Weekly threat roundup: Apple's M1 chip, VMware, Trend Micro

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It's become typical, for example, to expect dozens of patches to be released on Microsoft's Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Apple's M1 chip affected by hardware-level flaw

The flagship M1 CPU developed by Apple contains a vulnerability that allows any two apps running under an operating system (OS) to covertly exchange data with each other.

Tracked as CVE-2021-30747, the flaw is baked into the hardware, meaning it cannot be fixed without changing the chip technology. It allows communication between processes running as different users and under different privilege levels. 

The vulnerability isn't easily exploited, and malware cannot use this to infect machines or take over systems. It does, however, give strains of malware already installed on computers additional capabilities, such as communication with other strains. 

Practically, however, it's unlikely cyber criminals can develop mechanisms to exploit the bug, according to Hector Martin, the researcher who discovered it, with advertising companies more likely to be inclined to abuse it for cross-app tracking purposes.

VMware advises immediate patching of vCenter systems

Ransomware gangs are primed to exploit two vulnerabilities in VMware's vCenter Server platform, according to the company, with hackers able to abuse the flaws to launch remote code execution attacks.

The more severe bug of the pair, tracked as CVE-2021-21985, lies in the vSphere Client and involves a lack of input validation in the Virtual SAN Health Check plugin, which is enabled in the system by default. This plugin allows customers to manage their virtual deployments and includes dozens of automated health checks.

It's rated 9.8 on the CVSS threat severity scale, out of ten, meaning its effects are particularly devastating and it's relatively straightforward to exploit. Hackers with network access to port 443 will be able to execute commands with unrestricted privileges on the OS that hosts vCenter Server.

The second flaw, tracked as CVE-2021-21986, is less severe but also allows hackers with network access to port 443 on vCenter Server to perform actions allowed by various plugins without authentication. These comprise the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plugins.

Bluetooth bug allows hackers to mimic devices

Cyber criminals can exploit flaws in Bluetooth Core and Mesh Profile Specifications to disguise themselves as legitimate devices and execute man-in-the-middle attacks.

The fresh wave of flaws, discovered by researchers at the French security agency known as Agence nationale de la sécurité des systèmes d'information (ANSSI), allows impersonation attacks and AuthValue disclosures.

The discovery of six flaws, CVE-2020-26555 through CVE-2020-26560, builds on previously discovered vulnerabilities which could have been exploited in so-called 'Bluetooth Impersonation Attacks' (BIAS).

They allow hackers to impersonate a device and establish a secure connection with a victim without possessing the long-term key shared by the impersonated device and the victim. It effectively bypasses the authentication mechanism.

Apple fixes three macOS flaws under attack

Apple has issued a patch to fix several vulnerabilities across its various operating systems, including a macOS Big Sur zero-day flaw that's under attack.

Tracked as CVE-2021-30713, the flaw lies in Apple's Transparency, Consent and Control (TCC) framework, which manages user consent for permissions across local apps. Hackers can exploit the flaw to gain permissions for malicious apps, granting access to the hard drive and to screen recording, which could allow them to take screenshots of infected machines. 

While Apple declined to share the exploit mechanism, security firm Jamf has identified that the malware known as XCSSET is currently abusing the flaw.

Alongside this flaw, Apple has patched CVE-2021-30663 and CVE-2021-30665, both lying in the WebKit browser engine in Safari and Apple TV, and both under attack. They can each be exploited to launch remote code execution attacks.

Trend Micro home network security allows PC takeover

Researchers have discovered flaws in Trend Micro's Home Network Security Station that could let attackers launch denial of service (DoS) attacks, escalate user privileges and levy remote code execution attacks.

This is a device that plugs into home routers in order to prevent internet of things (IoT) devices from being hacked. The first two flaws lead to privilege escalation, while the third is a hard-coded password flaw. 

Three security vulnerabilities in the platform, tracked as CVE-2021-32457 through CVE-2021-32459, can be exploited to infiltrate home networks. Specifically, hackers can exploit the first two bugs to elevate permissions on the targeted device. The third flaw stems from a set of hard-coded credentials on the device, which an attacker could exploit to create files, change permissions and upload arbitrary data to an SFTP server.
