Security News
A strong case can be made that shoring up defenses requires "Automating out" the weakest link - i.e., humans - from any cloud that companies are entrusting with their data. In "Automating out the weak link," the ability of superusers or IT administrators - or of bad actors who have gained access to valid admin credentials - to manually interfere with sensitive data becomes non-existent, because human interaction is eliminated.
Today, Apple released security updates that fix two actively exploited iOS zero-day vulnerabilities in the WebKit engine, which hackers have used to attack iPhones, iPads, iPods, macOS, and Apple Watch devices. "Apple is aware of a report that this issue may have been actively exploited," the company said in multiple security advisories published today.
Security researchers at Microsoft are warning the industry about 25 as-yet undocumented critical memory-allocation vulnerabilities across a number of vendors' IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash. Dubbing the newly discovered family of vulnerabilities "BadAlloc," Microsoft's Section 52, which is the Azure Defender for IoT security research group, said the flaws have the potential to affect a wide range of domains, from consumer and medical IoT devices to industry IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center.
The Internet Systems Consortium has released updates for the BIND DNS software to patch several vulnerabilities that can be exploited for denial-of-service attacks, one of which can possibly even be exploited for remote code execution. Only servers using a certain feature with non-default configurations are vulnerable to attacks, but ISC suggested these types of servers may not be uncommon.
Anastasia Malashina, a doctoral student at HSE University, has proposed a new method to assess vulnerabilities in encryption systems, which is based on a brute-force search of possible options of symbol deciphering. To avoid hacks, it is necessary to reinforce the cipher protection from leaks and to test encryption systems for vulnerabilities.
Cisco this week released patches for multiple vulnerabilities in Firepower Threat Defense software, including high-severity issues that could be exploited for arbitrary command execution or denial-of-service attacks. An attacker able to abuse it may execute arbitrary commands as root on the underlying OS. The flaw exists because user-supplied command arguments aren't sufficiently validated, and affects Firepower 4100 and Firepower 9300 series appliances.
Power management solutions provider Eaton has released patches for its Intelligent Power Manager software to address several potentially serious vulnerabilities, including ones that researchers say could allow hackers to disrupt power supply. Eaton's IPM solution is designed to ensure system uptime and data integrity by allowing organizations to remotely monitor, manage and control the uninterruptible power supply devices on their network.
Moxie Marlinspike has an intriguing blog post about Cellebrite, a tool used by police and others to break into smartphones. We found that it's possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned.
Apple on Monday shipped the long-awaited iOS and iPadOS 14.5 update with patches for at least 50 documented security vulnerabilities. The patch, which is currently being rolled out via the iOS and iPadOS automatic-updating mechanism, includes cover for a WebKit vulnerability that Apple believes may have been exploited in the wild by attackers.
While apps like Zoom, Slack, Teams and others are great for working from anywhere, they also create a larger attack surface.