vulnerability

#hacking | XSS vulnerability in CKEditor prompts need for Drupal update

Source: National Cyber Security – Produced By Gregory Evans


John Leyden

20 March 2020 at 14:20 UTC

Updated: 20 March 2020 at 14:29 UTC

Text editor flaw spawns CVE

A vulnerability in a third-party library component has had a knock-on effect on software packages that rely on it, including the Drupal content management system.

The issue involves a cross-site scripting (XSS) bug in CKEditor, a rich text editor that comes bundled with various online applications.

An attacker might be able to exploit the XSS vulnerability to target users with access to CKEditor. This potentially includes site admins with privileged access.

Exploitation is far from straightforward and would involve tricking potential victims into copying maliciously crafted HTML code before pasting it into CKEditor in ‘WYSIWYG’ mode.

“Although this is an unlikely scenario, we recommend upgrading to the latest editor version,” developers of CKEditor explain in an advisory, issued earlier this month.

CKEditor 4.14 fixes this XSS vulnerability in the HTML data processor, discovered by Michał Bentkowski of Securitum, and also brings feature improvements and a fix for an unrelated XSS vulnerability in the third-party WebSpellChecker Dialog plugin.

An advisory from Drupal, issued on Wednesday, instructs users to update to a version of the CMS that includes the updated version of CKEditor in order to mitigate the vulnerability.

In practice, this means upgrading to either Drupal 8.8.4 or Drupal 8.7.12.

The security flaw is described as “moderately critical” by Drupal, even though attackers would need to be able to create or edit content in order to attempt exploitation.


Source link

The post #hacking | XSS vulnerability in CKEditor prompts need for Drupal update appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | WhiteHat Provides Free Vulnerability Discovery Services to Gov’t Agencies

As part of an effort to help chronically underfunded government agencies combat state-sponsored cyberattacks, WhiteHat Security, a unit of NTT, has decided to offer free of charge two services it provides for discovering vulnerabilities before and after application code is deployed to federal, state and municipal agencies in North America.

Company CEO Craig Hinkley said the decision to make WhiteHat Sentinel Dynamic and Sentinel Source Essentials Edition available for free to government agencies is motivated by civic duty. A native of Australia, Hinkley moved to the U.S. 23 years ago and last year became a U.S. citizen. State-sponsored attacks against election systems are nothing less than an attack on democracy, he said.

According to data compiled by the Center for Strategic & International Studies, state-sponsored cyberattacks against applications and websites are of increasing concern; recent examples include the theft of login credentials from government agencies in 22 countries across Asia, Europe and North America, and a hacking campaign that knocked more than 2,000 websites offline in Georgia.

At the same time, North Dakota officials this week disclosed cyberattacks aimed at the state government nearly tripled last year. Shawn Riley, North Dakota’s chief information officer and head of the Information Technology department, disclosed there were more than 15 million cyberattacks against the state’s government per month in 2019, a 300% increase year over year.

The Texas Department of Information Resources revealed it has seen as many as 10,000 attempted attacks per minute from Iran over a 48-hour period on state agency networks, while the U.S. Coast Guard (USCG) issued a security bulletin after revealing that one of its bases had been knocked offline last month by a Ryuk ransomware attack. Even small school districts are being affected: Richmond, Michigan, a small city near Detroit, recently announced that students would be enjoying a few extra days of holiday break this year while its school system recovered from a ransomware attack.

A recent report published by Emsisoft, a provider of endpoint security software, estimates that attacks against roughly 966 government agencies, educational institutions and healthcare providers created costs in excess of $7.5 billion.

Clearly, a lot of focus on cybersecurity attacks is on state and local governments that are responsible for ensuring the integrity of elections. Just this week, a bipartisan bill was proposed calling for the director of the Cybersecurity and Infrastructure Security Agency to appoint a cybersecurity state coordinator in each U.S. state.

Hinkley said it’s apparent government agencies don’t have the resources required to thwart attacks being launched by states themselves or rogue organized groups acting to advance their interests. By making available cybersecurity vulnerability assessment services for free, WhiteHat Security is moving to help agencies identify vulnerabilities in websites and applications that could be easily exploited, he said.

Making that capability available as a service should make it easier for both application developers and cybersecurity teams to scan for vulnerabilities before and after an application is deployed. It may even help foster the adoption of best DevSecOps practices within government agencies, Hinkley noted.

State-sponsored cybersecurity attacks have become a global issue. Concerns about such attacks have risen sharply as tensions in the Middle East continue to rise. The challenge now is how best to thwart those attacks before they are launched by eliminating as many existing vulnerabilities as possible.


#cybersecurity | #hackerspace | NSA: Microsoft Releases Patch to Fix Latest Windows 10 Vulnerability

NSA discloses a Windows security flaw that leaves more than 900 million devices vulnerable to spoofed digital certificates

The National Security Agency (NSA) isn’t exactly known for wanting to share information about vulnerabilities they discover. In fact, they kept the Microsoft bug known as EternalBlue a secret for at least five years to exploit it as part of their digital espionage. (At least, you know, until it was eventually discovered and released by hackers.)

But maybe they’ve had a change of heart. (If you truly believe that, I have a bridge to sell you.)

The NSA, in an uncharacteristic show of transparency, recently announced a major public key infrastructure (PKI) security issue that exists in Microsoft Windows operating systems that’s left more than 900 million PCs and servers worldwide vulnerable to spoofing cyberattacks. This vulnerability is one of many vulnerabilities Microsoft released as part of their January 2020 security updates. Maybe they didn’t want a repeat of the last incident. Whatever the reason, we’re just glad they decided to disclose the potential exploit.

The risk of this vulnerability boils down to a weakness in the application programming interface of Microsoft’s widely used operating systems. But what exactly is this Windows 10 vulnerability? How does it affect your organization? And what can you do to fix it?

Let’s hash it out.

What’s the Situation with This Windows 10 Vulnerability?

Windows 10 has been having a rough go of things these past several months in terms of vulnerabilities. In the latest Windows 10 vulnerability news, the NSA discovered a vulnerability (CVE-2020-0601) that affects the cryptographic functionality of 32- and 64-bit Windows 10 operating systems and specific versions of Windows Server. Basically, the vulnerability exists within the Windows 10 cryptographic application programming interface — what’s also known as CryptoAPI (or what you may know as the good ol’ Crypt32.dll module) — and affects how it validates elliptic curve cryptography (ECC) certificates.

What it does, in a nutshell, is allow users to create websites and software that masquerade as the “real deals” through the use of spoofed digital certificates. A great example of how it works was created by a security researcher, Saleem Rashid, who tweeted images of NSA.com and Github.com getting “Rickrolled.” Essentially, what he did was cause both the Edge and Chrome browsers to spoof the HTTPS verified websites.

Although humorous, Rashid’s simulated attacks are a great demonstration of how serious the security flaw is. By spoofing a digital certificate to exploit the security flaw in CryptoAPI, it means that anyone can pretend to be anyone — even official authorities.

CryptoAPI is a critical component of Microsoft Windows operating systems. It’s what allows developers to secure their software applications through cryptographic solutions. It’s also what validates the legitimacy of software and secure website connections through the use of X.509 digital certificates (SSL/TLS certificates, code signing certificates, email signing certificates, etc.). So, basically, the vulnerability is a bug in the OS’s mechanism for determining whether software applications and emails are secure, and whether secure website connections are legitimate.

So, what the vulnerability does is allow actors to bypass the trust store by using malicious software that is signed with forged/spoofed ECC certificates (doing so makes it look like it was signed by a trusted organization). This means that users would unknowingly download malicious or compromised software because the digital signature would appear to be from a legitimate source.

This vulnerability can cause other issues as well, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):

“This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”

Does This Mean ECC Is Not Secure?

No. This flaw in no way, shape, or form affects the integrity of ECC certificates. It does, however, cast a negative light on Windows’ cryptographic application programming interface by shining a spotlight on the shortcomings of its validation process.

Let me reiterate: this is a flaw in Windows CryptoAPI and does not affect the integrity of the ECC certificates themselves. If you’re one of the few using ECC certificates (you know, since RSA is still more commonly used than ECC), this doesn’t impact the security of your certificates.

The patch from Microsoft addresses the vulnerability to ensure that Windows CryptoAPI fully validates ECC certificates.

What This Windows 10 Vulnerability Means for Your Organization

Basically, this cryptographic validation security flaw impacts both the SSL/TLS communication stream encryption and Windows Authenticode file validation. Malicious actors who decide to exploit the CryptoAPI vulnerability could use it to:

  • defeat trusted network connections to carry out man-in-the-middle (MitM) attacks and compromise confidential information;
  • deliver malicious executable code;
  • cause browsers that rely on CryptoAPI to accept, without any warning, maliciously crafted certificates issued for a hostname that did not authorize them; and
  • appear as legitimate and trusted entities (through spoofing) to get users to engage with and download malicious content via email and phishing websites.

The NSA press release states:

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Steps to Take to Mitigate This Bug

Wondering what you should do to mitigate the threat on your network and devices? The NSA has a few recommendations:

Get to Patchin’ ASAP

The NSA recommends installing a newly-released patch from Microsoft for Windows 10 operating systems and Windows Server (versions 2016 and 2019) as soon as possible on all endpoints and systems. Like, right now. Get to it! As a best practice, you also can turn on automatic updates to ensure that you don’t miss key updates in the future.

According to Microsoft’s Security Update Guide:

“After the applicable Windows update is applied, the system will generate Event ID 1 in the Event Viewer after each reboot under Windows Logs/Application when an attempt to exploit a known vulnerability ([CVE-2020-0601] cert validation) is detected.”

Here at The SSL Store, we’ve already rolled out the patch to ensure that all of our servers and endpoint devices are protected. (Thanks, Ross!) Rolling out these kinds of updates is something you don’t want to wait around to do because it leaves your operating systems — and everything else as a result — vulnerable to spoofing and phishing attacks using spoofed digital certificates.
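As an added example (not part of the original post and not Microsoft’s own code), here is a PowerShell query that pulls the Event ID 1 entries described above from the Application log of one or more hosts, so a defender can confirm the patch is doing its job and spot exploitation attempts that patched systems have already blocked. It assumes the events are written by the provider Microsoft-Windows-Audit-CVE, which the post does not name, and the host list is a constructed placeholder.

```powershell
# Added example, not from the original post. Queries the Application log for the
# CVE-2020-0601 exploitation-attempt events that patched Windows systems emit.
# Assumption: the events come from provider 'Microsoft-Windows-Audit-CVE';
# the post only names the log (Windows Logs/Application) and the Event ID (1).

function Get-Cve20200601Attempts {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-7)
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'   # assumed provider name
        Id           = 1
        StartTime    = $Since
    }

    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, MachineName, Id, Message
    }
    catch {
        # Get-WinEvent throws when nothing matches; an empty result is the clean outcome.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
}

# Constructed placeholder host list; replace with your own inventory source.
$hosts = @('web01.example.internal', 'web02.example.internal', $env:COMPUTERNAME)

$findings = foreach ($h in $hosts) {
    try {
        Get-Cve20200601Attempts -ComputerName $h
    }
    catch {
        # Unreachable or unpatched hosts deserve attention too: only patched systems
        # write this event, so a query failure is not evidence of safety.
        Write-Warning "Could not query $h : $($_.Exception.Message)"
    }
}

if ($findings) {
    # Any hit means a forged-certificate attempt reached a patched host; triage it.
    $findings | Format-Table TimeCreated, MachineName, Message -AutoSize
}
else {
    Write-Host "No CVE-2020-0601 exploitation attempts logged on the queried hosts."
}
```

The absence of Event ID 1 only means something on a patched host: an unpatched system never writes it, so pair this query with your patch-compliance report rather than treating an empty result as an all-clear.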

Prioritize Your Patching Initiatives

But what if you’re a major enterprise that can’t just get it done with a snap of the fingers? (Yeah, we know how you big businesses sometimes like to do things.) In that case, the NSA recommends prioritizing patching your most critical endpoints and those that are most exposed to the internet. Basically, patch your mission-critical systems and infrastructure, internet-facing systems, and networked servers first.

Implement Network Prevention and Detection Measures

For those of you who route your traffic through proxy devices, we have some good news. While your endpoints are getting patched, your proxy devices can help you detect and isolate vulnerable endpoints. That’s because you can use TLS inspection proxies to validate SSL/TLS certificates from third parties and determine whether to trust or reject them.

You also can review logs and packet analysis to extract additional data for analysis and check for malicious or suspicious properties.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/nsa-microsoft-releases-patch-to-fix-latest-windows-10-vulnerability/


#nationalcybersecuritymonth | Hitches in a voting vendor vulnerability disclosure program

With help from Eric Geller, Mary Lee, Martin Matishak and Alexandra S. Levine

Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at politicopro.com.


Lawmakers and election equipment makers discussed researcher probes of the companies’ wares at a rare hearing on Thursday.

A major software industry organization raised doubts about a proposed Commerce Department rule for information and communications technology supply chain security.

The risk of possible Iranian cyberattacks has stayed on the agenda for DHS, researchers and others.

HAPPY FRIDAY and welcome to Morning Cybersecurity! Stay strong, Betelgeuse. We’re all on your side. Send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

THE ROAD TO A CVD — Voting machine vendors keep inching toward a coordinated vulnerability disclosure program, Thursday’s House Administration Committee hearing revealed, but there are still some hitches emerging toward fuller collaboration with researchers. John Poulos, CEO of Dominion Voting Systems, testified that his company reached out to an organizer of DEFCON’s machine-hacking Voting Village because it was “interested in a more collaborative penetration testing with stakeholders,” and actually sent modern certified systems, but an internal conference dispute led to scuttling those plans.

The CEOs of Election Systems & Software (Tom Burt) and Hart InterCivic (Julie Mathis) both said their companies had submitted equipment to Idaho National Laboratory, which conducts vulnerability tests with DHS. Overall, Burt said he doesn’t want to hand-select red teams but is “interested in making sure we attract hackers who can make our systems better without requiring that the information that they discover be put into the public domain,” and would like to see the Election Assistance Commission manage the program and choose researchers.

At the same hearing, Chairwoman Zoe Lofgren expressed concern about the potential for internet connectivity on vote tabulators, and the vendors voiced support for federal rules creating reporting requirements for companies’ cybersecurity practices.

I DON’T EVEN KNOW WHERE TO START — The Commerce Department’s proposed regulation for information and communications technology supply chain security is unworkable because it gives the Commerce secretary “unbounded discretion to review commercial ICT transactions, applying highly subjective criteria in an ad hoc and opaque process that lacks meaningful safeguards for companies,” the software trade group BSA said in comments filed this morning as part of the proceeding. The proposed supply chain rule, released in November, would let the government block U.S. companies from buying equipment and services that jeopardize national security. But BSA said the rule needed a serious overhaul.

BSA policy director Christian Troncoso wrote that the rule needed better transparency mechanisms and “procedural safeguards,” more precise definitions of what types of transactions and entities are covered and better-defined criteria for blocking those transactions. BSA called for exempting companies from the rule if they meet certain supply chain security standards, ensuring that “an official with adequate levels of political accountability” supervises the process and formally involving the intelligence community in decisions.

The group also urged changes such as requiring annual reports to Congress, giving companies more time to respond to a proposed decision and letting an independent interagency group reverse any decision. Absent these changes, Troncoso said, the rule’s “broad scope” and “vaguely defined standards” will “put U.S. companies at a competitive disadvantage.”

UPDATING MY PROFILE CISA Director Chris Krebs and agency leadership met with acting Homeland Security Secretary Chad Wolf this week to discuss efforts to shore up election security and stave off potential cyberattacks originating from Iran following the U.S.-led airstrike. CISA is urging organizations to “assess their cyber readiness and take steps to protect their networks and assets, including heightened awareness, increasing organizational vigilance, confirming reporting processes, and exercising incident response plans,” according to a note.

They also discussed the mounting threat of ransomware and CISA’s efforts to support governments and businesses, as well as efforts to protect the 2020 elections from foreign interference, such as providing cybersecurity services and developing and exercising incident response plans.

IRAN’S STILL A THING, PART TWO — That recent Saudi Arabian alert about Iranian cyberattacks involves its hackers placing data-wiping malware on Bahrain’s national oil company Bapco, ZDNet pieced together. The new wiper strain is dubbed Dustman, and seemingly didn’t have the impact the hackers were looking for. And it doesn’t appear directly linked to the recent U.S.-Iran tensions, the outlet reported.

A Dragos report out Thursday highlighted an Iranian hacking group’s password-spraying attacks on the North American energy sector. “MAGNALLIUM’s increased activity coincides with rising escalations between the U.S. and allies, and Iran in the Middle East,” the report states. “Dragos expects this activity to continue.”

And Check Point released numbers on Thursday about the volume of Iranian attacks in the week since the U.S. launched missiles that killed general Qassem Soleimani, showing no particular major uptick in attacks. Turkey was the top target of Iranian hackers, at 19 percent, compared to 17 percent for the U.S.

KIDS’ PRIVACY BACK IN THE SPOTLIGHT — From our friends at Morning Tech: As we await comprehensive data privacy legislation from Congress, a bipartisan pair of House Energy and Commerce lawmakers are offering a separate privacy measure — one aimed at bringing COPPA, the 1998 federal children’s online privacy law, up to date.

Reps. Tim Walberg (R-Mich.) and Bobby Rush (D-Ill.) on Thursday introduced the PROTECT Kids Act (shorthand for Preventing Real Online Threats Endangering Children Today), which would make location data and biometric data categories protected under the law; ensure that rules safeguarding children online also apply to apps on mobile phones; give parents more control over children’s data and consent; and task the FTC with reviewing the decades-old COPPA law and making recommendations on it to Congress.

“In the past, predators and perpetrators sought to harm our children by lurking near schoolyards and playgrounds,” Rush said. “But now — due to incredible advancements in technology — they are able to stalk our children through their mobile devices and in video game lobbies.”

Meanwhile, in the Senate: Sens. Ed Markey (D-Mass.), author of the COPPA bill, and Josh Hawley (R-Mo.) last spring introduced a bipartisan COPPA 2.0 bill (S. 748) that would, similarly, expand existing federal privacy protections for children and compel the FTC to enforce them. The agency is also doing its own self-reflection on whether COPPA rules need to be changed or updated.

TWEET OF THE DAY — “Come and get us!”

RECENTLY ON PRO CYBERSECURITY — House and Senate Democrats urged the FCC to take on SIM swapping scams. … “Countries that award 5G contracts to Western-aligned companies over Huawei won’t be hobbling their transition to next-generation wireless networks, a senior State Department official said.” … Belgian security services advised the government to limit the use of “non-trusted suppliers.” … Companies are reacting to California’s landmark Privacy Act by interpreting the complex law as they see fit.

Law firm Alston & Bird announced the election of 17 lawyers to its partnership, including Maki DePalo in the organization’s privacy and data security group.

Intrusion Truth has returned with more information on Chinese tech companies recruiting hackers for the government. CyberScoop

Las Vegas said it dodged a horrible cyberattack. ZDNet

Herb Lin contemplated the intersection of cyber and psychological operations. Lawfare

Malwarebytes said it found unremovable malware preinstalled on low-end smartphones sold to low-income Americans. ZDNet

“Industry working groups tasked with implementing the Pentagon’s landmark cybersecurity certification program have selected the University of Virginia’s Ty Schieber as board chairman, to lead the process for selecting a board of directors for an accreditation body that is expected to be up and running later this month.” Inside Cybersecurity

The PCI Security Standards Council and U.S. Chamber of Commerce blogged about Magecart.

Rockwell Automation is buying Israeli cybersecurity company Avnet Data Security. Security Week

That’s all for today.

Stay in touch with the whole team: Mike Farrell (mfarrell@politico.com, @mikebfarrell); Eric Geller (egeller@politico.com, @ericgeller); Mary Lee (mlee@politico.com, @maryjylee) Martin Matishak (mmatishak@politico.com, @martinmatishak) and Tim Starks (tstarks@politico.com, @timstarks).


What Is the ‘Fujiwhara Effect’ of Vulnerability Patching?

Microsoft, Oracle and other software vendors release regular vulnerability patches to help organizations guard against cyberattacks. However, several software vendors will launch vulnerability patches on the same date at least three times in 2020, resulting in a phenomenon known as the “Fujiwhara effect.”

The Fujiwhara effect typically occurs when two hurricanes collide with one another, resulting in a massive storm. In terms of vulnerability patching, the Fujiwhara effect happens when two or more software vendors release vulnerability patches on the same day, according to Risk Based Security.

Organizations can experience the Fujiwhara effect of vulnerability patching this year on January 14, April 14 and July 14. On these dates, the following software vendors are scheduled to release vulnerability patches:

  • Microsoft.
  • Oracle.
  • Adobe.
  • SAP.
  • Siemens.
  • Schneider Electric.

MSSPs can help organizations prepare for the Fujiwhara effect, too. They can provide insights into vulnerability patching and help organizations keep their software up to date, and in doing so, ensure organizations are protected against current and emerging cyber threats.


#hacking | CISA Wants a Vulnerability Disclosure Program At Every Agency

The Homeland Security Department on Wednesday released a draft of a binding operational directive that would require every federal agency to create a vulnerability disclosure policy.

Under the measure, each civilian agency would need to create a formal process for security researchers to share vulnerabilities they uncover within the organization’s public-facing websites and other IT infrastructure. Agencies must also develop a system for reporting and closing the security gaps that are uncovered through the program.

Despite the growing popularity of public cyber initiatives like bug bounties, security researchers often find themselves in a legal gray area when reporting cyber weaknesses to the government. By creating vulnerability disclosure policies, agencies can set clear guardrails on legal hacking.

“A [vulnerability disclosure policy] allows people who have ‘seen something’ to ‘say something’ to those who can fix it,” Jeanette Manfra, assistant director for cybersecurity within the Cybersecurity and Infrastructure Security Agency, said in a blog post. “It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems.”

The BOD would bring the rest of the government up to speed with the Pentagon and the General Services Administration’s tech office, which have already established vulnerability disclosure programs. DHS is also in the process of finalizing its own policy.

CISA will accept public feedback on the proposed directive through Dec. 27.

Specifically, the measure would give agencies six months to create a web-based system for receiving “unsolicited” warnings about potential vulnerabilities. They must also develop and publish a vulnerability disclosure policy, outlining the systems and hacking methods that are authorized under the program and describing the process for submitting vulnerabilities. 

The directive would require agencies to consistently add new systems to the program over time. Within two years, “all internet-accessible systems and services” must be in scope of the policy, according to the measure. Every system launched after the directive is issued must automatically be considered in scope.

Agencies would also need to set procedures for handling submissions and report both specific vulnerabilities and program metrics directly to CISA.

While the directive gives agencies some latitude in the metrics and policies around their own policies, the measure could ultimately lay the foundation for a standardized, government-wide vulnerability disclosure program, Manfra said. 

“We think a single, universal vulnerability disclosure policy for the executive branch is a good goal … but we expect that goal to be an unrealistic starting place for most agencies,” she said. “The directive supports a phased approach to widening scope, allowing each enterprise–comprised of the humans and their organizational tools, norms, and culture–to level up incrementally.”


Most Organizations Have Incomplete Vulnerability …

Companies that rely solely on CVE/NVD are missing 33% of disclosed flaws, Risk Based Security says.

A new report shows companies that rely solely on the Common Vulnerabilities and Exposures (CVE) system for their vulnerability information are leaving themselves exposed to a substantial number of security […]

#cybersecurity | Have you updated your browser yet? Severe Chrome Zero-day vulnerability getting actively exploited


Attention! Are you using Chrome as your web browsing software on your Windows, Linux and Mac? High time you update your browser!!

That’s right. With Google recently releasing Chrome version 78.0.3904.87 for Windows, Mac, and Linux, there comes an urgent warning requesting billions of users to update their software immediately. The warning comes after news of hackers exploiting two high-severity zero-day vulnerabilities, which the new Chrome version reportedly addresses.

What are these zero-day vulnerabilities?

According to Google, the following 2 zero-day vulnerabilities have been detected:

  • CVE-2019-13720 – This is basically a use-after-free-bug that has been detected in the audio component of Chrome.
  • CVE-2019-13721 – This again is a use-after-free vulnerability, and it affects the PDFium library, which is used to view and generate PDF files in your browser, a feature commonly required by users.

How do these vulnerabilities work?

A use-after-free vulnerability is basically a memory-corruption flaw that allows modification or corruption of memory data, letting a hacker take control of the affected software or system. All that remote attackers need to do to escalate privileges on your Chrome web browser is convince you to click and visit a malicious website. This instantly allows attackers to run malicious code on your affected system while bypassing any sandbox protections.

How can you protect yourself?

The use-after-free vulnerability has been existing in the wild for quite some time now and is one of the most commonly discovered vulnerabilities. Thus, the chances of it reappearing in frequent periods are high.

Thankfully, Google has already released this new Chrome version to patch the actively exploited zero-day vulnerability, and the stable channel has been updated to 78.0.3904.87. All you need to do is click on the update arrow at the top-right corner of the Chrome browser. Once you have updated to the latest version of Chrome across your desktop and mobile devices, you will be safe from these vulnerabilities.

Such security bugs and vulnerabilities are bound to appear and reappear from time to time. For this reason, Quick Heal strongly recommends that you keep your web browser and security products up to date and follow security best practices for optimum defense against rising and evolving threats and zero-day vulnerabilities.


Singapore’s GovTech Launches Vulnerability Disclosure Program


Singapore’s Government Technology Agency (GovTech) has launched a new vulnerability disclosure program on HackerOne so researchers can disclose vulnerabilities in government sites.

Started by Singapore’s GovTech, this program allows researchers to examine internet-accessible government sites and applications for vulnerabilities and disclose them to the agency.

“As part of the Government Technology Agency’s (“GovTech”) ongoing efforts to ensure the cyber-security of Government internet-accessible applications used by the citizens, business and public sector employees, GovTech has established this suspected vulnerability disclosure programme (“VDP”) to encourage the responsible reporting of suspected vulnerabilities or weaknesses in IT services, systems, resources and/or processes which may potentially affect Government internet-accessible applications. We look forward to working with the cyber-security research community and members of the public to keep our services safe for all users.”

Researchers who want to participate in the Singapore vulnerability disclosure program can target the following services for vulnerability research:

  1. Government internet-accessible applications for use by the public including Government internet-accessible applications, that are owned by any department or ministry of the Government, any Organ of State or any statutory board. Examples of such Government digital services are “gov.sg” and “ns.sg”, and examples of such mobile applications are “SingPass Mobile” and “SGSecure”.
  2. Government internet-accessible applications for use by Government employees only, that are provided by any department or ministry of the Government, any Organ of State, or any statutory board. Examples of such web-based and mobile applications are “pacgov.agd.gov.sg”, and “DWP Mobile”.

Unlike many popular bounty programs on HackerOne, researchers will not be rewarded with cash bounties for disclosing vulnerabilities. This decision may lead researchers to stay away from this program in favour of others where they can earn a living.

Singapore bug bounty challenge started over the weekend

Unlike the new vulnerability disclosure program, the bug bounty challenge that HackerOne launched for Singapore’s Ministry of Defense over the weekend does offer cash rewards for discovered vulnerabilities.

This challenge started on July 28th 2019 and will go through October 21st, 2019.

“The three-week challenge will run from September 30, 2019 to October 21, 2019, and will bring together trusted hackers from around the world to test 11 government-owned targets, including websites and public digital systems belonging to MINDEF/Singapore Armed Forces (SAF) and other agencies in the defense sector. Hackers will search these systems for security weaknesses so they can be safely resolved and therefore, enhance the safety and security of these systems. This year’s bug bounty challenge also has an added focus on personal data protection.”

This challenge is only open to invited trusted researchers who will attempt to find bugs in eleven government-owned targets.


Tinder #vulnerability allows #hackers to take over #accounts with just one #phone number

Source: National Cyber Security News

After it was reported last month that online dating app Tinder had a security flaw that allows strangers to see users’ photos and matches, security firm Appsecure has now uncovered a new flaw that is potentially more damaging.

Infiltrators who exploit the vulnerability would be able to gain access to users’ accounts with the help of their login phone number. The issue has, however, been fixed after Tinder was alerted by Appsecure.

Appsecure says the hackers could have taken advantage of two vulnerabilities to attack accounts: one in Tinder’s own API and the other in Facebook’s Account Kit system, which Tinder uses to manage logins.

In a statement sent to The Verge, a Tinder spokesperson said, “Security is a top priority at Tinder. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers.”

The vulnerability exposed the access tokens of users. If a hacker is able to obtain a user’s valid access token, they can easily take over that user’s account.

“We quickly addressed this issue and we’re grateful to the researcher who brought it to our attention,” The Verge quoted a Facebook representative as saying.
