More stories

  • Biden orders CISA and NIST to develop cybersecurity performance goals for critical infrastructure

    President Joe Biden signed a memorandum on Wednesday addressing cybersecurity for critical infrastructure, ordering CISA and NIST to create benchmarks for organizations managing critical infrastructure. The move builds on, and formalizes, an effort started in April around securing industrial control systems, which are now facing a barrage of attacks from both cybercriminals and state-backed entities.

    In a press briefing, a senior administration official explained that federal cybersecurity regulation in the US is sectoral, noting that the country has “a patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention.” The official added that there is no strategic, coordinated requirement for the cybersecurity of critical infrastructure.

    “To the extent, as I noted, there are mandatory cybersecurity requirements. They’re either sector specific — finance and chemical; they’re mandated under state or local law, like electricity ones; or they’re limited and piecemeal — water and bulk electricity are two that we’ve put a lot of work into studying in the last few weeks,” the official said. “So, our current posture is woefully insufficient given the evolving threat we face today. We really kicked the can down the road for a long time. The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory. Responsible critical infrastructure owners and operators should be following voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats.”

    The memorandum formalizes the Industrial Control Systems Cybersecurity Initiative, which the White House said was a “voluntary, collaborative effort between the federal government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.”

    The first part of the initiative started with the electricity subsector, according to a statement from the White House. The pilot will now start a second round on natural gas pipelines. Water systems, as well as wastewater sector systems and the chemical sector will be next. The senior administration officials said the effort has already led to over 150 electricity utilities representing almost 90 million residential customers deploying or agreeing to deploy control system cybersecurity technologies.

    “These are the technologies that, had they been in place, would have blocked what occurred at Colonial Pipeline in that they connect the operational technology side of the network to the IT side of the network. The action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year,” the official said.

    The White House acknowledged that each organization has different cybersecurity needs but it ordered CISA and NIST to work together on creating cybersecurity baselines “that are consistent across all critical infrastructure sectors,” and “security controls for select critical infrastructure that is dependent on control systems.” DHS has until September 22 to release the preliminary guidelines and one year to issue the final draft of the rules. The sector-specific rules will also be released within one year.

    “These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the memorandum said. “That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation.”

    A report by cybersecurity researchers at Trend Micro earlier this month warned that ransomware is “a concerning and rapidly evolving threat to industrial control systems endpoints globally” with a significant rise in activity during the past year. Of all countries covered in the report, the US has the most instances of ransomware affecting industrial control systems. The White House said almost 90 percent of critical infrastructure in the US is owned and operated by the private sector.

    Recent attacks on Colonial Pipeline and meat processor JBS prompted the federal government to get serious about forcing cybersecurity measures on private companies running critical systems. The White House specifically mentioned both ransomware attacks as reasons why more stringent measures were needed. DHS unveiled a new security directive a week ago that forces owners and operators of important pipelines to put tougher cybersecurity protections in place.

    The memorandum comes one day after Biden caused a minor stir with his comments about the ability of a cyber conflict to turn into a physical war. “You know, we’ve seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and disruption to the real world,” Biden told reporters on Tuesday. “I can’t guarantee this, and you’re as informed as I am, but I think it’s more likely we’re going to end up — well, if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence. And it’s increasing exponentially — the capabilities.”

  • Average organization targeted by over 700 social engineering attacks each year: report

    A new report from cybersecurity company Barracuda has found that IT staffers and CEOs continue to face a barrage of phishing attacks throughout the year.

    Barracuda analysts examined more than 12 million spear phishing and social engineering attacks impacting more than 3 million mailboxes at over 17,000 organizations between May 2020 and June 2021. The “Spear Phishing: Top Threats and Trends Vol. 6 — Insights” report found that 43% of phishing attacks impersonate Microsoft and the average organization is targeted by over 700 social engineering attacks each year. Nearly 80% of BEC attacks target employees outside of financial and executive roles, with the average CEO receiving 57 targeted phishing attacks each year and IT staffers getting an average of 40 targeted phishing attacks annually.

