IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Weekly threat roundup: SolarWinds-style hack, macOS Big Sur, Telegram

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Irretrievable data loss in macOS Big Sur

Apple has patched a programming bug in its flagship macOS Big Sur operating system that could lead to users being locked away from their data during a major software upgrade.

Usually, before any Mac device undergoes a significant OS update, the installation software performs a check for how much free hard disk space is available. In versions 11.2 and 11.3 of Big Sur, however, the check didn’t work as intended, according to Mr Macintosh, meaning the upgrade started even if users only had a few megabytes of space remaining.

The installer would eventually get stuck in a boot loop as it tried and failed to complete the installation. For users with Mac devices fitted with the T2 security chip and FileVault 2 encryption enabled, the problem was made worse, as this potent combination would permanently lock them out of their hard disk due to a failure to accept correct passwords in the recovery prompts following the installation process.

Centreon hit by SolarWinds-style supply-chain attack

French authorities have uncovered a wide-reaching supply-chain attack targeting several major organisations by hackers who compromised Centreon, an enterprise IT platform.

Centreon describes itself as a firm offering IT monitoring services that provide visibility to complex IT workflows from the cloud to the edge, with its customers including Airbus and Orange. The ANSSI cyber security agency claimed the hackers mainly targeted IT providers, and web hosting companies specifically.

The attack, which bears striking similarities to the devastating SolarWinds attack disclosed a few months ago, was orchestrated by alleged Russian cyber criminals, based on early evidence uncovered by investigators. One backdoor, for example, was identical to the Exaramel backdoor previously linked with the Russian TeleBots threat group.

Telegram patches major security holes

More than a dozen major vulnerabilities that could be triggered by remote hackers were fixed in the Telegram messaging service last year, according to a security researcher.

These 13 memory corruption flaws could have allowed attackers to send malicious animated stickers to users in order to gain access to their private messages, photos and video clips, if successfully exploited.

The leading WhatsApp alternative has now fixed all 13 flaws identified by the vulnerability researcher known as Polict, in three updates released across September and October for the Android, iOS, and macOS apps.

QNAP’s Surveillance Station vulnerable to exploitation

QNAP has patched a critical security flaw in its Surveillance Station app that, if exploited, could allow hackers to execute malicious code remotely on network-attached storage (NAS) devices running the software.

This app functions as a surveillance management system and can connect with up to 12 internet protocol (IP) cameras. However, It was found to be embedded with a stack-based buffer overflow vulnerability tracked as CVE-2020-2501, that meant NAS devices managed by the app were vulnerable to remote attack.

QNAP has now patched this bug, alongside fixing a separate cross-site scripting (XSS) flaw in its Photo Station app. This XSS flaw, which could’ve allowed hackers to inject malicious code into the service, was tagged CVE-2020-2502 and rated ‘medium’ in severity.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Swift exit: How the world cut off Russian banks

Swift exit: How the world cut off Russian banks

24 Jun 2022