Maksim Kabakou - Fotolia

A vulnerable week: Tech firms scramble to release patches

It's been a tough week, with vulnerabilities found in Microsoft, Apple and Google platforms. Even Mumsnet has been attacked

A number of vulnerabilities have been discovered this week, leaving the likes of Microsoft, Apple and Google all reeling to get patches released.

Microsoft released an urgent patch to secure a zero-day exploit found in all versions of Internet Explorer. The vulnerability, named CVE-2015-2502, could potentially allow a wrongdoer to gain admin privileges through a malicious website.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” Microsoft said in its security advisory. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability.”

Windows 10’s Edge browser, which replaces the IE family, is not affected by the flaw.

Mac OSX

Apple often gets to sit back and laugh at Microsoft when vulnerabilities are discovered, but as its OSX gains popularity, hackers are readjusting their sights; and this week, Apple got some pie in its face.

The bug was discovered by a hacker who describes himself on Twitter as an 18 year-old Italian called Luca Todesco. The developer made the vertical privilege escalation security flaw public and has received criticism from the development community for not giving Apple the chance to patch the vulnerability.

In response the critics Todesco said: “This is kinda getting out of proportion. Best outcome for me would have simply been to stay quiet. I had reasons to drop it the other day.”

The tpwn exploit, which exists in all versions of publicly released OS X, requires physical access to a system in order to implement an attack, but could potentially be exploited if a user were install malicious software. Todesco recommends that users install SUIDGuard, available as an installer on Github, to protect themselves from the exploit.

In typical Apple fashion, the OS-maker has declined to comment.

Android

Yet another bug has been found in Google’s Android operating system, affecting all versions dating back to 2.3, released five years ago.

The flaw utilises the mediaserver component, and is similar to the Stagefright bug, allowing malicious applications to execute arbitrary code, says Trend Micro.

“This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop,” Trend said in an advisory.

“An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. Devices with customized versions of Android but with no modification made to the mediaserver component are also affected.”

Google has released a patch for the bug, but due to the disparate Android ecosystem, it could take weeks or even months to reach devices.

Read more on Threat Management Solutions and Services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

ComputerWeekly.com

SearchITChannel

Close