Security News > 2021 > April > Microsoft Warns of 25 Critical Vulnerabilities in IoT, Industrial Devices

Security researchers at Microsoft are warning the industry about 25 as-yet undocumented critical memory-allocation vulnerabilities across a number of vendors' IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash.

Dubbing the newly discovered family of vulnerabilities "BadAlloc," Microsoft's Section 52-which is the Azure Defender for IoT security research group-said the flaws have the potential to affect a wide range of domains, from consumer and medical IoT devices to industry IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center.

"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations," according to the report.

As IoT and OT devices are highly pervasive, "These vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds," researchers observed.

If administrators running networks on which affected devices are present can't apply patches to fix the problem, the CISA and Microsoft have recommended other mitigations.

Microsoft recommends similar mitigations but also suggested that administrators implement more careful and continuous monitoring of devices on networks "For anomalous or unauthorized behaviors, such as communication with unfamiliar local or remote hosts."

News URL

https://threatpost.com/microsoft-warns-25-critical-iot-industrial-devices/165752/