Contrary to the tradition of this weekly round-up, which always contains seven links, there are ten links in this one, hence the five-minute reading time.
Introduction
Welcome to the weekly round-up of security news from around the Web. I hope your week was fine.
This week it's mostly about bugs and vulnerabilities.
Intel announces “exploit busting” features in its next processor chips
In recent years, multiple vulnerabilities have been discovered in Intel processors. Now Intel is doing something about it with so-called "exploit busting" features.
Excerpt from the article:
As far as we can see, the first wave of Intel processors that will include these new protections are the not-quite-out-yet CPUs known by the nickname “Tiger Lake”, so if you’re a programmer you can’t actually start tinkering with the CET features just yet.
Nevertheless, CET reminds us all that computer security is a cat-and-mouse game, where one round of security improvements provokes a change in behaviour by cybercriminals, which in turn leads to a new wave of defences, and so on.
The article is an interesting read.
Ripple20 bugs set off wave of security problems in millions of devices
When you read the word "ripple" in the article's title, you should know it refers to lots of bugs.
Excerpt from the article:
Labeling the discovery Ripple20, the researchers said that the bugs enable attackers to take control of internet-facing devices and then lurk undetected for years.
Other risks include mass infections inside a network using a hacked device as a foothold, said their vulnerability analysis. No user interaction is necessary for a hacker to take over your network using these flaws.
New Mobile Internet Protocol Vulnerabilities Let Hackers Target 4G/5G Users
The title says it all.
Excerpt from the article:
High impact vulnerabilities in modern communication protocol used by mobile network operators (MNOs) can be exploited to intercept user data and carry out impersonation, fraud, and denial of service (DoS) attacks, cautions a newly published research.
Bug in ‘USB for Remote Desktop’ lets hackers add fake devices
The title says it all.
Excerpt from the article:
The flaw is identified as CVE-2020-9332 and resides in the bus driver for “USB for Remote Desktop” developed by FabulaTech. The company has an impressive customer list with high-profile organizations from a variety of sectors.
Among them are Google, Microsoft, Texas Instruments, BMW, MasterCard, NASA, Reuters, Intel, Chevron, Shell, Raytheon, Xerox, Harvard, General Electric, and Raiffeisen Bank.
VLC Media Player 3.0.11 fixes severe remote code execution flaw
This is scary because VLC is quite a popular open-source media player.
Excerpt from the article:
VideoLan has released VLC Media Player 3.0.11, and it is now available for Windows, Mac, and Linux. In addition to bug fixes and improvements, this release also fixes a security vulnerability that could allow attackers to remotely execute commands or crash VLC on a vulnerable computer.
This vulnerability is tracked as CVE-2020-13428 and is a "buffer overflow in VLC's H26X packetizer" that would allow attackers to execute commands under the same security level as the user if properly exploited.
Adobe fixes critical flaws in Illustrator, After Effects, more
Do you know Adobe? I think you do.
Excerpt from the article:
Adobe has released out-of-band security updates to address 18 critical flaws that could allow attackers to execute arbitrary code on systems running vulnerable versions of Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush, and Audition on Windows and macOS devices.
18 of the security flaws patched today are all rated as Critical, could lead to arbitrary code execution following successful exploitation, and were reported by researchers at Fortinet's FortiGuard Labs (Honggang Ren, Kushal Arvind Shah, and Yonghui Han) and by Mat Powell of Trend Micro Zero Day Initiative.
Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers
Drupal is an open-source content management system used by websites, so this should be worth your reading time.
Excerpt from the article:
The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances. According to Drupal developers, the issue is most likely to affect Windows servers.
Hackers use fake Windows error logs to hide malicious payload
The title says it all.
Excerpt from the article:
Hackers have been using fake error logs to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed to prepare the ground for script-based attacks.
The trick is part of a longer chain with intermediary PowerShell commands that ultimately delivers a script for reconnaissance purposes.
Hijacked Oxford server used by hackers for Office 365 phishing
Oxford University is a reputable name, and attackers seem to be taking full advantage of this.
Excerpt from the article:
By leveraging the reputable brands of Oxford University, Adobe, and Samsung within the same campaign, the threat actors' attacks had everything needed to bypass their victims' security email filters and trick the victims themselves into handing over their Office 365 credentials.
Zoom Will Offer End-to-End Encryption to Free Users
Zoom became popular during the COVID-19 pandemic and has been in the news for the wrong reasons. This time it seems to be for a good one.
Excerpt from the article:
Zoom announced on Wednesday that it has decided to offer end-to-end encryption to free users after all, as long as they verify their account by providing an additional piece of information, such as a phone number.
That's it for this week. I'll see you next Friday.
Cover photo by Jazmin Quaynor on Unsplash.