Critical Vulnerability Discovered in IIS 6.0 Web Services
A serious vulnerability in Microsoft Internet Information Server (IIS) 6.0 was publicized last week when someone posted proof-of-concept exploit code to GitHub. The vulnerability was apparently known to some hacker groups previously, and has been exploited in attacks since last summer, but its existence was not well-known and the ability to exploit it was not widespread. IIS 6.0 runs on Windows 2003 Server, which is no longer supported by Microsoft, so no patch for this flaw is expected to be released. Still, there are hundreds of thousands of publicly-accessible websites still running on IIS 6.0, so this is a serious issue.
Since virtual computing technology was popularized in the 2000s, the greatest security concern has been the possibility of "virtual machine escape": the ability for an intruder to access one virtual machine from another, or to access the host layer from a virtual machine, via the virtualization platform rather than through the virtualized network. This would provide an attack route unique to virtualized environments that does not exist in conventional networks of physically separate computers. While this has been a fear for a long time, few practical exploits of this type have been developed. During this year's "Pwn2Own" contest, hackers discovered vulnerabilities in several VMware products that may constitute the most serious virtual machine escape vulnerabilities to date. The vulnerabilities, CVE-2017-4902 and CVE-2017-4903, are found in VMware's flagship ESXi product, as well as their desktop virtualization products, VMware Workstation/Player and Fusion (for PCs and Macs, respectively). VMware promptly issued updates to fix the issues. Organizations are advised to upgrade to version 12.5.5 (8.5.6 for Fusion) as soon as possible. Given the centrality of ESXi in many organizations, testing prior to a full upgrade is recommended.
Last Monday (March 20th), Google's Project Zero researchers reported to LastPass some serious vulnerabilities that could have allowed attackers to steal users' passwords or possibly even run malicious code on their machines. The vulnerabilities were in the browser plug-ins that allow LastPass to automatically fill users' passwords into the blanks on web pages.
In continuing fallout from a controversy that began in the fall of 2015, Google is taking action in its popular Chrome browser to limit the trust given to certificates issued by Symantec's commercial certificate authorities, principally purchased from Verisign in 2010. Google's action means that Symantec-issued certificates will immediately no longer be recognized as extended-validation certificates, even if they were originally issued as such (extended-validation certificates are intended to denote a higher degree of trustworthiness). The "maximum age" of Symantec-issued certificates will also be limited, so that they cease to be trusted at the end of 2019, regardless of the expiration date on the certificates themselves. These actions are promising in that at least one browser maker is truly holding a major certificate authority responsible for failing to properly secure the certificate-issuance process; without that type of accountability, the entire certificate authority system is of little use.
Google issued their annual report on Android security, and it is very much a mixed bag. The good news is that security updates are being issued and installed in a much more timely fashion than in the past. The bad news is that this applies only to about half of deployed devices. Ultimately, if you want to run Android, and do so securely, your best bet is a Google-branded device (currently their Pixel phones). Google has committed to release security updates for these devices as soon as they are available. Samsung is the next best bet, as they have redoubled their efforts to issue timely updates, and are generally updating within a month. Google's report also says that malware is making its way into the official store less frequently than in the past, so in either case ensuring that applications are installed only from the official Google Play store is essential. A few bad apps continue to slip in there, but the vast majority of Android exploits and malware have come through other installation routes.