Weekly threat roundup: Apple, AMD, and Google

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

‘Unpatchable’ flaws in Apple’s T2 security chip

A certain iteration of Apple’s T2 security-centric co-processing unit is embedded with two critical flaws that can be exploited in combination to grant hackers full access to targeted MacOS devices.

'Checkm8', originally an iPhone vulnerability, and 'Blackbird' can be exploited in the T2 security chips built on Apple’s A10 architecture, present in some, but not the newest, Macs.

The CheckM8 bug allows hackers to circumvent the activation lock, and ‘jailbreak’ targeted devices. Once this happens, the T2 chip would normally exit with a fatal error if it recognised that the Device Firmware Update (DFU) mode was enabled. With the Blackbird exploit, however, hackers are able to bypass this critical security check, and gain full root access to the device.

Alarmingly, according to Iron Peak, the core vulnerability is can't be patched through software updates as the T2 operating system is classed in read-only memory for security reasons. The bugs currently affect Mac devices shipped with Intel CPUs, and may not affect units fitted with Arm-based processors, although there’s no guarantee.

85 flaws in Android and Google Chrome

Google has released patches to fix severe bugs in both its Chrome web browser and its Android operating system this week. The firm fixed 35 flaws in the former, and more than 50 vulnerabilities in the latter.

With the release of Chrome 86, Google has patched a critical flaw in the browser’s payments component, tagged CVE-2020-15967. This is a use-after-free memory corruption vulnerability that would give rise to various problems, including scope for a programme to crash or the execution of arbitrary code.

The pick of the Android flaws, of which 22 were rated critical, includes two escalation of privilege bugs that exist in the core of the operating system. These two, tagged CVE-2020-0215 and CVE-2020-0416, can be exploited remotely by an attacker using a specially crafted transmission.

Common flaws in widely-used anti-malware tools

Cyberark has disclosed a series of vulnerabilities present in the widely-used products developed by many cyber security vendors, including McAfee, Kaspersky, Checkpoint and Fortinet, among others.

These bugs, of which there are at least 12, often allow hackers to execute a privilege escalation attack of the local system, with anit-virus software targeted specifically because of their high privileges. One example of an exploitable flaw is the Shared Log File bug, which is present in Avira’s antivirus software, while another is DLL hijacking, which researchers demonstrated as being exploitable in TrendMicro’s antivirus software

Cyberark has estimated that “probably every Windows machine” has had at least one software that could be abused to gain elevated privileges using file manipulation attacks.

IoT botnet Ttint exploiting unpatched Tenda routers

Attackers are exploiting two flaws in routers manufactured by Tenda to spread a remote access troject (RAT) heavily based on the Mirai malware to create a sophisticated botnet.

Two zero-day flaws tagged as CVE-2018-14558 and CVE-2020-10987, as highlighted by Netlab, are being exploited by the malware to not only create this botnet, but also conduct remote code execution attacks.

In addition to ten distributed denial of service (DDoS) attack instructions, there are also 12 different remote access methods embedded in the RAT, according to analysis. This additional functionality stands it apart from most other botnets.

When running, Ttint deletes its own files, manipulates the watchdog, and prevents an affected route from restarting. The malware also runs on a single instance by binding to the port, and modifies the process name to confuse the user. Neither flaw has been patched to date, Netlab claims.

AMD glitch that could cause BSOD

A denial-of-service vulnerability exists in AMD-manufactured graphics card drivers that may result in a user’s system to crash, and produce the dreaded blue screen of death (BSOD).

The flaw lies in the way a specially-crafted D3DKMTCreateAllocation API request may cause an out-of-bounds read and denial of service, and can be triggered from non-privileged user accounts. Cisco Talos researchers, who discovered the vulnerability, claim an attack can influence the read address when this function is triggered by modifying the payload, and cause such a system crash deliberately.

The bug, tagged as CVE-2020-12911, has been rated 7.1 on the CVSS scale, but won’t be patched until early in the first quarter of 2020.