Feedback & Followups
- 🇺🇦 🇷🇺 To comply with international sanctions on Russia over its invasion and annexation of Ukraine, Apple have removed a major Russian app from VK from all app stores — appleinsider.com/…
Deep Dive — A Pair of Microsoft Exchange Zero-days
If your organisation runs its own Exchange server, it’s time to buy your sysadmin another coffee! ☕️
A pair of zero-day bugs have been found that can be chained together to allow an attacker to turn an Exchange username and password into arbitrary code execution on the Exchange server. Note that if 2FA is enabled, it’s bypassed!
When you log in to a system with 2FA the system first verifies your username and password, and then it runs some code to challenge the user for their second factor. All code is written by humans, and all humans make mistakes, so it’s possible for a bug to sneak into this code that sits between the first and second factors. This is called a mid-authentication vulnerability, and that’s what we’re dealing with here.
What this means is that the vulnerability is nowhere near as catastrophic as it would be if it didn’t require authentication at all, but it’s still a lot worse than you might think at first glance because all an attacker needs to compromise a server is one valid username and password pair. When you think about how many people reuse passwords, how many password breaches there have been, and how many people fall for phishing scams, suddenly having the entire security of your mail infrastructure resting on your weakest username+password combination doesn’t feel so secure after all!
These are true zero-day bugs. They were reported to Microsoft a month ago, and because there is still no fix, the security researcher released some basic details to alert the world to the problem, and Microsoft then released an advisory recommending a temporary workaround while they work on a patch.
Any organisation running their own Exchange server needs to apply the workaround ASAP!
Links
- Microsoft’s Official Advice: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server — msrc-blog.microsoft.com/…
- URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different” — nakedsecurity.sophos.com/…
- Microsoft: Two New 0-Day Flaws in Exchange Server — krebsonsecurity.com/…
❗ Action Alerts
- WhatsApp “zero-day exploit” news scare – what you need to know — nakedsecurity.sophos.com/… (Not zero-days, patched before exploitation, so just make sure you’re patched!)
Worthy Warnings
- 🇦🇺 The large Australian telco Optus has suffered a massive data breach, with 20M records (name, DOB, cellphone number & government-issued ID (serial) number) being stolen by the attackers — nakedsecurity.sophos.com/… (No payment details so biggest threats are ID theft and targeted phishing)
Notable News
- Adware on Google Play and Apple Store installed 13 million times — www.bleepingcomputer.com/… (10 iOS apps, 75 Android apps)
- 🇺🇸 🇮🇷 From Allison: How the CIA failed Iranian spies in its secret war with Tehran — www.reuters.com/…
- Cloudflare have released the first beta of Turnstile, their new free CAPTCHA alternative. For iOS 16 & MacOS 13 Ventura users the experience will be completely seamless because it supports Private Access Tokens — www.cultofmac.com/… & www.macobserver.com/…
- Related: 🎦 WWDC video explaining Private Access Tokens — developer.apple.com/…
Top Tips
- How to build a tech emergency kit — appleinsider.com/…
- How to view and manage compromised passwords on iOS 16 — appleinsider.com/…
- How to use Safety Check in iOS 16, and what it does — appleinsider.com/…
Interesting Insights
- Yet another way iOS is a little safer than Android: Developers are abandoning Android apps, and users may be at risk — appleinsider.com/… (iOS abandoned apps down 29% last quarter because Apple did a big cleanup, while Android up 16%)
Palate Cleansers
- We hit an Asteroid 😀
- 🎦 Video from DART as it raced towards Dimorphos — apod.nasa.gov/…
- The view from LICIACube, DART’s little companion trailing behind — apod.nasa.gov/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |