IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Weekly threat roundup: Zero-days in Windows, Adobe, Google Chrome

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

FBI warns against Windows 7 usage following Oldsmar hack

One of the most alarming scares of the week came about in the City of Oldsmar, Florida, in which hackers infiltrated a water treatment facility and jacked the Sodium Hydroxide (NaOH) levels to potentially lethal amounts.

It’s since emerged that they infiltrated the facility thanks to a potent combination of using the now-retired Windows 7 operating system, password-sharing, and use of the remote desktop software TeamViewer without a firewall.

While TeamViewer is itself entirely legitimate and used by businesses for remote IT support, the FBI has warned organisations to stay vigilant of unauthorised remote access to their systems through this service.

Microsoft fixes actively-exploited Windows 10 zero-day

The latest Patch Tuesday round of fixes from Microsoft saw 56 bugs fixed, including a dangerous vulnerability being actively exploited in the wild.

Tracked as CVE-2021-1732, the critical flaw affects the win32k component of Windows 10 and has been exploited in a handful of incidents to escalate privileges on a targeted device. The zero-day vulnerability has been exploited in China by BITTER APT, according to researchers with DBAPPSecurity, allowing hackers to run malicious code on a targeted system having escalated privileges.

This “sophisticated” exploit has been patched alongside ten additional ‘critical’ flaws, 43 ‘important’ bugs, two moderately severe bugs.

Google fixes actively exploited Chrome zero-day

Google has urged Chrome users to upgrade to the latest iteration, version 88.0.4324,150, following reports of a zero-day vulnerability that’s been successfully exploited in the wild.

The update fixed a memory corruption bug in Chome’s V8 JavaScript engine, tagged CVE-2021-21148, which has been actively exploited by attackers. This was reported by a researcher named Mattias Buelens to Google on 24 January.

While the exact attack mechanism hasn’t been disclosed, Microsoft also incidentally warned of North Korean hackers exploiting a Chrome zero-day on 28 January. Google hasn’t tied these two incidents together, although the overwhelming consensus is that they’re linked in some way.

Firefox users could fall victim to $i30 bug

Firefox has also updated its browser to protect users against a Windows 10 drive corruption vulnerability discovered in January that can be triggered by exploiting shortcomings in widely-used web browsers.

Hackers can crash targeted Windows 10 devices by simply getting them to access the $i30 new technology file system (NTFS) attribute through a web browser, according to findings published by security researcher Jonas L.

NTFS corruption could be remotely triggered by accessing “c:\:$i30:$bitmap” through the address bar, according to Tech Radar, before the update, although the issue has been fixed with version 85.0.1. Microsoft is still reportedly working on a core fix, although until this arrives, web browsers will need to individually patch their services to prevent exploitation.

Adobe software zero-day under attack

Adobe has released updates for multiple versions of its Adobe Acrobat and Reader services after receiving reports that attackers have exploited a critical flaw to target Windows users.

Tracked as CVE-2021-21017, the heap-based buffer overflow vulnerability has allowed hackers to conduct remote code execution attacks against victims running affected versions on their Windows machines. Affected software includes Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017, with Mac users also vulnerable.

This bug has been patched alongside 22 other flaws deemed both critical and important as part of Adobe’s Patch Tuesday round of bug fixes. They include information disclosure, arbitrary code execution and privilege escalation vulnerabilities, but have been patched with the latest versions of the affected software.

Critical flaws in Cisco VPN routers for businesses

Related Resource

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

cost of a data breach report 2020 - whitepaper from IBMDownload now

Cisco has patched several critical vulnerabilities in its web-based management platform for internet routers marketed at small businesses. By exploiting these flaws, an attacker could execute arbitrary code remotely as the root user.

The seven critical flaws - tracked as CVE-2021-1289 through to CVE-2021-1295 - exist because HTTP requests are not properly validated, meaning an attacker could send a crafted HTTP request to the web management interface. Successful exploitation could allow an attacker to conduct remote code execution attacks.

Users of Cisco Small Business RV160, RV160W, RV260P and V260W VPN routers are advised to immediately upgrade their software to resolve any potential issues.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022
CIAM buyer’s guide
Whitepaper

CIAM buyer’s guide

6 Jun 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Delivery firm Yodel disrupted by cyber attack
cyber attacks

Delivery firm Yodel disrupted by cyber attack

21 Jun 2022
Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022