Patch management is much easier said than done, and security teams are often forced to prioritize patches for multiple business-critical systems that are all released at the same time. It has become common, for example, to expect dozens of fixes to be released on Microsoft’s Patch Tuesday, with other vendors also regularly getting in on the act.
Below, we’ve rounded up the most urgent disclosures from the past seven days, including details such as a summary of the exploitation mechanism and whether the vulnerability is being exploited in the wild. This is to give teams an idea of the bugs and flaws that could pose the most dangerous immediate security risks.
Microsoft fixes three zero days
A zero-day flaw in the besieged Exchange Server platform was among 55 vulnerabilities Microsoft corrected in its latest round of Patch Tuesday security updates.
The flaw, tracked as CVE-2021-31207, is present on the same platform that was at the heart of a devastating supply chain attack earlier in the year, although it has yet to be exploited by cybercriminals. It is described as a security feature bypass flaw and was discovered at the Pwn2Own contest last month.
This flaw was fixed alongside two other zero-day vulnerabilities: an elevation of privilege vulnerability in .NET and Visual Studio, labeled CVE-2021-31204, and a remote code execution vulnerability in Microsoft’s Common Utilities component, labeled CVE-2021-31200.
Adobe fixes Reader bug under attack
Adobe’s Patch Tuesday included several fixes for 12 different products, including a zero-day flaw in Adobe Reader that is under attack.
CVE-2021-28550, in Adobe Reader, is a use-after-free bug that has led to reports of remote code execution attacks against Windows users. The bug also affects Adobe deployments on macOS machines, although exploitation there has not yet been detected. This vulnerability was fixed alongside bugs in Adobe Experience Manager, InDesign, InCopy, Genuine Service, Acrobat, Magento, Media Encoder, After Effects, Medium, Animate, and Creative Cloud Desktop.
Of the 14 flaws, 11 could have been exploited to launch remote code execution attacks, while the other three were described as a memory leak, an arbitrary file system read, and a privilege escalation flaw.
WordPress fixes a critical object injection flaw
With version 5.7.2, WordPress fixed a critical vulnerability described as an object injection flaw in PHPMailer, a code library used to send emails using PHP code from a web server.
Rated 9.8 on the CVSS Threat Severity Scale, the flaw, known as CVE-2020-36326, could have allowed an attacker to carry out various attacks, such as code injection, SQL injection and denial of service. This would have put many websites in danger of compromise.
For WordPress users who haven’t updated to 5.7, all versions since 3.7 have also been updated automatically to fix the security vulnerability.
“Frag attacks” targeting Wi-Fi devices
Millions of Wi-Fi devices manufactured over the past 20 years are embedded with vulnerabilities that hackers can exploit to steal data or take control of smart home devices.
According to security researcher Mathy Vanhoef, “frag attacks” are present in the Wi-Fi Protected Access 3 (WPA3) protocol, which is the most recent Wi-Fi security protocol available. To exploit the design flaws, an attacker within radio range of a targeted device can inject frames into a protected network, which can be misused to intercept traffic, for example by tricking the user into using a malicious DNS server.
There are 12 vulnerabilities in total. Vanhoef has informed the Wi-Fi Alliance of his discovery of these “frag attacks,” and device makers are developing fixes, according to the Industry Consortium for the Advancement of Internet Security (ICASI).