Patch Tuesday – September 2021 Edition

Several important patches and updates have been released by Microsoft and other vendors this week that deserve our immediate attention. Both Apple and Microsoft have addressed zero-day vulnerabilities, and Microsoft has even released yet another attempted fix for the PrintNightmare vulnerability.

Enjoy these two articles for additional details:

https://www.infosecurity-magazine.com/news/microsoft-fixes-omigod-mshtml/

https://krebsonsecurity.com/2021/09/microsoft-patch-tuesday-september-2021-edition/

Apple’s Urgent Updates – Interesting How’s and Why’s

By now, I imagine most of you are aware of the updates released by Apple to address two zero-day vulnerabilities in Apple iOS, Apple watchOS and Big Sur 11.6. Apple announced that these exploits are in the wild and actively in use. Needless to say, update your devices as soon as possible to defend against these threats. The larger story behind the “why” of these zero-day exploits caught my attention and deserves a little more attention.

Knowledge of these vulnerabilities came as the result of the work at the University of Toronto’s Citizen Lab and the Lab’s research on the exploit “FORCEDENTRY”. Ultimately, it was determined that aspects of this exploit were weaponized by Israeli surveillance vendor NSO Group and sold to multiple world government agencies, including the government of Bahrain, for use in spying against opposition leaders and dissidents. As the Hacker News reported, NSO Group engineers are facilitating ‘despotism-as-a-service’ to the highest bidder.

It would be completely naive to think that this type of offensive exploit development is not taking place at every level of government around the world, including within the walls of several US government agencies. I am particularly disturbed in this situation by the lack of discretion in client choice by the NSO Group and the open monetization of this tool to oppressive governments. I expect more of our democratic allies. That said, I believe my expectations are misplaced.

The world is changing and we need to be prepared to defend ourselves against the output of these vendors – the exploits and rootkits and tools – as they get leaked to cybercriminals everywhere via the dark web. Stay patched. Faithfully use MFA. Build layered defenses. Be diligent and stay prepared.

https://www.infosecurity-magazine.com/news/apple-patch-pegasus-spyware/

https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html

OceanLotus: macOS malware update

A little virtual exercise for anyone reading this article this morning – raise your hand if, when you close your eyes and go to your happy place, you truly believe Apple Mac computers cannot get viruses or malware.  Go ahead.  Be honest.  Search your heart for what is often a painful truth.  I saw a few hesitant hands go up, at least for a second or two.  It is ok.  I get it.

I am a Mac user too, and though I would love to believe my Mac is safe and sound from all malware attacks and virus strains, the truth is Macs are targets too, and viruses and malicious code are being developed and deployed every day to infiltrate our Apple devices, collect data, and cause harm.  Yes, Macs represent a smaller target pool in comparison to Windows workstations, but Macs are still a target.  In many cases, Macs are specifically targeted because of the types of power users and executives who choose to use Apple products.

As this article from ESET demonstrates, the threats are real and precautions are warranted.  Make sure you properly patch and configure your Mac workstations and laptops.  Run a form of advanced malware protection.  Be prepared.

https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

Apple scrambles to fix FaceTime eavesdropping bug

This is a huge miss on the part of Apple to allow this level of flaw/vulnerability into the wild.  If rumors are true, this issue was also covered up for a bit while a patch was under construction.  Please take the time to disable FaceTime on your iOS and macOS devices immediately until a patch can be distributed by Apple.

https://nakedsecurity.sophos.com/2019/01/29/apple-facetime-eavesdropping-bug/

https://www.schneier.com/blog/archives/2019/01/iphone_facetime.html

https://www.infosecurity-magazine.com/news/group-facetime-disabled-while/

Apple releases iOS 11.4.1 and blocks passcode cracking tools

This is an important update from Apple and a solid step toward better security for iOS devices.  Much is made of this update relative to the actions of law enforcement agencies in obtaining information from seized devices.  That is not the only story or the only reason this update is relevant.  It is a genuine protection against sidejacking and other malicious intrusions that can occur from many others outside of the realm of the FBI or your local police department.

Review your devices and patch accordingly.

https://www.theverge.com/2018/7/9/17549538/apple-ios-11-4-1-blocks-police-passcode-cracking-tools