Security Week 41: Good News
The information security industry has no shortage of drama: the latest hacking techniques, spectacular failures of the protection built into software and hardware, or the complete absence of any such protection. The daily routine of spam with malicious attachments, phishing, ransomware and the like is not as interesting as the most sophisticated cyberattacks, but it is what has to be dealt with most often.
Discovering that your router's password does not hold up is rather like discovering a broken lock on your front door. And yet, while cyber threats should be taken seriously, the real work on security begins the moment everyone stops waving their hands and using unprintable language and gets down to business: updating the router, running phishing training for employees, deploying ransomware protection. Even when everything is bad with information security, it makes sense to picture how it ought to be, and then to move towards that better future without rushing. So today is a digest of good news: Google fixed Android security, Cisco fixed Webex, and WordPress fixed WordPress.
Let's start with the straightforward news: as The Verge reports, Google has added a separate security clause to its contractual obligations with manufacturers of Android smartphones. Beginning January 3? 201?, every new phone model sold in more than one hundred thousand units must receive regular security patches for two years after release. Accordingly, makers of more or less popular phones will be obliged to prepare and distribute those patches.
The practice of delivering security patches was introduced in 2015, first for Google's own phones; other manufacturers caught up later. Three years ago Google began to move away from the traditional approach to smartphone updates, in which new features were the priority and security holes were patched as and when. Android 8.0 Oreo introduced Project Treble, designed to reduce fragmentation of the code base. Where previously vendors were in no hurry to roll out patches, fearing conflicts with their own code, functionality and security are now completely (or almost) separated, and closing vulnerabilities has become easier.
Not everyone has benefited from this yet. First, active devices running Android 8 or later are still in the minority. Second, not all vendors send out the monthly security patches regularly, as Security Research Labs found out in April. So it is time for organisational measures. Of course, the ideal way to improve security is to develop the technology so that it works more or less by itself, but that is not always possible, so vendors will now be required to support their devices for at least two years. Other good news about Android: the fight against malicious apps on Google Play continues. Almost three dozen applications with relatively useful functionality plus an SMS-interception payload have been removed from the official store.
More good news. Cisco has removed a dangerous bug from its Webex conferencing system. Webex normally requires the installation of client software, which intercepts requests from the browser and delivers the video stream, the presenter's desktop contents and so on to the user's computer. The client runs constantly, even when you are not in a conference, and it has turned out more than once that it can add a couple of extra attack vectors to the system. Back in September a vulnerability was found and fixed in which the WebExService.exe process was used to elevate privileges (provided you already had access to the system as a regular user). Last week a researcher known as SkullSecurity found a similar bug. He studied how WebExService launches the client update process and was able to redirect that functionality to launch any process with SYSTEM privileges, with even a theoretical possibility of remote exploitation. I recommend reading the original write-up: it describes in detail the process of picking through the code in IDA Pro, full of tears and disappointment, but ending with the successful launch of the calculator.
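The behaviour described above, a service that will start whatever it is pointed at as SYSTEM, is simplest to catch from process-creation telemetry. The following is an added example, not code from the digest, from Cisco or from the researcher's write-up: it runs a detection rule over constructed Sysmon-style Event ID 1 records and flags any child of WebExService.exe that is not the expected updater. The Webex install directory and the updater executable name are assumptions; take both from a clean-install baseline of your own.

```python
"""Flag children of WebExService.exe that are not the expected updater.

Added example, not code from the digest, from Cisco or from the researcher's
write-up.  It runs a detection rule over Sysmon-style Event ID 1 (process
creation) records.  Assumptions: the Webex install directory and the updater
executable name below; replace both with a baseline taken from a clean install.
"""
import json
import ntpath

# Assumed: where the Webex client lives and which child the service legitimately starts.
WEBEX_DIR = r"C:\ProgramData\WebEx\WebEx\Applications"
EXPECTED_CHILDREN = {"ptupdate.exe"}
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Constructed sample telemetry (not real logs), one JSON record per line.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 4120, "User": SYSTEM_ACCOUNT,
                "Image": WEBEX_DIR + r"\ptUpdate.exe",
                "ParentImage": WEBEX_DIR + r"\WebExService.exe",
                "CommandLine": "ptUpdate.exe"}),
    json.dumps({"EventID": 1, "ProcessId": 5208, "User": SYSTEM_ACCOUNT,
                "Image": r"C:\Windows\System32\calc.exe",
                "ParentImage": WEBEX_DIR + r"\WebExService.exe",
                "CommandLine": "calc.exe"}),
    json.dumps({"EventID": 1, "ProcessId": 6012, "User": r"DESKTOP\alice",
                "Image": r"C:\Windows\System32\calc.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "calc.exe"}),
    json.dumps({"EventID": 3, "ProcessId": 4120, "User": SYSTEM_ACCOUNT,
                "Image": WEBEX_DIR + r"\WebExService.exe",
                "DestinationIp": "203.0.113.10"}),
]


def _basename(path):
    return ntpath.basename(path).lower()


def classify_event(event):
    """Return None for benign events, otherwise a short reason string.

    Only process-creation events whose parent is WebExService.exe are examined;
    the rule keys on the child image rather than the command line, because the
    service will run whatever path it is handed.
    """
    if event.get("EventID") != 1:
        return None
    if _basename(event.get("ParentImage", "")) != "webexservice.exe":
        return None
    image = event.get("Image", "")
    reasons = []
    if _basename(image) not in EXPECTED_CHILDREN:
        reasons.append("unexpected child %r" % _basename(image))
    if not image.lower().startswith(WEBEX_DIR.lower() + "\\"):
        reasons.append("child image outside the Webex install directory")
    if reasons and event.get("User", "").upper() == SYSTEM_ACCOUNT.upper():
        reasons.append("runs as SYSTEM")
    return "; ".join(reasons) if reasons else None


def scan(lines):
    """Parse JSON records and return (pid, image, reason) for every hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reason = classify_event(event)
        if reason:
            findings.append((event.get("ProcessId"), event.get("Image"), reason))
    return findings


if __name__ == "__main__":
    for pid, image, reason in scan(SAMPLE_EVENTS):
        print("ALERT pid=%s image=%s: %s" % (pid, image, reason))
```

Run as-is it prints one alert, for the constructed calc.exe record spawned by the service as SYSTEM. In production, feed it Sysmon or EDR process-creation events and tune EXPECTED_CHILDREN from a clean install rather than from the assumption above; the rule deliberately ignores the command line, because the escalation described above works by redirecting the updater launch to a process of the attacker's choosing.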
Finally, good news about WordPress: 96% of sites on this engine use a current version of the software. Just last week we looked at WordPress version statistics ourselves and came to similar conclusions. Or did not. 96% of WordPress sites do indeed run some 4.x version, but the latest release, 4.9, is used by only a little over 70%, and that release, mind you, is already a year old. At the DerbyCon conference the WordPress developers evidently decided to focus on the positive as well, and described how they achieved what is, in any case, a very good figure. The engine's automatic update system helped (it is far from working properly on every installation; that depends on the site administrator), as did the security notifications in Google Search Console and the Tide rating.
Tide is an automated test suite that evaluates plug-in security. The idea is that the Tide rating will eventually be displayed next to a plug-in's user rating (as in the screenshot), motivating developers to write safer code. So far the rating is not shown, the system is still in development and, judging by the notes on the project website, release 1.0 is on its way. Automated tests by definition cannot find every vulnerability, but that is not their job: quickly assessing code for well-known security problems is a good start, all the more so because real-world compromises of WordPress sites most often happen through vulnerable plug-ins. In addition, WordPress will now warn users if their site is running the no-longer-supported PHP 5.6. A useful feature for customers of companies that provide "WordPress out of the box", and a topical one: according to W3Techs, at the time of publication PHP 5.x was still used by more than 60% of sites.
All good!
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.
Author: weber
Publication date: 29-10-2018, 17:20
Category: Development / Information Security
Comments: 0
Views: 281