By now, I imagine most of you are aware of the updates released by Apple to address two zero-day vulnerabilities in Apple iOS, Apple watchOS and Big Sur 11.6. Apple announced that these exploits are in the wild and actively in use. Needless to say, update your devices as soon as possible to defend against these threats. The larger story behind the “why” of these zero-day exploits caught my attention and deserves a closer look.
Knowledge of these vulnerabilities came as the result of the work at the University of Toronto’s Citizen Lab and the Lab’s research on the exploit “FORCEDENTRY”. Ultimately, it was determined that aspects of this exploit were weaponized by Israeli surveillance vendor NSO Group and sold to multiple world government agencies, including the government of Bahrain, for use in spying on opposition leaders and dissidents. As The Hacker News reported, NSO Group engineers are facilitating ‘despotism-as-a-service’ to the highest bidder.
It would be completely naive to think that this type of offensive exploit development is not taking place at every level of government around the world, including within the walls of several US government agencies. I am particularly disturbed in this situation by the lack of discretion in client choice by the NSO Group and the open monetization of this tool to oppressive governments. I expect more of our democratic allies. That said, I believe my expectations are misplaced.
The world is changing and we need to be prepared to defend ourselves against the output of these vendors – the exploits, rootkits and tools – as they get leaked to cybercriminals everywhere via the dark web. Stay patched. Faithfully use MFA. Build layered defenses. Be diligent and stay prepared.
Given the nature of these vulnerabilities, please review your environment and make sure your version of Chrome is up to date.
This situation is a great example of the importance of patch and firmware management. Just because a system is hosted in the cloud does not mean that you are not responsible for part, if not all, of the patch and firmware oversight. Pay close attention to your service level agreements and other cloud services documentation.
If you are using these particular Azure services from Microsoft, please review this content and patch accordingly.
As the article author states, it has been an embarrassing few days for Adobe and their patch process. Though we like to poke fun at Adobe and we often whine about the ongoing parade of vulnerabilities, do not get lulled into a state where patches are missed and systems are left vulnerable. Please review your environment and patch accordingly.
Though on its face this sounds like good news, a slight reduction in the number of reported and identified vulnerabilities does not really point to an improvement in the overall security of technology users. In all honesty, I believe cybercriminals are more effectively leveraging existing vulnerabilities and taking advantage of the human element (phishing, adware, social engineering) to gain the access they desire.
What a wonderful case of “Do as I say…not as I do”. The realistic labor and cost implications of information security have eluded the federal government for far too long. DHS clearly does not grasp practical IT management. There is no sound argument as to why basic blocking and tackling has not been performed. DHS has a huge target on its back. It must lead this fight for US government agencies and not hide from it.
Linus Torvalds and many others have come out in protest against the hasty and often flawed patching approach to the Meltdown and Spectre vulnerabilities. It is good to see Intel pumping the brakes on this process and taking a closer look at the architectural needs associated with the correction of this flaw.
More information came to light yesterday evening and overnight concerning the reported flaws in Intel and other processors. I am including numerous links to multiple sources, but some of the key updates include:
- There are actually two architectural vulnerabilities in play – Meltdown and Spectre
- This is more than an Intel problem – AMD and ARM chips are also affected to various degrees
- Microsoft has released an emergency out-of-band patch overnight that begins to address some of the vulnerabilities
- There are still many unknowns as to the extent of impact that will come from patching and/or rearchitecting OS/chipset interactions