Weekly threat roundup: Microsoft Teams, iOS, Samsung Galaxy

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Zero-day allowed hackers to steal files from Microsoft Teams

A vulnerability in the Microsoft Power Apps service on Microsoft Teams can be exploited by an attacker to gain persistent read/write access to a victim’s email, Teams chats, OneDrive storage, Sharepoint, and a host of other services.

The side-server vulnerability, which has now been patched, affects Power Apps, a service that allows businesses to create specific use-cases on Microsoft products to suit their own needs.

These applets would manifest as tabs. Hackers could exploit the flaw by setting up a malicious tab, which when opened by the victim, would grant them access to private communications and files.

The attacker could also disguise themselves as a victim and send emails and messages on their behalf, according to Even Grant, a research engineer at Tenable, allowing them to conduct further social engineering attacks. 

Hackers exploit WebKit Engine flaws in iOS 

Apple released an emergency update for iOS 12 this week after revealing that hackers had exploited two zero-day flaws to launch remote code execution attacks on devices hosting the operating system.

The flaws, tracked as CVE-2021-30761 and CVE-2021-30762, lie in the open source WebKit browser rendering engine. This is used to power the Safari web browser, as well as various iOS, macOS, watchOS, and Apple TV apps and services.

The first is a memory corruption issue, while the second is a use-after-free bug, and they have been fixed with “improved state management” and “improved memory management” respectively in iOS 12.5.3.

These are just the latest flaws to affect the WebKit browser engine that hackers have successfully exploited since the start of the year. In total, Apple has patched seven WebKit-related flaws since January 2021.

Supply chain bug in connected cameras 

A widely used software development kit (SDK) in IoT-enabled cameras, developed by ThroughTek, is embedded with a flaw that has exposed swathes of industrial hardware to potential cyber attacks.

The vulnerability in ThroughTek’s P2P SDK, which is used to provide remote access to audio or video feeds over the internet, can grant hackers access to media feeds as well as sensitive data. Cyber criminals could also exploit the flaw, rated 9.1 out of ten on the CVSS threat severity scale, to spoof devices and hijack their certificates. 

The vulnerable SDK is used by multiple camera vendors and is deployed in many CCTV systems, as well as IoT devices like baby monitors. Nozomi Networks researchers discovered the flaw, and reported it to ThroughTek in line with the firm’s disclosure policy. 

Although ThroughTek has updated its SDK to remove the flaw, IoT devices made by customers that haven’t updated their SDKs will still be vulnerable. The severity of the bug, and likelihood of exploitation, has prompted the US Cybersecurity & Infrastructure Agency (CISA) to issue an alert to businesses with guidance on how to mitigate against attacks.

Samsung phones vulnerable to takeover

Related Resource

A guide to enterprise detection and response providers

The 12 providers that matter most and how they stack up

Forrester enterprise detection WPDownload now

Pre-installed apps bundled with Samsung Galaxy smartphones were embedded with seven vulnerabilities that could have allowed hackers to access sensitive data and take over control of the device.

The seven flaws, discovered by Oversecured, were found in Knox Core, Managed Provisioning, Secure Folder, SecSettings, Samsung DeX System UI, Telephony UI, and PhotoTable. If exploited the bugs could allow cyber criminals to edit contacts, calls, and text messages, while breaching an unpatched device could also let hackers install malicious apps with administrative rights, and change the device’s default settings.

Samsung updated the software for all affected apps, which users need to apply as soon as possible if they haven’t done so already, although the firm wouldn’t reveal which devices could be exploited.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021

Most Popular

Alibaba unveils custom Arm-based server chip
components

Alibaba unveils custom Arm-based server chip

19 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021