Please see Security Advisories for the week ending January 8, 2021
- Mozilla Releases Security Updates for Firefox, Firefox for Android, and Firefox ESR
- Google Releases Security Updates for Chrome
- CISA Updates Emergency Directive 21-01 Supplemental Guidance and Activity Alert on SolarWinds Orion Compromise
________________________________
Mozilla Releases Security Updates for Firefox, Firefox for Android, and Firefox ESR
Situation
Mozilla has found vulnerabilities and released security updates for Firefox, Firefox for Android, and Firefox ESR.
Problem
Mozilla has found and patched several bugs in its most recent version of Firefox that an attacker could exploit to take control of an unpatched system. In particular, a malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free vulnerability.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Mozilla advises updating to the latest versions: Firefox 84.0.2, Firefox for Android 84.1.3, and Firefox ESR 78.6.1.
For a brief overview:
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/
________________________________
Google Releases Security Updates for Chrome
Situation
Google has discovered and patched several vulnerabilities in its Chrome web browser software.
Problem
Google has identified several security vulnerabilities in its Chrome web browser software that an attacker could exploit to take control of affected systems.
Implication
Failure to patch systems could result in loss of control of affected systems and possible compromise of system and network integrity.
Need
Google has released Chrome version 87.0.4280.141 for Windows, Mac, and Linux. Please upgrade to the latest version to ensure that you are protected.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/01/07/google-releases-security-updates-chrome
For a more technical overview:
https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html
________________________________
CISA Updates Emergency Directive 21-01 Supplemental Guidance and Activity Alert on SolarWinds Orion Compromise
Situation
CISA has released a new guide on mitigating the SolarWinds Orion Code Compromise. Although the guide is mainly directed at Federal Civilian Executive Branch agencies, CISA advises all public and private sector organizations to review the v3 guidelines.
The three important points of the guidelines:
- Orgs running affected versions must conduct forensic analysis
- Orgs that accept the risk must comply with certain hardening requirements
- CIOs must submit two additional status reports to CISA using their given template
Problem
Organizations running affected versions of SolarWinds Orion (2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, 2020.2 HF1) must check whether they are permitted to continue using them and must perform the required hardening.
Implication
Not following CISA’s new guidelines may increase risk or expose your org to the SolarWinds attack.
Need
For a brief overview:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
For a more technical overview: