5 Companies That Had A Rough Week

For the week ending Jan. 24, CRN looks at IT companies that were unfortunate, unsuccessful or just didn't make good decisions.

ARTICLE TITLE HERE

The Week Ending Jan. 24

Topping this week's roundup of those having a rough week is ConnectWise, which scrambled to fix critical vulnerabilities in its Control software.

Also making the list are SolarWindMSP, which dealt with its own vulnerability issue this week, and Microsoft, for having to deal with the fallout from a security error that exposed millions of customer service and support records. Frontier Communications made the list for reportedly facing the prospect of a bankruptcy filing while Citrix had to develop patches to fix a bug in several key software products.

id
unit-1659132512259
type
Sponsored post

Not everyone in the IT industry was having a rough go of it this week. For a rundown of companies that made smart decisions, executed savvy strategic moves – or just had good luck – check out this week's Five Companies That Came To Win roundup.

ConnectWise Control MSP Security Vulnerabilities Were “Severe”

Remote control software developer ConnectWise scrambled this week to respond to a report that the company’s ConnectWise Control software contained eight security vulnerabilities that could give cyber-criminals the ability to hijack an MSP’s systems and MSP customer devices.

The discovery of the vulnerabilities by security consultant Bishop Fox were reported by CRN on Wednesday, the day Bishop Fox published an advisory about the bugs. Chaining the vulnerabilities, some of them deemed critical, could allow an attacker to execute arbitrary code on a ConnectWise Control server and gain control of any client machines connected to a Control instance, according to the security researcher.

ConnectWise told CRN that company engineers had patched six of the flaws identified by Bishop Fox, despite difficulty in reproducing them. The company said it was working to resolve a seventh flaw, which it deemed lower risk, and was taking the stance that the final item did not pose a credible threat. Both the company and Bishop Fox said there was no evidence the vulnerabilities were being exploited.

MSPs say the vulnerabilities disclosed this week illustrate the growing problem of security flaws in the remote monitoring and management (RMM) tools they rely on.

SolarWinds RMM Tool Has Open Zero-Day Exploit

Developers at SolarWinds MSP, meanwhile, scrambled this week to develop a fix for a zero-day vulnerability in the company’s n-Central remote monitoring and management tool. Researchers at Huntress Labs said the bug allowed them to steal the administrative credentials of an account holder.

SolarWinds MSP issued a hot fix for the vulnerability on Friday, along with mitigation tools in the event the fix can’t be applied. Although the “Dumpster Diver” flaw was first reported on Oct. 10, it remained open into early Jan. 24, according to Huntress Labs.

SolarWinds MSP said there have been no known exploits of the vulnerability and it began developing a patch as soon as a proof of concept was disclosed this week.

Microsoft Says Security Error Exposed Customer Support Data

Microsoft this week was dealing with the fallout of a security failure in December in which a reported 250 million customer service and support records were exposed for much of the month.

The database exposure was discovered by security researcher Bob Diachenko, who reported it to Microsoft on Dec. 29. It’s believed the records were left unprotected between Dec. 5 and Dec. 31 when the problem was remediated by Microsoft engineers.

Microsoft is blaming the error on misconfigured security rules when a change was made to the network security group for the customer support database. The internal database was used for support case analytics.

Diachenko has said that 250 million records were exposed, although Microsoft has not confirmed that number. Microsoft said its investigation has found no malicious use of the data.

Both Microsoft and the security researcher said that personally identifiable data, including email aliases and payment information, had been redacted from most of the records. But Diachenko said some records still contained plain text data including customer email addresses and descriptions of service and support claims and cases.

Frontier Communications Reportedly Mulling A Spring Bankruptcy Filing

Struggling telecom provider Frontier Communications has reportedly informed creditors of its plans to file for bankruptcy in March 2020, according to a Bloomberg report. The carrier is also reportedly considering a company-wide restructuring more than a month after president and CEO Dan McCarthy stepped down from his post.

Frontier, which provides telecom services in 29 states, reportedly met with creditors and advisers last week to negotiate an agreement before $356 million of debt payments come due March 15.

“Frontier’s business and operations are solid and serving our customers remains our top priority. As we have said publicly, Frontier is evaluating its capital structure with an eye to reducing debt so as to be able to better serve our customers,” the company said in a statement provided to CRN.

“Our customers should expect no changes as we remain focused on providing connectivity services without interruption to our residential customers, institutions and businesses. We are proud to continue to offer well-paying jobs and benefits that contribute to the economic health of the communities we serve.”

In May Frontier said it would sell its assets and operations in Washington, Oregon, Idaho and Montana for $1.35 billion. The company has posted weak earnings for the past four years, which the carrier has attributed to “cord-cutting” activity among its consumer customers.

Citrix Rolls Out Patches For Critical Vulnerabilities in ADC, Gateway Products

It was a busy week on the bug-fix front for Citrix Systems, which issued security updates to fix a critical flaw in its Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP software.

Citrix is just issuing the patches for the bug, described as a directory traversal security flaw, despite first disclosing the vulnerabilities back in December, according to reports on the Forbes and Threatpost websites. The company announced a number of mitigations at the time while it worked on a permanent fix, originally due at the end of January.

But there are reports the vulnerability is already being exploited by cyberattackers, apparently spurring Citrix to accelerate its patch development timetable. The flaw allows an unauthenticated hacker to perform arbitrary code execution.