Newsletter

open source and cybersecurity news

August 16, 2023

- CYBERSECURITY HEADLINES TODAY -

How Leaky is your VPN?
Microsoft stops renewing licenses for Russian companies
Fortinet Critical Flaw
Microsoft ProxyShell
Hackers Need Jira Too
This Day, August 16, in Tech History

In this Episode:

Marcel Brown: August 16th, 1995. Microsoft introduces Internet Explorer, which at the time was a modified version of Spyglass Mosaic, which Microsoft had licensed. Later, when Microsoft began including Internet Explorer for free with Windows, Spyglass sued Microsoft for not paying what they felt were the proper royalties. Microsoft settled for $8 million.

Edwin Kwan: A two-decade-old vulnerability has been discovered, which results in exposing encrypted VPN traffic. Academic researchers have called the attack TunnelCrack and published proof-of-concept exploit code.

Hillary Coover: Microsoft will finally stop renewing licenses for Russian companies. Approximately 90% of Russian corporate clients currently rely on Microsoft products.

Trac Bannon: On August 3rd, 2023, CISA released a report of the top exploited vulnerabilities of 2022. At the top of the list for 2022 is a set of three Microsoft Exchange vulnerabilities referred to as ProxyShell.

Katy Craig: A serious security issue has been discovered in the FortiProxy SSL VPN web portal. Fortinet knows that a malicious person shared access details for around 87,000 FortiGate SSL-VPN devices. These access details come from systems that were not protected against this known exploited vulnerability, despite wide availability of the patch.

Olimpiu Pop: What can be worse than a critical vulnerability? Twin critical vulnerabilities. Where did I find them? In the top recurrent exploited vulnerabilities report. Does this particular pair affect you? Well, it depends, but the probability of affecting your organization is high.


The Stories Behind the Headlines


Edwin Kwan: How leaky is your VPN?

A two-decade-old vulnerability has been discovered, which results in exposing encrypted VPN traffic and every VPN product is vulnerable on at least one device.

This is Edwin Kwan from Sydney, Australia.

The academic researchers have called the attack "TunnelCrack" and published proof-of-concept exploit code. They tested 67 VPN providers on Windows, macOS, iOS, Linux, and Android, and they found that all VPN apps for iPhones, iPads, MacBooks, and macOS are extremely vulnerable. A majority of VPNs on Windows and Linux are vulnerable, and Android is the most secure, with roughly one quarter of VPN apps being vulnerable. With Android, the built-in VPN was found to be more vulnerable than the VPN apps.

There are two types of TunnelCrack attacks: LocalNet and ServerIP. LocalNet attacks leverage the two conditions under which the VPN client allows traffic to be sent in the clear: when it is being sent to the local network, and when the destination is the VPN server. The latter rule is there to prevent routing loops, according to the researchers.

Mozilla VPN, Surfshark, Malwarebytes, Windscribe, and Cloudflare's WARP have already been patched against this vulnerability.

Resources
https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf
https://github.com/vanhoefm/vpnleaks
https://www.theregister.com/2023/08/10/tunnelcrack_vpn/
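The two exception conditions above are what a defender can check for. The following is an added example, not code from the TunnelCrack researchers or from any VPN vendor: it inspects the subnet a network handed to the client (a LocalNet attack works by handing out a subnet, or an oversized mask, that covers the victim's public destinations) and compares the DNS-resolved VPN server address against a pinned list (a ServerIP attack works by spoofing that resolution). The lease, destinations and pinned addresses are constructed sample data; the choice of RFC 1918 plus link-local as the only "legitimately local" ranges is an assumption of the example.

```python
import ipaddress
from typing import List

# Ranges a VPN client may legitimately exempt from the tunnel as "local".
# Assumption for this example: RFC 1918 plus IPv4 link-local.
LOCAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")
]


def local_subnet_leaks(address: str, prefixlen: int) -> bool:
    """True when the subnet assigned to the interface reaches outside the
    private/link-local ranges. A local-network exception for such a subnet
    would send traffic to public addresses around the tunnel, in the clear.
    An oversized mask (e.g. /1) from a hostile DHCP server is caught too."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    return not any(
        r.version == net.version and net.subnet_of(r) for r in LOCAL_RANGES
    )


def exposed_destinations(address: str, prefixlen: int,
                         destinations: List[str]) -> List[str]:
    """Destinations that fall inside the assigned local subnet but are not
    private addresses: these are the ones a LocalNet-style exception would
    route outside the VPN."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    exposed = []
    for dest in destinations:
        ip = ipaddress.ip_address(dest)
        if ip in net and not any(ip in r for r in LOCAL_RANGES):
            exposed.append(dest)
    return exposed


def server_ip_mismatch(resolved_ip: str, pinned_ips: List[str]) -> bool:
    """ServerIP check: the exception route for the VPN server should only be
    installed for an address the client already trusts, never for whatever
    the local network's DNS returned. True means the resolution is suspect."""
    pinned = {ipaddress.ip_address(p) for p in pinned_ips}
    return ipaddress.ip_address(resolved_ip) not in pinned


if __name__ == "__main__":
    # Constructed lease from a hostile access point: a /24 taken from the
    # public documentation range 203.0.113.0/24 instead of an RFC 1918 net.
    lease_ip, lease_prefix = "203.0.113.5", 24
    targets = ["203.0.113.10", "198.51.100.7", "192.168.1.1"]  # constructed
    print("lease is leaky:", local_subnet_leaks(lease_ip, lease_prefix))
    print("sent in the clear:", exposed_destinations(lease_ip, lease_prefix, targets))

    # Constructed ServerIP scenario: DNS on the hostile network answers the
    # VPN hostname with the victim's real destination instead of the server.
    pinned = ["198.51.100.20"]  # constructed: the operator's known server IP
    print("server resolution suspect:",
          server_ip_mismatch("203.0.113.10", pinned))
```

In practice the first two checks run against the interface the VPN client sees (the DHCP or RA-assigned address and prefix) before the client installs its local-network exception, and the third replaces "trust the A record" with "trust a pinned address or a validated server identity".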


Hillary Coover: Microsoft stops renewing licenses for Russian companies

Microsoft will finally stop renewing licenses for Russian companies.

Hi, this is Hillary Coover reporting from Washington, DC.

After September 30th, Microsoft will cease renewing licenses for Russian companies due to payment constraints. Although existing subscriptions will remain functional, they won’t be extendable.

This strategic move aligns with the sanctions imposed by the European Union, United States, and United Kingdom. While Microsoft initially suspended sales in Russia following the Ukraine conflict, it recently extended license offers to non-sanctioned Russian branches of international firms.

Remarkably, approximately 90% of Russian corporate clients currently rely on Microsoft products. Migrating to alternative Russian software solutions won’t be a seamless transition. Users will need to acclimate to new interfaces and IT specialists will have to reconstruct the technological infrastructure.

Resources
https://www.svoboda.org/a/microsoft-prekratit-prodlevatj-litsenzii-rossiyskim-kompaniyam/32543000.html
https://www.rferl.org/a/russia-microsoft-suspends-licenses/32543751.html


Trac Bannon: Break out of the Chains: Microsoft ProxyShell

On August 3rd, 2023, CISA released a report of the top exploited vulnerabilities of 2022. The report demonstrates that once vulnerabilities are detected, they continue to be exploited heavily for at least two to three years.

At the top of the list for 2022 is a set of three Microsoft Exchange vulnerabilities that when chained together give a bad actor the perfect glidepath for cyber breach. The trio is referred to as ProxyShell.

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

The ProxyShell set of vulnerabilities allows an unauthenticated attacker to execute arbitrary code on the vulnerable Exchange server. Here's a brief overview of each vulnerability:

-CVE-2021-34473 is a pre-authentication arbitrary-file-write vulnerability in the Autodiscover service of Exchange. An attacker can exploit it without any authentication, allowing them to write a file to any path on the server.

-CVE-2021-34523 is an elevation of privilege. This vulnerability exists because of an improper validation of cmdlet arguments in the Exchange PowerShell backend. It can be exploited post-authentication, and allows an attacker to run arbitrary commands with system privileges on the Exchange server.

-CVE-2021-31207 is a post-authentication arbitrary-file-write vulnerability. Discovered during a hacking contest, this vulnerability exists due to an insecure deserialization flaw in the Unified Messaging service. Once an attacker has authentication, they can exploit this to execute arbitrary code with system privileges.

When chained together, an actor can first exploit CVE-2021-34473 to bypass authentication, then use CVE-2021-34523 to elevate privileges, and finally, they leverage CVE-2021-31207 to execute arbitrary commands. This allows a full remote compromise of the affected Exchange server without needing any user interaction.

Organizations can break out of the chains by applying the patches released by Microsoft ASAP and regularly monitoring and updating systems.

Something to noodle on.

Resources
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
https://nvd.nist.gov/vuln/detail/CVE-2021-34473
https://nvd.nist.gov/vuln/detail/CVE-2021-31207
https://nvd.nist.gov/vuln/detail/CVE-2021-34523


Katy Craig: Fortinet Critical Flaw

A serious security issue has been discovered in the FortiProxy SSL VPN web portal. This flaw might allow unauthorized access by attackers. They can do this by manipulating the way certain web requests are made, potentially letting them download important system files from FortiProxy. The problem is, we’ve known about this for three years.

This is Katy Craig in San Diego, California.

Fortinet, a big player in cybersecurity, knows that a malicious person shared access details for around 87,000 FortiGate SSL-VPN devices. These access details come from systems that were not protected against this known exploited vulnerability, despite wide availability of the patch. Even worse, though some systems might now be patched, the passwords linked to them might still be the same, and this could give attackers a way back in.

If your organization uses FortiProxy SSL VPN, it’s important to act quickly. Check your systems for vulnerabilities, patch them up and change your passwords.

One important thing to remember: resetting passwords after making upgrades is crucial. This can help guard against the vulnerability, especially if your credentials have been compromised.

This is Katy Craig. Stay safe out there.

Resources
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
https://nvd.nist.gov/vuln/detail/CVE-2018-13379#vulnCurrentDescriptionTitle
https://www.fortiguard.com/psirt/FG-IR-20-233
https://www.fortiguard.com/psirt/FG-IR-18-384


Olimpiu Pop: Hackers need Jira, too

What can be worse than a critical vulnerability? Twin critical vulnerabilities. Where did I find them? In the top recurrent exploited vulnerabilities report published recently by CISA and a bunch of their foreign friends.

The report shows which are the already-known vulnerabilities exploited the most today. Does this particular pair affect you? Well, it depends, but the probability of affecting your organization is high. Atlassian’s Jira has a staggering 48.10% of the DevOps market.

The twin vulnerabilities had a score of 9.8 out of 10 and they are affecting a huge span of versions of the Confluence server and data center.

Both take advantage of an Object-Graph Navigation Language (OGNL) flaw that would permit an unauthenticated user to execute arbitrary code. Sending a specially crafted URI in the aforementioned expression language allows the execution of arbitrary code on the given box.

One of them affects the span of at least six major versions, the other affecting multiple versions too. Yes, exactly. It was in the code for a long time. What can you do? Block internet traffic towards the products and apply patches. I know, I know. You don’t like Confluence and you prefer Markup. I feel you, sister, but you have to give it a try. Even hackers use Jira.

On 505updates.com you can find more perspectives about cyberspace today.

Olimpiu Pop reported from the beautiful island of Sardegna, Italy.

Resources
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
https://nvd.nist.gov/vuln/detail/CVE-2022-26134
https://nvd.nist.gov/vuln/detail/CVE-2021-26084


Marcel Brown: This Day, August 15 and 16, in Tech History

This is Marcel Brown serving you up some technology history for August 15th and 16th.

August 15th, 1998. After three months of anticipation, the original iMac G3 goes on sale. The Bondi Blue iMac became well-known for its colorful case, which bucked the industry norm of beige. However, it is also known for being the first commercially successful computer to eliminate the use of legacy ports and the floppy drive.

Widely criticized at the time for not including the older technologies, by only featuring USB ports for peripheral connectivity, the iMac helped popularize the emerging standard even on Windows PCs.

And when was the last time anyone saw a beige PC?

Looking back now, this original iMac was a clear indicator that the old Apple under Steve Jobs was back and innovation would once again be had in the PC market.

Apple continued to create new and interesting varieties of the iMac through the years, and as the iPod and iTunes helped bolster their fortune and eventually changed the world again with the iPhone and the iPad, the iMac remained a symbol of this new era of the personal computer.

I recall helping my uncle purchase one of the first iMacs at a CompUSA store on that first day. There were only 15 available and we were there early enough to grab one before they quickly sold out. Yeah, I was totally jealous, but at least I got to help set it up.

August 16th, 1995. Microsoft introduces Internet Explorer, which at the time was a modified version of Spyglass Mosaic, which Microsoft had licensed.

Later, when Microsoft began including Internet Explorer for free with Windows, Spyglass sued Microsoft for not paying what they felt were the proper royalties. Microsoft settled for $8 million.

That’s your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.

Resources
http://thisdayintechhistory.com/08/16
