Macromedia Shockwave Player, Flash, QuickTime, Java, RealPlayer, MusicMatch Jukebox, RegCure on and on garbage ALL. (laughs) ;-) Then again, maybe the MMJB wasn’t so bad… (laughs again) Although I think I just updated Java recently, I still don’t really like it and feel as though some of the aforementioned could serve as launchpads for exploits, thus, I think I’m with Soul on this one.
All: the JAVA reference is that I have it disabled since it is, and has been, an avenue for exploit. Both are OOP and not dependent on the other as object models. I suggest to my customers to remove JAVA and disable JavaScript on the browser as well as use a non-admin account to keep possible privilege escalation to a minimum.
Hello Taffy. The link you posted directs back to this thread unfortunately. Here is a like article on the hack. It appears this was carried out via JAVA scripts and an inserted FAKE SSL certificate on their website. Replicated on the airline's mobile app. Speaks volumes about how companies vet and QA their garbage these days. Hope JAVA and MS do get around to mitigation; if indeed it's something that can be prevented by MS, let's hope sooner than later. I have the JAVA console and functionality disabled on all my systems due to the continued issues with it.
Cheers
The article says a JavaScript file was modified and planted on the site. This has no connection to JAVA as it is a different program.
Just waiting for today's WUs - will they include this vital patch for Zero-Day, I wonder?...
According to the Microsoft Security Response Center (MSRC) security update guide for CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440, this zero-day was patched today with the 11-Sep-2018 Patch Tuesday updates. All affected Windows OSs (Win 7 and higher) and KB numbers that patch this vulnerability are listed in that security update guide.
"A security researcher disclosed publicly on Twitter a Windows 10 zero-day vulnerability, along with proof-of-concept exploit code, and hackers wasted little time using it for attacks in the wild. The researcher later acknowledged he should have notified Microsoft and given it a chance to create a patch before announcing the flaw....
The local privilege escalation bug resides on the Windows task scheduler’s Advanced Local Procedure Call (ALPC) interface, potentially allowing a local user to obtain system privileges, according to the CERT advisory.... The vulnerability was disclosed on Aug. 27, and attacks exploiting it began a couple of days later."
Um, no kidding. Most responsible people who find these types of security vulnerabilities will give companies like Microsoft a minimum of 90 days to release a patch before going public.