Weekly threat roundup: Fortinet, Apple Mail, AMD Zen 3 CPUs

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Three Fortinet’s FortiOS vulnerabilities under attack

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert last week warning businesses that hackers are scanning vulnerable Fortinet systems to gain access to corporate networks.

FortiOS, the software powering Fortinet’s security products, is embedded with three flaws tracked as CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. Although all three have been patched in the past, security agencies have recently detected an uptick in the number of cyber criminals exploiting them, largely because a handful of organisations have not yet applied the fixes.

The first and second flaws, each rated 9.8 on the CVSS threat severity scale, are a path traversal vulnerability and improper authentication issue, both affecting the FortiOS SSL VPN component. Hackers can exploit these bugs to download system files through HTTP requests, and also log in without being prompted for two-factor authentication (2FA) if they change the case of the username. The third is a default configuration issue in FortiOS 6.2.0, which can allow attackers to intercept sensitive data.

Zero-click Apple Mail flaw allows email spying

A vulnerability in Apple’s macOS Mail app could allow an attacker to add or modify any file inside its sandbox environment, opening the door for a range of attacks including information disclosure and account takeover.

The now-patched flaw, tracked as CVE-2020-9922, could be triggered without any user action, according to researcher Mikko Kenttala. The Mail app has a feature that lets it uncompress attachments that may have been automatically compressed by another Mail user. If an attacker sends an email with a malicious .ZIP file attached, for example, Mail’s tendency to automatically uncompress these files exposes the user to potential harm.

Although he only disclosed the flaw recently, Kenttala discovered the bug several months ago before informing the developer. Apple then patched the flaw in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, and macOS Catalina 10.15.5.

Wormable Android malware spreading through WhatsApp texts

A new strain of malware affecting Android smartphones is spreading itself between devices through fake WhatsApp messages.

Hidden in a fake application on the Google Play store called ‘FlixOnline’, this malware strain can automatically reply to a victim’s incoming WhatsApp messages with a malicious payload, should the user grant the fake app the right permissions. This method, according to Check Point Research, is unique and could allow hackers to distribute phishing attacks, spread false information, or steal credentials from users’ WhatsApp accounts.

The fake app claims to allow users to view Netflix content from anywhere in the world, although, in reality, it monitors users’ WhatsApp notifications and sends automatic replies which are embedded with content received from the C&C server. Because it’s wormable, it can spread without user interaction.

The researchers have warned users to be wary of downloading attachments, even if they come from trusted sources.

AMD Zen 3 CPUs embedded with Spectre-like vulnerability

The chipmaking giant AMD has warned users of a potentially significant flaw embedded in its Zen 3 processors that resembles the Spectre issue that infamously plagued Intel CPUs.

The side-channel attack centres on a technology known as Predictive Store Forwarding (PSF), which improves code execution performance by predicting the relationship between loads and stores. This is mostly accurate, although occasional miscalculations mean that software relying on sandboxing is at risk. This could open the door for side-channel attacks as we’ve seen in the past with Spectre and Meltdown flaws found in Intel CPUs.

The risk is low, AMD claims, and it hasn’t seen any code that’s considered vulnerable, nor has it seen any reported cases of an exploit. AMD recommends leaving PSF on as it improves the performance of its Zen 3 CPUs, although customers who do run software that relies on sandboxing can disabling PSF should they choose to.