Insufficient vetting of parameters passed with the
Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user’s computer.
Full security note
For anyone who’s worried that their phone might be hacked to track their location, who they call and when, and other metadata that describes the intimate details of their life, one cyberespionage group has provided a reminder that hackers don’t necessarily even need to reach out to your device to gain that access. It may be far easier and more efficient for sophisticated stalkers to penetrate a mobile provider, and use its data to surveil whichever customers they please.
A report published this week by the NASA Office of Inspector General
reveals that in April 2018 hackers breached the agency’s network and
stole approximately 500 MB of data related to Mars missions.
The point of entry was a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or going through the proper security review.
Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
The New York Times
The United States is stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin and a demonstration of how the Trump administration is using new authorities to deploy cybertools more aggressively, current and former government officials said.
As protests erupted in the streets of Hong Kong this week, over a proposed law that would allow criminal suspects to be extradited to mainland China, the secure messaging app Telegram was hit with a massive DDoS attack. The company tweeted on Wednesday that it was under attack. Then the app’s founder and CEO Pavel Durov followed up and suggested the culprits were Chinese state actors. He tweeted that the IP addresses for the attackers were coming from China.
Not so long ago, companies that cracked personal devices on behalf of governments did so in secret, closely guarding even the descriptions of their capabilities. Now, it seems, they proudly tweet about their updated abilities to hack into new iPhones, like a videogame firm offering an expansion pack.
On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it’s calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3, released just a month ago.
Web-based DNA sequencer applications are under attack from a
mysterious hacker group using a still-unpatched zero-day to take control
of targeted devices.
The attacks have started two days ago, on June 12, and are still going on, according to Ankit Anubhav, a security researcher with NewSky Security, who shared his findings with ZDNet.
Anubhav says the group, which operates from an Iran-based IP address, has been scanning the internet for dnaLIMS, a web-based application installed by companies and research institutes to handle DNA sequencing operations.
The researcher told ZDNet the hacker is exploiting CVE-2017-6526, a vulnerability in dnaLIMS that has not been patched to this day after the vendor was notified back in 2017.
A young Czech bug hunter has found a security flaw in one of Google’s backend apps. If exploited by a malicious threat actor, the bug could have allowed hackers a way to steal Google employee cookies for internal apps and hijack accounts, launch extremely convincing spear-phishing attempts, and potentially gain access to other parts of Google’s internal network.
This attack vector was discovered by security researcher Thomas Orlita in February, this year, and has been patched in mid-April, but only now made public.