
The majority of this blog post is related to Linux, but there is also an advisory regarding IIS 6.0 on Windows Server 2003 R2.

First to Linux: A kernel issue, identified as CVE-2017-1000253*, was discovered more than two years ago, in April 2015, by Google researcher Michael Davidson. It was not considered serious, and as such, a patch for this flaw had not been released until now. Why now? Qualys Research Labs have found that the vulnerability can be exploited, as described below:

Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on 14 April 2015) are vulnerable to CVE-2017-1000253, a Local Privilege Escalation.

Most notably, all versions of CentOS 7 before 1708 (released on 13 September 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on 1 August 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.
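A fleet triage check derived from the version thresholds above, added here as an example (it is not code from this post or from Qualys): it parses /etc/redhat-release strings and places each host inside or outside the advisory's affected range. Host names and release strings are constructed; a release string alone only indicates exposure, and confirming the running kernel package against the vendor's erratum is what actually closes the finding.

```python
import re

# Thresholds from the Qualys advisory quoted above: CentOS 7 fixed from 7.4.1708,
# RHEL 7 fixed from 7.4, all CentOS 6 / RHEL 6 releases listed as exploitable.
RELEASE_RE = re.compile(
    r"^(?P<distro>CentOS|Red Hat Enterprise Linux)\b.*?release\s+(?P<ver>\d+(?:\.\d+)*)"
)

def parse_release(line):
    """Return (distro, major, minor, build) from /etc/redhat-release text, else None."""
    m = RELEASE_RE.search(line.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group("ver").split(".")]
    major = parts[0]
    minor = parts[1] if len(parts) > 1 else 0
    build = parts[2] if len(parts) > 2 else 0  # CentOS 7 carries a YYMM tag, e.g. 7.4.1708
    return m.group("distro"), major, minor, build

def triage(line):
    """Classify one release string: 'affected', 'not-in-affected-range' or 'unknown'.

    Only the advisory's version thresholds are applied; the running kernel package
    still has to be checked against vendor errata before a host is marked fixed.
    """
    parsed = parse_release(line)
    if parsed is None:
        return "unknown"
    distro, major, minor, build = parsed
    if major == 6:
        return "affected"  # every CentOS 6 / RHEL 6 release is listed as exploitable
    if major == 7:
        if distro == "CentOS":
            return "affected" if build < 1708 else "not-in-affected-range"
        return "affected" if minor < 4 else "not-in-affected-range"
    return "unknown"  # other majors are outside the advisory's stated scope

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "web01": "CentOS Linux release 7.3.1611 (Core)",
    "web02": "CentOS Linux release 7.4.1708 (Core)",
    "db01": "Red Hat Enterprise Linux Server release 7.3 (Maipo)",
    "db02": "Red Hat Enterprise Linux Server release 7.4 (Maipo)",
    "legacy": "CentOS release 6.9 (Final)",
    "jump": "Ubuntu 16.04.3 LTS",
}

def triage_inventory(inventory):
    """Map each host name to its triage result."""
    return {host: triage(release) for host, release in inventory.items()}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
```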

The full advisory from Qualys can be found here: https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt

Now on to Windows Server 2003 R2. Not much of this still around? Since 14 July 2015, this version has no longer received security updates, and as such it is vulnerable to any flaws found since that date. According to Grantek: https://grantek.com/windows-server-2003-still-alive-but-not-well/

There are still around 600,000 IIS 6.0 web servers on 2003 out there facing the Internet, with a vulnerability which allows cybercriminals to generate Monero cryptocoins on these vulnerable servers. The vulnerability CVE-2017-1769 was discovered by Zhiniang Peng and Chen Wu in March 2017. The only solution? Upgrade to a supported version of Windows Server, and patch frequently!

*CVE is the abbreviation for Common Vulnerabilities and Exposures.

Stay safe,
Terry Griffin, DDLS Principal Technologist: Security
