Security news weekly round-up - 4th December 2020

Habdul Hazeez - Dec 4 '20 - - Dev Community

Introduction

This week is mostly about bugs and vulnerabilities, with a bit of hacking and malicious software in between.


WebKit Vulnerabilities Allow Remote Code Execution via Malicious Websites

WebKit is an open-source web browser engine used by some browser vendors and software developers. Cisco Talos has now discovered multiple use-after-free vulnerabilities in the engine.

Excerpt from the article:

Cisco’s Talos threat intelligence and research group revealed on Monday (November 30, 2020) that one of its researchers identified several high-severity use-after-free vulnerabilities that can be exploited for remote code execution by getting the targeted user to access a specially crafted web page with a browser that uses WebKit.

Malicious NPM packages used to install njRAT remote access trojan

NPM (Node Package Manager) is used by developers to download and host software programs known as packages. But like any website, it can be used to host malicious programs that look innocent.

Excerpt from the article:

New malicious NPM packages have been discovered that install the njRAT remote access trojan that allows hackers to gain control over a computer.

Analysis of 4 Million Docker Images Shows Half Have Critical Vulnerabilities

The title says it all.

Excerpt from the article:

Roughly 6,400 containers, representing 0.16% of the total, were classified as malicious or potentially harmful due to the presence of malware, cryptocurrency miners, hacking tools, a malicious npm package (flatmap-stream), and trojanized applications.

GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix

Humans are not perfect; that is why we have bugs and vulnerabilities in our code. Based on a report by GitHub, some vulnerabilities can take years to fix.

Excerpt from the article:

The report, which is based on the analysis of more than 45,000 active repositories, shows that it typically takes 7 years to address vulnerabilities in Ruby, while those in npm are usually patched in five years. This is due to the fact that they often remain undetected or unnoticed.

Several Unpatched Popular Android Apps Put Millions of Users at Risk of Hacking

It's a vulnerability in Google's widely used update library.

Excerpt from the article:

Many popular apps, including Grindr, Bumble, OkCupid, Cisco Teams, Moovit, Yango Pro, Microsoft Edge, Xrecorder, and PowerDirector, are still vulnerable and can be hijacked to steal sensitive data, such as passwords, financial details, and e-mails.

The bug, tracked as CVE-2020-8913, is rated 8.8 out of 10.0 for severity and impacts Android's Play Core Library versions prior to 1.7.2.

Credit card stealing malware hides in social media sharing icons

You should be on the lookout the next time you go shopping.

Excerpt from the article:

The payment skimmer malware pulls its sleight of hand trick with the help of a double payload structure where the source code of the skimmer script that steals customers' credit cards will be concealed in a social sharing icon loaded as an HTML 'svg' element with a 'path' element as a container.
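As an added example (not from the original post or the article it quotes), here is a small Python auditor that flags inline SVG icons whose markup carries script-like content instead of plain path data. The checks are heuristics I constructed, and both sample icons are made up for the demonstration.

```python
import re
from html.parser import HTMLParser

# Characters permitted by the SVG path-data grammar: commands, numbers, separators.
PATH_DATA_OK = re.compile(r'^[MmZzLlHhVvCcSsQqTtAa0-9\s,.\-+eE]*$')
# Tokens that never belong in icon markup but are typical of injected scripts.
SCRIPT_HINTS = re.compile(r'(atob\(|eval\(|document\.|XMLHttpRequest|fetch\(|location\.|=>|function\s*\()')


class SvgAuditor(HTMLParser):
    """Collects findings for anything inside <svg> that does not look like icon data."""

    def __init__(self):
        super().__init__()
        self.depth = 0          # how many <svg> elements we are nested inside
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == 'svg':
            self.depth += 1
        if self.depth == 0:     # only audit markup inside an <svg>
            return
        for name, value in attrs:
            value = value or ''
            if tag == 'path' and name == 'd' and not PATH_DATA_OK.match(value):
                self.findings.append(f'<path d> contains non-path characters: {value[:40]!r}')
            elif SCRIPT_HINTS.search(value):
                self.findings.append(f'<{tag} {name}> looks like script: {value[:40]!r}')
            elif name.startswith('on'):
                self.findings.append(f'<{tag}> carries inline event handler {name}')

    def handle_endtag(self, tag):
        if tag == 'svg' and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth and SCRIPT_HINTS.search(data):
            self.findings.append(f'text inside <svg> looks like script: {data.strip()[:40]!r}')


def audit_svg_icons(html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = SvgAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples: a benign share icon and one whose <path> hides a decoded payload.
CLEAN_ICON = '<svg viewBox="0 0 24 24"><path d="M12 2 L2 22 L22 22 Z"/></svg>'
SUSPECT_ICON = '<svg viewBox="0 0 24 24"><path d="M12 2 L2 22 Z" data-x="eval(atob(\'aGVsbG8=\'))"/></svg>'

if __name__ == '__main__':
    for label, icon in (('clean', CLEAN_ICON), ('suspect', SUSPECT_ICON)):
        print(label, audit_svg_icons(icon) or 'no findings')
```

Run it against the HTML of a checkout page (or a CSP report feed) to surface icons worth a closer look; it is a triage aid, not a complete skimmer detector.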

VMware fixes zero-day vulnerability reported by the NSA

No system is safe and you are lucky if someone informs you nicely.

Excerpt from the article:

VMware has released security updates to address a zero-day vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

The vulnerability is a command injection bug tracked as CVE-2020-4006.

Credits

Cover photo by Jazmin Quaynor on Unsplash.


That's it for this week, I'll see you next Friday.
