Security news weekly round-up - 5th June 2020

Habdul Hazeez - Jun 5 '20 - Dev Community

Cover photo by Jazmin Quaynor on Unsplash.

Introduction

Welcome to the weekly round-up of security news from around the Web. I hope your week was fine.

This week it is mostly about bugs and vulnerabilities.


Hackers tried to steal database logins from 1.3M WordPress sites

WordPress is arguably the largest blogging platform on the Web, so a credential-harvesting campaign at this scale is not good news. The configuration file in question is wp-config.php, which holds the site's database name, user and password, so a successful download hands the attacker the whole database.

Excerpt from the article:

"Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files," Wordfence QA engineer and threat analyst Ram Gall said.
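The attacks described above work by tricking the web server into returning wp-config.php, often through a path-traversal parameter in a vulnerable plugin or theme. The following is an added example (not from the article or from Wordfence) of the detection logic a site owner could run over their own access logs: it percent-decodes each request target until it is stable (attackers routinely double-encode), flags any request that references wp-config.php, and counts attempts per source address. The log lines are constructed samples in combined log format; the IP addresses are documentation ranges, not real attackers.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
# wp-config.php is the WordPress configuration file holding DB_NAME, DB_USER
# and DB_PASSWORD; it is never legitimately requested over HTTP.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.9 - - [30/May/2020:10:01:05 +0000] "GET /index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.7 - - [30/May/2020:10:01:09 +0000] "GET /?f=%252e%252e%252fwp-config%252ephp HTTP/1.1" 404 212 "-" "Mozilla/5.0"
192.0.2.4 - - [30/May/2020:10:02:00 +0000] "GET /2020/05/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.4 - - [30/May/2020:10:02:01 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: we only need client IP, timestamp, target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalize_target(target: str) -> str:
    """Percent-decode until the string stops changing (max 3 rounds), then lowercase."""
    cur = target
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def classify(target: str):
    """Return indicators if the request target references wp-config.php, else None."""
    norm = normalize_target(target)
    if "wp-config.php" not in norm:
        return None
    return {
        "normalized": norm,
        "traversal": bool(TRAVERSAL_RE.search(norm)),
        # True when a second decoding round changed the string (double encoding).
        "double_encoded": unquote(target) != unquote(unquote(target)),
    }


def find_harvest_attempts(log_text: str) -> list:
    """Scan log lines and return one record per suspected wp-config.php download."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify(m.group("target"))
        if indicators:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), **indicators})
    return hits


def attempts_by_ip(hits) -> Counter:
    """Count suspected attempts per client address, e.g. for blocklisting."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_harvest_attempts(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(attempts_by_ip(found))
```

A hit with status 200 and a non-trivial response size (the first sample line) is the one to treat as a confirmed leak: rotate the database password in wp-config.php and check the database for injected admin users. The 403 and 404 hits show the attempt was made but blocked, which is still worth a block rule for that address.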

Wallpaper image crashing Android phones

It's a bug affecting Android users, especially those on Samsung devices.

Excerpt from the article:

The fault does not appear to have been maliciously created. Rather, according to developers following Ice Universe's Twitter thread, the problem lies in the way color space is handled by the Android OS.

The image was created using the RGB color space to display image hues, while Android 10 uses the sRGB color space protocol, according to 9to5Google contributor Dylan Roussel. When the Android phone cannot properly convert the Adobe RGB image, it crashes.

Attempts to fix the problem by restarting the phone in Safe Mode and holding the volume button on start-up did not succeed.

Do not set the image from the linked post as your wallpaper.

Two Critical Flaws in Zoom Could've Let Attackers Hack Systems via Chat

Zoom is a video conferencing application that became popular during the 2020 coronavirus pandemic. It came under serious scrutiny from the information security community because of design decisions that did not take security seriously, and this appears to be another example.

Excerpt from the article:

Both flaws in question are path traversal vulnerabilities that can be exploited to write or plant arbitrary files on the systems running vulnerable versions of the video conferencing software to execute malicious code.
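A path-traversal write of this kind comes down to one missing check: the file name received from the other party is joined onto a download directory without verifying that the result still lands inside it. The following is an added example, not Zoom's code, using a hypothetical attachment-saving routine: the vulnerable version trusts the name, the hardened version resolves the full path (following ".." and symlinks) and only accepts a flat file name whose parent is exactly the download directory. Paths are generic; the real bugs were on Windows, where an absolute or drive-relative name is an additional escape route that the same check catches.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical attachment-saving code (added example, not Zoom's own code).
# "name" is the attacker-controlled file name carried inside a chat message.


def save_attachment_vulnerable(base_dir: str, name: str, data: bytes) -> str:
    """Joins the untrusted name onto base_dir with no validation: a name such as
    "../../escaped.txt" or an absolute path writes wherever the attacker chooses."""
    path = os.path.join(base_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def is_safe_attachment_name(base_dir: str, name: str) -> bool:
    """Accept only a flat file name that, after resolving the full path
    (".." segments and symlinks included), sits directly inside base_dir."""
    try:
        base = Path(base_dir).resolve()
        candidate = (base / name).resolve()
    except (ValueError, OSError):  # e.g. embedded NUL byte in the name
        return False
    # parent check blocks traversal and absolute paths; name check blocks
    # subdirectories, trailing separators and "." / ".." on their own.
    return candidate.parent == base and candidate.name == name


def save_attachment_hardened(base_dir: str, name: str, data: bytes) -> str:
    """Same operation, but refuses any name that would leave base_dir."""
    if not is_safe_attachment_name(base_dir, name):
        raise ValueError("rejected attachment name: %r" % name)
    path = Path(base_dir).resolve() / name
    with open(path, "wb") as fh:
        fh.write(data)
    return str(path)


def demo() -> dict:
    """Run both versions in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "chat_downloads")
        os.mkdir(base)
        save_attachment_vulnerable(base, "../escaped.txt", b"pwned")
        blocked = False
        try:
            save_attachment_hardened(base, "../escaped2.txt", b"pwned")
        except ValueError:
            blocked = True
        saved = save_attachment_hardened(base, "meme.gif", b"GIF89a")
        return {
            # the vulnerable call wrote one level above the download directory
            "vulnerable_escaped": os.path.exists(os.path.join(tmp, "escaped.txt")),
            "hardened_blocked": blocked,
            "hardened_saved_inside": os.path.dirname(saved) == str(Path(base).resolve()),
        }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately stricter than "starts with base_dir": a string-prefix comparison would accept "chat_downloads_evil/x" as being under "chat_downloads", and would not notice a symlink planted inside the download directory that points elsewhere. Resolving both paths and comparing the parent component avoids both mistakes.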

Critical 'Sign in with Apple' Bug Could Have Let Attackers Hijack Anyone's Account

The title says it all.

Excerpt from the article:

The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users' accounts on third-party services and apps that have been registered using 'Sign in with Apple' option.

Cisco Patches Dozen Vulnerabilities in Industrial Routers

Excerpt from the article:

A dozen vulnerabilities appear to impact the company’s industrial products. One of the security bugs rated critical is CVE-2020-3205, which allows an unauthenticated attacker with network access to execute arbitrary shell commands on the virtual device server of affected devices.

VMware flaw allows takeover of multiple private clouds

VMware is a producer of virtualization software, and the flaw affects one of its products, VMware Cloud Director.

The vulnerability was a code injection flaw, now identified as CVE-2020-3956. The researchers developed a proof-of-concept that used the web-based interface or the platform’s Application Programming Interface (API) capable of taking over multiple private clouds on any vulnerable provider.

Firefox fixes cryptographic data leakage in the latest security update

In my opinion, the Firefox browser needs no introduction. If you are reading this at the time of publication, please update your browser.

Excerpt from the article:

Those fixes are denoted CVE-2020-12410 and CVE-2020-12411 respectively, and cover various memory management problems that were found by Mozilla itself as part of its internal bug hunting process.


That's it for this week, I'll see you next Friday.
