Latest iOS 12.2 Update Patches Some Serious Security Vulnerabilities

Apple on Monday released iOS 12.2 to patch a total of 51 security vulnerabilities in its mobile operating system that affect iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

A majority of the vulnerabilities Apple patched this month reside in its web rendering engine WebKit, which is used by many apps and web browsers running on Apple’s operating system.

According to the advisory, just opening maliciously crafted web content using any vulnerable WebKit-based application could allow remote attackers to execute arbitrary code, disclose sensitive user information, bypass sandbox restrictions, or launch universal cross-site scripting attacks on the device.

The WebKit vulnerabilities include a consistency issue (CVE-2019-6222) that allows malicious websites to potentially access an iOS device’s microphone without the “microphone-in-use” indicator being shown.

A similar vulnerability (CVE-2019-8566) has been patched in Apple’s ReplayKit API that could allow a malicious application to access the iOS device’s microphone without alerting the user.

“An API issue existed in the handling of microphone data. This issue was addressed with improved validation,” Apple says in its advisory, describing the ReplayKit bug.

Apple has also patched a serious logical bug (CVE-2019-8503) in WebKit that could have allowed malicious websites to execute scripts in the context of another site, allowing them to steal your information stored on other sites or launch a wide range of online attacks.

Besides WebKit issues, the advisory also revealed the existence of a critical flaw in earlier iOS versions that could lead to arbitrary code execution just by tricking victims into clicking a malicious SMS link.

images from Hacker News

Warning: ASUS Software Update Server Hacked to Distribute Malware

Remember the CCleaner hack?

The CCleaner hack was one of the largest supply chain attacks; it infected more than 2.3 million users with a backdoored version of the software in September 2017.

Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS.

A group of state-sponsored hackers managed to hijack the ASUS Live automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide.

According to cybersecurity researchers from Russian firm Kaspersky Lab, who discovered the attack and dubbed it Operation ShadowHammer, ASUS was informed about the ongoing supply chain attack on Jan 31, 2019.

Medtronic’s Implantable Defibrillators Vulnerable to Life-Threatening Hacks

The U.S. Department of Homeland Security on Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting the lives of millions of patients at risk.

A cardioverter defibrillator is a small device, surgically implanted in a patient’s chest, that gives the patient’s heart an electric shock (often called a countershock) to re-establish a normal heartbeat.

While the device has been designed to prevent sudden death, several implanted cardiac defibrillators made by Medtronic, one of the world’s largest medical device companies, have been found to contain two serious vulnerabilities.

Discovered by researchers from security firm Clever Security, the vulnerabilities could allow threat actors with knowledge of medical devices to intercept and potentially impact the functionality of these life-saving devices.

“Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,” warns the advisory released by DHS.

The vulnerabilities reside in the Conexus Radio Frequency Telemetry Protocol, a wireless communication system used by some Medtronic defibrillators and their control units to connect to implanted devices over the air using radio waves.

Flaw 1: Lack of Authentication in Medtronic’s Implantable Defibrillators

According to an advisory [PDF] published by Medtronic, these flaws affect more than 20 products, 16 of which are implantable defibrillators; the rest are the defibrillators’ bedside monitors and programmers.

The more critical flaw of the two is CVE-2019-6538, which occurs because the Conexus telemetry protocol does not include any checks for data tampering, nor does it perform any form of authentication or authorization.

Microsoft Announces Windows Defender ATP Antivirus for Mac

Brace yourself, guys.

Microsoft is going to release its Windows Defender ATP antivirus software for Mac computers.

Sounds crazy, right? But it’s true.

Microsoft on Thursday announced that the company is bringing its anti-malware software to Apple’s macOS operating system as well, and soon to more platforms, like Linux.

As a result, the technology giant renamed its Windows Defender Advanced Threat Protection (ATP) to Microsoft Defender Advanced Threat Protection (ATP) in an attempt to minimise name confusion and reflect the cross-platform nature of the software suite.

But wait, does your MacBook need antivirus protection? Of course!

For all those wondering if Mac even gets viruses—macOS is generally more secure than Windows, but in recent years cybercriminals have started paying attention to the Mac platform, making it a new target for viruses, Trojans, spyware, adware, ransomware, backdoors, and other nefarious applications.

Moreover, hackers have been successful many times. Remember the dangerous FruitFly malware that infected thousands of Mac computers, the recently discovered cryptocurrency-stealing malware CookieMiner and DarthMiner, and .EXE malware discovered last month?

Microsoft Defender ATP Antivirus for Mac

Microsoft has now come up with a dedicated Defender ATP client for Mac, offering full anti-virus and threat protection with the ability to perform full, quick, and custom scans, giving macOS users “next-generation protection and endpoint detection and response coverage” like its Windows counterpart.

“We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralised “single pane of glass” experience,” Microsoft says in a blog post.

Microsoft also promised to add Endpoint Detection and Response, and Defender ATP’s new Threat and Vulnerability Management (TVM) capabilities in public preview next month.

Facebook Mistakenly Stored Millions of Users’ Passwords in Plaintext

Holy moly, Facebook is again at the centre of a new privacy controversy after revealing today that its platform mistakenly kept a copy of passwords for “hundreds of millions” of users in plaintext.

What’s more? Not just Facebook users; Instagram users are also affected by the latest security incident.

So, if you are one of the affected users, your Facebook or Instagram password was readable to some of the Facebook engineers who have internal access to the servers and the database.

Though the social media company did not mention exactly what component or application on its website had the programmatic error that caused the issue, it did reveal that the company discovered the security blunder in January this year during a routine security check.

In a blog post published today, Facebook’s vice president of engineering Pedro Canahuati said an internal investigation of the incident found no evidence of any Facebook employee abusing those passwords.

“To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati said.

Canahuati didn’t mention the exact number of users affected by the glitch, but confirmed that the company would start notifying its “hundreds of millions of affected Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”

Facebook has now fixed this issue and recommended that users change their Facebook and Instagram passwords immediately.
