May was the busiest month of the year so far for critical security vulnerabilities and patch announcements. Perhaps the most significant was a critical Microsoft security update for Windows, which fixes “BlueKeep” (CVE-2019-0708), a pre-authentication flaw in Remote Desktop Services. If exploited, it could allow malware to propagate rapidly across networked devices with no user interaction, much like the WannaCry ransomware attacks of 2017.
Such are the concerns at Microsoft that it has released BlueKeep patches even for unsupported versions of Windows (XP, Vista and Server 2003), a rare occurrence. Researchers from Errata Security claim to have found almost one million internet-connected systems that are still vulnerable to the BlueKeep bug.
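For readers who want to know whether their own hosts are exposed, the following is an added example (it is not from the original article, and it is not Microsoft's or Errata Security's tooling): a local check, run from an elevated Windows PowerShell prompt, that reports whether the host is in the affected Windows family (Windows 7 / Server 2008 R2 and older), whether Remote Desktop is enabled, and whether Network Level Authentication (NLA) is required. NLA is the mitigation Microsoft's advisory lists because it blocks the pre-authentication path BlueKeep abuses, alongside blocking TCP 3389 at the perimeter and, of course, applying the patch. The registry paths are the standard Terminal Server keys; the `-PatchKB` parameter is an assumption you fill in yourself, because the update's KB number differs per Windows build.

```powershell
# Added example: local BlueKeep exposure check for a Windows host.
# Not part of the original article. Run in an elevated Windows PowerShell prompt.
param(
    # Assumption: supply the KB number of the May 2019 security update for this
    # build if you want the patch check; leave empty to skip it.
    [string]$PatchKB = ""
)

# Get-WmiObject rather than Get-CimInstance so this also works on the
# PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version

# Affected family: NT 6.1 (Windows 7 / Server 2008 R2) and earlier.
# Windows 8 / Server 2012 and later (6.2+) are not affected by CVE-2019-0708.
$affectedOs = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
           -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyTs -eq 0)

# UserAuthentication = 1 means NLA is required: the client must authenticate
# before the vulnerable pre-auth RDP code paths are reachable.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# Optional patch check by KB id (only meaningful if you passed the right KB).
$patched = $null
if ($PatchKB) {
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
}

# "Exposed" is a conservative verdict: affected OS, RDP on, NLA off, and no
# evidence of the patch. A host that is exposed but firewalled from the internet
# is still a lateral-movement target, which is the WannaCry-style scenario.
[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    OSVersion    = "$($os.Caption) ($($os.Version))"
    AffectedOS   = $affectedOs
    RDPEnabled   = $rdpEnabled
    NLARequired  = $nlaRequired
    PatchPresent = $patched
    Exposed      = ($affectedOs -and $rdpEnabled -and (-not $nlaRequired) -and ($patched -ne $true))
}
```

Usage: save as `Check-BlueKeep.ps1` and run `.\Check-BlueKeep.ps1` (or `.\Check-BlueKeep.ps1 -PatchKB KB<number>` with the KB for your build). The output is a single object, so it can be collected from many hosts with `Invoke-Command` and piped to `Export-Csv`. Treat NLA as a stop-gap only: it narrows exposure to authenticated users, it does not fix the bug.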
There were also critical security vulnerabilities and patch releases for Adobe, Drupal, Cisco devices, WhatsApp and Intel processors.
Given WhatsApp’s popularity, it was no surprise that news of its vulnerability grabbed headlines around the world. The flaw, a buffer overflow in the encrypted messaging app’s VoIP stack affecting both the iPhone and Android versions, could be triggered simply by placing a voice call to the target; the call did not even need to be answered. The Israeli firm NSO Group coded a toolkit that exploited it and sold that toolkit to various government agencies. Dubbed Pegasus, the NSO toolkit granted access to the phone’s call logs and text messages, and could covertly enable the camera and microphone and record from them.
Interestingly, two breaches went largely unreported. The gift card website of UK pub chain Greene King was hacked, compromising the personal data of the site’s users. Telecoms provider TalkTalk had failed to inform at least 4,500 of its customers that their personal information had been stolen in the 2015 TalkTalk data breach; BBC consumer show Watchdog investigated and found the personal details of approximately 4,500 customers available online through a simple Google search.
To compound the misery, by the end of May the cost of Equifax’s breach recovery had surpassed $1 billion, following the loss of 148 million customer records in its 2017 security breach.