Weekly threat roundup: Microsoft Teams, iOS, Samsung Galaxy
Pulling together the most dangerous and pressing flaws that businesses need to patch
Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Zero-day allowed hackers to steal files from Microsoft Teams
A vulnerability in the Microsoft Power Apps service on Microsoft Teams can be exploited by an attacker to gain persistent read/write access to a victim’s email, Teams chats, OneDrive storage, SharePoint, and a host of other services.
The server-side vulnerability, which has now been patched, affects Power Apps, a service that allows businesses to create specific use-cases on Microsoft products to suit their own needs.
These applets would manifest as tabs. Hackers could exploit the flaw by setting up a malicious tab which, when opened by the victim, would grant the attacker access to private communications and files.
According to Evan Grant, a research engineer at Tenable, the attacker could also disguise themselves as a victim and send emails and messages on their behalf, allowing them to conduct further social engineering attacks.
Hackers exploit WebKit Engine flaws in iOS
Apple released an emergency update for iOS 12 this week after revealing that hackers had exploited two zero-day flaws to launch remote code execution attacks on devices hosting the operating system.
The flaws, tracked as CVE-2021-30761 and CVE-2021-30762, lie in the open source WebKit browser rendering engine. This is used to power the Safari web browser, as well as various iOS, macOS, watchOS, and Apple TV apps and services.
The first is a memory corruption issue, while the second is a use-after-free bug, and they have been fixed with “improved state management” and “improved memory management” respectively in iOS 12.5.3.
These are just the latest flaws to affect the WebKit browser engine that hackers have successfully exploited since the start of the year. In total, Apple has patched seven WebKit-related flaws since January 2021.
Supply chain bug in connected cameras
A widely used software development kit (SDK) in IoT-enabled cameras, developed by ThroughTek, is embedded with a flaw that has exposed swathes of industrial hardware to potential cyber attacks.
The vulnerability in ThroughTek’s P2P SDK, which is used to provide remote access to audio or video feeds over the internet, can grant hackers access to media feeds as well as sensitive data. Cyber criminals could also exploit the flaw, rated 9.1 out of ten on the CVSS threat severity scale, to spoof devices and hijack their certificates.
The vulnerable SDK is used by multiple camera vendors and is deployed in many CCTV systems, as well as IoT devices like baby monitors. Nozomi Networks researchers discovered the flaw, and reported it to ThroughTek in line with the firm’s disclosure policy.
Although ThroughTek has updated its SDK to remove the flaw, IoT devices made by customers that haven’t updated their SDKs will still be vulnerable. The severity of the bug, and likelihood of exploitation, has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert to businesses with guidance on how to mitigate against attacks.
Samsung phones vulnerable to takeover
Pre-installed apps bundled with Samsung Galaxy smartphones were embedded with seven vulnerabilities that could have allowed hackers to access sensitive data and take over control of the device.
The seven flaws, discovered by Oversecured, were found in Knox Core, Managed Provisioning, Secure Folder, SecSettings, Samsung DeX System UI, Telephony UI, and PhotoTable. If exploited, the bugs could allow cyber criminals to edit contacts, calls, and text messages, while breaching an unpatched device could also let hackers install malicious apps with administrative rights, and change the device’s default settings.
Samsung updated the software for all affected apps, which users need to apply as soon as possible if they haven’t done so already, although the firm wouldn’t reveal which devices could be exploited.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.