security vulnerabilities, it should be clear by now that words only count when they're swiftly followed by actions. Ask peripherals maker Logitech, which last week became the latest company to find itself on the receiving end of an embarrassing public flaw disclosure by Google's Project Zero team.

In September, Project Zero researcher Tavis Ormandy installed Logitech's Options application for Windows (available separately for Mac), which is used to customise buttons on the company's keyboards, mice and touchpads. Pretty quickly, he noticed some problems with the application's design, starting with the fact that it:

“opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all.”

WebSockets simplify communication between a client and a server and, unlike plain HTTP request/response, let the server push data to the client without being asked. The security-relevant point for a server listening on localhost is that a browser will happily open a WebSocket to it from any web page the user visits: the browser attaches an Origin header to the handshake, but enforcing that header is entirely the server's job, so a server that never looks at it is reachable from every site on the internet. The only “authentication” was no better:

“The only ‘authentication’ is that you have to provide a pid [process ID] of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds.”

Ormandy claimed this might give attackers a way of injecting keystrokes and so taking control of a Windows PC running the software. Within days of contacting Logitech, Ormandy says, he had a meeting with its engineers on 18 September to discuss the vulnerability, at which they assured him they understood the problem. A new version of Options appeared on 1 October without a fix, although in fairness to Logitech that was probably too soon for a patch for Ormandy's vulnerability to be included.
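The two weaknesses Ormandy describes above, a local WebSocket server that accepts any Origin and a "password" that is just a process ID, are easy to see in code. The following is an added example written for this page, not Logitech's or Project Zero's code: it models the vulnerable handshake and PID check as described, shows why the PID is brute-forceable, and puts the hardened versions (an Origin allowlist and a random token compared in constant time) beside them. The allowlisted origin, the set of user PIDs and the way the token reaches the legitimate client are constructed assumptions; only the port number comes from the report.

```python
"""Added example (illustrative, not Logitech's or Project Zero's code):
why a localhost WebSocket server needs an Origin check and a real secret
rather than a guessable PID. The origin allowlist, the PID set and the
token distribution are assumptions made for this page."""

import hmac
import secrets

LOCAL_PORT = 10134  # port named in the Project Zero report

# Hypothetical allowlist: the only web origin the vendor intends to talk to the server.
ALLOWED_ORIGINS = {"https://options.vendor.invalid"}


def accept_handshake_vulnerable(headers):
    """Behaviour as reported: any page that can speak WebSocket gets in."""
    return headers.get("Upgrade", "").lower() == "websocket"


def accept_handshake_hardened(headers, allowed_origins=ALLOWED_ORIGINS):
    """Reject the upgrade unless the browser-supplied Origin is allowlisted.
    Browsers always send Origin on a WebSocket handshake and page scripts
    cannot alter it, so this stops cross-site WebSocket hijacking from web
    pages. It does nothing against native code on the same machine, which
    can send any Origin it likes; that is what the token below is for."""
    if headers.get("Upgrade", "").lower() != "websocket":
        return False
    origin = headers.get("Origin")
    if origin is None:  # not a browser: Origin proves nothing, so fail closed
        return False
    return origin in allowed_origins


class PidAuthenticator:
    """The weak scheme: a request is 'authenticated' if it names any process
    ID owned by the current user. user_pids is a constructed sample."""

    def __init__(self, user_pids):
        self.user_pids = set(user_pids)

    def authenticate(self, pid):
        return pid in self.user_pids


def brute_force_pid(auth, max_pid=65536):
    """Enumerate PIDs until one is accepted. Windows PIDs are multiples of 4,
    so at most max_pid/4 attempts are needed, and nothing rate-limits us."""
    attempts = 0
    for guess in range(0, max_pid, 4):
        attempts += 1
        if auth.authenticate(guess):
            return guess, attempts
    return None, attempts


class TokenAuthenticator:
    """A stronger scheme: a 256-bit random token generated at startup and
    handed only to the legitimate client (assumed: via a file readable only
    by that user). Guessing it is infeasible; comparison is constant-time."""

    def __init__(self):
        self.token = secrets.token_hex(32)

    def authenticate(self, presented):
        return hmac.compare_digest(presented, self.token)


def demo():
    """Runs both checks against an attacker page, the vendor page and a
    constructed victim process list; returns the outcomes."""
    attacker_page = {"Upgrade": "websocket", "Origin": "https://evil.invalid"}
    vendor_page = {"Upgrade": "websocket", "Origin": "https://options.vendor.invalid"}
    user_pids = [4320, 8888, 10120]  # constructed: PIDs of the victim's processes
    pid, attempts = brute_force_pid(PidAuthenticator(user_pids))
    token_auth = TokenAuthenticator()
    return {
        "vulnerable_accepts_attacker": accept_handshake_vulnerable(attacker_page),
        "hardened_accepts_attacker": accept_handshake_hardened(attacker_page),
        "hardened_accepts_vendor": accept_handshake_hardened(vendor_page),
        "pid_found": pid,
        "pid_attempts": attempts,
        "token_guess_works": token_auth.authenticate("0" * 64),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The brute force finds the first of the constructed PIDs after about a thousand attempts, which is the "microseconds" Ormandy refers to; the Origin allowlist closes the browser-based route, and only the unguessable token closes the rest.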
As anyone who's followed Google's Project Zero will know, it operates a strict 90-day deadline for a company to fix vulnerabilities disclosed to it, after which they are made public. The advice published with the disclosure was blunt: “I would recommend disabling Logitech Options until an update is available.” Clearly, the disclosure got things moving: on 13 December, Logitech suddenly updated Options to version 7.00.564 (7.00.554 for Mac). The company also tweeted that the flaws had been fixed, which Ormandy confirmed the same day. Anyone still running an older build should update to at least those versions.

Logitech isn't the first to feel Project Zero's guillotine on its neck. Earlier in 2018, Microsoft ran into a similar issue over a vulnerability found by Project Zero in the Edge browser. Times have changed: vendors have to get from learning about a bug to releasing a fix much more rapidly than they used to.
I get an alert on my phone from a news feed about critical vulnerability patches being released by SAP. Before I discuss the details of the latest two SAP HANA vulnerabilities and their potential business impact, let me take a moment to reiterate that this is the most vulnerable period for any SAP customer with this critical flaw in their IT landscape. This period, which I call “Hackers Busy Cracking,” started this morning and will not end until affected customers across the globe apply the patch from SAP.

Onapsis Security Research Lab discovered these vulnerabilities but hasn't published technical details yet. We do know that the first vulnerability is in the user self-service functionality provided by SAP HANA and has been present since SPS09 of SAP HANA, which was released in 2014. As the name suggests, user self-service lets existing users perform maintenance and support activities on their own accounts and lets new users register accounts. For this functionality to be useful it must be reachable from wherever the user population is, on internal or external networks, which is exactly what makes it exposed. The second critical vulnerability is a session fixation flaw, which can allow an attacker to elevate privileges by impersonating another user in the system: in a session fixation attack the attacker gets a session identifier of their choosing into the victim's browser before login, and if the application keeps using that identifier after the victim authenticates, the attacker now holds an authenticated session as the victim. SAP HANA 2.0 SPS 00 is affected by this vulnerability.

User self-service is a good example of a double-edged technology. It cuts the cost of supporting a large user population and reduces the time taken to resolve user issues, so individuals spend more time as productive users.
However, any unattended mechanism that allows accounts to be modified without human intervention will always be an attractive target. According to the Onapsis report, a combination of these vulnerabilities can allow an attacker with remote access to the user self-service functionality to edit any account on the system, including reactivating previously deactivated accounts. The natural target would be the SYSTEM account present in every HANA deployment, and the potential business impact of an attacker holding that account is extraordinary.

I strongly urge all SAP HANA customers to check their HANA version levels (the running version is shown in the VERSION column of the SYS.M_DATABASE system view) and make immediate plans to prioritise these updates. SAP customers who have already deployed active threat protection (ATP) controls or third-party products are one step ahead of zero-day threats. For the rest, look to invest in active threat monitoring and detection, meaning a solution that understands SAP-specific threat vectors.
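The session fixation flaw mentioned above is easiest to understand with a minimal session store side by side with its fix. The following is an added, generic illustration written for this page, not SAP HANA's own session handling: the session ID issued before login either survives authentication (the vulnerable pattern) or is replaced at login (the fix), and the attack sequence shows who the attacker ends up as in each case. User names, passwords and the assumption that the attacker can plant the ID in the victim's browser are constructed.

```python
"""Added example for session fixation (generic illustration, not SAP's code):
a minimal session store in which the pre-login session ID either survives
authentication (vulnerable) or is rotated at login (fixed). Users, passwords
and the attack steps are constructed for this page."""

import secrets

USERS = {"alice": "correct-horse", "bob": "battery-staple"}  # constructed


def check_password(user, password):
    return USERS.get(user) == password


class SessionStore:
    """Maps session_id -> authenticated user (None while still anonymous)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def new_session(self):
        """Issues an anonymous session, as an application does on first visit."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user, password):
        """Returns the session ID the client should use after login, or None."""
        if sid not in self.sessions or not check_password(user, password):
            return None
        if self.rotate_on_login:
            # Fix: discard the pre-authentication ID so anyone who knew it
            # (an attacker who planted it) loses their handle on the session.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def fixation_attack(store):
    """Plays the classic sequence and reports who the attacker ends up as."""
    # 1. Attacker obtains a valid but anonymous session ID from the application.
    planted = store.new_session()
    # 2. Attacker plants it in the victim's browser (mechanism out of scope;
    #    a crafted link or cookie injection, assumed to succeed).
    # 3. Victim authenticates while holding the planted ID.
    victim_sid = store.login(planted, "alice", "correct-horse")
    # 4. Attacker presents the ID they chose all along.
    return {
        "victim_logged_in": store.whoami(victim_sid) == "alice",
        "attacker_is": store.whoami(planted),
    }


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(SessionStore(rotate_on_login=False)))
    print("fixed:     ", fixation_attack(SessionStore(rotate_on_login=True)))
```

With rotation off the attacker's planted ID becomes Alice's authenticated session; with rotation on the victim still logs in normally but the planted ID is dead. If the victim is an administrator, the first case is the privilege elevation the report warns about.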