Saturday, March 4, 2017

Cyber Updates - 04/03

Hey all,

Here are this week's cyber updates:

(1) When organizations install an anti-virus appliance on their servers and workstation, they expect their environment to become more secure. This has not been the case for ESET anti-virus, which was found to be vulnerable to remote code execution if installed on  macOS (CVE-2016-9892). 
In particular, the esets_daemon uses a vulnerable XML parsing library (POCO XML Parser), which is vulnerable to remote code execution. An attacker, who intercept a GET request to https://edf.eset.com/edf (while conducting a MiTM attack), can change the XML content in order to execute code with root permissions. The attack is also made possible because the antivirus does not properly validate the server’s certificates, allowing a self-signed certificate to be used in MiTM attacks.

Organization that use ESET antivirus for macOS are urgently requested to update their product.

Here are all the details:
http://seclists.org/fulldisclosure/2017/Feb/68


(2) Amazon S3 servers in the N. Virginia region were partially unavailable last Tuesday.
It turns out that Amazon intended to remove a small numbers of servers, but a typo has caused Amazon to remove more servers than intended. This has caused a 5 hours outage to their S3 service. 
Since numerous clients rely on S3, this has affected an extensive amount of organizations. Time will tell whether clients will remain with Amazon or choose an alternative such as Google.

Here are all the details:
https://aws.amazon.com/message/41926/


(3) Google has discovered and published a new client-side vulnerability for Windows GDI library (CVE-2017-0037). Internet Explorer and Microsoft Edge are vulnerable to a “type confusion flaw”, which can result in remote code execution when visiting a malicious website.
This does not come in a good timing for Microsoft, which is yet to patch the new SMBv3 vulnerability (also resulted in Microsoft not publishing their famous Patch Tuesday updates).

Here are all the details and a PoC exploit:
http://thehackernews.com/2017/02/google-microsoft-edge-bug.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
https://www.exploit-db.com/exploits/41454/

Stay tuned for more updates,

Dan Gurfinkel
Head of Offensive Security & Response Unit