16.08.2023
Weekly Vulnerabilities Review (August 9 – August 15)

Let’s take a brief look at last week’s vulnerability and cybersecurity news. In the spotlight: Ford, ScrutisWeb, Iagona, CISA, Visual Studio, Claroty, Western Digital, Microsoft, Intel, SAP, AMD.

Ford has clarified that a vulnerability detected within the Wi-Fi driver of its SYNC 3 infotainment system, equipped in select Ford and Lincoln models, doesn’t jeopardize vehicle safety. The glitch, referenced as CVE-2023-29468, affects the Texas Instruments Wi-Fi driver, incorporated in at least twelve vehicle models.

Concerning discoveries have been made in the ScrutisWeb ATM monitoring software by the French tech firm Iagona. The identified vulnerabilities could allow ATMs to be compromised remotely. The discovery was attributed to members of the Synack Red Team, and Iagona promptly addressed the issues, introducing fixes in ScrutisWeb version 2.1.38, released in July 2023.

The spotlight is also on the US Cybersecurity and Infrastructure Security Agency (CISA), which highlighted a pressing zero-day flaw affecting Microsoft’s .NET and Visual Studio. This vulnerability, tracked as CVE-2023-38180, was fixed in Microsoft’s August 2023 updates. The same updates also addressed another flaw, CVE-2023-36884, in the Office suite, which was reportedly exploited by Russian threat actors.

Shifting focus to the realm of IoT and industrial cybersecurity, Claroty has identified significant vulnerabilities in Western Digital and Synology network storage products. Such vulnerabilities could potentially expose a multitude of user files. The real-world impact of these vulnerabilities was demonstrated at the Pwn2Own Toronto hacking contest in December 2022, where participants walked away with almost $1 million after demonstrating exploits against a range of devices, including smartphones and smart speakers.

Microsoft, for the fourth year running, reports significant payouts through its bug bounty programs. The company confirmed disbursing $13.8 million to 345 researchers from over 45 countries in the one-year span from July 2022 to June 2023. The rewards covered more than 1,100 vulnerability submissions and included a single top-end payout of $200,000.

Intel recently published 46 security advisories, informing users of 80 vulnerabilities in its firmware and software components. Alarmingly, 18 of these are rated high severity; some allow privilege escalation and a few could be used for denial-of-service attacks.

German software heavyweight SAP isn’t without its share of challenges either. It patched numerous vulnerabilities in its August 2023 updates, including a notable flaw affecting its PowerDesigner product. SAP released 16 new patches, in addition to revising several earlier ones.

Lastly, a new CPU side-channel attack technique named “Inception” has been disclosed, affecting AMD chips. Discovered by researchers from ETH Zurich in Switzerland, the method could let local attackers extract sensitive information such as passwords or encryption keys from systems equipped with an AMD Zen processor.