In an already troubled year for Symantec, the company reported another major vulnerability in three of its enterprise security products.

Found in the IT Management Suite 8.0, Ghost Solution Suite 3.1 and Endpoint Virtualization 7.x products, the flaw is a dynamic link library (DLL) loading issue that can be exploited in two different ways. First, an "authorized, but nonprivileged" user could execute malicious DLL code in place of the authorized DLL code. The second way to exploit this DLL code flaw is for outside attackers to trick an authorized user to click on an email link that would download the malicious code. "Ultimately, this problem is caused by a failure to use an absolute path when loading DLLs during product boot up/reboot," Symantec said in its security advisory.
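The root cause Symantec describes, modelled in Python as an added example (not Symantec's code): a relative DLL name is resolved from the first matching directory in the loader's search order, so any directory consulted before the legitimate copy that non-privileged users can write to decides which file loads, whereas an absolute path skips the search entirely. The directory layout, the `helper.dll` name and the simplified search order are constructed for the illustration.

```python
import os
import tempfile


def search_order(app_dir, system_dir, cwd, path_dirs):
    """Simplified Windows SafeDllSearchMode order (assumption: the model takes
    the first directory holding a file of the requested name, like the loader)."""
    return [app_dir, system_dir, cwd, *path_dirs]


def resolve_dll(name, app_dir, system_dir, cwd, path_dirs):
    """Return the file the loader would pick for `name`, or None."""
    if os.path.isabs(name):                 # absolute path: no search at all
        return name if os.path.isfile(name) else None
    for d in search_order(app_dir, system_dir, cwd, path_dirs):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def risky_dirs(name, legit_path, app_dir, system_dir, cwd, path_dirs):
    """Directories consulted before the legitimate copy that other users can
    write to (the POSIX world-writable bit stands in for a weak Windows ACL)."""
    found = []
    for d in search_order(app_dir, system_dir, cwd, path_dirs):
        if os.path.join(d, name) == legit_path:
            break
        if os.path.isdir(d) and os.stat(d).st_mode & 0o002:
            found.append(d)
    return found


def build_demo():
    """Constructed layout: the real helper.dll lives in the system directory,
    while the product's install directory is writable by everyone."""
    root = tempfile.mkdtemp()
    app, system, cwd = (os.path.join(root, n) for n in ("app", "system32", "cwd"))
    for d in (app, system, cwd):
        os.mkdir(d)
    os.chmod(app, 0o777)                     # the weak ACL on the install directory
    legit = os.path.join(system, "helper.dll")
    open(legit, "w").close()
    before = resolve_dll("helper.dll", app, system, cwd, [])   # nothing planted yet
    open(os.path.join(app, "helper.dll"), "w").close()         # same-named file planted
    after = resolve_dll("helper.dll", app, system, cwd, [])    # relative name: planted copy wins
    absolute = resolve_dll(legit, app, system, cwd, [])        # the fix: absolute path
    return {"legit": legit, "before": before, "after": after, "absolute": absolute,
            "risky_dirs": risky_dirs("helper.dll", legit, app, system, cwd, [])}


if __name__ == "__main__":
    print(build_demo())
```

The `risky_dirs` audit is the check a defender wants: with the relative name, the world-writable install directory is the only place a planted copy could win, and an absolute path makes that directory irrelevant.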

While DLL code vulnerabilities are common and thought to be a lesser threat to enterprises, Symantec rated this vulnerability as high severity. Symantec has not reported any actual exploitation of this vulnerability and has already released product upgrades that will fix the issue for all three products.

However, the discovery of this flaw, listed as CVE-2016-6590, is the latest in a growing line of Symantec security product vulnerabilities found this year. While the DLL flaw was unearthed by Himanshu Mehta, senior threat analysis engineer at Symantec, the three prior batches of flaws were reported by Google Project Zero's Tavis Ormandy.

The previous flaws include an easily exploitable one in the core scanning engine used in most Symantec and Norton antivirus products, as well as a vulnerability -- found just weeks after the first -- caused by unpatched, third-party open source software that Ormandy said was "as bad as it gets." The most recent set of Symantec bugs was in the file parser component of its antivirus decomposer engine.

In its vulnerability report for the DLL flaw, Symantec recommended several best practices for users of the affected products to reduce the threat, including restricting access to administrative or management systems to authorized privileged users, implementing the principle of least privilege and restricting remote access to only authorized systems.

In other news:

  • A gamer seeking revenge might be responsible for the Oct. 21 attack on domain name system provider Dyn that shut down parts of the internet. In his testimony for a House Energy and Commerce Committee hearing, Level 3 Communications Inc. CSO Dale Drew said the attack was likely the work of a single individual who was specifically targeting the PlayStation Network. "We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge," Drew said. The attack used the Mirai malware to launch a distributed denial-of-service attack and gain control over more than 150,000 internet-of-things devices and overwhelm Dyn's systems, which interrupted service to major websites, such as Twitter, Reddit and Netflix.
  • United States Director of National Intelligence James Clapper submitted his letter of resignation on Nov. 16. Clapper oversees 17 different agencies, including the CIA, FBI and National Security Agency, and he is the lead intelligence adviser to President Barack Obama. Clapper -- who is 75 years old and has held the position for six years -- announced his decision to resign in a Congressional hearing, and the Office of the DNI confirmed it on Twitter the following morning. Clapper was a central figure in the debate over government surveillance following the Edward Snowden revelations. He received criticism from lawmakers, security experts and privacy advocates for testifying before Congress in 2013 about the NSA's spying programs, claiming the agency did not engage in bulk data collection on millions of Americans. Clapper's resignation goes into effect at noon on Jan. 20, 2017.
  • Gavin Andresen, chief scientist at the Bitcoin Foundation, has regrets about getting involved in Craig Wright's attempts to prove he created the digital currency bitcoin. Andresen backed Wright's claim to be the mysterious Satoshi Nakamoto -- which he has failed to prove on multiple occasions -- and even defended Wright after his claims were debunked. Andresen has kept a relatively low profile since Wright's last failure six months ago, but posted a brief statement on his blog on Nov. 16. "So, either he was or he wasn't," Andresen wrote on whether or not Wright is Satoshi. "In either case, we should ignore him. I regret ever getting involved in the 'who was Satoshi' game, and am going to spend my time on more fun and productive pursuits."
  • The ransomware known as Crysis suffered a blow Nov. 13, when the master decryption keys were made available to the public after being posted on BleepingComputer forums. Crysis first surfaced in February 2016 when ESET researchers found it was filling in for the receding TeslaCrypt ransomware. According to ESET's report, Crysis is able to "encrypt files on fixed, removable and network drives. It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time." This ransomware was spread primarily through attachments to spam emails, but now its victims have an opportunity to recover what they've lost. The decryption keys -- posted by a BleepingComputer user known only as crss7777 -- cover Crysis versions 2 and 3, and Kaspersky Lab has already added them to the Rakhni decryptor.


SearchSecurity: Security Wire Daily News

Internet giant Google has signed up to the Privacy Shield, a framework designed to facilitate the transfer of personal data between the EU and US by businesses.

Data storage and software provider Dropbox has also self-certified under the Privacy Shield. The companies are the latest major US technology businesses to sign up to the scheme. Google's certification was registered on 22 September and Dropbox's on 23 September.

Microsoft self-certified under the Privacy Shield in August. Amazon also announced that it was in the process of self-certifying last month, but it appears that it has still to complete that process as its certification is not yet listed.

Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield.

Data protection law expert Cerys Wyn Davies of Pinsent Masons, the law firm behind, previously explained that businesses that sign up to the Privacy Shield within the first two months of it becoming operational can do so without first having to update arrangements for sharing data with others. Wyn Davies said, though, that those businesses then only have a limited time in which to put new contracts in place.

The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA).

However, Hamburg's data protection authority has said it is considering raising a legal challenge against the European Commission's endorsement of the Privacy Shield.

Earlier this summer the Article 29 Working Party, a committee representing national data protection authorities from across the EU, stated that it retains some concern about aspects of the Privacy Shield, including in respect of "mass and indiscriminate collection of personal data" by US authorities as well as on some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to [data] processors".

Despite its concerns, however, the Working Party indicated that the watchdogs will not challenge the legitimacy of data transfer arrangements under the new Privacy Shield during the first year of its operation.

Copyright © 2016, is part of international law firm Pinsent Masons.


The Register - Security

Another month means another double bundle of security vulnerability patches for Android.

Google is sticking to the twin-release pattern it used last month: the first batch addresses flaws in Android's system-level software that everyone should install, and the second squashes bugs in hardware drivers and kernel-level code that not everyone needs.

The first patch set closes holes in Android 4.4.4 to the current build. Owners of Nexus gear will get these patches over-the-air very soon; everyone else will have to wait for their gadget makers and cellphone networks to issue them.

These holes include programming blunders in Mediaserver that can be exploited by a specially crafted MMS or an in-browser media file to potentially execute malicious code on a device. Getting a bad text or visiting an evil webpage could be enough to slip spyware onto your device, provided it is able to defeat ASLR and other defense mechanisms.

Mediaserver has other bugs, including four elevation-of-privileges holes allowing installed apps to gain more control of a device than they should, and code cockups that can crash a handheld.

The remaining patches address information leakages in the Wi-Fi, camera, SurfaceFlinger and Mediaserver code, and OpenSSL, all of which can be abused by installed apps to "access sensitive data without permission." The full list is here:

| Issue | CVE | Severity | Affects Nexus? |
| --- | --- | --- | --- |
| Remote code execution vulnerability in Mediaserver | CVE-2016-3819, CVE-2016-3820, CVE-2016-3821 | Critical | Yes |
| Remote code execution vulnerability in libjhead | CVE-2016-3822 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830 | High | Yes |
| Denial of service vulnerability in system clock | CVE-2016-3831 | High | Yes |
| Elevation of privilege vulnerability in framework APIs | CVE-2016-3832 | Moderate | Yes |
| Elevation of privilege vulnerability in Shell | CVE-2016-3833 | Moderate | Yes |
| Information disclosure vulnerability in OpenSSL | CVE-2016-2842 | Moderate | Yes |
| Information disclosure vulnerability in camera APIs | CVE-2016-3834 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2016-3835 | Moderate | Yes |
| Information disclosure vulnerability in SurfaceFlinger | CVE-2016-3836 | Moderate | Yes |
| Information disclosure vulnerability in Wi-Fi | CVE-2016-3837 | Moderate | Yes |
| Denial of service vulnerability in system UI | CVE-2016-3838 | Moderate | Yes |
| Denial of service vulnerability in Bluetooth | CVE-2016-3839 | Moderate | Yes |

The second patch bundle contains fixes for driver-level code, and whether or not you need each of them depends on your hardware: if you have a chipset that introduces one of these vulnerabilities, you'll need to install a fix.

Nexus owners will get these automatically as necessary; other phone and tablet manufacturers may roll them out as and when they feel ready. That could be never in some cases.

The bundle predominantly fixes problems with Qualcomm's driver software – Qualy is a dominant phone system-on-chip designer, and its Snapdragon SoCs are used all over the place. These Qualcomm bugs are definitely ones to watch, as these kinds of low-level flaws were used to blow apart Android's full-disk encryption system last month.

The patches include fixes for Qualcomm's bootloader, and Qualcomm drivers for cameras, networking, sound, and video hardware. A malicious app on a Qualcomm-powered phone or tablet could exploit these to gain kernel-level access – completely hijacking the device, in other words. An app could use these holes to root a Nexus 5, 5X, 6, 6P and 7 so badly it would need a complete factory reset to undo the damage.

Other bugs fixed in this batch can be exploited by malicious applications on Qualcomm-powered devices to access "sensitive data without explicit user permission." The full list is below:

| Issue | CVE | Severity | Affects Nexus? |
| --- | --- | --- | --- |
| Remote code execution vulnerability in Qualcomm Wi‑Fi driver | CVE-2014-9902 | Critical | Yes |
| Remote code execution vulnerability in Conscrypt | CVE-2016-3840 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm components | CVE-2014-9863, CVE-2014-9864, CVE-2014-9865, CVE-2014-9866, CVE-2014-9867, CVE-2014-9868, CVE-2014-9869, CVE-2014-9870, CVE-2014-9871, CVE-2014-9872, CVE-2014-9873, CVE-2014-9874, CVE-2014-9875, CVE-2014-9876, CVE-2014-9877, CVE-2014-9878, CVE-2014-9879, CVE-2014-9880, CVE-2014-9881, CVE-2014-9882, CVE-2014-9883, CVE-2014-9884, CVE-2014-9885, CVE-2014-9886, CVE-2014-9887, CVE-2014-9888, CVE-2014-9889, CVE-2014-9890, CVE-2014-9891, CVE-2015-8937, CVE-2015-8938, CVE-2015-8939, CVE-2015-8940, CVE-2015-8941, CVE-2015-8942, CVE-2015-8943 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking component | CVE-2015-2686, CVE-2016-3841 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-2504, CVE-2016-3842 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm performance component | CVE-2016-3843 | Critical | Yes |
| Elevation of privilege vulnerability in kernel | CVE-2016-3857 | Critical | Yes |
| Elevation of privilege vulnerability in kernel memory system | CVE-2015-1593, CVE-2016-3672 | High | Yes |
| Elevation of privilege vulnerability in kernel sound component | CVE-2016-2544, CVE-2016-2546, CVE-2014-9904 | High | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2012-6701 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2016-3844 | High | Yes |
| Elevation of privilege vulnerability in kernel video driver | CVE-2016-3845 | High | Yes |
| Elevation of privilege vulnerability in Serial Peripheral Interface driver | CVE-2016-3846 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA media driver | CVE-2016-3847, CVE-2016-3848 | High | Yes |
| Elevation of privilege vulnerability in ION driver | CVE-2016-3849 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm bootloader | CVE-2016-3850 | High | Yes |
| Elevation of privilege vulnerability in kernel performance subsystem | CVE-2016-3843 | High | Yes |
| Elevation of privilege vulnerability in LG Electronics bootloader | CVE-2016-3851 | High | Yes |
| Information disclosure vulnerability in Qualcomm components | CVE-2014-9892, CVE-2014-9893, CVE-2014-9894, CVE-2014-9895, CVE-2014-9896, CVE-2014-9897, CVE-2014-9898, CVE-2014-9899, CVE-2014-9900, CVE-2015-8944 | High | Yes |
| Information disclosure vulnerability in kernel scheduler | CVE-2014-9903 | High | Yes |
| Information disclosure vulnerability in MediaTek Wi-Fi driver | CVE-2016-3852 | High | Yes |
| Information disclosure vulnerability in USB driver | CVE-2016-4482 | High | Yes |
| Denial of service vulnerability in Qualcomm components | CVE-2014-9901 | High | Yes |
| Elevation of privilege vulnerability in Google Play services | CVE-2016-3853 | Moderate | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2016-2497 | Moderate | Yes |
| Information disclosure vulnerability in kernel networking component | CVE-2016-4578 | Moderate | Yes |
| Information disclosure vulnerability in kernel sound component | CVE-2016-4569, CVE-2016-4578 | Moderate | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-3854, CVE-2016-3855, CVE-2016-3856 | High | No |

Based on past experience, Nexus users are going to get both sets of patches within the next seven days. Other Android users may have to wait an awful lot longer. ®


The Register - Security

In January I posted Why a War Studies PhD? I recently decided to revise my title and abstract to include attention to both offensive and defensive aspects of intrusion campaigns.

I thought some readers might be interested in reading about my current plans for the thesis, which I plan to finish and defend in early 2018.

The following offers the title and abstract for the thesis.

Network Intrusion Campaigns: Operational Art in Cyberspace 

Campaigns, Not Duels: The Operational Art of Cyber Intrusions*

Intruders appear to have the upper hand in cyberspace, eroding users' trust in networked organizations and the data that is their lifeblood. Three assumptions prevail in the literature and mainstream discussion of digital intrusions. Distilled, these assumptions are that attacks occur at blinding speed with immediate consequences, that victims are essentially negligent, and that offensive initiative dominates defensive reaction. 

This thesis examines these assumptions through two research questions. First, what characterizes network intrusions at different levels of war? Second, what role does operational art play in network intrusion campaigns? 

By analyzing incident reports and public cases, the thesis refutes the assumptions and leverages the results to improve strategy.

The thesis reveals that strategically significant attacks are generally not "speed-of-light" events that offer little chance for recovery. Digital defenders are hampered by a range of constraints that reduce their effectiveness while simultaneously confronting intruders who lack such restrictions. Offense does not necessarily overpower defense, constraints notwithstanding, so long as the defenders conduct proper counter-intrusion campaigns.

The thesis structure offers an introduction to the subject, and an understanding of cybersecurity challenges and trade-offs. It reviews the nature of digital intrusions and the levels of war, analyzing the interactions at the levels of tools/tactics/technical details, operations and campaigns, and strategy and policy. The thesis continues by introducing historical operational art, applying lessons from operational art to network intrusions, and applying lessons from network intrusions to operational art. The thesis concludes by analyzing the limitations of operational art in evolving digital environments.

*See the post Updated PhD Thesis Title for details on the new title.