    Cryptocurrency-related attacks also grew 192% between October 2020 and April 2021, and the researchers noted that the number of attacks rose alongside the general price of various cryptocurrencies. Almost 50% of all socially engineered threats the company saw over the past year were phishing impersonation attacks, and nearly all included a malicious URL.

    “Although phishing emails are nothing new, hackers have started to deploy ingenious ways to avoid detection and deliver their malicious payloads to users’ inboxes. They shorten URLs, use numerous redirects, and host malicious links on document sharing sites, all to avoid being blocked by email scanning technologies,” the report said. “Phishing impersonation attacks have also been trending upwards. These attacks made up 46% of all social engineering attacks we detected in June 2020 and grew to 56% by the end of May 2021.”

    Business email compromise attacks only made up 10% of the attacks Barracuda analysts saw but have cost companies in the education, healthcare, commercial, and travel sectors millions.

    Hackers are also continuing to use many of the same tactics, including using brands for phishing impersonation attacks. Microsoft, WeTransfer, and DHL are the top three brands used in impersonation attacks going back to 2019. Because of the company’s ubiquity, Microsoft was used in 43% of phishing attacks in the past 12 months. Often cybercriminals will “send fake security alerts or account update information to get their victims to click on a phishing link.” The same goes for WeTransfer, which went from 9% of all phishing attacks to 18% by 2021. The rest of the top ten impersonated brands includes Google, DocuSign, and Facebook.

    Don MacLennan, senior vice president of Email Protection at Barracuda, said cybercriminals are now targeting employees outside the finance and executive teams, looking for weak links in organizations. “Targeting lower level employees offers them a way to get in the door and then work their way up to higher value targets,” MacLennan said. “That’s why it’s important to make sure you have protection and training for all employees, not just focus on the ones you think are the most likely to be attacked.”

  • One third of cybersecurity workers have faced harassment at work or online – this initiative aims to stamp it out

    Around a third of cybersecurity professionals have personal experience of facing harassment and abuse either online or in person – and a new initiative is aiming to provide support to victims while also encouraging action to help stop bullying and abuse across the industry.

    Set up with the aim of taking a stand against all forms of harassment in the cybersecurity industry, Respect In Security is encouraging organisations to formally pledge their commitment to creating a workplace and professional community free from harassment and fear. Research by Sapio Research on behalf of Respect In Security found 32 percent of 302 cybersecurity professionals surveyed have experienced harassment online via email, LinkedIn, Twitter or other social media platforms, while 35 percent have experienced it in person at industry events, the office or work socials.

    “As an industry we spend a lot of time online and probably a lot more so than other industries… so I think in that respect we are quite unique in that we are more exposed to some of the online stuff,” said one of the co-founders of Respect In Security, Lisa Forte, partner at Red Goat Cyber Security. In an interview with ZDNet Security Update, Forte said she has been sent unsolicited explicit videos, had fake profiles set up using her name, and been threatened via messages on social media.

    Respect In Security’s research revealed that male, female and non-binary people have all faced abuse.

    “This is a broad industry wide issue. It affects men and women, affects people of all sexual orientations, affects people of all skin colours,” Rik Ferguson, VP of security research at Trend Micro and a co-founder of Respect In Security, told ZDNet Security Update. “We are here to make a stand for a fair and for a more respectful industry and if we ever hope to professionalize cybersecurity, which is where we need to go, this is job zero on the list to get done,” he said. “I think people will walk away from [the industry], and I think a lot of people might be put off, you know, deterred from entering it,” Ferguson added.

    Respect In Security is encouraging organisations in the information security industry, as well as other organisations with cybersecurity teams, to sign its pledge and help to build a more tolerant and respectful industry. The pledge not only represents a commitment from companies to build a respectful environment, but also a promise to publish a grievance policy externally, so in the event of harassment taking place, there are systems in place that mean it can be reported.

