
Supply chain attacks and Zero-days

The year 2021 has seen several high-profile vulnerabilities actively exploited in major and
widely used software, including Microsoft Exchange and SolarWinds Orion.
Experience shows that in some cases it is too late to patch even after a few days.
Many organizations follow a guideline of patching within 30 days when the vendor rates the
update as important; the delay is meant to verify that the patch does not cause any
adverse effects. The need for a vigilant vulnerability management process that continuously
triages published vulnerabilities is becoming clear.

Some of the issues published lately are supply chain attacks, where an attacker manipulates
products or product delivery mechanisms before they reach the final consumer, and the exploitation
of previously unknown vulnerabilities (so-called zero-days). Defending against these attacks is in
some cases not possible, or at least demands such a high level of security that it is often difficult
to stay productive and profitable. In some cases it seems that the best an organization
can do is to avoid being the weakest link and the easiest target.

It is important to prepare for an attack and have a plan for incident response. Perform exercises.
Deploy a security framework in order to engage in continuous improvement of the security

Adobe Flash Zero Day Exploit

There is a vulnerability in Adobe Flash Player that means anyone running anything but the latest version of Flash risks being infected by malware when browsing a website. One of the most common ways to get infected these days is by drive-by methods, meaning that an ordinary website unknowingly starts serving malware through its advertising systems or simply because it has been compromised.

It doesn’t matter whether you run Mac OS X, Windows or Linux; Flash is universal, and everyone runs the risk if they do not keep up to date (the same as with Java).

I really wish I could say that this is an uncommon or ground-breaking attack vector, but unfortunately it’s the same as with Java: new exploits arrive every month, and those who do not keep up to date will get compromised. You can find multiple other entries by, for example, searching for “patch tuesday”.

For those who are unsure whether they are vulnerable to this, you can browse to this page to see the status of your plugins (it should work with all browsers) and update as necessary:

It could even be a good idea to set it as your start page so that your browser is verified each and every day.

As we mentioned in a previous newsletter ( ), you should really turn on “click-to-play” in your browser for Flash and other objects (or use NoScript or something similar, but that is for more technical people).

I personally recommend using Chrome as your browser, because it updates Flash automatically whenever there is a new release, without you having to do anything. So those running Chrome do not need to worry about this specific vulnerability.

You can check which version of Flash you’re running by going to this website:

It should say you’re running 12.0.44 if you’re running Mac/Windows, and if you are running Linux.

You can find more information here:

Zero-day Microsoft Internet Explorer

A new high-risk Internet Explorer zero-day exploit is currently active in the wild.

That means that anyone using Internet Explorer 7, 8 or 9 to browse the internet can get infected simply by visiting a web page containing the malicious code. The code then downloads an exploit pack to your computer and can give unauthorized people access to the infrastructure.

There is currently no patch or solution for the issue from Microsoft, so the only viable option is to switch to another browser. Thinking “I won’t click any links from unknown people” is unfortunately not enough, as it is becoming more and more common for attackers either to hack well-known sites and add the code, or to purchase banner space on well-known sites, which then launches the code without you noticing anything at all.

Two browsers you could use are:
Firefox: http://www.getfirefoxcom

For more information:

Update: Microsoft has since released an update. Run Windows Update to get the latest versions available.