Weekly threat roundup: Fortinet, Apple Mail, AMD Zen 3 CPUs

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Three Fortinet FortiOS vulnerabilities under attack

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert last week warning businesses that hackers are scanning vulnerable Fortinet systems to gain access to corporate networks.

FortiOS, the software powering Fortinet’s security products, contains three flaws tracked as CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. Although all three have been patched in the past, security agencies have recently detected an uptick in the number of cyber criminals exploiting them, largely because a handful of organisations have not yet applied the fixes.

The first and second flaws, each rated 9.8 on the CVSS threat severity scale, are a path traversal vulnerability and an improper authentication issue, both affecting the FortiOS SSL VPN component. Hackers can exploit these bugs to download system files through HTTP requests, and also log in without being prompted for two-factor authentication (2FA) if they change the case of the username. The third is a default configuration issue in FortiOS 6.2.0, which can allow attackers to intercept sensitive data.
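The username-case weakness described above is an instance of a general bug class: an account lookup that ignores case paired with a 2FA policy lookup that does not. The toy login routine below is an added example, not Fortinet code, with a constructed user directory and one-time codes; it shows the inconsistent lookups beside the fixed version that canonicalises the username once and uses it for both checks.

```python
"""Toy login showing a 2FA-bypass bug of the kind described for the
FortiOS SSL VPN: inconsistent username canonicalisation between the
account lookup and the 2FA policy lookup. Not Fortinet's code."""
import hashlib
import hmac
from typing import Optional

# Constructed sample directory. SHA-256 is used for brevity only.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
TWO_FACTOR_REQUIRED = {"alice"}   # policy keyed by the username as enrolled
VALID_OTP = {"alice": "246810"}   # constructed one-time codes


def _password_ok(canonical: str, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(canonical, ""), digest)


def login_vulnerable(username: str, password: str, otp: Optional[str]) -> bool:
    # Account lookup is case-insensitive (directory backends often are) ...
    canonical = username.lower()
    if not _password_ok(canonical, password):
        return False
    # ... but the 2FA policy is consulted with the raw, case-sensitive string,
    # so "Alice" matches the account yet misses the 2FA requirement.
    if username in TWO_FACTOR_REQUIRED:
        return otp is not None and hmac.compare_digest(VALID_OTP[canonical], otp)
    return True


def login_fixed(username: str, password: str, otp: Optional[str]) -> bool:
    # Canonicalise once and use the same form for every policy decision.
    canonical = username.lower()
    if not _password_ok(canonical, password):
        return False
    if canonical in TWO_FACTOR_REQUIRED:
        return otp is not None and hmac.compare_digest(VALID_OTP[canonical], otp)
    return True
```

The check to add in a code review is that every authorisation or policy lookup keys on the same canonical identifier the authentication step used.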

Zero-click Apple Mail flaw allows email spying

A vulnerability in Apple’s macOS Mail app could allow an attacker to add or modify any file inside its sandbox environment, opening the door for a range of attacks including information disclosure and account takeover.

The now-patched flaw, tracked as CVE-2020-9922, could be triggered without any user action, according to researcher Mikko Kenttala. The Mail app has a feature that lets it uncompress attachments that may have been automatically compressed by another Mail user. If an attacker sends an email with a malicious .ZIP file attached, for example, Mail’s tendency to automatically uncompress these files exposes the user to potential harm.

Although he only disclosed the flaw recently, Kenttala discovered the bug several months ago before informing the developer. Apple then patched the flaw in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, and macOS Catalina 10.15.5.
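Any feature that unpacks attachments automatically must confine every archive entry to the extraction folder. The routine below is an added example, not Apple's code; the page does not state the exact mechanism of CVE-2020-9922, so the traversal entries in the constructed sample archive are an assumption used to exercise the check.

```python
"""Defensive ZIP extraction: keep only entries whose resolved path stays
inside the destination directory. Added example with a constructed archive."""
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    # Constructed attachment: one harmless entry, one with a traversal name
    # and one with an absolute path.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "harmless content")
        zf.writestr("../../outside.txt", "would land outside the folder")
        zf.writestr("/etc/absolute.txt", "absolute path")
    return buf.getvalue()


def safe_extract(zip_bytes: bytes, dest: str):
    """Extract only entries contained in dest; return (kept, rejected)."""
    dest_real = os.path.realpath(dest)
    kept, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Reject anything whose canonical path is not under dest_real.
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            kept.append(info.filename)
    return kept, rejected


def demo():
    # Run the check against the constructed archive in a throwaway directory.
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), tmp)
```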

Wormable Android malware spreading through WhatsApp texts


A new strain of malware affecting Android smartphones is spreading itself between devices through fake WhatsApp messages.

Hidden in a fake application on the Google Play store called ‘FlixOnline’, this malware strain can automatically reply to a victim’s incoming WhatsApp messages with a malicious payload, should the user grant the fake app the right permissions. This method, according to Check Point Research, is unique and could allow hackers to distribute phishing attacks, spread false information, or steal credentials from users’ WhatsApp accounts.

The fake app claims to allow users to view Netflix content from anywhere in the world, although, in reality, it monitors users’ WhatsApp notifications and sends automatic replies which are embedded with content received from the C&C server. Because it’s wormable, it can spread without user interaction.

The researchers have warned users to be wary of downloading attachments, even if they come from trusted sources.

AMD Zen 3 CPUs embedded with Spectre-like vulnerability

The chipmaking giant AMD has warned users of a potentially significant flaw embedded in its Zen 3 processors that resembles the Spectre issue that infamously plagued Intel CPUs.

The side-channel attack centres on a technology known as Predictive Store Forwarding (PSF), which improves code execution performance by predicting the relationship between loads and stores. These predictions are usually correct, but occasional mispredictions mean that software relying on sandboxing is at risk. This could open the door for side-channel attacks of the kind seen in the past with the Spectre and Meltdown flaws found in Intel CPUs.

The risk is low, AMD claims, and it hasn’t seen any code that’s considered vulnerable, nor has it seen any reported cases of an exploit. AMD recommends leaving PSF on as it improves the performance of its Zen 3 CPUs, although customers who do run software that relies on sandboxing can disable PSF should they choose to.
