SANS ISC: Internet Storm Center

Apple Updates Everything, Again

Published: 2018-01-23
Last Updated: 2018-01-23 22:14:44 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple Patch Summary

| Component | CVE | MacOS/OS X | iOS | watchOS | tvOS |
|---|---|---|---|---|---|
| Core Bluetooth | CVE-2018-4095 |  | X | X | X |
| Security | CVE-2018-4086 | X | X | X | X |
| QuartzCore | CVE-2018-4085 | X | X | X | X |
| curl | CVE-2017-8817 | X |  |  |  |
| Audio | CVE-2018-4094 | X | X | X | X |
| Kernel | CVE-2017-5754 (Meltdown) | X |  |  |  |
| Kernel | CVE-2018-4097 | X |  |  |  |
| LinkPresentation | CVE-2018-4100 | X | X | X |  |
| Kernel | CVE-2018-4090 | X | X | X | X |
| Core Bluetooth | CVE-2018-4087 |  | X | X | X |
| IOHIDFamily | CVE-2018-4098 | X |  |  |  |
| WebKit | CVE-2018-4088 | X | X | X | X |
| WebKit | CVE-2018-4089 | X | X |  | X |
| Kernel | CVE-2018-4082 | X | X | X | X |
| Wi-Fi | CVE-2018-4084 | X |  |  |  |
| Kernel | CVE-2018-4093 | X | X | X | X |
| Sandbox | CVE-2018-4091 | X |  |  |  |
| Kernel | CVE-2018-4092 | X | X | X | X |
| WebKit | CVE-2018-4096 | X | X | X | X |

MacOS 10.13.2

| Component | Impact | Description | CVE(s) |
|---|---|---|---|
| Audio | Processing a maliciously crafted audio file may lead to arbitrary code execution | A memory corruption issue was addressed through improved input validation. | CVE-2018-4094 |
| Core Bluetooth | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4087, CVE-2018-4095 |
| Kernel | An application may be able to read restricted memory | A memory initialization issue was addressed through improved memory handling. | CVE-2018-4090 |
| Kernel | An application may be able to read restricted memory | A race condition was addressed through improved locking. | CVE-2018-4092 |
| Kernel | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed through improved input validation. | CVE-2018-4082 |
| Kernel | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4093 |
| LinkPresentation | Processing a maliciously crafted text message may lead to application denial of service | A resource exhaustion issue was addressed through improved input validation. | CVE-2018-4100 |
| QuartzCore | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation. | CVE-2018-4085 |
| Security | A certificate may have name constraints applied incorrectly | A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates. | CVE-2018-4086 |
| Wi-Fi | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4084 |

iOS 11.2.5

| Component | Impact | Description | CVE(s) |
|---|---|---|---|
| Audio | Processing a maliciously crafted audio file may lead to arbitrary code execution | A memory corruption issue was addressed through improved input validation. | CVE-2018-4094 |
| Core Bluetooth | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4087, CVE-2018-4095 |
| Kernel | An application may be able to read restricted memory | A memory initialization issue was addressed through improved memory handling. | CVE-2018-4090 |
| Kernel | An application may be able to read restricted memory | A race condition was addressed through improved locking. | CVE-2018-4092 |
| Kernel | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed through improved input validation. | CVE-2018-4082 |
| Kernel | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4093 |
| LinkPresentation | Processing a maliciously crafted text message may lead to application denial of service | A resource exhaustion issue was addressed through improved input validation. | CVE-2018-4100 |
| QuartzCore | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation. | CVE-2018-4085 |
| Security | A certificate may have name constraints applied incorrectly | A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates. | CVE-2018-4086 |
| WebKit | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2018-4088, CVE-2018-4089, CVE-2018-4096 |

watchOS 4.2.2

| Component | Models | Impact | Description | CVE(s) |
|---|---|---|---|---|
| Audio | All Apple Watch models | Processing a maliciously crafted audio file may lead to arbitrary code execution | A memory corruption issue was addressed through improved input validation. | CVE-2018-4094 |
| Core Bluetooth | All Apple Watch models | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4087, CVE-2018-4095 |
| Kernel | All Apple Watch models | An application may be able to read restricted memory | A memory initialization issue was addressed through improved memory handling. | CVE-2018-4090 |
| Kernel | All Apple Watch models | An application may be able to read restricted memory | A race condition was addressed through improved locking. | CVE-2018-4092 |
| Kernel | All Apple Watch models | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed through improved input validation. | CVE-2018-4082 |
| Kernel | All Apple Watch models | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4093 |
| LinkPresentation | All Apple Watch models | Processing a maliciously crafted text message may lead to application denial of service | A resource exhaustion issue was addressed through improved input validation. | CVE-2018-4100 |
| QuartzCore | All Apple Watch models | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation. | CVE-2018-4085 |
| Security | All Apple Watch models | A certificate may have name constraints applied incorrectly | A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates. | CVE-2018-4086 |
| WebKit | All Apple Watch models | Processing maliciously crafted web content may lead to arbitrary code execution | Multiple memory corruption issues were addressed with improved memory handling. | CVE-2018-4088, CVE-2018-4096 |

tvOS 11.2.5

| Component | Impact | Description | CVE(s) |
|---|---|---|---|
| Audio | Processing a maliciously crafted audio file may lead to arbitrary code execution | A memory corruption issue was addressed through improved input validation. | CVE-2018-4094 |
| Core Bluetooth | An application may be able to execute arbitrary code with system privileges | A memory corruption issue was addressed with improved memory handling. | CVE-2018-4087, CVE-2018-4095 |
| Kernel | An application may be able to read restricted memory | A memory initialization issue was addressed through improved memory handling. | CVE-2018-4090 |
| Kernel | An application may be able to read restricted memory | A race condition was addressed through improved locking. | CVE-2018-4092 |
| Kernel | A malicious application may be able to execute arbitrary code with kernel privileges | A memory corruption issue was addressed through improved input validation. | CVE-2018-4082 |
| Kernel | An application may be able to read restricted memory | A validation issue was addressed with improved input sanitization. | CVE-2018-4093 |
| QuartzCore | Processing maliciously crafted web content may lead to arbitrary code execution | A memory corruption issue existed in the processing of web content. This issue was addressed through improved input validation. | CVE-2018-4085 |
| Security | A certificate may have name constraints applied incorrectly | A certificate evaluation issue existed in the handling of name constraints. This issue was addressed through improved trust evaluation of certificates. | CVE-2018-4086 |

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute


Life after GDPR: Implications for Cybersecurity

Published: 2018-01-23
Last Updated: 2018-01-23 21:16:25 UTC
by John Bambenek (Version: 1)
2 comment(s)

It’s not much discussed in the United States, but the EU’s landmark General Data Protection Regulation (GDPR) will soon become the law that governs how data about European citizens must be protected, stored, and processed. This, of course, has a great effect on organizations doing business in Europe, but it has had, and will have, a myriad of side effects that we’ll be dealing with for years to come. This is especially true for cybersecurity professionals and those who investigate crime on the internet.

For almost two years, debate has gone on in an ICANN working group about the future of Whois, the protocol that allows anyone to look up registrant information for any domain on the internet (unless it is otherwise protected). Whois has come under fire from time to time from privacy activists and data protection authorities, and that conflict has now reached a boiling point over GDPR. On the one hand, in a subset of cases personal information is published, including phone numbers, email addresses, and mailing addresses (unless the registrant buys privacy protection). On the other hand, security investigators, researchers, and data scientists use this data in a variety of ways to find malicious domains and protect their constituents.

The debate has at times been heated, with one registrar infamously calling anti-spam groups “blackhats”, but after spending months in this group, it’s pretty clear that free and meaningful access to full Whois data is going away. So the question becomes: now what? And what does this mean for other forms of data useful for threat research?

Whois, and certainly the commercial services built on top of that data, are useful for correlating malicious activity. During the French presidential campaign (and the upcoming midterm elections in the United States), it is possible to find other domains with the same registrant details and so identify multiple resources used by the adversary. It also makes it possible to check whether domains are owned by who they purport to be, or to obtain essential contact information to resolve problems.

One of the problems I have, from time to time, is how to contact victims when I see that their resources are compromised, as they often won’t list contact data on their website. Whois data can, of course, be wrong, but even in those situations it is useful.
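As an added example (not part of the diary), the registrant pivot described above run over a handful of constructed Whois records, one of which has its contact fields redacted the way post-GDPR records will be. The domains, contacts and field names are placeholders chosen to resemble typical Whois text output.

```python
"""Pivot on shared Whois registrant details to group related domains.
Added example, not from the diary: the records below are constructed
placeholders; 'Registrant Email/Phone' keys mirror typical Whois output."""
from collections import defaultdict

WHOIS_RECORDS = {  # constructed sample Whois output, one record per domain
    "phish-login-a.example": """Domain Name: phish-login-a.example
Registrant Email: ops.team.77@mail.example
Registrant Phone: +1.5550100""",
    "account-verify-b.example": """Domain Name: account-verify-b.example
Registrant Email: ops.team.77@mail.example
Registrant Phone: +1.5550100""",
    "legit-shop.example": """Domain Name: legit-shop.example
Registrant Email: hostmaster@legit-shop.example
Registrant Phone: +1.5550199""",
    # Post-GDPR style record: the registrar has blanked the contact fields.
    "redacted-c.example": """Domain Name: redacted-c.example
Registrant Email: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY""",
}

PIVOT_FIELDS = ("registrant email", "registrant phone")
REDACTED_MARKERS = ("redacted", "withheld", "not disclosed")


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def is_redacted(value: str) -> bool:
    """True for empty values or registrar redaction placeholders."""
    return not value or any(m in value.lower() for m in REDACTED_MARKERS)


def pivot_clusters(records: dict) -> dict:
    """Map (field, value) -> sorted domains sharing that non-redacted value.
    Redacted records never join a cluster: the correlation disappears."""
    seen = defaultdict(set)
    for domain, text in records.items():
        fields = parse_whois(text)
        for field in PIVOT_FIELDS:
            value = fields.get(field, "")
            if not is_redacted(value):
                seen[(field, value.lower())].add(domain)
    return {key: sorted(doms) for key, doms in seen.items() if len(doms) > 1}
```

Privacy-protection proxies that publish one shared contact for many unrelated domains will also cluster together, so a shared value is a lead to verify, not proof of common ownership.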

Luckily, for the broader class of threat data, it seems others are taking a more nuanced approach. This guide from the MISP Project discusses the implications in detail and points out that Recital 49 of the GDPR encourages these kinds of sharing arrangements to continue.

If Whois does go away, how will it impact your organization, and what plans do you have to accommodate those needs if it does?

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity
