Web & OS Applications Security

February 22, 2021 – WhatsApp users who do not accept its updated terms and conditions by the 15 May deadline will be unable to receive or send messages until they do so.

Their account will be listed as “inactive”. And inactive accounts can be deleted after 120 days. Source: BBC News

February 6, 2021 — Late last December we started getting a distress call from our forum patrons. Patrons were experiencing ads that were opening via their default browser out of nowhere. The odd part is none of them had recently installed any apps, and the apps they had installed came from the Google Play store. Then one patron, who goes by username Anon00, discovered that it was coming from a long-time installed app, Barcode Scanner. An app that has 10,000,000+ installs from Google Play! We quickly added the detection, and Google quickly removed the app from its store. Source: MalwarebytesLABS

December 8, 2020 — A security researcher has gone public with a chain of vulnerabilities in Microsoft Teams they claim could have allowed an attacker to plant malicious code into systems simply by tricking a target into viewing a maliciously crafted chat message.

Oskars Vegeris found and reported the cross-platform bugs to Microsoft at the end of August. The tech giant addressed the issue at the end of October through an automated update. Source: The Daily Swig

December 1, 2020 — The security team behind the “npm” repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects.

The names of the two packages were jdb.js and db-json.js, and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications. Source: ZDNet

November 24, 2020 – Web application attacks have increased by over 800%, according to the State of the Web Security for H1 2020 report.

Published by CDN and cloud security provider CDNetworks, the report found that during the first half of this year, web application attacks, which use malformed requests or injected payloads to steal data, modify data or obtain privileges illicitly, increased nine times relative to H1 2019.

CDNetworks saw and blocked over 4.2 billion web application attacks during H1 2020. Source: ITPro

November 23, 2020 — Facebook has fixed a critical flaw in the Facebook Messenger for Android messaging app. Natalie Silvanovich of Google’s Project Zero reported the bug to the Facebook bug bounty program. The bug could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. web browser). Source: Security Magazine

November 6, 2020 — Just days after Google disclosed an actively-exploited bug in Windows and discovered and squashed two zero-day bugs in its Chrome web browser, Apple has released patches of its own to fix three zero-day vulnerabilities under active attacks. The trio of flaws, affecting a broad range of Apple’s products, also happened to be unearthed by the bug-hunting crew of the Alphabet-owned company. Source: Welivesecurity

Source: Bleeping Computer

October 21, 2020 — Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today.

Google released Chrome version 86.0.4240.111 today to patch several high-severity security issues, including a zero-day vulnerability that has been exploited in the wild by attackers to hijack targeted computers. Source: The Hacker News

October 16, 2020 — Microsoft has published today two out-of-band security updates to address security issues in the Windows Codecs library and the Visual Studio Code application.

The two updates come as late arrivals after the company released its monthly batch of security updates earlier this week, on Tuesday, patching 87 vulnerabilities this month. Source: ZDNet

October 5, 2020 — The cloud was already a big topic before the pandemic started and pushed organizations to adopt the cloud more quickly than originally planned. But the pandemic has pushed many organizations to deploy and update applications sooner than expected to support the increased number of employees working from home. Source: Security Boulevard

September 25, 2020 — The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) recently issued a Risk Alert (the “Alert”) discussing cybersecurity observations from its examinations over time. The Alert did not state the time period of examinations included; however, OCIE has conducted several cybersecurity targeted exams over recent years. Source: Security Magazine

September 24, 2020 — Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said this morning.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” the company wrote in a series of tweets. Source: ZDNet

September 17, 2020 — Cyber attack confirmed – security gap in widespread software enabled access – recovery proceeds step by step.

Since last Thursday (September 10th) the IT system of the University Hospital Düsseldorf (UKD) has been largely disrupted. Therefore, the UKD is still deregistered from emergency care and patients with appointments should contact the treating department to coordinate. Source: UKD

August 19, 2020 – Kaspersky recently revealed details about an attack campaign, launched in May 2020, against a South Korean company.
Dubbed “Operation PowerFall,” the attack campaign involved exploitation of zero-day vulnerabilities in Windows and Internet Explorer. Source: CYWARE SOCIAL

July 22, 2020 – Roundcube is urging users to update their installations to resolve a security vulnerability that can be exploited to conduct stored, or persistent, cross-site scripting (XSS) attacks.

On July 21, an advisory was published concerning CVE-2020-15562, a vulnerability present in the Roundcube stable version 1.4 and LTS versions 1.3 and 1.2. Source: Port Swigger

July 14, 2020 – Analysis of the Alexa top 1000 websites has revealed a troubling lack of security controls required to prevent data theft and loss through client-side attacks. Source: Info Security Magazine