Hello, welcome to the Wednesday, June 19th, 2019 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Washington, D.C.

Quick update on the TCP selective acknowledgement of vulnerability patches should be available now for all the major Linux distributions.

I'm just finishing up a diary post with some more details.

Should be made live early on Wednesday tomorrow.

If you can't apply the patch, then probably do want to make sure that selective

acknowledgments are disabled on your Linux machines. This is also in part

triggered by TCP segment offloading in network cards, which is another feature

that you could consider turning off. Now, when you turned off selective

acknowledgement on your system, make sure it is actually turned off. So take some packet

captures and make sure that in the Syn and Synx, you don't see the Selective Acknowledgement

okay option from the system. I've run into a couple systems

so far that actually needed to be rebooted in order for this change to become effective.

At this point, I have not seen any code actually exploiting this vulnerability, so we probably

still have a little bit time left.

But talking about vulnerabilities that are currently being exploited, Firefox released a critical

patch to Firefox 67.0.3 or 60.7.1. This fixes CVE 2019 11707, type confusion in array. Pop. By manipulating JavaScript objects, according to Firefox, this can be used to exploit Firefox. Now Firefox will crash if it runs into

this vulnerability but apparently this particular issue has already been used in attacks in the

wild so make sure you are updating Firefox today if you are using this browser.

And in a win for the good guys, Bit Defender released a decryptor for all versions of Gant

Crab.

...