Weekly threat roundup: Windows, Intel, and Ubuntu

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including a summary of each exploit mechanism and whether the vulnerability is being exploited in the wild. The aim is to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Actively exploited Windows zero-day flaw

Microsoft patched 112 vulnerabilities as part of its routine Patch Tuesday wave of fixes, including an actively exploited zero-day flaw in Windows.

This bug, tagged CVE-2020-17087, was a privilege escalation vulnerability in the Windows Kernel Cryptography Driver (cng.sys), and was successfully exploited in combination with another flaw, tagged CVE-2020-15999. This second bug is a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome.

The Windows flaw was being used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system, according to Tenable staff research engineer Satnam Narang, and is the second chained exploit involving Google and Microsoft flaws within a year.

‘Platypus’ Intel CPU side-channel attacks

Security researchers have uncovered a series of vulnerabilities in Intel CPUs, dubbed Platypus, which can be exploited to access sensitive data using power side-channel attacks.

These attacks exploit fluctuations in a device’s power consumption to extract sensitive material, including cryptographic keys. They are normally difficult to carry out because they require accurate power measurements, which are hard to obtain using malware alone and usually require an attacker to gain physical access.

Intel processors were found to be vulnerable to such attacks, which could be conducted with unprecedented accuracy, even without physical access. The two approaches involve configuring the 'running average power limit' (RAPL) interface to log power consumption without administrative rights, and moving data by misusing Intel’s software guard extensions (SGX) security functions.

Ubuntu 20.04 vulnerable to privilege escalation flaw

GitHub researcher Kevin Backhouse found flaws in Ubuntu 20.04, now patched, that could have allowed any desktop user to gain root access to the operating system.

Two separate issues may be exploited to allow hackers to escalate user privileges in an “astonishingly straightforward” manner, using a few simple commands in the terminal and a few mouse clicks.

The first element involves exploiting the daemon which manages user accounts, known as AccountsService, while the second element involves a component of the GNOME desktop, which triggers system setup. This would allow somebody running the exploit to create a new user account with root privileges.

Actively exploited Chrome zero-days

Google has patched two zero-day vulnerabilities in its Chrome web browser, representing the fourth and fifth actively exploited flaws to be patched in recent weeks.

The two flaws, tagged CVE-2020-16013 and CVE-2020-16017 respectively, are considered to be highly severe and will be fixed as part of Chrome version 86.0.4240.198 for Windows, Mac, and Linux over the coming days.

The first involves inappropriate implementation in the V8 JavaScript engine, whereas the second is a use-after-free memory corruption flaw located in Site Isolation, a Chrome security feature that isolates websites into sandboxes.
