Patch alert for Apple fans: Cybercrooks have already been exploiting this flaw in iPhones, iPads, and watches

Plus: Did Google expose a Western spying op? Who cares? You're safer

In brief Apple has issued critical security patches for all supported phones, fondleslabs, and watches after Google alerted it to a flaw that may already have been exploited in the wild.

The fix, issued on Friday as iOS 14.4.2 and iPadOS 14.4.2, closes CVE-2021-1879, a bug in the WebKit browser engine, and is urgently needed. According to Apple, processing "maliciously crafted web content" "may lead to universal cross-site scripting" – that is, a booby-trapped web page can run its script in the context of other sites, defeating the same-origin policy that is supposed to stop one website reading another's data and sessions. Apple also says it is aware of a report that the code snafu "may have been actively exploited."

To make matters worse, the problem was reported by Clement Lecigne and Billy Leonard of Google's Threat Analysis Group (TAG), the team that tracks state-sponsored attackers – a hint at who has been using it, and a sign this one is serious.

Cupertino also pushed out iOS 12.5.2 for older kit – iPhone 5s, 6, and 6 Plus holdouts, and those running the same code on an older iPad – to close the same hole. Even the company's wrist computer gets a fix: watchOS 7.3.3 patches the same bug on the Apple Watch.

Apple's privacy and security is better than most – provided you don't live in China or the like – but this one is worth checking rather than assuming: Settings > General > Software Update should show 14.4.2 (or 12.5.2 on the older devices). And because every browser on iOS, Safari or otherwise, is built on WebKit, switching browsers is no protection here; only the update is.

Cisco warns Jabber could spill the beans

On Thursday Cisco urged Jabber users to patch immediately after the discovery of flaws that allow code execution, data theft, or simply crashing the client, and it passed on warnings about a couple of serious OpenSSL bugs for good measure.

The flaws affect Cisco's Jabber clients for Windows, macOS, iOS, and Android: five were found in the Windows client, and two apiece in the macOS and mobile versions. The most serious, CVE-2021-1411, carries a CVSS score of 9.9 because it allows arbitrary program execution on an affected client, and there is no workaround – patching is the only fix.

"To exploit the vulnerabilities, an attacker must be authenticated to an Extensible Messaging and Presence Protocol (XMPP) server that the affected software is using," and be "able to send XMPP messages to a targeted system," Cisco said in its advisory.

Cisco also flagged two high-severity flaws in OpenSSL, following the open-source library's own advisory. The pair are CVE-2021-3450, a bypass of the check that a certificate's issuer is actually a CA when the X509_V_FLAG_X509_STRICT flag is set, and CVE-2021-3449, a NULL pointer dereference a client can trigger in a server during TLS 1.2 renegotiation. Together they would allow "an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition." Both are fixed in OpenSSL 1.1.1k. The strict-mode bypass only affects 1.1.1h through 1.1.1j, and only when an application sets the strict flag without a verification purpose (or with the TLS default purpose overridden), so older 1.1.1 builds and the 1.0.2 series escape that one; the renegotiation crash affects every 1.1.1 release before 1.1.1k.
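A quick way to tell whether a given OpenSSL build still has the strict-mode CA bypass is to hand it a chain in which a perfectly valid non-CA certificate has signed another certificate and see whether `openssl verify -x509_strict` rejects it. The script below is an added example written for this page, not code from the OpenSSL project or from Cisco: it generates a throwaway root CA, an end-entity certificate with `basicConstraints = CA:FALSE`, and a "leaf" signed by that non-CA key, all under made-up names such as `Test Root CA` and `not-a-ca.example`, then runs the strict-mode verification with no `-purpose`, the exact code path the OpenSSL advisory describes as affected. A fixed OpenSSL (1.1.1k or later, or any 3.x) fails the verify, typically with "invalid CA certificate"; 1.1.1h to 1.1.1j accept the chain. If `openssl` is not on the PATH, or the local build cannot generate the test certificates, the check reports that it was skipped rather than guessing.

```shell
#!/bin/sh
# Added example for this page (not OpenSSL or Cisco code): does this OpenSSL
# reject a certificate whose issuer is a valid but NON-CA certificate when
# -x509_strict is set?  That is the check CVE-2021-3450 bypassed in
# 1.1.1h-1.1.1j.  All names (Test Root CA, not-a-ca.example, ...) are made up.
#
# Exit status of check_non_ca_issuer:
#   0  chain rejected (expected on 1.1.1k+ and 3.x)
#   1  chain accepted (strict-mode CA check is bypassed)
#   2  openssl missing or certificate generation failed (nothing tested)
check_non_ca_issuer() {
    command -v openssl >/dev/null 2>&1 || return 2
    d=$(mktemp -d) || return 2

    # Minimal config so `req` works even if the system openssl.cnf is absent;
    # the subject is supplied with -subj, so the DN section can stay empty.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints = critical, CA:FALSE\n' > "$d/notca.ext"

    # 1. Genuine self-signed root CA (CA:TRUE, keyCertSign): the only trust anchor.
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1 || return 2

    # 2. Ordinary end-entity certificate issued by the root: valid, but CA:FALSE.
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=not-a-ca.example" -keyout "$d/notca.key" -out "$d/notca.csr" \
        >/dev/null 2>&1 || return 2
    openssl x509 -req -in "$d/notca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/notca.ext" -out "$d/notca.pem" \
        >/dev/null 2>&1 || return 2

    # 3. A leaf signed with the non-CA key.  The x509 tool happily signs it;
    #    it is the verifier's job to notice that the issuer is not a CA.
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=victim.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        >/dev/null 2>&1 || return 2
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/notca.pem" -CAkey "$d/notca.key" \
        -CAcreateserial -days 30 -extfile "$d/notca.ext" -out "$d/leaf.pem" \
        >/dev/null 2>&1 || return 2

    # 4. Strict-mode verification with no -purpose: the affected code path.
    #    The assignment's exit status is that of `openssl verify`.
    if VERIFY_OUTPUT=$(openssl verify -x509_strict -CAfile "$d/root.pem" \
            -untrusted "$d/notca.pem" "$d/leaf.pem" 2>&1); then
        rc=1    # accepted a non-CA issuer: the CVE-2021-3450 behaviour
    else
        rc=0    # rejected, typically with "invalid CA certificate"
    fi
    rm -rf "$d"
    return $rc
}

status=0
check_non_ca_issuer || status=$?
case $status in
    0) echo "OK: $(openssl version) rejects a non-CA issuer in -x509_strict mode"
       echo "$VERIFY_OUTPUT" ;;
    1) echo "VULNERABLE: $(openssl version) accepted a leaf signed by a non-CA certificate" ;;
    *) echo "SKIPPED: openssl not found or certificate generation failed" ;;
esac
```

Run it with the OpenSSL binary you actually ship or link against (set PATH accordingly); a product that bundles its own copy, as Cisco Jabber does, can be fine on the system library and still vulnerable in the bundle. The script uses only POSIX shell and options present in OpenSSL 1.1.1 and 3.x; an old LibreSSL that lacks `req -addext` will report SKIPPED rather than a false result. Dropping `-x509_strict` makes every version reject the chain, which is why the bug only bit applications that opted into strict mode.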

It's not as though Cisco admins didn't have enough to do. On Wednesday they got another 37 patches from the biz – 18 of them rated high severity. The US government's Cybersecurity and Infrastructure Security Agency (CISA) has urged admins to review the advisories and apply the fixes where possible.

Ransomware attack takes down Sierra Wireless

On Tuesday Sierra Wireless, the venerable Canadian maker of cellular modems and IoT gateways, had to halt manufacturing after getting hit with a nasty ransomware attack.

Only its internal systems were caught in the infection, but this still left factories offline until Friday, at which point the company reported that manufacturing had restarted and a number of internal IT systems had been restored.

"Sierra Wireless maintains a clear separation between its internal IT systems and its customer-facing products and services. Sierra Wireless believes that the impact of the attack was limited to Sierra Wireless' internal systems and corporate website, and that its products and connectivity services were not impacted, and its customers' products and systems were not breached during the attack," it said.

"At this point in its investigation of the ransomware attack, the company does not expect there to be any product security patches, or firmware or software updates required as a result of the attack."

Google bug fixes shut down Western counterterrorism op – report

In January Google's bug hunters reported finding an unusually large cluster of zero-day exploits in use by a sophisticated attacker. Now it appears the Chocolate Factory may have disrupted an anti-terrorism operation run by Western governments.

"There are certain hallmarks in Western operations that are not present in other entities... you can see it translate down into the code," a former senior US intelligence official told MIT Tech Review.

The six-part report from Google's Project Zero bug hunters and the aforementioned TAG detailed how 11 zero-day exploits were caught in use in under a year – an unusually high number. The bugs were reported to the affected vendors and patched.

Google didn't just help sort its own zero-day flaws, but those of Microsoft and Apple as well. If this anonymous government official is suggesting they run bug fixes past local spying agencies first, maybe it's a good thing that he's a "former" intelligence official.

ColdFusion hot for patching

Users of Adobe's ColdFusion web app dev platform, take heed – the biz has released out-of-band patches for every supported version, going back to the 2016 release.

"Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11," it said. "Applying the ColdFusion update without a corresponding JDK update will NOT secure the server."

While not rated critical, the flaw allows arbitrary code execution, so Adobe recommended a prompt fix – and note that the JDK update is part of it, not an optional extra. As we all should know, smaller problems become massive ones when chained together. ®

Biting the hand that feeds IT © 1998–2022