Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Actively exploited Windows zero-day flaw
Microsoft patched 112 vulnerabilities as part of its routine Patch Tuesday wave of fixes, including an actively exploited zero-day flaw in Windows.
This bug, tagged CVE-2020-17087, was a privilege escalation vulnerability in the Windows Kernel Cryptography Driver (cng.sys), and was successfully exploited in combination with another flaw, tagged CVE-2020-15999. This second bug is a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome.
This bug was being used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system, according to Tenable staff research engineer Satnam Narang, and is the second chained exploit involving Google and Microsoft flaws within a year.
‘Platypus’ Intel CPU side-channel attacks
Security researchers have uncovered a series of vulnerabilities in Intel CPUs, dubbed Platypus, which can be exploited to access sensitive data using power side-channel attacks.
These attacks exploit fluctuations in a device’s power consumption to extract sensitive material including cryptographic keys. These are normally difficult to exploit as they require accurate power measurements, which are hard to secure using just malware and usually require a hacker gaining physical access.
Intel processors were found to be vulnerable to such attacks which could be conducted with unprecedented accuracy, even without physical access. The two approaches include configuring the 'running average power limit' (RAPL) interface to log power consumption without administrative rights, and moving data by misusing Intel’s software guard extensions (SGX) security functions.
Ubuntu 20.04 vulnerable to privilege escalation flaw
GitHub researcher Kevin Blackhouse found flaws in Ubuntu 20.04, now patched, that could have allowed any desktop user to gain root access to the operating system.
Two separate issues may be exploited to allow hackers to escalate user privileges in an “astonishingly straightforward” manner, using a few simple commands in the terminal and a few mouse clicks.
The first element involves exploiting the daemon which manages user accounts, known as AccountsService, while the second element involves a component of the Gnome desktop, which triggers system setup. This would allow somebody running the exploit to create a new user account with root privileges.
Actively exploited Chrome zero-days
Google has patched two zero-day vulnerabilities in its Chrome web browser, representing the fourth and fifth actively exploited flaws to be patched in recent weeks.
The two flaws, tagged CVE-2020-16013 and CVE-2020-16017 respectively, are considered to be highly severe and will be fixed as part of Chrome version 86.0.4240.198 for Windows, Mac, and Linux over the coming days.
The first involves inappropriate implementation in the V8 JavaScript engine, whereas the second is a use-after-free memory corruption flaw located in Site Isolation, a Chrome security feature that isolates websites into sandboxes.
-
Security experts claim the CVE Program isn’t up to scratch anymoreNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
Gartner says 40% of enterprises will experience ‘shadow AI’ breaches by 2030News Staff need to be educated on the risks of shadow AI to prevent costly breaches
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updated
News CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
