Computer Security

Oracle VirtualBox Zero-Day Vulnerability Leaked by Annoyed Researcher



Written by David Marshall

An independent researcher has discovered what he reports to be a zero-day vulnerability in VirtualBox, a popular general-purpose virtualization platform targeted at server, desktop and embedded use.

What's interesting here is that the researcher chose to publicly disclose the security hole rather than privately inform the vendor, which in the case of VirtualBox is Oracle. He justified this act as a reaction to his previous bad experience with Oracle. Last year, he found and reported a vulnerability for which the vendor took almost 15 months to release a fix. So this time, he took a different path of notification.

Sergey Zelenyuk, the Russian researcher, said he discovered a security flaw in Oracle's VM VirtualBox that would allow someone to escape from the virtual environment of the guest machine and reach Ring 3, the privilege layer in which most user programs run with the least privileges. The zero-day vulnerability could allow an attacker with root access to then gain access to the underlying OS.

The vulnerability is reported to exist in VirtualBox 5.2.20 and prior versions.


Stratodesk and Imprivata Partnership Brings Security and Convenience to Healthcare VDI

Grazed from Stratodesk and Imprivata

Stratodesk, the creator of NoTouch Desktop and long-time partner of Imprivata, has announced an updated, feature-complete integration with Imprivata OneSign. NoTouch enables users to leverage the power of Imprivata OneSign to access workstations and applications by simply tapping their proximity badges, scanning their fingerprints, swiping their smart cards, or using a wide array of additional authentication modalities.

The integration also supports Imprivata OneSign Fast User Switching (FUS), which allows multiple users to quickly and securely log in to shared workstations. Secondary authentication, which is increasingly necessary for the prescription of controlled substances, is also supported in both Citrix and VMware VDI environments. By combining the ease and power of NoTouch OS with healthcare's leading single sign-on and virtual desktop access platform from Imprivata, NoTouch customers will have unparalleled secure access to clinical information and applications across all endpoints: PCs, thin clients, laptops, and the new Citrix Workspace Hub.

Intel Issues Updates to Protect Systems From Security Exploits

Grazed from Intel

Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems -- including personal computers and servers -- that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.

Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.

RapidFire Tools Launches New Tool That Enables MSPs to Deliver Internal IT Security Services

Grazed from RapidFire

RapidFire Tools Inc. today launched Detector™, a new software appliance that enables managed services providers (MSPs) to more easily identify internal threats to client networks, which, according to industry reports, account for more than half of all breaches. Detector is the only software appliance that automatically scans a company's network on a scheduled basis for suspicious anomalous user behaviors, unexpected network changes and internal threats, and sends out daily alerts to the MSP regarding the detected issues. The security tool incorporates "machine learning" that allows it to become "smarter" the longer it is attached to a network. It also employs a proprietary "SMART-TAG"™ feature that allows the MSP to fine-tune the tool with additional information to identify relationships and dramatically reduce false positives. This comprehensive approach delivers more detailed and relevant information about the client's network, allowing the MSP to better mitigate risk and offer a meaningful internal IT security service.

VMware Patches XSS Vulnerabilities in vRealize for Linux

By David Marshall

The stored XSS flaws in vRealize only affect some versions, but could lead to the compromise of user workstations

VMware has patched two cross-site scripting issues this week in several editions of the company's vRealize software. The flaws reportedly could be exploited in stored XSS attacks and lead to remote code execution and the compromise of business workstations.

A VMware security advisory was posted on Tuesday, citing issues with Linux versions of VMware vRealize Automation 6.x prior to 6.2.4, and VMware vRealize Business Advanced and Enterprise 8.x prior to 8.2.5.

Linux users operating affected versions are urged to patch their environments as soon as possible to address the problem. According to the National Institute of Standards and Technology (NIST), the vulnerability could allow "remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."

Cloud Computing: In 2015, agency IT security and operations converge

Grazed from GCN. Author: William Jackson.

Two powerful trends will shape the government cybersecurity agenda in the coming year, say security experts, but they have more to do with how government security is managed than what technologies will better defend agency systems.

First, cybersecurity will increasingly be integrated from the start into the platforms and software being acquired and developed by agencies. This means that perimeter defenses – already abandoned to the realm of what is necessary but inadequate – will receive less attention as cybersecurity becomes more integrated into the government infrastructure.

Also, cybersecurity will no longer be considered the exclusive province of the CISO or the CSO, but will become a professional requirement for everyone responsible for IT services to the agency. “As a security vendor, we are ending up in conversations with the IT shop,” rather than just the security shop, said Ken Ammon, chief strategy officer for Xceedium, an identity management company. “Next year will be the year of convergence.”...