This week, Microsoft and Adobe rolled out security updates for multiple products used by millions of users globally. Microsoft also expanded its Threat and Vulnerability Management solution for Linux and macOS, while Apple disclosed its assessment of potentially fraudulent activities on its App Store, which led to nearly one million app rejections and collectively saved customers $1.5 billion.
Let’s talk about security.
A lot has been said and done with respect to the security of applications, systems, networks, etc., but when it comes down to business, the products that end users use are the most crucial in drawing the line of defense against threat actors. Operating systems, productivity applications, device hardware, and even the undecorated internet browser can have major ramifications on the end user.
This week, Microsoft, Adobe, Qualcomm, and Apple came up with multiple updates which can impact millions of users worldwide.
Security Updates
The second Tuesday of this month heralded Microsoft’s May Patch Tuesday. This month’s security patches from Redmond pertain to 32 of its products and services including Microsoft Office, Windows 10, Internet Explorer, wireless networking and more.
In total, the May edition of Microsoft Patch Tuesday features fixes to 55 vulnerabilities, four of which are rated ‘critical’ in severity, 50 are rated ‘important’, while the remaining one is rated moderately severe. Fortunately, none of these are under active exploitation so users can rest easy, although not too easy since a flaw residing in multiple Adobe products is in fact under active exploitation.
Not to worry though, as patches for the vulnerability in Adobe Acrobat and Reader are out and available for download. So if you’re an Adobe and Windows user, and automated downloads are turned off, you may want to patch your system by downloading updates here for Windows and here for Adobe before continuing to read.
The most concerning flaw in Windows allows an attacker to get their hands on the contents of encrypted wireless packets on an affected system. It is tracked as CVE-2020-24587. Notice the year of its discovery, which means the tech giant has been working on fixing it, along with two other CVEs (also from 2020), for a while now.
Internet Explorer is seldom used today owing to much better options. Still, it would be prudent to update it to fix CVE-2021-26419, which can allow a threat actor to execute arbitrary code on the machine in the context of the current user. Additionally, users of Skype for Business and the Bluetooth driver in Windows are at risk of remote code execution (RCE) and spoofing threats, respectively.
A few other RCE flaws (CVE-2021-31180, CVE-2021-31175, CVE-2021-31176, CVE-2021-31177, and CVE-2021-31179) in Microsoft Office were also patched, although the most serious one affecting end users is CVE-2021-31166.
CVE-2021-31166 is a wormable flaw in the HTTP protocol stack that lets an attacker remotely execute code with kernel privileges by sending a specially crafted message. The rest of the flaws are nothing an end user would lose sleep over; however, the same can’t be said for professionals working on Microsoft Hyper-V hypervisor, Visual Studio, SharePoint Server, and Microsoft Exchange Server.
Besides Microsoft, Adobe also lines up its patches for the second Tuesday of every month. This Patch Tuesday, Adobe fixed an RCE flaw within Adobe Acrobat and Adobe Reader for both Windows and macOS. CVE-2021-28550 affects Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017.
A zero-day flaw, CVE-2021-28550 also allows arbitrary code execution in the context of the current user. Vulnerabilities in applications such as Adobe Reader and Office are a huge concern, primarily because of their pervasiveness and popularity across almost all industries.
Besides CVE-2021-28550, Adobe also addressed 14 other vulnerabilities residing in Adobe Experience Manager, Adobe Creative Cloud Desktop Application, Adobe InDesign, Adobe Illustrator, Adobe InCopy, Adobe Animate, Adobe Genuine Service, Adobe After Effects, Magento, Adobe Media Encoder, and Adobe Medium.
Threat and Vulnerability Management for Linux
Microsoft’s core security updates are complemented by an important announcement: the company is expanding its secure configuration assessment capabilities to Linux and macOS, in addition to Windows.
With computer devices being a major entry point for hackers into organizations, Threat and Vulnerability Management (TVM) for Windows and Windows Server is used to gain real-time insights into system risk and exposure, discover vulnerabilities, prioritize them in accordance with impact area, asset value and the likelihood of being breached, and finally remediate them.
Gilad Mittelman, Senior Product Manager, Microsoft Defender ATP Threat & Vulnerability Management (TVM) at Microsoft, wrote, “With this expansion, organizations can now discover, prioritize, and remediate over 30 known unsecure configurations in macOS and Linux to improve their organization’s security posture. We’ll be continuously expanding on the initial set of supported configuration assessments to provide more visibility into your security posture.”
75% of computers worldwide run on Windows, but with TVM for Linux and macOS, Microsoft has effectively covered all major operating systems in use today. The expansion can be particularly beneficial to organizations facing new security challenges since hybrid work became the norm last year.
Currently in public preview, TVM for Linux is available for RHEL, CentOS, and Ubuntu, with Oracle Linux, CentOS, SUSE, and Debian Linux distributions. Microsoft has also planned further expansion to cover Android and iOS before the end of summer.
TVM has security professionals written all over it, so before signing off, let us get back to end users with Apple’s crackdown on suspicious App Store entries.
The $1.5 Billion Worth Bust
It seems the Apple App Review team was quite busy last year now that the company has revealed that it rejected approximately one million app submissions and an equal number of app updates in 2020.
The company provided a breakdown of these rejections. Of the total, Apple rejected:
- 48,000 apps for using hidden or undocumented features
- 150,000 apps because they were misleading, spam, or illegitimate imitators
- 215,000 apps for privacy violations, such as collecting more user data than necessary, and others
- 95,000 apps were removed for bait-and-switch fraud
In a bait-and-switch tactic, the app developer presents an app for a specific function and later changes it after initial review. As such, Apple kicked out 470,000 existing developer accounts and 205,000 new enrollments, citing fraudulent activities.
Further, Apple also deactivated 244 million customer accounts and rejected 424 million attempted account creation requests owing to fraudulent and abusive activity. The company estimates that overall, these rejected apps could’ve defrauded its customers of more than $1.5 billion.
Apple has always been predisposed to being reticent when it comes to its App Store policies. But things have taken a turn since Epic Games filed an anticompetitive lawsuit, and since HEY took the battle public. More recently, the European Commission (EC) also conveyed its concerns over the Apple-Spotify case, for which Apple has until July to respond.
Before disclosing this data, Apple slashed in-app purchase commissions to 15% for certain apps, which makes sense considering the fight was against Apple’s opaque pricing. But Apple’s move to suddenly be transparent about App Store statistics ahead of its response to the EC may not have the pull that the company hopes it will.
Nevertheless, it is reassuring that Apple customers are being protected.
Closing Thoughts
The precariousness of the security fabric of a system owned by an end user, whether from vulnerabilities, human error, or blatant fraud, is a threat. But so far, so good, at least this week, for the users of Windows, Linux, macOS, and iOS, provided they’re making necessary updates. And as much as we’d like to add Android to the list, it is uncertain whether all devices will receive security updates for the Qualcomm modem chip flaw.
Vigilance is the price we all must pay for security.