
      Critical Windows code-execution vulnerability went undetected until now

      news.movim.eu / ArsTechnica · Monday, 19 December, 2022 - 18:46


    Researchers recently discovered a Windows code-execution vulnerability that has the potential to rival EternalBlue, the name of a different Windows security flaw used to detonate WannaCry, the ransomware that shut down computer networks across the world in 2017.

    Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required.

    But unlike EternalBlue, which could be exploited when using only the SMB, or server message block, a protocol for file and printer sharing and similar network activities, this latest vulnerability is present in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.


      OpenSSL 3 patch, once Heartbleed-level “critical,” arrives as a lesser “high”

      news.movim.eu / ArsTechnica · Tuesday, 1 November, 2022 - 18:05

    The fallout of an OpenSSL vulnerability, initially listed as "critical," should be much less severe than that of the last critical OpenSSL bug, Heartbleed.


    An OpenSSL vulnerability once signaled as the first critical-level patch since the Internet-reshaping Heartbleed bug has just been patched. It ultimately arrived as a "high" security fix for a buffer overflow, one that affects all OpenSSL 3.x installations, but is unlikely to lead to remote code execution.

    OpenSSL version 3.0.7 was announced last week as a critical security fix release. The specific vulnerabilities (now CVE-2022-37786 and CVE-2022-3602) had been largely unknown until today, but analysts and businesses in the web security field hinted there could be notable problems and maintenance pain. Some Linux distributions, including Fedora, held up releases until the patch was available. Distribution giant Akamai noted before the patch that half of their monitored networks had at least one machine with a vulnerable OpenSSL 3.x instance, and among those networks, between 0.2 and 33 percent of machines were vulnerable.

    But the specific vulnerabilities—limited-circumstance, client-side overflows that are mitigated by the stack layout on most modern platforms—are now patched, and rated as "High." And with OpenSSL 1.1.1 still in its long-term support phase, OpenSSL 3.x is not nearly as widespread.


      Microsoft finds TikTok vulnerability that allowed one-click account compromises

      news.movim.eu / ArsTechnica · Thursday, 1 September, 2022 - 00:15


    Microsoft said on Wednesday that it recently identified a vulnerability in TikTok's Android app that could allow attackers to hijack accounts when users did nothing more than click on a single errant link. The software maker said it notified TikTok of the vulnerability in February and that the China-based social media company has since fixed the flaw, which is tracked as CVE-2022-28799.

    The vulnerability resided in how the app verified what's known as deeplinks, which are Android-specific hyperlinks for accessing individual components within a mobile app. Deeplinks must be declared in an app's manifest for use outside of the app so, for example, someone who clicks on a TikTok link in a browser has the content automatically opened in the TikTok app.

    An app can also cryptographically declare the validity of a URL domain. TikTok on Android, for instance, declares the domain m.tiktok.com. Normally, the TikTok app will allow content from tiktok.com to be loaded into its WebView component but forbid WebView from loading content from other domains.


      Cryptographic Agility and Superior Alternatives

      pubsub.slavino.sk / dholecrypto · Saturday, 20 August, 2022 - 21:50

    Cryptographic agility is a vaguely defined property, but is commonly understood to mean, “Able to quickly swap between cryptographic primitives in response to new attacks.” Wikipedia defines cryptographic agility as: Cryptographic agility is a practice paradigm in designing information security protocols and standards in a way so that they can support multiple cryptographic primitives and […]

    Tags: #Network, #JWT, #Vulnerability, #cryptography, #Cryptography


      Zoom patches critical vulnerability again after prior fix was bypassed

      news.movim.eu / ArsTechnica · Thursday, 18 August, 2022 - 16:39

    A critical vulnerability in Zoom for MacOS, patched once last weekend, could still be bypassed as of Wednesday. Users should update again.


    It's time for Zoom users on Mac to update—again.

    After Zoom patched a vulnerability in its Mac auto-update utility that could give malicious actors root access earlier this week, the video conferencing software company issued another patch Wednesday, noting that the prior fix could be bypassed.

    Zoom users on macOS should download and run version 5.11.6 (9890), released August 17. You can also check Zoom's menu bar for updates. Waiting for an automatic update could leave you waiting days while this exploit is publicly known.


      Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too

      news.movim.eu / ArsTechnica · Thursday, 21 July, 2022 - 20:37


    A secretive seller of cyberattack software recently exploited a previously unknown Chrome vulnerability and two other zero-days in campaigns that covertly infected journalists and other targets with sophisticated spyware, security researchers said.

    CVE-2022-2294, as the vulnerability is tracked, stems from memory corruption flaws in Web Real-Time Communications, an open source project that provides JavaScript programming interfaces to enable real-time voice, text, and video communications capabilities between web browsers and devices. Google patched the flaw on July 4 after researchers from security firm Avast privately notified the company it was being exploited in watering hole attacks, which infect targeted websites with malware in hopes of then infecting frequent users. Microsoft and Apple have since patched the same WebRTC flaw in their Edge and Safari browsers, respectively.

    Avast said on Thursday that it uncovered multiple attack campaigns, each delivering the exploit in its own way to Chrome users in Lebanon, Turkey, Yemen, and Palestine. The watering hole sites were highly selective in choosing which visitors to infect. Once the watering hole sites successfully exploited the vulnerability, they used their access to install DevilsTongue, the name Microsoft gave last year to advanced malware sold by an Israel-based company named Candiru.


      High-impact UEFI vulnerabilities discovered (again) in over a hundred models of Lenovo consumer laptops

      GadgeteerZA · news.movim.eu / gadgeteerza-tech-blog · Wednesday, 4 May, 2022 - 15:21

    Yes, two of the drivers immediately caught attention by their very unfortunate (but surprisingly honest) names: SecureBackDoor and SecureBackDoorPeim. I also seem to recall Lenovo had a similar issue about 5 or 6 years ago, so not the first time.

    Altogether, the list of affected devices contains more than one hundred different consumer laptop models with millions of users worldwide, from affordable models like Ideapad-3 to more advanced ones like Legion 5 Pro-16ACH6 H or Yoga Slim 9-14ITL05. The full list of affected models with active development support is published in the Lenovo Advisory.

    Bottom line though is, if you have a consumer Lenovo device, you really want to check if there is a firmware update.

    See https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/

    #technology #security #vulnerability #lenovo #backdoor


      Timing Attack on SQL Queries Through Lobste.rs Password Reset

      pubsub.slavino.sk / dholecrypto · Friday, 20 August, 2021 - 15:07

    Just to assuage any panic, let me state this up front. If you’re reading this blog post wondering if your Lobste.rs account is at risk, good news: I didn’t publish it until after the vulnerability was mitigated, so you’re safe. You don’t need to change your passwords or anything. This write-up is purely for education […]

    Tags: #Network, #side-channels, #Vulnerability, #authentication, #cryptography, #databases, #Cryptography, #Cybersecurity, #Lobste.rs, #security