Weekly Security News – 16th September 2024

Updates on the cyber attack at TfL, Fortinet confirms a data breach, a warning from Intel and loads of patches... all in this week's security news...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws

Microsoft has released security updates to address 79 vulnerabilities in Microsoft products. The security updates include four zero-day vulnerabilities, one under active exploitation and one publicly disclosed. Microsoft have reported that four vulnerabilities are under active exploitation. These are:

  • CVE-2024-38014
  • CVE-2024-38217
  • CVE-2024-38226
  • CVE-2024-43491

Additionally, security researchers are reporting that CVE-2024-43461 is under exploitation as a zero-day. The number of bugs in each vulnerability category is listed below:

  • 30 Elevation of Privilege Vulnerabilities
  • 4 Security Feature Bypass Vulnerabilities
  • 23 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 8 Denial of Service Vulnerabilities

Affected organisations are encouraged to review Microsoft’s September 2024 Security Update Summary and apply the relevant updates.

Adobe Releases Security Updates for Acrobat and Reader

Adobe has released security updates addressing two critical vulnerabilities affecting Acrobat products on Windows and macOS.

  • CVE-2024-41869 is a ‘use after free’ vulnerability with a CVSSv3 score of 7.8 which, if exploited, could allow arbitrary code execution (ACE).
  • CVE-2024-45112 is a ‘type confusion’ vulnerability with a CVSSv3 score of 8.6 which, if exploited, could allow ACE.

The following platforms are known to be affected:

  • Acrobat 2024: versions prior to 24.001.30187
  • Acrobat 2020: versions prior to 20.005.30680
  • Acrobat DC: versions prior to 24.003.20112
  • Acrobat Reader DC: versions prior to 24.003.20112
  • Acrobat Reader 2020: versions prior to 20.005.30680

Affected organisations are encouraged to review Adobe Security Bulletin APSB24-70 and apply the relevant updates.

Cyber Attacks

TfL cyber-attack: Thousands of passengers feared to have bank details exposed as teenager arrested

The cyber-attack that hit Transport for London a week ago is much worse than first thought, TfL admitted on Thursday as it was revealed a teenager has been arrested in connection with the hack. Names and phone numbers of passengers are thought to have been obtained, including some personal data from Oyster cards and Contactless bank cards used to make journeys on the capital’s public transport network. The hack is understood to have potentially exposed the bank account details of about 5,000 passengers – either via activity on their Oyster card account or refund data. This includes account numbers and sort codes. In addition, an unknown number of passengers who had signed up to TfL email alerts – for example, for regular email bulletins on the Elizabeth line or a particular Tube line – are thought to have had their name, home address or email account exposed. TfL said all passengers affected would be contacted directly. It said it was taking immediate measures to improve online security. The announcement came as the National Crime Agency revealed a 17-year-old male has been arrested on suspicion of Computer Misuse Act offences in relation to the attack.

Fortinet Confirms Data Breach After Hacker Claims 440GB Heist

Cybersecurity giant Fortinet, known for its firewalls and network security solutions, has confirmed a cybersecurity incident affecting its systems. The Fortinet data breach confirmation comes following a hacker’s claim of stealing a massive 440GB of files from the company’s Microsoft SharePoint server. Apart from selling secure networking products, the company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services. While the exact details of the Fortinet data breach remain unclear, the incident raises concerns about the security of sensitive information entrusted to the company. Fortinet quickly responded by acknowledging the unauthorized access. In a statement on its website, the company disclosed, “An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers.”

In Other News...

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

WordPress.org has announced a new account security measure that will require accounts with the ability to update plugins and themes to enable two-factor authentication (2FA). Enforcement is expected to come into effect starting October 1, 2024. “Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,” the maintainers of the open-source, self-hosted version of the content management system (CMS) said. “Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community”. Besides requiring mandatory 2FA, WordPress.org said it’s introducing what it calls SVN passwords, a dedicated password for committing changes. This, it said, is an effort to introduce a new layer of security by separating users’ code commit access from their WordPress.org account credentials.

Intel Warns of 20+ Vulnerabilities, Advises Firmware Updates

Intel on Tuesday published security advisories to inform customers about more than 20 vulnerabilities found in processors and other products. The chip giant has published four new advisories. One of them covers 11 vulnerabilities affecting the UEFI firmware for some server, workstation, mobile and embedded processors, including Atom, Xeon, Pentium, Celeron, and Core series products. More than half of the security holes have been assigned a ‘high severity’ rating. They can be exploited for local privilege escalation, and some can allow DoS attacks or lead to information disclosure. Another advisory describes a medium-severity processor vulnerability that can allow a local, privileged attacker to cause a DoS condition. The company has also informed customers about some processors being impacted by an information disclosure flaw related to the Running Average Power Limit (RAPL) interface.