
Habdul Hazeez


Security news weekly round-up - 14th August 2020

Cover photo by Jazmin Quaynor on Unsplash.

Introduction

Welcome to the weekly round-up of security news from around the Web. I hope your week was fine.

This week it's 85.7% about bugs and vulnerabilities.


Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers

Google Chrome is currently, arguably, the most used web browser, so this is serious business.

Excerpt from the article:

If you haven't recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible.

Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy (CSP) rules since Chrome 73.

Citrix fixes critical bugs allowing takeover of XenMobile Servers

The title says it all.

Excerpt from the article:

The company strongly recommends customers to immediately update vulnerable XenMobile Server deployments since attackers will most likely immediately start scanning for vulnerable servers and attempt to exploit them.

"We recommend these upgrades be made immediately," Citrix says. "While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit."

A New vBulletin 0-Day RCE Vulnerability and Exploit Disclosed Publicly

The title says it all.

Excerpt from the article:

vBulletin is a widely used proprietary Internet forum software package based on PHP and MySQL database server that powers over 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums.

In September last year, a separate anonymous security researcher publicly disclosed a then-zero-day RCE vulnerability in vBulletin, identified as CVE-2019-16759, and received a critical severity rating of 9.8, allowing attackers to execute malicious commands on the remote server without requiring any authentication to log into the forum.

Windows, IE11 zero-day vulnerabilities chained in targeted attack

I only have one word for this: Scary.

Excerpt from the article:

The malicious endeavor occurred in May and targeted a South Korean company. Researchers from Kaspersky believe that this may be a DarkHotel operation, a hacker group likely operating in one form or another for more than a decade.

Dubbed “Operation PowerFall,” the attack relied on a remote code execution (RCE) vulnerability in Internet Explorer 11, now tracked as CVE-2020-1380, and a flaw in Windows GDI Print/Print Spooler API allowing privilege escalation, now identified as CVE-2020-0986.

Flaws in Samsung Phones Exposed Android Users to Remote Attacks

Another day, another bug.

Excerpt from the article:

New research disclosed a string of severe security vulnerabilities in the 'Find My Mobile'—an Android app that comes pre-installed on most Samsung smartphones—that could have allowed remote attackers to track victims' real-time location, monitor phone calls, and messages, and even delete data stored on the phone.

Potentially Serious Vulnerability Found in Popular WYSIWYG Editor TinyMCE

If you are using TinyMCE, please update it as soon as possible.

Excerpt from the article:

A potentially serious cross-site scripting (XSS) vulnerability affecting the TinyMCE rich text editor can be exploited — depending on the implementation — for privilege escalation, obtaining information, or account takeover.

Google to Run Experiment in Fight Against URL Spoofing in Chrome

The title says it all.

Excerpt from the article:

In an effort to prevent URL spoofing, web browser vendors have started testing various methods, such as only displaying the registrable part of the domain — or highlighting it in the address bar — rather than displaying the full URL.

Google is also planning on experimenting with such features. Chrome 86, scheduled for release in October, will only show the domain name by default and the full URL when the user hovers over the address. Alternatively, users will be able to right-click on the URL and select the “Always show full URLs” if they don’t like the new feature.


That's it for this week, I'll see you next Friday.
