In today’s ever-evolving digital landscape, staying informed about cybersecurity threats is crucial, especially for nonprofits, which are the third most targeted industry in the world.
In this blog, we share three recent cyber security vulnerabilities you should be aware of, and instructions on how to protect yourselves from them.
Smartdesc are now offering charities a complimentary Microsoft Cloud Security Assessment, powered by Microsoft Tech for Social Impact. If you would like to take up this offer, register here.
1) Apple: two vulnerabilities affecting iPhone and iPad
Apple has recently released an emergency update to fix two actively exploited vulnerabilities on iPhones and iPads.
The first issue, tracked as CVE-2023-42824, is a critical severity vulnerability affecting iPhones and iPads running versions of the iOS software older than iOS 16.6. The second issue, tracked as CVE-2023-5217, would let a malicious person access videos on your device.
The affected versions include:
- iPhone XS and later
- iPad 6th generation and later
- iPad Air 3rd generation and later
- iPad mini 5th generation and later
- iPad Pro 12.9-inch 2nd generation and later
- iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later
ACTION: ensure your Apple devices are updated, either via your IT support or by going to Settings > General > Software Update yourself and applying the latest version.
For more information, please visit the Apple security advisory.
2) Citrix: vulnerabilities discovered in Citrix NetScaler ADC and NetScaler Gateway
Citrix, widely used for remote desktop style software, has identified several vulnerabilities in their NetScaler ADC and NetScaler Gateway products. These vulnerabilities could potentially expose your data or lead to service disruptions if exploited by malicious actors.
The affected versions are:
- NetScaler ADC and NetScaler Gateway 14.1 (before version 14.1-8.50)
- NetScaler ADC and NetScaler Gateway 13.1 (before version 13.1-49.15)
- NetScaler ADC and NetScaler Gateway 13.0 (before version 13.0-92.19)
- NetScaler ADC 13.1-FIPS (before version 13.1-37.164)
- NetScaler ADC 12.1-FIPS (before version 12.1-55.300)
- NetScaler ADC 12.1-NDcPP (before version 12.1-55.300)
ACTION: If you use Citrix, first check with your IT team which version your organisation runs; note that NetScaler ADC and NetScaler Gateway version 12.1 is now considered End-of-Life (EOL) and is also vulnerable.
The vulnerabilities could lead to two main problems:
- Sensitive Information Disclosure (CVE-2023-4966): If your appliance is configured as a Gateway (for VPN, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server, sensitive information could be exposed. This could be data that you want to keep private.
- Denial of Service (CVE-2023-4967): Again, if your appliance is configured as a Gateway or AAA virtual server, there’s a risk of service disruption. This means that the services you rely on could suddenly stop working.
Citrix strongly recommends that if you’re using an affected version, you update to the latest versions as soon as possible:
- For NetScaler ADC and NetScaler Gateway 14.1, update to version 14.1-8.50 or later.
- If you’re using version 13.1, update to version 13.1-49.15 or later.
- For version 13.0, update to version 13.0-92.19 or later.
- For NetScaler ADC 13.1-FIPS, update to version 13.1-37.164 or later.
- If you’re using NetScaler ADC 12.1-FIPS or 12.1-NDcPP, update to version 12.1-55.300 or later.
This simple update can significantly enhance your device’s security. If you require technical assistance with this issue, please contact Citrix Technical Support: https://www.citrix.com/support/open-a-support-case.
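Because the fixed build differs per branch and per FIPS/NDcPP variant, comparing version strings by eye is error-prone. The following Python check is an added example (not Citrix's or Smartdesc's code) that parses NetScaler version strings of the form major.minor-build.subbuild, compares them against the fixed builds listed above, and flags the EOL 12.1 branch; the function names and the sample inventory are this example's own.

```python
"""Classify NetScaler ADC / Gateway builds against the fixed builds in the
Citrix advisory (CVE-2023-4966 / CVE-2023-4967). Added example: the
thresholds are quoted from the post; `check_netscaler` is this example's name.
"""
import re

# Fixed builds from the advisory, keyed by (branch, variant).
FIXED_BUILDS = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}
# Branches the post flags as End-of-Life: vulnerable, with no fixed build to move to.
EOL_BRANCHES = {("12.1", "")}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '13.1-49.15' into a comparable tuple (13, 1, 49, 15)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def check_netscaler(version, variant=""):
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown-branch'.

    variant is '' for standard builds, or 'FIPS' / 'NDcPP' for the certified
    builds, which have their own fixed build numbers. Assumes later builds
    always carry numerically higher build.subbuild values.
    """
    parsed = parse_version(version)
    key = (f"{parsed[0]}.{parsed[1]}", variant)
    if key in EOL_BRANCHES:
        return "eol"
    if key not in FIXED_BUILDS:
        return "unknown-branch"
    return "fixed" if parsed >= parse_version(FIXED_BUILDS[key]) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, variant).
    for host, ver, var in [("gw-01", "13.1-48.47", ""), ("gw-fips", "13.1-37.150", "FIPS"),
                           ("gw-old", "12.1-55.200", "")]:
        print(f"{host:8} {ver:12} {var or 'standard':9} -> {check_netscaler(ver, var)}")
```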
3) Microsoft: October patches
Microsoft has released its latest round of patches for October. In this month’s updates, they address 105 vulnerabilities across different products, features, and services.
- Three zero-day vulnerabilities
- 13 of the 105 vulnerabilities are rated as Critical and 91 as Important
- Patches to address one vulnerability related to Microsoft Edge (Chromium-based)
- Fixes for several classes of flaw across multiple products, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.
ACTION: make sure all your computers are updated, either by asking your IT support to push these patches to all devices, or by going to Start > Settings > Windows Update yourself, clicking Check for Updates, then applying the updates and rebooting.
To read about the specific updates and patches in more detail, see the full write-up: Microsoft Patch Tuesday, October 2023 Security Update Review – Qualys ThreatPROTECT.
If you don’t have any automated Patch Management in place, please speak to us about how we can deploy a simple and cost-effective platform to take this headache away.
Free Microsoft Cloud Security Assessment for Nonprofits
Smartdesc partners with Microsoft’s Tech for Social Impact team to help charities and nonprofits move forward on their cloud security journeys.
We’re offering nonprofits a complimentary and detailed Cloud Security Assessment to help you quantify how securely your Azure and Microsoft 365 estate is configured in order to improve your digital security. Reserve your place here.
If you would like to arrange a 1 to 1 consultation with one of our Cyber Security specialists, click here, or to speak to one of our Information Governance and Data Protection specialists, click here.