date 2019-07-14
Security: Bugfixes, Short-Sighted Outsourcing, and SolarWinds
Microsoft Delivers Fixes for 83 Vulnerabilities in January Security Patch Bundle
Microsoft released its January security patch bundle on Tuesday, delivering fixes for 83 common vulnerabilities and exposures (CVEs).
Of that number, 10 CVEs were described as "Critical" by security researchers, while 73 are deemed "Important." One vulnerability (CVE-2021-1647) is known to have been exploited (Microsoft's first "zero day" of the new year), while another (CVE-2021-1648) was described as being publicly known before Tuesday's patch release. A list describing all of the January patches can be found in this Trend Micro Zero Day Initiative post by Justin Childs.
Security updates for Wednesday
Security updates have been issued by Debian (coturn, imagemagick, and spice-vdagent), Fedora (roundcubemail and sympa), Gentoo (asterisk and virtualbox), Oracle (kernel and kernel-container), Red Hat (dotnet3.1, dotnet5.0, and thunderbird), SUSE (crmsh, firefox, hawk2, ImageMagick, kernel, libzypp, zypper, nodejs10, nodejs14, openstack-dashboard, release-notes-suse-openstack-cloud, and tcmu-runner), and Ubuntu (coturn).
Alan Pope: null [Ed: Canonical has outsourced its control to Microsoft already. Outsourcing GNU/Linux to Microsoft is a big no-no but part of Microsoft's plan.]
The Snap Store has a delightful open source web frontend, the source code for which is on GitHub.
David A. Wheeler: Preventing Supply Chain Attacks like SolarWinds
In late 2020, it was revealed that the SolarWinds Orion software, which is in use by numerous US Government agencies and many private organizations, was severely compromised. This was an incredibly dangerous set of supply chain compromises that the information technology community (including the Open Source community) needs to learn from and take action on.
The US Cybersecurity and Infrastructure Security Agency (CISA) released an alert noting that the SolarWinds Orion software included malicious functionality in March 2020, but it was not detected until December 2020. CISA’s Emergency Directive 21-01 stated that it was being exploited, had a high potential of compromise, and a grave impact on entire organizations when compromised. Indeed, because Orion deployments typically control networks of whole organizations, this is a grave problem. The more people look, the worse it gets. As I write this, it appears that second and third pieces of malware have been identified in Orion.
