Last May, Ars reported that a critical vulnerability in a widely used image-processing application left a huge number of websites open to attacks that allowed hackers to execute malicious code on the underlying servers. More than five months later, Facebook paid a $40,000 bounty after discovering it was among those at risk.

On Tuesday, researcher Andrey Leonov said he was able to exploit the vulnerability in the ImageMagick application by using a tunneling technique based on the domain name system that bypassed Facebook firewalls. The firewalls had successfully protected against his earlier exploit attempts. Large numbers of websites use ImageMagick to quickly resize images uploaded by users.

"I am glad to be the one of those who broke the Facebook," Leonov wrote in a blog post that gave a blow-by-blow account of how he exploited the ImageMagick vulnerability. Two days after the researcher privately shared the exploit with Facebook security personnel, they patched their systems. Ten days after that, they paid Leonov $40,000, one of the biggest bounties Facebook has ever paid.

=============== Rob VandenBrink Metafore

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

A newly discovered family of Mac malware has been conducting detailed surveillance on targeted networks, possibly for more than two years, a researcher reported Wednesday.

The malware, which a recent Mac OS update released by Apple detects as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the Yosemite release of OS X in October 2014. It's still unclear how machines get infected.

"The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac," Thomas Reed, director of Mac offerings at Malwarebytes, wrote in the post. "This led to the discovery of a piece of malware unlike anything I've seen before, which appears to have actually been in existence, undetected for some time, and which seems to be targeting biomedical research centers."

Microsoft regards Windows 10 as the most secure version of Windows out of the box, and I do have to agree that's the case.

Which is all well and good, but the question that folks seem to continually ask me is some version of "How can I reduce how much personal information I send to Microsoft?" Or in other words - why is Windows 10 creeping me out, and how do I dial back that creep factor?

I've put a short list together of various features that people might consider to be at the "big brother" end of the spectrum, and how to script your way out of them - and yes, you knew there'd be PowerShell involved! Note that if you are looking to disable these features in an Active Directory domain, these settings are all front-and-center in Group Policy, so they are easily updated centrally.

First, let's look at Windows Telemetry. This is basic information on what applications run, search information, Cortana activity, gaming patterns and so on. Specific search terms aren't sent, but for me this is well into creep territory anyway. The resulting information gets sent to Microsoft, and they do resell it after it's anonymized. But it's not all bad - a very complete description of what telemetry does can be found here, and a privacy-specific discussion can be found here. The Microsoft page covers the GUI adjustments for this, or changing three registry keys kills that datastream (PowerShell commands shown). Note that telemetry can also be controlled in Group Policy under Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds. In PowerShell:
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection -Name AllowTelemetry -Type DWord -Value 0
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection -Name AllowTelemetry -Type DWord -Value 0
Set-ItemProperty -Path HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection -Name AllowTelemetry -Type DWord -Value 0

SmartScreen Filter has a solid business use - it monitors your browser activity, and will give you a warning or block if you browse to known malicious sites, phishing or otherwise suspicious sites, or if you are downloading known malicious files. More info on this service can be found here and here.

This sounds great, except that Microsoft is pretty cagey about how this works and what data is sent where - from most of their docs it's not clear if your activity is sent to them, or if they download a database of malicious sites to you. Since that malicious-sites database never shows up in Windows Update, I know where I land on this question. All that being said, it *is* a useful feature, especially if you are in the "support friends and family" role. Since I don't generally use IE or Edge, this isn't a setting I normally worry about on my own gear. If you do want to disable this, it's a toggle in Privacy Settings, or under Control Panel / Internet Properties / Advanced / Enable SmartScreen Filter. In Group Policy: Computer Configuration\Administrative Templates\Windows Components\File Explorer. In PowerShell:
Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer -Name SmartScreenEnabled -Type String -Value Off
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost -Name EnableWebContentEvaluation -Type DWord -Value 0

Wi-Fi Sense connects you to open hotspots that are greenlighted through crowdsourcing. This setting is disabled in current versions of Windows (Anniversary Edition or newer) - if you have not updated, today is a good day to do that! If for some reason you can't, more information on the various levels of trust you might have in this can be found here. For me, what crowdsourcing equates to is the mom-proverb "if all of your friends jumped off a bridge ...." - yes, your mom was right.

To disable this feature in Group Policy, go to Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings and set each of these to Disabled: "Allow Windows to automatically connect to suggested open hotspots", "Allow Windows to automatically connect to networks shared by contacts", and "Allow Windows to automatically connect to hotspots offering paid services". In PowerShell:
Set-ItemProperty -Path HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting -Name Value -Type DWord -Value 0
Set-ItemProperty -Path HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots -Name Value -Type DWord -Value 0
(Note: these keys may not be present, so you should check that the key exists before setting the value.)

Searching the Start menu seems like an innocuous thing, except that Microsoft pairs it with search suggestions, which means that this is part of the telemetry stream as well. In Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Search; set "Don't search the web or display web results in Search" to Enabled. In PowerShell:
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Search -Name BingSearchEnabled -Type DWord -Value 0
Set-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager -Name SystemPaneSuggestionsEnabled -Type DWord -Value 0

Cortana is a cool thing, and is just as useful as Siri and Echo, but your interactions are processed in the cloud. Because of this, we're starting to see noise about voice systems such as Siri, Echo and Cortana having interactions subpoenaed in criminal cases. In Group Policy: Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana, set to Disabled. In PowerShell (the path contains a space, so it must be quoted):
Set-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name AllowCortana -Type DWord -Value 0

Location tracking? Great if you're asking "how far do I need to walk for donuts" or "help, I'm almost out of gas", but otherwise maybe not so much. I'd like to see this enabled app by app (as iOS does); Windows makes a start at this, but in Windows there are only 5 granular picks for this, one being App Connector (which looks like it means "any other app not listed"). In Group Policy: Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location, set to Disabled. In PowerShell (the first path contains a space, so it must be quoted):
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name SensorPermissionState -Type DWord -Value 0
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration -Name Status -Type DWord -Value 0

Windows Feedback is more of an annoyance feature; it's more or less a periodic pop-up "How is Microsoft doing today?" survey. In a corporate setting especially, you'll likely look on this as a productivity-eater, plus people will confuse things and think that they're providing feedback to your internal IT group rather than Microsoft.

In the UI, under Settings / Privacy / Feedback or Settings / System / Notifications and Actions / Windows Feedback, you can adjust the frequency or turn this off. In Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds. In PowerShell:
Set-ItemProperty -Path HKCU:\Software\Microsoft\Siuf\Rules -Name NumberOfSIUFInPeriod -Type DWord -Value 0
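Pulling the registry tweaks above into one script: this is an added example (my code, not part of the diary) that audits each setting and, with -Apply, writes only the ones that are out of compliance, creating any missing key first so Set-ItemProperty does not fail the way the Wi-Fi Sense note warns. The paths, value names and values are the ones listed in the diary; the function names are mine.

```powershell
# Added example (not the diary's own code): audit the registry settings listed
# above and, with -Apply, enforce them. Missing keys are created first, because
# Set-ItemProperty fails on a key that does not exist. Run elevated for HKLM.
$Settings = @(
    @{ Area='Telemetry';   Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';                    Name='AllowTelemetry';               Type='DWord';  Value=0 }
    @{ Area='Telemetry';   Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection';     Name='AllowTelemetry';               Type='DWord';  Value=0 }
    @{ Area='SmartScreen'; Path='HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer';                     Name='SmartScreenEnabled';           Type='String'; Value='Off' }
    @{ Area='SmartScreen'; Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost';                      Name='EnableWebContentEvaluation';   Type='DWord';  Value=0 }
    @{ Area='WiFiSense';   Path='HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting'; Name='Value';                      Type='DWord';  Value=0 }
    @{ Area='WiFiSense';   Path='HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots'; Name='Value';            Type='DWord';  Value=0 }
    @{ Area='Search';      Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Search';                       Name='BingSearchEnabled';            Type='DWord';  Value=0 }
    @{ Area='Search';      Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager';       Name='SystemPaneSuggestionsEnabled'; Type='DWord';  Value=0 }
    @{ Area='Cortana';     Path='HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';                      Name='AllowCortana';                 Type='DWord';  Value=0 }
    @{ Area='Location';    Path='HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration';          Name='Status';                       Type='DWord';  Value=0 }
    @{ Area='Feedback';    Path='HKCU:\Software\Microsoft\Siuf\Rules';                                         Name='NumberOfSIUFInPeriod';         Type='DWord';  Value=0 }
)

function Get-PrivacySetting {
    param([hashtable]$S)
    # Current value, or $null when the key or value is absent (e.g. the Wi-Fi Sense keys).
    $current = $null
    if (Test-Path -LiteralPath $S.Path) {
        $item = Get-ItemProperty -LiteralPath $S.Path -Name $S.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($S.Name) }
    }
    [pscustomobject]@{
        Area = $S.Area; Path = $S.Path; Name = $S.Name; Desired = $S.Value; Current = $current
        Compliant = ($null -ne $current -and "$current" -eq "$($S.Value)")
    }
}
function Set-PrivacySetting {
    [CmdletBinding(SupportsShouldProcess)]   # supports -WhatIf for a dry run
    param([hashtable]$S)
    if ($PSCmdlet.ShouldProcess("$($S.Path) : $($S.Name)", "Set to $($S.Value)")) {
        if (-not (Test-Path -LiteralPath $S.Path)) { New-Item -Path $S.Path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $S.Path -Name $S.Name -Type $S.Type -Value $S.Value
    }
}
function Invoke-PrivacyAudit {
    param([switch]$Apply)
    foreach ($s in $Settings) {
        $state = Get-PrivacySetting $s
        if ($Apply -and -not $state.Compliant) { Set-PrivacySetting $s; $state = Get-PrivacySetting $s }
        $state
    }
}
Invoke-PrivacyAudit | Format-Table Area, Name, Desired, Current, Compliant -AutoSize   # audit only; add -Apply to enforce
```

The Wow6432Node telemetry key from the first section is omitted from the table because it is only relevant on 64-bit installs with 32-bit policy readers; add it as another row if you want it enforced.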

These settings cover the adjustments I normally set - have I missed any that you might consider important? Please use our comment form to add any settings you enable or disable.

Rob VandenBrink

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.