(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

GarageBand 10.1.6 is released today, fixing an arbitrary code execution bug in Yosemite 10.10 and later (CVE-2017-2374).

There's also a second patch for Logic Pro X 10.3.1. Unfortunately, it's got the text for the GarageBand patch in its notes, so it's not clear what is fixed in this update.

As always, all Apple security patches are hosted here: https://support.apple.com/kb/HT201222

===============
Rob VandenBrink
Compugen

 

Microsoft released the patch for MS17-005 today (the Adobe Flash Player update that ships through Windows Update), to patch a remote code execution vulnerability in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. The MS Bulletin is posted here: https://technet.microsoft.com/en-us/library/security/MS17-005, but is not yet posted on the main feed (https://technet.microsoft.com/en-us/security/bulletins.aspx)

The matching Adobe technote is APSB17-04, found here: https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

This is a remote code execution issue, so it's a definite PATCH NOW issue.

** Update: the Microsoft feed has caught up now with the patch release, https://technet.microsoft.com/en-us/security/bulletins.aspx is now correct.

===============
Rob VandenBrink
Compugen

 
APPLE-SA-2017-02-21-2 Logic Pro X 10.3.1
 

Last week, I was working with a client on a web-filtering solution, using one of their organization's laptops. We happened to notice the long-long-LONG list of SSIDs that were on this machine, many of them open SSIDs. The host we were looking at had the default "dlink" and "linksys" SSIDs set to auto-connect, so not a great situation. Coincidentally, this was the same day Xavier posted his diary about collecting this same information (the SSID list) from live machines (https://isc.sans.edu/forums/diary/How+was+your+stay+at+the+Hotel+La+Playa/22069/). It really seems like people still have a pathological need to connect up to free WiFi.

I got to thinking about how to collect this information in an Active Directory domain using PowerShell. It's quite easy for Windows 10, but not so much for Windows 7 clients. For the older environment case, I ended up falling back to:
    netsh wlan show profiles                      (to get the list of wireless profiles)
    netsh wlan show profiles name=PROFILENAME     (to get the details for the profile PROFILENAME)
Combine that with psexec (because psexec *always* works - well, almost always) and some text manipulation, and you have the code below.
Yes, I do know that this could have been done by pulling everything out of the registry, but in this case perfect is the enemy of done - I had a few clients who wanted this done quickly, and this approach got it done in that quick time frame.

The resulting script will list all wireless profiles across an AD domain. I did have a test connection line in there, but enough organizations have ping disabled now that I took that out.

How to use this information? For most organizations, this is a chance to do some outreach, some end-user education about safer computing. In most cases, this means that we recommend that they tether to their phone rather than connect to random free SSIDs.

In a more security conscious environment, say if it's a bank or if clearances are involved, what this can be used for is a simple audit. In higher security shops, it's more common to see Group Policy used to say "only this short list of SSIDs is permitted", where the list is the organization's real wireless networks, as well as (in some cases) a pre-configured cell phone tethered network.

As always, let us know how this code works out. There are a few errors I'm still trying to suppress, and it can take quite a long time to run this, but the clients that I've used this with have gotten good use out of the information.


The code (recommend PowerShell 4.0 or better; run it from a domain-joined host with the ActiveDirectory module loaded and psexec in the current directory):

    $nodenets = @()
    $domainmembers = Get-ADComputer -Filter *
    foreach ($node in $domainmembers) {
        # list the wireless profiles on the remote host; 2>&1 folds psexec's stderr into the output
        $netlist = iex ("./psexec /accepteula \\" + $node.name + " netsh wlan show profiles") 2>&1 | Select-String -Pattern ":"
        if ((-not $netlist) -or ($netlist -like "*was not found*")) { Write-Host "No Wireless on host" $node.name }
        else {
            Write-Host "Assessing Wireless on host" $node.name
            foreach ($net in $netlist) {
                [console]::Write(".")
                # each profile line looks like "    All User Profile     : PROFILENAME"
                $netprf = ($net -split ": ")[1]
                $cmd = "./psexec /accepteula \\" + $node.name + ' netsh wlan show profiles name="' + $netprf + '"'
                $netparmlist = iex $cmd 2>&1
                # keep only "field : value" lines, dropping the "Applied" and "Profile" header lines
                $netparmlist2 = $netparmlist | Select-String -Pattern ":" | Select-String -Pattern "Applied" -NotMatch | Select-String -Pattern "Profile" -NotMatch
                $x = New-Object psobject
                $x | Add-Member -MemberType NoteProperty -Name "Node" -Value $node.name
                foreach ($parm in $netparmlist2) {
                    # split on the first colon only, so values that themselves contain ":" stay intact
                    $t1 = $parm -split ":", 2
                    $x | Add-Member -MemberType NoteProperty -Name ($t1[0].Trim()) -Value ($t1[1].Trim())
                }
                $nodenets += $x
            }
        }
    }
    $nodenets | Select-Object Node, Name, "Connection Mode", "SSID Name", Authentication, Cipher, "Security Key" | Out-GridView

(watch for updates over the next few days at https://github.com/robvandenbrink/opw )
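As an added example (not part of the original diary or the opw repository), here is the parse-and-audit step done a little more carefully: the output of "netsh wlan show profiles name=..." is split on the first colon only, the quotes netsh puts around the SSID are stripped, and each profile is then checked for the two things the diary cares about (an open network set to auto-connect, and an SSID outside the short list a Group Policy would permit). The function names and the allowlist are my own; the sample netsh output is constructed to mirror the English output format rather than captured from a real host.

```powershell
# Added example, not from the original diary. Parses one profile's
# "netsh wlan show profiles name=<X>" output and audits the result.

function ConvertFrom-NetshProfile {
    # Turn the text lines of one "netsh wlan show profiles name=..." run into an object
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$Node = $env:COMPUTERNAME
    )
    $props = [ordered]@{ Node = $Node }
    foreach ($line in $Lines) {
        # split on the first colon only, so values that contain ':' survive intact
        $parts = $line -split ':', 2
        if ($parts.Count -ne 2) { continue }                               # banner / separator lines
        $name = $parts[0].Trim()
        if (-not $name -or $name -match 'Applied|Profile') { continue }    # same header filter as the diary's script
        $props[$name] = $parts[1].Trim().Trim('"')                         # netsh quotes the SSID name
    }
    [pscustomobject]$props
}

function Test-WlanProfile {
    # Flag the conditions the diary discusses: open auth, auto-connect, and SSIDs outside the allowlist
    param(
        [Parameter(Mandatory)]$WlanProfile,
        [string[]]$AllowedSsids = @()
    )
    $findings = @()
    $ssid = $WlanProfile.'SSID name'
    if ($WlanProfile.Authentication -eq 'Open')                        { $findings += 'open network' }
    if ($WlanProfile.'Connection mode' -like 'Connect automatically*') { $findings += 'auto-connect' }
    if ($AllowedSsids.Count -gt 0 -and $ssid -notin $AllowedSsids)     { $findings += 'not on allowlist' }
    [pscustomobject]@{
        Node     = $WlanProfile.Node
        SSID     = $ssid
        Auth     = $WlanProfile.Authentication
        Findings = $findings -join ', '
    }
}

# Constructed sample: what netsh prints for a default-named open network set to auto-connect
$sampleText = @'
Profile dlink on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : dlink
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Do not switch to other networks

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "dlink"
    Network type           : Infrastructure
    Radio type             : [ Any Radio Type ]

Security settings
-----------------
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent
'@
$sample = $sampleText -split "`r?`n"

# The allowlist is an assumption standing in for the organization's real SSIDs
$allowed = @('CorpWiFi', 'CorpPhoneTether')
$parsed = ConvertFrom-NetshProfile -Lines $sample -Node 'LAPTOP01'
Test-WlanProfile -WlanProfile $parsed -AllowedSsids $allowed | Format-Table -AutoSize
```

Feed ConvertFrom-NetshProfile the same lines the diary's script already pulls back through psexec (or through Invoke-Command where WinRM is enabled) in place of the inner "-split" loop, and you get the same object shape plus a Findings column to sort the grid on. Two caveats: the parser keys on the English field names, so localized Windows builds need their own labels; and resist the temptation to add "key=clear" to the netsh command in the loop, since that would pull every stored PSK in cleartext across the domain into a grid view. Where the goal is enforcement rather than audit, the endpoint-side equivalent of the allowlist is "netsh wlan add filter permission=allow ssid=CorpWiFi networktype=infrastructure" followed by "netsh wlan add filter permission=denyall networktype=infrastructure", which is the same allow/deny list the Wireless Network (IEEE 802.11) Policies GPO exposes under Network Permissions.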


===============
Rob VandenBrink
Compugen


Some five months after Yahoo disclosed a security breach that exposed sensitive data for 500 million accounts, some of its systems remained compromised, according to a report published Tuesday. The report said that in light of the hacks, Verizon would knock $350 million off the price it would pay to acquire Yahoo's Internet business.

"A recent meeting between technical staff of the two companies revealed that some of Yahoo’s systems were compromised and might be difficult to integrate with Verizon’s AOL unit," The Wall Street Journal reported, citing unnamed people. Verizon remains concerned that the breaches may hamper user engagement and in the process make the assets less valuable. Yahoo responded by cutting $350 million from the original $4.83 billion price tag, bringing the deal value to about $4.48 billion. It wasn't clear precisely when the meeting occurred.

In a release issued jointly by Yahoo and Verizon, the companies said neither the breaches nor any losses arising from them will be taken into account in determining whether a "Business Material Adverse Effect" has occurred or whether certain closing conditions have been satisfied. In addition to the $350 million price cut, the companies agreed to split the costs of responding to the breaches.
