This week was filled with flaws, flaws and more flaws: From a zero-day under active exploit in the WhatsApp messaging app, to Patch Tuesday glitches addressed by Microsoft. Threatpost breaks down the top vulnerabilities of the week, including:
- A WhatsApp zero-day vulnerability being exploited in targeted spyware attacks
- Several Cisco vulnerabilities, including a critical remote code-execution (RCE) vulnerabilities in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network (EPN) Manager; and an unpatched, high-severity Secure Boot flaw that was disclosed on Monday
- A new class of speculative execution vulnerabilities in all modern Intel CPUs, dubbed Microarchitectural Data Sampling (MDS)
- A Microsoft patch released on Patch Tuesday for an elevation-of-privileges vulnerability rated important, which is being exploited in the wild
- Apple rolling out 173 patches in various products across its hardware portfolio, including for dangerous bugs in macOS for laptops and desktops, iPhone, Apple TV and Apple Watch.
Click here for direct download.
Below find a lightly-edited transcription of the news wrap podcast for the week ended May 17.
Lindsey O’Donnell: Welcome to the Threatpost news wrap podcast for the week ended may 17. You’ve got the Threatpost team here, which is myself, Lindsey O’Donnell, as well as editors Tara Seals and Tom spring. How’s everyone doing?
Tara Seals: Hey, Lindsey.
Tom Spring: Lindsey, hey.
Lindsey: I feel like the big news of the week really revolved around just a ton of vulnerabilities. We had some interesting Microsoft flaws that were disclosed and fixed on Tuesday. But then there was also a zero-day flaw revealed in the WhatsApp messaging platform. There were some new side channel flaws revealed in Intel CPUs. There were Apple, Adobe patches. So just a whirlwind of vulnerabilities. So crazy.
Tom: Yeah, it was, it was pretty nuts. And, you know, we still have some of the week left to see some more patching. And you know, we’re just really scratching the surface with what we covered. I mean, there were so many patches this week. We couldn’t cover them all. I know that, who else had patches – Schneider Electric. And I mean, it just ran the gamut. I just kept on seeing US-CERT alerts in my inbox all week long.
Lindsey: Yeah, it’s been crazy. I’m sure we won’t even see the end of it for this week. Tom, you led Tuesday off with some nice coverage of Microsoft Patch Tuesday. I mean, it looked like there was a zero day bug that you wrote about that was under active attack. What were some of the main takeaways there?
Tom: Well, you know, it was really interesting Patch Tuesday. There were sort of your garden variety of vulnerabilities that were patched and then there was one mysterious one where they didn’t really get into the technical specifics of it. And that was actually a zero day that Microsoft reported, that was being exploited in the wild. And it wasn’t a critical vulnerability. I believe it was an important vulnerability if I’m not mistaken. And it was tied to the Windows Error Reporting System. And that is essentially a Windows version of event feedback infrastructure kind of thing, where hardware and software problems are detected, and you report back to Microsoft, but the vulnerability, again, it was a little mysterious in terms of what Microsoft was sharing regarding this vulnerability. I think they were very sensitive to the fact that it was being exploited in the wild. And we’ll probably learn more about it as the days come. But, that was really an interesting vulnerability, right? Anything that’s being exploited in the wild and zero day is always interesting to me.
But then there was this other vulnerability. And I don’t know who coined the name of the vulnerability. I’m seeing it more and more today for the first time. It’s called a Bluekeep vulnerability. And this was a critical patch. So this Bluekeep vulnerability impacted the Remote Desktop Services within Windows. And what made it really interesting was that it didn’t affect newer systems, new Window systems – It affected older systems, such as Windows 7, Windows Server 2008. And it was also a “Wormable” flaw, meaning that if exploited, we could have had the potential of seeing something along the lines of the worm, WannaCry, the ransomware malware of 2017. Microsoft was warning that this was a really bad one, this was a really nasty one. And then that likely there were exploits being developed in the wild. And this one could cause some serious problems. So again, really interesting that Microsoft was releasing patches for unsupported operating systems and that they were giving such a harsh warning on this one. It was really interesting, in terms of Patch Tuesday, and then I’m going to kick this right off to you, Lindsey. They also had a lot of notifications, a lot of information and some patching mitigation information on the Intel flaws, which was another huge patch, a vulnerability that we learned about this week. Right?
