Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.
Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.
‘Unpatchable’ flaws in Apple’s T2 security chip
A certain iteration of Apple’s T2 security-centric co-processing unit is embedded with two critical flaws that can be exploited in combination to grant hackers full access to targeted macOS devices.
‘Checkm8’, originally an iPhone vulnerability, and ‘Blackbird’ can be exploited in the T2 security chips built on Apple’s A10 architecture, present in some, but not the newest, Macs.
The Checkm8 bug allows hackers to circumvent the activation lock, and ‘jailbreak’ targeted devices. Once this happens, the T2 chip would normally exit with a fatal error if it recognised that the Device Firmware Update (DFU) mode was enabled. With the Blackbird exploit, however, hackers are able to bypass this critical security check, and gain full root access to the device.
Alarmingly, according to Iron Peak, the core vulnerability can’t be patched through software updates, as the T2 operating system is stored in read-only memory for security reasons. The bugs currently affect Mac devices shipped with Intel CPUs, and may not affect units fitted with Arm-based processors, although there’s no guarantee.
85 flaws in Android and Google Chrome
Google has released patches to fix severe bugs in both its Chrome web browser and its Android operating system this week. The firm fixed 35 flaws in the former, and more than 50 vulnerabilities in the latter.
With the release of Chrome 86, Google has patched a critical flaw in the browser’s payments component, tagged CVE-2020-15967. This is a…