Weekly threat roundup: Dell, Apple, Qualcomm

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Dell patches flaws in hundreds of PCs

Dell has fixed a vulnerability found in a driver file that affects hundreds of desktop and notebook models stretching back to 2009.

Tracked as CVE-2021-21551, the vulnerability is embedded in the Dell driver dbutil_2_3.sys, which contains an insufficient access control flaw that may lead to escalation of privileges, denial of service or information disclosure attacks.

The flaw, discovered by Sentinel Labs, can allow an attacker to bypass security protections, although there’s no evidence of active exploitation so far. A variety of models are affected by the vulnerability, including Dell XPS 13 and XPS 15 units, as well as a host of other devices including Latitude, Inspiron and Precision machines.

VMware patches exploitable ‘unauthorised API’

VMware’s vRealize Business for Cloud platform includes an “unauthorised VAMI API” that could be exploited to launch remote code execution attacks on virtualised systems.

This flaw, which has now been patched, is rated 9.8 out of ten on the CVSS threat severity scale and is tagged as CVE-2021-21984. The vulnerability centres around an API in the vCenter Server Appliance Management Interface (VAMI), which is the tool IT admins use to power vCenter Server Appliance and manage virtual machines.

VMware hasn’t disclosed how this unauthorised API was found to be in VAMI, although the issue only affects version 7.6 of the product.

Apple patches exploited WebKit flaws

Related Resource

X-Force threat intelligence index

Understand the threat landscape with fresh intelligence

X Force threat intelligence indexDownload now

Hackers exploited zero-day vulnerabilities in Apple’s WebKit browser engine for iPhones and iPads before the firm issued a patch with its latest operating system (OS) updates.

The pair of flaws, known as CVE-2021-30665 and CVE-2021-30663, allowed cyber criminals to launch remote code execution attacks on any device that visited a malicious website. A vast number of Apple devices are affected, including the iPhone 6s and later, all iPad Pro models, the iPad Air 2 and later, the fifth-generation iPad and later, iPad mini 4 and later, the seventh-generation iPod touch, and the Apple Watch Series 3.

Apple released iOS 14.5.1 and iPadOS 14.5.1 on Monday to fix the flaws, which it described as “a memory corruption issue” and “an integer overflow”, which were addressed with “improved state management”. These patches were released alongside minor fixes to flaws in Apple’s App Tracking Transparency (ATT) tool.

Qualcomm flaw affects 40% of smartphones

A serious vulnerability embedded in the Qualcomm Mobile Station Modem (MSM) chips, including the latest 5G versions, may allow hackers to gain access to text messages and call histories, while also eavesdropping on voice conversations.

These system on chips (SoCs) are used in approximately 40% of all mobile phones in use today including high-end flagship units manufactured by the likes of Samsung and Google, according to Check Point researchers. The issue only concerns Android devices.

The vulnerability, known as CVE-2020-11292, can be exploited if attackers abuse a heap overflow flaw in the MSM Interface (QMI) voice service. Malicious apps might also hide their activity under the cover of the chip, rendering themselves invisible to Android security protections.

The researchers have advised users to update their devices to the latest OS version, and to only install apps from official app stores to avoid inadvertently downloading something malicious.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Putin open to handing cyber criminals over to US
hacking

Putin open to handing cyber criminals over to US

14 Jun 2021
Crypto-mining hackers hit Kubernetes clusters
cryptocurrencies

Crypto-mining hackers hit Kubernetes clusters

10 Jun 2021

Most Popular

Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
Fastly blames software bug for major outage
public cloud

Fastly blames software bug for major outage

9 Jun 2021
GitHub to prohibit code that’s used in active attacks
cyber security

GitHub to prohibit code that’s used in active attacks

7 Jun 2021