Weekly Security News – 20th May 2024

Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

Microsoft releases May 2024 Security Updates

Microsoft has released security updates to address 60 vulnerabilities, including two that are actively exploited. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. Users and administrators are encouraged to review the following advisory and apply the necessary updates.

Microsoft has detected exploits for vulnerabilities CVE-2024-30040 and CVE-2024-30051.

  • CVE-2024-30040 Windows MSHTML Platform Security Feature Bypass Vulnerability. An attacker could gain code execution through convincing a user to open a malicious document, at which point the attacker could execute arbitrary code in the context of the user.
  • CVE-2024-30051 Windows DWM Core Library Elevation of Privilege Vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Apple Releases Security Updates for Multiple Products

Apple has released a security update to address one zero-day vulnerability and several other vulnerabilities for multiple products. The zero-day vulnerability in the Safari web browser, which has been designated CVE-2024-27834, has a CVSSv3 score of 9.1 and could allow an attacker with arbitrary read and write capability to bypass pointer authentication. CVE-2024-27834 was successfully exploited at the Pwn2Own Vancouver 2024 hacking contest. Exploits discovered in this way are not usually publicly disclosed for 90 days. While exploitation has not been observed in the wild for this vulnerability, the existence of an as-yet undisclosed working exploit makes the possibility more likely.

Mozilla Releases Security Updates for Firefox and Firefox ESR

Mozilla has released security updates to address 16 vulnerabilities in Firefox and Firefox ESR, with two of the vulnerabilities rated as high.

  • CVE-2024-4764: Use-after-free when audio input connected with multiple consumers.
  • CVE-2024-4367: A type check was missing when handling fonts in PDF.js. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user.

Nine medium-severity and five low severity vulnerabilities were also addressed. Affected organisations are encouraged to review the Mozilla Foundation Security Advisories and apply the relevant updates from the advisories below.

Google Releases Security Update for Vulnerabilities CVE-2024-4761 and CVE-2024-4947

Google has released a security update which addresses a high severity vulnerability in Google Chrome for Windows, Mac, and Linux. The high severity vulnerability, designated as CVE-2024-4761, relates to an out of bounds write in V8.  This could allow a remote attacker to perform an out of bounds memory write via a crafted HTML page. Google acknowledges that an exploit for CVE-2024-4761 exists in the wild. Affected organisations are encouraged to review the Chrome Release 124.0.6367.207 advisory and apply the necessary updates to the latest release.

Google has also released a security update which addresses one exploited vulnerability, CVE 2024-4947, and eight others in Google Chrome for Windows, macOS, and Linux. Google acknowledges that an exploit for CVE-2024-4947 (Type Confusion in V8) exists in the wild. Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Affected organisations are encouraged to review the Chrome Release 125.0.6422.60 advisory and apply the necessary updates to the latest release.

Cyber Attacks

Nissan Data Breach Impacts 53,000 Employees

Nissan North America informed the Maine Attorney General this week that a ransomware attack launched last year resulted in the personal information of employees getting compromised. According to the company, it learned in early November 2023 that a threat actor had gained access to its systems through an external VPN. The attacker did not encrypt data or disrupt any systems, but it did steal files from local and network shares and demanded a ransom. An initial investigation showed that the files potentially accessed by the hackers only contained business information. However, in late February 2024, Nissan determined that the compromised files did include personal information, mainly related to current and former employees, including names and social security numbers.

Personal Information Stolen in City of Wichita Ransomware Attack

The City of Wichita, Kansas, has revealed this week that files containing personal information were stolen in a ransomware attack in early May.The city disclosed the incident on May 5, when certain systems were shut down as a containment measure, to stop the spreading of file-encrypting ransomware deployed during the attack. The city said at the time that some of its online services were impacted, but not first responders, which immediately switched to business continuity measures. Payments across several services continue to be down. This week, Wichita revealed that, between May 3 and 4, the attackers copied certain files from its network and that those files contain personal information.


Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices

Apple and Google on Monday officially announced the rollout of a new feature that notifies users across both iOS and Android if a Bluetooth tracking device is being used to stealthily keep tabs on them without their knowledge or consent. “This will help mitigate the misuse of devices designed to help keep track of belongings,” the companies said in a joint statement, adding it aims to address “potential risks to user privacy and safety.” The proposal for a cross-platform solution was originally unveiled exactly a year ago by the two tech giants.