August was full of surprises for the technology sector, most of them centered on serious vulnerabilities in popular software, web applications and operating systems. While this is nothing new for today’s tech-savvy consumers, many of the identified flaws exposed users to identity theft and data theft. What’s more, some of the vulnerabilities had been present and exploited for years before anyone noticed, raising questions about vendors’ ability to detect and mitigate zero-day exploits. Addressing these issues will be a chief concern moving forward, as declining consumer confidence could have serious repercussions for the technology market over the next few years. To help you stay ahead of the curve, this month’s tech roundup shines a spotlight on two key news stories every consumer should know about.
Google reveals iPhone security defects allowed websites to steal user data
In late August, security researchers at Google’s Project Zero announced they had analyzed a small collection of hacked websites that had been used for at least two years to attack iPhones indiscriminately: any vulnerable device that visited one of the sites was compromised. According to the blog post, Google reported the vulnerabilities to Apple on February 1, which prompted the technology giant to ship an out-of-band fix in iOS 12.1.4 about a week later, along with a support note describing the update’s security content. Despite Apple’s quick response, the sites were receiving thousands of visitors per week, so a large number of devices had likely been infiltrated by the time a fix was publicly available. Diving a bit deeper into Google’s findings, the researchers documented a total of 14 vulnerabilities across five different exploit chains, including:
- 7 vulnerabilities in Safari, the iPhone’s web browser, which served as the initial entry point
- 5 vulnerabilities in the iOS kernel
- 2 separate “sandbox escapes”
Between them, the chains covered almost every iOS release from iOS 10 through iOS 12 (up to 12.1.3), and simply loading one of the hacked pages was enough: the exploit server would chain the browser, sandbox-escape and kernel bugs to install a “monitoring implant” on the device, with no further interaction from the user. The implant ran with root privileges, so it could upload the user’s photos, real-time location and the unencrypted on-device message databases of apps such as iMessage, WhatsApp and Telegram, which sidesteps those apps’ end-to-end encryption without having to break it. It could also dump the iPhone’s keychain, which holds saved passwords, tokens and certificates; stolen tokens can keep giving an attacker access to accounts even after the implant is gone. One caveat from Google’s teardown is that the implant had no persistence mechanism, so a reboot removed it; by then, however, the data had already been exfiltrated, and the device could be reinfected the next time the user visited one of the sites.
This string of zero-day exploits was uncharacteristic for Apple products, as the company’s iPhones and other mobile devices are widely considered to be highly secure. While it’s still unclear which parties may have been behind the attack, many researchers are quick to point out that building five working iPhone exploit chains is extremely difficult and expensive, the kind of effort most often attributed to nation-state actors, CNET reported. To encourage researchers to report such flaws rather than sell them, Apple raised the top payout in its bug bounty program to $1 million, according to a Forbes article posted in early August. Moving forward, the tech giant will be under pressure to catch bugs of this kind earlier in the iOS development cycle to help prevent large-scale identity theft and keep its upcoming product line secure from malicious actors.
Microsoft Recommends Updating Windows 10 Immediately
In mid-August, Microsoft urged Windows users to update their devices after several high-priority vulnerabilities were discovered. In a Microsoft Security Response Center blog post published alongside the August Patch Tuesday updates (August 13), the company announced two “wormable” remote code execution vulnerabilities, meaning malware that exploits them could spread from one vulnerable computer to the next without any user interaction, on the model of the 2017 WannaCry outbreak. Affected systems are unpatched versions of Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all supported versions of Windows 10, including the server editions; Windows XP, Windows Server 2003 and Windows Server 2008 are not affected. Users who have automatic updates turned on have likely already installed the patches, but enterprises that strictly control their patch management processes may still be at risk.
The vulnerabilities in question (CVE-2019-1181 and CVE-2019-1182) both sit in Remote Desktop Services (RDS, formerly Terminal Services), the component that lets users control remote computers and virtual machines over the Remote Desktop Protocol (RDP), which by default listens on TCP port 3389. They are distinct from the BlueKeep flaw (CVE-2019-0708) patched in May, so a machine that received the May fix is not protected against these two. Both flaws are “pre-authentication” and require no user interaction: an attacker who can reach the RDP listener sends a specially crafted connection request and gains arbitrary code execution on the target before any credential is checked. According to Microsoft, a successful attacker could then install programs, view, change or delete data, or create new accounts with full user rights. Once a system has been compromised, malicious actors can use it as a foothold to attack other hosts on the internal network, install malware or ransomware and lock out legitimate administrators.
The best way to mitigate the identified vulnerabilities is to install the August 2019 security updates for the affected Windows version and turn on automatic updates, which also shortens the exposure window for future flaws. Where immediate patching is not possible, Microsoft has recommended disabling Remote Desktop Services if it is not needed, and otherwise enabling Network Level Authentication (NLA), which forces the client to authenticate before a session is created and therefore blocks unauthenticated exploitation. Note, however, that a system with NLA enabled is still vulnerable to an attacker who holds valid credentials, so NLA is a stopgap, not a fix. Another temporary measure is to block TCP port 3389 at the perimeter firewall, which keeps internet-based attackers away from the RDP listener, although it does nothing against a worm that is already inside the network. This incident demonstrates the crucial role cybersecurity plays in both consumer and corporate IT management, and will likely serve as a valuable case study for some time to come.
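For administrators who need to find out which hosts are still exposed, the following PowerShell is an added example (not from the Faronics post or from Microsoft) that audits one machine against the mitigations above and, optionally, enforces them. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Windows 10 / Server 2012 or later (Windows 7 lacks the NetTCPIP and NetSecurity cmdlets); the function name, the `-Enforce` switch and the firewall rule name are assumptions of this example. The “updates installed since August 13, 2019” check is deliberately generic: it reports whether any update has been installed since Patch Tuesday rather than hard-coding a KB number, so it is a prompt to verify, not proof of patching.

```powershell
# Added example: audit (and optionally enforce) the RDS mitigations on this host.
# Assumptions: elevated session, Windows 8.1/10/Server 2012+, PowerShell 5.1.
function Test-RdsExposure {
    [CmdletBinding()]
    param([switch]$Enforce)   # -Enforce is this example's own switch

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $patchTuesday = [datetime]'2019-08-13'

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means NLA is required: the client must
    # authenticate before a session is created, so unauthenticated
    # exploitation is blocked (but not exploitation with valid credentials).
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

    # Is anything actually listening on the default RDP port?
    $listening = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue).Count -gt 0

    # Has any update been installed since the fixes shipped? InstalledOn can be
    # null for some entries, so guard before comparing.
    $updatedSincePatchTuesday = @(Get-HotFix | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday
    }).Count -gt 0

    if ($Enforce) {
        if ($rdpEnabled -and -not $nla) {
            # Stopgap: require NLA on the RDP-Tcp listener.
            Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
            $nla = $true
        }
        if ($rdpEnabled -and -not $updatedSincePatchTuesday) {
            # Unpatched and exposed: block inbound 3389 on the host firewall
            # until the August updates are installed. Rule name is this example's.
            New-NetFirewallRule -DisplayName 'Block inbound RDP until patched' `
                -Direction Inbound -Protocol TCP -LocalPort 3389 `
                -Action Block -Profile Any | Out-Null
        }
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        RdpEnabled               = $rdpEnabled
        NlaRequired              = $nla
        ListeningOn3389          = $listening
        UpdatedSincePatchTuesday = $updatedSincePatchTuesday
        # Exposed if RDP is on, nothing has been installed since the fix
        # shipped, and unauthenticated clients can still reach the listener.
        AtRisk                   = $rdpEnabled -and -not $updatedSincePatchTuesday -and -not $nla
    }
}

# Report only:
Test-RdsExposure
# Report and apply the stopgaps:
# Test-RdsExposure -Enforce
```

Run it across a fleet with `Invoke-Command -ComputerName (Get-Content hosts.txt) -ScriptBlock ${function:Test-RdsExposure}` and sort on `AtRisk`; any host that reports `AtRisk = True` should be patched before the firewall block is lifted again, since NLA alone still leaves it open to anyone with valid credentials.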
That concludes this month’s tech round-up, so be sure to check out Faronics’ blog to learn more about endpoint security and important trends in the industry.