Newsletter Archives
-
TPM 2.0, required by Windows 11, is hackable. Upgrade now?
PUBLIC DEFENDER
By Brian Livingston
Researchers have discovered flaws in TPM 2.0, a security microcontroller that Microsoft requires on a device (with exceptions) before Windows 11 will install. If your computer is affected, a hacker could bypass TPM’s security to read some of your data or overwrite cryptographic keys that the microcontroller is expected to contain safely.
The news isn’t all bad. There are many ways you and your devices may be immune.
Read the full story in our Plus Newsletter (20.12.0, 2023-03-20).
-
Win10 cumulative update gets an update. Don’t panic!
PATCH WATCH
By Susan Bradley
Even in the best of times, we almost always expect to get Windows-updating surprises. And these are far from normal times.
Still, it was a bit shocking that two days after Microsoft released the expected March cumulative update for Windows 10 versions 1903 and 1909, it released another cumulative patch.
Read the full story in AskWoody Plus Newsletter 17.11.0 (2020-03-16).
-
Google Project Zero: 90-day disclosure is working, with 97.5% of reported vulns being fixed within 90 days
The details are a little more complicated, but not much. Google’s Project Zero has turned up 1,434 security vulnerabilities in the past four and a half years:
Of these, 1224 were fixed within 90 days, and a further 174 issues were fixed within the 14-day grace period [granted when it looks like the manufacturer is going to release a patch shortly]. That leaves 36 vulnerabilities that were disclosed without a patch being available to users, or in other words 97.5% of our issues are fixed under deadline.
Realize that Google has a vested interest in saying that their disclosure policy is good for all of us — debatable, but I strongly agree — and they come to the conclusion:
If most bugs are fixed in a reasonable timeframe (i.e. less than 90 days), then we are only enforcing the deadline on a very small number of unfixed cases. And if disclosing a handful of unfixed vulnerabilities doesn’t substantially help attackers in the short-term, but does lead to the demonstrated long term benefits of shortened patch timelines and more frequent patching cycles, then it would follow that a deadline based disclosure policy is good for user security overall.
Interesting report. Thanks to Catalin Cimpanu, who has additional observations on ZDNet.
-
Microsoft’s Malware Protection Engine Vulnerable
Gunter Born has posted a new topic here on a vulnerability in Defender & Security Essentials:
Last night (Germany) I received a notification from Microsoft about a critical vulnerability in Microsoft’s Malware Protection Engine (CVE-2017-11937). All Windows versions using either Defender or Microsoft Security Essentials or Forefront are affected. But there are no updates available – and the links within Microsoft’s Update Catalog are broken.
He is calling for information and insights. Can you help?
Check it out here:
Critical vulnerability in Microsoft’s Malware Protection Engine (CVE-2017-11937)
UPDATE:
Defender and MSE are updating themselves – and it seems that yesterday the security module was updated.
-
Intel Firmware Security Bulletin issued
Six months on from the initial vulnerability disclosure on the Intel Management Engine, Intel has issued a follow-up disclosure today on a firmware vulnerability:
Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.
The details have been posted in the Code Red forum, but as we are missing the right panel widgets, you might not find that by navigating! Here’s the link
-
Is Wi-Fi security irretrievably broken?
There’s a lot of buzz this weekend about a flaw that’s purported to break security on most Wi-Fi connections, allowing an eavesdropper to snoop or use the connection without permission.
Said to involve CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088, when they’re posted.
See this thread from @campuscodi and be watching Bleepingcomputer tomorrow for details.
-
New cyber attack is a ransomware worm
Details are still sketchy as to the nature of today’s cyber attack, but from the details currently available it is a ransomware worm.
However, the actual nature of this threat is still being discovered and debated, much as WannaCry’s was last month.
The latest from @kaspersky researchers on #Petya: it’s actually #NotPetya pic.twitter.com/uTVBUul8Yt
— Kaspersky Lab (@kaspersky) 27 June 2017
@MrBrian posted about this on Code Red – security alerts – information and discussion topic page:
Variant of Petya ransomware is spreading fast
-
Google Chrome Browser Vulnerability – check your “where to save file” settings
Last week, a new topic was posted on a vulnerability on Google Chrome Browser over on Code Red – security advisories.
From Catalin Cimpanu, on bleepingcomputer.com:
Just by accessing a folder containing a malicious SCF file, a user will unwittingly share his computer’s login credentials with an attacker via Google Chrome and the SMB protocol.
…
Users can do this by visiting:
Settings -> Show advanced settings -> Ask where to save each file before downloading
More advanced protection measures include blocking outbound SMB requests via firewalls, so local computers can’t query remote SMB servers.
Bosko Stankovic, on defense.com, said:
With its default configuration, Chrome browser will automatically download files that it deems safe without prompting the user for a download location but instead using the preset one. From a security standpoint, this feature is not an ideal behavior.
…
In order to disable automatic downloads in Google Chrome, the following changes should be made: Settings -> Show advanced settings -> Check the Ask where to save each file before downloading option. Manually approving each download attempt significantly decreases the risk of NTLMv2 credential theft attacks using SCF files.
scmagazine.com discussed this issue in Greg Masters’ article – see today’s post on this over on Google Chrome Flaw Could Allow Windows Credential Theft
Now would be a good time to check that your browser is set to ask where to save downloads, even if you use another brand.