Security news weekly round-up - 11th December 2020

Habdul Hazeez - Dec 11 '20 - Dev Community

Introduction

This week, it's about bugs and cyberattacks.


Chrome, Edge and Firefox May Leak Information on Installed Apps

Humans are not perfect, and neither are their creations.

The vulnerability is an information disclosure.

Excerpt from the article:

The bugs impact Protocol Handlers, which are related to a mechanism that allows apps to register their own URI schemes used for process execution.

To exploit the feature, an attacker could create web pages meant to trigger potentially vulnerable applications within the victim system. Such attacks may even bypass protection mechanisms like Smart Screen, the researcher argues.

Tracked as CVE-2020-15680 and already patched, the vulnerability exists because the web browser renders images sourced in existing and non-existing protocol handlers in a different manner. Specifically, if the source of an image element is set to a non-existing handler, the element would be displayed with different sizing of 0x0.

Amnesia:33 — Critical TCP/IP Flaws Affect Millions of IoT Devices

The flaws stem from improper memory management and, if successfully exploited, could cause memory corruption; hence the name Amnesia, borrowed from the human medical condition of the same name, which describes short-term memory loss.

Excerpt from the article:

Collectively called "AMNESIA:33" by Forescout researchers, it is a set of 33 vulnerabilities that impact four open-source TCP/IP protocol stacks — uIP, FNET, picoTCP, and Nut/Net — that are commonly used in Internet-of-Things (IoT) and embedded devices.

As a consequence of improper memory management, successful exploitation of these flaws could cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service (DoS) attacks, steal sensitive information, and even poison DNS cache.

Cybersecurity Firm FireEye Got Hacked; Red-Team Pentest Tools Stolen

If you are surprised after reading that title, you are not alone. Like: a cybersecurity company got hacked? Now, who is safe? Reality is, no one.

Excerpt from the article:

The company said the adversary also accessed some internal systems and primarily sought information about government clients but added there's no evidence that the attacker exfiltrated customer information related to incident response or consulting engagements or the metadata collected by its security software.

Credit card stealer hides in CSS files of hacked online stores

I am a Web developer with interests in Computer security and A.I., and I really find this crafty.

The attackers used CSS custom properties (popularly called CSS variables) to embed the stealer's URL as a variable value in the CSS file; JavaScript on the web page then reads that value back. This is very interesting, and awful.

Excerpt from the article:

By hiding their payment info stealer script within CSS code, this skimmer's creators successfully bypassed detection by automated security scanners and avoided raising any flags even when examined in manual security code audits.

This happened because scanners aren't commonly scanning CSS files for malicious code and anyone looking at the skimmer's trigger script reading a custom property (variable) from the CSS page wouldn't give it a second glance.
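As an added example (not code from the article or from the skimmer it describes), a static check for the pattern just described: a CSS custom property whose value is an off-site URL that page script then reads back via getPropertyValue(). The stylesheet, script and host names are constructed for the demo, and the allowlist is an assumption about which CDN the store legitimately uses.

```javascript
// Added example (not the article's code): flag the pattern the skimmer used,
// an off-site URL stored in a CSS custom property and read back by script.
// Stylesheet, script and host names below are constructed for this demo.
const SAMPLE_CSS = `
:root {
  --brand-color: #1a73e8;
  --hero: url("https://cdn.shop-placeholder.test/hero.png");
  --s: "https://collect.placeholder.invalid/gate.php";
}
`;

const SAMPLE_JS = `
var e = getComputedStyle(document.documentElement).getPropertyValue('--s');
var hero = getComputedStyle(document.body).getPropertyValue('--hero');
`;

const CUSTOM_PROP_RE = /--([\w-]+)\s*:\s*([^;{}]+);/g;          // --name: value;
const URL_HOST_RE = /(?:https?:)?\/\/([^\s"'/()]+)/i;           // captures the host
const PROP_READ_RE = /getPropertyValue\(\s*["'](--[\w-]+)["']\s*\)/g;

// Map of custom property name -> host, for every property whose value
// contains an absolute or protocol-relative URL.
function customPropertyHosts(cssText) {
  const hosts = new Map();
  for (const m of cssText.matchAll(CUSTOM_PROP_RE)) {
    const host = m[2].match(URL_HOST_RE);
    if (host) hosts.set(`--${m[1]}`, host[1].toLowerCase());
  }
  return hosts;
}

// Set of custom property names the script reads at runtime.
function propertiesReadByScript(jsText) {
  return new Set([...jsText.matchAll(PROP_READ_RE)].map((m) => m[1]));
}

// A URL that stays inside CSS (a background image on the store's CDN) is normal;
// an off-allowlist host that JavaScript reads back is reported for manual review.
function findSuspiciousProperties(cssText, jsText, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const read = propertiesReadByScript(jsText);
  const findings = [];
  for (const [name, host] of customPropertyHosts(cssText)) {
    if (read.has(name) && !allowed.has(host)) findings.push({ name, host });
  }
  return findings;
}

console.log(findSuspiciousProperties(SAMPLE_CSS, SAMPLE_JS, ['cdn.shop-placeholder.test']));
```

Run against a real store, the two inputs would be the served stylesheets and the inline or external scripts of the checkout page, with the allowlist holding the store's own asset hosts.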

Cisco Reissues Patches for Critical Bugs in Jabber Video Conferencing Software

A patch was issued earlier, but another one was required because users remained susceptible to remote attacks.

Excerpt from the article:

The vulnerabilities, if successfully exploited, could allow an authenticated, remote attacker to execute arbitrary code on target systems by sending specially-crafted chat messages in group conversations or to specific individuals.

Cybersecurity Agencies Warn of High-Severity OpenSSL Vulnerability

It's a Denial of Service (DoS) vulnerability.

Excerpt from the article:

The security hole, tracked as CVE-2020-1971 and described as a NULL pointer dereference issue, was reported by Google's David Benjamin and it impacts all 1.1.1 and 1.0.2 versions.

4 major browsers are getting hit in widespread malware attacks

Yeah, you read that right.

Excerpt from the article:

Adrozek, as the software maker has dubbed the malware family, relies on a sprawling distribution network comprising 159 unique domains with each one hosting an average of 17,300 unique URLs. The URLs, in turn, host an average of 15,300 unique malware samples. The campaign began no later than May and hit a peak in August, when the malware was observed on 30,000 devices per day.

The attack works against the Chrome, Firefox, Edge, and Yandex browsers, and it remains ongoing. The end goal for now is to inject ads into search results so the attackers can collect fees from affiliates. While these types of campaigns are common and represent less of a threat than many types of malware, Adrozek stands out because of malicious modifications it makes to security settings and other malicious actions it performs.

Credits

Cover photo by Jazmin Quaynor on Unsplash.


That's it for this week; I'll see you next Friday.
