Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, we have collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Microsoft patches three zero-days
A zero-day flaw in the beleaguered Exchange Server platform was among the 55 vulnerabilities Microsoft fixed as part of its latest Patch Tuesday round of security updates.
The flaw, tracked as CVE-2021-31207, is present in the same platform that was at the heart of a devastating supply chain attack earlier in the year, although it hasn’t yet been exploited by cyber criminals. It’s described as a security feature bypass flaw and was discovered as part of last month’s Pwn2Own contest.
This has been fixed alongside two other zero-day vulnerabilities. These are an elevation of privilege flaw in .NET and Visual Studio, tagged CVE-2021-31204, and a remote code execution flaw in Microsoft's Common Utilities component, tagged CVE-2021-31200.
Adobe fixes Reader bug under attack
Adobe’s Patch Tuesday included multiple fixes for 12 different products, including a zero-day flaw in Adobe Reader that’s under attack.
CVE-2021-28550, in Adobe Reader, is a user after free bug that has led to reports of remote code execution attacks against Windows users. However, the bug also affects Adobe deployments on macOS machines, although exploitation hasn’t yet been detected. This vulnerability was fixed alongside bugs in Adobe Experience Manager, InDesign, InCopy, Genuine Service, Acrobat, Magento, Media Encoder, After Effects, Medium, Animate, and the Creative Cloud Desktop.
Of the 14 flaws, 11 could have been exploited to launch remote code execution attacks, while the other three were described as a memory leak, arbitrary file system read and privilege escalation flaw.
RELATED RESOURCE
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email security
WordPress patches critical object injection flaw
WordPress has fixed a critical vulnerability with version 5.7.2 that’s been described as an object injection flaw in PHPMailer, which is a code library used to send emails using PHP code from a web server.
Rated 9.8 on the CVSS threat severity scale, the flaw, known as CVE-2020-36326, could have allowed an attacker to perform a variety of attacks, such as code injection, SQL injection and denial of service. This would have put many websites at risk of compromise.
For WordPress users who haven’t updated to 5.7, all versions since 3.7 have also been updated automatically to fix the security flaw.
“Frag attacks” targeting Wi-Fi devices
Millions of Wi-Fi devices manufactured over the last 20 years are embedded with vulnerabilities that hackers can exploit to steal data or take control of smart home devices.
According to security researcher Mathy Vanhoef, “frag attacks” are present in the Wi-Fi Protected Access 3 (WPA3) protocol, which is the most up-to-date Wi-Fi security protocol available. To exploit the collection of design flaws, an attacker within radio range of a targeted device can inject frames into a protected network, which can be abused to intercept traffic, by, for instance, tricking the user into using a malicious DNS server.
There are 12 vulnerabilities in total. Vanhoef has informed the Wi-Fi Alliance of his discovery of these “frag attacks., and device manufacturers are now developing fixes, according to the Industry Consortium for Advancement of Security on the Internet (ICASI).
-
How the UK is leading Europe at AI-driven manufacturingIn-depth A new report puts the country on top of the charts in adopting machine learning on the factory floor in several critical measures
-
US data center power demand forecast to hit 106GW by 2035, report warnsNews BloombergNEF research reveals a sharp 36% jump in energy forecasts as "hyperscale" projects reshape the American grid
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