    “Like a vulnerability claim procedure if you think you’ve discovered a vulnerability in someone’s product, there’s a process to go through that those companies will publish; here’s how you contact us, here’s how we’re going to deal with it, here’s what you can expect – we want to see that with regards to harassment and abuse as well,” said Ferguson.

  • Get patching: US, UK, and Australia issue joint advisory on top 30 exploited vulnerabilities

    At the end of almost seven months in 2021, one of the 30 most exploited vulnerabilities dates from 2017, according to the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the US FBI. CVE-2017-11882 is the holder of the dubious honour, and it is due to a stack buffer overflow in the equation editor of Microsoft Office, which can lead to remote code execution (RCE). It is an exploit that vendors have been banging on about for years already.

    The quartet of agencies said on Wednesday that the easiest way to fix this hole, and the 29 others listed, would be to patch systems.

    “Cyber actors continue to exploit publicly known — and often dated — software vulnerabilities against broad target sets, including public and private sector organisations worldwide. However, entities worldwide can mitigate the vulnerabilities … by applying the available patches to their systems and implementing a centralised patch management system,” the quartet stated. “Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimises risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.”

    The top 30 list is broken down into 14 historical CVEs from 2020 and earlier, and 16 from the current year. The list of historical vulnerabilities is led by four CVEs related to cloud, remote work, or VPNs.

    “Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organisations to conduct rigorous patch management,” the agencies said. As well as patching, the agencies said best practice involved adhering to Australia’s Essential Eight mitigation strategies.

    Historical vulnerabilities

    Citrix: CVE-2019-19781
    Topping the historical list is the Citrix NetScaler RCE that appeared over Christmas in 2019. This one should hit close to home for Australia as it was used to access a Defence recruitment database.

    Pulse: CVE-2019-11510
    Taking the silver medal is a directory traversal vulnerability in Pulse Secure Connect that can result in arbitrary file disclosure and leaks of admin credentials. “Once compromised, an attacker can run arbitrary scripts on any host that connects to the VPN. This could lead to anyone connecting to the VPN as a potential target to compromise,” the agencies said. “The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and can retain unauthorised access after the system is patched unless all compromised credentials are changed.” That sounds nice.

    Fortinet: CVE-2018-13379
    Fresh from a May warning is Fortinet’s version of a directory traversal bug that can lead to an attacker gaining usernames and passwords. “Multiple malware campaigns have taken advantage of this vulnerability. The most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo),” the agencies warned.

    F5 BIG-IP: CVE-2020-5902
    When it was announced, this CVE scored a perfect 10 — so it is a big deal. It involved the traffic management user interface allowing any old user to gain access; they didn’t need to be authenticated to execute arbitrary commands, create or delete files, disable services, or run arbitrary Java. “This vulnerability may result in complete system compromise,” is how the agencies understated the threat.

    MobileIron: CVE-2020-15505
    Getting sick of unprivileged attackers remotely executing code on your MobileIron kit? Well, you were warned in November.

    Microsoft Exchange: CVE-2020-0688
    Welcome to the list Microsoft Exchange — we’ve been expecting you. This vulnerability from early 2020 occurred because Exchange servers failed to create a unique cryptographic key for the Exchange control panel at install time, which resulted in attackers being able to use malformed requests to run code under the SYSTEM context. Small solace could be found in knowing authentication was needed to run this exploit.

    Atlassian Confluence: CVE-2019-3396
    If you are getting flashbacks from many vulnerabilities on this list, that’s because the NSA tried to warn people last October. Not to be left out of the path traversal and remote code execution antics of other vendors, this old Atlassian Confluence vulnerability adds a touch of server-side template injection. The big question though is do you have to log the patch to Confluence as a task in JIRA? It bears not thinking about.

    Microsoft Office: CVE-2017-11882
    This is the oldest bug on the list, related to the equation editor, mentioned at the start of this piece. Scroll up.

