Security news weekly round-up - 1st September 2023

Habdul Hazeez - Sep 1 '23 - - Dev Community

Welcome to this week's review. I remain your host, Habdul Hazeez 😊

Introduction

This week's review is mostly about malware and software vulnerabilities. We have others in the mix, so let's get to it.


How a Well-Regarded Mac App Became a Trojan Horse

Once upon a time, it was what Mac users needed, then it became obsolete and was turned into a Trojan horse. My advice, keep track of applications on your system, if you no longer use them, REMOVE THEM. Here is more for you:

After some users noted issues with the app after a June update, web developer Taylor Robinson discovered the problem ran deep, as the program redirected users’ computers’ connections without any notification. The real dark mode turned out to be the transformation of a respectable Mac app into a playground for data harvesters.

Four common password mistakes hackers love to exploit

Make your passwords strong 💪 and if you can use a password manager. However, ensure you don't lose access to it. Why? Not good 🚫. Back to the news, the mistakes are as follows:

Common ‘base’ terms, Short password length, Keyboard walk patterns, and Password reuse

WordPress migration add-on flaw could lead to data breaches

Are you moving your WordPress website using All-in-One WP Migration? Be careful because it contains a flaw tracked with CVE-2023-40004. Here is more for you:

The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or restoring malicious backups.

High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome

It's super technical and super interesting. Take time to read it. Here is something to get you started:

Mozilla released Firefox 117 with patches for 13 vulnerabilities, including seven rated ‘high severity’, four of which are described as memory corruption bugs affecting the browser’s IPC CanvasTranslator, IPC ColorPickerShownCallback, IPC FilePickerShownCallback, and JIT UpdateRegExpStatics components.

Trojanized Signal and Telegram apps on Google Play delivered spyware

Always double-check everything that you download from the Google Play Store. You can never be too safe. Here is why:

This malware was previously used to target ethnic minorities in China, but ESET's telemetry shows that this time, the attackers target users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.

Dangling DNS Used to Hijack Subdomains of Major Organizations

If you love research, you will love this one. It's a fun read, starting with the following:

They targeted subdomains belonging to government organizations in the US, Canada, UK and Australia; the Austrian political party FPÖ; cybersecurity firm Netscout; US insurance giant Penn Mutual; CNN; several major universities in the United States (UCLA, Stanford, and University of Pennsylvania); and a couple of financial institutions.

What you need to know about iCloud Private Relay

It's strictly for traffic within Safari web browser. There you go, it might not be what you're expecting. But it might be worth it and here is why:

The reason why Private Relay is still an interesting service is that fundamentally, it still allows for a more private browsing and, more important, gives added protection for your browsing habits (on Safari, that is).

Coupled with an effective ad-blocking Safari extension and a non-acceptance of tracking cookies, it presents an interesting opportunity to tailor your browsing and data sharing habits.


Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .