The last 2 weeks have really been a bad time for security news and one has to hope things will change for the better; if not, the headline says it all!
BlueKeep
Microsoft released a security patch 2 weeks ago for the Windows Remote Desktop Protocol (RDP), the protocol used for remote access to Windows systems. I’ve long said RDP was inherently insecure and the chickens are coming home to roost now – RDP was found to be vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability.
Dubbed BlueKeep and tracked as CVE-2019-0708, the vulnerability affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions and could spread automatically on unprotected systems. The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code and take control of a targeted computer just by sending specially crafted requests to the device’s Remote Desktop Service (RDS) via the RDP—without requiring any interaction from a user.
So to summarise:
- no authentication required
- remotely triggered
- full control over target devices
- no interaction required
The issue is so critical that Microsoft took the unusual step of pushing out patches for older unsupported versions of Windows including XP, Server 2003 and Vista. Time to patch?
MDS
As mentioned in a special blog entry a few days ago, new Intel side channel attacks have come to light, 4 of them collectively known as MDS or more colloquially, ZombieLoad. Yip, time for a stiff whiskey.
The 4 attacks are:
- CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (MSBDS) [codenamed Fallout]
- CVE-2018-12127 – Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS) [codenamed ZombieLoad, or RIDL]
- CVE-2018-11091 – Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
Remediation includes both firmware (or microcode) and OS patches. Performance impact is expected to be around 10-15% for these patches. When you take this into consideration, along with performance impacts of previous remediations relating to Spectre/Meltdown, we’re starting to get Celeron performance in Xeon chips. Nice – $200 performance for $2000+ prices. Pay more, get less : )
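Because the fix has two halves (microcode from the firmware side, buffer clearing from the OS side), it is worth checking that a patched host actually reports both. The Linux kernel summarises the MDS state for all four CVEs in one sysfs file, /sys/devices/system/cpu/vulnerabilities/mds. The parser below is an added example and is not code from the original post; the status lines it handles follow the formats in the kernel's admin guide, and the sample lines embedded in it are constructed for illustration.

```python
"""Classify the Linux kernel's MDS status line (added example, not from the original post).

The kernel reports the combined state of the four MDS CVEs as one line in
/sys/devices/system/cpu/vulnerabilities/mds, e.g.
    "Mitigation: Clear CPU buffers; SMT vulnerable"
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
    "Not affected"
Both the kernel patch and the microcode update are needed; this script tells
the two halves apart so a host with only one of them is not marked "done".
"""
from dataclasses import dataclass
from pathlib import Path

# Real sysfs path on kernels that carry the MDS patch.
MDS_SYSFS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample lines, in the formats the kernel documents.
SAMPLE_LINES = [
    "Not affected",
    "Vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT Host state unknown",
]


@dataclass(frozen=True)
class MdsStatus:
    affected: bool            # CPU belongs to an affected Intel family
    kernel_mitigation: bool   # OS half: kernel clears CPU buffers on privilege transitions
    microcode_missing: bool   # firmware half: updated microcode is absent
    smt_state: str            # "vulnerable" | "mitigated" | "disabled" | "unknown" | "n/a"

    @property
    def needs_action(self) -> bool:
        # A host is only done when the OS patch is active AND the microcode is present.
        return self.affected and (not self.kernel_mitigation or self.microcode_missing)


def classify_mds_status(line: str) -> MdsStatus:
    """Turn one sysfs status line into a structured verdict."""
    text = line.strip()
    if text == "Not affected":
        return MdsStatus(affected=False, kernel_mitigation=False,
                         microcode_missing=False, smt_state="n/a")
    # The optional SMT note follows a semicolon: "...; SMT vulnerable".
    main, _, smt = text.partition(";")
    smt = smt.strip()
    smt_state = "n/a"
    if smt.lower().startswith("smt "):
        rest = smt[4:].lower()
        smt_state = "unknown" if "unknown" in rest else rest
    return MdsStatus(
        affected=True,
        kernel_mitigation=main.startswith("Mitigation:"),
        microcode_missing="no microcode" in main,
        smt_state=smt_state,
    )


def describe(status: MdsStatus) -> str:
    """One-line human summary used by the command-line entry point."""
    if not status.affected:
        return "not affected (e.g. AMD or a non-affected Intel part)"
    parts = []
    parts.append("kernel mitigation on" if status.kernel_mitigation else "kernel mitigation OFF")
    parts.append("microcode MISSING" if status.microcode_missing else "microcode present")
    if status.smt_state != "n/a":
        parts.append(f"SMT {status.smt_state}")
    parts.append("ACTION NEEDED" if status.needs_action else "ok")
    return ", ".join(parts)


def read_mds_status(path: Path = MDS_SYSFS_PATH) -> str:
    """Read the live status line; a kernel predating the patch has no such file."""
    if not path.exists():
        raise FileNotFoundError(f"{path} missing: kernel predates the MDS patch, treat as unmitigated")
    return path.read_text()


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(f"{sample!r:75} -> {describe(classify_mds_status(sample))}")
    try:
        live = read_mds_status()
        print(f"\nthis host: {live.strip()!r} -> {describe(classify_mds_status(live))}")
    except FileNotFoundError as exc:
        print(f"\nthis host: {exc}")
```

Run it as-is to see the constructed samples classified, followed by the live verdict for the host it runs on. The "SMT vulnerable" note is reported but not folded into `needs_action`, since whether to disable SMT on an otherwise patched host is a risk decision rather than a missing patch.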
On the bright side, you’re not affected if running AMD CPUs. And seeing the performance improvements in AMD’s latest Ryzen and EPYC chips, along with Intel’s chip shortage, that’s looking like a very good platform bet for the future.
Flipboard
In a case of “yet another online service breached” – let’s call it YAOSB – Flipboard advised that they were the unlucky recipient of two attacks, one last year and one this year, during which “an unauthorized party infiltrated some of its databases more than once and ‘potentially obtained copies’ of the user information they contained.”
Besides usernames, email addresses and passwords, the miscreants also got hold of tokens used to connect Flipboard to other social media services such as Facebook.
Do NOT connect 1 social media service to another. Don’t do it. Ever. Even if they ask. With a pretty please.
So all in all, tough times for service providers all round. Patch, patch, patch. Change passwords. You know the drill.