Weekly threat roundup: Apple, VMware, OpenSSL

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Apple WebKit zero-day under exploitation

Apple has released an emergency patch fixing a zero-day vulnerability in its iOS, iPadOS, and watchOS operating systems, that has been exploited by unidentified hackers.

Tracked as CVE-2021-187, the flaw resides in WebKit, which is an open source browser engine primarily used in the Safari web browser, as well as all iOS web browsers, alongside various other iOS and iPadOS apps.

Hackers were able to exploit the flaw by sending victims a malicious link and executing arbitrary code through a cross-site scripting (XSS) attack, with potential implications including the theft of sensitive data or forcing changes to the appearance of a website.

Apple has rolled out patches for all versions of the iPad Pro, iPad Air 2 and later, the fifth generation of the iPad and later, iPad mini 4 and later, and the seventh generation of the iPod touch. This is in addition to updates released for all Apple Watch products, and all iPhones from iPhone 6s.

VMware patches severe vRealize flaws

Vmware has patched two critical vulnerabilities in its vRealize Operations platform that could allow cyber criminals to infiltrate corporate networks, steal user credentials, and manipulate underlying systems.

This is a platform augmented with artificial intelligence that's capable of managing IT operations in various cloud deployments, allowing admins to monitor, troubleshoot, and manage the health and capacity of virtual IT environments.

The first flaw, tracked as CVE-2021-21975, is rated 8.6 on the CVSS threat severity scale. If exploited, it could allow a malicious actor with network access to the vRealize Operations Manager API to perform a server-side request forgery attack to steal admin credentials.

A second flaw, tracked as CVE-2021-21983, is considered less severe as it requires an attacker to be authenticated in order to successfully exploit. There are fears, however, that it can be chained with the first bug to allow hackers to write files to various locations on the underlying operating system.

OpenSSL fixes major denial of service bug

The most widely-used encryption software library, OpenSSL, has patched a severe flaw that could have allowed hackers to crash a wide number of servers.

The open source cryptography toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, is used across a host of products and platforms, including Linux as well as other software and email clients.

The latest update, OpenSSL 1.1.1k, fixed two severe bugs including CVE-2021-3449, which could have been exploited by hackers to deliberately crash vulnerable web servers or email servers at will, causing a looped denial of service (DoS) situation.

The second flaw, CVE-2021-3450, was a more complex issue that could have allowed security checks to be circumvented when an app would seek out the legitimacy of a TLS certificate.

Netmask flaw allows hackers to bypass server access controls

Related Resource

Taking a proactive approach to cyber security

A complete guide to penetration testing

A complete guide to penetration testing - whitepaper from CyberCxDownload now

A vulnerability in the networking npm library, netmask, could give hackers the ability to bypass server access controls and launch server-side request forgery attacks, according to research by Sick Codes.

The nine-year-old exploit is considered far-reaching as hundreds of thousands of apps use the package to parse or compare IPv4 addresses and Classless Inter-Domain Routing (CIDR) blocks. The code was downloaded three million times last week alone, with 278,000 GitHub repositories using it.

The issue centres on the way netmask handles mixed-format IP addresses, with the library seeing a different IP address when parsing an address with a prefixed zero. The researchers warned that anyone could submit an address in netmask that looks like a private IP, but then connects to a public IP to download malicious files.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
UK gun owners urged to be ‘vigilant’ after Guntrader data breach
data breaches

UK gun owners urged to be ‘vigilant’ after Guntrader data breach

23 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021