Monthly Archives: March 2018

Microsoft Rushes Out Fix for Major Hole Caused by Previous Meltdown Patch


Issue affects Windows 7 x64 and Windows Server 2008 R2 x64 systems.

Microsoft has rushed out an out-of-cycle security patch to address problems created by what were supposed to be fixes for the Meltdown vulnerability that it had previously issued for 64-bit Windows 7 and Windows Server 2008 systems.

In an advisory Thursday, the company urged anyone running Windows 7 for x64 systems or Windows Server 2008 R2 for x64-based systems to immediately install the new update. The advice applies to all organizations and users that have installed any of Microsoft’s security updates during or after January 2018.

The update for CVE-2018-1038 stems from a warning by Swedish penetration tester Ulf Frisk that Microsoft’s Meltdown patch for Windows 7 and Windows Server 2008 created a bigger hole than the one the patch was designed to fix.

The patch basically allowed any running process on these systems to read the complete contents in memory and to write to it as well. “Exploitation was just a matter of read and write to already mapped in-process virtual memory,” Frisk said. “No fancy APIs or syscalls required — just standard read and write.” The problem stemmed from a permission bit in a key memory table being set in “user” mode rather than “supervisor” mode.

“This made the page tables available to user-mode code in every process,” rather than only by the kernel itself, Frisk said.
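The user/supervisor bit Frisk describes is a single flag in each x86-64 page-table entry. The following script is an added example, not code from the article or from Frisk's research: it decodes the architectural flags of a raw 64-bit entry and audits a constructed PML4 (the top-level table) for kernel-half entries that are marked user-accessible, which is the misconfiguration class the article describes. The table contents are constructed for illustration; on a real system the tables are read with a kernel debugger, not from user mode.

```python
"""Decode x86-64 page-table entry flags and audit a PML4 for kernel-half
entries that are marked user-accessible.

Added example, not from the article or from Ulf Frisk's research. The PML4
contents built below are constructed for illustration.
"""
from dataclasses import dataclass

# Architectural bit positions of an x86-64 page-table entry.
PRESENT = 1 << 0
WRITABLE = 1 << 1
USER = 1 << 2        # U/S bit: 1 = user-mode code may access, 0 = supervisor only
NX = 1 << 63
PHYS_MASK = 0x000F_FFFF_FFFF_F000  # bits 12..51 hold the next-level physical address

PML4_ENTRIES = 512
KERNEL_HALF_START = 256  # slots 256..511 map the canonical high half of the address space


@dataclass(frozen=True)
class PteFlags:
    present: bool
    writable: bool
    user: bool
    no_execute: bool
    phys: int


def decode_pte(pte: int) -> PteFlags:
    """Split a raw 64-bit entry into its access-control flags and target address."""
    return PteFlags(
        present=bool(pte & PRESENT),
        writable=bool(pte & WRITABLE),
        user=bool(pte & USER),
        no_execute=bool(pte & NX),
        phys=pte & PHYS_MASK,
    )


def pml4_index_base(index: int) -> int:
    """Lowest virtual address mapped by PML4 slot `index` (sign-extended from bit 47)."""
    va = index << 39
    if index >= KERNEL_HALF_START:
        va |= 0xFFFF_0000_0000_0000  # canonical high half
    return va


def find_user_accessible_kernel_entries(pml4: list[int]) -> list[tuple[int, int]]:
    """Return (slot, virtual base) for present kernel-half entries with the U/S bit set.

    A present kernel-half PML4 entry marked User lets user-mode page walks reach
    whatever that entry maps, which is exactly what a supervisor-only bit prevents.
    """
    findings = []
    for idx in range(KERNEL_HALF_START, PML4_ENTRIES):
        flags = decode_pte(pml4[idx])
        if flags.present and flags.user:
            findings.append((idx, pml4_index_base(idx)))
    return findings


def build_sample_pml4(kernel_slot: int, kernel_entry_user: bool) -> list[int]:
    """Constructed PML4: one user-space entry, one supervisor-only kernel entry,
    and a second kernel entry whose U/S bit is the parameter under test."""
    table = [0] * PML4_ENTRIES
    table[0] = 0x1000 | PRESENT | WRITABLE | USER   # user space, user-accessible as expected
    table[300] = 0x2000 | PRESENT | WRITABLE        # kernel, supervisor only (correct)
    entry = 0x3000 | PRESENT | WRITABLE
    if kernel_entry_user:
        entry |= USER                               # the misconfiguration under test
    table[kernel_slot] = entry
    return table


if __name__ == "__main__":
    for user_bit in (False, True):
        hits = find_user_accessible_kernel_entries(build_sample_pml4(400, user_bit))
        print(f"kernel entry U/S={int(user_bit)}: flagged {[(i, hex(va)) for i, va in hits]}")
```

With the U/S bit clear the audit reports nothing; with it set, slot 400 is flagged together with the virtual base it maps, which shows why a single flag on one table entry exposes everything reachable beneath it.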

Chris Goettl, director of product management at Ivanti, says the vulnerability created by the Microsoft patch is pretty significant and something that needs to be addressed with haste, if possible.

“When Microsoft issued a fix for Windows 7 and Windows Server 2008, they made a mistake and ended up opening up read and write access in RAM so anybody could access anything in memory and write to it,” he says. “It is a significant vulnerability and leaves those systems pretty much exposed” without the update.

At this point, those with affected systems should test the new patch quickly and roll it out. Another option for those that don’t have the time to test the new patch will be to roll back the March update and wait for Microsoft’s April update, which is due April 11.

“We are close to the April update,” Goettl says. “Our guidance is to either apply the new update or roll back the March update,” for Windows 7 x64 systems and Windows Server 2008 x64 systems, he says.

Organizations should not make the mistake of assuming the issue is related to Meltdown/Spectre and wait for things to settle down, cautions Jack Danahy, CTO and co-founder of Barkly. “This is an easy-to-exploit zero-day vulnerability and a much more probable attack vector than the original problem that Microsoft was trying to correct.”

Unlike problems created by Spectre and Meltdown, “this isn’t just a cleanup exercise. Microsoft accidentally distributed a new zero-day vulnerability of their own design.”

The error is an example of the kind of issues that can crop up when things are rushed, he says. Fixing bugs is akin to serious software development, and it creates the same opportunities for mistakes, Danahy notes.

“I think that this will only serve to further deteriorate organizational willingness to apply patches automatically and without their own testing,” he says. “I’m personally hoping that everyone deploys this patch to CVE-2018-1038, because this vulnerability is so easy to exploit that there are already exploit toolkits integrating it.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.


from Dark Reading – All Stories

Microsoft Fixes Bad Patch That Left Windows 7, Server 2008 Open to Attack

Microsoft released an out-of-band fix on Thursday for a Windows vulnerability introduced earlier this year as a patch. If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. No other Windows OS version is impacted.

The bad patch was delivered via Microsoft’s January Patch Tuesday update. The fix was meant to protect Windows systems from the memory-disclosure vulnerability associated with Intel’s CPU bug Meltdown.

Researcher Ulf Frisk, credited for first identifying the flaw, said Microsoft’s botched patch “stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.”

As part of his research, Frisk created a proof-of-concept exploiting the bug, publishing his findings in a technical breakdown.

“We released a security update for Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64). Customers who apply the updates, or have automatic updates enabled, are protected,” Microsoft said in a statement Thursday.

Microsoft said the bug (CVE-2018-1038) is a Windows kernel elevation of privilege vulnerability. It said:

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

In order for an attacker to exploit this vulnerability they would first have to log on to the targeted PC and then run a “specially crafted” application to hijack the system, according to Microsoft. “The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory,” the advisory states.

Frisk had originally stated that Microsoft’s March Patch Tuesday update corrected the issue. On Thursday, Frisk said that the March Patch Tuesday update did not in fact fix the vulnerability. Frisk has made his proof-of-concept available via PCILeech, a direct memory access attack toolkit hosted on GitHub.

from Threatpost – English – Global – thr…

Accused LinkedIn, DropBox Hacker Appears in US Court After Diplomatic Battle


Russian national indicted for the 2012 LinkedIn hack that led to the theft of 117 million passwords has been extradited from the Czech Republic to the US.

Yevgeniy Nikulin, the Russian hacker accused of being responsible for breaching DropBox and the 2012 LinkedIn attack that saw 117 million passwords stolen, has been extradited to the US in a process that has implications for the larger relationship between the US and Russia.

Detained in the Czech Republic since October 2016, Nikulin had requested asylum there after warrants for his arrest were issued by both Russia and the US. The Czech government denied his bid for asylum and turned him over to the US, where he appeared in a federal courtroom on Friday morning.

During his initial court appearance in San Francisco, Nikulin’s attorney told the judge that his client has severe medical issues that require immediate attention. A medical evaluation has been ordered by the court.

Russia’s government has expressed its displeasure with the decision to turn him over to the US, saying that the Czech government reached its conclusion without considering all the available facts.

According to a report on CNN, the Czech minister of justice made the decision after considering the seriousness of the charges leveled by the US and Russia and the two countries’ intensity of desire to extradite and prosecute Nikulin.


from Dark Reading – All Stories

Coinhive Exposé Prompts Cancer Research Fundraiser

A story published here this week revealed the real-life identity behind the original creator of Coinhive — a controversial cryptocurrency mining service that several security firms have recently labeled the most ubiquitous malware threat on the Internet today. In an unusual form of protest against that story, members of a popular German language image-posting board founded by the Coinhive creator have vented their dismay by donating tens of thousands of euros to local charities that support cancer research.

On Monday KrebsOnSecurity published Who and What is Coinhive, an in-depth story which proved that the founder of Coinhive was indeed the founder of the German image hosting and discussion forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code primarily is found on tens of thousands of hacked Web sites, and because the until-recently anonymous Coinhive operator(s) have been reluctant to take steps that might curb the widespread abuse of their platform.

One of countless pages of images posted about this author by pr0gramm users in response to the story about Coinhive.

In an early version of its Web site, Coinhive said its service was first tested on pr0gramm, and that the founder(s) of Coinhive considered pr0gramm “their platform” of 11 years (exactly the length of time pr0gramm has been online). Coinhive declined to say who was running their service, and tried to tell me their earlier statement about Coinhive’s longtime affiliation with pr0gramm was a convenient lie that was used to help jump-start the service by enlisting the help of pr0gramm’s thousands of members.

Undeterred, I proceeded with my research based on the assumption that one or more of the founders of pr0gramm were involved in Coinhive. When I learned the real-life identities of the pr0gramm founders and approached them directly, each deflected questions about their apparent roles in founding and launching Coinhive.

However, shortly after the Coinhive story went live, the original founder of pr0gramm (Dominic Szablewski, a.k.a. “cha0s”) published a blog post acknowledging that he was in fact the creator of Coinhive. What’s more, Coinhive has since added legal contact information to its Web site, and has said it is now taking steps to ensure that it no longer profits from cryptocurrency mining activity after owners of hacked Web sites report finding Coinhive’s code on their sites.

Normally, when KrebsOnSecurity publishes a piece that sheds light on a corner of the Internet that would rather remain in the shadows, the response is as predictable as it is swift: Distributed denial-of-service (DDoS) attacks on this site combined with threats of physical violence and harm from anonymous users on Twitter and other social networks.

While this site did receive several small DDoS attacks this week — and more than a few anonymous threats of physical violence and even death related to the Coinhive story — the response from pr0gramm members has been remarkably positive overall.

The pr0gramm community quickly seized on the fact that my last name — Krebs — means “crab” and “cancer” in German. Apparently urged by one of the pr0gramm founders named in the story to express their anger in “objective and polite” ways, several pr0gramm members took to donating money to the Deutsche Krebshilfe (German Cancer Aid/DKMS) Web site as a way to display their unity and numbers.

The protest (pr0test?) soon caught on in the Twitter hashtag “#KrebsIsCancer,” promoted and re-tweeted heavily by pr0gramm members as a means to “Fight Krebs” or fight cancer. According to a story on Wednesday about the effort in Germany’s biggest news portal, German Cancer Aid had at that point received some 4,100 small donations totaling more than 103,000 Euros (~ USD $126,000). The publication said another organization, the German Cancer Research Center, reported 74 small donations likely connected to the effort.

In a statement via Twitter, DKMS Germany said it could not say for sure the total amount the #KrebsIsCancer movement raised, but that it did achieve “above average levels” of donations several days this week. “Last Tuesday alone, a total of over €50,000 was received. The amounts cannot be assigned directly to the action, but are largely the result” of the #KrebsIsCancer campaign, DKMS said.


from Krebs on Security

10 Women in Security You May Not Know But Should


The first in a series of articles shining a spotlight on women who are quietly changing the game in cybersecurity.


Kelly Jackson Higgins contributed to this article.

Cybersecurity doesn’t have enough people.

The industry is expected to have 1.8 million unfilled positions by 2020, a 20% increase from 2015, and signs of a skills shortage continue to plague the industry. Businesses don’t have enough security professionals in-house, and many lack the necessary skillsets.

Gender inequality pervades the male-dominated tech space, meanwhile, where only 49% of female employees feel both genders are treated equally, according to a new report from Indeed. The lack of diversity extends into cybersecurity, where women make up only 11% of the workforce, reports (ISC)². There is no clear-cut answer for the massive gender gap, but a number of factors seem to be at play. Consider salary, for instance: women earn lower salaries than their male counterparts in cybersecurity and women who identify as minorities make even less.

In an effort to celebrate and shine a light on some of the work women are doing in cybersecurity, Dark Reading is publishing a series of articles that identify women who may not be as well-known in the industry (yet), but who are making key contributions. This first installment includes ten women in various sectors of cybersecurity, who were selected based on recommendations and research. The list is in no particular order.

This is just the first in a series on women you may not know about, but whose work you might see more of in the future. If you know someone who fits the bill, please send us their names and any information about them and their work to [email protected]. We expect to see the list get much longer.



Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial technology.


from Dark Reading – All Stories

Under Armour App Breach Exposes 150 Million Records


A breach in a database for MyFitnessPal exposes information on 150 million users.

Tracking your fitness goals is good for you. It can be worrying, though, if the information from your fitness tracker is exposed to criminals. That’s the state some fitness buffs find themselves in after a breach of 150 million user accounts from the MyFitnessPal app from Under Armour.

The company has said that they have seen no evidence that any accounts have been logged into by an unauthorized user or that any illicit login attempts have been made. In an email to those affected they suggest that all MyFitnessPal users immediately change their passwords, a step that will ultimately be required for all users.

According to a statement from the company, on Feb. 25 Under Armour became aware that someone had gained access to the file in February, with the ability to see usernames, email addresses, and hashed passwords for the users. Under Armour stated that no Social Security numbers were seen because they don’t collect them, and no credit card numbers were stolen because that information is stored in a different system.

Under Armour says that they do not know the hacker’s identity, though they are continuing to work with law enforcement agencies on the investigation.


from Dark Reading – All Stories

Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts

Fitness apparel firm Under Armour said 150 million users of its MyFitnessPal app are victims in a breach exposing user names, email addresses and hashed passwords.

The company said personally identifiable information such as credit card numbers and Social Security numbers were not part of the breach. Under Armour purchased MyFitnessPal, a diet, nutrition and exercise tracking website and app, in 2015 for $475 million.

In a statement sent to customers on Friday the company said on March 25, 2018 Under Armour became aware that in February of 2018 “an unauthorized party acquired data associated with MyFitnessPal user accounts.”

“Four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information,” Under Armour said in a statement.

“What Under Armour did different was they came clean about the breach almost immediately. And they are getting a lot of kudos for this,” said George Avetisov, CEO of security firm HYPR. “It should prove that whether there’s regulatory enforcement or not, companies have a duty to their customers and fiduciary responsibility to reveal these breaches as soon as possible.”

By comparison, it took LinkedIn four years to discover and disclose its breach of 117 million email addresses and passwords. With Yahoo, it took three years to investigate and disclose a massive data breach of account information tied to 3 billion users. It took Dropbox four years to report details of more than 68 million user accounts that leaked in 2012.

“The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords,” according to an email sent to customers signed by Paul Fipps, chief digital officer at Under Armour.

Bcrypt is a 19-year-old security algorithm designed for hashing passwords and is based on the Blowfish symmetric block cipher. The algorithm is considered secure and uses a technique called key stretching, designed to make brute-force attacks more difficult.

However, according to noted breach expert Troy Hunt, who runs the data breach repository, some of the MyFitnessPal account data was protected with SHA-1, an older, weaker hashing function.

“This echoes what happened with Dropbox. It had about half their hashes as SHA-1 and half their hashes as Bcrypt,” Hunt said in his weekly video blog. “What a lot of companies do is they have a legacy hashing algorithm approach and time goes by and they say ‘SHA-1 isn’t any good anymore and we should use Bcrypt.’”

He argues the window of time to port millions of SHA-1 protected credentials (as users log on one at a time) to Bcrypt is too long, leaving millions of credentials vulnerable to cracking.
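The migration problem Hunt describes, and the way to close the window he criticises, can be shown in a few dozen lines. The script below is an added example, not code from the Threatpost article or from Under Armour's systems. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs with no third-party packages; the migration logic is the same with either slow hash. It contrasts the upgrade-on-login strategy (each SHA-1 record is rehashed only when that user next signs in, so records of inactive users stay crackable at SHA-1 speed indefinitely) with wrapping every legacy digest in the slow hash immediately, which needs no plaintext and removes all fast hashes in one batch; the login path then unwraps and converts each record to a direct slow hash. All user records are constructed for the example.

```python
"""Upgrade a password store from unsalted SHA-1 to a slow, salted KDF.

Added example, not from the Threatpost article or Under Armour's systems.
PBKDF2-HMAC-SHA256 stands in for bcrypt so the file runs without third-party
packages. Two strategies are shown: upgrade-on-login, which leaves inactive
users' hashes weak, and wrap-in-place, which removes every fast hash at once.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; bcrypt's cost parameter plays the same role


def legacy_sha1(password: str) -> str:
    """The weak legacy scheme: unsalted SHA-1 hex digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def stretch(secret: str, salt: bytes) -> bytes:
    """Salted, iterated key derivation (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class PasswordStore:
    """In-memory credential table; each record carries the scheme it uses."""

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}

    def add_legacy_user(self, user: str, password: str) -> None:
        """Constructed legacy record, as a site that never migrated would hold it."""
        self.records[user] = {"scheme": "sha1", "salt": b"", "hash": legacy_sha1(password)}

    def set_password(self, user: str, password: str) -> None:
        """Store the password directly under the slow hash (the target scheme)."""
        salt = os.urandom(16)
        self.records[user] = {"scheme": "kdf", "salt": salt, "hash": stretch(password, salt)}

    def wrap_all_legacy(self) -> int:
        """Wrap-in-place: replace each SHA-1 digest with KDF(sha1_hex, salt).
        No plaintext is needed, so the whole table can be converted in one batch."""
        converted = 0
        for rec in self.records.values():
            if rec["scheme"] == "sha1":
                salt = os.urandom(16)
                rec.update(scheme="kdf(sha1)", salt=salt, hash=stretch(rec["hash"], salt))
                converted += 1
        return converted

    def verify_and_upgrade(self, user: str, password: str) -> bool:
        """Check a login against whatever scheme the record uses; on success,
        rehash anything that is not yet a direct slow hash."""
        rec = self.records.get(user)
        if rec is None:
            return False
        scheme = rec["scheme"]
        if scheme == "sha1":
            ok = hmac.compare_digest(rec["hash"], legacy_sha1(password))
        elif scheme == "kdf(sha1)":
            ok = hmac.compare_digest(rec["hash"], stretch(legacy_sha1(password), rec["salt"]))
        else:
            ok = hmac.compare_digest(rec["hash"], stretch(password, rec["salt"]))
        if ok and scheme != "kdf":
            self.set_password(user, password)  # upgrade-on-login step
        return ok

    def fast_hash_count(self) -> int:
        """Records an offline attacker could attack at raw SHA-1 speed."""
        return sum(1 for r in self.records.values() if r["scheme"] == "sha1")


if __name__ == "__main__":
    store = PasswordStore()
    for name in ("alice", "bob", "carol"):
        store.add_legacy_user(name, f"{name}-pw")          # constructed sample users
    print("fast hashes before wrap:", store.fast_hash_count())
    store.wrap_all_legacy()
    print("fast hashes after wrap:", store.fast_hash_count())
    print("alice login:", store.verify_and_upgrade("alice", "alice-pw"), store.records["alice"]["scheme"])
    print("bob bad login:", store.verify_and_upgrade("bob", "wrong"), store.records["bob"]["scheme"])
```

With upgrade-on-login alone, `fast_hash_count()` only falls as users happen to sign in; after `wrap_all_legacy()` it is zero immediately, and the inner SHA-1 is then dropped from each record at that user's next successful login.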

Under Armour did not return requests for comment for this article.

Fipps said customers will be required to change their passwords in the coming days.

“Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities,” Fipps wrote to MyFitnessPal users.

The MyFitnessPal breach is the largest breach of 2018, so far.

“This is an old story and shows we are still not learning from the last mammoth breach. The fact of the matter is whether it’s passwords or medical data, what these companies are doing is putting all these pieces of data in one place creating a single point of failure,” Avetisov said.

from Threatpost – English – Global – thr…