Tag Archive for: fixed

Chrome just fixed a massive exploit, but you could still be at risk


If you haven’t updated Chrome in the past few days, it is highly recommended that you do. Google recently reported a critical zero-day vulnerability in the browser, which it has since fixed in Chrome version 117.0.5938.132. Chrome is not the only browser or piece of software affected by this flaw, though.

According to Ars Technica, the latest zero-day isn’t confined to Chrome. The bug is in libvpx, the open-source VP8/VP9 video codec library that is used across multiple platforms, including Chrome, Firefox, Skype, Adobe products, VLC, and Android, and the list of vendors that ship it goes on.

The vulnerability is in libvpx’s VP8 encoder, so vendors that use the library only to decode VP8 are not exposed to this particular bug. Both Chrome and Firefox have already been updated to resolve it. At the time of writing it is unclear when libvpx itself will ship a fixed release.

If you are using any programs that use libvpx, upgrade to the latest version to reduce your exposure to this critical zero-day. While details on in-the-wild use of the exploit are slim, security researchers have tweeted that the zero-day was used by at least one commercial surveillance vendor.

The vulnerability was reported on Monday, September 25, and Chrome patched it on Wednesday, just two days later. The security issue is tracked as CVE-2023-5217, not CVE-2023-4863, which is the separate libwebp image-decoding flaw Chrome patched earlier in September. It will probably take a few more days to see just how wide a scope this exploit affects. For the moment, ensure you have the latest versions of Firefox and Chrome before continuing to use them.

This isn’t the first time Chrome has suffered from a zero-day issue, and it won’t be the…

Source…

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws


Tech giants Apple, Microsoft, and Google each fixed major security flaws in April, many of which were already being used in real-world attacks. Other organizations issuing patches include Mozilla, maker of the privacy-focused Firefox browser, and enterprise software providers SolarWinds and Oracle.

Here’s everything you need to know about the patches released in April.

Apple

Hot on the heels of iOS 16.4, Apple has released the iOS 16.4.1 update to fix two vulnerabilities already being used in attacks. CVE-2023-28206 is an issue in IOSurfaceAccelerator that could allow an app to execute code with kernel privileges, Apple said on its support page.

CVE-2023-28205 is an issue in WebKit, the engine that powers the Safari browser, that could lead to arbitrary code execution. In both cases, the iPhone maker says, “Apple is aware of a report that this issue may have been actively exploited.”

The bug means visiting a booby-trapped website could give cybercriminals control over your browser—or any app that uses WebKit to render and display HTML content, says Paul Ducklin, a security researcher at cybersecurity firm Sophos.

The two flaws fixed in iOS 16.4.1 were reported by Google’s Threat Analysis Group and Amnesty International’s Security Lab. Taking this into account, Ducklin thinks the security holes could have been used for implanting spyware.

Apple also released iOS 15.7.5 for users of older iPhones to fix the same already exploited flaws. Meanwhile, the iPhone maker issued macOS Ventura 13.3.1, Safari 16.4.1, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6.

Microsoft

Apple wasn’t the only big tech firm issuing emergency patches in April. Microsoft also released an urgent fix as part of this month’s Patch Tuesday update. CVE-2023-28252 is an elevation-of-privilege bug in the Windows Common Log File System Driver. An attacker who successfully exploited the flaw could gain system privileges, Microsoft said in an advisory.

Another notable flaw, CVE-2023-21554, is a remote code execution vulnerability in Microsoft Message Queuing labeled as having a critical impact. To exploit the vulnerability, an attacker would need to send a malicious MSMQ packet to an MSMQ server, Microsoft said, which could result in…

Source…

Bug fixes this week | Vulnerabilities in Google, Microsoft, and Mozilla products fixed 


The Indian Computer Emergency Response Team (CERT-In) released multiple vulnerability notes throughout the week for security bugs detected in commonly used software. Among the affected software were Google’s Android and Chrome OS, Microsoft’s Edge, and Mozilla’s Thunderbird email application.

Google Android and Chrome OS

Multiple high-severity vulnerabilities were reported in Google’s Android OS that could be exploited by threat actors to obtain sensitive information, gain elevated privileges, and cause a denial of service on targeted systems.

The bugs, which stem from flaws in Android’s Framework, Media Framework, System components, Google Play system updates, and MediaTek, Qualcomm, and Unisoc components, could allow attackers to remotely bypass security restrictions and compromise affected devices.

In Chrome OS, multiple security bugs were detected that could be exploited by an attacker to cause a denial of service condition on targeted systems. They are caused by a heap buffer overflow in network services and a use-after-free in WebTransport.


A heap buffer overflow lets an attacker write past the end of a heap allocation, corrupting whatever the allocator placed next to it. Depending on what gets overwritten, that can crash the program (the denial of service CERT-In describes) or, in the worst case, let the attacker hijack its control flow.
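To make the mechanism concrete, here is an added example, written for this page and not code from CERT-In, Google, or any of the affected products. It shows the overflow beside its bounds-checked fix. The 16-byte name buffer, the admin byte kept right after it, the block layout and the payload are all constructed assumptions: the attacker-supplied string is copied into the heap buffer without a length check and the one extra byte lands on the privilege flag.

```c
/* Added example, not code from the page or from CERT-In: a heap buffer
 * overflow beside the bounds check that prevents it. To keep the demo
 * free of undefined behaviour, the "adjacent data" is the byte that
 * follows the name buffer inside the same malloc'd block; in real code
 * it would be a neighbouring heap object. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { NAME_LEN = 16 };
/* Assumed heap layout for the demo: NAME_LEN bytes of name, then one
 * byte of privilege state. */
enum { ADMIN_OFF = NAME_LEN, BLOCK_LEN = NAME_LEN + 1 };

/* Vulnerable: trusts the caller-supplied length. Any len > NAME_LEN
 * spills into whatever sits after the buffer. */
static void set_name_vulnerable(unsigned char *name, const unsigned char *src, size_t len)
{
    memcpy(name, src, len);
}

/* Hardened: rejects input that does not fit with its terminating NUL. */
static int set_name_checked(unsigned char *name, const unsigned char *src, size_t len)
{
    if (len >= NAME_LEN)
        return -1;
    memcpy(name, src, len);
    name[len] = '\0';
    return 0;
}

/* Constructed attacker input: NAME_LEN filler bytes plus one 0x01 that
 * lands exactly on the admin byte. */
static void build_payload(unsigned char *payload /* NAME_LEN + 1 bytes */)
{
    memset(payload, 'A', NAME_LEN);
    payload[NAME_LEN] = 0x01;
}

/* Returns the admin byte after the oversized copy through the
 * vulnerable path: 1 means the overflow flipped it. */
int admin_after_vulnerable_copy(void)
{
    unsigned char *block = calloc(1, BLOCK_LEN);
    if (!block)
        return -1;
    unsigned char payload[NAME_LEN + 1];
    build_payload(payload);
    set_name_vulnerable(block, payload, sizeof payload);
    int admin = block[ADMIN_OFF];
    free(block);
    return admin;
}

/* Same payload through the checked path. Returns 1 when the copy is
 * rejected and the admin byte is still 0, i.e. the hardened code held. */
int checked_copy_holds(void)
{
    unsigned char *block = calloc(1, BLOCK_LEN);
    if (!block)
        return 0;
    unsigned char payload[NAME_LEN + 1];
    build_payload(payload);
    int rc = set_name_checked(block, payload, sizeof payload);
    int held = (rc == -1 && block[ADMIN_OFF] == 0);
    free(block);
    return held;
}

int main(void)
{
    printf("vulnerable copy: admin=%d\n", admin_after_vulnerable_copy());
    printf("checked copy holds: %d\n", checked_copy_holds());
    return 0;
}
```

The vulnerable path writes 17 bytes into a 16-byte buffer and silently turns the admin flag on; the checked path refuses the same input before touching memory. Real overflows corrupt allocator metadata or neighbouring objects rather than a conveniently placed flag, which is why their outcome ranges from a crash to code execution.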

Security bugs in Android and Chrome OS were fixed with the release of updates from Google and users are advised to download and install them to ensure their security.

Microsoft Edge

A low-severity data manipulation vulnerability was detected in Microsoft Edge. The bug could allow remote threat actors to trigger a denial of service condition on affected systems.

The bug could be exploited by convincing users to open a maliciously crafted file, according to the vulnerability note shared by CERT-In.

Microsoft has released an update fixing the security bug and users should update their software to ensure security.

Mozilla Thunderbird

A high-severity security bug was reported in Mozilla’s Thunderbird email…

Source…

When will the Royal Mail cyber attack be fixed? What we know about how hack affects international deliveries


Royal Mail has confirmed that a cyber attack is to blame for ongoing disruption to postal services.

The attack is believed to have already left more than half a million letters and parcels stuck in limbo, according to reports last week.

The attack is suspected to have come from a Russian-linked ransomware gang called LockBit, though this has yet to be confirmed.

Here’s how the attack is affecting postal services, and when Royal Mail says it will be fixed.

How is the cyber attack affecting post?

Royal Mail is continuing to ask customers not to post items overseas while it investigates the cyber attack.

The company said it was experiencing “severe disruption” to its international export services and is temporarily unable to dispatch items abroad.

A Royal Mail distribution centre in Northern Ireland revealed its printers began “spurting” out copies of a ransom note on Tuesday, saying “your data are stolen and encrypted”.

In a statement issued on Monday, Royal Mail said: “To support faster recovery when our service is restored and to prevent a build-up of export items in our network, we’re asking customers not to post international items until further notice.”

“Items that have already been dispatched may be subject to delays.”

The company has been hit by disruption in recent months, with postal workers staging walkouts in a long-running dispute over jobs, pay, pensions and conditions.

It has caused havoc for businesses who rely on the delivery services, with major retailers such as Moonpig, Card Factory and Asos partially blaming the strikes for a drop in sales towards the end of 2022.

When will the cyber attack be fixed?

Simon Thompson, chief executive of Royal Mail, told a parliamentary select committee on Tuesday: “We’ve confirmed that we’ve had a cyber attack.”

He was unable to provide a date for when the issue will be resolved, telling MPs: “The team have been working on workarounds so that we can get the service up and running again.”

He added there would be “more news to share” soon.

Mr Thompson said he could not discuss any details of the attack, saying it would be “detrimental” to the ongoing investigation.


Source…