Security Alerts & News
by Tymoteusz A. Góral

#2219 OWASP Top 10 - 2017 RC1 - the ten most critical web application security risks (PDF)
Welcome to the OWASP Top 10 2017! This major update adds two new vulnerability categories for the first time: (1) Insufficient Attack Detection and Prevention and (2) Underprotected APIs. We made room for these two new categories by merging the two access control categories (2013-A4 and 2013-A7) back into Broken Access Control (which is what they were called in the OWASP Top 10 - 2004), and dropping 2013-A10: Unvalidated Redirects and Forwards, which was added to the Top 10 in 2010.

The OWASP Top 10 for 2017 is based primarily on 11 large datasets from firms that specialize in application security, including 8 consulting companies and 3 product vendors. This data spans vulnerabilities gathered from hundreds of organizations and over 50,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.
#2218 Android O no! Android O causes problems for mobile ransomware developers
The first developer preview of Google’s latest mobile operating system, Android O, has been released. As usual, the newest version of Android has several new features and updates. One of those updates has a direct impact on many Android ransomware threats.

Android ransomware using system-type windows (overlay windows drawn above every other app, which lockers use to cover the screen) will no longer work on devices running Google’s latest mobile operating system, even if the relevant permission has been granted by the device’s user.
#2217 Five inmates built two PCs and hacked a prison from within
Five inmates from the Marion Correctional Institution (MCI) built two computers from spare parts, hid them in the ceiling of a training room closet, and used them to hack into the prison's network.

Their actions were discovered in July 2015, when the prison's IT staff switched internal proxy servers from Microsoft to WebSense (now part of Forcepoint).

These servers, designed to monitor and report suspicious traffic, immediately started reporting issues.
#2216 Microsoft kills off security bulletins after several stays
Microsoft this week retired the security bulletins that for nearly two decades have described each month's slate of vulnerabilities and accompanying patches for customers, especially administrators responsible for companies' IT operations, replacing them with the Security Update Guide portal.

One patch expert reported on the change for his team. "It was like trying to relearn how to walk, run and ride a bike, all at the same time," said Chris Goettl, product manager with patch management vendor Ivanti.
#2215 CVE-2017-0199 Used as 0day to distribute FINSPY espionage malware and LATENTBOT malware
FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the technical details of this vulnerability as soon as a patch was made available.

In this follow-up post, we discuss some of the campaigns we observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months leading up to the patch being released.
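As an added example (not code from FireEye's post or from this page), the triage script below shows how a responder can screen RTF attachments for the object shape these campaigns relied on: a linked OLE object (`\objautlink`) marked for refresh on open (`\objupdate`) whose hex-encoded `\objdata` carries the `OLE2Link` class name and a remote URL. Those control words and the `OLE2Link` marker are publicly documented characteristics of CVE-2017-0199 samples; the sample document, its OLE header layout and the `example.invalid` URL are constructed here for illustration and are not from any real sample.

```python
import re

# Hex blob that follows an \objdata control word inside an RTF object group.
OBJDATA_RE = re.compile(r"\\objdata\b\s*([0-9A-Fa-f\s]+)")
# URLs stored as plain ASCII or as UTF-16LE (the form a URL moniker uses).
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def scan_rtf(rtf: str) -> list:
    """Return one finding per embedded object found in the RTF text."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        # Control words between the enclosing \object and this \objdata tell
        # whether Word will refresh the link (\objupdate) when the file opens.
        obj_start = rtf.rfind("\\object", 0, m.start())
        header = rtf[max(obj_start, 0):m.start()]
        hexdata = re.sub(r"\s+", "", m.group(1))
        blob = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2])
        urls = [u.decode("ascii") for u in URL_ASCII_RE.findall(blob)]
        urls += [u.decode("utf-16-le") for u in URL_UTF16_RE.findall(blob)]
        finding = {
            "ole2link": b"OLE2Link" in blob,
            "auto_link": "\\objautlink" in header,
            "auto_update": "\\objupdate" in header,
            "urls": urls,
        }
        # A linked OLE2Link object that auto-updates and points at a remote
        # resource is the shape worth escalating; a static embedded object is not.
        finding["suspicious"] = (
            finding["ole2link"] and finding["auto_update"] and bool(urls)
        )
        findings.append(finding)
    return findings


def build_sample() -> str:
    """Constructed test document (not a real exploit): one linked object whose
    data carries the OLE2Link marker and a UTF-16LE URL, hex-encoded as RTF does."""
    obj = (
        b"\x01\x05\x00\x00"                 # OLE1 header version (approximation)
        b"\x02\x00\x00\x00"                 # format id (approximation)
        b"\x09\x00\x00\x00OLE2Link\x00"     # class name, as real samples carry it
        + b"\x00" * 8                       # padding standing in for moniker fields
        + "http://example.invalid/update.hta".encode("utf-16-le")
        + b"\x00\x00"
    )
    return ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + obj.hex() + "}}}")


if __name__ == "__main__":
    for f in scan_rtf(build_sample()):
        print(f)
```

Run it against a suspect `.rtf` by reading the file as text and passing it to `scan_rtf`; the script only classifies the document structure and extracts the link target, it does not fetch the URL or handle the second-stage script the post describes.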