Introduction
This week's review is about vulnerabilities, online scams, malware, and privacy. Get ready, and let's proceed.
Google Warns of Chrome Browser Zero-Day Being Exploited
Web browsers are sophisticated applications that we depend on for our daily online activities. Like any other software they have vulnerabilities, and the only real defense is to install the vendor's update as soon as it ships.
Google has already shipped the fix, so check that your Chrome is on the patched release. Here is what the vulnerability is all about:
Google has pushed out an urgent Chrome browser update to fix a trio of high-severity security defects and warned that one of the bugs is already being exploited in the wild.
The exploited zero-day, tagged as CVE-2024-0519, is described as an out-of-bounds memory access issue in the V8 JavaScript engine.
Remote Code Execution Vulnerability Found in Opera File Sharing Feature
Opera has fixed it. Still, I'm not surprised: no system is safe.
Here is more about the RCE:
Guardio Labs discovered that there were several versions of the My Flow landing page lying around, some of them a few years old and lacking the more recent security checks.
“This is exactly what an attacker needs — an unsafe, forgotten, vulnerable to code injection asset, and most importantly — has access to (very) high permission native browser API,” Guardio Labs notes.
GitHub Rotates Credentials in Response to Vulnerability
The article's title says it all. The lesson: rotate any credential that may have been exposed, even when the exposure looks harmless, and remember that if something is "secure", it's only because nobody has yet dedicated the time to break it.
More from the article:
The security defect, which allowed access to credentials within a production container, had no impact beyond the security researcher who identified and reported it, but the platform’s security protocols call for rotating credentials exposed to third parties.
Virtual kidnapping: How to see through this terrifying scam
The scam itself is old-fashioned social engineering; what is new is AI making it cheaper to run at scale. Be careful out there.
Quick excerpt for you:
There are variations on this theme. Most concerning is the potential for ChatGPT and other AI tools to supercharge virtual kidnapping by making it easier for fraudsters to find the ideal victims
New UEFI vulnerabilities send firmware devs industry wide scrambling
I'm getting bored trying to write a quick summary of these vulnerabilities. What should I do? 🤔
Let's have a quick excerpt and proceed:
The vulnerabilities, which collectively have been dubbed PixieFail by the researchers who discovered them, pose a threat mostly to public and private data centers and possibly other enterprise settings. People with even minimal access to such a network can exploit the vulnerabilities to infect connected devices with a malicious UEFI
Researcher uncovers one of the biggest password dumps in recent history
If you reuse passwords anywhere, change them now. The researcher in question is Troy Hunt of Have I Been Pwned (HIBP).
More for you:
Hunt said that a large percentage of the credentials came not from stealer malware as claimed, but from credential stuffing, a form of account-hijacking attack that collects large numbers of stolen account credentials from previous breaches.
Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package
The package was pulled after 380 downloads. npm is popular with developers, so always double-check what you install.
Here is more on the story:
While "oscompatible" appears to be the only npm module employed as part of the campaign, the development is once again a sign that threat actors are increasingly targeting open-source software (OSS) ecosystems for supply chain attacks
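"Double-check what you install" in practice means looking at what a package will execute the moment `npm install` runs, because a trojan like this one does not need you to import it; an install-time lifecycle script is enough. Below is an added example written for this post, not code from the article, from npm, or from the "oscompatible" package: it audits a `package.json` for install-time hooks and flags commands that match a few rough heuristics. The hook names and npm's behaviour are real; the sample manifests are constructed and are not the real package's manifest, and the heuristic list is an assumption, not an exhaustive rule set.

```javascript
// Added example (not from the article or npm): audit a package.json for
// scripts that run automatically during `npm install`.

// Lifecycle scripts npm runs during install, in this order.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Rough heuristics (assumption: not exhaustive) for hook commands that
// deserve a closer look before the package goes anywhere near a dev box.
const SUSPICIOUS = [
  { name: 'downloads-at-install', re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: 'spawns-native-binary', re: /\b(powershell|cmd\.exe|[\w-]+\.exe|[\w-]+\.bat)\b/i },
  { name: 'decodes-hidden-payload', re: /base64|atob\(|Buffer\.from\(/i },
  { name: 'runs-bundled-script', re: /\bnode\s+\S+\.js\b/i },
];

// Return one finding per install-time hook present in the manifest.
function auditManifest(pkg) {
  const scripts = pkg && pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const reasons = SUSPICIOUS.filter(s => s.re.test(command)).map(s => s.name);
    findings.push({
      hook,
      command,
      reasons,
      // any install hook is worth knowing about; one matching a heuristic is worse
      severity: reasons.length > 0 ? 'high' : 'medium',
    });
  }
  return findings;
}

// Collapse the findings into a single verdict for the package.
function riskLevel(findings) {
  if (findings.some(f => f.severity === 'high')) return 'high';
  if (findings.length > 0) return 'medium';
  return 'clean';
}

// Constructed sample manifests (made up for this example; not real packages).
const SAMPLE_TROJAN = {
  name: 'example-compat-shim',
  version: '1.0.0',
  scripts: {
    preinstall: 'node setup.js',
    postinstall: 'powershell -ExecutionPolicy Bypass -File install.ps1',
    prepare: 'tsc',
    test: 'echo ok',
  },
};
const SAMPLE_CLEAN = { name: 'example-lib', version: '2.3.1', scripts: { test: 'mocha' } };

function demo() {
  for (const pkg of [SAMPLE_TROJAN, SAMPLE_CLEAN]) {
    const findings = auditManifest(pkg);
    console.log(`${pkg.name}: ${riskLevel(findings)}`);
    for (const f of findings) {
      console.log(`  ${f.severity}\t${f.hook}: ${f.command}  [${f.reasons.join(', ')}]`);
    }
  }
}
demo();
```

You can get the manifest without installing anything with `npm view <package> scripts`, and `npm install --ignore-scripts` stops the hooks from running at all while you look at the tarball. A medium finding is not proof of malice (plenty of honest packages build native code in `install`), but a high one on a package you have never heard of is a good reason to stop.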
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.