Windows Zero-Day vital patch, and other titbits

Just waiting for today's WUs - will they include this vital patch for Zero-Day, I wonder?

Per Qualys here: https://blog.qualys.com/news/2018/09/10/british-airways-hack-triggers-gdpr-concerns-as-world-awaits-windows-0-day-patch#more-24974

 

I probably only understand 1% of Qualys stuff but at least I keep up with end-of-word stuff! Hoping this helps.

Macromedia Shockwave Player, Flash, QuickTime, Java, RealPlayer, MusicMatch Jukebox, RegCure, on and on, garbage ALL. (laughs) ;-) Then again, maybe the MMJB wasn’t so bad… (laughs again) Although I think I just updated Java recently, I still don’t really like it and feel as though some of the aforementioned could serve as launchpads for exploits; thus, I think I’m with Soul on this one.

Regards,

H.B.     

All: the JAVA reference is that I have it disabled since it is, and has been, an avenue for exploit. Both are OOP and not dependent on the other as object models. I suggest to my customers to remove JAVA and disable JavaScript on the browser as well as use a non-admin account to keep possible privilege escalation to a minimum.

Microsoft patched this CVE, and a total of 62 vulnerabilities.

Cheers

Updated today. I see that Norton has emailed an alert about the BA hacking. I've still no idea why the links have gone awry!

SoulAsylum:

Hello Taffy. The link you posted directs back to this thread, unfortunately. Here is a like article on the hack. It appears this was carried out via JAVA scripts and an inserted FAKE SSL certificate on their website. Replicated on the airline's mobile app. Speaks volumes about how companies vet and QA their garbage these days. Hope JAVA and MS do get around to mitigation; if indeed it's something that can be prevented by MS, let's hope sooner than later. I have the JAVA console and functionality disabled on all my systems due to the continued issues with it.

Cheers

The article says a JavaScript file was modified and planted on the site. This has no connection to JAVA as it is a different program. 

Jim

Taffy_078:

Just waiting for today's WUs - will they include this vital patch for Zero-Day, I wonder?...

According to the Microsoft Security Response Center (MSRC) security update guide for CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440, this zero-day was patched today with the 11-Sep-2018 Patch Tuesday updates. All affected Windows OSs (Win 7 and higher) and KB numbers that patch this vulnerability are listed in that security update guide.

From yesterday's Qualys blog entry "Windows zero-day flaw awaits patch, as hackers exploit it" that Taffy_078 referenced:

"A security researcher disclosed publicly on Twitter a Windows 10 zero-day vulnerability, along with proof-of-concept exploit code, and hackers wasted little time using it for attacks in the wild. The researcher later acknowledged he should have notified Microsoft and given it a chance to create a patch before announcing the flaw....

The local privilege escalation bug resides on the Windows task scheduler’s Advanced Local Procedure Call (ALPC) interface, potentially allowing a local user to obtain system privileges, according to the CERT advisory....The vulnerability was disclosed on Aug. 27, and attacks exploiting it began a couple of days later."

Um, no kidding.  Most responsible people who find these types of security vulnerabilities will give companies like Microsoft a minimum of 90 days to release a patch before going public.
