Security Snacks #18 – Google’s Open Source Vulnerabilities, A US town’s water supply hack & Windows/Chrome security concerns

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Hackers (from both sides) have been busy this past week!

A bug hunter published a clever new attack technique against which you probably want to protect your company… Read on for details about this attack and about criminal hackers’ attempt to poison a US town’s water supply, Google’s promising vulnerability database, and a bundle of software bugs patched or exploited in the wild.

Notable Security News

Zero-days under active exploit are keeping Windows users busy

Microsoft’s February Patch Tuesday fixes 56 vulnerabilities including a privilege escalation bug exploited in the wild to target Windows 10 and Windows Server 2019 users, and three vulnerabilities in the Windows implementation of TCP/IP that make all supported versions of Windows vulnerable to Denial of Service attacks and Remote Code Execution.

Adobe also patched a critical code execution flaw in Adobe Reader that’s been actively exploited.

Hackers try to contaminate Florida town’s water supply through computer breach

Unidentified attackers tampered with a Florida town’s water treatment network and tried to add a dangerous level of chemicals that would have made the water poisonous.

The attempt failed as a staffer was monitoring the computer being hacked. However, the attack highlights weaknesses of water supply facilities and prompted the FBI to warn against using Windows 7, weak passwords and TeamViewer (the combination leveraged for this attack).

Chrome users have faced 3 security concerns over the past 24 hours

Three security issues relevant to Chrome users:

Google patched a critical zero-day vulnerability (heap buffer overflow) in Chrome V8 that had been exploited in the wild. Tenable researchers suspect it to be one of the bugs used to attack security researchers in the ZINC campaign.

A researcher discovered a malicious extension that attackers dropped on compromised systems. It used Chrome’s sync feature to exfiltrate victims’ data. Google considers this a “local attack” and isn’t planning to change their sync feature.

The Great Suspender, a popular extension, was booted from the Chrome Web Store because “This extension contains malware”. Note that users have to uninstall it themselves, as Google only removed it from their store.

Microsoft warns enterprises of new ‘dependency confusion’ attack technique

“Dependency confusion” is a new attack technique published by bug hunter Alex Birsan. It leverages a feature of package managers like npm, RubyGems, PyPI and others, used by developers to build apps inside enterprise environments. If an attacker creates a public library that has the same name as a package used internally, package managers would install the malicious external package instead of the internal one expected by developers. This leads to remote code execution inside the company’s network.

Microsoft’s whitepaper details three ways you can protect your company from this new attack.
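To make the name-collision behaviour described above concrete for pip, here is an added example (not from the original digest or from Microsoft's whitepaper) that audits a pip configuration and a requirements file for settings that leave room for dependency confusion. The feed URL, the `acme-*` package names and the sample file contents are constructed assumptions.

```python
import configparser
import re

# Constructed sample inputs (hypothetical feed URL, package names and hash).
PIP_CONF = """\
[global]
index-url = https://pkgs.example.internal/simple
extra-index-url = https://pypi.org/simple
"""
REQUIREMENTS = """\
requests==2.25.1 --hash=sha256:0000
acme-billing>=1.2
acme-auth==3.0.1
"""
INTERNAL = {"acme-billing", "acme-auth"}  # hypothetical internal package names


def audit(pip_conf, requirements, internal):
    """Return (subject, issue) findings that leave room for dependency confusion."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(pip_conf)
    for section in cfg.sections():
        if cfg.has_option(section, "extra-index-url"):
            # pip gives no priority to the private index: it installs the
            # best-matching version found on any configured index.
            findings.append((f"pip.conf [{section}]", "extra-index-url mixes feeds"))
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("--extra-index-url"):
            findings.append(("requirements", "extra-index-url mixes feeds"))
        if not line or line.startswith("-"):
            continue
        name = re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0].lower()
        if name not in internal:
            continue
        if not re.search(r"==\s*[\w.]+", line):
            findings.append((name, "version not pinned with =="))
        elif "--hash=" not in line:
            findings.append((name, "pinned without --hash integrity check"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(PIP_CONF, REQUIREMENTS, INTERNAL):
        print(f"{subject}: {issue}")
```
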

Google: Our new tool makes open-source security bugs easier to spot

Google launched Open Source Vulnerabilities (OSV), a database of open source vulnerabilities aimed at both open source maintainers and consumers.

OSV doesn’t replace other vulnerability databases like CVE but complements them. It collects vulnerabilities from different sources and provides an API to fetch information on these vulnerabilities and determine if a precise version is vulnerable.
