April 5, 2025

(Click here to see a video version of this week’s introduction)

Hello all,

Apache had a bad week with two vulnerabilities, the first in Parquet and the second in Tomcat. Ivanti has another zero-day, Apple shipped a large batch of updates, CrushFTP has some disclosure drama going on, and Microsoft celebrated 50 years. Of course there are plenty of other things to talk about, so onward.

Headline NEWS:

  • Apache Parquet has a critical defect that is rated 10.0 on CVSS. This one does require a bit of effort, because an attacker must first trick “… a vulnerable system into reading a specially crafted Parquet file” before “they could gain remote code execution (RCE) on that system.” This one is not known to be currently exploited, so patch soon.
  • Apache Tomcat vulnerability under active exploitation. This hole allows for Remote Code Execution (RCE). If you run any version of Apache Tomcat, check your version immediately; if it is not at least 9.0.99, 10.1.35, or 11.0.3 (for the 9.0, 10.1, and 11.0 branches respectively), upgrade immediately and check for signs of compromise.
  • Apple patched three zero-days with their most recent OS updates. The flaws were deemed severe enough that the iFruit company back-ported the fixes to older OS versions as well. Check your Apple devices for updates as a large number of security fixes were contained in the latest releases.
  • Ivanti Connect Secure received a fix for a defect that has been actively exploited since March. The vulnerability exists in “Pulse Connect Secure 9.1x (which reached end-of-support in December), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways.” This nasty hole does not require authentication or user interaction to exploit. Some of the aforenamed products don’t have fixes yet, so watch for announcements from Ivanti as to availability.
  • CrushFTP privately reached out to customers several weeks ago to warn of a defect that was discovered by Outpost24 and which needed to be fixed immediately. Unknown to CrushFTP and Outpost24, another company discovered the same vulnerability and had a public CVE issued for it, which resulted in Proof of Concept (PoC) code rapidly becoming available. CrushFTP had already been working with Outpost24 within a 90-day disclosure period in an attempt to mitigate before the vulnerability became public knowledge, and had already applied for a CVE of its own. Unfortunately, exploitation is now underway against as-yet-unpatched systems. If you use CrushFTP, ensure you are patched, and check for Indicators of Compromise (IoCs).
  • Microsoft celebrated 50 years this past Friday. Big Redmond used their celebratory event to announce a slate of Copilot agents and features, many of which are available for use now. Furniture is considered an antique at 50; does this apply to a computer company? I guess we’ll soon see as Microsoft continues its rapid evolution into an AI-centric company.
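A small version-triage script for the Tomcat item above, added here as an example; it is not code from this newsletter or from the Apache Tomcat project. It parses the “Server version: Apache Tomcat/x.y.z” line that $CATALINA_HOME/bin/version.sh prints, compares it per branch against the three fixed releases named in the item (9.0.99, 10.1.35, 11.0.3), and deliberately makes no claim about branches the item does not list (for example 8.5.x), which are flagged for manual review instead. The host inventory is constructed sample data, not real hosts.

```python
"""Triage Apache Tomcat version strings against the fixed releases named above."""
import re
from typing import Dict, Optional, Tuple

# Minimum fixed release per supported branch, taken from the newsletter item.
FIXED_RELEASES = {
    (9, 0): (9, 0, 99),
    (10, 1): (10, 1, 35),
    (11, 0): (11, 0, 3),
}

# Matches "9.0.98" or "11.0.0-M26", whether bare, as "Apache Tomcat/9.0.98",
# or inside the "Server version: ..." line that version.sh prints.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable tuple (major, minor, patch, is_ga, milestone).

    A milestone build such as 11.0.0-M26 must sort *before* the 11.0.0 GA
    release, so GA builds get is_ga=1 and milestones get is_ga=0 plus their
    milestone number; plain tuple comparison then orders them correctly.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in range(1, 4))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(milestone))


def tomcat_is_patched(text: str) -> Optional[bool]:
    """True if at/above the fixed release for its branch, False if older.

    Returns None when the branch is not one of the three the item lists;
    this script does not guess about unlisted branches.
    """
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    # Append the GA marker so the fixed release compares as a GA build.
    return version >= fixed + (1, 0)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory of version strings to a verdict."""
    verdicts = {}
    for host, text in inventory.items():
        patched = tomcat_is_patched(text)
        if patched is None:
            verdicts[host] = "unlisted branch, review manually"
        elif patched:
            verdicts[host] = "patched"
        else:
            verdicts[host] = "UPGRADE and check for compromise"
    return verdicts


# Constructed sample inventory (hypothetical host names), e.g. collected by
# running "$CATALINA_HOME/bin/version.sh | grep 'Server version'" on each host.
SAMPLE_INVENTORY = {
    "web01": "Server version: Apache Tomcat/9.0.98",
    "web02": "Server version: Apache Tomcat/10.1.35",
    "web03": "Server version: Apache Tomcat/11.0.0-M26",
    "legacy": "Server version: Apache Tomcat/8.5.100",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The milestone handling matters in practice: a naive string compare would rank 11.0.0-M26 above 11.0.0 and wrongly call a pre-release “patched”. A result of “patched” only means the version is at or past the listed fix; it says nothing about whether the host was already compromised, which is why the item tells you to check for signs of compromise as well.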

In Ransomware, Malware, and Vulnerabilities News:

  • More than One-Third of Data Breaches Due to Third-Party Compromises is a scary statistic. You can be doing everything right with your data and your organizational security, and despite all of your efforts you can still suffer massive damage because of a trusted third party. Make sure that your contracts specify who is liable for notifications, and that you fully understand what security measures and practices are in place before allowing “trusted” access to your data.
  • Oracle continued its public denials of any breach in “Oracle Cloud”, splitting hairs with precise language about what was and was not said. Cybersecurity researchers advised Oracle clients to reset “all credentials in Oracle Cloud SSO, LDAP, or encrypted configuration files; invalidating existing sessions and tokens; and reviewing access logs, authentication records, and application behavior across Oracle Cloud components.”

In Other News Events of Note and Interest:

  • Alexa Plus Early Access Is Coming to Select Echo Show Devices, and it may truly launch the personal AI revolution. Amazon has sold over half a billion Alexa devices, most of which will be compatible with the new Alexa Plus AI. This will be a monumental shift that will enable millions of households to interact conversationally with an AI in a way the original Alexa could only dream of. If Amazon’s claims bear out, this is the move that will bring AI to the masses. I wonder, are we ready?

Musings:

Microsoft, which is credited with launching the “personal computer” revolution, just turned 50 years old. We now have more power in the watch on our wrists than existed in the first computer that ran MS-DOS, we’ve put datacenters at the bottom of the ocean, and we’ve even attempted to put a datacenter on the moon. Nearly everyone carries around a device that, in one generation, miniaturized and for many replaced individual products and services such as cameras, phones, radios, watches, calculators, TVs, address books, books, photo albums, reservation agents, personal coaches, wallets, cash, physical stores, and more. And now we’re about to enter a new era of computing where we are not the physical creators; rather, we are the inspiration and direction, and machines, directed by Artificial Intelligence, will be making the tools, computers, software, and appliances that we use in our day-to-day lives. I wonder what the next 50 years will bring.

Visc. Jan Broucinek

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News
