Microsoft Issues Emergency Patch For Under-Attack IE Zero Day

Microsoft today issued an out-of-band security update to patch a critical zero-day vulnerability in the Internet Explorer (IE) web browser that attackers are already exploiting in the wild to hack into Windows computers.

Discovered by security researcher Clement Lecigne of Google’s Threat Analysis Group, the vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in the IE browser’s scripting engine.

According to the advisory, an unspecified memory corruption vulnerability resides in the JScript scripting engine component of Microsoft Internet Explorer, which handles execution of scripting languages.

If exploited successfully, the vulnerability could allow attackers to execute arbitrary code in the context of the current user.

images from Hacker News

Fake Bomb Threat Emails Demanding Bitcoins Sparked Chaos Across US, Canada

“Pay $20,000 worth of bitcoin, or a bomb will detonate in your building”

A massive number of businesses, schools, government offices and individuals across the US, New Zealand and Canada on Thursday received bomb threats via emails that caused nationwide chaos, forcing widespread evacuations and police response.

The bomb threat emails were apparently sent by spammers, telling recipients that someone had planted bombs within their building that would be detonated unless a bitcoin payment of $20,000 was made by the end of the business day.

“I write to inform you that my man has carried the bomb (Tetryl) into the building where your business is located,” one of the emails posted to social media read.

“It was assembled according to my instructions. It can be hidden anywhere because of its small size, it cannot damage the supporting building structures, but there will be many victims in case of its explosion.”

“You must pay me by the end of the working day, and if you are late with the transaction the bomb will explode.”

“This is just a business, if I do not see the bitcoins and a bomb detonates, other companies will transfer me more money, because it isn’t a single case,” the message continued.

However, the threats appeared to be a hoax ransom ploy for bitcoin payment; numerous law enforcement departments issued alerts notifying citizens after no actual explosives were found.

New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps

Facebook’s latest screw-up: a programming bug in the Facebook website accidentally gave 1,500 third-party apps access to the unposted Facebook photos of as many as 6.8 million users.

Facebook today quietly announced that it discovered a new API bug in its photo-sharing system that let 876 developers access users’ private photos which they never shared on their timeline, including images uploaded to Marketplace or Facebook Stories.

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories,” Facebook said.

What’s worse? The bug even exposed photos that people uploaded to Facebook but chose not to post, or didn’t finish posting for some reason.

The flaw left users’ private data exposed for 12 days, between September 13th and September 25th, until Facebook discovered and fixed the security blunder on September 25th.

“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorised to access their photos,” Facebook said.

Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers

Cybersecurity researchers have discovered a critical vulnerability in the widely used SQLite database software that exposes billions of deployments to hackers.

Dubbed ‘Magellan’ by Tencent’s Blade security team, the newly discovered SQLite flaw could allow remote attackers to execute arbitrary or malicious code on affected devices, leak program memory or crash applications.

SQLite is a lightweight, widely used disk-based relational database management system that requires minimal support from operating systems or external libraries, and is hence compatible with almost every device, platform, and programming language.

SQLite is the most widely deployed database engine in the world today, used by millions of applications with literally billions of deployments, including IoT devices and macOS and Windows apps such as major web browsers, Adobe software, Skype and more.

Since Chromium-based web browsers (including Google Chrome, Opera, Vivaldi, and Brave) also support SQLite through the deprecated Web SQL database API, a remote attacker can easily target users of affected browsers just by convincing them to visit a specially crafted web page.

New Malware Takes Commands From Memes Posted On Twitter

Security researchers have discovered yet another example of how cybercriminals disguise their malware activities as regular traffic by using legitimate cloud-based services.

Trend Micro researchers have uncovered a new piece of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers.

Most malware relies on communication with its command-and-control server to receive instructions from attackers and perform various tasks on infected computers.

Since security tools keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly using legitimate websites and servers as infrastructure in their attacks to make the malicious software more difficult to detect.

In the recently spotted malicious scheme, which according to the researchers is in its early stage, the hackers use steganography (a technique of hiding content within a digital graphic image in such a way that it is invisible to an observer) to hide the malicious commands embedded in a meme posted on Twitter, which the malware then parses and executes.

Although the internet meme looks like a normal image to human eyes, the command “/print” is hidden in the file’s metadata, which then prompts the malware to send a screenshot of the infected computer to a remote command-and-control server.
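
A defender-side check for the metadata trick described above, as an added example that is not from the article or from Trend Micro: it walks the metadata segments of a JPEG and flags slash-prefixed command tokens such as "/print". That the carrier is a JPEG comment or APPn segment, the command pattern, and the sample files are all assumptions constructed for illustration.

```python
import re
import struct

# Assumption: a command is a slash plus a short lowercase word, like the
# article's "/print"; the lookarounds skip URLs and file paths.
COMMAND_RE = re.compile(rb"(?<![\w/.:])/[a-z]{3,12}(?![\w/.])")

def jpeg_metadata_segments(data):
    """Yield (marker, payload) for each COM/APPn segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):       # EOI or start of scan: metadata ends
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers with no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length out of bounds")
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_hidden_commands(data):
    """Return (marker, token) pairs for command-like text in metadata segments."""
    return [(hex(marker), m.group().decode("ascii"))
            for marker, payload in jpeg_metadata_segments(data)
            for m in COMMAND_RE.finditer(payload)]

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample files (not real images): JFIF header, one comment, empty scan.
JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
TAIL = b"\xff\xda\x00\x02" + b"\xff\xd9"
CLEAN = b"\xff\xd8" + JFIF + _segment(0xFE, b"Created with GIMP") + TAIL
SUSPECT = b"\xff\xd8" + JFIF + _segment(0xFE, b"lol /print") + TAIL

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, find_hidden_commands(blob))
```

A hit is a triage signal rather than proof of compromise, since legitimate comments can contain similar text; the check is most useful on images fetched by processes that have no reason to download them.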
