Microsoft March 2020 Patch Tuesday fixes 115 vulnerabilities

| Tag | CVE ID | CVE Title |
|---|---|---|
| Azure | CVE-2020-0902 | Service Fabric Elevation of Privilege |
| Azure DevOps | CVE-2020-0758 | Azure DevOps Server and Team Foundation Services Elevation of Privilege Vulnerability |
| Azure DevOps | CVE-2020-0815 | Azure DevOps Server and Team Foundation Services Elevation of Privilege Vulnerability |
| Azure DevOps | CVE-2020-0700 | Azure DevOps Server Cross-site Scripting Vulnerability |
| Internet Explorer | CVE-2020-0824 | Internet Explorer Memory Corruption Vulnerability |
| Microsoft Browsers | CVE-2020-0768 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Dynamics | CVE-2020-0905 | Dynamics Business Central Remote Code Execution Vulnerability |
| Microsoft Edge | CVE-2020-0816 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Exchange Server | CVE-2020-0903 | Microsoft Exchange Server Spoofing Vulnerability |
| Microsoft Graphics Component | CVE-2020-0774 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-0788 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-0791 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-0690 | DirectX Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2020-0853 | Windows Imaging Component Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2020-0877 | Win32k Elevation of Privilege Vulnerability |

Microsoft

VAT software supplier exposed data of millions

A MongoDB database containing the personal data of millions of UK residents was left exposed to the public internet for almost a week after its owner neglected to secure the Amazon Web Services (AWS) server that housed it.

The company in question, an unnamed software supplier, pulled records including names, email addresses, shipping addresses, purchase details, and redacted credit card numbers from the marketplace and payment system application programming interfaces (APIs) of Amazon, eBay, PayPal, Shopify and Stripe to help merchants using these platforms calculate VAT.

It also contained Amazon Marketplace Web Services (MWS) queries including authentication tokens, API queries, AWS access key IDs and secret keys.

However, according to Comparitech threat researcher Bob Diachenko, who uncovered the exposed server on 3 February, the owner left the records visible to the web without any password or authentication needed to access them.

Because Diachenko was at first unable to identify


Modern RAM used for computers, smartphones still vulnerable to Rowhammer attacks



According to new research published today, modern RAM cards are still vulnerable to Rowhammer attacks despite extensive mitigations that have been deployed by manufacturers over the past six years.

These mitigations, collectively referred to as Target Row Refresh (TRR), are a combination of software and hardware fixes that have been slowly added to the design of modern RAM cards after 2014 when academics disclosed the first-ever Rowhammer attack.

A short history of Rowhammer attacks

On modern RAM cards, every time your computer handles data inside its memory, the actual data is saved inside memory cells, and these memory cells are arranged in a table-like grid pattern on the card’s plastic base.

While this neatly-arranged design has helped engineers cram as many memory cells on a RAM card as possible, it has also enabled the possibility of electrical interference between memory cells.

This is, quintessentially, what


Molotov.tv streams 24/7 with Dell EMC and Scality object storage

Three years. That’s the time that it took the IT team at French TV provider Molotov to put in place the infrastructure needed to broadcast 170 channels in 30 formats to several hundred thousand users simultaneously.

Fundamental to the platform is Scality object storage and Dell EMC server hardware.

“The big challenge was to achieve real-time encoding of 30 standard formats for every channel, each one suited to different bandwidths to suit the different device types and internet connections of our users,” says Alexandre Ouicher, technical director at Molotov.

“We set ourselves the requirement to tolerate three minutes between a channel streaming and us being able to distribute it. The key challenge is to allow our users to move from one channel to another in less than 200 milliseconds,” adds Ouicher, who is head of a team of 40, around half of the total at the company.

Molotov’s aim