Lindsey: Yeah. So basically, if you remember Spectre and Meltdown, Intel revealed a new class of similar types of vulnerabilities which are side-channel flaws that take advantage of a process called speculative execution in CPUs. So Intel came out on Tuesday and disclosed a new class of side channel flaws that were impacting all modern Intel chips back to, I think 2011 was the oldest generation that was impacted, and basically, these types of attacks can potentially leak sensitive data from a system CPU. And it was a little confusing because a lot of the different names were being thrown around for the various flaws and the various attacks, but from a high level Intel said that the new class of flaws is called microarchitectural data sampling or MDS. It’s funny because the attacks themselves, which were discovered and disclosed by various researchers, all had much more, in my opinion, interesting names. One of them was called Zombieload and the other was called Fallout. So it’s kind of funny putting those up to Intel’s names. But basically, this has been the accumulation of about a year of working to report and disclose and offer mitigation for these types of flaws. And I think that there were just so many different researchers who were involved in in various flaws and attacks for this. So it was just a lot of effort from different researchers working to disclose these flaws.
Tom: Yeah, I found it really interesting. I read somewhere that a patched processor was going to see a 9 percent performance hit. I mean, it really begs the question how many people are going to want to patch something where you’re going to see that type of performance hit on your system to obtain that level of security? You know, it’ll be interesting to watch.
Lindsey: Yeah, no, it’s definitely a good point. That was part of all of it. And so, you know, as you mentioned, Intel has offered mitigation but then in addition to those mitigations for existing CPUs, they also said that the flaw will be addressed in hardware starting with select eighth and ninth generation Intel Core processors, and second gen Intel Xeon scalable processors, and then future chips will have integrated fixes as well. But beyond what Intel’s doing, Tom, like you mentioned, we saw a bunch of different OEMs roll out their own scheduled update processes to correlate with these flaws such as Red Hat, Oracle, Microsoft, Apple. So, you know, this was really an effort that had waves across the industry. And I mean, from my perspective I think it’s just another indication that side channel speculative execution attacks are not going anywhere – they’re going to continue to plague the chip industry. Back in August even beyond Spectre and Meltdown we saw Foreshadow, I think that this will just continue, unfortunately.
Tom: Yeah, well, it’s interesting that these most recent flaws are not impacting any other chips, if I’m not mistaken, other than Intel, is that correct?
Lindsey: Yeah. So AMD came out and said that they are not impacted.
Tom: You know, the one thing I keep waiting for is Spectre and Meltdown attacks. I mean, I know that there’s tons of proof of concepts. I’m grateful that we haven’t and I don’t know if it’s just a matter of time.
Tara: I actually had a question on that, Lindsey, because I know I covered the Apple updates, and they had addressed the side channel flaws. And they said that in the case of Apple, all of their Macbooks are impacted going back to 2011. And so it’s obviously a concern for Mac users everywhere to apply these updates and kind of get things up to speed but what was interesting is that they said that danger was only really from local attackers. There was no sort of remote way to exploit this. Is that the intel that you have as well?
Lindsey: Intel definitely came forward and said that it would be difficult to attack these vulnerabilities. I think that they made note that I think on the CVSS scale, the flaws basically range from between just over three out of 10, up to I think it was like 6.5 out of 10. So they’re not really critical flaws. I think people take note of these types of flaws, because they are just something that’s going to continue to plague the industry. And so I think that’s kind of why it got all the news coverage that it did at this point.
Tara: Yeah. And there’s just so widespread.
Lindsey: So but Tara, I know that you were also covering patches of your own. I know Cisco had some interesting flaws, anything that you saw, anything kind of interesting there?
Tara: Yeah, so there were a couple of things. So, first of all, you know, Cisco has an unpatched bug that they disclosed on Monday that we covered, that impacts literally millions and millions of devices. It basically exists on almost every single piece of hardware that they sell into the enterprise business market, so you know, that that’s a concern, obviously. And it’s a high severity vulnerability that makes it possible for a remote code execution. So, you know, it’s not a trivial bug by any stretch of the imagination. So I really was interested to cover that and a little bit shocked, to be honest, in terms of exactly how many enterprise military government networks are affected by it.
Tom: You know, Cisco had one of the most prolific bug reporting months I think I’ve ever recalled in recent history, I know that both Lindsey and I have also covered Cisco patches all month long, I kind of feel like I want to give them credit for being as transparent as they are being right out there with all of their bugs. And I also kind of want to be critical them for having so many bugs, you know, and it’s kind of a chicken and egg thing because just given the sheer amount of gear that they put out there in the marketplace. So, you know, from a sheer volume perspective, it’s probably maybe surprising they don’t have more to be honest, but some of these businesses tend to be, you know, really impacting, because they have such a huge installed footprint of stuff out there.
Tara: The one that I just mentioned exists in the Secure Boot hardware that they use. That’s their trusted execution environment. So, you know, again, it’s something to take notice of, and then, you know, they also issued a ton of patches and updates yesterday and today, one of which was an update to that unpatched bag saying that in some cases, they won’t even be able to issue fixes until as late as November depending on what the products that is so, you know, they are being very transparent, but it’s also a little bit alarming once you pull back the covers on some of this stuff, because it’s not really just another patch, or another bug.
