Looking Back at 2019’s Nastiest Software Vulnerabilities

Rhett | December 18, 2019

As 2019 draws to a close, we want to look back at the year’s biggest security breaches. Some we chose because of the damage they caused, others because of how easily they could have been avoided, just by using stronger passwords or paying attention to warnings. Even the more complex ones could have been prevented by applying a risk-based approach to vulnerability remediation.

Without further ado, here’s 2019’s Nasty Nine:

1. Eavesdropping via Apple’s FaceTime

In January, a 14-year-old boy accidentally discovered that Apple’s FaceTime group chat feature let him listen to conversations near other people’s iPhones and iPads, even when those people were not using the device. The vulnerability was formally identified as CVE-2019-6223.

To make things worse, Apple disregarded attempts to contact it, acknowledging the issue only a month after it was first reported. Even granting the many false alarms Apple receives, the company took too long to act on a problem reported in the wild.

2. 197 Vulnerable Browser Extensions

Also in January, French researcher Dolière Francis Somé reported that malicious websites could use 197 browser extensions, affecting Chrome, Firefox, and Opera, to steal user data from the browser history and from the user’s personal computer. Somé notified the browsers’ security teams before releasing his findings. It should be noted that of over 78,000 known extensions, fewer than 200 were vulnerable, but of these, approximately 30 had been downloaded over 10,000 times.

3. Thunderclap Affects Select USB-C and DisplayPort Hardware

February saw the disclosure of the “Thunderclap” vulnerability, which could be used to steal data from laptops charged by USB-C and DisplayPort hardware. The team that discovered the vulnerability disclosed it to Microsoft and Apple in 2016, and both remedied the problem in recent operating systems. The malware involved must be installed on the hardware itself, so it was apparently designed for attacks against specific computers. Nonetheless, you might want to think twice before using chargers on display in public places.

4. “Thrangrycat” Targets Cisco Hardware

In May, a team publicly announced a flaw in Cisco’s Trust Anchor module (TAm) that they had previously disclosed to the company (most cybersecurity experts give the affected parties lead time before disclosing theoretical vulnerabilities). Malicious actors could use this flaw to open a permanent back door into Cisco hardware. While the discoverers doubt that any patch can fix a hardware problem, they also note there are no reports of the exploit being used in the wild. The threat is the first to be named with an emoji.

5. Exploiting Bad Passwords Via BlueKeep

Also in May, “BlueKeep,” a threat to Microsoft Windows XP, 7, Server 2003 and Server 2008, was announced. The malware involved transmits a worm via Microsoft’s Remote Desktop Protocol (RDP). Microsoft released a patch against the threat, but the odds of it breaching a network can be reduced simply by using stronger RDP passwords (yes, Mom was right). Although no exploits have been reported in the wild, there are reports of “scanning activity looking for vulnerable systems.”

6. Bluetooth Exploit Affects iOS and Microsoft Mobile Users

In July, researchers from Boston University announced that a vulnerability in the Bluetooth Low Energy (BLE) communication protocol could be used to track users’ locations. The vulnerability affected devices running Apple iOS and Microsoft Mobile, but not Android, because unlike the other systems, Android scans for nearby advertising rather than sending out advertising messages. Microsoft and Apple have since released patches for this and for another Bluetooth vulnerability announced later.

7. SWAPGS Attacks Intel CPUs

August found the cybersecurity world talking about potential SWAPGS attacks against Intel CPUs. The exploit makes use of “speculative execution,” in which CPUs guess the next command they will execute. Incorrect guesses, which may contain sensitive information such as passwords, are discarded. This exploit attempts to use a Spectre-like technique to retrieve that information. Intel modified its software silently before the vulnerability was announced.

8. More Bad Dragonblood

Also in August, Mathy Vanhoef and Eyal Ronen disclosed that attempts to fix the set of five WiFi security problems known as “Dragonblood” had actually introduced two more problems. The first involves compromising the “Dragonfly handshake” used to add users securely to public WiFi networks. The second makes it possible to guess passwords via “brute force.” Though theoretical, these vulnerabilities will almost certainly lead to modification of the current WPA3 WiFi security standard or the creation of a new one.

9. US Armed Forces Purchases Electronic Goods Despite Security Warnings

Lastly, in August, it was disclosed that in 2018 the US Armed Forces purchased electronic goods worth almost $33 million from vendors accused of being security risks. In the case of printers purchased by the Navy and computers purchased by the Army and Air Force, it was feared that the products could be used by the Chinese for espionage, and some of the items had been banned by other branches of the US Government. Additionally, the Army ignored concerns that digital cameras could be compromised by online attackers.

Towards a More Secure 2020

Looking back, it was a challenging year for network security. Since the hackers aren’t going away, this might be a good time to evaluate your security practices. Is your remediation process efficient? Are you setting the right KPIs, and are you meeting them? Are you able to effectively improve your risk posture? If not, maybe it’s time to reassess your process.
