version if possible.”
Thanks to our episode sponsor, Lookout

Why CISOs shouldn’t report to CIOs
An opinion piece written by Eric Jeffery, Senior Solutions Architect at IBM, and posted at SecurityIntelligence.com suggests that CISOs should no longer report to CIOs but should instead have their own seat at the executive table. He writes, “we are at a crossroads today where we need to move security out from under IT and treat it as a business risk rather than a technical problem.” According to the IBM Cost of a Data Breach study, it takes an average of 287 days to identify and contain a data breach. This number illustrates how vulnerable businesses are. He adds that inherent tension between CISOs and others who report to the CIO frequently occurs due to the trade-off between security and efficiency, which impacts business units throughout an enterprise. The full article is available at SecurityIntelligence.com/posts.
4-year-old bug in Azure app service exposed hundreds of source code repositories
A security flaw has been identified in Microsoft’s Azure App Service that “resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017.” Researchers at Wiz discovered the vulnerability, named “NotLegit,” and reported it to Microsoft on October 7. Actions have now been taken to fix the information disclosure bug. Microsoft has stated that a “limited subset of customers” are at risk, adding, “customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers.”
Meta (Facebook) sues operators of 39,000 phishing sites
Meta has filed a lawsuit in a California court “against the operators of more than 39,000 phishing sites that have been hosted through the Ngrok service.” Meta is seeking a court injunction and damages of at least $500,000 from the operators of these sites, even before they are identified. “The lawsuit alleged that the group created phishing sites on their local systems and then used Ngrok, a localhost-to-internet relay service that allows developers to expose their local sites on the ngrok.io domain. The group then spread links to these ngrok.io domains to victims and collected their account credentials.”
Fisher-Price’s Bluetooth reboot of pre-school play phone has privacy flaw
The Fisher-Price Bluetooth phone, a replica of the brightly colored plastic phone you likely played with as a child, has been found to present the more sobering prospect of being spied on. The Fisher-Price Chatter Special Edition, which we first reported on in September, adds Bluetooth and a speaker to the familiar smiling rotary-dial phone and can connect to a smartphone in order to make real calls. Unfortunately, according to Pen Test Partners, the Chatter “uses Bluetooth classic without secure pairing, which means it agrees to any pairing request. Anyone within range could therefore hook up a Bluetooth device, and tune in to whatever is said within range of the Chatter’s microphone.”