
Adobe releases patches for 60+ vulnerabilities

On November 14, Adobe released patches to fix numerous security flaws, including serious issues in Flash Player and Reader. These vulnerabilities affect Mac, PC and Chrome OS. To protect against these and future vulnerabilities, make sure that automatic updates are enabled:

https://helpx.adobe.com/flash-player/kb/flash-player-background-updates.html

and remember to restart your browser on a regular basis to ensure that any updates are fully applied.

This is just the latest reminder of the serious security issues associated with running Flash. NYU IT recommends that you uninstall it completely by downloading and running the Uninstaller from adobe.com. If you enabled Flash to complete the Benefits Annual Enrollment process, this is a good time to remove it. Adobe has also announced that Flash will be retired at the end of 2020 in favor of open web standards such as HTML5.

If you need to keep Flash, require permission before the plugin runs, so that you control when it is used. You can set this via the Adobe Settings Manager website (which, ironically, requires Flash to run) by choosing “Always ask”:

https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

or check the instructions for your browser below:

If you would like more information on the specific vulnerabilities addressed by these updates, see:

WordPress SQL injection vulnerability, patch ASAP to 4.8.3

A security researcher has disclosed a SQL injection vulnerability in WordPress 4.8.2 and earlier, so all WordPress installs should be updated to 4.8.3 as soon as possible. This is particularly important for groups that run their own WordPress installations, since WordPress is an extremely common target for attackers. If you support web servers where clients perform their own WordPress installs, please make sure that they receive this notification.

A SQL injection attack consists of inserting (“injecting”) SQL code into the input data that a client sends to the application, so that the application builds a query whose structure the attacker controls. A successful exploit can read sensitive data from the database, modify database data (INSERT/UPDATE/DELETE), execute administrative operations on the database (such as shutting down the DBMS), recover the contents of a given file on the DBMS file system and, in some cases, issue commands to the operating system.
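To make the mechanism concrete, here is an added example (written for this post, not code from the page or from WordPress) in Python against an in-memory SQLite table: the same two queries built first by string formatting and then with bound parameters, run against constructed attacker input. The table, rows and attack strings are invented for the demo. WordPress itself is PHP, and its parameterisation layer is $wpdb->prepare(), which is the code the disclosed bug concerned; the principle shown here is the same.

```python
import sqlite3

# Constructed sample user store standing in for a web application's
# database (not WordPress code; table and rows are invented for the demo).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (login, pw, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "administrator"), ("alice", "hunter2", "subscriber")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    # The client input is spliced straight into the SQL text. A quote in the
    # input ends the string literal and the rest of the input is parsed as
    # SQL: the attacker controls the structure of the query.
    sql = (
        "SELECT login, role FROM users "
        f"WHERE login = '{login}' AND pw = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, login, password):
    # Bound parameters: the SQL text is fixed and the values travel
    # separately, so a quote in the input is only ever compared as data.
    sql = "SELECT login, role FROM users WHERE login = ? AND pw = ?"
    return conn.execute(sql, (login, password)).fetchone()


def role_lookup_vulnerable(conn, login):
    # A harmless-looking profile lookup. With a UNION appended to the input
    # it returns the password column instead: the "read sensitive data" case.
    sql = f"SELECT role FROM users WHERE login = '{login}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def role_lookup_safe(conn, login):
    sql = "SELECT role FROM users WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (login,)).fetchall()]


# Attacker-controlled inputs (constructed for the demo).
BYPASS = "admin' --"                                  # comments out the password check
EXFIL = "nobody' UNION ALL SELECT pw FROM users --"   # reads another column entirely

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login: ", login_vulnerable(db, BYPASS, "wrong-password"))
    print("safe login:       ", login_safe(db, BYPASS, "wrong-password"))
    print("vulnerable lookup:", role_lookup_vulnerable(db, EXFIL))
    print("safe lookup:      ", role_lookup_safe(db, EXFIL))
```

Run it with python3: the vulnerable login returns the administrator row for a wrong password and the vulnerable lookup returns every stored password, while the parameterised versions return nothing for the same input. One caveat: Python's sqlite3 refuses to execute more than one statement per call, so the page's "modify data" and "shut down the DBMS" cases (stacked statements such as `'; DROP TABLE users; --`) do not work through this driver, but they do through many others; the fix is the same in every case, never build SQL text from untrusted input.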

wp.nyu.edu is externally hosted and is planned to be updated as soon as testing is complete.


Resources

https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

https://www.welivesecurity.com/2017/11/01/wordpress-update-now/

https://www.owasp.org/index.php/SQL_Injection

Important VMware update

VMware has issued a critical security alert for

  • VMware ESXi (ESXi)
  • VMware vCenter Server
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

regarding a number of issues. The most serious is an out-of-bounds write vulnerability (CVE-2017-4924, in the emulated SVGA device) that allows a guest to break out of its isolation: a malicious actor who has compromised a guest virtual machine could escape the constraints of the VM and execute code on the host that runs it. Anyone running these products should check VMware’s advisory (below) and apply the appropriate patches as soon as possible.


References:

https://www.vmware.com/security/advisories/VMSA-2017-0015.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924

Update 5/16/2017 Re: WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor) Malware/Ransomware

  1. Most critical to combating this strain of malware is to patch your Windows machine to the most current level. Refer to: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 or http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212 to find the appropriate patch level for your operating system.  This is especially important if you are running a version of Windows which is no longer supported, like XP or Windows Server 2003.
  2. Regardless of the patching steps you take, it is possible to be infected by WannaCry—subsequent to patching—if you click on a malicious email link or attachment. Please review our instructions on how to handle phishing messages and messages with odd attachments: http://www.nyu.edu/servicelink/KB0014438.
  3. After an initial machine is infected, WannaCry spreads to other machines via a vulnerability in SMB, the protocol that handles Windows file sharing. Microsoft patched this vulnerability in March (MS17-010); see https://technet.microsoft.com/en-us/library/security/ms17-010.aspx for more information. If your machine has been patched since March, the SMB vulnerability cannot be used to infect it over the network; it could still be infected if you open a malicious attachment or link, so the likelihood of infection is lower but not zero.
  4. We strongly recommend that machines with out-of-date operating systems be updated or retired. If you must use them, run them standalone, disconnected from the network. If you have questions about running an unsupported OS and how to transition your business process to a modern system, please contact the IT Service Desk at AskIT@nyu.edu.

WannaCry and Generic Ransomware Advice for Shared Network Drives  / NYU Box / Google Drive / DropBox

Since WannaCry encrypts your data, the encrypted files can be copied to your backup or cloud-based file sharing service (Box, Dropbox, Drive and others) if you sync to those services, overwriting the good copies. If you are the victim of ransomware encryption, follow these steps in order:

  1. Disconnect backups immediately, by unmounting backup devices and pausing or disconnecting file sharing services, so that the encrypted files stop propagating.
  2. Talk to your local IT group or the NYU IT Office of Information Security (security@nyu.edu).
  3. Wipe your device.
  4. Patch the system to an up-to-date level.
  5. Recover files from a backup or a sync performed prior to the encryption.

As an example, in March an NYU user encountered ransomware on a Windows machine that encrypted files on the computer, on USB drives, and on shared network drives. They were able to recover the files from Google Drive, NYU Box, and the departmental network drive backups kept by the system administrator.

For more information, see:

Widespread Phishing Attack on Google Docs

Beware of Emails Saying Someone Wants to Share a Google Doc with You

A phishing attack is being deployed against many universities (and possibly beyond) that use Google. You may see a message, apparently from someone you know, purporting to share a Google Doc with you. It shows you a button to click. DO NOT click this button. If you do, you will be asked to grant a third-party app calling itself “Google Docs” access to your Gmail and contacts, and it will then send the same message to everyone in your contact list.

We are blocking the originating email address, and have blocked several domains involved.
Google is working to mark the email as spam.

WHAT YOU SHOULD DO IF YOU CLICKED ON IT:
1. Go to https://myaccount.google.com/security#connectedapps
2. Click on Manage Apps
3. If you see “Google Docs”, click Delete
4. Change your NYU password as soon as possible via https://start.nyu.edu (this should not be necessary but as we are still gathering information about the severity of this, it will be wise)

NOTE: Step 3 does NOT delete your Google documents. If “Google Docs” shows up in this list of apps, it is not a real Google app but the attacker’s app using that name.

Please call the IT Service Desk at 212/998-3333 or email AskIT@nyu.edu if you need assistance.

WordPress Critical Vulnerability (Versions 4.7.0 & 4.7.1)

For Staff, Faculty and Students running personal or departmental installations of WordPress:
If you have not already done so, it is critical that you upgrade to WordPress version 4.7.2, which was released on 1/26/17. This release fixes a bug in the REST API that allows unauthenticated attackers to edit the titles and content of WordPress posts and pages. The web security firm Wordfence reports that over 1.5 million WordPress pages have been defaced by 20 hacking groups; 800,000 sites have been defaced in the last 48 hours alone.

For people using NYU’s central version of WordPress on http://wp.nyu.edu, the version is already up to date, and you do not need to take additional action.

You can confirm the version of WordPress that you are running in the administrative view. The Dashboard view will display the version running as follows:

[Screenshot: the Dashboard “At a Glance” panel, with the text “WordPress 4.7.2 running” circled in red]

If you are not running NYU’s central version of WordPress, and have questions concerning the version you are running or upgrading to version 4.7.2, please consult your local tech support.
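For administrators who host other people’s WordPress installs (both this post and the 4.8.3 advisory above ask you to make sure they are notified), the dashboard check does not scale. The following is an added example, written for this post rather than tooling from the page or from WordPress, that walks a web root, reads the version string WordPress keeps in wp-includes/version.php, and lists every install below a required version. The sample web root it builds (site-a, site-b, site-c) is constructed for the demo; point it at a real document root to use it.

```python
import os
import re
import tempfile

# WordPress records its version in wp-includes/version.php as a PHP
# assignment such as:   $wp_version = '4.8.2';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.MULTILINE)


def parse_version(text):
    # "4.8.3" -> (4, 8, 3, 0); "4.7" -> (4, 7, 0, 0). A pre-release suffix
    # ("4.8.3-alpha", "4.8.3-RC1") is ranked below the final release.
    core, sep, _suffix = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + ((-1,) if sep else (0,))


def find_installs(root):
    # Yield (install_dir, version_string_or_None) for every WordPress tree
    # under root, located by its wp-includes/version.php file.
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as f:
                match = VERSION_RE.search(f.read())
            yield os.path.dirname(dirpath), (match.group(1) if match else None)


def outdated_installs(root, minimum):
    # Return [(relative_install_path, version)] for installs below `minimum`,
    # sorted by path. An install whose version cannot be read is reported
    # too: an install you cannot identify is one you cannot vouch for.
    required = parse_version(minimum)
    hits = []
    for install, version in find_installs(root):
        try:
            current = parse_version(version) if version is not None else None
        except ValueError:
            current = None
        if current is None or current < required:
            hits.append((os.path.relpath(install, root), version))
    return sorted(hits)


def build_sample_root():
    # Constructed web root with three fake installs (invented names/versions).
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for site, version in [("site-a", "4.8.3"), ("site-b", "4.8.2"), ("site-c", "4.7.1")]:
        inc = os.path.join(root, site, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as f:
            f.write("<?php\n$wp_version = '%s';\n" % version)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    for path, version in outdated_installs(root, "4.8.3"):
        print("NEEDS UPDATE: %s (version %s)" % (path, version))
```

Usage: `python3 wpscan.py /var/www` (with the file saved under that name; both the name and the path are assumptions) prints one line per install that is older than 4.8.3; with no argument it runs against the constructed sample tree and reports site-b and site-c. The version string only tells you what core files are on disk, so an install that shows the right number but was compromised before it was patched still needs the usual post-compromise review.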

For more information, please see:

1) https://www.bleepingcomputer.com/news/security/attacks-on-wordpress-sites-intensify-as-hackers-deface-over-1-5-million-pages/
2) http://www.welivesecurity.com/2017/02/08/100000-wordpress-webpages-defaced-recently-patched-vulnerability-exploited/

Critical AppleOS updates

Following last week’s announcement of iOS critical vulnerabilities and their patches, Apple has issued similar patches for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. See details on the vulnerabilities in our last post and below for links to the updates and more details.

More info here: https://support.apple.com/en-us/HT207130

https://www.grahamcluley.com/2016/09/mac-users-vulnerable-state-sponsored-trident-attack-fixed-ios-week-patch/