Weekly Security News – 12th August 2024

Firefox & Chrome security flaw exploited, NHS software provider facing a £6m fine and Crowdstrike reveals more about the recent outage... all in this week's security news...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

18-year-old security flaw in Firefox and Chrome exploited in attacks

Cybersecurity researchers have discovered a new vulnerability, dubbed “0.0.0.0 Day”, impacting all major web browsers that malicious websites could take advantage of to breach local networks. The critical vulnerability “exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices,” Oligo Security researcher Avi Lumelsky said. The Israeli application security company said the implications of the vulnerability are far-reaching, and that it stems from the inconsistent implementation of security mechanisms and a lack of standardization across different browsers. 0.0.0.0 Day impacts Google Chrome/Chromium, Mozilla Firefox, and Apple Safari, and enables external websites to communicate with software that runs locally on macOS and Linux. It does not affect Windows devices, as Microsoft blocks the IP address at the operating system level.
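One defensive check the behaviour described above calls for, as an added example that is not code from the article or from Oligo Security: a service listening on a developer's machine can refuse any request whose Host header is the unspecified address 0.0.0.0 and any request whose Origin is not itself a local origin. The function and header handling are assumptions for illustration.

```python
"""Request filter for a locally running HTTP service (added example, not from the
article or from Oligo Security). A page served by another site that reaches the
service via 0.0.0.0 arrives with Host 0.0.0.0 and a non-local Origin; both are
rejected here, so the service only answers requests that really came from localhost."""
import ipaddress
from urllib.parse import urlsplit

LOCAL_NAMES = {"localhost"}


def _host_only(value: str) -> str:
    """Strip the port from a Host value, handling bracketed IPv6 literals."""
    if value.startswith("["):
        return value[1 : value.index("]")]
    # exactly one colon means host:port; more means a bare IPv6 address
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def _classify(host: str) -> str:
    """Return 'local', 'unspecified' or 'remote' for a host name or IP literal."""
    if host in LOCAL_NAMES:
        return "local"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "remote"
    if addr.is_unspecified:      # 0.0.0.0 or :: -> the entry point of the bug
        return "unspecified"
    return "local" if addr.is_loopback else "remote"


def allow_request(headers: dict) -> tuple[bool, str]:
    """Decide whether to serve a request, given its HTTP headers as a dict."""
    host_kind = _classify(_host_only(headers.get("Host", "")))
    if host_kind == "unspecified":
        return False, "Host header is the unspecified address"
    if host_kind != "local":
        return False, "Host header is not a loopback address"
    origin = headers.get("Origin")   # sent on cross-site fetch/XHR and on POSTs
    if origin is not None:
        if _classify(urlsplit(origin).hostname or "") != "local":
            return False, f"cross-site Origin {origin!r}"
    return True, "ok"
```

Binding the service to 127.0.0.1 rather than 0.0.0.0 removes the exposure at the socket level; the header check above is the application-side backstop when the bind address cannot be changed.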

Google patches 46 Android bugs, including exploited kernel flaw

Google has addressed a high-severity security flaw impacting the Android kernel that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel. “There are indications that CVE-2024-36971 may be under limited, targeted exploitation,” the tech giant noted in its monthly Android security bulletin for August 2024. As is typically the case, the company did not share any additional specifics on the nature of the cyber-attacks exploiting the flaw or attribute the activity to a particular threat actor or group. It’s currently not known if Pixel devices are also impacted by the bug. The August patch addresses a total of 47 flaws, including those identified in components associated with Arm, Imagination Technologies, MediaTek, and Qualcomm.

Cyber Attacks

NHS software provider faces £6m fine after hackers steal tens of thousands of medical records

The data protection watchdog’s provisional ruling blames software company Advanced for “serious failings” after sensitive patient data was stolen and NHS services disrupted. A major NHS IT provider faces a penalty of just over £6m for failures which led to a cyber-attack and the theft of nearly 83,000 medical records. The Information Commissioner’s Office (ICO) has been investigating Advanced, which supplies vital systems for the health service, since the breach on 4 August 2022. The cyber-attack had wide-ranging implications, affecting the system used to dispatch ambulances, book out-of-hours appointments and issue emergency prescriptions. In a provisional ruling, the ICO says the software provider breached data protection law by failing to secure personal information belonging to 82,946 people.

Windows Zero-day Flaw Let Hackers Downgrade Fully Updated Systems to Old Vulnerabilities

Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.

The vulnerabilities are listed below –

  • CVE-2024-38202 (CVSS score: 7.3) – Windows Update Stack Elevation of Privilege Vulnerability
  • CVE-2024-21302 (CVSS score: 6.7) – Windows Secure Kernel Mode Elevation of Privilege Vulnerability

Credited with discovering and reporting the flaws is SafeBreach Labs researcher Alon Leviev, who presented the findings at Black Hat USA 2024 and DEF CON 32.

In Other News...

CrowdStrike Reveals Root Cause of Global System Outages

Cybersecurity company CrowdStrike has published its root cause analysis detailing the Falcon Sensor software update crash that crippled millions of Windows devices globally. The “Channel File 291” incident, as originally highlighted in its Preliminary Post Incident Review (PIR), has been traced back to a content validation issue that arose after it introduced a new Template Type to enable visibility into and detection of novel attack techniques that abuse named pipes and other Windows interprocess communication (IPC) mechanisms. Specifically, it’s related to a problematic content update deployed over the cloud, with the company describing it as a “confluence” of several shortcomings that led to a crash – the most prominent of them is a mismatch between the 21 inputs passed to the Content Validator via the IPC Template Type as opposed to the 20 supplied to the Content Interpreter.
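The class of defect the root cause analysis describes, modelled as an added example that is not CrowdStrike's code: a validator that bounds-checks rule content against a template definition declaring 21 fields, while the interpreter that executes the content only ever supplies 20 inputs. A rule referencing the 21st field passes validation and then faults at run time. The names, field layout and sample event are constructed; the Python IndexError stands in for the out-of-bounds memory access in the native interpreter.

```python
"""Validator/interpreter count mismatch (added example, not CrowdStrike's code).
The flawed validator trusts the template definition's field count; the fixed one
checks against the number of inputs the interpreter actually hands to a rule."""

TEMPLATE_FIELD_COUNT = 21     # fields declared by the (constructed) IPC Template Type
INTERPRETER_INPUT_COUNT = 20  # inputs the interpreter really builds for a rule

# Constructed sample event: the interpreter only ever populates field0..field19.
SAMPLE_EVENT = {f"field{i}": f"value{i}" for i in range(INTERPRETER_INPUT_COUNT)}


def interpreter_inputs(event: dict) -> list:
    """Build the fixed-size input array the interpreter passes to every rule."""
    return [event.get(f"field{i}") for i in range(INTERPRETER_INPUT_COUNT)]


def validate_against_template(rule: list) -> bool:
    """Flawed validator: accepts any field index the template definition allows."""
    return all(0 <= idx < TEMPLATE_FIELD_COUNT for idx in rule)


def validate_against_interpreter(rule: list) -> bool:
    """Fixed validator: the bound is the array the interpreter actually supplies."""
    return all(0 <= idx < INTERPRETER_INPUT_COUNT for idx in rule)


def run_rule(rule: list, inputs: list) -> list:
    """Interpreter: fetch each input a rule references. Index 20 is out of bounds."""
    return [inputs[idx] for idx in rule]


def deploy(rule: list, event: dict, validator) -> str:
    """Gate a content update behind a validator, then execute it against an event.
    Returns 'rejected', 'ok' or 'crash' (the stand-in for a kernel-mode fault)."""
    if not validator(rule):
        return "rejected"
    try:
        run_rule(rule, interpreter_inputs(event))
    except IndexError:
        return "crash"
    return "ok"
```

The fix is not the larger bound but a single source of truth: the validator's limit must be derived from what the consumer of the content can actually supply.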

Microsoft: Exchange 2016 reaches extended end of support in October

Microsoft reminded today that Exchange 2016 will reach the end of extended support next year on October 14 and shared guidance for admins who need to decommission outdated servers. Exchange 2016 reached its mainstream end date in October 2020, while Exchange Server 2013 (the previous version) reached its extended end-of-support (EOS) date on April 11, 2023. “If you plan to stay on-premises, we recommend moving to Exchange 2019 as soon as possible. Only Exchange 2019 will support in-place upgrades to Exchange SE, marking the first time in many years that you can perform an in-place upgrade on any Exchange release,” the Exchange team warned. “You should start decommissioning Exchange 2016 servers in favour of Exchange 2019 now, to be ready for easy in-place upgrades to Exchange SE when it becomes available.”