Security Newsletter

16 April 2018

Warning: Your Windows PC Can Get Hacked by Just Visiting a Site

Can you get hacked just by clicking on a malicious link or opening a website? — YES.

Microsoft has just released its April month's Patch Tuesday security updates, which addresses multiple critical vulnerabilities in its Windows operating systems and other products, five of which could allow an attacker to hack your computer by just tricking you visit a website.

An attacker can exploit these issues by tricking an unsuspecting user to open a malicious file or a specially crafted website with the malicious font, which if open in a web browser, would hand over control of the affected system to the attacker.

Windows Microsoft Graphics is also affected by a denial of service vulnerability that could allow an attacker to cause a targeted system to stop responding. This flaw exists in the way Windows handles objects in memory. Besides this, Microsoft has also patched multiple remote code execution vulnerabilities in Microsoft Office and Microsoft Excel, which could allow attackers to take control of the targeted systems.

The security updates also include patches for six flaws in Adobe Flash Player, three of which were rated critical.

Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

 

Flaw in Microsoft Outlook Lets Hackers Easily Steal Your Windows Password

A security researcher has disclosed details of an important vulnerability in Microsoft Outlook for which the company released an incomplete patch this month—almost 18 months after receiving the responsible disclosure report.

The Microsoft Outlook vulnerability (CVE-2018-0950) could allow attackers to steal sensitive information, including users' Windows login credentials, just by convincing victims to preview an email with Microsoft Outlook, without requiring any additional user interaction.

If you have already installed the latest Microsoft patch update, that's great, but attackers can still exploit this vulnerability. So, Windows users, especially network administrators at corporates, are advised to follow the below-mentioned steps to mitigate this vulnerability. Block specific ports (445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp) used for incoming and outgoing SMB sessions. Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication. Always use complex passwords, that cannot be cracked easily even if their hashes are stolen (you can use password managers to handle this task). Most important, don't click on suspicious links provided in emails.

 

Practical passwordless authentication comes a step closer with WebAuthn

Three major browser makers —Google, Microsoft, and Mozilla—have put their official backing behind a new W3C API called Web Authentication (WebAuthn) that is advertised as a reliable alternative to passwordless online authentication.

WebAuthn is a specification to allow browsers to expose hardware authentication devices—USB, Bluetooth, or NFC—to sites on the Web. These hardware devices enable users to prove their identity to sites without requiring usernames and passwords. The spec has been developed as a joint effort between FIDO, an industry body that's developing secure authentication systems, and W3C, the industry group that oversees development of Web standards.

With WebAuthn-enabled browsers and sites, users can sign in using both integrated biometric hardware (such as the fingerprint and facial-recognition systems that are widely deployed) and external authentication systems such as the popular YubiKey USB hardware. With WebAuthn, no user credentials ever leave the browser and no passwords are used, providing strong protection against phishing, man-in-the-middle attacks, and replay attacks.

With WebAuthn in place, widespread adoption of passwordless authentication will be much more practical. We're certainly not going to see the end of the password overnight, but this is the kind of infrastructure that needs to be in place before it can credibly be replaced.

#Facebook

Cutting room floor

 

#Tech and #Tools

This content was created by Kindred Group Security. Please share if you enjoyed!

Kindred Group in brief

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.