By Anna Hammond
November 13, 2020
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
Patches, patches and more patches! This sums up the past couple of weeks. Patching remains a challenge for a lot of organizations as confirmed by a new report on the 2020 business threat landscape: 63% of reported unpatched vulnerabilities are more than two years old!
However, patching doesn’t cure all issues. Take video conferencing software for instance. Hackers can guess what people are typing based on their movements! So, how do we protect ourselves from these attacks?
Microsoft November 2020 Patch Tuesday arrives with fix for Windows zero-day
Remember CVE-2020-17087, the Windows kernel zero-day that Google Project Zero disclosed two weeks ago? Attackers were exploiting it in the wild, chained with the Chrome FreeType zero-day (CVE-2020-15999), to escape the browser sandbox and take control of Windows 7 and Windows 10 systems. Microsoft has now released a patch for it along with the rest of this month's fixes: 112 vulnerabilities in total, 17 of them rated critical.
Google patches two more Chrome zero-days
Chrome has patched no fewer than five zero-days in the past three weeks, all of them exploited in the wild. That alone is reason enough to update now, but if you want the technical details, here is a summary:
CVE-2020-15999 is a heap buffer overflow in FreeType, the font rendering library bundled with Chrome, and was exploited in combination with the Windows zero-day mentioned above.
CVE-2020-16009 is an inappropriate-implementation bug in Chrome's V8 JavaScript engine that allows remote code execution.
CVE-2020-16010 is a heap buffer overflow in the Android UI layer and affects only Chrome for Android.
CVE-2020-16013 is another implementation flaw in V8.
CVE-2020-16017 is a use-after-free in Chrome's Site Isolation.
Oracle Rushes Emergency Fix for Critical WebLogic Server Flaw
Oracle released a patch for CVE-2020-14750, an unauthenticated Remote Code Execution in WebLogic Server with a CVSS score of 9.8/10. If this sounds familiar, it is because it is a bypass of the fix for CVE-2020-14882, another WebLogic RCE whose patch turned out to be trivial to get around. I've got the feeling this isn't the last we will hear about these vulnerabilities...
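A patch that blocks one spelling of a malicious request is exactly the kind of fix that gets bypassed. The added example below is not Oracle's code, nor a reproduction of either WebLogic CVE; it contrasts a blocklist-style request filter that decodes a path once against a canonicalising check that decodes until the path stops changing, then looks for traversal segments. The request paths are constructed to illustrate encoding variants of path traversal in general, not claimed to be the actual payloads for CVE-2020-14882 or CVE-2020-14750.

```python
from urllib.parse import unquote

# Constructed sample request paths: one benign, the rest encoding
# variants of a "../" traversal aimed at an admin-only handler.
SAMPLE_PATHS = [
    "/console/css/normal.css",                     # benign
    "/console/css/%2e%2e/console.portal",          # single-encoded ".."
    "/console/css/%252e%252e%252fconsole.portal",  # double-encoded "../"
    "/console/css/%2E%2E/console.portal",          # upper-case hex digits
    "/console/css/..%2fconsole.portal",            # mixed literal/encoded
]


def naive_filter(path: str) -> bool:
    """Blocklist-style check: decode once, look for a literal '..'.

    Returns True if the request would be blocked. A double-encoded
    payload survives one decoding round as '%2e%2e' and slips through.
    """
    return ".." in unquote(path)


def canonicalize(path: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the string is stable (bounded so a
    pathological input cannot loop forever), then normalise backslashes.
    The result is the path the application will actually act on.
    """
    prev, cur, rounds = None, path, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote(cur)
        rounds += 1
    return cur.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """Canonicalise first, then test path *segments* rather than substrings,
    so every encoding of '..' is caught and 'a..b' is not a false positive."""
    return any(seg == ".." for seg in canonicalize(path).split("/"))


def audit(paths=SAMPLE_PATHS):
    """Return (path, blocked_by_naive_filter, flagged_by_canonical_check)."""
    return [(p, naive_filter(p), has_traversal(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, hardened in audit():
        verdict = "MISSED BY NAIVE FILTER" if hardened and not naive else ""
        print(f"{path:48} naive={naive!s:5} canonical={hardened!s:5} {verdict}")
```

The decisive row is the double-encoded one: the naive filter decodes `%252e%252e%252f` to `%2e%2e%2f`, sees no `..`, and passes it on, while the canonicalising check reaches `../` and flags it. Any filter, whether in a patch, a reverse proxy or a WAF rule, has to compare against the same canonical form the backend uses, or it will be bypassed by the next encoding trick.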
BitDefender 2020 – Business Threat Landscape Report
This report has interesting findings on how attacks are shifting in the context of the Coronavirus pandemic and Work From Home. For example, 63.63% of all unpatched vulnerabilities reported during the first half of 2020 involve known vulnerabilities that date from before 2018!
Zoom Snooping: How Body Language Can Spill Your Password
Researchers are able to guess what people in Zoom calls are typing. By watching their arm and shoulder movements, they can infer the keystrokes being typed. Though the accuracy varies with many variables (e.g. the background, what the person is wearing, video noise...), it is worth knowing that such attacks against video conferencing software are possible.
Microsoft Teams Users Under Attack in ‘FakeUpdates’ Malware Campaign
Critical bug actively used to deploy Cobalt Strike on Oracle servers
Hacker group uses Solaris zero-day to breach corporate networks
Suspected Vietnamese cyber-spies targeting dissidents in Germany
Now-patched Ubuntu desktop vulnerability allows privilege escalation
Cisco discloses AnyConnect VPN zero-day, exploit code available
Google to GitHub: Time’s up – this unfixed ‘high-severity’ security bug affects developers
‘Triggerless’ backdoors can infect machine learning models without leaving a trace – research
Windows 7 won’t die, still second most popular operating system
Security AI and automation slashes the cost of data breaches – IBM study
Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition
CERT/CC launches Twitter bot to give security bugs random names
Zoom settles FTC charges for misleading users about security features
Chrome will soon have its own dedicated certificate root store
DOJ says it seized over $1 billion in bitcoin from the Silk Road drugs marketplace
Insider threat: Corrupt Microsoft testing engineer jailed over $10m gift card scam
Congratulations to our new Intigriti 1337 hackers!