Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
Irretrievable data loss in macOS Big Sur
Apple has patched a programming bug in its flagship macOS Big Sur operating system that could lead to users being locked away from their data during a major software upgrade.
Usually, before any Mac device undergoes a significant OS update, the installation software performs a check for how much free hard disk space is available. In versions 11.2 and 11.3 of Big Sur, however, the check didn’t work as intended, according to Mr Macintosh, meaning the upgrade started even if users only had a few megabytes of space remaining.
The installer would eventually get stuck in a boot loop as it tried and failed to complete the installation. For users with Mac devices fitted with the T2 security chip and FileVault 2 encryption enabled, the problem was made worse, as this potent combination would permanently lock them out of their hard disk due to a failure to accept correct passwords in the recovery prompts following the installation process.
Centreon hit by SolarWinds-style supply-chain attack
French authorities have uncovered a wide-reaching supply-chain attack targeting several major organisations by hackers who compromised Centreon, an enterprise IT platform.
Centreon describes itself as a firm offering IT monitoring services that provide visibility to complex IT workflows from the cloud to the edge, with its customers including Airbus and Orange. The ANSSI cyber security agency claimed the hackers mainly targeted IT providers, and web hosting companies specifically.
The attack, which bears striking similarities to the devastating SolarWinds attack disclosed a few months ago, was orchestrated by alleged Russian cyber criminals, based on early evidence uncovered by investigators. One backdoor, for example, was identical to the Exaramel backdoor previously linked with the Russian TeleBots threat group.
Telegram patches major security holes
More than a dozen major vulnerabilities that could be triggered by remote hackers were fixed in the Telegram messaging service last year, according to a security researcher.
These 13 memory corruption flaws could have allowed attackers to send malicious animated stickers to users in order to gain access to their private messages, photos and video clips, if successfully exploited.
The leading WhatsApp alternative has now fixed all 13 flaws identified by the vulnerability researcher known as Polict, in three updates released across September and October for the Android, iOS, and macOS apps.
QNAP’s Surveillance Station vulnerable to exploitation
QNAP has patched a critical security flaw in its Surveillance Station app that, if exploited, could allow hackers to execute malicious code remotely on network-attached storage (NAS) devices running the software.
This app functions as a surveillance management system and can connect with up to 12 internet protocol (IP) cameras. However, It was found to be embedded with a stack-based buffer overflow vulnerability tracked as CVE-2020-2501, that meant NAS devices managed by the app were vulnerable to remote attack.
QNAP has now patched this bug, alongside fixing a separate cross-site scripting (XSS) flaw in its Photo Station app. This XSS flaw, which could’ve allowed hackers to inject malicious code into the service, was tagged CVE-2020-2502 and rated ‘medium’ in severity.
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
"Thinly spread": Questions raised over UK government’s latest cyber funding schemeThe funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
