The Ivanti Threat Thursday Update for November 30, 2017: Big Mac Attack?

Greetings and welcome. This week, newly identified vulnerabilities in Apple’s macOS High Sierra, and new data leaks at a U.S. federal government agency. Got relevant opinions, reactions, and/or suggestions? Feel free to share. Thanks in advance.

Vulnerabilities Found in Latest macOS Release

As AppleInsider reported this week, a significant new vulnerability was discovered in Apple’s macOS High Sierra (10.13). The flaw “can grant users access to the system administrator account on a target machine, enabling access to the account without requiring a password.”

  • Once empowered with System Administrator access, a user can “view all files stored on the computer in all user accounts, edit the credentials of other users, and alter other settings on the device.” The vulnerability “requires relatively few steps to accomplish, and takes advantage of a section within the System Preferences menu.”
  • Exploitation of the vulnerability “requires access to the computer either locally or with a Remote Access connection. It also needs an authorized user to be logged in to generate the Root account with no password.” “The ultimate protection against the exploit is to disable Guest access.”
  • Yesterday, Apple issued Security Update 2017-001, which addresses this vulnerability (tracked as CVE-2017-13872). In the accompanying description of the Update, Apple said this: “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.”
  • Ivanti partner Nine41 Consulting has published a blog post with links to a script that can remediate the vulnerability. It does so by setting a new password for the root account on a macOS system and disabling console access to that root account. The post also offers guidance for using the Autofix feature of Ivanti Endpoint Manager to remediate the vulnerability on all connected macOS systems during a security scan.
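
The check and remediation described above, as an added example written for this post rather than the Nine41 or Ivanti script itself. It assumes macOS 10.13 with dscl(1) and dsenableroot(8) available, and takes the admin credentials and the new root password from environment variables (ADMIN_USER, ADMIN_PW and ROOT_NEW_PW are names chosen here, not part of any Apple or Ivanti tool). The state check parses the output of `dscl . -read /Users/root AuthenticationAuthority`: on an exposed machine the root account has never been enabled and that key is absent, which is the condition the bug turns into a root login with an empty password. The remediation enables root with a real password, which is what Apple advised pending the update; the no-login-shell step is an extra hardening choice made here, not something the page attributes to the Nine41 script.

```sh
#!/bin/sh
# Added example: detect and fix the disabled-root condition behind the
# High Sierra empty-password root login (Security Update 2017-001).
# Not the Nine41 Consulting script. Assumes macOS 10.13 with dscl(1) and
# dsenableroot(8); ADMIN_USER, ADMIN_PW and ROOT_NEW_PW are variable names
# chosen for this example.

# Classify the root account from the output of
#   dscl . -read /Users/root AuthenticationAuthority 2>&1
# "No such key" means root has never been enabled (the exposed state);
# ";DisabledUser;" is the token used for an explicitly disabled account;
# ";ShadowHash;" means a password hash is on file, i.e. root is enabled.
classify_root() {
    case "$1" in
        *"No such key"*)  echo disabled ;;
        *DisabledUser*)   echo disabled ;;
        *ShadowHash*)     echo enabled ;;
        *)                echo unknown ;;
    esac
}

# Succeeds (exit 0) when the account state calls for remediation.
needs_fix() {
    [ "$(classify_root "$1")" != enabled ]
}

# Enable root with a real password. Refuses to run off macOS or as non-root.
# Do NOT "fix" an unpatched machine with `dsenableroot -d`: disabling root
# recreates exactly the state the bug exploits.
remediate_root() {
    [ "$(uname)" = Darwin ] || { echo "not macOS; nothing to do" >&2; return 2; }
    [ "$(id -u)" -eq 0 ]    || { echo "must run as root" >&2; return 2; }
    : "${ADMIN_USER:?admin user required}" "${ADMIN_PW:?admin password required}"
    : "${ROOT_NEW_PW:?new root password required}"
    dsenableroot -u "$ADMIN_USER" -p "$ADMIN_PW" -r "$ROOT_NEW_PW" || return 1
    # Extra hardening chosen here: keep root enabled (so its password hash
    # stays on file) but give it no interactive shell.
    dscl . -create /Users/root UserShell /usr/bin/false
}

# Live check, run only when executed on macOS so the functions above can be
# sourced and exercised elsewhere.
main() {
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    echo "root account state: $(classify_root "$out")"
    if needs_fix "$out"; then
        remediate_root
    fi
}

case "$(uname)" in
    Darwin) main ;;
esac
```

Run it as root on each High Sierra machine (for example as an Ivanti Endpoint Manager Autofix action) with the three variables set; it prints the current root state and only touches the account when root is not already enabled with a password. Once Security Update 2017-001 is installed, leaving root enabled with a strong password remains harmless.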

What We Say: Malefactors get faster and better at exploiting vulnerabilities in operating systems, applications, and networks every day. At the same time, macOS systems are growing in popularity at many organizations. Note that disabling Guest access alone does not close this hole: the empty-password login works from any dialog that asks for administrator credentials. Until the update is installed, enable the root account and set a strong password, as Apple advised, and do not disable root again on an unpatched system. Your organization must have in place tools and processes that help you and your team to identify and isolate new vulnerabilities and test and deploy corrective patches and updates as quickly as possible. Those tools and processes must be sufficiently agile and flexible to protect all of your critical systems, whatever operating systems and applications they are running. (See “Mac Users Be Aware: High Sierra Flaw Exposes Root” and “The Equifax Breach, Patch Management, and Your Cybersecurity.”)

Sensitive U.S. Government Data Exposed – Again

Another U.S. government agency inadvertently made sensitive data easily available online. This time, the information was the responsibility of a division of the National Security Agency (NSA).

  • As ZDNet reported, “The virtual disk image contains over 100 gigabytes of data from an Army intelligence project, codenamed ‘Red Disk.’ The disk image belongs to the US Army’s Intelligence and Security Command, known as INSCOM, a division of both the Army and the NSA.”
  • “The disk image was left on an unlisted but public Amazon Web Services storage server, without a password, open for anyone to download.” “Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and informed the government of the breach in October. The storage server was subsequently secured, though its owner remains unknown.”
  • “Vickery noted that the disk image also contains other sensitive files, including private keys used for the system to access other servers on the intelligence community’s network. The keys belong to a third-party firm, Invertix, a working partner of INSCOM and a key developer of Red Disk,” a program designed to enable “sharing intelligence across the battlefield.”
  • “Unprotected [cloud-based] storage buckets have become a recurring theme in recent data leaks and exposures. In the past year alone, Accenture, Verizon, and Viacom, and several government departments, were all dinged by unsecured data.”

What We Say: The General Data Protection Regulation (GDPR) is due to come into effect on May 25, 2018. GDPR is motivating IT and cybersecurity decision makers at organizations of all sizes and types to look more closely at how, and how well, they are protecting the data upon which those organizations rely. This is particularly true for organizations that handle or store so-called personally identifiable information, or PII. Under GDPR, companies that fail to protect the personal data of individuals in the European Union (EU) will be subject to fines as high as four percent of global annual revenues or €20 million ($23.5 million), whichever is higher. Whether or not your organization does business with people in the EU, there is never a bad time to re-examine your data protection solutions and processes. For cloud storage specifically, start with the basics: inventory your buckets, audit their access controls and policies for anonymous grants, and alert on any bucket that becomes publicly readable. (See our GDPR blog posts, and take our interactive, online GDPR readiness assessment.)

Ivanti: Your Partner for Multi-Layered Cybersecurity

Ivanti has the solutions, the expertise, the ecosystem, and the commitment to make effective, multi-layered cybersecurity a reality at your organization, today and tomorrow. We can help you keep your client and server system patches up to date, combat and remediate malware and other attacks, and gain flexible, non-disruptive control over your users’ applications, devices, and admin rights. Check out our cybersecurity solutions online. Then, contact Ivanti, and let us help you bring multi-layered cybersecurity to your organization. (And do please keep reading, sharing, and commenting on our security blog posts, especially our Patch Tuesday and Threat Thursday updates.)