
IT Security Newsletter - 1/15/2020


Top News

Patch Windows 10 and Server now because certificate validation is broken

Microsoft's scheduled security update for Windows includes a fix to a potentially dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability, reported to Microsoft by the National Security Agency, affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803. Microsoft has rated the update as "important" rather than critical.

Breaches

Equifax to pay customers $380.5 million as part of final breach settlement

Equifax has agreed to pay $380.5 million to resolve allegations related to the 2017 data breach in which hackers stole information belonging to some 147 million Americans, under the terms of a settlement approved by a federal judge. A court in the Northern District of Georgia on Monday approved an agreement covering the roughly 147 million people whose information was compromised when hackers spent May 2017 through July 2017 lurking in Equifax’s system.

Malware

Oski Data-Stealing Malware Emerges to Target North America, China

An emergent and effective data-harvesting tool dubbed Oski is proliferating in North America and China, stealing online account credentials, credit-card numbers, cryptowallet accounts and more. Oski, likely a Finnish or Nordic variant of the word Oska, meaning “Viking warrior or god” in Samoan, began to appear in Dark Web advertisements in December and possibly earlier, according to researcher Aditya K. Sood.

Exploits

Critical WordPress Plugin Bug Allows Admin Logins Without Password

A critical authentication bypass vulnerability allows anyone to log in as an administrator user on WordPress sites running an affected version of the InfiniteWP Client because of logical mistakes in the code. Based on the active installations tracked by the WordPress plugin library, the open-source InfiniteWP plugin is currently installed on over 300,000 websites, while the plugin's site claims that it's installed on over 513,000 sites.


Intel Fixes High-Severity Flaw in Performance Analysis Tool

Intel is warning of a high-severity vulnerability in its performance analysis tool called Intel VTune Profiler. If exploited, the flaw allows an adversary to perform a privilege escalation attack, giving them elevated and unauthorized access to a targeted system. The VTune Profiler, formerly known as the VTune Amplifier, is a software performance analysis application for serial and multithreaded application developers.

Software

Patch Tuesday, January 2020 Edition

Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7, a still broadly-used operating system that will no longer be supplied with security updates.


Windows 7 Gets Final Monthly Rollup Update Before End Of Life

Windows 7 has just received its last set of security updates. After today, Windows 7 won't receive any security or non-security updates from Microsoft, and it is now considered an unsupported operating system. The new monthly rollup and non-security update for Windows 7 come with a couple of security fixes. Microsoft says KB4534310 for Windows 7 has resolved security issues affecting Windows Cryptography, Windows Input and Composition, Windows Management, and other components.