Blog entry by Les Bell

by Les Bell - Wednesday, 9 August 2023, 10:50 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


It's That Day Again . . .

It's Microsoft Patchday - the second Tuesday of the month (Wednesday for those of us on the leading side of the International Date Line) - and the Redmondites have served up a major update this month, fixing 74 CVEs and two advisories and requiring a heart-stoppingly-long no-video-out reboot of my Windows 11 machine.

The first of the two advisories is termed a 'defense-in-depth' update for Office which prevents exploitation of a remote code execution vulnerability leading to the Windows Search security feature bypass vulnerability (CVE-2023-36884) which was being actively exploited in the wild. The other fixes a missing resource section for a module of the hypervisor-protected code integrity tool (hvciscan_amd64.exe and hvciscan_arm64.exe).

There are also fixes for four vulnerabilities with CVSS 3.1 base scores of 9.8:

You know what to do . . .

MSRC, August 2023 Security Updates, security update guide, 9 August 2023. Available online at https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug.

Adobe Releases Security Updates, Too

While you're updating, Adobe has released a number of updates to address multiple vulnerabilities. The relevant security bulletins are:

Adobe Commerce is, of course, based on the open-source Magento e-commerce merchant server, so users of that product should plan to update too.

UK Voter Information Leaked

The UK's Electoral Commission has disclosed a massive breach which occurred almost two years ago - and then wasn't discovered for a year. The attack was discovered in October 2022 and was reported almost immediately to the Information Commissioner's Office and the National Crime Agency. For a year prior, the still-unidentified threat actor had access to the names and addresses of 40 million voters in the UK who were registered from 2014 onwards.

However, the breach was only publicly disclosed this week, and has done enormous damage to the reputation of the Electoral Commission, although it would not have affected vote-counting, which remains a manual, paper-based process. On the other hand, if the responsible threat actor was associated with a nation state, the information gained could conceivably have been used in influence campaigns.

Asked why it took so long to disclose the breach, an Electoral Commission spokesperson said the Commission had needed to "remove the actors and their access to our system, assess the extent of the incident, liaise with the National Cyber Security Centre and ICO, and put additional security measures in place before we could make the incident public", adding that the attack "used a sophisticated infiltration method, intended to evade our checks" - which explains why it had evaded detection for so long, and reinforces suggestions of a state-affiliated advanced persistent threat.

Mason, Rowena and Hibaq Farah, Electoral Commission apologises for security breach involving UK voters’ data, The Guardian, 9 August 2023. Available online at https://www.theguardian.com/technology/2023/aug/08/uk-electoral-commission-registers-targeted-by-hostile-hackers.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
