Security news weekly round-up - 5th March 2021

Habdul Hazeez - Mar 5 '21 - Dev Community

One thing led to another, and we did not publish any weekly round-up for the past three weeks. My sincere apologies.

Introduction

This week it's mostly about bugs.


New browser-tracking hack works even when you flush caches or go incognito

Common advice for preventing browser tracking is to clear your cache or browser cookies. Based on this research, that might not work.

Excerpt from the article:

The technique leverages the use of favicons, the tiny icons that websites display in users’ browser tabs and bookmark lists. Researchers from the University of Illinois, Chicago said in a new paper that most browsers cache the images in a location that’s separate from the ones used to store site data, browsing history, and cookies.

Microsoft issues emergency patches for 4 exploited 0-days in Exchange

The title says it all.

Excerpt from the article:

The software maker said hackers working on behalf of the Chinese government have been using the previously unknown exploits to hack on-premises Exchange Server software that is fully patched.

Google Patches Critical Remote Code Execution Vulnerability in Android

The patch was among a series of patches for 37 vulnerabilities.

Excerpt from the article:

Tracked as CVE-2021-0397 and affecting Android 8.1, 9, 10, and 11 releases, the security issue could allow an attacker to execute code remotely on a vulnerable device.

Malicious NPM packages target Amazon, Slack with new dependency attacks

NPM stands for Node Package Manager. It is a dominant package manager that developers use to share software called packages. These packages aim to speed up the developer workflow, but in this case, they are malicious.

Excerpt from the article:

Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using a new 'Dependency Confusion' vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers.

This flaw works by attackers creating packages utilizing the same names as a company's internal repositories or components.

This "dependency confusion" would allow an attacker to inject their own malicious code into an internal application in a supply-chain attack.
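A defender-side check for the name collision described in the excerpt, added here as an example (it is not code from the quoted article or from this round-up). It assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3; the package names and the internal registry host `npm.internal.example` are constructed.

```javascript
// Audit a package-lock.json "packages" map for internal package names that
// were resolved from a registry other than the organisation's own.
// All package names and hosts here are constructed for illustration.
function packageNameFromLockPath(lockPath) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function findConfusedDependencies(lock, internalNames, internalHost) {
  const internal = new Set(internalNames);
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockPath(lockPath);
    // entry.link marks a local workspace symlink: nothing was downloaded
    if (!name || !internal.has(name) || entry.link) continue;
    let host = null;
    try {
      host = new URL(entry.resolved).host;
    } catch (_) {
      // missing or non-URL "resolved": report it rather than trust it
    }
    if (host !== internalHost) {
      findings.push({ name, version: entry.version, resolvedHost: host });
    }
  }
  return findings;
}

// Constructed sample lockfile: one internal name pulled from the public registry
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
    'node_modules/acme-billing-utils': { version: '99.0.0',
      resolved: 'https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-99.0.0.tgz' },
    'node_modules/@acme/auth': { version: '2.3.1',
      resolved: 'https://npm.internal.example/@acme/auth/-/auth-2.3.1.tgz' },
  },
};

const findings = findConfusedDependencies(
  sampleLock, ['acme-billing-utils', '@acme/auth'], 'npm.internal.example');
console.log(findings);
```

Run against a real lockfile in CI, a non-empty result means an internal name was satisfied by a registry the organisation does not control.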

New Chrome 0-day Bug Under Active Attacks – Update Your Browser ASAP!

Do what the article title says.

Excerpt from the article:

Tracked as CVE-2021-21166, the security flaw is one of the two bugs reported last month by Alison Huffman of Microsoft Browser Vulnerability Research on February 11.

A separate object lifecycle flaw, also identified in the audio component, was reported to Google on February 4, the same day the stable version of Chrome 88 became available.

New 'unc0ver' Tool Can Jailbreak All iPhone Models Running iOS 11.0 - 14.3

unc0ver is a popular jailbreaking tool for Apple iPhones. Its newest version can jailbreak iOS 11.0 to 14.3.

Excerpt from the article:

The latest version according to its lead developer Pwn20wnd, expanding its compatibility to jailbreak any device running iOS 11.0 through iOS 14.3 using a kernel vulnerability, including iOS 12.4.9-12.5.1, 13.5.1-13.7, and 14.0-14.3.

Tracked as CVE-2021-1782, the flaw is a privilege escalation vulnerability in the kernel stemming from a race condition that could cause a malicious application to elevate its privileges.

Hackers Now Hiding ObliqueRAT Payload in Images to Evade Detection

The title says it all.

Excerpt from the article:

First documented in February 2020, the malware has been linked to a threat actor tracked as Transparent Tribe (aka Operation C-Major, Mythic Leopard, or APT36), a highly prolific group allegedly of Pakistani origin known for its attacks against human rights activists in the country as well as military and government personnel in India.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week. I'll see you next Friday.