Table of Contents
Microsoft addresses CVE-2020-0601 flaw, the first issue ever publicly reported by NSA
Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions. The CVE-2020-0601 vulnerability is different from any other previously addressed flaws because it was reported by the NSA and this is the first time that the US intelligence agency has reported a bug to the tech giant. The flaw, dubbed 'NSACrypt' and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various 'Certificate and Cryptographic Messaging functions' used by the Windows Crypto API for data encryption. This is a serious vulnerability and patches should be applied immediately. An attacker could exploit this vulnerability by using a spoofed code-signing certificate, meaning an attacker could let you download and install malware that pretended to be something legit, such as software updates, due to the spoofed digital signature. CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal. Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed 'Turn a New Leaf,' aimed at making more of the agency's vulnerability research available to major software vendors and ultimately to the public
Intel Patches High Severity Flaw in VTune Performance Profiler
Intel patched six security vulnerabilities during the January 2020 Patch Tuesday, including a high severity vulnerability in VTune and a bug affecting the Intel Processor Graphics drivers for Windows and Linux. The security issues addressed today are detailed in the six security advisories published on Intel's Product Security Center. According to Intel, these vulnerabilities could allow authenticated users to potentially trigger denial of service states and escalate privileges via local access, while others could lead to information disclosure.
Critical WordPress Plugin Bug Allows Admin Logins Without Password
A critical authentication bypass vulnerability allows anyone to log in as an administrator user on WordPress sites running an affected version of the InfiniteWP Client because of logical mistakes in the code. Based on the active installations tracked by the WordPress plugin library, the open-source InfiniteWP plugin is currently installed on over 300,000 websites, while the plugin's site claims that it's installed on over 513,000 sites. Upon installation, InfiniteWP Client is designed to allow its users to manage an unlimited number of WordPress sites from a central location with "one-click updates for WordPress, plugins, and themes across all your sites" and "one-click updates for WordPress, plugins and themes across all your sites."
europa.jobs - 226,095 breached accounts
In August 2019, the European jobs website europa.jobs suffered a data breach. The incident exposed 226k unique email addresses alongside extensive personal information including names, dates of birth, job applications and passwords. The data was subsequently redistributed on a popular hacking forum.
The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable. More insidious is the possibility that Beijing could use its access to degrade or disrupt communications services in the event of a larger geopolitical conflict. Since the internet, especially the "internet of things," is expected to rely heavily on 5G infrastructure, potential Chinese infiltration is a serious national security threat.
Even Google forgets to renew its domains
Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them. And possibly a minor security concern for some new G-Suite domain administrators