In brief Apple has issued critical security patches for all supported phones, fondleslabs, and watches after being alerted to multiple possible intrusions by Google.
The fix issued on Friday for iOS 14.4.2 and iPadOS 14.4.2, CVE-2021-1879, is urgently needed. According to Apple, the flaw allows for the creation of "maliciously crafted web content," which "may lead to universal cross-site scripting." Apple has heard that the code snafu "may have been actively exploited."
To make matters worse, the problem was reported by Clement Lecigne and Billy Leonard of Google's Threat Analysis Group (TAG), which monitors state-sponsored cyber attacks, which suggests this one's serious.
Cupertino also warned iOS 12.5.2 users with older kit – iPhone 5s, 6, and 6 Plus holdouts, and those using the same code on an iPad – to update for the same flaw. Even Cupertino's wrist computer app, watchOS 7.3.3, is vulnerable.
Apple's privacy and security is better than most – provided you don't live in China or the like – but this one looks like something you should check to make sure it is patched.
Cisco warns Jabber could spill the beans
On Thursday Cisco urged Jabber users to patch immediately after the discovery of flaws that allow code execution, data theft, and/or simply crashing the entire system, along with a couple of serious OpenSSL issues for good measure.
The issue affects Jabber for Windows, macOS, iOS, and Android clients, with five flaws found in Redmond's version, and two apiece in macOS and mobile versions. The most serious issue, CVE-2021-1411, carries a 9.9 CVSS score because it would allow code execution on any Jabber client and there's no workaround.
"To exploit the vulnerabilities, an attacker must be authenticated to an Extensible Messaging and Presence Protocol (XMPP) server that the affected software is using," and be "able to send XMPP messages to a targeted system," Cisco said in its advisory.
Cisco also disclosed two high-severity flaws in OpenSSL following the open-source software library's own warning of issues. Rated high severity, they would allow "an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition."
It's not as though Cisco admins didn't have enough to do. On Wednesday they got another 37 patches from the biz – 18 of which were rated high severity. The US government's Cybersecurity and Infrastructure Security Agency has warned that these need to be checked and fixed where possible.
Ransomware attack takes down Sierra Wireless
On Tuesday venerable transmitter tech biz Sierra Wireless had to stop manufacturing after getting hit with a nasty ransomware attack.
Only its internal systems were caught in the infection, but this still left factories offline until Friday, at which point the Canadian company reported manufacturing had restarted and it had restored a number of internal IT sustems.
"Sierra Wireless maintains a clear separation between its internal IT systems and its customer-facing products and services. Sierra Wireless believes that the impact of the attack was limited to Sierra Wireless' internal systems and corporate website, and that its products and connectivity services were not impacted, and its customers' products and systems were not breached during the attack," it said.
"At this point in its investigation of the ransomware attack, the company does not expect there to be any product security patches, or firmware or software updates required as a result of the attack."
Google code fixes shutdown Western counterterrorism op – report
In January Google's bug hunters reported blocking an unusual number of zero-day flaws being used by sophisticated criminals. Now it appears that the Chocolate Factory may have disrupted an anti-terrorism op by Western governments.
"There are certain hallmarks in Western operations that are not present in other entities... you can see it translate down into the code," a former senior US intelligence official told MIT Tech Review.
The six-part report from Google's Project Zero bug hunters and the aforementioned TAG detailed how a total of 11 zero-day attacks were detected being used in less than a year, an unusually high number. So they made patches and fixed the problem.
Google didn't just help sort its own zero-day flaws, but those of Microsoft and Apple as well. If this anonymous government official is suggesting they run bug fixes past local spying agencies first, maybe it's a good thing that he's a "former" intelligence official.
ColdFusion hot for patching
Users of Adobe's ColdFusion web app dev platform, take heed – the biz has released some out-of-band patches for every build issued since 2016.
"Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11," it said. "Applying the ColdFusion update without a corresponding JDK update will NOT secure the server."
While not critical, Adobe recommended a quick fix since the flaws would allow arbitrary code execution. But, as we all should know, smaller problems become massive ones when chained together. ®