Apple’s Urgent Updates – Interesting How’s and Why’s

By now, I imagine most of you are aware of the updates released by Apple to address two zero-day vulnerabilities in Apple iOS, Apple WatchOS and Big Sur 11.6. Apple announced that these exploits are in the wild and actively in use. Needless to say, update your devices as soon as possible to defend against these threats. The larger story behind the “why” of these zero-day exploits caught my attention and deserves a little more attention.

Knowledge of these vulnerabilities came as the result of the work at the University of Toronto’s Citizen Lab and the Lab’s research on the exploit “FORCEDENTRY”. Ultimately, it was determined that aspects of this exploit were weaponized by Israeli surveillance vendor NSO Group and sold to multiple world government agencies, including the government of Bahrain, for use in spying against opposition leaders and dissidents. As the Hacker News reported, NSO Group engineers are facilitating ‘despotism-as-a-service’ to the highest bidder.

It would be completely naive to think that this type of offensive exploit development is not taking place at every level of government around the world, including within the walls of several US government agencies. I am particularly disturbed in this situation by the lack of discretion in client choice by the NSO Group and the open monetization of this tool to oppressive governments. I expect more of our democratic allies. That said, I believe my expectations are misplaced.

The world is changing and we need to be prepared to defend ourselves against the output of these vendors – the exploits and rootkits and tools – as they get leaked to cybercriminals everywhere via the dark web. Stay patched. Faithfully use MFA. Build layered defenses. Be diligent and stay prepared.

https://www.infosecurity-magazine.com/news/apple-patch-pegasus-spyware/

https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html

Patch Your Microsoft Windows and Office: Fortinet Discovers Three Zero-Day Remote Code Execution Vulnerabilities

The Patch Tuesday cycle has begun once again and the team at Fortinet has announced some of the conditions surrounding several of the Windows and Office related patches that have been released by Microsoft.  Please review your environments and patch your systems accordingly.

https://www.fortinet.com/blog/threat-research/microsoft-windows-office-zeroday-remote-code-vulnerabilities.html

Latest Chrome update plugs a zero-day hole

I particularly like the title from the linked article from “The Register” – “Put down the cat, coffee, beer pint, martini, whatever you’re holding, and make sure you’ve updated Chrome (unless you enjoy being hacked)”. It is imperative that we all patch these types of zero-day vulnerabilities, especially once they are active in the wild. Review and patch accordingly!

https://www.theregister.co.uk/2019/03/07/google_chrome_zero_day/

https://www.welivesecurity.com/2019/03/07/latest-chrome-update-plugs-zero-day-hole/

LastPass password manager “zero-day” bug hits the news

This is a very good, common sense explanation of the “zero-day” vulnerability that has been discussed in the press for the popular password manager LastPass.  I agree that caution is warranted, but I do not believe it is time to wholesale abandon the product or the use of password managers in general.  Watch for the patch and apply as soon as possible.

https://nakedsecurity.sophos.com/2016/07/27/lastpass-password-manager-zero-day-bug-hits-the-news/

Microsoft Zero Day Exposes 100 Companies to PoS Attack

This article is an excellent reminder of why it is very important for retailers to move forward with the implementation of EMV/Chip-Pin card readers and the necessary associated Point-of-Sale software. Far too many retailers have hardware in place, but lack the software to leverage this new technology.

It is also important to remember the value of timely patching of all systems, regardless of the card handling mechanisms in place.

https://threatpost.com/microsoft-zero-day-exposes-100-companies-to-pos-attack/118026/

FBI might have a way to unlock shooter’s iPhone without Apple’s help

I must admit that my first gut reaction to this story was to make a joke about the FBI discovering Google and realizing that there are numerous other ways to extract data from a mobile device without a court order. That said, there are serious implications to personal security if the FBI has discovered or has been given an iPhone zero-day that can be exploited in the wild. Many an ethical and social dilemma arises from this conversation. I suppose we will have to wait and see.

https://nakedsecurity.sophos.com/2016/03/22/fbi-might-have-a-way-to-unlock-shooters-iphone-without-apples-help/