Category Archives: Security Alert

Critical Microsoft Security Updates June 2017

Microsoft, as part of their regular Update Tuesday schedule, have provided additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures.

Affected Platforms

  • Microsoft Windows: XP, Vista, 7, 8, 8.1 and 10
  • Microsoft Windows Server: 2003, 2008, 2008 R2, 2012, 2012 R2 and 2016

Some of the releases are new and some are for older platforms that are out of support; Microsoft is making these publicly available for the first time.

Microsoft security teams actively monitor for emerging threats to help organisations protect themselves against potential attacks. Those on older platforms (such as Windows XP) should prioritise applying these critical updates, which can be found in the Download Center (or alternatively in the Update Catalog).

The patches for out of support operating systems include protection against the EsteemAudit, ExplodingCan and EnglishmanDentist exploits. These exploits target flaws in the Windows Remote Desktop Protocol, IIS 6.0 and Microsoft Exchange servers.

Microsoft made the following statement:

“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies. Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.

As usual, customers on supported platforms with automatic updates enabled, like Windows 10 or Windows 8.1, are protected and do not need to take additional action.”

Further Resources:

    • Microsoft June 2017 security updates release:
    • A detailed list of the updates released due to heightened risk can be found on Microsoft Security Advisory 4025685, along with Frequently Asked Questions
    • For customers using Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows 8.1 RT, Windows Server 2012 R2, Windows 10, or Windows Server 2016 see Microsoft Knowledge Base Article 4025686 for guidance.
    • For customers using Windows XP, Windows Vista, Windows 8, Windows Server 2003, or Windows Server 2003 R2 see Microsoft Knowledge Base article 4025687 for guidance.
    • For customers using Windows Embedded versions see Microsoft Knowledge Base article 4025688 for guidance.

Computers configured with automatic updates enabled are protected and there is no additional action required.

Microsoft Issues Patches And Guidance For WannaCrypt Ransomware Attacks

Microsoft have issued patches for previously unsupported operating systems alongside the following statement:

Many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).  This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.

Download Links

Download English language security updates:

  • Windows Server 2003 SP2 x64
  • Windows Server 2003 SP2 x86
  • Windows XP SP2 x64
  • Windows XP SP3 x86
  • Windows XP Embedded SP3 x86
  • Windows 8 x86
  • Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server:

General information on ransomware:

MS17-010 Security Update:


Ransomware Infections Reported Worldwide

Multiple organizations around the world, including hospitals and telecommunications companies, reported falling victim to ransomware, and researchers said a worldwide campaign of attacks was ongoing. However, the full extent of the hacks, and whether all of them were connected to one another, is unclear.

Among the organisations affected are the NHS, Spanish telecoms firm Telefónica, and logistics firm FedEx.

Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 worth of the online currency Bitcoin, saying: “Ooops, your files have been encrypted!”

The reason for the malware’s virulent spread appears to be its use of an exploit of Windows software developed by the National Security Agency (NSA), the American spy agency. The exploit was leaked online months ago and patched by Microsoft — but those affected seem not to have updated their software to install the fix.

Cyber security experts say it is WanaCrypt0r 2.0, a new version of the WCry or WannaCry ransomware. Although it is early days and experts are battling to figure out how it works, some suggest that what is new about it is that it may exploit a vulnerability made public by a group called The Shadow Brokers, which hacked the National Security Agency in the US, stole its hacking tools and then dumped them on the internet. Microsoft subsequently published a patch for the vulnerability.

Here is a link to the Microsoft patch to protect yourself from this attack –


Spotting Fake Web Addresses

To most people, a quick glance at the above address will make it look genuine. Even if you look in detail you may say it's Primark in the US. Wrong!

It’s a fake site; what we have here is a well constructed fake web address. Most people associate the www with the start of a web address, com with part of the address, and the company name in the middle.

What we really have here is a site with 2 subdomains set up. The first www is just a subdomain, the primark is a subdomain and the is the actual domain name. Criminals and others setting up fake sites are using this method more often in order to trick people into thinking the web address is genuine.

When you visit the site it may be laid out to give the impression you are on a genuine site for that company. In reality the site may have infected your computer with a virus or spyware, or the operators may want you to log in to the site in order to get your login or bank details.

Note: The above example web address is known to be fake, please do not visit that site.
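The label-splitting described in this section can be checked mechanically. The following is an added example, not part of the original post: it separates a hostname into its subdomain labels and its registered domain, then flags a brand name that appears only in the subdomain part. The hostnames, the short suffix list and the `official_domains` set are constructed assumptions; real tooling should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of public suffixes (assumption). Production code should
# load the complete Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def split_host(url):
    """Return (subdomain_labels, registered_domain) for the URL's hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Scanning from the left finds the longest matching suffix first; the
    # label immediately before it completes the registered domain.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                break  # the host is itself a bare suffix
            return labels[:i - 1], ".".join(labels[i - 1:])
    return [], host  # unknown suffix: treat the whole host as the domain


def brand_in_subdomain(url, brand, official_domains):
    """True when the brand appears left of a registered domain it does not own."""
    subdomains, registered = split_host(url)
    if registered in official_domains:
        return False
    return any(brand in label for label in subdomains)


if __name__ == "__main__":
    # Constructed URLs: the first puts the brand in a subdomain of an
    # unrelated registered domain, the second is on the assumed official one.
    for url in ("http://www.primark.example.com/sale", "https://www.primark.com/"):
        subs, registered = split_host(url)
        flagged = brand_in_subdomain(url, "primark", {"primark.com"})
        print(url, "| registered domain:", registered, "| suspicious:", flagged)
```
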

IIS Zero Day Vulnerability Will Never Be Patched

Affected Platforms

Microsoft Internet Information Services 6.0


A vulnerability found in Microsoft’s Internet Information Services (IIS) web server technology has been publicly detailed along with proof of concept exploit code. It is understood to have been under attack since July 2016. The flaw is found in IIS version 6.0, which reached end of life in July 2015, meaning it will likely not be patched. That leaves all remaining servers that are yet to upgrade exposed to a potential complete system compromise.

The vulnerability is a buffer overflow in the ScStoragePathFromUrl function in the WebDAV service for IIS 6. WebDAV is an extension to the HTTP protocol designed to simplify sharing and content authoring.

An attack launched against a vulnerable server can cause a denial of service, but it could also result in full remote code execution. With many IIS deployments running on a full Windows server installation, often hosting other internal services, a breach of this nature is capable of allowing a threat actor to gain a serious foothold in the network.


  • Either upgrade IIS or disable WebDAV as soon as possible (see below how to disable WebDAV in IIS6)
  • Conduct scans of your own address space either internally or with the use of a third party to discover any previously forgotten deployments that may be left vulnerable.
  • Where vulnerable deployments have been available from the internet, access logs and other log data sources should be analysed for unusual activity that may indicate a previous compromise.
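As a starting point for the log review recommended above, the following added example (not part of the original alert) reads an IIS log in W3C extended format and summarises, per client address, every request that used a WebDAV method. The sample log lines, dates and addresses are constructed; a WebDAV request in the log is a lead for review against expected usage, not proof of compromise.

```python
from collections import defaultdict

# WebDAV request methods defined in RFC 4918; plain HTTP verbs are excluded.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample in W3C extended log format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2017-03-28 10:01:02 192.0.2.10 GET /index.htm 200
2017-03-28 10:01:07 198.51.100.7 PROPFIND / 500
2017-03-28 10:01:09 198.51.100.7 PROPFIND / 500
2017-03-28 10:02:00 203.0.113.5 OPTIONS / 200
2017-03-28 10:03:00 192.0.2.10 LOCK /docs/plan.doc 200
"""


def webdav_requests(log_text):
    """Yield one dict per logged request that used a WebDAV method."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("cs-method", "").upper() in WEBDAV_METHODS:
                yield row


def summarise_by_client(log_text):
    """Group WebDAV requests by client IP with request count, methods and statuses."""
    summary = defaultdict(lambda: {"requests": 0, "methods": set(), "statuses": set()})
    for row in webdav_requests(log_text):
        entry = summary[row.get("c-ip", "unknown")]
        entry["requests"] += 1
        entry["methods"].add(row["cs-method"].upper())
        entry["statuses"].add(row.get("sc-status", "-"))
    return dict(summary)


if __name__ == "__main__":
    for client, info in sorted(summarise_by_client(SAMPLE_LOG).items()):
        print(client, info["requests"], sorted(info["methods"]), sorted(info["statuses"]))
```
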

How To Disable WebDAV In Microsoft IIS6

  • Click the Windows “Start” button, select “Administrative Tools,” and then click “Internet Information Services (IIS) Manager.”
  • Select the “Web Service Extensions” folder on the left side of the IIS Manager window.
  • Select the “Extended” tab near the bottom of the window.
  • Select the “WebDAV” item below the “Web Service Extension” heading on the right side of the window.
  • Click the adjacent “Prohibit” button.

Cisco Wireless Security Updates

Cisco has issued the following security alert for a range of Wireless products:

Affected Platforms

Aironet 1830 Series and 1850 Series Access Points
Wireless LAN Controller 802.11 WME
Wireless LAN Controller IPv6
Wireless LAN Controller Management GUI


Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.


Cisco encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:

Aironet 1830 Series and 1850 Series Access Points Mobility Express Default Credential Vulnerability (cisco-sa-20170405-ame)

Wireless LAN Controller 802.11 WME Denial-of-Service Vulnerability (cisco-sa-20170405-wlc)

Wireless LAN Controller IPv6 UDP Denial-of-Service Vulnerability (cisco-sa-20170405-wlc2)

Wireless LAN Controller Management GUI Denial-of-Service Vulnerability (cisco-sa-20170405-wlc3)

The Scammers Who Warn You Of Scammers

We had to share this one with you. Alongside the daily intake of spam we spotted this one. All the rest wanted our money, but this guy is warning us that there are scammers about! But he does want $240, have a read.


I am Mardiani Nasution, I am an Indonasia Citizen living in the USA ,62 years Old. I reside in New Jersey. My residential address is 35 romney road Bound brook NJ ,USA 08805 United States, I am one of those that took part in the Compensation in Nigeria many years ago and they refused to pay me, I had paid over $28,000 while in the United States of America, trying to get my payment all to no avail.

So I decided to travel down to Nigeria with all my compensation documents, and I was directed to meet Mr Phillip Uba, who is the heads member of COMPENSATION AWARD COMMITTEE with the UNITED NATIONS, and I contacted him and he explained everything to me. He said whoever has been contacting us through emails are fake and I saw your name (in the Central Computer among the list of unpaid beneficiaries, contractors,Internet Dating Scam, lottery winners, inheritance next of kin, that was originated from West Africa, United Kingdom, Asia and US .Please i will want to advice you to stop all further communication with any parties ,bank or group of people claiming to be in charges of your fund,

He took me to the paying bank for my Compensation payment of $5,400,000.00 and he showed me the full list of EMAIL ADDRESS of those that are yet to receive their payments were I saw your EMAIL ADDRESS as one of the beneficiaries. This is why I decided to email you to stop dealing with wrong people, they are not with your fund, they are only making money out of you. I will advise you to contact Mr Phillip Uba

Name: Mr Phillip Uba
TEL:+234 9075009131
You really have to stop dealing with those people that are contacting you telling you that your fund is with them, it is not in anyway with them, they are only taking advantage of you and they will dry you up until you have nothing. The only money I paid after I met Mr Phillip Uba was just $240 for the paper work which you have to pay once you contact him and he’ll work it out for you, take note of that. Once again stop contacting those people, I will advise you to contact Mr Phillip so that he can help you to transfer your Fund into your account, instead of dealing with those liars that will be turning you around asking for different kind of money to complete your transaction.

Thank You


This e-mail had the subject “GOOD NEWS BENEFICIARY” and it was from

Whatsapp Hackers Can Now Steal Your Internet Banking Details

WhatsApp users should be made aware of a new scam that attempts to steal your bank account login details. Hackers are now targeting unsuspecting users with a mobile virus that is distributed via a legitimate-looking Word document sent inside the application.

These documents are capable of seizing sensitive information from the users’ phone, such as online banking credentials and other personal data. The documents that circulate via the messages are typically in Excel format, although Word and PDF files have been reported as well. The documents are able to access personal data on the phone, including banking credentials and PIN codes.

At the moment it is not known what else this virus does on a phone or tablet, or whether WhatsApp is taking any action to prevent the scam.

The best way to protect your phone or tablet is to avoid clicking on dubious links, no matter how, or from whom, you receive them, and to limit app use to applications downloaded from official app stores.

Thousands Have Money Stolen In Tesco Bank Hack

Around 20,000 of Tesco Bank’s online customer accounts have had money stolen in a hacking attack over the weekend. The exact amount stolen has not been disclosed. However, customers on online forums and on social media are reporting that several thousands of pounds have gone missing after checking their current accounts.

Tesco Bank has said that it has sent a text message to all those with accounts which have seen “suspicious activity”. Even if you haven’t received a text message, given the scale of the hack it may be worth checking your account for any unusual transactions. According to reports in the media, a lot of people have received the text message and the amounts missing from accounts appear to vary: some have lost a few hundred pounds while others have lost a few thousand pounds.

If you see something suspicious about a transaction on your account or are unsure please call Tesco Bank on 0345 835 3353.

It appears that Tesco Bank credit card accounts or savings accounts have not been hacked; the issue appears to be only affecting current accounts.

Facts:

Tesco Bank has 7.8 million customer accounts.

At least 20,000 Tesco Bank customers have had money stolen over the weekend following the attack.

Around 40,000 reported ‘suspicious activity’ as the fraudsters accessed confidential account information.

The Financial Conduct Authority says banks must refund unauthorised payments immediately, unless they have evidence that the customer was at fault or the payment was more than 13 months ago. The banks are also required to refund any charges or interest added to your bank account as a result of the fraudulent payments. So if you have been affected by this then you will get your money back; according to Tesco that should happen in the next day or so.

The Treasury Committee chairman and Tory MP Andrew Tyrie has said that he will be writing to Tesco’s chief executive to find out what went wrong and what steps are being taken to reduce the likelihood of a similar hack happening again. He said: “This is just the latest in a long list of failures and breaches of banking IT systems, exposing many thousands of customers to uncertainty and disruption.”

Back in 2014 there was an issue when 2,239 user accounts with email addresses, passwords and Clubcard voucher balances were posted online. That security breach did not appear to have come from Tesco’s end. They said the data must have been compiled by taking user details obtained from breaches at other websites, presumably users who had reused email addresses and passwords across multiple accounts.

It is not yet known exactly how the accounts were hacked this weekend.

In a statement on their website, Tesco Bank said:

Tesco Bank can confirm that, over the weekend, some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.

We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts. That is why, as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers. While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible.

We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, Twitter and direct communication.

We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible.

Benny Higgins, Chief Executive