Security Bulletin: Latest exploits makes Windows and WordPress updates particularly urgent.
Nerd Cave Security News for January 16th, 2020
A Microsoft "crypto-spoofing" vulnerability allows attackers to make a malicious application look like it is from a trusted source.
An "exploit" is a method of taking advantage of a vulnerability in a program, website or other system in order to make it do something it was not intended to do. For example, a hacker could send a special command to a vulnerable website which gives them access to parts of the website they normally would not have access to.
"Spoofing" is the process of making a malicious process look like a valid and trusted one. For example, a malicious log-in web page can be made to look like a valid log-in page, thus fooling a user to enter their log-in credentials and exposing their password to hackers.
Microsoft's latest "Patch Tuesday" security bulletin noted a vulnerability that would allow an attacker to submit false credentials for a malicious application making it look like it came from a trusted source. The vulnerability was discovered by the U.S. National Security Agency, who informed Microsoft of the issue. In essence, a user could be convinced that an application installation is "okay" and approved for installation when it actually is NOT. There are more specifics regarding this vulnerability, such as, for it to work the user has to be accessing a particular website that takes advantage of this vulnerability.
This vulnerability affects Windows 10 users and Windows Server 2016/2019. Other versions of Windows seem unaffected.
According to Microsoft, the latest updates fix some 50 additional security holes discovered in Windows products.
The recommendation to handle these issues is to make certain your Windows Operating System and other Microsoft products are up-to-date with the latest updates.
WordPress users need to be aware of possible password by-pass flaws in certain plugins.
I've used WordPress often in the past and I know other users that use it as well, so this information goes in the "good-to-know" pile.
WordPress is a software package that can be installed on a website which allows users to post articles, images and other information on that website. The software can be custom installed on a specific website or a user can create an account at [WordPress.com] and utilize the software without using their own website.
In an article released by [Sophos.com], researchers discovered password by-pass flaws in two WordPress plugins. The first plugin allows administrators to manage multiple WordPress sites from the same interface. The second is a backup and staging tool ("staging" allows a user to make changes and experiment with a site without making it available to the public until the site is ready).
Fortunately patches were released to fix the issue within a day of being informed about it. So naturally, users of this software should update as soon as possible.
On a more positive note:
If you're an older Windows aficionado and don't much care for the new Windows 10 Settings panel, you can access the old-school control panel pretty easily. For details on how to do this check out my video on the [Classic Control Panel] for Windows 10.
If you're interested in more videos and tutorials, check out the [Nerd Cave Video Page].
If you need computer service feel free to call. Aside from repair and web development, I offer basic maintenance services which include:
- Checking for slow start-up programs.
- Removing unwanted background programs that could be slowing down your computer.
- Virus and malware scanning.
- Making sure effective Anti-Virus software is installed and working.
- Scanning for a corrupt file system that could lead to damaged or missing files in the future.
- Checking for possible hardware upgrades that could improve PC performance.
Jeffrey Cobb (Owner/Operator)