The Threat Show

The Threat Show Ep. 3 w/ Peter Schawacker

Welcome to The Threat Show powered by Fletch. This week we break down major threats you need to know about if you’re using Apple devices, SQLite, or Microsoft Azure. Host Robert Wagner interviews Peter Schawacker, a cybersecurity veteran of a quarter century, about the changing role of the CISO and where things are headed.

Stranger Strings: An exploitable flaw in SQLite! (2:01)

A newly discovered vulnerability in SQLite (a commonly used database that is packaged tightly inside applications) has been around for 22 years. At best it leads to denial of service; at worst it triggers remote code execution.

Mitigation: Update all your apps that use SQLite. If you’re running critical apps and are afraid to patch, this might be a tricky process, but you don’t want to expose yourself to this vulnerability.

CVEs: CVE-2022-35737

Apple fixes new zero-day used in attacks against iPhones, iPads (2:40)

Apple released iOS 16.1, which includes a fix for a new zero-day vulnerability. There is no evidence that this vulnerability has been used to compromise systems in the wild, but now that the word is out, threat groups might be motivated to attempt to exploit it.

Mitigation: The patch is available but won’t be applied automatically; you have to kick off the update process manually. In the future this will be less of an issue, as iOS 16.1 has a security rapid release mechanism that deploys patches quickly to devices connected to the internet.

CVEs: CVE-2022-32917, CVE-2022-32894, CVE-2022-32893, CVE-2022-22674, CVE-2022-22675, CVE-2022-22587, CVE-2022-22594, CVE-2022-42827

Microsoft Azure SFX bug let hackers hijack Service Fabric clusters (11:40)

Microsoft Azure’s Service Fabric Explorer version 1 (SFXv1) has a recently discovered flaw that is hard to detect and can allow attackers to gain full administrative rights to all the resources controlled by this component. Microsoft has deprecated v1 and told users to switch to v2, but if you didn’t hear about that change you could be vulnerable to this and future attacks.

Mitigation: There is a patch for v1, but Microsoft won’t be proactively auditing the v1 code. If you’re on version 1, go to version 2. If you’re dependent on v1, you might have to wait until Microsoft forces the update.

CVEs: CVE-2022-35829