Information Security News
Eight days after developers patched a critical flaw in the Apache Struts Web application framework, there has been no let-up in the volley of attacks attempting to exploit the vulnerability, which affects a disproportionate number of high-impact websites, a security researcher said Tuesday.
As of Tuesday morning, 503 unique IP addresses were attempting to exploit the code execution bug, Jaime Blasco, chief scientist with security firm AlienVault Labs, told Ars. Based on the addresses, the attack origins were most concentrated in China (300 unique IPs), followed by the US (92), Taiwan (71), Hong Kong (15), the Netherlands (9), Russia (4), Canada (3), Italy (3), the UK (3), and Indonesia (3). In an attempt to go undetected, the attackers in many cases have tweaked the two exploits that were being widely used in last week's wave. AlienVault has responded by updating the signatures it uses to detect the attacks.
The five-year-old vulnerability resides in Web applications that were developed using a buggy version of Apache Struts. In many cases, the use of a single such app allows attackers to inject commands of their choice into the Web server hosting it. Like the attacks seen last week, the exploits are being used to infect vulnerable servers with a wide variety of malware.
Today, Microsoft released its monthly security bulletins. February's delayed release was combined with this March release, which likely caused the large number of bulletins (18 total, including the Adobe Flash bulletin).
You can review the patch summary here: https://isc.sans.edu/mspatchdays.html?viewday=2017-03-14 or via our API.
Probably the most scary set of vulnerabilities in this update are %%cve:2017-0143%%, %%cve:2017-0144%%, %%cve:2017-0145%%, %%cve:2017-0146%% and %%cve:2017-0148%%. These are remote code execution vulnerabilities in SMB that allow an unauthenticated user to execute arbitrary code. Microsoft rates the exploitability as 1, indicating that it wouldn't be terribly difficult to develop an exploit for these. Yes, you already blocked SMB at your perimeter. But further reducing your attack surface is always a good idea. You may want to consider disabling SMBv1 (which should not cause any problems if you only use currently supported Windows versions).
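The SMBv1 check and disable step recommended above, as an added example that is not part of the diary. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare module, an elevated PowerShell session, and that the client-side sc.exe commands and the SMB1Protocol optional feature name match Microsoft's published guidance (anything still depending on SMBv1, such as old NAS boxes, printers or XP/2003 hosts, loses access once it is off).

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 state, then turn it off on both the server and client side.

function Get-Smb1Status {
    # Server side: does the file server service still accept the SMB1 dialect?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Client side: is the SMB1 redirector service (mrxsmb10) present and set to start?
    $client = Get-CimInstance -ClassName Win32_Service -Filter "Name='mrxsmb10'"
    # Optional feature (Windows 8.1/10 client SKUs); absent on editions that lack it.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled  = $serverEnabled
        ClientSmb1Service  = if ($client) { $client.StartMode } else { 'NotInstalled' }
        Smb1FeatureState   = if ($feature) { $feature.State } else { 'NotApplicable' }
    }
}

function Disable-Smb1 {
    # 1. Server side: stop offering SMB1 to clients (takes effect immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. Client side: drop mrxsmb10 from the workstation dependency chain and disable it
    #    (assumed to match Microsoft KB2696547; requires a reboot to take effect).
    if (Get-CimInstance -ClassName Win32_Service -Filter "Name='mrxsmb10'") {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    # 3. Where the SMB1Protocol optional feature exists, remove the binaries entirely.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Write-Host 'Before:'
Get-Smb1Status | Format-List
Disable-Smb1
Write-Host 'After (client-side change is effective after reboot):'
Get-Smb1Status | Format-List
```

Run Get-Smb1Status on its own first across a sample of hosts to find anything that still negotiates SMB1 before rolling out Disable-Smb1.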
The other two server-related bulletins, MS17-015 for Exchange and MS17-016 for IIS, are more benign in comparison. Both are XSS vulnerabilities and could be used to elevate privileges by running code in an administrator's browser.
Some of the highlights:
Six of the bulletins include vulnerabilities that have either already been made public or that are already being exploited:
MS17-006: One of the Internet Explorer information disclosure vulnerabilities (%%cve:2017-0008%%) has been publicly disclosed in the past. This vulnerability applies to Internet Explorer and Edge (MS17-007).
MS17-007: In addition to %%cve:2017-0008%%, there is a remote code execution vulnerability (%%cve:2017-0037%%) that has been disclosed publicly. There are also three different spoofing vulnerabilities that have been disclosed publicly.
MS17-012: A denial of service vulnerability (%%cve:2017-0016%%) has been publicly disclosed. Microsoft does not list this one as exploited, but an exploit has been publicly available for a bit over a month now. This is the SMB_TREE_CONNECT vulnerability that made quite a few headlines when it was released.
MS17-013: One of the 4 GDI elevation of privilege vulnerabilities (%%cve:2017-0005%%) has already been exploited, but details had not been disclosed publicly.
MS17-017: A privilege escalation vulnerability in the Windows Kernel (%%cve:2017-0050%%) has been publicly disclosed.
MS17-022: The XML Core Services Information Disclosure Vulnerability (%%cve:2017-0022%%) has already been exploited. This exploit would target a client: by getting it to load a malicious XML file, an attacker may learn about the existence of files on the disk.