Introduction
Hello! It's another week and it's time for another review of security news that is worthy of your attention. In this week's edition, the articles that we'll review are about malware, vulnerabilities, and scams
So, let's get started.
New Malware Hits 300,000 Users with Rogue Chrome and Edge Extensions
At the end of the article, there are ways to get rid of the malware if you're infected. Nonetheless, this shows the lengths threat actors are willing to go to to compromise your computer system.
From the article:
At the heart of the campaign is the use of malvertising to push lookalike websites promoting known software like Roblox FPS Unlocker, YouTube, VLC media player, Steam, or KeePass to trick users searching for these programs into downloading a trojan, which serves as a conduit for installing the browser extensions.
Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure
Reading articles like this is what keeps me going in computer security. The ingenuity with which people find vulnerabilities will never cease to amaze me. Okay, back to the topic. The vuln is tracked as CVE-2024-38200 and has a CVSS score of 7.5.
From the article on how the vulnerability can be exploited:
In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability
Why scammers want your phone number
Something within you might yell "I know this already". But wait 🛑. There is more for you to learn in this article. Why? If words like pig butchering, smishing, and CEO fraud are new to you. You should read the article.
Here is some quick information from the article and more reasons why it's worthy of your time:
Why are all these scams such a threat? These days, many online services rely on phone numbers for authentication and account recovery. Compromising a phone number can, therefore, be tantamount to bypassing your security safeguards, including two-factor authentication (2FA). Additionally, scammers may impersonate you to defraud your contacts – or your employer.
GitHub Vulnerability 'ArtiPACKED' Exposes Repositories to Potential Takeover
From the guys at Palo Alto Networks Unit 42, the vulnerability is related to GitHub Actions. Now, wait, before you panic, based on the original author, some companies have patched their code.
From the article, it's on you (as the repository owner) to take action:
A number of open-source repositories related to Amazon Web Services (AWS), Google, Microsoft, Red Hat, and Ubuntu have been found susceptible to the attack. GitHub, for its part, has categorized the issue as informational, requiring that users take it upon themselves to secure their uploaded artifacts.
Zero-Click Exploit Concerns Drive Urgent Patching of Windows TCP/IP Flaw
At the time of writing, technical details of the vulnerability have not been made available due to some factors or other. To make matters worse, the vulnerability is susceptible to zero-click exploit; an exploit that requires no human interaction can be developed to exploit it. To complicate issues and to show the severity of this vulnerability, Microsoft has tagged it with a CVSS severity score of 9.8 out of 10.
From the article where they quoted Microsoft:
An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution
Google Pixel Devices Shipped with Vulnerable App, Leaving Millions at Risk
As a normal user, you can't uninstall the app. However, you're in luck. At the time of writing, the article quoted a Google spokesperson saying that they will be removing the app from all supported in-market Pixel devices with an upcoming Pixel software update. Good news!
Here is what's wrong with the vulnerable application in question:
The crux of the problem has to do with the app downloading a configuration file over an unencrypted HTTP web connection, as opposed to HTTPS, thereby opening the door for altering it during transit to the targeted phone.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.