In brief Apple on Monday released security patches for macOS, iOS, iPadOS, watchOS, and Safari to fix up a vulnerability that can be exploited by malicious web pages to run malware on victims' computers and gadgets.
Thus surfing to a dodgy page could be enough to hand over control of your iThing or Mac to miscreants. Apple thanks Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research for reporting the arbitrary code execution security flaw, CVE-2021-1844, which is present in WebKit, the browser engine used by various bits of Cupertino code.
Here's a rapid-fire summary of other infosec news today.
Chrome exploited: Google last week patched a mystery security flaw, CVE-2021-21166, in the audio-handling part of its Chromium browser engine said to have been exploited in the wild. The bug was discovered by, again, Alison Huffman of Microsoft Browser Vulnerability Research.
Google Chrome 89.0.4389.72 includes a fix for the audio flaw as well as 46 other security patches. Microsoft Edge, which uses Google's browser engine, has also been updated.
SolarWinds: SecureWorks on Monday said what looks like a China-based team exploited one or more internet-facing SolarWinds servers to install a web shell to remotely control the system or systems. This is said to be separate to the hidden backdoor installed in SolarWinds' Orion network monitoring software by suspected Russian cyber-spies to infiltrate selected targets.
The torture garden of Microsoft Exchange: Grant us the serenity to accept what they cannot EOLREAD MORE
Microsoft Exchange: It's estimated that 30,000 organizations, from small biz to government bodies, have been compromised by miscreants exploiting critical security holes in internet-facing Microsoft Exchange server software. Redmond patched the holes earlier this month – make sure you've applied the updates, and/or searched for signs of compromise.
Malwarebytes, meanwhile, said it has found 1,000 Exchange servers on the public internet with remote-control panels installed on them by miscreants.
Homomorphic encryption: Intel has pledged to design a chip that accelerates homomorphic encryption in collaboration with Microsoft and the US government's boffinry agency DARPA. The silicon is expected to be commercialized and appear in Microsoft's Azure cloud.
This development will be part of DARPA's unfortunately named DPRIVE project – that's Data Protection in Virtual Environments. Homomorphic encryption allows you to perform operations on encrypted data without having to decrypt it into plain text, work with it, and then encrypt the output. Microsoft is a fan of the technology. ®