Exposures, Exposed! Weekly Round-up May 13 - 19
Cyber threats unfold,
Experts guide through shifting sands,
Stay secure, week by week.
Here's what our experts have uncovered for you this week:
Microsoft Patch Tuesday Addresses Zero-Day Vulnerabilities
Microsoft released security updates for 61 vulnerabilities in its May 2024 Patch Tuesday update . Three vulnerabilities are particularly concerning: two zero-days and a critical remote code execution flaw.
Two zero-day vulnerabilities were patched this month. CVE-2024-30040 affects the MSHTML platform used in Microsoft 365 and Office, allowing attackers to bypass security measures and download malicious content. CVE-2024-30051 impacts the Desktop Window Manager Core Library, potentially granting attackers full control of the system. Both require immediate patching due to active exploitation attempts.
A critical remote code execution vulnerability (CVE-2024-30044) was patched, affecting Microsoft SharePoint Server. This flaw could allow attackers with specific access to inject and execute malicious code on the server.
The Takeaway: Apply May 2024 security updates immediately, particularly for the zero-day vulnerabilities. Consider broader security strategies beyond patching to address potential gaps.
Intel Patches Critical Vulnerability in AI Tool
Intel addressed over 90 vulnerabilities in its products this Patch Tuesday, including a critical flaw (CVE-2024-22476) in its Neural Compressor AI optimization tool which could allow attackers to remotely gain escalated privileges on systems using Neural Compressor.??
High-severity flaws were also patched in various products, including server firmware, graphics components, and network adapters. These vulnerabilities could potentially allow attackers to escalate privileges, launch denial-of-service attacks, or steal sensitive information.
The Takeaway: Update all Intel products according to the latest security advisories to address critical and high-severity vulnerabilities.
Critical Vulnerabilities Found in Cinterion Cellular Modems
Kaspersky researchers discovered multiple security flaws in Cinterion cellular modems used in various industries. These vulnerabilities could allow attackers to steal sensitive information, take control of devices, or disrupt critical infrastructure.
The most concerning flaw (CVE-2023-47610) enables remote attackers to execute malicious code on affected devices through specially crafted SMS messages. This vulnerability poses a significant risk as it doesn't require physical access to the device.
Other vulnerabilities allow attackers with local access to potentially escalate privileges, access sensitive data, or bypass security measures.
The Takeaway: Organizations using Cinterion modems should disable non-essential SMS functionality, update firmware, and restrict physical access to devices to mitigate these vulnerabilities.
Critical iTunes Vulnerability Patched for Windows Users
Apple addressed a critical vulnerability (CVE-2024-27793) in iTunes for Windows 10 and 11 that could allow attackers to remotely execute malicious code.?
领英推荐
The flaw impacted the CoreMedia framework used for processing media. Attackers could have exploited it to potentially take control of vulnerable systems. Apple released a fix (iTunes version 12.13.2) on May 8th, 2024.?
The Takeaway: Update iTunes to version 12.13.2 or later to address this critical remote code execution vulnerability, especially if you are on Windows 10 or 11.
Google Patches Two Chrome Zero-Days in One Week
Google addressed two critical zero-day vulnerabilities (CVE-2024-4761 and CVE-2024-4671) in its Chrome web browser within four days.?
The first vulnerability, CVE-2024-4761, is a high-severity out-of-bounds write vulnerability affecting Chrome's V8 JavaScript engine. This engine is responsible for processing JavaScript code, a core functionality for many websites. Attackers could exploit this flaw to potentially inject malicious code and compromise user systems.
The second vulnerability, CVE-2024-4671, is a high-severity use-after-free vulnerability impacting the Chrome Visuals component. This component handles visual elements displayed on web pages. Exploiting this vulnerability could allow attackers to manipulate memory management in Chrome, potentially leading to data breaches or code execution.
The Takeaway: Update Chrome to version 124.0.6367.207/.208 (Mac & Windows) or 124.0.6367.207 (Linux) to mitigate these zero-day risks and protect yourself from these recently exploited vulnerabilities.
Wi-Fi Flaw Tricks Devices onto Insecure Networks
Researchers discovered a critical vulnerability (CVE-2023-52424) in the Wi-Fi standard that allows attackers to trick devices into connecting to insecure networks.
The SSID Confusion attack exploits a design flaw that doesn't require network name verification. Attackers can spoof a trusted network name, downgrade security settings, and steal user traffic. Even VPNs can be disabled during this attack.
The Takeaway: Update Wi-Fi standards and be cautious of public Wi-Fi networks. Businesses should use unique passwords for each Wi-Fi network and avoid using the same credentials across different networks.
Critical SAP Flaws Patched in CX Commerce, NetWeaver
SAP addressed critical security vulnerabilities in its Customer Experience (CX) Commerce and NetWeaver products on May 14th. These critical flaws (CVE-2019-17495 & CVE-2024-33006) could allow attackers to steal data or compromise systems entirely. More specifically:?
The Takeaway: Update SAP Business Client, CX Commerce, and NetWeaver immediately to mitigate these risks.
That’s all for this week – have any exposures to add to our list? Let us know!