IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Weekly threat roundup: Windows, Intel, and Ubuntu

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Actively exploited Windows zero-day flaw

Microsoft patched 112 vulnerabilities as part of its routine Patch Tuesday wave of fixes, including an actively exploited zero-day flaw in Windows.

This bug, tagged CVE-2020-17087, was a privilege escalation vulnerability in the Windows Kernel Cryptography Driver (cng.sys), and was successfully exploited in combination with another flaw, tagged CVE-2020-15999. This second bug is a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome.

This bug was being used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system, according to Tenable staff research engineer Satnam Narang, and is the second chained exploit involving Google and Microsoft flaws within a year.

‘Platypus’ Intel CPU side-channel attacks

Security researchers have uncovered a series of vulnerabilities in Intel CPUs, dubbed Platypus, which can be exploited to access sensitive data using power side-channel attacks.

These attacks exploit fluctuations in a device’s power consumption to extract sensitive material including cryptographic keys. These are normally difficult to exploit as they require accurate power measurements, which are hard to secure using just malware and usually require a hacker gaining physical access.

Intel processors were found to be vulnerable to such attacks which could be conducted with unprecedented accuracy, even without physical access. The two approaches include configuring the 'running average power limit' (RAPL) interface to log power consumption without administrative rights, and moving data by misusing Intel’s software guard extensions (SGX) security functions.

Ubuntu 20.04 vulnerable to privilege escalation flaw

GitHub researcher Kevin Blackhouse found flaws in Ubuntu 20.04, now patched, that could have allowed any desktop user to gain root access to the operating system.

Two separate issues may be exploited to allow hackers to escalate user privileges in an “astonishingly straightforward” manner, using a few simple commands in the terminal and a few mouse clicks.

The first element involves exploiting the daemon which manages user accounts, known as AccountsService, while the second element involves a component of the Gnome desktop, which triggers system setup. This would allow somebody running the exploit to create a new user account with root privileges.

Actively exploited Chrome zero-days

Google has patched two zero-day vulnerabilities in its Chrome web browser, representing the fourth and fifth actively exploited flaws to be patched in recent weeks.

The two flaws, tagged CVE-2020-16013 and CVE-2020-16017 respectively, are considered to be highly severe and will be fixed as part of Chrome version 86.0.4240.198 for Windows, Mac, and Linux over the coming days.

The first involves inappropriate implementation in the V8 JavaScript engine, whereas the second is a use-after-free memory corruption flaw located in Site Isolation, a Chrome security feature that isolates websites into sandboxes.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

What is hacktivism?
hacking

What is hacktivism?

27 May 2022
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers
ransomware

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

26 May 2022