Threats This Week

AI/Data Science Digest
Aug 14, 2019

A digest of the threats that made headlines this week.

8 New HTTP/2 Implementation Flaws Expose Web Sites to DoS Attacks

(Source: thehackernews.com)

Some facts about HTTP/2.0

  • Launched in May 2015, designed to be more secure and faster than the previous version
  • Currently, 40% of all sites on the Internet are running HTTP/2.0

The Netflix team found seven of the vulnerabilities and Google found one.

The following are the CVEs filed:

  1. CVE-2019-9511 — HTTP/2 “Data Dribble”
  2. CVE-2019-9512 — HTTP/2 “Ping Flood”
  3. CVE-2019-9513 — HTTP/2 “Resource Loop”
  4. CVE-2019-9514 — HTTP/2 “Reset Flood”
  5. CVE-2019-9515 — HTTP/2 “Settings Flood”
  6. CVE-2019-9516 — HTTP/2 “0-Length Headers Leak”
  7. CVE-2017-9517 — HTTP/2 “Internal Data Buffering”
  8. CVE-2019-9518 — HTTP/2 “Request Data/Header Flood”

The following are the affected systems:

  • NGINX
  • Apache
  • Microsoft IIS
  • Nghttp2
  • Cloudflare
  • Akamai
  • Apple SwiftNIO
  • Amazon
  • Facebook Proxygen
  • Node.js
  • Envoy proxy

Many of the vendors above have already released patches. Patch your systems as soon as possible.
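The flood-style issues in the list above (Ping Flood, Settings Flood, Reset Flood, Request Data/Header Flood) share one shape: control frames that cost the client almost nothing but cost the server CPU or memory for each one. The following detection check is an added example, not code from the article or from any of the vendors named; it parses a raw client-to-server HTTP/2 frame stream (assumed to start after the connection preface) and flags a connection whose control-frame count dwarfs its actual requests, with the ratio threshold and the sample captures being constructed assumptions.

```python
from collections import Counter

# RFC 7540 frame type codes (section 6)
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
# Control frames a client can emit almost for free; the flood CVEs above abuse these
FLOOD_TYPES = {"PING", "SETTINGS", "RST_STREAM", "PRIORITY", "WINDOW_UPDATE"}

def parse_frames(data: bytes):
    """Yield (type_name, flags, stream_id, payload) for each frame in a raw HTTP/2 byte stream.

    Frame header (RFC 7540 section 4.1): 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit + 31-bit stream identifier. A truncated trailing frame is dropped.
    """
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        yield FRAME_TYPES.get(ftype, f"UNKNOWN({ftype})"), flags, stream_id, payload
        off += 9 + length

def flood_score(data: bytes, max_control_per_request: int = 10):
    """Return (frame counts, flagged) for one client-to-server capture.

    The threshold is an assumption chosen for illustration: a normal client sends a
    handful of control frames per request, so thousands per request is a flood signature.
    """
    counts = Counter(name for name, _, _, _ in parse_frames(data))
    control = sum(counts[t] for t in FLOOD_TYPES)
    requests = counts["HEADERS"] + counts["DATA"]
    return counts, control > max_control_per_request * max(requests, 1)

def _frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame; used only to build the constructed sample captures below."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

# Constructed samples (not real traffic): an empty SETTINGS frame, one GET on stream 1
# (HPACK static index 2 = ":method: GET", END_STREAM|END_HEADERS), then one PING
# versus 5000 extra PINGs with 8-byte opaque data and the ACK bit clear.
BENIGN_CAPTURE = _frame(4, 0, 0) + _frame(1, 0x05, 1, b"\x82") + _frame(6, 0, 0, bytes(8))
PING_FLOOD_CAPTURE = BENIGN_CAPTURE + _frame(6, 0, 0, bytes(8)) * 5000

if __name__ == "__main__":
    for label, capture in (("benign", BENIGN_CAPTURE), ("ping flood", PING_FLOOD_CAPTURE)):
        counts, flagged = flood_score(capture)
        print(f"{label}: {dict(counts)} -> {'FLAGGED' if flagged else 'ok'}")
```

Patched servers apply the same idea internally (a per-connection budget for control frames), so this check is most useful as a sanity test on captures from an unpatched edge or as a detection rule in front of one.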

4 New BlueKeep-like ‘Wormable’ Windows Remote Desktop Flaws Discovered

(Source: thehackernews.com)

The Windows operating system contains four newly discovered critical, wormable remote code execution vulnerabilities in Remote Desktop Services, similar to the recently patched ‘BlueKeep’ RDP vulnerability.

Microsoft's own security team found these vulnerabilities. The following CVEs were filed:

  • CVE-2019-1181
  • CVE-2019-1182
  • CVE-2019-1222
  • CVE-2019-1226

Just like the BlueKeep RDP flaw, all four newly discovered vulnerabilities are wormable: malware could exploit them to propagate itself from one vulnerable computer to another automatically, without user interaction.

“It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these,” Microsoft strongly recommended.

The release notes for Microsoft's August security update can be accessed here.

To install the latest security updates, go to Settings → Update & Security → Windows Update → Check for updates on your computer, or install the updates manually.

Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows

(Source: thehackernews.com)

Google security researcher Ormandy has just disclosed details of a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows, from Windows XP to the latest Windows 10.

The vulnerability resides in the way MSCTF clients and the server communicate with each other, allowing even a low-privileged or sandboxed application to read and write data to a higher-privileged application.

The researcher has also released a custom open-source “CTF Exploration Tool” on GitHub, which he developed and used to discover many critical security issues in the Windows CTF protocol.

Ormandy responsibly reported his findings to Microsoft in mid-May this year and released the details to the public today after Microsoft failed to address the issue within 90 days of being notified.

Cerberus: A New Android ‘Banking Malware For Rent’ Emerges

(Source: thehackernews.com)

After a few popular Android Trojans like Anubis, Red Alert 2.0, GM Bot, and Exobot quit their malware-as-a-service businesses, a new player with similar capabilities has emerged to fill the gap, offering an Android bot rental service to the masses.

Dubbed “Cerberus,” the new remote access Trojan allows remote attackers to take total control over the infected Android devices and also comes with banking Trojan capabilities like the use of overlay attacks, SMS control, and contact list harvesting.

Once a device is infected, Cerberus first hides its icon from the application drawer and then asks for the accessibility permission while masquerading as Flash Player Service. If the permission is granted, the malware automatically registers the compromised device with its command-and-control server, allowing the buyer/attacker to control the device remotely.

Cerberus also uses some interesting techniques to evade detection by antivirus solutions and to hinder analysis, such as using the device's accelerometer sensor to measure the victim's movements (a sandbox or emulator that never moves is treated as an analysis environment).
