It’s another week of integral fixes, updates and upgrades to your most used software and hardware this Threat Thursday.
Apple, Google and Windows each have their own security updates to implement, so let’s jump right in.
Security Researcher Reveals Safari Bug as Apple Kicks its Heels
A security researcher, who disclosed a Safari browser bug to Apple way back in April, has gone public with his discovery after learning that Apple was delaying a patch until… *shuffles papers*… wait, 2021?
Pawel Wylecial of REDTEAM.PL, clearly frustrated by Apple’s postponement, shared his discovery in a blog post this Tuesday. The vulnerability lies in Apple’s implementation of the Web Share API, essentially the cross-browser standard that lets a web page share links, files and other content. By luring a victim into clicking a share link on a malicious website, an attacker could get them to unknowingly hand over personal files from their device.
While Pawel notes this is far from the most serious bug Apple has faced, since it requires user interaction, it does show how much human caution matters when protecting against cyber threats. Until Apple has this bizarrely long-in-the-oven patch ready next year, vigilance is your best defence against abuse of this bug, which is now all the more likely given the public disclosure.
Microsoft Gives Cloud-Based Internet of Things Developers some Extra Added Azurance
Microsoft has patched several Remote Code Execution bugs in its Azure Sphere platform, the product that secures numerous IoT devices through secure updates and app deployments. On Monday, Cisco’s Talos Intelligence group revealed these flaws in a ‘Vulnerability Spotlight’, but only after working with Microsoft to see them patched.
If the Vulnerability Spotlight leaves your head reeling a little, here’s the abridged version: four vulnerabilities were discovered in all, covering privilege escalation, data modification and Remote Code Execution.
While Remote Code Execution is always a serious issue, it’s worth noting that these vulnerabilities could only be exploited internally – the attacker would need to be within the Azure Sphere environment to take advantage of them.
Even so, with the cat out of the bag (and the patches well and truly in it), there’s no reason not to update your Azure environment with the latest patches, especially if you’re making use of Sphere.
Microsoft Exiles Malware to the Desert to Better Defend Office365
Well, maybe not quite the desert. But call a digital environment a ‘sandbox’ and you’re asking for comparisons.
On Monday, Microsoft announced the official release of Application Guard for Office, a sandbox for Office environments that isolates suspicious files and opens them in a tightly restricted mode. As well as warning users about the legitimacy of downloaded documents, it restricts features that could be used to reach resources on the host. It’s available to install now via Microsoft’s enterprise security platform, Microsoft Defender Advanced Threat Detection.
Now available in public preview (following a limited preview in November last year), Application Guard is compatible with Word, Excel, and PowerPoint for Microsoft 365 and Windows 10 Enterprise. You’ll also need a Microsoft 365 E5 or Microsoft 365 E5 Security license.
Note that Application Guard is disabled by default, so we’ll let Microsoft explain how to enable it and keep your users better protected.
Ribbit to Pieces: FritzFrog Botnet Revealed by Cybersecurity Researchers
Cyber security experts at Guardicore have lifted the lid on an all-new peer-to-peer botnet named FritzFrog, which had gone undetected since it first appeared in January. It’s been quite the busy little amphibian, attempting to brute-force its way into millions of IP addresses belonging to educational, financial and medical organisations, as well as telecom providers.
Targeting SSH servers, FritzFrog’s successful breaches – over 500 are confirmed – give the botnet ongoing access to the compromised machines, to do with as it pleases.
As explained in the Guardicore report, FritzFrog isn’t just a sophisticated piece of work, it’s a unique one too. It’s fileless, more aggressive than any comparable botnet, and appears to have been written by experienced developers. It’s adept at avoiding detection, uses an intricate network of nodes and commands, and runs malicious payloads and cryptominers. Nasty.
The full write-up – in case you missed the link earlier – is available again here. Echoing our own oft-repeated advice, Guardicore recommends a strong password policy; weak passwords, as they explain, are the “immediate enabler of FritzFrog attacks”. Similarly, IoT devices and routers often expose their SSH port, so change the port or disable SSH completely if it isn’t needed.
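Guardicore’s advice above covers prevention (password policy and SSH exposure); the other half of defending against a botnet like this is noticing the brute-force noise it leaves in your own logs. The script below is an added example written for this post, not Guardicore’s tooling or any FritzFrog code. It parses the standard sshd “Failed/Accepted password” lines over a constructed sample of auth.log entries (the hostnames, IP addresses and usernames are made up), flags any source that racks up a burst of failures within a short window, and highlights the worrying case where an accepted login follows that burst.

```python
"""Spot SSH password brute-force bursts in sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# 203.0.113.5 sprays several usernames, then gets in with a password;
# 198.51.100.7 is an ordinary user who mistypes once and then uses a key.
SAMPLE_LOG = """\
Aug 20 10:00:01 host1 sshd[2011]: Failed password for root from 203.0.113.5 port 41022 ssh2
Aug 20 10:00:02 host1 sshd[2012]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Aug 20 10:00:03 host1 sshd[2013]: Failed password for root from 203.0.113.5 port 41024 ssh2
Aug 20 10:00:04 host1 sshd[2014]: Failed password for invalid user test from 203.0.113.5 port 41025 ssh2
Aug 20 10:00:05 host1 sshd[2015]: Failed password for root from 203.0.113.5 port 41026 ssh2
Aug 20 10:00:07 host1 sshd[2016]: Accepted password for root from 203.0.113.5 port 41027 ssh2
Aug 20 10:03:10 host1 sshd[2020]: Failed password for alice from 198.51.100.7 port 50010 ssh2
Aug 20 10:03:40 host1 sshd[2021]: Accepted publickey for alice from 198.51.100.7 port 50011 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict describing an sshd auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; that is fine for ordering within one file
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    ev["port"] = int(ev["port"])
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding time window.

    For each flagged IP also report whether a login was *accepted* shortly after
    the burst, which is the footprint a successful password guess leaves behind.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["outcome"] == "Failed"]
        burst_end = None
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= window_seconds
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]  # remember the latest qualifying window
        if burst_end is None:
            continue
        success_after = any(
            e["outcome"] == "Accepted"
            and 0 <= (e["ts"] - burst_end).total_seconds() <= window_seconds
            for e in events
        )
        findings[ip] = {
            "failures": len(fails),
            "usernames": sorted({e["user"] for e in fails}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        tag = "LIKELY COMPROMISED" if f["success_after_burst"] else "brute force"
        print(f"{ip}: {f['failures']} failures, users {f['usernames']} -> {tag}")
```

Point it at a real auth.log (`detect_bruteforce(open("/var/log/auth.log"))`) and tune `threshold` and `window_seconds` to your environment; a handful of failures from a single admin fat-fingering a password is normal, dozens of different usernames from one address in a minute is not. The sliding window matters because FritzFrog-style bots spread attempts out; a fixed per-minute bucket would miss a burst straddling the minute boundary.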
Was Not WASS – Cisco Fixes a Critical Flaw in Their Enterprise Server Software
A critical flaw with a rather meaty 9.8 severity score has been patched in Cisco enterprise software, specifically its Virtual Wide Area Application Services (vWAAS). Affecting the ENCS5400-W and CSP 5000-W series of devices, the flaw allowed attackers to use default credentials to log in to the device with elevated, administrator-level privileges – such a big deal that even Cisco italicised it in its security bulletin, here.
Thankfully, a patch has addressed this vulnerability, so if your enterprise relies on any of the above series of devices, or on Cisco’s vWAAS version 6.4.5 or 6.4.3d, now’s the time to get downloading.
And that’s a wrap on another update-heavy edition of Threat Thursday. Fewer immediate business threats this week, but don’t sleep on those new software editions and updates.
Until then, why not sign up to our Threat Thursday newsletter?
We’ll be back the same time and place next week – or why not drop your email address in the box on the right, and we’ll make sure you get the latest Threat Thursday updates in your inbox every week?