//Week in review - 30 Jul 2021

AusCERT Week in Review for 30th July 2021


Thank you to those who were able to join us for our delayed NAIDOC event with team Baidam Solutions earlier this week. We are extremely grateful that in Brisbane we were able to meet and celebrate together (while of course following strict COVID guidelines).

Of note this week, Apple released security updates for macOS, iOS and iPadOS to address CVE-2021-30807, a vulnerability in which an application may be able to execute arbitrary code with kernel privileges. Be sure to catch up on this alert via the highlighted AusCERT Security Bulletin details below.

Until next week everyone, have a great weekend.

Apple releases fix for iOS and macOS zero-day, 13th this year
Date: 2021-07-26
Author: The Record by Recorded Future

[See ASB-2021.0165.]
Apple has released patches today for iOS, iPadOS, and macOS to address a zero-day vulnerability that the company says has been exploited in the wild.
Tracked as CVE-2021-30807, Apple said the zero-day impacts IOMobileFramebuffer, a kernel extension that allows developers to control how a device’s memory handles the screen display—the screen framebuffer, to be more exact.
According to Apple, an application may exploit CVE-2021-30807 to execute arbitrary code with kernel privileges on a vulnerable and unpatched device.

More than half of all Aussies continue to encounter forms of cyber scams in 2021
Date: 2021-07-23
Author: ZDNET

Within the Asia Pacific, Australians are the second most likely to fall victim to a tech support cyber scam, according to new findings from Microsoft. India leads the region, with 69% of respondents reporting that they had encountered a tech support scam.
The 2021 Global Tech Scam Research report showed that in the past 12 months, 68% of Australians encountered some form of tech support scam. While that is a two-point decrease from 2018, it is still higher than the global average of 59%, which itself fell five points from 2018.

Google announces new bug bounty platform
Date: 2021-07-27
Author: ZDNet

Google has announced a new bug bounty platform as it celebrated the 10-year anniversary of its Vulnerability Rewards Program. Over that decade the program has seen a total of 11,055 bugs found, 2,022 researchers rewarded and nearly $30 million paid out in rewards.

A Controversial Tool Calls Out Thousands of Hackable Websites
Date: 2021-07-27
Author: WIRED

The web has long been a playground for hackers, offering up hundreds of millions of public-facing servers to comb through for basic vulnerabilities to exploit. Now one hacker tool is about to take that practice to its logical, extreme conclusion: Scanning every website in the world to find and then publicly release their exploitable flaws, all at the same time—and all in the name of making the web more secure.

ASB-2021.0165 – Apple IOMobileFrameBuffer vulnerability

Apple released security updates for macOS, iOS and iPadOS to address CVE-2021-30807, an arbitrary code execution vulnerability

ESB-2021.2561 – Security update for qemu

SUSE has released a security update for qemu addressing multiple vulnerabilities

ESB-2021.2548 – Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3)

SUSE security update for the Linux kernel, multiple vulnerabilities

ESB-2021.2531 – USN-5022-1: MySQL vulnerabilities

Multiple MySQL vulnerabilities addressed by the security fixes and bug patches released in USN-5022-1

Stay safe, stay patched and have a good weekend!

The AusCERT team