IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Update Chrome now! Google fixes critical vulnerability in Autofill payments

Google has released a Chrome update which includes five security fixes. One of these security fixes is for a critical vulnerability in Autofill payments.

Google labels vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. 114.0.5735.130/.131 for Android will become available on Google Play over the next few days.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Image: Chrome displays the Relaunch button; Chrome needs a relaunch to apply the update.

After the update, your version should be 114.0.5735.133 for Mac and Linux, and 114.0.5735.133/134 for Windows, or later.

The critical vulnerability

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVE patched in these updates is listed as CVE-2023-3214: Use after free in Autofill payments in Google Chrome prior to 114.0.5735.133 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Google is always very careful about providing information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the vulnerability description we can learn a few things.

The Autofill payments function is to automatically enter payment details in online forms.

Use after free (UAF) is a type of vulnerability that results from incorrect handling of dynamic memory during a program’s operation. If, after freeing a block of memory, a program does not clear the pointer to it and later uses that stale pointer, an attacker can use the error to manipulate the program.

Heap corruption occurs when a program modifies the contents of memory outside the bounds of the heap block that was allocated for it. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

A remote attack means that this vulnerability could potentially be exploited by tricking the user into visiting a specially crafted website.

Whether all this actually means that vulnerable Chrome versions will spill payments details on such a website remains to be seen, but it’s not the unlikeliest of scenarios.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Microsoft fixes six critical vulnerabilities in June Patch Tuesday

It’s that time of the month again: We’re looking at June’s Patch Tuesday roundup. Microsoft has released its monthly update, and compared to previous months, it’s actually not so bad. No actively exploited zero-days and only six critical vulnerabilities.

So, we’ll have the luxury of going over those in some more detail.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVEs patched in these updates are:

CVE-2023-29357 (CVSS score: 9.8 out of 10): a Microsoft SharePoint Server Elevation of Privilege (EoP) vulnerability. Successful exploitation could provide an attacker with administrator privileges. For the exploitation, the attacker needs no privileges nor do they require user interaction.

The Microsoft advisory states:

“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user.”

JWT (JSON Web Token) is a token-based, stateless authentication mechanism. Basically, the identity provider generates a JWT that certifies the user’s identity, and the resource server decodes the token and verifies its authenticity using either a shared secret key or the provider’s public key.

CVE-2023-29363 (CVSS score: 9.8 out of 10): a Windows Pragmatic General Multicast (PGM) Remote Code Execution (RCE) vulnerability.

PGM is a reliable and scalable multicast protocol that enables receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is a receiver-reliable protocol, which means the receiver is responsible for ensuring all data is received, absolving the sender of reception responsibility. It is mainly used for delivering multicast data such as video streaming or online gaming.

CVE-2023-32014 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.

CVE-2023-32015 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.

For all the PGM vulnerabilities, Microsoft points out that: when Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.

The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check whether a service named Message Queuing is running and whether TCP port 1801 is listening on the machine.

CVE-2023-32013 (CVSS score: 6.5 out of 10): a Windows Hyper-V Denial of Service (DoS) vulnerability. Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

Hyper-V is Microsoft’s hardware virtualization product. It lets you create and run virtual machines, which are software emulations of a computer system.

CVE-2023-24897 (CVSS score: 7.8 out of 10): a .NET, .NET Framework, and Visual Studio Remote Code Execution (RCE) vulnerability. The word “Remote” refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE) because the attack itself is carried out locally.

I’d like to throw one important vulnerability in the mix because we expect to hear more about it, because it is, well, you know, Exchange.

CVE-2023-32031 (CVSS score: 8.8 out of 10): a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. An attacker could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.

This is typically a vulnerability that is used in a chained attack, because the attacker will need access to a vulnerable host in the network to gain the necessary authentication they need to successfully exploit this vulnerability.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.



Ticket scammers target Taylor Swift tour

Taylor Swift fans are being warned to be cautious when buying tickets for her current “Eras” tour, with scammers waiting in the wings to trick would-be gig goers. The Better Business Bureau says it has received somewhere in the region of 200 complaints from residents of Michigan, and there’s bound to be more from other locations.

The issue is so bad that Michigan’s Attorney General advised the local “Swifties” about fraud in relation to last weekend’s Michigan leg of the tour. His warning reads as follows:

“Michigan residents who are defrauded by online ticket scammers should not just shake it off,” said Nessel. “We know these scams all too well. If you believe you were taken advantage of, filing a complaint with my office is better than revenge.”

Reports of scammers taking advantage of Swift’s fans, called Swifties, indicate some have lost as much as $2,500 paying for tickets that don’t exist or that never arrive. The Better Business Bureau has reportedly received almost 200 complaints nationally related to the Swift tour. The complaints range from refund struggles to outright scams.

Other locations for the tour are trying to get ahead of the scam curve, issuing their own warnings ahead of events where possible. For example, Cincinnati has highlighted tales of woe related to fake ticket sales on Facebook. Detroit flagged fake ticket sales on Instagram. CBC covered multiple fake sale attempts cheating folks in Canada out of significant chunks of money. Elsewhere, teens have lost out on $1,200 thanks to Craigslist scammers.

With something like 19 dates left in the US alone stretching from Minneapolis and Pittsburgh to Los Angeles and Seattle, there’s still plenty of opportunity for scammers to crawl out of the woodwork. These are undoubtedly the hottest music tickets around at the moment, so you’ll want to follow some common sense rules before trying to get your hands on some. This is especially the case given that the only ticket source left may be resellers.

How to avoid ticket scams

  • Research the ticket seller. Anybody can set up a fake ticket website, and sponsored ads showing at the top of search engines can be rife with bogus sellers. You may also run into issues buying tickets from sites like eBay. Should you decide to use sites other than well-known entities like Ticketmaster, check for feedback on the BBB website.
  • Use a credit card if possible. You’ll almost certainly have more protection than if you pay using your debit card, or cash. We definitely recommend that you avoid using cash. If someone decides to rip you off, that money is gone forever.
  • A “secure” website isn’t all it seems. While sites that use HTTPS (the padlock) ensure your communication is encrypted in transit, this does not guarantee the site is legitimate. Anyone can set up an HTTPS website, including scammers.
  • It’s ticket inspector time. One of the best ways to know for sure that your ticket is genuine is to actually look at it. Is the date and time correct? The city, the location? Are the seat numbers what you were expecting to see? It may well be worth calling the event organisers or the event location and confirming that all is as it should be. Some events will give examples of what a genuine ticket should look like on the official website.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Edge browser feature sends images you view back to Microsoft

A relatively new service provided by Microsoft’s browser Edge sends images you’ve viewed online back to Microsoft. A new feature labelled Enhance images in Microsoft Edge has raised some privacy concerns. The feature is designed to upscale low resolution images, making them sharper, and improving the lighting and contrast.

Unlike the Video Super Resolution which uses local resources to enhance the quality of video viewed in Microsoft Edge, the pictures submitted to the Enhance images service are sent to Microsoft for processing as Edge loads them. This is enabled by default, so users have to opt out if they don’t want their images to be sent.

Observant Edge Canary users spotted a difference in the description of the feature after an update. Under Enhance images in Microsoft Edge in settings, it now says “Image URLS will be sent to Microsoft to provide super resolution.”

Microsoft offers Edge users different update channels. The Canary Channel ships daily and is the most bleeding edge of all the channels. If you want access to the newest updates, they’ll appear here first. The downside is that it also comes with a certain amount of bugs.

This recent update also came with an option for more granular control over which sites’ images are enhanced.

Image: screenshot of the per-site image enhancement choices shown to Edge Canary users.

Image courtesy of Neowin

How to disable the service

If you prefer to turn off the Enhance images service, here’s how to do it:

  • In Edge, open the Settings menu and select Privacy, search, and services (edge://settings/privacy)
  • Scroll down to the Services section and find the Enhance images in Microsoft Edge entry
  • Switch the toggle to Off.

And while we have your attention and you are in the Privacy menu anyway, if you scroll up a little bit, you may see the Show Collections and follow content creators in Microsoft Edge setting. If you are not actively using this feature you may want to disable that as well. The feature was found to track every single URL you visited and send them to Microsoft.

Reportedly, Microsoft is working on resolving this unintentional behavior.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


More MOVEit vulnerabilities found while the first one still resonates

In early June, we reported on the discovery of a critical vulnerability in MOVEit Transfer, known as CVE-2023-34362.

After the first vulnerability was discovered, MOVEit’s owner Progress Software partnered with third-party cybersecurity experts to conduct further detailed code reviews of the software. Now, Progress says it has discovered multiple SQL injection vulnerabilities in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.

There are no CVEs yet available for the new vulnerabilities, but Progress has released patches.

Users of Progress MOVEit Transfer versions released before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), 2023.0.2 (15.0.2) should follow the recommendations in the security bulletin about the new vulnerabilities.
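Advisories like this one list a separate fixed build per supported release branch, so a patch-management check has to compare an installed version against the fixed build of its own branch rather than against a single number. The following is an added example (not Progress’s or Google’s code) that does that for the MOVEit Transfer versions quoted above and, with `is_before`, the simpler single-threshold case of Chrome’s “prior to 114.0.5735.133”; the host names and installed versions are constructed.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed from the bulletin versions quoted above: the first fixed build of each
# MOVEit Transfer release branch (year.minor). Branches not listed have no fixed build.
MOVEIT_FIXED = ("2021.0.7", "2021.1.5", "2022.0.5", "2022.1.6", "2023.0.2")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '2022.1.6' or '114.0.5735.133' into a comparable tuple.

    The bulletin also gives the internal numbering in parentheses, e.g. '2022.1.6 (14.1.6)';
    only the first token is used, so that form is accepted as input too.
    """
    first = text.strip().split()[0]
    return tuple(int(part) for part in first.split("."))


def is_before(installed: str, threshold: str) -> bool:
    """True if installed is strictly older than threshold.

    Tuple comparison handles differing lengths: '114.0.5735' sorts before '114.0.5735.133'.
    """
    return parse_version(installed) < parse_version(threshold)


def needs_patch(installed: str, fixed_versions: Sequence[str],
                branch_len: int = 2) -> Optional[bool]:
    """Per-branch check for products that ship the fix in several supported branches.

    Returns True if the installed build is below the fixed build of its own branch,
    False if it is at or above it, and None if its branch has no fixed build listed.
    None must be treated as 'unsupported, upgrade', never as 'safe'.
    """
    inst = parse_version(installed)
    for fixed in fixed_versions:
        fixed_tuple = parse_version(fixed)
        if fixed_tuple[:branch_len] == inst[:branch_len]:
            return inst < fixed_tuple
    return None


def triage(inventory: Sequence[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, installed version) pairs into patch / ok / unsupported buckets."""
    report: Dict[str, List[str]] = {"patch": [], "ok": [], "unsupported": []}
    for host, version in inventory:
        verdict = needs_patch(version, MOVEIT_FIXED)
        bucket = "unsupported" if verdict is None else ("patch" if verdict else "ok")
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are not real.
    sample = [("mft-01", "2023.0.1"), ("mft-02", "2023.0.2 (15.0.2)"), ("mft-03", "2020.0.3")]
    print(triage(sample))
```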

This code review was undoubtedly triggered by the severe consequences of the first vulnerability, which was exploited by the Cl0p ransomware gang. Cl0p confirmed it was behind these attacks in responses to inquiries by Reuters and BleepingComputer.

Cl0p is showing a very different behavior from other ransomware groups. The gang either found or bought the CVE-2023-34362 vulnerability and reportedly started testing it against victims as far back as 2021.

They felt comfortable enough to wait with actively deploying their ransomware, and didn’t launch a large scale campaign until the 2023 Memorial Day weekend in the US. This demonstrates a level of sophistication and planning that we don’t see in other ransomware groups.

Victims of this exploitation wave are plentiful and new ones keep coming forward. All the victims of this attack have been told to contact the Cl0p ransomware group before June 14, 2023 or “face the consequences,” which tends to suggest that their data will be published online.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Strava heatmap loophole may reveal users’ home addresses

Researchers at NC State University have outlined potential privacy issues with the popular fitness app Strava which could lead to users’ homes being pinpointed. The researchers’ findings are detailed in a paper called “Heat marks the spot: de-anonymising users’ geographical data on the Strava heat map”.

Strava, used by more than 100 million people, includes features you’d commonly see in this kind of product like heart rate, GPS data, and so on. Users can build up a picture of their health related activities over time and make informed decisions based on the findings of the service. 

The mobile tracking app is designed to track exercise activity, but it also includes a social component, allowing users to connect with each other. The primary concern of researchers focused on the heat map feature, which aggregates user data and allows you to see how many people are doing forms of exercise in various locations.

Although there are attempts to anonymise user data, the study highlighted ways in which some personal information—including home address—could be found. Researchers claim they found a “loophole” to ignore the anonymity of aggregated heatmap data. From their post:

Specifically, the researchers found it is possible for anyone to look up all of the Strava users in a given area. It is also possible for users to look at the aggregate data on a heatmap and see where each of the anonymous users’ routes begin and end.

“In a densely populated area, with lots of routes and lots of users, there is so much data that it would be extremely difficult to track any specific person,” Das says. “However, in areas where there are few users and/or few routes, it becomes a simple process of elimination – particularly if the person someone is looking for is a highly active Strava user. Even users who have marked their accounts as private show up when anyone searches for a list of all the users in a given municipality, so marking an account private doesn’t necessarily provide additional protection against this tracking technique.”

Strava told the researchers that heat map data isn’t shared unless several users are active in any given area, but the researchers still managed to identify the home addresses of some users via the heatmap. These locations were confirmed using voter registration data. Note that depending on which country you live in, voter data may not be available to use in this manner (or even be available in the first place).

While this may all sound very straightforward to do, the actual process is fairly involved. As Bleeping Computer highlights, the process is as follows:

  • Collect data on your chosen location for a period of roughly a month.
  • Overlay OpenStreetMap (an open geographic database maintained by volunteers) at a zoom level which allows for singling out residence addresses.
  • Compare heatmap endpoints and user data accessible from search to establish connections between “high activity points” and home addresses.

This, combined with public profiles displaying real names, photographs, and data related to specific activities means that singling out certain users was achievable. A word of caution: the success rate for this kind of needle in a haystack activity is not fantastic. The study mentions that more active users will be potentially easier to track down, but for “average” users of the app the likelihood of being discovered is 37.5%.

The paper highlights a few of the ways Strava users can reduce the possibility of falling victim to this attack, but a lot depends on the app developers implementing them or the randomness of your personal circumstances. For example, living in a heavily populated area will go a long way toward blending you into the crowd.

Another is setting large exclusion zones around your home area, to make it impossible to figure out which specific location you’re exiting and entering. You can set your Strava profile to private, and also disable the heatmap feature if you don’t need any of the social features available to you. If you use another form of fitness tracking app, this is the ideal moment to see what data you may be sharing and lock down as needed.



Public and free WiFi: Can I safely use it?

We’ve got into the habit of expecting internet access wherever we go. But data costs can be expensive, and outside your own home often the only WiFi available is public, passwordless and free.

In security, we’ve been trained to carefully contemplate anything that’s free, because, well, often when something is free, you turn out to be the product. So should we be concerned about free Wi-Fi?

A few years ago, we wrote:

“A WiFi connection’s safety depends on its security settings and the source of the WiFi connection. In public, using shared WiFi carries risks. If you have to use public WiFi hotspots, it’s wise to also use a VPN to keep your activity private while you use that connection. A VPN wraps your network traffic (including web browsing, email, and other things) in a protective tunnel and makes up for any weaknesses in their encryption.”

While this is still basically true, the internet has changed since then. Most websites have switched to HTTPS (Hypertext Transfer Protocol Secure), which means that any traffic to and from the website you are trying to access is encrypted. That means that it couldn’t be read by anyone trying to intercept the traffic in order to snoop on your data. 

So nowadays, my advice is this: For day-to-day use, I wouldn’t recommend setting up a new banking account over public WiFi, but I wouldn’t fret about using public Wi-Fi for everyday browsing either.

How to reduce public WiFi security risks

In order to see if a website is using HTTPS, check for the padlock symbol in the browser address bar, and make sure the address starts with “https://”.

If you really want to be sure, or you need to do something like set up a bank account, then you can use a Virtual Private Network (VPN) to secure your traffic when using public WiFi.

By wrapping your traffic in a single, impenetrable tunnel, the best VPN services will keep your data safe from attempts to intercept your communications.


We don’t just report on encryption—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

A week in security (June 5 – 11)

Last week on Malwarebytes Labs:

Stay safe!



VMware patches critical vulnerabilities in Aria Operations for Networks

VMware has released security updates to fix three vulnerabilities in Aria Operations for Networks which could result in information disclosure and remote code execution.

The vulnerabilities were found in Aria Operations for Networks, which was formerly known as vRealize Network Insight. Users of VMware Aria Operations for Networks 6.x are advised to apply the patches listed in the VMware KB article about these vulnerabilities.

Before you download and apply the security patch for your Aria Operations for Networks deployment, it is advised to perform a cleanup using the steps mentioned in VMware KB 88977, to avoid the patch upgrade failing with an “Insufficient disk space” toast message.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-20887 (CVSS score: 9.8 out of 10): Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution (RCE).

CVE-2023-20888 (CVSS score: 9.1 out of 10): Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution (RCE).

CVE-2023-20889 (CVSS score: 8.8 out of 10): Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.

Command injection is an attack method that aims to execute arbitrary commands on a system. Typically, the threat actor injects the commands by exploiting an application vulnerability, such as insufficient input validation.

Deserialization is the process of extracting data from files, networks or streams and rebuilding the data as objects. Deserialization of user input is considered a security misconfiguration, and can have serious consequences.

VMware Aria Operations for Networks helps IT teams to monitor, discover, and analyze networks and applications to build an optimized, highly available and secure network infrastructure across clouds.

Virtualization technology has taken the scalability of IT systems to the next level. Cybercriminals are very much aware of that and have a vested interest in hypervisor software and network mapping tools, because they make it easier to control a host of virtual machines, which is much more effective than attacking individual systems.

So, vulnerabilities in such software are guaranteed to be researched by malicious actors.



Former TikTok exec: Chinese Communist Party had “God mode” entry to US data

A former executive at TikTok’s parent company ByteDance has claimed in court documents that the Chinese Communist Party (CCP) had access to TikTok data, despite the data being stored in the US. The allegations were made in a wrongful dismissal lawsuit which was filed in May in the San Francisco Superior Court.

The former executive is Yintao “Roger” Yu, who worked as head of engineering for ByteDance. Yu worked for ByteDance between 2017 and 2018. According to his claims, the CCP had its own office inside ByteDance’s headquarters.

In the lawsuit he also accuses ByteDance of pushing nationalistic content that served to both increase engagement on ByteDance’s websites and to promote support of the CCP, and that the Communist Party could access American user data through what he called a backdoor channel in the code.

That statement was supported by recent events. The Australian Financial Review has been shown a sample of code to secretly suppress or elevate content that supports Communist Party narratives or sows division within democracies. This is exactly the reason why General Paul Nakasone, Director of the National Security Agency (NSA) called TikTok a loaded gun. Speaking at a US Senate hearing, the general said “one third of Americans get their news from TikTok,” adding “one sixth of American youth say they’re constantly on TikTok.”

Even more shocking is the claim that the CCP not only could access US user data via a backdoor channel in the code but also that some members of the ruling Communist Party used data held by the company to identify and locate protesters in Hong Kong.

Hong Kong is a semi-autonomous region in China with its own government. TikTok is no longer available there. Anyone who tries to open TikTok from within Hong Kong will see a message that reads “We regret to inform you that we have discontinued operating TikTok in Hong Kong.”

He also accused ByteDance of scraping data from competitors, mainly Instagram and Snapchat, without users’ permission.

After being banned from devices of employees of several—mostly government—organizations, TikTok is battling to convince politicians that it operates independently of ByteDance, which has deep ties to the CCP. Yu’s suit alleges that ByteDance was aware that if the Chinese government’s backdoor was removed from the US version of the app, the Chinese government would likely ban the company’s valuable Chinese-version apps.

Responding to Yu’s allegations, ByteDance said it will “vigorously oppose what we believe are baseless claims and allegations in this complaint.” It is “committed to respecting the intellectual property of other companies” and obtains data “in accordance with industry practices and our global policy.”

