Security news weekly round-up - 14th May 2021

Habdul Hazeez - May 14 '21 - - Dev Community

Time waits for no one. It feels like yesterday since the last edition of this round-up only for me to check, and it's 2 weeks already, and I am like: Are you kidding me?

What more could I say? Let's move on.

Hopefully, I can keep track of time and I will be here next week to say: "Yeah I made it this week".

Introduction

This week it's everything security.


Foxit Reader bug lets attackers run malicious code via PDFs

Foxit Reader comes pre-installed on some laptop computers. If you (or anyone else) use Foxit, you should update it.

Excerpt from the article:

The high-severity vulnerability (tracked a CVE-2021-21822) results from a Use After Free bug found by Aleksandar Nikolic of Cisco Talos in the V8 JavaScript engine used by Foxit Reader to display dynamic forms and interactive document elements.

Successful exploitation of use after free bugs can lead to unexpected results ranging from program crashes and data corruption to the execution of arbitrary code on computers running the vulnerable software.

Security researcher successfully jailbreaks an Apple AirTag

You've locked and secured it, congratulations. Just so you know, there is someone out there who would break it.

Excerpt from the article:

It's not immediately clear how far hacking the firmware might change this threat landscape—but an attacker might, for instance, look for ways to disable the "foreign AirTag" notification to nearby iPhones.

University of California Confirms Personal Information Stolen in Cyberattack

If you store it, make sure it's safe, otherwise be prepared to explain yourself when you lose it.

Excerpt from the article:

UC initially confirmed impact from the incident in early April, after the operators of Clop ransomware, which orchestrated the attack on Accellion’s service, published on their Tor-based leaks website information allegedly stolen from the university and other entities.

This week, the university confirmed the attackers were indeed able to access a great deal of personal information pertaining to “employees (current and former) and their dependents, retirees and beneficiaries, and current students, as well as other individuals who participated in UC programs.”

Experts warn of a new Android banking trojan stealing users' credentials

You should watch out and be wary of the application that you install on your Android device.

Excerpt from the article:

The rogue Android application, which masquerades as media and package delivery services like TeaTV, VLC Media Player, DHL, and UPS, acts as a dropper that not only loads a second-stage payload but also forces the victim into granting it accessibility service permissions.

Researchers Abuse Apple’s Find My Network for Data Upload

You create a service to serve a specific purpose then you realize it can be utilized for other purpose.

Excerpt from the article:

Security researchers have discovered a way to leverage Apple’s Find My's Offline Finding network to upload data from devices, even those that do not have a Wi-Fi or mobile network connection.

Using Bluetooth Low Energy, the data is being sent to nearby Apple devices that do connect to the Internet, and then sent to Apple’s servers, from where it can be retrieved at a later date.

Big Cybersecurity Tips For Remote Workers Who Use Their Own Tech

The COVID-19 pandemic led to an increase in remote workers. These workers, one way or another, connect their tech to their company's network.

This article shares some tips on computer and cyber hygiene which contribute to a safer working environment.

Excerpt from the article:

Though you might not want to follow all of the news that comes out about security issues on a daily basis, you might find it helpful to pay close attention to at least those that directly impact you. Perhaps most importantly, you're going to want to install mitigations for the biggest breaches.

Cross-browser tracking vulnerability tracks you via installed apps

It's no joke.

Excerpt from the article:

A researcher from one of the most well-known fingerprinting scripts, FingerprintJS, has disclosed a vulnerability that allows a website to track a device's user between different browsers, including Chrome, Firefox, Microsoft Edge, Safari, and even Tor.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, I'll see you next Friday.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .