April 19, 2025


Hello all,

I was expecting a quieter week, but I was surprised by how many serious vulnerabilities were revealed, and about the drama surrounding MITRE and their CVE contract, spawning at least two new numbering authority prospects in response. I sincerely hope that these players will cooperate, otherwise a trifurcation of this important service will do more harm than good.

Headline NEWS:

  • Apache Roller, an open-source, Java-based blogging server, has a hole large enough to be seen from almost-space by Katy Perry, scoring a perfect ten on CVSS. The fix is to update to the latest version.
  • Apple plugged a couple of zero-day vulnerabilities that the iFruit company reported were being exploited against targeted individuals. CISA has ordered that all Federal agencies update by May 8, 2025. Check your system for updates to keep the fruit flies away.
  • ASUS has released updates for some routers to plug an authentication bypass defect when using their AiCloud. This is as bad as it gets because it needs no authentication to exploit. If your device has an update, do so ASAP. If yours is EOL, turn off the AiCloud feature.
  • Atlassian released “seven updates that address four high-severity flaws impacting third-party dependencies in Bamboo, Confluence, and Jira, including some that were publicly disclosed nearly six years ago.” If you use a self-hosted version of this, it would be wise to update quickly.
  • MITRE (Massachusetts Institute of Technology Research Establishment) had funding renewed by CISA at the 11th hour for another 11 months so that it can continue to run both the Common Vulnerabilities and Exposures (CVE) program and the Common Weakness Enumeration (CWE) program. During the drama and outcry over the potential shutdown of this valuable worldwide resource, several other independent bodies announced that they too will begin performing CVE and CWE enumeration and enrichment. Let’s hope they cooperate and don’t compete.
  • Cisco Webex has a defect that enables someone to “execute arbitrary code remotely by convincing a user to click on a crafted meeting invite link and download arbitrary files”. In other words, a bad guy can send a meeting link and compromise your system. Update to the latest version to plug this hole.
  • Google Chrome and Mozilla Firefox released new versions to patch severe vulnerabilities this past week. Naturally, browsers based on the Chromium and Gecko engines will follow suit shortly. Make sure you check your browser for updates, or at the least close and reopen it, which should trigger an update cycle on most.
  • Erlang/Open Telecom Platform (OTP) has a critical defect in its SSH implementation, with a perfect CVSS of 10.0, that requires patching. Unfortunately for most of us, this needs to be patched by our hardware or software vendors. If you do not have a patch available, take mitigating action such as disabling SSH, or at the least limiting access to only specific IP addresses via firewall and port rules – which is best practice anyway.
  • Widespread Microsoft Entra account lockouts were apparently triggered in error by a new Microsoft Enterprise App that was installed on Friday. Yes, on a holiday weekend! Before Redmond realized their blunder, thousands of accounts worldwide had been flagged as “High Risk” and locked. It could be an interesting Monday for lots of IT folk.

In Ransomware, Malware, and Vulnerabilities News:

  • Data Poisoning is something that I’ve mostly associated with vengeful or disgruntled employees. But a recent article posits: what if ransomware actors do this? There have been recent news reports of attacks on water pumping stations in which chemical levels were altered, which would have been lethal if not caught. A restaurant employee maliciously added a warning about peanuts to menu items. What if that had been the other way around? Now imagine an evil ransomware dirtbag infiltrating a hospital and altering patient records, removing allergy lists, changing medications, or accessing financial records and altering numbers, or finding research files and making changes. How long would it take to find that needle in a haystack? Could you do it before someone died, or before a company couldn’t meet payroll or pay suppliers? Sadly, these scenarios are highly possible and easy to perform. And I don’t think we’re ready for them.

In Other News Events of Note and Interest:

  • Microsoft Patch Tuesday brought a bunch of needed fixes, but it also brought a goodly amount of chaos. Windows Server 2025 systems encountered a problem with firewall profiles, Outlook Classic has random CPU spikes, random Blue Screens Of Death are popping up on Windows 11 systems, Windows Hello logins are not working, and more. Even with these highly annoying defects, it is still in your best interest to apply the patches, if your system can handle them. Active exploitation of the patched defects is already underway. The disease is still worse than the cure, but not by much it seems.

Musings:

My wife enjoys feeding the critters in our backyard. She has a bird feeder that brings her hours of entertainment, watching the wide variety of feathered friends that enjoy the free feast. The squirrels didn’t take long to notice the buffet, and the fuzzy-tailed threat actor rats tried to get in on the action. Thankfully, after a bit of research, I found that a squirrel baffle on the feeder pole keeps them from being able to climb up. So now they forage underneath it for gleanings dropped by my wife’s prized plumed avians. But I must stay vigilant, as trees and other plants grow up near the feeder and, if not pruned, provide the unwanted intruders with a springboard to bypass my defenses. In the same way, we need to ensure that we’re pruning our digital worlds. We tend to accumulate technology and keep it around forever without retiring it, sometimes entirely forgetting it. Don’t leave springboards around for unwanted fuzzy-tailed rats. Prune that old tech.

Visc. Jan Broucinek

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News
