Weekly threat roundup: Zero-days in Windows, Adobe, Google Chrome

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

FBI warns against Windows 7 usage following Oldsmar hack

One of the most alarming scares of the week came about in the City of Oldsmar, Florida, in which hackers infiltrated a water treatment facility and jacked the Sodium Hydroxide (NaOH) levels to potentially lethal amounts.

It’s since emerged that they infiltrated the facility thanks to a potent combination of using the now-retired Windows 7 operating system, password-sharing, and use of the remote desktop software TeamViewer without a firewall.

While TeamViewer is itself entirely legitimate and used by businesses for remote IT support, the FBI has warned organisations to stay vigilant of unauthorised remote access to their systems through this service.

Microsoft fixes actively-exploited Windows 10 zero-day

The latest Patch Tuesday round of fixes from Microsoft saw 56 bugs fixed, including a dangerous vulnerability being actively exploited in the wild.

Tracked as CVE-2021-1732, the critical flaw affects the win32k component of Windows 10 and has been exploited in a handful of incidents to escalate privileges on a targeted device. The zero-day vulnerability has been exploited in China by BITTER APT, according to researchers with DBAPPSecurity, allowing hackers to run malicious code on a targeted system having escalated privileges.

This “sophisticated” exploit has been patched alongside ten additional ‘critical’ flaws, 43 ‘important’ bugs, two moderately severe bugs.

Google fixes actively exploited Chrome zero-day

Google has urged Chrome users to upgrade to the latest iteration, version 88.0.4324,150, following reports of a zero-day vulnerability that’s been successfully exploited in the wild.

The update fixed a memory corruption bug in Chome’s V8 JavaScript engine, tagged CVE-2021-21148, which has been actively exploited by attackers. This was reported by a researcher named Mattias Buelens to Google on 24 January.

While the exact attack mechanism hasn’t been disclosed, Microsoft also incidentally warned of North Korean hackers exploiting a Chrome zero-day on 28 January. Google hasn’t tied these two incidents together, although the overwhelming consensus is that they’re linked in some way.

Firefox users could fall victim to $i30 bug

Firefox has also updated its browser to protect users against a Windows 10 drive corruption vulnerability discovered in January that can be triggered by exploiting shortcomings in widely-used web browsers.

Hackers can crash targeted Windows 10 devices by simply getting them to access the $i30 new technology file system (NTFS) attribute through a web browser, according to findings published by security researcher Jonas L.

NTFS corruption could be remotely triggered by accessing “c:\:$i30:$bitmap” through the address bar, according to Tech Radar, before the update, although the issue has been fixed with version 85.0.1. Microsoft is still reportedly working on a core fix, although until this arrives, web browsers will need to individually patch their services to prevent exploitation.

Adobe software zero-day under attack

Adobe has released updates for multiple versions of its Adobe Acrobat and Reader services after receiving reports that attackers have exploited a critical flaw to target Windows users.

Tracked as CVE-2021-21017, the heap-based buffer overflow vulnerability has allowed hackers to conduct remote code execution attacks against victims running affected versions on their Windows machines. Affected software includes Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017, with Mac users also vulnerable.

This bug has been patched alongside 22 other flaws deemed both critical and important as part of Adobe’s Patch Tuesday round of bug fixes. They include information disclosure, arbitrary code execution and privilege escalation vulnerabilities, but have been patched with the latest versions of the affected software.

Critical flaws in Cisco VPN routers for businesses

Cisco has patched several critical vulnerabilities in its web-based management platform for internet routers marketed at small businesses. By exploiting these flaws, an attacker could execute arbitrary code remotely as the root user.

The seven critical flaws - tracked as CVE-2021-1289 through to CVE-2021-1295 - exist because HTTP requests are not properly validated, meaning an attacker could send a crafted HTTP request to the web management interface. Successful exploitation could allow an attacker to conduct remote code execution attacks.

Users of Cisco Small Business RV160, RV160W, RV260P and V260W VPN routers are advised to immediately upgrade their software to resolve any potential issues.