Weekly threat roundup: SolarWinds-style hack, macOS Big Sur, Telegram

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Irretrievable data loss in macOS Big Sur

Apple has patched a programming bug in its flagship macOS Big Sur operating system that could lead to users being locked away from their data during a major software upgrade.

Usually, before any Mac device undergoes a significant OS update, the installation software performs a check for how much free hard disk space is available. In versions 11.2 and 11.3 of Big Sur, however, the check didn’t work as intended, according to Mr Macintosh, meaning the upgrade started even if users only had a few megabytes of space remaining.

The installer would eventually get stuck in a boot loop as it tried and failed to complete the installation. For users with Mac devices fitted with the T2 security chip and FileVault 2 encryption enabled, the problem was made worse, as this potent combination would permanently lock them out of their hard disk due to a failure to accept correct passwords in the recovery prompts following the installation process.

Centreon hit by SolarWinds-style supply-chain attack

French authorities have uncovered a wide-reaching supply-chain attack targeting several major organisations by hackers who compromised Centreon, an enterprise IT platform.

Centreon describes itself as a firm offering IT monitoring services that provide visibility to complex IT workflows from the cloud to the edge, with its customers including Airbus and Orange. The ANSSI cyber security agency claimed the hackers mainly targeted IT providers, and web hosting companies specifically.

The attack, which bears striking similarities to the devastating SolarWinds attack disclosed a few months ago, was orchestrated by alleged Russian cyber criminals, based on early evidence uncovered by investigators. One backdoor, for example, was identical to the Exaramel backdoor previously linked with the Russian TeleBots threat group.

Telegram patches major security holes

More than a dozen major vulnerabilities that could be triggered by remote hackers were fixed in the Telegram messaging service last year, according to a security researcher.

These 13 memory corruption flaws could have allowed attackers to send malicious animated stickers to users in order to gain access to their private messages, photos and video clips, if successfully exploited.

The leading WhatsApp alternative has now fixed all 13 flaws identified by the vulnerability researcher known as Polict, in three updates released across September and October for the Android, iOS, and macOS apps.

QNAP’s Surveillance Station vulnerable to exploitation

QNAP has patched a critical security flaw in its Surveillance Station app that, if exploited, could allow hackers to execute malicious code remotely on network-attached storage (NAS) devices running the software.

This app functions as a surveillance management system and can connect with up to 12 internet protocol (IP) cameras. However, It was found to be embedded with a stack-based buffer overflow vulnerability tracked as CVE-2020-2501, that meant NAS devices managed by the app were vulnerable to remote attack.

QNAP has now patched this bug, alongside fixing a separate cross-site scripting (XSS) flaw in its Photo Station app. This XSS flaw, which could’ve allowed hackers to inject malicious code into the service, was tagged CVE-2020-2502 and rated ‘medium’ in severity.