
Adobe releases patches for 60+ vulnerabilities

On November 14, Adobe released patches to fix numerous security flaws, including serious issues with Adobe Flash and Reader. These vulnerabilities affect Mac, PC and Chrome OS. In order to protect against these and future vulnerabilities, you should make sure that automatic updates are set:

https://helpx.adobe.com/flash-player/kb/flash-player-background-updates.html

and remember to restart your browser on a regular basis to ensure that any updates are fully applied.

This is just the latest reminder of the serious security issues associated with running Flash. NYU IT recommends that you uninstall it completely by downloading and running the Uninstaller from adobe.com. If you enabled Flash to complete the Benefits Annual Enrollment process, this is a good time to remove it. In addition, Adobe has announced that Flash is being retired by 2020 and replaced with newer interactive media, such as HTML5.

If you need to run Flash, require permission before the plugin runs, so that you can control the circumstances in which it is used. You can set this up via the Adobe Settings Manager website (which, ironically, requires Flash to run) to “Always Ask” before performing functions.

https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

or check the instructions for your browser below:

If you would like more information on the specific vulnerabilities addressed by these updates, see:

New Wireless Vulnerabilities: KRACK

A security researcher recently demonstrated that there are fundamental flaws in WPA2, the protocol that manages encryption for Wi-Fi connections. These flaws, if exploited properly, allow an attacker within radio range to decrypt the traffic passing between a target computer, phone or smart device and the wireless access point. Anything that is not separately protected at a higher layer (for example by HTTPS or a VPN) is then readable.

This attack is not easy to execute and is not yet being widely used, but it impacts any device that connects using WPA2, including phones, computers, and other devices such as wireless TVs, game consoles, Amazon Echo, etc.

How does this affect NYU?

We use Cisco equipment and have already enabled the recommended workaround. Patches will be applied as soon as they are available.

What can I do?

As always, the most important thing is to apply updates for your computer and mobile devices promptly. Last month’s Windows patch already included its fix for this vulnerability and Apple released their fixes this week.

Vendors were informed of this vulnerability before it was made public and have been working on fixes. Here are some that have been released:

Can you explain the hack in more detail?

When a device first connects to a Wi-Fi network, before it visits any websites, it performs what is called a four-way handshake with the wireless router. The handshake confirms that both sides hold the same network password (more precisely, the key derived from it) and establishes the fresh session key that encrypts the connection. The researcher showed that by capturing one of the handshake messages and replaying it, an attacker can trick the device into reinstalling a key it already has. Reinstalling the key resets the packet counter (nonce) the cipher relies on, so the same keystream is used twice, and from that repetition the attacker can recover the keystream and decrypt the traffic you exchange over Wi-Fi. In order for this to work, the attacker must be physically close to the victim, within Wi-Fi range.

Once the attack is successful, the attacker can do many malicious things, for example inject malicious content into otherwise legitimate pages that are served over plain HTTP. In the researcher's demonstration, other widely available tools were also used to strip HTTPS from a website that was not configured to enforce it, exposing the victim's login credentials. Sites that are correctly configured for HTTPS (for example with HSTS) remain protected even when the Wi-Fi encryption is broken, but sensitive traffic such as banking information or credit card transactions is at risk wherever that protection is missing.
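The following is an added example that models the key-reinstallation problem described above; it is not code from the original notice or from the KRACK researcher. It is a toy: the cipher is an HMAC-SHA256 counter-mode stand-in for CCMP's AES-CTR (the only property used is that the keystream is a function of key and nonce), the PTK and the two frames are constructed for the demo, and the Station class and its handle_msg3/send methods are hypothetical names. The real attack also requires a channel-based man-in-the-middle position to capture and replay message 3, which is abstracted away here.

```python
import hashlib
import hmac


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    # Stand-in for CCMP's AES-CTR keystream (HMAC-SHA256 in counter mode, so the
    # example runs on a bare Python install). The property that matters is the
    # same one CCMP has: the keystream is a pure function of (key, nonce).
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(ptk, nonce.to_bytes(6, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    # XOR two byte strings, truncated to the shorter one.
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Toy model of a Wi-Fi client's key-install and encrypt path (hypothetical)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.packet_number = 0  # CCMP nonce: must never repeat under one key

    def handle_msg3(self, ptk: bytes) -> None:
        # Message 3 of the four-way handshake tells the client to install the PTK.
        if self.patched and self.ptk == ptk:
            return  # fix: a replayed message 3 does not reinstall the key
        self.ptk = ptk  # vulnerable: (re)install the key ...
        self.packet_number = 0  # ... which resets the nonce to its initial value

    def send(self, plaintext: bytes):
        # Encrypt one frame: increment the packet number and use it as the nonce.
        self.packet_number += 1
        nonce = self.packet_number
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def run_attack(patched: bool):
    """Return (nonce_reused, secret_recovered) for a vulnerable or patched client."""
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()
    sta = Station(patched)
    sta.handle_msg3(ptk)  # genuine message 3 from the access point
    # Constructed frame 1: a predictable plaintext the attacker can guess.
    known = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    n1, c1 = sta.send(known)
    sta.handle_msg3(ptk)  # attacker replays the captured message 3
    # Constructed frame 2: the secret the attacker wants.
    secret = b"POST /login user=alice pw=hunter2"
    n2, c2 = sta.send(secret)
    # Keystream reuse: XOR of ciphertext and known plaintext yields the
    # keystream for that nonce, which then strips the second frame.
    ks = xor(c1, known)
    recovered = xor(c2, ks)
    return n1 == n2, recovered == secret


if __name__ == "__main__":
    print("vulnerable client:", run_attack(patched=False))  # nonce reused, secret read
    print("patched client:   ", run_attack(patched=True))   # fresh nonce, attack fails
```

The patched branch is the essence of the vendor fixes: a client that refuses to reinstall an already-installed key keeps its counters moving forward, so no two frames ever share a nonce under the same key.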

References:

Full explanation of vulnerability: https://www.krackattacks.com/

Vulnerability Notes DB: https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

List of Updates available:

https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it

WordPress SQL injection vulnerability, patch ASAP to 4.8.3

A security researcher has disclosed a SQL injection vulnerability in WordPress 4.8.2, so any WordPress installs should be updated to 4.8.3 as soon as possible. This is particularly important for groups which run their own WordPress installation(s), since WordPress is an extremely common target for attackers. If you support web servers where clients perform their own WordPress installs, please make sure that they receive this notification.

A SQL injection attack supplies input that the application embeds directly into an SQL query, so that the attacker's text is interpreted as part of the query rather than as data. That is, the code is "injected" through the input. If successful, the exploit can read sensitive data from the database, modify database data (INSERT/UPDATE/DELETE), execute administrative operations on the database (such as shutting down the DBMS), read the contents of files on the DBMS host's file system, and in some cases issue commands to the operating system.
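As an added illustration of the general class described above (not the specific WordPress 4.8.2 bug, whose details are in the linked technical disclosure, and not WordPress code), here is a query built by string interpolation next to its parameterized equivalent, run against an in-memory SQLite table with constructed sample rows. The table name, the rows and the two payload strings are all made up for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (id INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?)",
        [(1, "admin", "hash-of-admin-password"),
         (2, "editor", "hash-of-editor-password")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, login: str):
    # The client's input is pasted into the SQL text, so quotes and keywords in
    # it become part of the query.
    sql = "SELECT id, user_login FROM wp_users WHERE user_login = '%s'" % login
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, login: str):
    # Bound parameter: the value is handed to the driver separately and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT id, user_login FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo() -> dict:
    """Run both payloads through both query builders and return the rows each yields."""
    conn = make_db()
    # Payload 1: turn the WHERE clause into a tautology and match every row.
    bypass = "nobody' OR '1'='1"
    # Payload 2: close the string, UNION in the password column, comment out the rest.
    dump = "x' UNION SELECT id, user_pass FROM wp_users --"
    return {
        "vulnerable_bypass": find_user_vulnerable(conn, bypass),
        "vulnerable_dump": find_user_vulnerable(conn, dump),
        "safe_bypass": find_user_safe(conn, bypass),
        "safe_dump": find_user_safe(conn, dump),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable builder returns every user for the first payload and every password hash for the second; the parameterized builder returns no rows for either, because it looks for a user whose login literally equals the payload string.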

wp.nyu.edu is externally hosted and is planned to be updated as soon as testing is complete.


Resources

https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

https://www.welivesecurity.com/2017/11/01/wordpress-update-now/

https://www.owasp.org/index.php/SQL_Injection