Each week, Wipfli’s cybersecurity professionals review the latest breaches, vulnerabilities, patches and updates.
- A ransomware attack affected computers at California-based National Veterinary Associates (NVA), causing problems at roughly 400 of the company’s veterinary practices and animal boarding facilities around the world. NVA discovered the attack on October 27 and hired two companies to help with the recovery. The attack affected patient records, payment systems, and office management software. The company did not say if it paid the ransom.
- An unsecured Elasticsearch server has exposed detailed profiles of more than 1.2 billion people to the open internet. First found on October 16, the database contains more than 4 terabytes of data. It consists of information scraped from social media sources such as Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter and GitHub URLs, and other data commonly available from data brokers – i.e., companies that specialize in supporting targeted advertising, marketing and messaging services.
- An unsecured database belonging to PayMyTab, a company that provides U.S. restaurants with mobile payment apps and devices, left payment card and other customer data exposed. The exposed data includes the last four digits of payment card numbers; the customer's name, email address and telephone number; the date, time and location of the restaurant visited; and even details about the meal order.
- A pair of critical vulnerabilities in Oracle’s E-Business Suite (EBS) could be exploited to print checks and conduct electronic funds transfers. Oracle released fixes for the flaws in its April 2019 Critical Patch Update. It is estimated that about half of Oracle EBS customers have not yet applied the fixes.
- The open-source Virtual Network Computing (VNC) project, often found in industrial environments, is plagued by 37 different memory-corruption vulnerabilities – many of which are critical in severity and some of which could result in remote code execution (RCE). They potentially affect 600,000 web-accessible servers on systems that use the code.
- US-CERT Vulnerability Summary for the week of November 18, 2019.
Patches & Updates
- Google has fixed a cross-site scripting flaw in the AMP4Email feature. AMP4Email, also known as dynamic email, makes it easier for email to display dynamic content. The feature was made generally available in July. The researcher who found the vulnerability said it “is an example of a real-world exploitation of well-known browser issue called DOM Clobbering.” He notified Google of the flaw in August, and a fix was made available before the issue was publicly disclosed.
- Facebook has patched a vulnerability in WhatsApp that could be used to launch remote code execution attacks or cause denial-of-service conditions. The stack-based buffer overflow flaw could be exploited by sending a specially crafted MP4 video file to a targeted user.
- Microsoft has released an update for Microsoft Outlook for Android that fixes a spoofing vulnerability in the application that could allow an attacker to compromise the device. The vulnerability is titled "CVE-2019-1460 | Outlook for Android Spoofing Vulnerability"; it allows attackers to create specially crafted emails that, when opened, could launch scripts on the device in the security context of the user.