    Atlassian Crowd: CVE-2019-11580
    Attackers can use this vulnerability to install arbitrary plugins, which can lead to remote code execution. The agencies called out this vulnerability specifically. “Focusing scarce cyber defence resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries’ operations,” they said. “For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crowd, a centralised identity management and application (CVE-2019-11580) in its reported operations. “A concerted focus on patching this vulnerability could have a relatively broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set.”

    Drupal: CVE-2018-7600
    Remember Drupalgeddon2? A lack of input sanitation in the hook-crazed Drupal codebase can lead to an unauthenticated attacker gaining remote code execution. Naturally, malware campaigns including monero mining and having sites used as parts of botnets quickly followed.

    Telerik: CVE-2019-18935
    A hole in the sanitisation of serialized input in the Telerik framework used by ASP.NET apps can lead to RCE. Once again, cryptojacking was not far behind.

    Microsoft SharePoint: CVE-2019-0604
    To keep with the recent theme, SharePoint had a vulnerability when deserializing XML due to a lack of sanitisation, which could lead to remote code execution.

    Microsoft Windows Background Intelligent Transfer Service: CVE-2020-0787
    Due to improperly handling symbolic links, an attacker could use this vulnerability to execute arbitrary code with system-level privileges.

    Microsoft Netlogon: CVE-2020-1472
    When announced, it was reported as one of the most severe bugs ever, and with a CVSS score of 10, it was little wonder. Also known as Zerologon, the vulnerability allows an unauthenticated attacker to impersonate a computer on a domain, with the potential to disable security features in the Netlogon authentication process, and gain domain administrator privileges. “Threat actors were seen combining the MobileIron CVE-2020-15505 vulnerability for initial access, then using the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks,” the agencies said. “A nation-state APT group has been observed exploiting this vulnerability.”

    The class of 2021

    Compared to the vulnerabilities from years prior, the 2021 group are nicely grouped together and mostly related to a single product, so without any further ado.

    Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
    These vulnerabilities are the ones that NATO, the United States, European Union, United Kingdom, Australia, Canada, New Zealand, and Japan recently said were attributed to China, and were the exploits where the FBI decided it needed to blast away web shells on US servers. CVE-2021-26855 allowed an unauthenticated attacker, if they could connect to port 443, to exploit the Exchange control panel via a server-side request forgery that would allow them to send arbitrary HTTP requests, authenticate as the Exchange Server, and gain access to mailboxes. CVE-2021-26857 used insecure deserialization to gain RCE, while the final two used a post-authentication arbitrary file write vulnerability that could lead to RCE.

    Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900
    Appearing in March, the first CVE scored a full 10 marks for enabling a remote unauthenticated user to execute arbitrary code, while the second and third CVEs were close behind on 9.9 and related to remote authenticated users being able to execute arbitrary code. In the case of CVE-2021-22894, this was as the root user. CVE-2021-22900 scored a more modest 7.2, and related to an authenticated administrator performing a file write thanks to a maliciously crafted archive uploaded via the administrator web interface.

    Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
    The hacks that occurred via the Accellion FTA file transfer service seem to keep coming, with victims including the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, Singtel, and many other organisations around the world. In February, Accellion said it would retire the vulnerable product.

    VMware: CVE-2021-21985
    The recent vulnerability hitting vCenter Server and Cloud Foundation that allows for RCE also made the cut. When announced, VMware warned that since the attacker only needs to be able to hit port 443 to conduct the attack, firewall controls are the last line of defence for users.

    Fortinet: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591
    That’s right, CVE-2018-13379 made both lists. What an honour.


  • Biden: Major cyber attack could lead to a 'real shooting war'

    US president Joe Biden had some tough words over recent state-sponsored and criminal ransomware attacks, suggesting that if the US were to end up in a “real shooting war” it would be because of a major cyberattack. Biden’s comments follow this month’s REvil ransomware attack on the managed service provider (MSP) customers of US software vendor Kaseya that affected 60 MSPs and around 1,500 of their customers. 


