Weekly threat roundup: Microsoft Defender, Adobe, Mimecast
Pulling together the most dangerous and pressing flaws that businesses need to patch
Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Microsoft Defender under active exploitation
The vulnerability, tracked as CVE-2021-1647, is a remote code execution bug which hackers used to embed code on devices with Microsoft Defender installed, by tricking victims into opening a malicious document.
This was part of 83 bug fixes released this week across a range of Microsoft products, including Windows, Azure and other services. The tech giant also released a patch for a flaw in the Windows splwow64 services. This bug, tracked as CVE-2021-1648, could be exploited to escalate privileges.
Seven Adobe products receive Patch Tuesday treatment
Adobe Photoshop, Illustrator, InCopy, Animate, Bridge, Captivate and Campaign Classic all received eight security fixes this week as part of the company’s own round of Patch Tuesday updates.
All vulnerabilities were rated ‘critical’ apart from a privilege escalation flaw in Adobe Captivate 2019, which was deemed ‘important’. The flaws in Photoshop, Illustrator, InCopy, Animate, and two in Bridge, could all be exploited for arbitrary code execution.
The final bug, affecting Adobe Campaign Classic, is tracked as CVE-2021-21009, and can be exploited for the purposes of sensitive information disclosure.
SaferVPN flaw allows privilege escalation on Windows
The popular virtual private network (VPN) service SaferVPN is embedded with a flaw that could be exploited by hackers to escalate privileges on a victim’s Windows machine and run a malicious file.
In a Medium post, a security researcher known as nmht3t claimed he was publishing the details behind the vulnerability, as well as a proof-of-concept because SaferVPN hadn’t fixed it 90 days following disclosure.
Because low-privileged users are allowed to create folders under the C:\ drive, it’s possible for somebody to create an appropriate file path and place within it a malicious file. Once the VPN service starts, the file will load a malicious OpenSSL engine library, and allow result in arbitrary code execution on the system.
The flaw affects SaferVPN for Windows versions 18.104.22.168 through to the latest iteration, version 22.214.171.124, released on 12 January - there’s currently no patch available for this flaw.
Zero-days used to load websites with malware
Four now-patched zero-day vulnerabilities in Chrome have been flagged by Google’s Project Zero security research team as having been under active exploitation by cyber criminals during 2020.
These Google Chrome flaws were tracked as CVE-2020-6418, CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027. The attack itself was revealed to researchers as part of an initiative aimed at researching new ways to detect zero-day exploits in the wild.
The bugs were exploited through watering-hole attacks, which involved “highly sophisticated” attackers compromising frequently-visited websites and loading them with malicious code that installs malware on victims’ devices. The hackers targeted both Android and Windows users with the compromised sites by deploying two exploit servers, before fixes were released in February and April 2020.
Mimecast admits hackers access Microsoft accounts
Cyber criminals violated a small number of Mimecast customers’ Microsoft 365 accounts after they obtained one of the firm’s digital certificates and abused it to gain access to their user accounts.
Roughly 10% of customers use the connection involving this certificate, with no more than nine customers believed to be affected by the breach. Nevertheless, the incident represents a huge worry in light of the recent attack against SolarWinds.
As a precaution, Mimecast has asked the customers who use the affected certificate to immediately delete the existing connection within their Microsft 365 tenant, and re-establish a new certificate-based connection.