
Weekly threat roundup: Zero-days in Windows, Adobe, Google Chrome

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams are often forced to prioritise fixes for several business-critical systems that all land at once. It has become typical, for example, for Microsoft's Patch Tuesday to bring dozens of patches, with other vendors routinely releasing their own fixes on the same day.

Below, IT Pro has collated the most pressing disclosures from the last seven days, with a summary of each exploit mechanism and whether the vulnerability is being exploited in the wild, to give teams a sense of which bugs pose the most dangerous immediate risk.

FBI warns against Windows 7 usage following Oldsmar hack

One of the most alarming incidents of the week took place in the city of Oldsmar, Florida, where an intruder remotely accessed a water treatment facility's control system and raised the sodium hydroxide (NaOH) dosing level to a potentially lethal amount.

It has since emerged that the intruder got in through a combination of weak practices: the facility was running the now-retired Windows 7 operating system, staff shared a single password, and the remote access tool TeamViewer was exposed to the internet without a firewall in front of it.

While TeamViewer itself is a legitimate product widely used for remote IT support, the FBI has warned organisations to watch for unauthorised remote access to their systems through it.

Microsoft fixes actively-exploited Windows 10 zero-day

The latest Patch Tuesday release from Microsoft fixed 56 bugs, including one that is being actively exploited in the wild.

Tracked as CVE-2021-1732, the flaw is an elevation-of-privilege bug in the win32k kernel component of Windows 10. Researchers at DBAPPSecurity reported it being used in a handful of attacks in China by the BITTER APT group: an attacker who can already run code on a machine at low privilege can use the bug to gain full system privileges, and from there run any code they choose.

Microsoft rates the bug 'important' rather than 'critical', because an attacker needs a foothold on the machine first, but in-the-wild exploitation makes it a priority. Researchers described the exploit as "sophisticated". The same release fixed 11 flaws rated 'critical', with the rest rated 'important' or 'moderate'.

Google fixes actively exploited Chrome zero-day

Google has urged Chrome users to update to version 88.0.4324.150 after a zero-day vulnerability was found being exploited in the wild.

The update fixes a heap buffer overflow in Chrome's V8 JavaScript engine, tracked as CVE-2021-21148, which attackers had been actively exploiting. It was reported to Google on 24 January by researcher Mattias Buelens.

Google has not disclosed the attack mechanism or who used it. Separately, Microsoft warned on 28 January that North Korean hackers had been exploiting a Chrome zero-day; Google has not linked the two, although many researchers suspect they are connected.

Firefox users could fall victim to $i30 bug

Mozilla has updated Firefox to protect users against a Windows 10 NTFS corruption bug, discovered in January, that can be triggered through a web browser.

An attacker can crash a targeted Windows 10 device simply by getting the browser to touch the NTFS $i30 index attribute on the system drive, according to findings published by security researcher Jonas L.

Before the update, the corruption could be triggered remotely by pointing the browser at a path such as "c:\:$i30:$bitmap" through the address bar, according to Tech Radar; Firefox 85.0.1 now blocks such paths. Microsoft is still reportedly working on a fix in Windows itself, so until that arrives each browser has to block these paths on its own.
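Both the Chrome and Firefox fixes above come down to one check: is the installed build at or above the first patched release? The script below is an added example, not IT Pro's code. It assumes the fixed versions quoted in this roundup (Chrome 88.0.4324.150, Firefox 85.0.1) are the first safe releases and that anything newer is also safe; the inventory it scans is constructed sample data, not real hosts. The point it makes is that versions must be compared numerically, field by field, because a plain string comparison puts "88.0.4324.96" after "88.0.4324.150" and would wrongly report an unpatched host as safe.

```python
"""Patch-status check for the browser zero-days in this roundup.

Added example, not IT Pro's code. Assumes the fixed versions quoted in
the article are the first safe releases. INVENTORY is constructed data.
"""
import re

# Minimum patched version per browser, taken from the article.
FIXED = {
    "chrome": "88.0.4324.150",   # fixes CVE-2021-21148 (V8 heap overflow)
    "firefox": "85.0.1",         # blocks the $i30 NTFS path trick
}


def parse_version(text):
    """Turn '88.0.4324.150' into the tuple (88, 0, 4324, 150).

    Lexical comparison is wrong here: '88.0.4324.96' sorts *after*
    '88.0.4324.150' as a string, so each field is compared as an integer.
    """
    parts = text.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(browser, installed):
    """True if the installed version is at or above the fixed version.

    Shorter version strings are padded with zeros, so '85.0' < '85.0.1'.
    """
    have = parse_version(installed)
    need = parse_version(FIXED[browser])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def unpatched_hosts(inventory):
    """Return (host, browser, version) for every entry still vulnerable."""
    return [
        (host, browser, version)
        for host, browser, version in inventory
        if browser in FIXED and not is_patched(browser, version)
    ]


# Constructed sample inventory: (hostname, browser, installed version).
INVENTORY = [
    ("ws-01", "chrome", "88.0.4324.96"),   # last build before the fix
    ("ws-02", "chrome", "88.0.4324.150"),  # exactly the fixed build
    ("ws-03", "chrome", "89.0.4389.72"),   # later major release
    ("ws-04", "firefox", "85.0"),          # missing the .1 point release
    ("ws-05", "firefox", "85.0.1"),
    ("ws-06", "firefox", "86.0"),
]

if __name__ == "__main__":
    for host, browser, version in unpatched_hosts(INVENTORY):
        print(f"{host}: {browser} {version} is below {FIXED[browser]}")
```

In practice the inventory would come from an endpoint management tool rather than a hard-coded list; on the constructed data above, only ws-01 and ws-04 are reported as unpatched.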

Adobe software zero-day under attack

Adobe has released updates for multiple versions of Acrobat and Reader after receiving reports that attackers have exploited a critical flaw against Windows users.

Tracked as CVE-2021-21017, the heap-based buffer overflow allows remote code execution on a victim's machine running an affected version. Affected products are Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017, on macOS as well as Windows, although the attacks seen so far have targeted Windows.

It was patched alongside 22 other flaws rated critical or important in Adobe's Patch Tuesday release, including information disclosure, arbitrary code execution and privilege escalation bugs; all are fixed in the latest versions of the affected software.

Critical flaws in Cisco VPN routers for businesses


Cisco has patched several critical vulnerabilities in the web-based management interface of its VPN routers for small businesses. An attacker who exploits them can execute arbitrary code remotely as the root user.

The seven critical flaws, tracked as CVE-2021-1289 through CVE-2021-1295, stem from improper validation of HTTP requests: a remote attacker can send a crafted HTTP request to the web management interface, and successful exploitation gives code execution as root on the device.

Users of Cisco Small Business RV160, RV160W, RV260P and RV260W VPN routers are advised to upgrade to the fixed firmware immediately.
