Microsoft patch for JET flaw zero-day is ‘incomplete,’ Windows still vulnerable

Microsoft's fix for the zero-day JET flaw only limits the vulnerability, doesn't eliminate it. Meanwhile, a Pentagon breach affects 30,000 workers, and a vigilante hacker is patching vulnerable MikroTik routers.

Despite Microsoft patching a zero-day vulnerability in its JET Database Engine, you are not fully protected. Researchers at 0patch warned that Microsoft’s official patch was “incomplete.”

The Zero Day Initiative first revealed the flaw, which could lead to remote code execution, in September after Microsoft failed to patch it within the 120-day disclosure timeline. Within 24 hours, 0patch released a micropatch, as all versions of Windows contain the JET Database Engine.

Microsoft released a fix on October’s Patch Tuesday, but 0patch said Microsoft’s fix “only limited the vulnerability instead of eliminating it. We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix.”

In the meantime, 0patch advised deploying a micropatch until Microsoft ships a proper fix.

NSA yet to find proof of Bloomberg-reported Chinese spy chips

Bloomberg Businessweek did not back off its hotly denied claim of Chinese spy chips in motherboards used by 30 U.S. companies and government agencies, adding fuel to the claims by saying the implanted microchips in Super Micro hardware had also affected the network of a “major U.S. telecommunications company.” The telecommunications company was not named. However, AT&T, Verizon, and Sprint all gave quotes denying being affected by the Chinese-inserted spy chip.

NSA official Rob Joyce, who also happens to give some pretty awesome talks about Christmas light shows, told the U.S. Chamber of Commerce that the NSA hasn’t turned up any ties to the claims made in the Bloomberg article, saying: “I have pretty great access, [and yet] I don’t have a lead to pull from the government side. We’re just befuddled.” He asked for anyone with knowledge of the Chinese implants to contact the NSA, FBI or Department of Homeland Security.

Pentagon discloses breach that affects 30,000 workers

Several days after the world learned that the Pentagon’s modern weapons systems are easy to hack, the Pentagon admitted to a breach of Department of Defense (DoD) travel records that compromised the personal information and credit card data of about 30,000 military and civilian personnel. The Associated Press said the number of people affected by the breach could increase as the investigation continues.

Vigilante hacker patching MikroTik routers

A Russian-speaking gray hat has been breaking into vulnerable MikroTik routers to patch them. Although he claimed to have disinfected and added firewall rules to as many as 100,000 routers, hundreds of thousands of vulnerable MikroTik routers remain infected and mining cryptocurrencies.

MikroTik released firmware patches six months ago — back in April — but Tenable Research recently revealed additional vulnerabilities, the “most critical of which would allow attackers to potentially gain full system access.” Users were advised to upgrade to “RouterOS versions 6.40.9, 6.42.7 and 6.43,” as well as change default passwords.
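For anyone who runs more than a handful of MikroTik devices, the practical follow-up to that advice is checking an inventory of RouterOS versions against the three fixed releases named above. The script below is an added example written for this article, not code from MikroTik or Tenable. It assumes that 6.40.x and 6.42.x are separately maintained branches, each with its own minimum fixed release, that 6.43 or anything later counts as fixed, and that releases outside those branches (for example 6.41.x or anything older than 6.40) are not covered by a fix and should be upgraded. The hostnames and version strings in the sample inventory are constructed for the example.

```python
"""Triage a MikroTik RouterOS inventory against the fixed releases quoted
in the article: 6.40.9, 6.42.7 and 6.43.

Added example. Branch handling is an assumption made here: 6.40.x and
6.42.x are treated as independently maintained branches with their own
minimum fixed release; 6.43 and later is treated as fixed; any other
branch is reported as needing an upgrade.
"""
from __future__ import annotations

# Minimum fixed release per maintained branch (versions from the advisory).
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (6, 40): (6, 40, 9),
    (6, 42): (6, 42, 7),
}
# Any release at or above this is treated as fixed regardless of branch.
FIXED_FROM: tuple[int, int, int] = (6, 43, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '6.42.7' or '6.43' into a comparable (major, minor, patch) tuple.

    Anything that is not purely numeric (release candidates such as
    '6.43rc27', blank fields, vendor strings) raises ValueError so the
    caller can flag the device for manual review instead of guessing.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_fixed(version: tuple[int, int, int]) -> bool:
    """True if the release meets the advisory's minimum for its branch."""
    if version >= FIXED_FROM:
        return True
    minimum = FIXED_BY_BRANCH.get(version[:2])
    if minimum is None:
        # 6.41.x, anything below 6.40, etc.: no fixed release on this branch.
        return False
    return version >= minimum


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> 'fixed', 'upgrade' or 'unknown' (unparseable version)."""
    result: dict[str, str] = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "fixed" if is_fixed(parse_version(version_text)) else "upgrade"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: dict[str, str] = {
    "edge-01": "6.40.8",   # one below the 6.40 branch fix
    "edge-02": "6.40.9",   # exactly the 6.40 branch fix
    "core-01": "6.42.6",   # one below the 6.42 branch fix
    "core-02": "6.42.7",   # exactly the 6.42 branch fix
    "lab-01": "6.41.4",    # branch with no named fix: upgrade
    "lab-02": "6.43",      # first release treated as fixed
    "lab-03": "6.43.2",    # later than 6.43: fixed
    "lab-04": "6.43rc27",  # release candidate: needs manual review
    "old-01": "6.38.5",    # older than any fixed branch: upgrade
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {SAMPLE_INVENTORY[host]:10} {status}")
```

Feed it the version field exported from your own asset inventory (or the output of `/system resource print` collected from each device) in place of the sample dictionary. Release candidates are deliberately reported as "unknown" rather than matched against their base version, because an RC precedes the release it is named after and should not be assumed to carry the fix. A version check on its own does not tell you whether a router was already compromised before it was patched, so the advice to change default passwords still applies after the upgrade.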

More than 9 million security cameras, DVRs, and NVRs open to remote attack

SEC Consult warned that millions of “security cameras, DVRs, and NVRs” manufactured by Hangzhou Xiongmai Technology Co., Ltd. contain flaws that could allow an attacker to remotely take over the devices without much effort. You might have one of the devices and not know it, since other companies put their logos on the affected products. Researchers warned that the company failed to provide proper mitigations for Xiongmai devices vulnerable to RCE via “XMeye P2P Cloud.”

Senators demand to see copy of internal Google Plus memo

After Google announced it is finally putting Google Plus out of its misery — and, oh, by the way, there had been a breach that the company opted not to disclose — three senators sent Google a letter (pdf) demanding to see a copy of Google’s internal memo that discussed the breach. In addition, the senators asked for written answers to seven other questions about the vulnerability and other potentially similar incidents that Google opted not to publicly disclose.

Facebook claims only 30 million users had access tokens stolen

In an update about the “View As” bug, Facebook revealed, “Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.” The post goes on to explain how the attackers pulled it off.

Don't pull a Kanye

Kanye West accidentally showed the world his iPhone passcode while meeting with President Donald Trump. Despite cameras pointed at him from every angle, West didn’t stop to think before tapping in his passcode. Even worse than his OpSec was his idea of good security — locking his phone with 000000. Between his expressed views and showing off his passcode, people went nuts.
