This week is a big patch week, with Microsoft and Oracle releasing hundreds of fixes for their software. Moreover, Zoom continues to bring headaches to the cybersecurity industry, while an unusual alliance formed to battle COVID-19. Let's see what happened in more detail.
1. It's Patch Tuesday again, and this time Microsoft has patched 113 security vulnerabilities across several Windows versions and related software. Nineteen of those vulnerabilities were rated "critical", and at least three of the fixed flaws were being actively exploited. Notable patched flaws include an exploitable bug in the Adobe Font Manager library that was seen in active attacks, and CVE-2020-1027, which affects Windows 7 and 10 and can result in privilege escalation for a locally authenticated user. As always, we recommend that users patch their systems to stay safe from malicious exploitation.
2. As reported by the Wall Street Journal, Travelex seems to have paid $2.3 million worth of Bitcoin to the REvil ransomware gang, which was behind the ransomware attack on its systems. The attackers threatened to publish personal customer data stolen from the company's network if the company did not give in to their demands. Whether a ransom should be paid or not is a divisive topic, since paying encourages more ransomware attacks.
3. Google and Apple have joined forces to create an application that will help people determine whether they have come in contact with someone infected with COVID-19. The app will use Bluetooth Low Energy beacons to enable contact tracing. A benefit of this new approach is that it does not involve any user location tracking or other identifying data, so privacy is not compromised. Apple has even launched a new website detailing the Bluetooth and cryptography specifications and the framework of the API.
4. Oracle has released its collection of security patches for April 2020, which includes 367 fixes for vulnerabilities affecting two dozen products. Sixty of those vulnerabilities are flagged as "critical". The patched products include the E-Business Suite, Fusion Middleware and GraalVM. Customers are advised to apply the newly released security patches as soon as possible to protect themselves from attacks.
5. Another week, another security concern for Zoom, as two zero-day vulnerabilities are reportedly on sale for $500,000. The vulnerabilities are currently present in Zoom's Windows and macOS clients and, if exploited, can potentially lead to remote code execution on the target's endpoint, which could result in espionage and data leakage. India, on the other hand, has joined the club of nations and organizations that have banned Zoom from their official government agencies. Moreover, the nation's Cyber Coordination Center has issued a warning for everyday users about Zoom's weak authentication methods and how to use it securely.