Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Click here to subscribe

Patches, patches and more patches! This sums up the past couple of weeks. Patching remains a challenge for a lot of organizations as confirmed by a new report on the 2020 business threat landscape: 63% of reported unpatched vulnerabilities are more than two years old!

However, patching doesn’t cure all issues. Take video conferencing software for instance. Hackers can guess what people are typing based on their movements! So, how do we protect ourselves from these attacks?

Notable Security News

Microsoft November 2020 Patch Tuesday arrives with fix for Windows zero-day

Remember CVE-2020-17087, the Windows zero-day that Google Project Zero disclosed two weeks ago? Cybercriminals were exploiting it in the wild chained with a Chrome zero-day (CVE-2020-16009) to gain remote access to Windows 10 and 7 systems. Microsoft has released a patch to fix this as well as other vulnerabilities – 112 in total and 17 critical.

Google patches two more Chrome zero-days

Chrome patched no less than 5 zero-days in the past three weeks, all being exploited in the wild. That’s all you need to hurry with patching, but if you want more technical details, here’s a summary:

• CVE-2020-15999 affects Chrome’s Freetype font rendering library and was exploited in combination with the Windows zero-day mentioned before.

• CVE-2020-16009 is a Remote Code Execution in Chrome’s V8 JavaScript engine.

• CVE-2020-16010 impacts only Chrome for Android.

• CVE-2020-16013 is an implementation flaw in Chrome V8.

• CVE-2020-16017 is a memory corruption bug in Chrome’s Site Isolation.

Oracle Rushes Emergency Fix for Critical WebLogic Server Flaw

Oracle released a patch for CVE-2020-14750, an unauthenticated Remote Code Execution in WebLogic with a CVSS score of 9.8/10. If this sounds familiar, it is because it is related to CVE-2020-14882, another WebLogic RCE that was easy to bypass. I’ve got the feeling this isn’t the last we will hear about these vulnerabilities…

BitDefender 2020 – Business Threat Landscape Report

This report has interesting findings on how attacks are shifting in the context of the Coronavirus pandemic and Work From Home. For example, 63.63 % of all unpatched vulnerabilities reported during the first half of 2020 involve known vulnerabilities that are older than 2018!

Zoom Snooping: How Body Language Can Spill Your Password

Researchers are able to guess what people in Zoom calls are typing. By looking at their arms and shoulders movements, they can extrapolate the keystrokes being typed. Though the accuracy varies depending on many variables (e.g. the background, what the person is wearing, noise…), it is interesting to be informed that such attacks against video conferencing software are possible.

Other Interesting News

Cybercrime

• Microsoft Teams Users Under Attack in ‘FakeUpdates’ Malware Campaign

• Critical bug actively used to deploy Cobalt Strike on Oracle servers

• Hacker group uses Solaris zero-day to breach corporate networks

• Gitpaste-12 Worm Targets Linux Servers, IoT Devices

• Revamped DLL side-load attack hits Myanmar

• Rackspace Hosted Email Flaw Actively Exploited by Attackers

• Suspected Vietnamese cyber-spies targeting dissidents in Germany

Vulnerabilities

• Apple emits iOS, iPadOS, watchOS, macOS patches to fix three hijack-my-device flaws exploited in the wild

• Now-patched Ubuntu desktop vulnerability allows privilege escalation

• Cisco discloses AnyConnect VPN zero-day, exploit code available

• Google to GitHub: Time’s up – this unfixed ‘high-severity’ security bug affects developers

• ‘Triggerless’ backdoors can infect machine learning models without leaving a trace – research

Reports

• Windows 7 won’t die, still second most popular operating system

• Security AI and automation slashes the cost of data breaches – IBM study

Responsible disclosure

• Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition

• CERT/CC launches Twitter bot to give security bugs random names

• PHP removed from Internet Bug Bounty program – but scripting language custodians were ‘never involved’ from the outset

• Vulcan frees up its huge database of IT vulnerability fixes

Tech

• Zoom settles FTC charges for misleading users about security features

• ‘Your connection is not private’ – One in three Android devices set to block Let’s Encrypt-certified websites in 2021

• ENISA Guidelines for Securing the Internet of Things

• Chrome will soon have its own dedicated certificate root store

• Google to launch VPN inside cloud storage app

Misc.

• Why, yes, you can register an XSS attack as a UK company name. How do we know that? Someone actually did it

• Alleged source code of Cobalt Strike toolkit shared online

• GitHub denies getting hacked

• DOJ says it seized over $1 billion in bitcoin from the Silk Road drugs marketplace

• Insider threat: Corrupt Microsoft testing engineer jailed over $10m gift card scam

Intigriti News

Congratulations to our new Intigriti 1337 hackers!