Log4j flaw: Thousands of applications are still vulnerable, warn security researchers
The flaw allows hackers to remotely execute code using an external name, even if they have no identity or login credentials.
Malwarebytes security researchers have noted the flaw for at least six years, but now plan to closely examine it, and give further details about how it could affect older versions of Windows, Microsoft Security Essentials and Microsoft Edge.
The vulnerability in Microsoft Edge includes a plug-in called the “Manage Layer 2” toolkit with the vulnerability listed on Microsoft’s disclosure website, which has been switched off in the process of updating it with a new version.
Malwarebytes researchers first identified the flaw in January 2014. When they found it in May 2015, they switched it off.
The vulnerability has now been patched. It should give the Microsoft Edge team a better understanding of what would happen if the flaw were.
Malwarebytes testers who were working on Microsoft Edge had a list of those affected by the flaw on their site.
Malwarebytes said they searched for flaws before, and found at least 10,000 that were found to be vulnerable.
“The potential for this flaw to cause a denial of service or malicious activity in a Windows environment is very small, but there’s no way to know for certain with certainty,” Malwarebytes security researcher Lewis Zeid said in a statement.
“But we also know that multiple vulnerabilities could be exploited within the Windows environment.”
Microsoft Edge has been in the works for more than two years at a time, and has been undergoing a close review since 2009, according to a Microsoft spokesperson.
OS Defender was also used in the patched version. This has already been added to the update list on Windows Server 2008 R2, Microsoft said.
Microsoft reviewed OS Defender before deciding it was safe, according to a security researcher who has been working on the flaw.
“OS Defender doesn’t and won’t corrode any of the protective layers of the OS architecture,” he said.
“If you use OS Defender for OS installations, it’s highly recommended that you use the OS Defender toolkit to manually update the OS. In the meantime, you can download the latest version of OS Defender from Microsoft’s website.”
Windows Defender was removed from Windows 10 for security reasons.
“During the review of how OS Defender works, we realized that OS Defender could be used to gain root access on Windows 10 which might allow malicious applications to execute code,” an OS Defender spokesperson told the BBC.
“We are also looking for ways to make sure that when the update is installed that it’s not only updated but is also updated from a ‘pre-configured’ or ‘pre-installed’ state.
“We are working with the company to get OS Defender working on OS 10 before coming to a decision about whether or not to revoke it.”
A network-connected browser was also developed that worked its way around the vulnerabilities, but it was kept ad-supported until the end of 2015.
Many of the settings on Windows 10 are best suited for small applications, such as Word on a computer.
The company has also identified seven vulnerabilities in the McAfee app, which were used to try and prevent attackers from leveraging inbound network traffic.
Among the findings:
- The Activity Index was able to brute force the user’s page.
- Scrolling by a large amount was not allowed.
- It was unable to track the location of a user’s stay-at-home address.
- Intentional site visits were not detected.
- The security filter was not enabled.
- Users could search on 3rd party sites.
ALL TEXT IN THIS POST IS COMPLETELY FAKE AND AI GENERATED
Read more about how it’s done here.