Tom: so I’m going to put on my tin foil hat for two seconds, and come up with a cockamamie theory that has to do with Huawei. And some of the accusations that back doors exist within their networking in their telecom gear. And I think wow, we don’t have to go there. But I think there’s a sense that when you take a look at some other companies, and you take a look at some of the bugs, those could be perceived as on the same level as a vulnerability as perceived within Huawei. And I wonder whether or not Cisco is going bending over backwards to make sure that, you know, there’s no perception that it’s not trying to patch every single bug within its product catalog.
Tara: I think that’s a really good point. Actually, there are a couple of really good points there. One is that, just the sheer amount of coding effort that it’s probably taking to address all the different bags that they have is probably kind of herculean, props to them for that, and for investing in it and being transparent about it. But the other point that you made about Huawei and the other telecom suppliers is that they underlie everything that we use every single day. It’s sort of against the Intel side channel flaws. No one is immune right and Huawei is one of the top five telecom manufacturers out there. Cisco actually issued a critical patch for a telecom bag today that impacts the management interface that service providers use – the full range of types of service providers out there that are serving millions and millions and millions of customers across the US and other countries.
You know, this bag impacts all of them because it is in their core network management software. And it allows remote code execution without any sort of authentic authentication by the attacker, you can just kind of get in there and do your thing, and then boom, all of a sudden, millions of subscribers are potentially impacted by it. So it’s… an infiltrate once and impacts billions of potential and points.
Tom: No, I hear you. I mean, there’s a there’s a lot a lot at stake. And, and I guess, again, it’s like one cancels out the other, kudos to them for their transparency. But let’s get the code right the first time.
Lindsey: Yeah, and that’s interesting, too, because that bug that you were just talking about Tara was disclosed after all their other fixes as well, right?
Tara: Initially, they disclosed it on Wednesday. But then on Thursday, they issued an updated advisory for it that clarifies what exactly was vulnerable, how severe it was in terms of what all was impacted.
Tom: You know, I think we were all impacted by bugs. I feel like I’m gonna take a shower after this.
Lindsey: We didn’t even talk about the WhatsApp bug either.
Tom: Oh yeah, that’s how you covered the WhatsApp bag, which was a huge story. That was a huge story.
Tara: Yeah. Oh my God, this has been a whirlwind. Doesn’t it just kind of set the tone for the week for sure? So what was that all about? I have to confess it’s been so busy with other patches. I didn’t really delve too far into that, Lindsey.
Lindsey: Yeah, so over the weekend, a zero day vulnerability was disclosed in the WhatsApp messaging platform. And it was exploited by attackers in targeted attacks. Not widespread but they were able to inject spyware onto victims phones in using this app. And what stuck out about the attack was that all you had to do is call someone on their WhatsApp app. And then that was how you were able to exploit the flaw and then install the spyware.
Tara: Oh my gosh.
Lindsey: So the WhatsApp flaw is now patched but you know, obviously that gained a lot of media coverage because first of all it was in an end to end encryption type of form of communications and that had people unnerved. And then the other aspect of it was this whole part about how the spyware us seem very similar to that of that is sold by the NSO Group. That kind of led a lot of people to go up in arms there. But basically, the NSO Group is finding itself in some hot water after that.
Tara: Yeah. So sort of an unintended consequences kind of story.
Lindsey: Yeah, I keep seeing new stories about the NSO Group, you know, because it has this Pegasus spyware that it sells and lets governments use. And basically, a lot of human rights types of companies are saying, well, this is being used against government dissidents, it’s being used against human rights activists. So I think that there’s kind of a lot of controversy there already.
Tara: For sure. Like, I remember Amnesty International actually came out not too long ago saying that Pegasus have been used, or alleging that the Pegasus had been used against some of its representatives. And so yeah, it’s been a human rights story for a while. And meanwhile, and so as you pointed out, you know, they keep saying oh, no, we that our clients very carefully we only trade with, you know, governments that are on the up and up and there’s no issue with our business model, so it’s a “he said she said” sort of situation, but when you get evidence, like what, has turned up in this WhatsApp situation, it kind of makes you think for sure.
Lindsey: Speaking of Amnesty International after all this happened, they and a couple of other human rights groups said that they plan to file a petition in Israeli court to revoke and NSO Group’s export license, which would bar the company from making export transactions for its products. So we’ll see kind of how that works out. But definitely an interesting part of the entire story. Well I hope next week, we don’t have as many flaws as we did this week.
Tara: Yes, yes, indeed.
Lindsey: Well, Tom, Tara, thanks for coming on to the Threatpost news wrap to talk a little bit about the patch craziness this week.
Tom: My pleasure. Thanks so much, Lindsay.
Lindsey: All right. catch us next week on the Threatpost news wrap.
Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.
