Singapore Airlines (SIA) says a software glitch was the cause of a data breach that affected 285 members of its frequent flyer programme, compromising various personal information including passport and flight details.
The “software bug” surfaced after changes were made to the Singapore carrier’s website on January 4 and enabled some of its Krisflyer members to view information belonging to other travellers, SIA told ZDNet in an email.
Read more about the Singapore Airlines data breach on ZDNet.
A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways. CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than a dozen flaws plague 4.0 and earlier versions of the software, all of them in the package’s “helper protocol.”
The helper functions of the software run as root functions and the flaws arise from the fact that they can be accessed by applications without validation – thus giving those applications root access.
Read more about the critical flaws in CleanMyMac X software on Threatpost.
A new version of the NRSMiner is actively spreading in the southern region of Asia. The majority of detections (54%) have been found in Vietnam, followed by Iran (16%) and Malaysia (12%). The new version either updates existing NRSMiner infections, or spreads to new systems using the EternalBlue exploit.
EternalBlue is one of the NSA exploits stolen by the Shadow Brokers and leaked to the public. It was patched by Microsoft in March 2017, leaked by Shadow Brokers in April 2017, and used by WannaCry in May 2017. That EternalBlue is still being used to spread malware nearly two years after it was patched by Microsoft points to a massive failure in patching.
Adobe released security bulletin APSB19-02 that describes two security updates for critical vulnerabilities in Adobe Acrobat and Reader. In these updates only two vulnerabilities were fixed, but they are classified as Critical because they allow privilege escalation and arbitrary code execution.
The first vulnerability was assigned ID CVE-2018-16011 and is a use after free bug that could allow arbitrary code execution. The second vulnerability was assigned CVE-2018-19725 and allows attackers to execute code at a higher privilege level.
A vulnerability recently patched by Google in Chrome for Android was an information disclosure bug that was originally reported in 2015, but not patched until the release of Chrome 70 in October 2018, security researchers say.
The issue is that the browser – along with WebView and Chrome Tabs for Android – discloses information about the hardware model, firmware version, and security patch level of the device it is installed on. Applications using Chrome to render web content are also impacted.
Read more about the Chrome for Android vulnerability on SecurityWeek.
Vein authentication, a biometric security method that scans the veins in your hand, has been cracked. Using a fake handmade out of wax, Jan Krissler and Julian Albrecht demonstrated how they were able to bypass scanners made by both Hitachi and Fujitsu, which they claim covers around 95 percent of the vein authentication market. The method was demonstrated at Germany’s annual Chaos Communication Congress.
While imprints of fingerprints can often be left behind on surfaces just by touching them, vein patterns cannot, and are considered to be much more secure as a result. However, this wasn’t a problem for the researchers, who were able to copy their target’s vein layout from a photograph taken with an SLR camera modified to remove its infrared filter.
Read more about how vein authentication can be bypassed on MSN.
Hardware based cryptocurrency wallets may not be as secure as promised. That’s the judgement of three security researchers who presented their research at a session at the 35c3 conference.”
The researchers demonstrated firmware, side-channel, microcontroller and supply-chain attacks that impact a range of wallets including Trezor One, Ledger Nano S, and Ledger Blue. Naturally, the manufacturers responded, claiming the research had holes and attacks were impractical and their hardware was safe to use. “The sad reality is there is just not a lot of security in cryptocurrency [development]. And that is painful to hear,” said one of the researchers.
Read more about the shortcomings of crypto wallet security on Threatpost.
Voicemail systems are vulnerable to compromise via brute-force attacks against the four-digit personal identification numbers (PINs) that protect them. Researchers say a malicious user can thus access the voicemail system to then take over online accounts for services like WhatsApp, PayPal, LinkedIn and Netflix.
Martin Vigo, a mobile security expert who presented his research at 35C3, warns that PINs that protect voicemail systems are far easier to crack than traditional passwords. “Automated phone calls are a common solution for password resets, account verification and other services,” Vigo said. “These can be compromised by leveraging old weaknesses and current technology to exploit this weakest link – voicemail systems.”
Read more about the vulnerabilities of voicemail systems on Threatpost.
A security researcher has disclosed exploit code for a fourth zero-day vulnerability in Windows operating system in just as many months. The latest bug enables overwriting a target file with arbitrary data.
Running the proof-of-concept (PoC) code provided by the researcher that uses the online alias SandboxEscaper results in overwriting ‘pci.sys’ with information about software and hardware problems, collected through the Windows Error Reporting (WER) event-based feedback infrastructure. The researcher warns that the exploit she wrote works with some limitations and may not have the expected effect on some CPUs. For instance, she could not reproduce the bug on a machine with one CPU core.
Exploit code demonstrating a memory corruption bug in Microsoft’s Edge web browser has been published by the researcher that discovered and reported the vulnerability in the first place. The code can lead to remote code execution on unpatched machines.