

    Supply chain security is actually worse than we think


    Guest editorial by Haroon Meer. Meer is the founder of Thinkst, the company behind the well-regarded Thinkst Canary. Haroon has contributed to several books on information security and has published a number of papers and tools on various topics related to the field. Over the past decade (or two) he has delivered research, talks, and keynotes at conferences around the world.
    The recent SolarWinds mega-hack has managed to grab mainstream media headlines around the world, but the more I read, the more I think the press coverage has buried the lede.
    The incident gets called a “supply chain” attack, which hints at war-time tactics and, I’m willing to bet, will launch a dozen VC-backed startups. People are (rightfully) worried about the knock-on effect, since the SolarWinds attackers had access to several other development houses and could have poisoned those wells too.
    This is definitely scary but there’s a hard, sobering truth below that actually makes this a bit worse than you might think.
    An abstracted, low resolution summary for those (very few) who haven’t paid attention to the incident:
    SolarWinds make a network management product called Orion that is deployed on hundreds of thousands of networks worldwide;
    Attackers broke into SolarWinds and made their way to the SolarWinds build environment;
    They compromised the build pipelines, to inject malicious code into the SolarWinds update process;
    Networks all over the world updated themselves with this poisoned update;
    (Now-compromised) SolarWinds servers worldwide attacked internal networks of selected organizations;
    Almost nobody discovered any of this for months until a security company discovered its own compromise.
    Here are the four main reasons why it’s actually worse than we think.

    The state of enterprise security: While we’ve made progress in some areas of information security (e.g. the degree of knowledge and skill required to exploit memory corruption bugs in modern operating systems), enterprise security is still stuck pretty firmly in the early 2000s. An enterprise network consists of an untold number of disparate products, duct-taped together through poorly documented interfaces, where the standard for product integration is often “this config works, don’t touch it!”. Any moderately skilled attacker will decimate an internal corporate network long before they are discovered, and the average time it takes to gain Domain Admin is measured in hours and days instead of weeks or months.
    Most organizations, sadly, don’t know this. They know they spend money on security and they know they see charts with red and green boxes and arrows tracking progress. Most have no clue they’re sitting ducks for average attackers of moderate skill, much less nation state-backed adversaries with unlimited resources.
    Enterprise Products: Even ignoring the weakness that comes with cobbling together many products (security at the joints), most enterprise products won’t hold up very well to serious security testing. Heavyweight vendors like Adobe and Microsoft were publicly spanked into upping their game years ago, but it drops off pretty steeply after them. There’s an interesting carveout for online SaaS companies who have to build security competency since they run their own infrastructure and compromising their products is the same as compromising them. But for products installed into an Enterprise network the incentives are horribly misaligned. Owning, say, Symantec’s antivirus agent doesn’t compromise Symantec, it compromises you (who are running it) and this separation makes all the difference.
    Enterprise networks have too many moving parts: The past few years have seen creative hackers exploit software in places that we never knew were running software. The Thunderstrike crew ran code on Apple VGA adaptors. Ang Cui has written exploits for monitors and office phones. Bunnie and xobs ran code on SD cards, and a number of people have now run Linux on hard drive controllers. This makes it clear that the average office network is connected to dozens and dozens of types of devices that won’t ever make it into a regular audit, but that are nonetheless capable of hiding attackers and injecting badness into your network.
    Third Party Risk Evaluations: The joke going around after the incident was that SolarWinds had negatively impacted hundreds of enterprises, but definitely passed their third-party risk evaluations. It’s slightly unfair, but also true. We simply do not have a good way for most organizations to test software like this, and third-party questionnaires have always been a weak substitute. Even if we could tell whether a product was meeting a minimum security bar (using safe patterns, avoiding unsafe calls, using compile-time safety nets, etc.), automatic updates mean that tomorrow’s version of the product might not be the product you tested today. And if the vendor doesn’t know when they are compromised, then they probably won’t know when their update mechanism is used to convert their product into an attacker’s proxy.
    I’m not saying that auto-updates are bad. We believe they solve important problems, but they do introduce a new set of variables that need to be considered.  
    The current focus on “supply chain” security will no doubt see the VC-backed creation of next-gen start-ups claiming to solve the problem, but this part of the problem seems intractable. There’s the “easy” suite of software you know about: applications installed on your infrastructure and their dependencies. But, for one, this ignores your vendor’s own vendors. In addition, what product is going to provide guidance on the provenance of the code running in your monitors (on processors we didn’t even know were there)? Will we examine the firmware on the microphone that people are now using for their Zoom calls? Will we re-examine it post-automatic-update? There are way too many connected pieces of code to tackle the problem from this angle.
    If it takes just hours or days to successfully compromise an internal network, and if the average network has enough hiding places for skilled attackers to burrow deep, what do you think happens when attackers are allowed to move around undetected for months? 
    A bunch of analysts looking at the SolarWinds incident point out (correctly) that compromised SolarWinds servers were installed on so many networks that the ripples of this attack could be crazily exponential. What this analysis misses is that the average enterprise runs dozens and dozens of SolarWinds-look-alikes everywhere.
    Ransomware didn’t spring up overnight. Networks hit by ransomware were typically vulnerable for years and ran along blissfully unaware until attackers figured out a way to monetize those compromises. Most enterprises have been completely vulnerable to their vendors’ horrible insecurity too; the SolarWinds incident just published a blueprint for how to abuse it.
    The situation is dire not because we are fighting some fundamental laws of physics, but because we’ve deluded ourselves for a long time. If there’s a silver lining out of this, it’s that customers will hopefully demand more from their vendors: proof that they’ve gone through more than compliance checklists, and proof that they’d have a shot at knowing when they were compromised. And that more enterprises will ask, “How would we fare if those boxes in the corner turned evil? Would we even know?”


    This old security vulnerability left millions of Internet of Things devices vulnerable to attacks

    Vulnerabilities in the communications protocols used by millions of Internet of Things (IoT) and operational technology (OT) devices could allow cyber attackers to intercept and manipulate data.
    The vulnerabilities in some TCP/IP stacks have been detailed by cybersecurity researchers at Forescout, who’ve dubbed the set of nine new vulnerabilities ‘Number:Jack’.


    It forms part of the cybersecurity company’s ongoing research under Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks and how to mitigate them.
    The latest disclosures are based around a fundamental aspect of TCP communication in embedded devices: Initial Sequence Number (ISN) generation. These ISNs are designed to ensure that every TCP connection between two computers or other internet-connected devices is unique, and that third parties can’t interfere with or manipulate connections.
    In order to ensure this, ISNs need to be randomly generated so an attacker can’t guess, hijack or spoof them. It’s a fundamental of computer security that was already known in the 90s – but when it comes to the security of IoT devices, researchers found that this old vulnerability was present: the numbers weren’t completely random, so the pattern of ISNs in these TCP communications could be predicted.
    “This stuff has been mostly fixed in Windows and Linux and the typical IT world. But when you look into the IoT world, this stuff is happening again,” Daniel dos Santos, research manager at Forescout, told ZDNet.

    “It’s not difficult for us or an attacker to find this type of vulnerability because you can clearly see the way the numbers are generated by the stack is predictable,” he added.
    By predicting the sequence numbers of an existing TCP connection, attackers could close it, essentially causing a denial-of-service attack by preventing data from being transferred between devices. Alternatively, they could hijack it and inject their own data into the session, through which it’s possible to intercept unencrypted traffic, add file downloads to serve malware or use HTTP responses to direct the victim to a malicious website. It’s also possible for attackers to abuse TCP connections of the embedded devices to bypass authentication protocols, potentially providing attackers with additional access to networks.
    All of the vulnerabilities were discovered and disclosed to the relevant vendors and maintainers of affected TCP/IP stacks by October 2020.
    TCP/IP stacks found to contain the vulnerabilities include several open-source stacks analysed in Forescout’s previous study, including uIP, FNET, picoTCP, Nut/Net, cycloneTCP and uC/TCP-IP. Vulnerabilities have also been discovered in Siemens’ Nucleus NET, Texas Instruments’ NDKTCPIP and Microchip’s MPLAB Net.
    The majority of the vendors have patched to protect devices against the vulnerabilities or are in the process of doing so, although researchers note that one hasn’t responded to the disclosure at all. ZDNet has attempted to contact each of the vendors detailed in the research paper for a response.
    Forescout hasn’t publicly identified the exact devices that rely on the nine stacks found to have vulnerabilities in order to prevent them becoming potential victims of attacks. However, they do note that systems including medical devices, wind turbine monitoring systems and storage systems are all reliant on systems known to use the examined stacks.
    To help protect against attacks, Forescout Research Labs has released an open-source script to help identify stacks discovered to have vulnerabilities as part of Project Memoria.
    It’s recommended that, if these vulnerabilities are found on the network, security patches are applied to prevent attackers from taking advantage. Where patching IoT or OT devices isn’t possible, the affected products should be segmented onto a part of the network that reduces the likelihood of compromise.
    The research also serves as a reminder that, when it comes to security of IoT devices, there are security lessons to be learned from IT security that must be applied – especially when it comes to fundamentals that have been known about for decades.
    “The foundations of IoT are vulnerable and not just for one vendor or specific device – it’s across several types of devices and the software components used in these devices. It’s often that they share similar types of vulnerabilities,” said dos Santos.
    “The reason we’ve looked across TCP stacks is to show that history’s repeating again in several stacks. This provides proof that people should be looking at what has happened before and how that affects their operations – all down the IoT supply chain,” he added.


    Adobe patches wave of critical bugs in Magento, Acrobat, Reader

    Adobe has patched numerous critical vulnerabilities in a range of software including Magento, Acrobat, Reader, and Photoshop.

    On Tuesday, the tech giant published security advisories for each product included in this month’s standard patch round. 
    The first notice relates to Adobe Acrobat and Reader 2020, Acrobat and Reader DC, and the 2017 versions of both Acrobat and Reader on Windows and macOS machines. 
    Adobe has resolved 23 vulnerabilities in these software packages, 17 of which are deemed critical and the rest, important. The security issues reported to Adobe include buffer and integer overflows, improper access controls, and use-after-free flaws that can be weaponized for arbitrary code execution, privilege escalation, denial-of-service crashes, and information leaks. 
    Magento, an open source e-commerce platform, has also received a slew of security fixes. Specifically, Magento Commerce and Magento Open Source on all platforms are subject to a total of 18 bugs, varying in severity from critical to moderate. 
    The worst vulnerabilities, including Insecure Direct Object Reference (IDOR) bugs, file upload list bypasses, security and access control bypasses, and blind SQL injections, can be used by attackers to perform code execution, to deploy JavaScript in a browser, and to access restricted resources. 
    In total, five critical vulnerabilities have been reported in Adobe Photoshop on Windows and macOS. The bugs are described as out-of-bounds read/write and buffer overflow issues which can be exploited for the execution of malicious code.  

    Two critical vulnerabilities, tracked as CVE-2021-21053 and CVE-2021-21054, are now patched in both Windows and macOS versions of Adobe Illustrator. If exploited, the out-of-bounds write bugs can trigger arbitrary code execution. 
    Adobe Animate was also the subject of a critical out-of-bounds write flaw, CVE-2021-21052, which could also be weaponized to deploy arbitrary code.
    A single fix has also been issued for Adobe Dreamweaver, website design software developed by the tech giant. CVE-2021-21055 is an uncontrolled search path element issue potentially leading to information leaks. 
    Adobe thanked a number of independent researchers, Decathlon, the Trend Micro Zero Day Initiative, FortiGuard Labs, and participants of the Tianfu Cup 2020 International Cybersecurity Contest for reporting the security issues. 
    In January, Adobe’s first scheduled security update of the year resolved bugs in seven products, including Photoshop, Illustrator, Bridge, and Campaign Classic. Heap buffer overflow vulnerabilities and out-of-bounds write flaws were among those patched. 


    Indo-Pacific tech sector 'ripe for investment' and cyber defence cooperation: Research

    The Indo-Pacific region’s tech sector is “ripe for investment”, according to Trisha Ray, an associate fellow with the Observer Research Foundation’s Technology and Media Initiative.
    “Rare earths, which go into all our devices, computers, electric vehicles, and so on, alternatives to untrusted 5G vendors, even basic infrastructure investment in fibreisation of networks, all of these are ripe for investment,” Ray said on Tuesday.
    “Most of the region, Southeast Asia [and] India especially, are major assembly hubs in global technology trade, but there needs to be more focus on core competencies and capacity building.”
    One example is semiconductors. The region is home to plenty of pure-play chip foundries, but they generally don’t design the chips.
    “Most of the value for semiconductors lies in the design, which is why Intel accounts for a quarter of global semiconductor value,” she said.
    Ray was speaking at the launch of the Quad Tech Network (QTN), an initiative of the Australian government to “promote regional track two research and public dialogue on cyber and critical technology issues” between the four members of the Quadrilateral Security Dialogue or “Quad”: Australia, India, Japan, and the United States.
    The QTN is managed by the National Security College at the Australian National University in Canberra.

    Ray’s comments were based on the paper she co-authored, titled The Digital Indo-Pacific: Regional Connectivity and Resilience, which was one of four papers released at the launch.
    Its recommendations included developing common standards for digital services, such as harmonising national and then regional standards for digital payments; interoperable cross-border digital IDs; and improving digital skills at all levels.
    The report notes that Malaysia, India, and Australia’s research output “remains far below their potential”. Malaysia has a “high level of digitally skilled workers”, while Indonesia and Cambodia “lack basic digital skills”; Vietnam “needs to channel its tech talent better”, and Australia “lacks advanced digital skills”.
    “We also focus a lot on first order connectivity issues, including just basic electricity, access to reliable high-speed internet, digital literacy, all of these are important elements,” Ray said.
    According to Martijn Rasser, co-author of the Center for a New American Security paper titled Networked: Techno-Democratic Statecraft for Australia and the Quad, the QTN is a logical expansion of the Quad’s remit.
    “You have a large portion of the world’s GDP and population, shared interests and values, and a common understanding of what it will take to be economically competitive in coming decades,” Rasser said.
    “In the near term, there’s good opportunity to make important strides in areas including setting norms that promote a free and open cyberspace, addressing supply chain vulnerabilities such as for rare earths, and boosting technological innovation for 5G wireless infrastructure.”
    Australia’s cyber diplomacy has already played a key role in setting international cyber norms, although its influence has declined under the Morrison government.
    Where is Australia’s 40-year tech vision?
    Rasser recommended that each of the Quad nations “craft a true national strategy for technology”.
    “This requires a vision. Where do you want to be 20, 30, 40 years down the road?”, he said.
    “In what tech areas do you want your country to be the world leader? Where should you be globally competitive? And where are the areas where you can afford to be a fast follower? Because you’re not going to be number one in everything, it’s just not affordable, it’s not achievable ultimately.”
    Once more it’s worth noting that Australia’s 2020 Cyber Security Strategy was disappointingly drab and inward-looking, with little expansion on cyber industry development beyond the 2016 strategy.
    There’s clearly room for improvement here and it’s clear to your correspondent that the Australian government will need to spark up its technological nous to meet the challenge.
    “The ultimate goal of this strategy should be for a country to empower its citizens, compete economically, and secure your national interests, without having to compromise your values or your sovereignty,” Rasser said.
    Trust, inclusivity, and governance systems are further issues, according to Professor Jolyon Ford from the ANU College of Law.
    “How do you bring along your societies with you, and include them in the conversations about the possibilities and the problems of governance, and include them in that process?”, Ford asked.
    “[How do you] build trust, not just in the technologies, but in the frameworks governing those technologies?”
    There are limits to state-based and state-led strategies, he said, especially in fields such as artificial intelligence (AI).
    Big tech’s ‘disproportionate role’
    “The private sector and big tech firms in particular play such an outsized or disproportionate role in shaping the whole narrative around these technologies and their good or otherwise, and shaping the possibilities of governance models around these technologies,” Ford said.
    Ford co-authored the paper Embracing Difference: Governance of Critical Technologies in the Indo-Pacific, which examined human rights and ethical issues.
    The perennial issue of the importance of sharing cyber threat intelligence was raised by Dr Kohei Takahashi, a researcher at Japan’s National Graduate Institute for Policy Studies.
    “Australia and the United States are already working on the cyber threat intelligence in the Five Eyes framework. So it is important for the Quad countries to establish a new framework for sharing information on cyber threat effectively,” he said.
    Takahashi also stressed the importance of establishing a fact-checking system.
    “Influence operations in cyberspace using fake news, for example, have become a big issue. It is important for the Quad countries to establish a fact-checking system,” he said.
    The paper Takahashi co-authored, Cyber Security, Critical Technology, and National Security, also recommended collaborative research on AI and joint cyber exercises.
    “AI will be used in cyberspace in the future. It will be necessary for us to promote research and study in this field to enhance our interoperability capabilities,” he said.
    “Each country has its own strengths and weaknesses. It is important to conduct joint exercises in order to run the strengths of the other potential allies and partners, and to improve their resilience.”


    Microsoft warns enterprises of new 'dependency confusion' attack technique

    On Tuesday, Microsoft published a white paper about a new type of attack technique called a “dependency confusion” or “substitution attack” that can be used to poison the app-building process inside corporate environments.

    The technique revolves around concepts like package managers, public and private package repositories, and build processes.
    Today, developers at small or large companies use package managers to download and import libraries that are then assembled together using build tools to create a final app.
    This app can be offered to the company’s customers or can be used internally at the company as an employee tool.
    But some of these apps can also contain proprietary or highly sensitive code, depending on their nature. For these apps, companies will often use private libraries that they store inside a private (internal) package repository, hosted inside the company’s own network.
    When apps are built, the company’s developers will mix these private libraries with public libraries downloaded from public package portals like npm, PyPI, NuGet, or others.
    New “dependency confusion” attack
    In research published on Tuesday, a team of security researchers has detailed a new concept called “dependency confusion” that attacks these mixed app-building environments inside large corporations.

    Researchers showed that if an attacker learns the names of private libraries used inside a company’s app-building process, they could register these names on public package repositories and upload public libraries that contain malicious code.
    The “dependency confusion” attack takes place when developers build their apps inside enterprise environments and their package manager prioritizes the (malicious) library hosted on the public repository over the internal library with the same name.
    The research team said they put this discovery to the test by searching for situations where big tech firms accidentally leaked the names of various internal libraries, and then registered those same names on package repositories like npm, RubyGems, and PyPI.
    Using this method, researchers said they successfully loaded their (non-malicious) code inside apps used by 35 major tech firms, including the likes of Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber, and others.
    But besides npm, RubyGems, and PyPI, other package managers are also vulnerable, researchers said, including the likes of JFrog and NuGet.
    Microsoft urges companies to analyze internal package repos
    While the research team said it notified all the affected companies and package repositories, Microsoft appears to have understood the severity of this issue more than the others.
    After the research team’s work went public on Tuesday, the OS maker, which also runs the NuGet package manager for .NET developers, published a white paper detailing the dependency confusion technique, which Microsoft calls a “substitution attack.”
    The white paper warns companies about hybrid package manager configurations, where both public and private library sources are used, but also details a series of mitigations that companies can apply to avoid dependency confusions within their build environments.
    Among the listed recommendations are:
    Reference one private feed, not multiple
    Protect your private packages using controlled scopes on public package repositories
    Utilize client-side verification features, such as version pinning and integrity verification
    More inside the white paper.
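The three recommendations above can be turned into a concrete check on what a build actually resolved. The script below is an added example (not Microsoft’s or the researchers’ code): it audits an npm lockfile for internal packages that resolved from somewhere other than the single private feed, internal names published outside the organisation’s controlled scope, and entries with no integrity hash. The private feed host npm.internal.example, the @acme scope, the package names and the lockfile are all constructed.

```python
"""Audit an npm lockfile for dependency-confusion exposure.

Added example, not Microsoft's or the researchers' code.  It turns three
of the white paper's recommendations into checks on a lockfile: internal
packages must resolve from the one private feed, must live under the
organisation's controlled scope, and every entry must carry an integrity
hash so the client can verify what it installs.  The feed host, scope,
package names and lockfile below are constructed.
"""
import json
from urllib.parse import urlparse

PRIVATE_FEED_HOST = "npm.internal.example"   # hypothetical private feed
PUBLIC_REGISTRY_HOST = "registry.npmjs.org"
INTERNAL_SCOPE = "@acme/"                     # hypothetical controlled scope
# Names known to be internal, whether or not they were published under the scope.
INTERNAL_NAMES = {"@acme/auth-client", "billing-core"}

# The configuration side of the same advice (npm's per-scope registry
# setting): one private feed for everything, with the scope bound to it.
RECOMMENDED_NPMRC = (
    "registry=https://npm.internal.example/\n"
    "@acme:registry=https://npm.internal.example/\n"
)


def package_name(path, entry):
    """Lockfile v2/v3 keys look like node_modules/<name> or nested
    node_modules/<a>/node_modules/<b>; aliased entries carry a name field."""
    return entry.get("name") or path.split("node_modules/")[-1]


def audit_lockfile(lock, internal_names=INTERNAL_NAMES):
    """Return a list of (package, problem) findings for one lockfile."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":            # the root project itself
            continue
        name = package_name(path, entry)
        host = urlparse(entry.get("resolved", "")).hostname or ""
        internal = name in internal_names or name.startswith(INTERNAL_SCOPE)
        if internal and host != PRIVATE_FEED_HOST:
            # The substitution itself: an internal name satisfied from elsewhere.
            findings.append((name, f"internal package resolved from "
                                   f"{host or 'nowhere'} instead of {PRIVATE_FEED_HOST}"))
        if internal and not name.startswith(INTERNAL_SCOPE):
            findings.append((name, "internal package name is unscoped, so the same "
                                   "name can be registered on the public registry"))
        if host not in (PRIVATE_FEED_HOST, PUBLIC_REGISTRY_HOST):
            findings.append((name, f"resolved from unexpected host {host or 'nowhere'}"))
        if not entry.get("integrity"):
            findings.append((name, "no integrity hash; the install cannot be verified"))
    return findings


# Constructed package-lock.json (v2 layout, abbreviated).  Integrity values
# are placeholders, not real hashes.
SAMPLE_LOCK = json.loads("""
{
  "name": "acme-portal",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "acme-portal", "version": "1.0.0"},
    "node_modules/@acme/auth-client": {
      "version": "2.1.0",
      "resolved": "https://npm.internal.example/@acme/auth-client/-/auth-client-2.1.0.tgz",
      "integrity": "sha512-PLACEHOLDER-auth-client"
    },
    "node_modules/billing-core": {
      "version": "9.9.9",
      "resolved": "https://registry.npmjs.org/billing-core/-/billing-core-9.9.9.tgz",
      "integrity": "sha512-PLACEHOLDER-billing-core"
    },
    "node_modules/public-helper": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/public-helper/-/public-helper-1.3.0.tgz"
    }
  }
}
""")

if __name__ == "__main__":
    for package, problem in audit_lockfile(SAMPLE_LOCK):
        print(f"{package}: {problem}")
```

Run against a real lockfile, the internal-name list is the part to maintain: it should be generated from the private feed’s catalogue rather than typed by hand.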


    Brazilian government urged to protect consumers from massive data leak

    A Brazilian consumer rights watchdog has urged the federal government to take immediate and urgent action to protect citizens who had their personal details exposed online.
    The notices sent by the Brazilian Institute for Consumer Protection (IDEC) to several government agencies relate to a massive data leak, which saw details of 223 million Brazilians, ranging from names and addresses to current income, personal vehicle information and tax returns, exposed and sold on the dark web.
    In addition, the leak included information from Mosaic, a consumer segmentation model used by Serasa, the Brazilian subsidiary of credit research multinational Experian, which was also exposed and offered for sale online. The incident, discovered by cybersecurity firm Psafe in January, is considered to be Brazil’s most significant data leak on record.
    According to IDEC, the scale and scope of the situation call for regular inspection measures to be adopted for large-scale databases, such as credit bureaus, which could have been the source of the leak. The consumer rights organization also noted that data leaks in Brazil have become an “unacceptable routine”, and that one way to reduce the likelihood of such occurrences is to prevent consumer databases from being formed without any limitations and to give consumers the choice of opting out of them.
    “What we have today is a single certainty, that the citizen is completely adrift. Fear is a constant, with fraud attempts increasing every day due to the amount of data that was leaked”, points out IDEC’s lawyer, Michel Roberto de Souza. “Institutions must investigate and punish, but they must also inform and guide citizens about what is happening. We need a lot of transparency as well as timely and adequate solutions.”
    Yesterday (8) Experian released a statement saying that it is carrying out a “detailed forensic investigation” into the possibility that “some of the [leaked information] may have been sourced from its non-sensitive marketing data”.

    On the other hand, the company argued that the data offered for sale online “includes photographs, social security numbers, vehicle registrations and social media login details, which Serasa does not collect or hold.” In addition, Experian stated that “there is no evidence” that credit data has been illegally obtained from Serasa, or that the company’s technology systems had been compromised.

    According to IDEC, the data exposure is a serious violation of the General Data Protection Regulations, as well as the Brazilian Consumer Protection Code, due to the non-compliance with security measures, as well as a serious violation of security and information duties in the provision of services.
    In the documents sent to the authorities, the Institute is requesting more effective measures and a “robust cooperation” from the recently created National Data Protection Authority and the National Consumer Secretariat with the Federal Police, the Public Prosecutor’s Office and the National Congress.
    In addition, IDEC points out the need for involvement of the Central Bank, which regulates Serasa, due to the considerable doubt over the possibility that “at least part of the data leak” has originated from the company.
    According to the consumer rights institute, the scope and risks posed by this incident require “coordinated action by all competent authorities to ensure efficiency and speed in investigations and in the adoption of measures necessary for consumer safety”.
    In addition, IDEC argued that a contingency plan to minimize the damage caused by the leak is among the actions needed, alongside extensive communication of the incident: a website outlining the data leaked for each consumer, wide dissemination of the precautions needed to avoid scams that use the leaked data, and free mechanisms for monitoring the use of taxpayer registry identification numbers.


    Microsoft February 2021 Patch Tuesday fixes 56 bugs, including Windows zero-day

    Microsoft has released today its monthly batch of security updates, known as Patch Tuesday. This month, the OS maker has fixed 56 security vulnerabilities, including a Windows bug that was being exploited in the wild before today’s patches.
    Tracked as CVE-2021-1732, the Windows zero-day is an elevation of privilege bug in Win32k, a core component of the Windows operating system.
    The bug was exploited after attackers gained access to a Windows system in order to obtain SYSTEM-level access.
    Details about the attacks where this bug was used were not revealed. Microsoft credited three security researchers from Chinese security firm DBAPPSecurity with discovering the attacks where this zero-day was employed.
    Many bug details went public
    Besides the zero-day, this month’s Patch Tuesday also stands out because of the high number of vulnerabilities whose details were made public even before patches were available.
    In total, six Microsoft product bugs had their details posted online before today’s patches. This included:
    CVE-2021-1721 – .NET Core and Visual Studio Denial of Service Vulnerability
    CVE-2021-1733 – Sysinternals PsExec Elevation of Privilege Vulnerability
    CVE-2021-26701 – .NET Core Remote Code Execution Vulnerability
    CVE-2021-1727 – Windows Installer Elevation of Privilege Vulnerability
    CVE-2021-24098 – Windows Console Driver Denial of Service Vulnerability
    CVE-2021-24106 – Windows DirectX Information Disclosure Vulnerability
    The good news is that none of these bugs were exploited by attackers, despite their details being posted online.
    Warning about TCP/IP bugs

    But that’s not all. This month, Microsoft has also released fixes for three vulnerabilities in the Windows TCP/IP stack, which allows the operating system to connect to the internet.
    Two of these (CVE-2021-24074, CVE-2021-24094) are remote code execution vulnerabilities that could allow attackers to take over Windows systems remotely.
    A third bug (CVE-2021-24086) could be used to crash Windows devices.
    “The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely [to be exploited] in the short term,” Microsoft said in a blog post specifically published to warn about these three issues.
    “We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release,” the company added. “Thus, we recommend customers move quickly to apply Windows security updates this month.”
    Of all Windows systems, Windows Server instances are the ones most likely to be susceptible to attacks, as many are used to host web servers or cloud infrastructure and are almost certainly connected to the internet at all times and exposed to attacks.
    “It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible,” Microsoft said.
    If patches can’t be applied right away, various workarounds can be deployed; details are in each vulnerability’s advisory.
    Below are additional details about today’s Microsoft Patch Tuesday and security updates released by other tech companies:
    Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
    ZDNet has published this file listing all this month’s security advisories on one single page.
    Adobe’s security updates are detailed here.
    SAP security updates are available here.
    Intel security updates are available here.
    VMware security updates are available here.
    Chrome 88 security updates are detailed here.
    Android security updates are available here.
    Tag | CVE ID | CVE Title
    --- | --- | ---
    .NET Core | CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability
    .NET Core | CVE-2021-24112 | .NET Core Remote Code Execution Vulnerability
    .NET Core & Visual Studio | CVE-2021-1721 | .NET Core and Visual Studio Denial of Service Vulnerability
    .NET Framework | CVE-2021-24111 | .NET Framework Denial of Service Vulnerability
    Azure IoT | CVE-2021-24087 | Azure IoT CLI extension Elevation of Privilege Vulnerability
    Developer Tools | CVE-2021-24105 | Package Managers Configurations Remote Code Execution Vulnerability
    Microsoft Azure Kubernetes Service | CVE-2021-24109 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
    Microsoft Dynamics | CVE-2021-24101 | Microsoft Dataverse Information Disclosure Vulnerability
    Microsoft Dynamics | CVE-2021-1724 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
    Microsoft Edge for Android | CVE-2021-24100 | Microsoft Edge for Android Information Disclosure Vulnerability
    Microsoft Exchange Server | CVE-2021-24085 | Microsoft Exchange Server Spoofing Vulnerability
    Microsoft Exchange Server | CVE-2021-1730 | Microsoft Exchange Server Spoofing Vulnerability
    Microsoft Graphics Component | CVE-2021-24093 | Windows Graphics Component Remote Code Execution Vulnerability
    Microsoft Office Excel | CVE-2021-24067 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office Excel | CVE-2021-24068 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office Excel | CVE-2021-24069 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office Excel | CVE-2021-24070 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2021-24071 | Microsoft SharePoint Information Disclosure Vulnerability
    Microsoft Office SharePoint | CVE-2021-1726 | Microsoft SharePoint Spoofing Vulnerability
    Microsoft Office SharePoint | CVE-2021-24066 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2021-24072 | Microsoft SharePoint Server Remote Code Execution Vulnerability
    Microsoft Teams | CVE-2021-24114 | Microsoft Teams iOS Information Disclosure Vulnerability
    Microsoft Windows Codecs Library | CVE-2021-24081 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
    Microsoft Windows Codecs Library | CVE-2021-24091 | Windows Camera Codec Pack Remote Code Execution Vulnerability
    Role: DNS Server | CVE-2021-24078 | Windows DNS Server Remote Code Execution Vulnerability
    Role: Hyper-V | CVE-2021-24076 | Microsoft Windows VMSwitch Information Disclosure Vulnerability
    Role: Windows Fax Service | CVE-2021-24077 | Windows Fax Service Remote Code Execution Vulnerability
    Role: Windows Fax Service | CVE-2021-1722 | Windows Fax Service Remote Code Execution Vulnerability
    Skype for Business | CVE-2021-24073 | Skype for Business and Lync Spoofing Vulnerability
    Skype for Business | CVE-2021-24099 | Skype for Business and Lync Denial of Service Vulnerability
    SysInternals | CVE-2021-1733 | Sysinternals PsExec Elevation of Privilege Vulnerability
    System Center | CVE-2021-1728 | System Center Operations Manager Elevation of Privilege Vulnerability
    Visual Studio | CVE-2021-1639 | Visual Studio Code Remote Code Execution Vulnerability
    Visual Studio Code | CVE-2021-26700 | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability
    Windows Address Book | CVE-2021-24083 | Windows Address Book Remote Code Execution Vulnerability
    Windows Backup Engine | CVE-2021-24079 | Windows Backup Engine Information Disclosure Vulnerability
    Windows Console Driver | CVE-2021-24098 | Windows Console Driver Denial of Service Vulnerability
    Windows Defender | CVE-2021-24092 | Microsoft Defender Elevation of Privilege Vulnerability
    Windows DirectX | CVE-2021-24106 | Windows DirectX Information Disclosure Vulnerability
    Windows Event Tracing | CVE-2021-24102 | Windows Event Tracing Elevation of Privilege Vulnerability
    Windows Event Tracing | CVE-2021-24103 | Windows Event Tracing Elevation of Privilege Vulnerability
    Windows Installer | CVE-2021-1727 | Windows Installer Elevation of Privilege Vulnerability
    Windows Kernel | CVE-2021-24096 | Windows Kernel Elevation of Privilege Vulnerability
    Windows Kernel | CVE-2021-1732 | Windows Win32k Elevation of Privilege Vulnerability
    Windows Kernel | CVE-2021-1698 | Windows Win32k Elevation of Privilege Vulnerability
    Windows Mobile Device Management | CVE-2021-24084 | Windows Mobile Device Management Information Disclosure Vulnerability
    Windows Network File System | CVE-2021-24075 | Windows Network File System Denial of Service Vulnerability
    Windows PFX Encryption | CVE-2021-1731 | PFX Encryption Security Feature Bypass Vulnerability
    Windows PKU2U | CVE-2021-25195 | Windows PKU2U Elevation of Privilege Vulnerability
    Windows PowerShell | CVE-2021-24082 | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability
    Windows Print Spooler Components | CVE-2021-24088 | Windows Local Spooler Remote Code Execution Vulnerability
    Windows Remote Procedure Call | CVE-2021-1734 | Windows Remote Procedure Call Information Disclosure Vulnerability
    Windows TCP/IP | CVE-2021-24086 | Windows TCP/IP Denial of Service Vulnerability
    Windows TCP/IP | CVE-2021-24074 | Windows TCP/IP Remote Code Execution Vulnerability
    Windows TCP/IP | CVE-2021-24094 | Windows TCP/IP Remote Code Execution Vulnerability
    Windows Trust Verification API | CVE-2021-24080 | Windows Trust Verification API Denial of Service Vulnerability


    Cybersecurity firm SentinelOne buys Scalyr for $155 million

    Cybersecurity firm SentinelOne said it has signed a deal to acquire Scalyr, makers of a data analytics platform for log management and observability, for $155 million in cash and equity.

    According to SentinelOne, the acquisition will help the company add significant capabilities to its extended detection and response (XDR) platform. 
    Specifically, the company said Scalyr’s technology will bolster SentinelOne’s ability to ingest, correlate, search, and action data across sources, including both public cloud and internal enterprise data sources.
    “Scalyr’s big data technology is perfect for the use cases of XDR, ingesting terabytes of data across multiple systems and correlating it at machine speed so security professionals have actionable intelligence to autonomously detect, respond, and mitigate threats,” said Tomer Weingarten, CEO of SentinelOne. “This is a dramatic leap forward for our industry – while other next-gen products are entirely reliant on SIEM integrations or OEMs for point in time data correlation and response, SentinelOne uniquely provides customers with proactive operational insights from a security-first perspective.”
    The acquisition is expected to close during SentinelOne’s first quarter. SentinelOne said its data services team will continue offering log management, observability and event data cloud services in conjunction with integrating Scalyr.