Freely subscribe to our NEWSLETTER

In July, researchers found a total of 2403 vulnerabilities, of which 184 were given a CVSS score greater than 9. Additionally, 5 vulnerabilities were deemed as known exploits that were used in the wild. In comparison, last month researchers found 3109 vulnerabilities of which 287 were rated 9 or more.

From widely used development tools to major operating systems, these security flaws have the potential to compromise data, disrupt operations, and open doors for malicious actors across various industries. By understanding these risks, companies can prepare themselves better and implement necessary security measures to protect their data and systems.

"Each new vulnerability is a potential entry point for attackers. They present danger to businesses of all sizes. Hacks can lead to data breaches, financial loss, and severe reputational damage. In some cases, a single exploit could compromise an entire network, potentially bringing operations to a standstill," says Andrius Buinovskis, cybersecurity expert at NordLayer.

CocoaPods patches vulnerabilities to prevent supply chain attacks

CocoaPods, a platform in Apple’s ecosystem used to add and manage external libraries (pods), has patched three severe vulnerabilities. It exposed countless iOS and macOS applications to potential supply chain attacks. The most critical flaw, CVE-2024-38366, received a maximum CVSS score of 10, allowing remote code execution.

Two other vulnerabilities, related to unclaimed pods and session verification, were rated 9.3 and 8.2 respectively. These security gaps, present in the platform for years, affected popular apps across various categories, including social media, transportation, and hospitality. CocoaPods has implemented fixes and reset all user sessions since October 2023.

Microsoft releases patches for 143 security flaws

Microsoft’s July patch release tackled 143 issues across its products. Among these, five were classified as critical, with two actively exploited vulnerabilities drawing particular attention: CVE-2024-38080, a Windows Hyper-V Elevation of Privilege flaw (CVSS 7.8), and CVE-2024-38112, a Windows MSHTML Platform Spoofing vulnerability (CVSS 7.5).

The latter vulnerability involves attackers using malicious Windows Internet Shortcut files (.URL) to redirect victims to harmful websites via the retired Internet Explorer browser. Microsoft notes that successful exploitation requires user interaction, which requires additional caution from employees when handling suspicious files.

High-severity Cisco bug grants attackers password access

Cisco has addressed a security flaw, CVE-2024-20419, affecting its SSM On-Prem and SSM Satellite products. This maximum-severity vulnerability, carrying a CVSS score of 10, allows attackers to change any user or admin password without requiring privileges or user interaction.

According to Cisco, exploitation involves sending crafted HTTP requests to affected devices, potentially granting attackers access to the web UI or API with compromised user privileges. Given the absence of workarounds and the vulnerability’s low attack complexity, Cisco strongly urges users to apply the available patches immediately to mitigate this significant security risk.

CrowdStrike update failure exposes Windows systems to potential attacks

A recent update failure in CrowdStrike’s Falcon Sensor created an unexpected vulnerability window for Windows systems worldwide. On Friday, the attempted update resulted in an endless cycle booting and the infamous "blue screen of death," causing global crashes of Windows systems.

While not a traditional software vulnerability, this incident potentially lowered defenses on affected Windows systems. CrowdStrike has since isolated the issue and implemented fixes, including publishing a self-remediation video for remote users still experiencing problems.

Cybersecurity expert offers advice about how to defend against vulnerabilities

Buinovskis explains that regular device and software updates are a business’ first line of defense. Setting up automatic updates wherever possible and establishing a routine for manually updating systems that can’t be automated can significantly lower the risks of being vulnerable.

"Businesses should consider implementing a zero-trust security model to minimize potential damage from successful attacks," he says. "Staying informed about emerging threats and always adapting security strategies is key to reducing risk exposure."

Lastly, Buinovskis emphasizes employee awareness. He recommends security training for all staff, focusing on recognizing phishing attempts, and proper handling of sensitive data. A security-conscious workforce significantly enhances your overall defense against cyber threats.