Archive for July 9, 2019

Twitter Backs Off Broad Limits on ‘Dehumanizing’ Speech by KATE CONGER


After a year of debate and criticism, an effort to add to a policy on banned speech led to a narrower restriction that applies only when religious groups are targeted.

Published: July 8, 2019 at 07:00PM

from NYT Technology https://ift.tt/2LMWzw7
via IFTTT

Patch Tuesday Lowdown, July 2019 Edition

Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.

Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP client.”

The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows Server, from Windows Server 2012 through Server 2019.

Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond has addressed such a critical flaw in the Windows DHCP client.

All told, only 15 of the 77 flaws fixed today earned Microsoft’s most dire “critical” rating, a label assigned to flaws that malware or miscreants could exploit to commandeer computers with little or no help from users. It should be noted that 11 of the 15 critical flaws are present in or are a key component of the browsers built into Windows — namely, Edge and Internet Explorer.

One of the zero-day flaws — CVE-2019-1132 — affects Windows 7 and Server 2008 systems. The other — CVE-2019-0880 — is present in Windows 8.1, Server 2012 and later operating systems. Both would allow an attacker to take complete control over an affected system, although each is what’s known as an “elevation of privilege” vulnerability, meaning an attacker would already need to have some level of access to the targeted system.

CVE-2019-0865 is a denial-of-service bug in a Microsoft open-source cryptographic library that could be used to tie up system resources on an affected Windows 8 computer. It was publicly disclosed a month ago by Google’s Project Zero bug-hunting operation after Microsoft reportedly failed to address it within Project Zero’s stated 90-day disclosure deadline.

The other flaw publicly detailed prior to today is CVE-2019-0887, which is a remote code execution flaw in the Remote Desktop Services (RDP) component of Windows. However, this bug also would require an attacker to already have compromised a target system.

Mercifully, there do not appear to be any security updates for Adobe Flash Player this month.

Standard disclaimer: Patching is important, but it usually doesn’t hurt to wait a few days until Microsoft irons out any wrinkles in the fixes, which sometimes introduce stability or usability issues with Windows after updating (KrebsOnSecurity will endeavor to update this post in the event that any big issues with these patches emerge).

As such, it’s a good idea to get in the habit of backing up your system — or at the very least your data — before applying any updates. The thing is, newer versions of Windows (e.g. Windows 10+) by default will go ahead and decide for you when that should be done (often this is in the middle of the night). But that setting can be changed.

If you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a better-than-even chance that other readers have experienced the same and may even chime in with some helpful advice and tips.

Further reading:

Qualys Patch Tuesday Blog

Rapid7

Tenable [full disclosure: Tenable is an advertiser on this blog].

from Krebs on Security https://ift.tt/2JwSucN
via IFTTT

IBM Bets $34 Billion That Red Hat Can Help It Catch Amazon and Microsoft by STEVE LOHR


With the acquisition of a leading business software company, IBM is presenting itself as an open, impartial player in the cloud computing industry.

Published: July 8, 2019 at 07:00PM

from NYT Technology https://ift.tt/2JvuiaG
via IFTTT

Organizations Are Adapting Authentication for Cloud Applications

Companies see the changing demands of cloud identity management but are mixed in their responses to those demands.

from Dark Reading: https://ift.tt/30sp71U
via IFTTT

Financial Impact of Cybercrime Exceeded $45B in 2018

Cybersecurity analysts explore a range of industry research to examine trends around cyber incidents and their financial impact.

from Dark Reading: https://ift.tt/2LccbK6
via IFTTT

Coast Guard Warns Shipping Firms of Maritime Cyberattacks

A commercial vessel suffered a significant malware attack in February, prompting the US Coast Guard to issue an advisory to all shipping companies: Here be malware.

from Dark Reading: https://ift.tt/2xKginP
via IFTTT

Zoom Client for Mac Exposing Users to Serious Risks

Videoconferencing software maker downplays risks and says mitigations are on the way.

from Dark Reading: https://ift.tt/2LJgtbn
via IFTTT