Weekly threat roundup: Windows, Chrome, VMware

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It's become typical, for example, to expect dozens of patches to be released on Microsoft's Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Patch available for Chrome zero-day under attack

Google has fixed a vulnerability tracked as CVE-2021-30551, the sixth flaw in Chrome that's been exploited in 2021 so far.

The company has disclosed few details about the vulnerability, but it's been described as a type confusion flaw in the open source and C++ WebAssembly and JavaScript engine, V8. The same hackers exploiting this vulnerability, according to Project Zero researcher Shane Huntley, are also exploiting a Windows zero-day flaw also fixed by Microsoft this week. 

Version 91.0.4472.101 of Chrome for Windows, Mac, and Linux is built to fix 14 different vulnerabilities, including the aforementioned bug that's been exploited.

Microsoft fixes 50 bugs in latest Patch Tuesday

Microsoft's latest round of Patch Tuesday vulnerability fixes has addressed 50 flaws, including six zero-days that are under attack.

The vulnerabilities that hackers are exploiting are CVE-2021-33742, CVE-2021-33739, CVE-2021-31199, CVE-2021-31201, CVE-2021-31955, and CVE-2021-31956.

Related Resource

NETSCOUT threat intelligence report

Cyber crime: Exploiting a pandemic

Threat intelligence report - whitepaper from NETSCOUTDownload now

The most severe, CVE-2021-33739, is described as an elevation of privilege flaw in Microsoft Desktop Window Manager Core Library and is rated 8.4 on the CVSS threat severity scale.

Both CVE-2021-31199 and CVE-2021-31201, meanwhile, are described as elevation of privilege flaws in the Microsoft Enhanced Cryptographic Provider component. These are both rated a modest 5.2 on the CVSS threat severity scale, but are nonetheless being used in attacks.

Details behind these exploits are scarce, but CVE-2021-33742, a remote code execution flaw in Windows MSHTML Platform, is being exploited by a commercial exploit company to target nation states in Eastern Europe and the Middle East.

'Mystery' malware steals 26 million passwords

Researchers with NordLocker have discovered that a massive 1.2TB trove of data containing login credentials, browser cookies, autofill data, and payment information has been stolen by an unknown malware strain.

A hacking group accidentally revealed the location of a database in which countless sensitive credentials and other data have been harvested from 3.2 million Windows devices. This data was collected by an unidentified malware strain between 2018 and 2020, with 400 million of the two billion cookies still valid at the time the database was discovered.

The cache also includes six million files taken from Desktop and Downloads folders, three million text files, 900,000 image files, and 600,000 Word files. The malware also generated screenshots to reveal the spread of illegal software, as well as photographs of a user if the device had a webcam.

The researchers have recommended that people refrain from using web browsers to store sensitive information, and instead adopt a dedicated password manager. Deleting cookies should also be a monthly habit, as well as not installing software from peer-to-peer networks.

Unpatched VMware deployments under attack

Cyber criminals are attempting to exploit a remote code execution flaw in VMware vCenter Server and VMware Cloud Foundation, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability is tracked as CVE-2021-21985, and involves a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default in the system. The vSAN system is a software-defined storage platform that's used to eliminate the need for additional storage boxes using local server storage. The plugin allows users to run automated maintenance and various health checks.

Although VMware issued a patch for this flaw weeks ago, lackadaisical patching on the part of customers may lead to exploitation should detected attempts be successful, according to a warning issued by the agency.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Ransomware criminals look to other hackers to provide them with network access
ransomware

Ransomware criminals look to other hackers to provide them with network access

17 Jun 2021
FBI still frowns on ransomware payments
ransomware

FBI still frowns on ransomware payments

11 Jun 2021
Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw
zero-day exploit

Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw

9 Jun 2021

Most Popular

Q&A: Enabling transformation
Sponsored

Q&A: Enabling transformation

10 Jun 2021
OnePlus 9 Pro review: An instant cult classic
Hardware

OnePlus 9 Pro review: An instant cult classic

7 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021