Weekly threat roundup: Microsoft Exchange, Chrome, Spectre
Pulling together the most dangerous and pressing flaws that businesses need to patch


Patch management is far easier said than done, and security teams are often forced to prioritise between fixes for several business-critical systems that all land at once. It has become typical, for example, for dozens of patches to ship on Microsoft’s Patch Tuesday, with other vendors routinely releasing their own fixes on the same day.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including a summary of how each flaw is exploited and whether it is being exploited in the wild, to give teams a sense of which bugs pose the most dangerous immediate risk.
Four exploited zero-days in Microsoft Exchange Server
State-backed hackers operating out of China are actively exploiting four critical zero-day vulnerabilities in Microsoft’s Exchange mail servers.
The vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, affect on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.
Microsoft says the attackers chain the four flaws together, and that the first link in the chain requires the ability to make an untrusted connection to port 443 on the Exchange server. Businesses can therefore blunt the attack by placing the server behind a VPN so it is not reachable from the internet, or by restricting port 443 to trusted sources.
This only closes the entry point: an attacker who already has a foothold, or who can reach the server through another route, can still trigger the remaining flaws in the chain, and patching does not evict anyone who got in before the fix was applied. Microsoft has therefore advised businesses to update their Exchange Server installations immediately and to check for signs of prior compromise.
Google fixes actively exploited Chrome flaw
Google has patched a series of flaws in its Chrome browser, including the high-severity CVE-2021-21166, described as an “object lifecycle issue in audio”, which Google says is being exploited in the wild.
This is the fifth actively exploited vulnerability disclosed this week, after the four Exchange flaws, and was fixed alongside 32 other Chrome flaws in version 89.0.4389.72 of the browser. These included eight high-risk vulnerabilities.
The flaw was reported by Alison Huffman of Microsoft Browser Vulnerability Research, who also reported two further high-risk flaws, CVE-2021-21165 and CVE-2021-21163. The former was likewise described as an “object lifecycle issue in audio”, while the latter involved “insufficient data validation in Reader Mode”.
Malicious code found in JavaScript repositories
Attackers have published malicious packages to the npm JavaScript registry that can steal password files from Linux and Unix systems.
According to researchers at Sonatype, the malicious “dependency confusion” packages are disguised as legitimate packages in the npm open source ecosystem used by software developers across the world.
The packages are deliberately given the names of private repositories, namespaces, or components that companies such as Amazon, Zillow, Lyft, and Slack use internally. Examples include ‘amzn’, ‘zg-rentals’, ‘lyft-dataset-sdk’, and ‘serverless-slack-app’.
The attack works because a build that references an internal package by its bare name will pull a public package of the same name if the package manager resolves it against the public registry, typically because the public copy carries a higher version number. Once the package is installed, its install script runs and can exfiltrate data: the malicious ‘amzn’ package, for example, contained code to read /etc/shadow, the file that holds hashed password data on Linux systems.
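The following added example, which is not code from the article or from Sonatype, shows the check a development team can run against its own manifests: it parses a package.json and .npmrc, flags any internal package that is declared by an unscoped name (and so would resolve through the public registry), and proposes the scope-and-registry binding that removes the exposure. The package names, the registry hostname npm.internal.example.com, the @acme scope and the list of internal packages are all constructed for the demo.

```javascript
// Added example, not code from the article or from Sonatype: audit a project's
// package.json and .npmrc for dependency-confusion exposure. The package names,
// registry hosts, the @acme scope and the internal-package list are constructed.

// Constructed package.json: an internal service mixing public and private packages.
const samplePackageJson = JSON.stringify({
  name: "internal-billing-service",
  dependencies: {
    express: "^4.17.1",
    amzn: "^1.0.0",
    "lyft-dataset-sdk": "^2.3.0",
    "zg-rentals": ">=1.0.0",
    "@acme/internal-auth": "^1.4.2",
    "@acme/telemetry": "^0.9.0",
  },
  devDependencies: { jest: "^26.6.0" },
});

// Constructed .npmrc: the default registry is public npm and only the @acme scope
// is bound to the private registry (the hostname is an assumption).
const sampleNpmrc = [
  "registry=https://registry.npmjs.org/",
  "@acme:registry=https://npm.internal.example.com/",
  "//npm.internal.example.com/:_authToken=${NPM_TOKEN}",
].join("\n");

// Names the organisation actually publishes to its private registry (constructed).
const internalPackages = new Set([
  "amzn", "lyft-dataset-sdk", "zg-rentals", "@acme/internal-auth", "@acme/telemetry",
]);

// Minimal .npmrc parser: returns the default registry plus per-scope registry bindings.
function parseNpmrc(text) {
  const scopes = new Map();
  let defaultRegistry = "https://registry.npmjs.org/";
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") defaultRegistry = value;
    else if (key.startsWith("@") && key.endsWith(":registry")) {
      scopes.set(key.slice(0, -":registry".length), value);
    }
  }
  return { defaultRegistry, scopes };
}

const isPublicNpm = (url) => /registry\.npmjs\.org/i.test(url);

// Classify every declared dependency that is meant to come from the private registry.
//  "confusable":    unscoped name, resolved through the default registry, so a public
//                   package of the same name whose version satisfies the range wins.
//  "unbound-scope": scoped, but the scope is not bound to a private registry in .npmrc.
//  "ok":            scoped and pinned to a non-public registry.
function auditDependencies(packageJsonText, npmrcText, internalNames) {
  const pkg = JSON.parse(packageJsonText);
  const { defaultRegistry, scopes } = parseNpmrc(npmrcText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!internalNames.has(name)) continue;
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    let status;
    if (scope === null) status = "confusable";
    else if (!scopes.has(scope) || isPublicNpm(scopes.get(scope))) status = "unbound-scope";
    else status = "ok";
    const registry = scope !== null && scopes.has(scope) ? scopes.get(scope) : defaultRegistry;
    findings.push({ name, range, scope, registry, status });
  }
  return findings;
}

// Suggested fix: move the package under a private scope and bind that scope to the
// internal registry, so a public lookalike can never be selected for it.
function suggestFix(finding, privateScope, privateRegistry) {
  if (finding.status === "ok") return null;
  const scopeToBind = finding.scope === null ? privateScope : finding.scope;
  return {
    rename: finding.scope === null ? `${finding.name} -> ${privateScope}/${finding.name}` : null,
    npmrcLine: `${scopeToBind}:registry=${privateRegistry}`,
  };
}

function runAudit() {
  const findings = auditDependencies(samplePackageJson, sampleNpmrc, internalPackages);
  for (const f of findings) {
    const fix = suggestFix(f, "@acme", "https://npm.internal.example.com/");
    const advice = fix ? `  fix: ${fix.rename ? fix.rename + "; " : ""}add "${fix.npmrcLine}" to .npmrc` : "";
    console.log(`${f.status.padEnd(14)} ${f.name}@${f.range} via ${f.registry}${advice}`);
  }
  return findings;
}

runAudit();
```

Run with `node audit.js`. The three unscoped internal names come back as confusable, while the two @acme packages are accepted because the scope is pinned to the private registry. Note that version pinning alone is not the fix: a public package can always be published at whatever version the range accepts, which is why the suggested remedy is a private scope bound to the private registry.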
New Spectre exploits uploaded for Windows and Linux
Working exploits targeting the infamous Spectre vulnerability on Linux and Windows operating systems were recently uploaded to the VirusTotal platform.
The four-stage exploit can be run on systems that haven’t been patched against the three-year-old vulnerability to steal data, including sensitive files and passwords. A report published by researcher Julien Voisin said that an unprivileged user can use it to extract password files from a target device, as well as authentication tickets that can be used to escalate privileges.
The Spectre flaw targeted here, tracked as CVE-2017-5753 (Spectre variant 1, the bounds-check bypass), was discovered by Google Project Zero researchers, among others, alongside Meltdown. It is a hardware-level vulnerability affecting most modern processors. Manufacturers and software vendors have since shipped microcode and software mitigations, but devices that haven’t been patched remain vulnerable to attack.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.