
Apple released iOS 12.4.1 today to fix a security flaw reintroduced with the release of iOS 12.4 and used by security researcher Pwn20wnd to develop and release a jailbreak tool for up-to-date iOS devices. The vulnerability patched today by Apple is a use after free tracked as CVE-2019-8605, targeted by the Sock Puppet exploit that was used to create jailbreak tools for iOS devices. The flaw was discovered by Google Project Zero's Ned Williamson, was previously patched by Apple with the iOS 12.3 release from May 13, and has now been re-patched in iOS 12.4.1. As Apple's support document describing the security content of iOS 12.4.1 says, the flaw could have been abused by malicious applications which then could have been "able to execute arbitrary code with system privileges." Apple addressed the use after free issue with improved memory management, blocking maliciously crafted apps from accessing pointers that have already been freed. Apple acknowledged Google Project Zero's Ned Williamson's contribution in finding and fixing this security issue and provided additional recognition for Pwn20wnd's assistance. Besides allowing jailbreak developers to add support for Apple's latest iOS versions, the flaw fixed today by Apple is also a critical vulnerability that can open the doors to attackers targeting the company's large iOS user base. Follow this on OUR FORUM.

Microsoft introduced a new compatibility hold to block users of Zebra XSLATE B10 rugged tablets from installing or updating to Windows 10, version 1903 or Windows 10, version 1809. Redmond was prompted to add this new Windows 10 update block by multiple reports received from XSLATE B10 tablet users stating that the "touch may stop working on the devices after restarting the device." "To safeguard your update experience, we have applied a compatibility hold on these devices from installing or being offered Windows 10, version 1903 or Windows 10, version 1809," says Microsoft. "Upon rebooting the device (warm boot), the issue causes users to lose touch access," states Zebra on its support site. "This issue is currently under investigation by Microsoft. Additional information will be provided on this page as it is received." Redmond's developers are currently working on a resolution for this issue, which will be provided to Zebra users with an upcoming release. Until a resolution for these compatibility issues is offered in a future Windows 10 update, Microsoft advises all users to "not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved." Microsoft is still blocking some Windows devices with compatibility issues from receiving the May 2019 Feature Update, in an attempt to prevent users of incompatible computers from experiencing degraded performance after upgrading. Since May 29, Microsoft has resolved the issues behind seven Windows 10 v1903 update blocks, with three of them having been removed in a single day, on July 12. More complete details are posted on OUR FORUM.

Mastercard disclosed a data breach to the German and Belgian Data Protection Authorities (DPA) involving customer data from the company's Priceless Specials loyalty program. The data was made available on the Internet, with customers' names, payment card numbers, email addresses, home addresses, phone numbers, gender, and dates of birth being included in the leaked info. Mastercard says that "the incident is limited to the Specials program" and that the only payment card information leaked was the card numbers themselves. After the data leak was discovered, Mastercard suspended the German Priceless Specials program and took down its website, leaving up only a message saying that "This issue has no connection to MasterCard's payment network." "We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities," says David Stevens, Chairman of the Belgian Data Protection Authority. The breach was discovered after the loyalty program data was released on the Internet on August 19, says Mastercard. "Thereafter, we acted promptly to remove the published personal information and to protect the interests of the affected users," adds the company. "On August 21, 2019, we became aware that a second file of personal information was published on the Internet. We are working to remove them as well." Heise Media reported that it saw the Excel spreadsheets, containing lists of roughly 90,000 and 84,000 rows, that were distributed on the internet after Mastercard's Priceless Specials loyalty program was breached. Follow this thread on OUR FORUM.

The Internal Revenue Service (IRS) issued today a warning to alert taxpayers and tax professionals of an active IRS impersonation scam campaign sending spam emails to deliver malicious payloads. This warning was issued after the IRS received several reports from taxpayers during this week regarding unsolicited messages with "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder" subjects, coming from scammers impersonating the U.S. revenue service with the help of spoofed email addresses. "The emails have links that show an IRS.gov-like website with details pretending to be about the taxpayer's refund, electronic return or tax account," says IRS' warning. "The emails contain a 'temporary password' or 'one-time password' to 'access' the files to submit the refund. But when taxpayers try to access these, it turns out to be a malicious file." More to the point, after entering the password issued in the spam message, the targets would unintentionally download malware that could allow the malicious actors to either harvest sensitive info or take control of their victims' compromised systems. "The IRS does not send emails about your tax refund or sensitive financial information," stated IRS Commissioner Chuck Rettig. "This latest scheme is yet another reminder that tax scams are a year-round business for thieves. We urge you to be on guard at all times." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urges users and administrators to review the CISA Tip on how to avoid phishing and social engineering attacks. This warning comes after the IRS issued a joint news release with the US tax industry and state tax agencies in late July to remind professional tax preparers that they are required by federal law to have a data security plan in place. Learn more on OUR FORUM.

A vulnerability in the free version of Bitdefender Antivirus could be exploited by an attacker to get SYSTEM-level permissions, reserved for the most privileged account on a Windows machine. Privilege escalation vulnerabilities are used in a later stage of an attack, after the threat actor has already compromised the target host and needs elevated permissions to establish persistence or execute code with the privileges of the most powerful user. Identified as CVE-2019-15295, the vulnerability is due to a lack of verification that loaded binaries are signed and come from a trusted location. Peleg Hadar of SafeBreach Labs says that Bitdefender's security service (vsserv.exe) and the updater service (updatesrv.exe) run as processes with SYSTEM authority. However, they tried to load a missing DLL file ('RestartWatchDog.dll') from various locations in the PATH environment variable. One of the locations is 'c:/python27,' which comes with an access control list (ACL) open to any authenticated user. This makes privilege escalation trivial, because a user with normal permissions could write the missing DLL and have it loaded by Bitdefender's signed processes. Hadar tested the theory with an unsigned DLL that wrote to a text file the name of the process loading it, the name of the user executing it, and the name of the DLL file. His assumption was confirmed, and his 'RestartWatchDog.dll' file was loaded without a hitch. The root of the issue is the ServiceInstance.dll library that attempts to load the missing DLL. SafeBreach disclosed the vulnerability responsibly to Bitdefender on July 17 and on August 14 received validation from the antivirus maker. On Monday, Bitdefender rolled out a patch for its Antivirus Free 2020 product. Users with an internet connection received the update automatically. Get better informed by stopping by OUR FORUM.
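The precondition described above is a directory on the machine-wide PATH that broad principals can write to. The following PowerShell audit is an added example, not code from SafeBreach or Bitdefender; it walks the machine PATH and reports every directory where Everyone, Users or Authenticated Users hold a write-capable right, which is exactly the condition that lets an unprivileged user plant a DLL a SYSTEM service will search for. The list of "broad" principals is an assumption you may extend for your environment.

```powershell
# Added example: find PATH directories writable by low-privilege principals.
# Services running as SYSTEM resolve missing DLLs against the machine PATH,
# so that is the value audited here, not the current user's session PATH.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal create or replace files in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
             [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-WritablePathDirectories {
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $dirs = $machinePath -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs granted to a broad principal are of interest.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -ne 0) {
                [PSCustomObject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Each row is a directory to remove from the machine PATH or to re-ACL so that
# only Administrators and SYSTEM can write to it.
Find-WritablePathDirectories | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read every directory; an empty result means no PATH entry currently grants those principals write access.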

Contractors working for Microsoft have listened to the audio of Xbox users speaking in their homes in order to improve the console's voice command features, Motherboard has learned. The audio was supposed to be captured following a voice command like "Xbox" or "Hey Cortana," but contractors said that recordings were sometimes triggered and recorded by mistake. The news is the latest in a string of revelations that show contractors working on behalf of Microsoft listen to audio captured by several of its products. Motherboard previously reported that human contractors were listening to some Skype calls as well as audio recorded by Cortana, Microsoft's Siri-like virtual assistant. "Xbox commands came up first as a bit of an outlier and then became about half of what we did before becoming most of what we did," one former contractor who worked on behalf of Microsoft told Motherboard. Motherboard granted multiple sources in this story anonymity as they had signed non-disclosure agreements. The former contractor said they worked on Xbox audio data from 2014 to 2015, before Cortana was added to the console in 2016. When it launched in November 2013, the Xbox One had the capability to be controlled via voice commands with the Kinect system. Straight away, some users and commentators were concerned with the idea of Kinect listening to Xbox users, waiting for commands such as "Xbox on." Microsoft said in a statement at the time: "Kinect for Xbox 360 was designed and built with strong privacy protections in place and the new Kinect will continue this commitment." For further details please visit OUR FORUM.
