Security Roundup - 2018-05-18
Incorrect handling of HTML leads to security problems. eFail is the latest named vulnerability going around. It was initially hyped as a PGP failure, but what is actually happening is that systems interpreting HTML can be abused to exfiltrate data. If you combine this with automatic decryption of PGP data in your email client, you potentially have your client decrypt the text and then handily send it to an external source. The EFF has an extensive FAQ.
Remote code injection in DHCP client. Red Hat Linux and variants have released patches for a bug that caused the DHCP client to parse responses as commands, allowing remote code execution. The PoC exploit fit into a tweet.
Active zero day for Internet Explorer. This was discovered by two separate security companies investigating attacks. Make sure you upgrade and/or move to more modern browsers.
IBM bans thumb drives. IBM has recently reviewed their security standards and has decided that thumb drives are no longer to be used. Given their history as an attack vector, as well as a common way to lose or leak data, this seems like a smart (though perhaps hard to enforce/implement) strategy.
Subliminal IoT. Students at UC Berkeley have demonstrated that voice assistants can be controlled by subliminal messages.
This photocopier contains secrets. Getting rid of old photocopiers/scanners at work? Make sure they aren’t storing secrets, like maybe social security numbers, contracts, or medical records.
People Don’t Patch. I actually talked to members at Sonatype about this, where they see thousands of organizations downloading vulnerable software packages, like the Struts vulnerability that resulted in huge news stories when it was the cause of the Equifax breach.