Patching still lagging
A recent report from Bitdefender states that 64% of all unpatched vulnerabilities reported in the first 6 months of 2020 date from between 2002 and 2018, which means those organisations are potentially open to cyber attack via longstanding flaws.
The NCSC knows that patching is often hard to do in practice: it is time-consuming, repetitive and unrewarding. It is, however, the single most important thing you can do to secure your technology.
We have guidance on how to assess and prioritise your vulnerabilities to mitigate against potential cyber attack and the Secure design principles cover how to ensure that networks and technologies are designed and built securely.
Zero-day vulnerability warning from Google
Users of Android devices are being encouraged to update their Chrome for Android browser, as Google revealed that attackers have been exploiting a zero-day vulnerability. Zero-day refers to recently discovered vulnerabilities (or bugs), not yet known to vendors or antivirus companies, that attackers can exploit.
The updated Chrome for Android was released earlier this week, and it fixes an issue that allowed attackers to bypass and escape the Chrome security sandbox and run code on the underlying OS.
Affected users should follow vendor best practice advice in the mitigation of vulnerabilities. In this case, the most important aspect is to install the latest version as soon as practicable. The NCSC has published guidance for staying safe online, and encourages users to ensure auto-updates are turned on, and that they are using the most up-to-date version of the application.
Oracle WebLogic Server remote code execution vulnerabilities (CVE-2020-14750 & CVE-2020-14882)
The NCSC is aware of remote code execution vulnerabilities (CVE-2020-14750 and CVE-2020-14882) affecting Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. In this case, the most important aspect is to install the latest updates as soon as practicable. The October 2020 Oracle Critical Patch Update Advisory fixes a number of security vulnerabilities, including CVE-2020-14882.