Security Snacks #5 – Avalanche of security updates, Zoom snooping & The 2020 business threat landscape

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Patches, patches and more patches! This sums up the past couple of weeks. Patching remains a challenge for a lot of organizations as confirmed by a new report on the 2020 business threat landscape: 63% of reported unpatched vulnerabilities are more than two years old!

However, patching doesn’t cure all issues. Take video conferencing software for instance. Hackers can guess what people are typing based on their movements! So, how do we protect ourselves from these attacks?

Notable Security News

Microsoft November 2020 Patch Tuesday arrives with fix for Windows zero-day

Remember CVE-2020-17087, the Windows zero-day that Google Project Zero disclosed two weeks ago? Cybercriminals were exploiting it in the wild, chained with a Chrome zero-day (CVE-2020-16009), to gain remote access to Windows 10 and Windows 7 systems. Microsoft has released a patch for it along with fixes for the rest of this month's vulnerabilities: 112 in total, 17 of them rated critical.

Google patches two more Chrome zero-days

Google has patched no fewer than five Chrome zero-days in the past three weeks, all of them exploited in the wild. That alone is reason enough to patch without delay, but if you want more technical detail, here's a summary:

  • CVE-2020-15999 affects Chrome's FreeType font rendering library and was exploited in combination with the Windows zero-day mentioned above.
  • CVE-2020-16009 is a Remote Code Execution in Chrome’s V8 JavaScript engine.
  • CVE-2020-16010 impacts only Chrome for Android.
  • CVE-2020-16013 is an implementation flaw in Chrome V8.
  • CVE-2020-16017 is a memory corruption bug in Chrome’s Site Isolation.

Oracle Rushes Emergency Fix for Critical WebLogic Server Flaw

Oracle released a patch for CVE-2020-14750, an unauthenticated Remote Code Execution in WebLogic Server with a CVSS score of 9.8/10. If this sounds familiar, it is because it is related to CVE-2020-14882, another WebLogic RCE whose fix was easy to bypass. I've got the feeling this isn't the last we will hear about these vulnerabilities…

BitDefender 2020 – Business Threat Landscape Report

This report has interesting findings on how attacks are shifting in the context of the coronavirus pandemic and work from home. For example, 63.63% of all unpatched vulnerabilities reported during the first half of 2020 involve known vulnerabilities that are older than 2018!

Zoom Snooping: How Body Language Can Spill Your Password

Researchers are able to guess what people in Zoom calls are typing. By observing arm and shoulder movements, they can infer the keystrokes being typed. Although the accuracy varies with many factors (e.g. the background, what the person is wearing, noise…), it is worth knowing that such attacks against video conferencing software are possible.

Other Interesting News

Cybercrime

Vulnerabilities

Reports

Responsible disclosure

Tech

Misc.

Intigriti News

Congratulations to our new Intigriti 1337 hackers!