Cover photo by Jazmin Quaynor on Unsplash.
This week round-up is mostly hacking related.
Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition
Software engineers make it their daily jobs to create safe and secure software systems, Security engineers and Researchers make it their job to crack the "secure" systems. Like I have said multiple times in this series — No System is Safe.
Excerpt from the article:
The two-day event, which happened over the weekend, saw white hat hackers from 15 different teams using original vulnerabilities to break into widely used software and mobile devices in 5 minutes over three attempts.
Watch Out! New Android Banking Trojan Steals From 112 Financial Apps
Mobile banking applications were built for customers convenience but as everything ever created by Man, it can be misused, abused, and exploited.
Excerpt from the article:
Ghimob is a full-fledged spy in your pocket: once infection is completed, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim's smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their anti-fraud behavioral systems
Google Chrome to block JavaScript redirects on web page URL clicks
This is all about opening links in a new tab using HTML target=_blank
. It's known to have security issues that allow the new tab to hijack the original page to a different URL.
Developers were encouraged to add rel="noopener"
to prevent this, and now Browser maker are taking matters into their hands.
Excerpt from the article:
In 2018, to increase security, Apple made a change in Safari that treats all HTML links that utilize
target="_blank"
to also automatically imply the noopener attribute. With this feature enabled, even if a web site does not use rel="nooopener" on their URLs, the browser will still secure them.Last week, Microsoft Edge developer Eric Lawrence added this same feature to Chromium, which means it will also be brought to Microsoft Edge, Google Chrome, Brave, and other Chromium-based browsers.
Microsoft Releases Windows Security Updates For Critical Flaws
Humans are not perfect and no matter how "safe" we design our software systems to be, it will always contain flaws. When these flaws are discovered by Threat Actors they'll use them for their benefit but luckily if we find the bugs ourselves, we fix them.
Excerpt from the article:
Chief among those fixed is CVE-2020-17087 (CVSS score 7.8), a buffer overflow flaw in Windows Kernel Cryptography Driver ("cng.sys") that was disclosed on October 30 by the Google Project Zero team as being used in conjunction with a Chrome zero-day to compromise Windows 7 and Windows 10 users.
Two New Chrome 0-Days Under Active Attacks – Update Your Browser
I have nothing to add to this one, the title says it all and please update your browser.
Excerpt from the article:
Tracked as CVE-2020-16013 and CVE-2020-16017, the flaws were discovered and reported to Google by "anonymous" sources, unlike previous cases, which were uncovered by the company's Project Zero elite security team.
Intel SGX defeated yet again—this time thanks to on-chip power meter
Once again, Intel Secure Enclave has been defeated.
Excerpt from the article:
PLATYPUS, as the researchers are calling the attack, uses a novel vector to open one of the most basic side channels, a form of exploit that uses physical characteristics to infer secrets stored inside a piece of hardware.
DNS cache poisoning attacks return due to Linux weakness
A bug from 2008 has risen from the dead.
Excerpt from the article:
Researchers from Tsinghua University and the University of California have identified a new method that can be used to conduct DNS cache poisoning attacks.
The new discovery revives a 2008 bug that had once been thought to have resolved for good.
That's it for this week, I'll see you next Friday.