August 17, 2024


Hello all,

I didn’t expect the massive amounts of vulnerabilities and software defects that were announced, and mostly fixed, this past week. I did expect a goodly volume, since it was Patch Tuesday, but not that many. The biggest surprise is Adobe. They nearly rivaled Microsoft in quantity. More on that in a moment. Make sure that you skim through the various links on our weekly page to see if something pertains to your environment so that malevolent individuals don’t spoil your week. So, onward faithful cyber warriors.

Headline NEWS:

  • Adobe, which has significantly less infrastructure and software than Microsoft, released patches for a whopping 79 vulnerabilities in their assorted products. Some of them can enable Remote Code Execution (RCE). Microsoft, for their part, had 89 security flaws. How, after all this time, can there still be that many issues being found in Adobe products on a regular basis? I’m finding myself agreeing with Jen Easterly of CISA more and more. These things are software defects and should be labeled as such. Speaking of defects…
  • AMD and Intel have released updates to address over 110 vulnerabilities in their products. The numbers are staggering, and some are very severe. Why do they keep coming in such quantities? In November there were more than 130 items patched by them!
  • Fortinet didn’t want to feel left out, so they released patches for FortiOS, FortiAnalyzer, FortiManager, FortiProxy, FortiPAM, and FortiSwitchManager. If you use these in your environment, patch quickly. Threat Actors love Fortinet bugs.
  • ICS Patch Tuesday: the major Internet of Things/Industrial Control System vendors released patches and updates. Check if yours has done so and update quickly. OT/ICS/IoT are now the new beachhead for sophisticated threat actors and Nation State infiltration.
  • Microsoft, as mentioned earlier, has pumped out fixes for 89 security defects. What is most concerning is the 10 zero-day items that were disclosed, six of which are already under active exploitation by dirtbags. Obviously, as experience has shown, vet that Microsoft’s patches are safe in your environment, and then apply them quickly to avoid being a victim. And pay attention to news of more incoming updates; some of the fixes are incomplete, and some require further action on your part after installing them. The TCP/IPv6 zero-day defect bears calling out. This thing requires zero clicks on the part of the victim for successful exploitation. The patch is out, so vet, and apply it – fast. And, if you don’t use IPv6 in your environment, turn it off. Reduce your attack surface.
  • Palo Alto Networks has made a patch available for a defect in their Cortex XSOAR product. If you’re using it, patch it.
  • SAP has released patches for 17 defects. Among them is one that allows a remote attacker to bypass authentication and fully compromise their SAP BusinessObjects Business Intelligence Platform. Fun times.
  • SolarWinds has released a hotfix to address an RCE defect in their Web Help Desk. You must be on the latest version, and then apply the hotfix to mitigate this flaw in their software.
  • Zabbix Server has a vulnerability that lets an authenticated attacker execute arbitrary code. Upgrade to the latest version to fix this problem.
  • Zoom patched a number of defects in Workplace Apps, SDKs, and Rooms Clients. The solution is to ensure that you upgrade to the latest version of their products.

In Ransomware, Malware, and Vulnerabilities News:

  • CISA’s Jen Easterly shared a music video that they created on LinkedIn that I found entertaining and informative. Check out Joan the Phone when you have a few minutes.
  • The US Government and various three- and four-letter agencies have had some nice wins announced this past week. They are linked in the upper portion of this section of the newsletter. Yay for the good guys!
  • National Public Data: well, if your personal data wasn’t out there in the hands of evil people before, it is now. I highly recommend that you follow the advice in the link just below the NPD announcement, and “Shield Your Data from Dark Web Hackers”.

In Other News Events of Note and Interest:

  • “DARPA competition shows promise of using AI to find and patch bugs” is an encouraging headline, especially in light of how many of these software defects are cropping up each month. I was privileged to witness this in action at DefCon32 recently. We do live in a remarkable age of innovation.
  • Both Google and Midjourney released updated AI image editors/generators. As this particular area of AI continues to advance, it is increasingly important to trust but verify anything that you see.

In Cyber Insurance News:

  • Cohesity Global Insurance Survey has some eye-opening statistics and information in their report. It is well worth reading.

Everything in life ultimately comes down to a value proposition. You must decide if the value of doing x outweighs the value of doing y. Do I purchase cyber insurance for my business, or is the cost so high that I feel I can justify going without? Do I patch the latest flaw in my ERP, and risk taking the system down for several hours, or possibly days if there is a problem, or do I feel confident in my other mitigations that the current flaw won’t be exploited? Do I, as a software vendor, spend millions of dollars rewriting software from the ground-up with security in mind, or do I continue to slap patches and fixes on top of it each month? Do I give up on my software vendor that patches dozens of flaws each month, costing me time, money and effort to mitigate, or do I rework my enterprise to use securely built from the ground up software? Seriously, how much valuable time and effort are we, as an industry, being asked to expend each month on defective products? It is time to demand better, or switch.

Visc. Jan Broucinek

Keep the shields up.

 Viscount Jan Broucinek
Red-N Weekly Cyber Security News
