Security updates issued for Atlassian, Citrix, VMware and Chrome products
Welcome to Cyber Security Today. It’s Wednesday, January 17th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
This episode is filled with news about security updates.
Last week I wrote a story on ITWorldCanada.com on the need to mitigate vulnerabilities in Ivanti’s Connect Secure and Pulse Secure VPNs and gateways. Some network administrators didn’t act fast enough. According to researchers at Volexity, who discovered the holes, as of Monday over 1,700 devices had been exploited. In its initial report Volexity said it found only one organization had been victimized. Now it says there’s evidence companies had been compromised as early as last December 3rd. The mitigations Ivanti urges will have to do until the company issues security updates. It’s important that administrators not only work to mitigate the vulnerabilities but also look for signs of compromise by a web shell.
Attention administrators of Atlassian products: A critical severity vulnerability has been discovered in Confluence Server and Data Server collaboration application that needs patching. It includes current and an out of date versions released before December 5th of last year, as well as version 8.45
In addition Atlassian released patches for 28 high-severity vulnerabilities in its products, including five in Confluence Data Center and Server, nine in Bamboo Data Center and Server and eight in Bitbucket Data Center and Server.
VMware has issued patches for its Aria Automation products. These close a critical access control vulnerability that could allow an authenticated hacker to remotely access organizations using VMware products. Aria Automation, previously called Cloud Foundation, streamlines the deployment of cloud infrastructure and applications.
Citrix is urging administrators to patch their installations of NetScaler ADC and NetScaler Gateway to close two vulnerabilities. One allows an attacker logged in with low-privileges to execute code, while the other would allow a denial of service attack. This alert applies only to customer-managed versions of these products.
Threat actors are actively exploiting a Windows vulnerability announced last November. That’s according to researchers at Trend Micro. The vulnerability allows attackers to bypass the protection in Windows Smart Screen. Attackers are exploiting unpatched Windows systems to install the Phemedrone information stealer. It targets web browsers and data from cryptocurrency wallets and messaging apps, takes screenshots and collects system information such as hardware, location and operating system details for further exploitation. It’s another reason why Windows patches need to be installed as soon as they are available.
Google has issued an update for Windows, Linux and Mac versions of the Chrome browser. The update, which will be rolled out over the next few days, includes four security fixes. An exploit for one of them is already out there, so IT departments have to make sure the update is installed fast.
Here’s more on browsers: Sometimes an application feature designed to benefit customers ends up being a security risk. That’s what happened with the Opera browser’s My Flow feature, which allows notes and file sharing between the desktop computer of a user and their mobile devices. Researchers at Guardio Labs discovered the feature would execute a malicious file from Opera’s file system that pretended to be a browser extension. This file would execute outside of the browser’s security confines. The developers of Opera were notified last November and they implemented the most critical part of a fix by removing problematic and insecure extensions and files from their servers. One lesson: Browser extensions can be easily created to steal data. Another lesson: Security has to be built into every app development workflow.
Any smart device — that is, a product that connects to the internet — has the possibility of being an entryway into a corporate IT network if security isn’t tight. The latest example is the Bosch BCC100 Wi-Fi smart thermostat used in buildings. Researchers at Bitdefender discovered a vulnerability that could let an attacker on the same network replace the device’s firmware with a rogue version. From there the attacker could do nasty things. The vulnerability was fixed in November. But, again, one lesson is security has to be built into every app development workflow.
Another company has allowed an unsecured database of sensitive information to be left open on the internet. According to security researcher Jeremiah Fowler, the database belonged to an American e-commerce provider. The database included photos of credit cards, drivers licences and other documents. How someone was able to create the database and leave access exposed isn’t explained.
Finally, the British Library’s catalogue of printed and rare books and other material is back online after the institution suffered a ransomware attack last October. However, for now the catalogue is available only in read-only format, meaning people can’t order items online. Full recovery of all IT services is still some time away. The Rhysida ransomware group stole and leaked some employee data.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
