Two CERT Alerts, Only One With Known Solution


Six days after researchers discovered and publicly disclosed a vulnerability that affects the Ghostscript suite of software, a CERT alert was issued for a vulnerability found in the Microsoft Windows task scheduler that allows hackers to gain elevated system privileges.

The latest Microsoft Windows task scheduler contains a local privilege escalation vulnerability. “With the latest Windows OS vulnerability made public, IT professionals need to be extra vigilant regarding their network users’ behaviors,” said Justin Jett, director of audit and compliance for Plixer.

“The PoC released by researcher, SandboxEscaper, on Twitter gives malicious actors leverage needed to break into organizations to steal valuable information. Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don’t,” Jett continued.

“We’ll have to wait for Microsoft to respond, but if nothing is released until the scheduled September 11 Patch Tuesday, hackers will have a two-week window to take advantage of this vulnerability.”

In a separate vulnerability, an advisory from the eSentire Threat Intelligence team noted a flaw in Ghostscript in which the -dSAFER sandbox, which is intended to validate content, can be circumvented, allowing malicious content through. By sending a malformed file (PDF, PostScript, XPS or EPS), a malicious actor is able to carry out the attack so that when the file reaches the Ghostscript interpreter, it executes automatically and infects the host machine.

“If exploited, the vulnerability could allow a remote, unauthenticated threat actor to run commands, create files and delete or extract data. The exploitation of this vulnerability has not been seen in the wild at this time, but proof of concept code has been released. It is likely that more widespread exploitation attempts will be seen in the near future,” researchers wrote in a post today.

A patch was released on Friday 24 August. For those not able to immediately update, researchers wrote, “a potential short term fix for this vulnerability is to disable PS, EPS, PDF, and XPS coders. This is not recommended due to the high potential for business disruption. Due to the wide range of programs that rely on Ghostscript this vulnerability should be taken seriously and patches should be applied.”
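The short-term workaround quoted above can be audited rather than assumed. The following is an added example, not code from eSentire or the article: it assumes the "coders" are ImageMagick coder policies in a `policy.xml` file (the article does not name the file), uses a constructed sample policy, and approximates pattern matching with shell-style globs plus one brace list.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders the advisory quoted above names for the short-term workaround.
TARGET_CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed sample policy: PS and EPS are blocked, PDF was re-enabled by a
# later rule, and XPS was never listed.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,EPS,PDF}"/>
  <policy domain="coder" rights="read|write" pattern="PDF"/>
</policymap>"""


def _expand(pattern):
    """Expand one {A,B,C} brace list into separate glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [head + alt + tail for alt in m.group(1).split(",")]


def coder_status(policy_xml, coders=TARGET_CODERS):
    """Map each coder to 'disabled', 'enabled' or 'unlisted'.

    Assumption: when several coder rules match, the last one in the file
    decides, and rights="none" is the only value counted as disabled.
    """
    root = ET.fromstring(policy_xml)
    status = {c: "unlisted" for c in coders}
    for rule in root.iter("policy"):
        if rule.get("domain", "").lower() != "coder":
            continue
        rights = rule.get("rights", "").strip().lower()
        for glob in _expand(rule.get("pattern", "")):
            for coder in coders:
                if fnmatch.fnmatchcase(coder, glob.strip()):
                    status[coder] = "disabled" if rights == "none" else "enabled"
    return status


def missing_mitigation(policy_xml):
    """Return the target coders that are NOT disabled by the policy."""
    return sorted(c for c, s in coder_status(policy_xml).items() if s != "disabled")
```

Running `missing_mitigation` on a host's own policy file contents shows which of the four coders would still hand files to Ghostscript; an empty list means the workaround is fully in place.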

Vendors known to be affected include Artifex Software Inc., CentOS, LinkUs, Ubuntu, SUSE Linux, and Red Hat Inc. Apple, Arch Linux, Arista Networks Inc. and ASP Linux are potentially affected as well. eSentire advised applying patches as quickly as possible once they are released.

*This story has been updated to correct the original statement that a patch for the Ghostscript vulnerability was not yet available.
