Security news weekly round-up - 6th November 2020

Habdul Hazeez - Nov 6 '20 - Dev Community

Cover photo by Jazmin Quaynor on Unsplash.

This week it's all about bugs 🐛.


WARNING: Google Discloses Windows Zero-Day Bug Exploited in the Wild

Microsoft Windows needs no introduction and the title of the article is not surprising.

Excerpt from the article:

The elevation of privileges (EoP) vulnerability, tracked as CVE-2020-17087, concerns a buffer overflow present since at least Windows 7 in the Windows Kernel Cryptography Driver ("cng.sys") that can be exploited for a sandbox escape.

"The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue," Google's Project Zero researchers Mateusz Jurczyk and Sergei Glazunov noted in their technical write-up.

New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service

The title says it all.

Excerpt from the article:

Called NAT Slipstreaming, the method involves sending the target a link to a malicious site (or a legitimate site loaded with malicious ads) that, when visited, ultimately triggers the gateway to open any TCP/UDP port on the victim, thereby circumventing browser-based port restrictions.

Adobe fixes critical security vulnerabilities in Acrobat, Reader

Are you using either of the above-named products? Update now!

Excerpt from the article:

In all, the company today addressed 14 security flaws affecting the two products, 10 of them rated as either critical or important severity bugs.

These bugs may allow arbitrary code execution, local privilege escalation, information disclosure, arbitrary JavaScript execution, and dynamic library injection.

New Chrome Zero-Day Under Active Attacks – Update Your Browser

Update your browser.

Excerpt from the article:

The zero-day flaw, tracked as CVE-2020-16009, was reported by Clement Lecigne of Google's Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero on October 29.

The company also warned that it "is aware of reports that an exploit for CVE-2020-16009 exists in the wild."

From the Naked Security blog post on the same topic:

On Android, things are worse, and the version you need is 86.0.4240.185, because the Android patches include a fix for an additional bug, dubbed CVE-2020-16010, that is apparently unique to the Android version of Chrome…

Google Discloses Details of GitHub Actions Vulnerability

The title says it all.

Excerpt from the article:

Tracked as CVE-2020-15228, the vulnerability is related to the use of the set-env and add-path workflow commands, which are set to be disabled. GitHub has assigned the issue a moderate severity rating, but Google Project Zero says it’s high severity.

Update Your iOS Devices Now — 3 Actively Exploited 0-Days Discovered

iPhone users, please update your devices.

Excerpt from the article:

Rolled out as part of its iOS, iPadOS, macOS, and watchOS updates, the flaws reside in the FontParser component and the kernel, allowing adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges.

Critical bug actively used to deploy Cobalt Strike on Oracle servers

That moment when a legitimate tool is used by adversaries. That is the case with Cobalt Strike.

Excerpt from the article:

"Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans," the Cisco Talos Incident Response (CTIR) team revealed in a September quarterly report.


That's it for this week, I'll see you next Friday.