    Cyber attacks have become central to talks between Biden and Russia’s president Vladimir Putin in recent weeks, following the Kremlin-backed supply chain attack on SolarWinds that impacted federal agencies and US cybersecurity firms, as well as criminal ransomware attacks on fuel distribution network Colonial Pipeline and meat packer JBS. Addressing the US intelligence community, he said the road to war with a major power would likely be as a consequence of a major future cyber attack on the US.

    “You know, we’ve seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and disruption to the real world,” said Biden. “I can’t guarantee this, and you’re as informed as I am, but I think it’s more likely we’re going to end up — well, if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence. And it’s increasing exponentially — the capabilities.”

    He also belittled the state of Russia’s economy under Putin, who “has a real problem” that makes the Russian president dangerous.

    “He’s sitting on top of an economy that has nuclear weapons and oil wells and nothing else. Nothing else. Their economy is — what? — the eighth smallest in the world now — largest in the world? He knows he’s in real trouble, which makes him even more dangerous, in my view.”

    Biden described Russia’s alleged disinformation campaign targeting the US 2022 elections as a “pure violation of our sovereignty.” Biden also warned Putin that critical infrastructure should be “off limits” in G7 talks at Geneva last month.

  • These hackers posed as an aerobics instructor online to trick their targets into downloading malware

    Iranian hackers spent 18 months masquerading as an aerobics instructor in a cyber espionage campaign designed to infect employees and contractors working in defence and aerospace with malware in order to steal usernames, passwords and other information which could be exploited.

    Active since at least 2019, the campaign used Facebook, Instagram and email to pose as the fake persona “Marcella Flores”. The attackers could spend months building up rapport with targets via messages and emails before attempting to distribute malware once trust was gained. The campaign has been detailed by cybersecurity researchers at Proofpoint who’ve linked it to TA456 – also known as Tortoiseshell – a state-backed Iranian hacking group with ties to the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian military.

    The way a fake social media profile was run for so long demonstrates the amount of effort and persistence that those behind the espionage campaign went to in an effort to target individuals of interest, predominantly people working for US defence contractors, particularly those involved in supporting operations in the Middle East.

    Marcella’s public facing Facebook profile claimed she was an aerobics instructor in Liverpool, England – and her friends list contained several people identifying as defence contractors on their profiles. The attackers behind the fake persona used email, social media profiles, photos and even flirtatious messages to give the impression she was a genuine person while in contact with the targets. After a period of messages back and forth with the target, the attackers used a Gmail account set up as the persona to send a OneDrive link which contained a document or a video file to the victim. It’s this lure that was used to distribute malware to the victim – an updated version of Lideric malware which researchers have dubbed Lempo.

    This malware secretly establishes persistence on the victim’s Windows computer, allowing the attackers to search for and steal sensitive information including usernames and passwords, which are then sent back to those running the operation. Proofpoint said that due to the specific targeting of victims it was not possible to say whether the attacks were successful.

    The stolen usernames and passwords could help the attackers conduct further espionage campaigns. It’s likely that defence contractors were targeted because stealing their credentials could provide the attackers with the means of moving further up the supply chain and gaining access to the networks of defence and aerospace firms. Stolen passwords could be exploited to gain remote access to VPNs and remote software, or compromised credentials could be used to conduct further phishing attacks.

    “The information gathered by Lempo could be operationalized in a variety of ways including the utilization of stolen VPN credentials, exploitation of vulnerabilities in the identified software, or the customization of follow-on malware to be delivered,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet.

    Iranian state-backed hacking and cyber espionage groups have previously engaged in this kind of social engineering, using false social media profiles of women to lure individuals into downloading malware. Like other known Iranian espionage campaigns, this one is focused on the defence industry and particularly companies providing support to military operations in the Middle East. All of this has led to Proofpoint attributing the campaign to Iranian state-linked hacking group TA456.

    Facebook shut down the Marcella Flores profile in July after identifying it and other accounts as working on cyber espionage operations on behalf of Tortoiseshell. Facebook has linked malware used in the campaigns to an Iranian IT company with links to the IRGC.

