March 26, 2020

Apple Safari now blocks all third-party cookies by default

By Lisa Vaas

“The long wait is over,” Apple WebKit engineer John Wilander announced on Tuesday: the latest update to the Safari browser is blocking third-party cookies by default for all users.

Safari 13.1 was released on Tuesday, bringing full cookie blocking and other updates to Apple’s Intelligent Tracking Prevention (ITP) privacy feature. What it means: online advertisers and analytics firms will no longer be able to use our browser cookies to follow us around like bloodhounds as we wander from site to site, tracking and mapping our interests and behavior for whatever profit-motivated, privacy-wrecking purposes they might have.

Is this a big deal? Not really, Wilander said in a post on the WebKit team’s blog, given that previous work has meant that most cookies are already blocked:

It might seem like a bigger change than it is.

But we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.

Safari thus joins other browsers that either plan to or are already blocking third-party tracking cookies by default, including the Tor browser. Mozilla rolled out the privacy enhancement in September 2019, announcing that Firefox would block both tracking cookies and cryptomining by default.

Read more at https://nakedsecurity.sophos.com/2020/03/26/apple-safari-now-blocks-all-third-party-cookies-by-default/

Adobe issues emergency fix for file-munching bug

By Danny Bradbury

Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.

The file-deleting bug, CVE-2020-3808, stems from a time-of-check to time-of-use race condition vulnerability, which happens when two system operations try to access shared data at the same time. That allows an attacker to manipulate files on the victim’s system. The company warned:

Successful exploitation could lead to arbitrary file deletion.

To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.

Creative Cloud is a subscription-based service that lets users access its range of creative software products from Adobe online, and to use some cloud-based services that support them. Users get well-known Adobe titles like Acrobat, After Effects, Dreamweaver, Illustrator, InDesign, and Photoshop. It replaced Creative Suite, which was its perpetual license software.
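To illustrate the class of bug described above, here is an added example that is not Adobe’s code and not taken from the article: the article does not describe the actual CVE-2020-3808 code path, so this is a generic toy in Python showing a time-of-check to time-of-use pattern on a file and its hardened form. The `between` hook is a hypothetical stand-in for the window between check and use, the file names are constructed, and the code assumes a POSIX system (symlinks, `O_NOFOLLOW`).

```python
import os
import stat
import tempfile

# Constructed example (not Adobe's code): a toy routine that reads a file only if
# it is a plain regular file, written first the race-prone "check the path, then
# use the path" way and then the hardened "open once, check the descriptor" way.
# `between` is a hypothetical hook that stands in for the window between check
# and use, where a concurrent process could swap the path out. Assumes POSIX
# (symlinks, O_NOFOLLOW).


def read_check_then_use(path, between=lambda: None):
    """Race-prone (TOCTOU): the check and the use both name the *path*.

    os.lstat() sees one object; open() a moment later may resolve the same
    path to a different one, e.g. a symlink planted in the window."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    between()                       # race window
    with open(path, "rb") as f:     # plain open() follows symlinks
        return f.read()


def read_open_then_check(path, between=lambda: None):
    """Hardened: bind check and use to the same opened object.

    O_NOFOLLOW refuses a symlink at the final path component, and fstat()
    inspects the descriptor actually used, so nothing done to the path after
    open() can redirect the read. (Symlinked parent directories are outside
    what O_NOFOLLOW covers; use dirfd-relative opens for those.)"""
    between()                       # any swap happens before we bind to an fd
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                 # ELOOP: final component is a symlink
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temp dir: 'victim.txt' is the file we intend to
    read; 'other.txt' is one the check never looked at. Returns what each
    variant reads with and without a swap in the window."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim.txt")
        other = os.path.join(d, "other.txt")
        with open(other, "wb") as f:
            f.write(b"other")

        def reset():
            if os.path.lexists(target):
                os.unlink(target)
            with open(target, "wb") as f:
                f.write(b"victim")

        def swap():
            # Simulated concurrent swap: the checked path now points elsewhere.
            os.unlink(target)
            os.symlink(other, target)

        results = {}
        reset()
        results["quiet_racy"] = read_check_then_use(target)
        reset()
        results["quiet_hardened"] = read_open_then_check(target)
        reset()
        results["swapped_racy"] = read_check_then_use(target, between=swap)
        reset()
        results["swapped_hardened"] = read_open_then_check(target, between=swap)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} -> {value!r}")
```

The point to take from the demo is that the race-prone version happily reads `other.txt` once the path is swapped, because its check and its use are two separate lookups of the same name, while the hardened version either refuses the symlink or inspects exactly the object it is about to read. The same principle applies to deletion: verify the directory and entry via a descriptor-relative call rather than re-resolving a path you checked a moment earlier.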

Read more at https://nakedsecurity.sophos.com/2020/03/26/adobe-issues-emergency-fix-for-file-munching-bug/

Hijacked Twitter accounts used to advertise face masks

By Lisa Vaas

As of Tuesday, hijacked Twitter accounts were spewing out hundreds of tweets hawking a dodgy looking face mask/toilet paper/digital forehead thermometer online store, according to Motherboard’s Vice.

When Vice’s Joseph Cox searched for the masks site on Tuesday, he found what he called a “heavy stream” of other accounts that posted a link to the site. Some at least appeared to have been hijacked, given that they were created years ago and posted what Cox called “relatively normal content” before tweeting out the link to the masks site.

As of Wednesday afternoon, two Twitter accounts were still advertising masksfast[.]us. One of the accounts, created in April 2012, had zero followers and had only ever created one post: the ad for masks that it posted on Tuesday. Another account advertising the (potentially scammy) site hadn’t posted anything since July 2019, had only ever retweeted and had never posted original content, all of which gives off the aroma of a bot network and/or accounts hacked away from their rightful owners.

I reported both accounts to Twitter.

Vice knows for sure that one of the accounts pumping out mask advertising was hijacked, given that the account belonged to one of its own: Motherboard’s Todd Feathers. On Tuesday, the journalist confirmed on Twitter that his account had been hijacked and used to send out direct messages, purportedly about face masks.

Vice found another hijacked account that posted tweets to a website called “Masks 2 U” and which included this message in broken English:

Wearing mask make you away from COVID-19

Motherboard’s Feathers told Vice that about 40 minutes before he logged into Twitter and realized that his account had been hacked, the platform had informed him that his account was last accessed by a computer in Virginia. That doesn’t mean much: whoever took over his account could have been located anywhere.

Read more at https://nakedsecurity.sophos.com/2020/03/26/hijacked-twitter-accounts-used-to-advertise-face-masks/

Apple iOS 13.4 offers fixes for 30 vulnerabilities

By John E Dunn

Apple has just announced its latest something-for-everyone security and feature updates for iOS, iPadOS, macOS, watchOS, and tvOS.

In terms of security, the attention grabber is iOS/iPadOS 13.4, which fixes 30 CVEs. Apple doesn’t rate the severity of vulnerabilities in its advisories, but we can pick out a few highlights from their descriptions.

The following apply to supported devices, namely the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

Kernel bugs

The standout here is CVE-2020-9785, through which a rogue application could execute with kernel privileges, mirroring CVE-2020-3919, an identical-sounding issue connected to the IOHIDFamily.

A third kernel flaw fixed is CVE-2020-3914, information disclosure by reading restricted memory.

WebKit

As usual, the WebKit browser engine and Safari gave Apple plenty to fix; all bar one of those flaws were found by sources outside the company, including an arbitrary code execution flaw, CVE-2020-3899, credited to Google’s open source fuzzing tool, OSS-Fuzz.

Of the 10 CVEs in WebKit, another four allow arbitrary code execution, including CVE-2020-3901 and CVE-2020-9783, which could be exploited through maliciously crafted web content. The same goes for CVE-2020-3902, in which maliciously crafted content could make possible a cross-site scripting attack.

Read more at https://nakedsecurity.sophos.com/2020/03/26/apple-ios-13-4-offers-fixes-for-30-vulnerabilities/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation