Security Wrap-Up (May 4th, 2021)

May the 4th be with you! Unfortunately, the Dark Side has been able to wreak some havoc across a few tech giants, so let’s take a look at the latest in security news -

Apple fixes zero-day security bugs under active attack
Yesterday, Apple released a set of unscheduled updates for iOS, macOS, and watchOS, issuing out-of-band patches for critical security issues affecting iPad, iPhone, and iPod that could allow remote code execution (RCE) and other attacks compromising users’ systems. Three of these are zero-day flaws, while one is an expanded patch for a fourth vulnerability. The three zero-day bugs are: CVE-2021-30665 (a critical memory-corruption issue in the Safari WebKit engine, where “processing maliciously crafted web content may lead to arbitrary code execution”, addressed with improved state management), CVE-2021-30663 (an integer overflow, which can also lead to RCE), and CVE-2021-30666 (a buffer overflow, addressed with improved memory handling). The fourth bug (CVE-2021-30661) is a use-after-free issue addressed with improved memory management.

Patch issued to tackle critical security issues present in Dell driver software
Today, five serious vulnerabilities in a driver used by Dell devices were disclosed by SentinelLabs. They were discovered by security researcher Kasif Dekel, who explored Dell’s DBUtil BIOS driver, software used in the vendor’s desktop and laptop PCs, notebooks, and tablet products. The team says that the driver has been vulnerable since 2008, but there’s no evidence that the bugs have been exploited in the wild. The five vulnerabilities have been listed under CVE-2021-21551 with a CVSS score of 8.8. Two are memory corruption issues in the driver, two are security failures caused by a lack of input validation, and one is a logic issue that could be exploited to trigger a denial of service. “These multiple critical vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges,” the researchers say.

Microsoft warns of 25 critical vulnerabilities in IoT and industrial devices
Security researchers at Microsoft are warning the industry about 25 as-yet undocumented critical memory-allocation vulnerabilities across a number of vendors’ IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash. The newly discovered family of vulnerabilities, named “BadAlloc,” has the potential to affect a wide range of domains, from consumer and medical IoT devices to industrial IoT, operational technology, and industrial control systems. According to the researchers, the problem is systemic, so it can exist in various layers of a device, including real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. A separate advisory by the Cybersecurity and Infrastructure Security Agency (CISA) includes a full list of affected products. Of the 25 on the list, 15 already have updates, while some vendors do not expect to ship updates for various reasons, and others will release fixes at a later date.
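Both the Apple integer-overflow bug above and the BadAlloc family come down to the same arithmetic: a size computed from untrusted values wraps around before it reaches the allocator, so the program gets a much smaller buffer than it believes it has. The following C example is added here for illustration; it is not code from Apple, Microsoft, Dell or any affected vendor, and the allocation helper and hostile input are constructed for the demonstration. It shows the unchecked computation beside a checked one that rejects any product not representable in `size_t` (mainstream `calloc` implementations perform this same check; the point of BadAlloc was that many embedded allocators did not).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: deriving an allocation size from two untrusted
 * values (an element count and an element size). */

/* Unchecked: count * elem_size wraps silently once the product exceeds
 * SIZE_MAX, so the caller is handed a tiny buffer and later writes past
 * its end. Returns the size that would have been passed to malloc. */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Checked: returns 1 and stores the byte count in *out when
 * count * elem_size fits in size_t; otherwise returns 0 and leaves *out
 * untouched. The division idiom avoids the overflow it is testing for. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;               /* product would wrap */
    *out = count * elem_size;
    return 1;
}

/* Convenience wrapper for callers that only need the number:
 * the byte count, or 0 if the request was rejected. */
size_t checked_or_zero(size_t count, size_t elem_size)
{
    size_t bytes;
    return checked_alloc_size(count, elem_size, &bytes) ? bytes : 0;
}

/* Allocator that refuses overflowing (and empty) requests instead of
 * returning an undersized buffer. Caller frees the result. */
void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes) || bytes == 0)
        return NULL;
    return malloc(bytes);
}

/* Sanity check for a benign request: allocate, fill, free. Returns 1 on
 * success so the behaviour is observable without reading stdout. */
int benign_alloc_works(void)
{
    unsigned char *p = alloc_array(1024, 8);
    if (p == NULL)
        return 0;
    memset(p, 0xAA, 1024 * 8);  /* every byte is inside the allocation */
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed hostile input: a count chosen so that count * 8 wraps
     * to exactly 8 bytes whatever the width of size_t. */
    size_t hostile_count = SIZE_MAX / 8 + 2;

    printf("unchecked: %zu elements x 8 bytes -> %zu bytes\n",
           hostile_count, unchecked_alloc_size(hostile_count, 8));
    printf("checked:   %s\n",
           checked_or_zero(hostile_count, 8) ? "accepted" : "rejected");
    printf("benign 1024 x 8: %s\n",
           benign_alloc_works() ? "ok" : "failed");
    return 0;
}
```

With GCC or Clang the same check can be written as `__builtin_mul_overflow(count, elem_size, &bytes)`, which also handles the mixed-width cases (a 32-bit count multiplied by a 32-bit size on a 32-bit target) that the plain division idiom covers only when both operands are already `size_t`.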

DigitalOcean says it exposed customer data after it left an internal doc online
According to an email sent out by the company, the recent DigitalOcean security leak was due to an internal document that was mistakenly left accessible online. The document contained several types of user account details, including personally identifiable information such as customer email addresses and their respective DigitalOcean usernames, but also technical details such as the number of servers owned by the customer, the user’s bandwidth usage, support or sales communications notes, and the amount of money the customer paid during calendar year 2018. DigitalOcean said that the internal document was accessed at least 15 times while it was left available online.

Feel free to add any of your own security news in the comments below!