    The attackers behind the Marcella Flores persona spent at least 18 months running the account and using it for social engineering. The dedication to creating and maintaining these false personas, complete with the hands-on effort required for attackers to interact with potential victims, means it’s unlikely that this is the last time IRGC affiliated espionage and malware distribution campaigns will use these tactics.

    “TA456’s years-long dedication to significant social engineering, benign reconnaissance of targets prior to deploying malware, and their cross platform kill chain makes them a very resourceful threat actor and signifies that they must be experiencing success in gaining information that meets their operational goals,” said DeGrippo.

    The Marcella Flores operation and other espionage campaigns operating out of Iran demonstrate how effective social engineering can be as part of malicious hacking campaigns – and the importance of being mindful about what you share on public social media profiles.

    “It is especially important for those working within or tangentially to the defense industrial base to be vigilant when engaging with unknown individuals regardless of whether it is via work or personal accounts,” said DeGrippo. “Malicious actors will often utilize publicly available information about a target to build up a picture of their role, connections, access to information, and vulnerability to attacks – ‘over-sharing’ on social media is a particularly risky behaviour in sensitive industries, so organizations should ensure employees are properly and frequently trained in security awareness,” she added.

  • Windows 10: Microsoft's latest update fixes printer smart card bug

    Microsoft has released an out of band non-security update to fix a bug in some business printers and scanners that use a smart card for authentication. The update, KB5005394, addresses an issue in Windows 10 version 1809 — Windows 10 Enterprise 2019 LTSC — that caused printers, scanners and multifunctional devices (MFDs) to not function. The update bumps up the OS build number to 17763.2091. 

    The issue stems from a July 13 update to harden Windows 10 against the security vulnerability tagged as CVE-2021-33764. Printers and MFDs that were affected were not compliant with the authentication specification RFC 4556. Microsoft advised admins to verify that the latest firmware and drivers for these devices were installed and promised a mitigation, which it’s been delivering to different versions of Windows 10 over the past week.

    This was a separate issue to the so-called PrintNightmare bugs that Microsoft patched ahead of the July 2021 Patch Tuesday security update, and the Windows Print Spooler bug it fixed this month.

    Microsoft released fixes for the same smart card authentication issue for newer versions of Windows 10 last week. “After installing updates released July 13, 2021 on domain controllers (DCs) in your environment, printers, scanners, and multifunction devices that are not compliant with section 3.2.1 of RFC 4556 spec might fail to print when using smart card (PIV) authentication,” it noted in advisories for Windows 10 20H1 and Windows 10 2004.

    In a separate support note, Microsoft explains printers and MFDs were affected if they don’t support Diffie-Hellman for key exchange or advertise support for des-ede3-cbc (“triple DES”) during PKINIT Kerberos authentication. The issue affected all versions of Windows, including:

    Client: Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 2004; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1

    Server: Windows Server, version 20H2; Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2


  • Why you need to urgently update all your iPhones, iPads, and Macs – NOW!

    If you’ve not yet updated your iPhones, iPads, and Macs with the latest patches from Apple, then you need to take some time out of your day to do it right now, because this is a big one.

    Earlier this week, Apple published iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1. While this update contains bug fixes, the main part of this update is a security fix for a vulnerability that Apple says “may have been actively exploited.” In other words, the bad guys are already using it.

    Here’s how Apple describes the vulnerability in relation to iOS and iPadOS:

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
    Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
    Description: A memory corruption issue was addressed with improved memory handling.
    CVE-2021-30807: an anonymous researcher

    It’s unclear whether this is the vulnerability used for jailbreaking iOS devices, or whether it is linked to the NSO Group spyware tool hack used to target journalists, activists, and government figures.

    To update your iPhone and iPad, go to Settings > General > Software Update and download and install any available updates.

    For macOS, click on the apple in the top-left corner, go to System Preferences, find Software Update and download and install any updates available.

    I recommend carrying out these updates as soon as possible. To get immediate notifications of updates for the iPhone and iPad, I’ve been using the app iVerify.