Weekly Cyber Security News 24/08/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. We all know its great adding cool features to stuff, but what’s not great if its not thought through well enough so as to be a potential issue down the line. Looks like we have a bad idea which in retrospect is potentially out to get us…

• Severe PHP Exploit Threatens WordPress Sites with Remote Code Execution The issue impacts several content management systems, including Typo3 and WordPress, as well as widely-used PDF generation library TCPDF.

We see exposure of S3 and MongoDB on a regular basis, and I seem to remember a number of times pointing out that if something could be public and you don’t want it to be, check it out. Well… It appears someone made a boo-boo and set something public which I suspect should really have been private. I’m pretty sure other such services will be coming out as researchers (and villains) scour for similar issues across a whole set of likely SaaS solutions:

• British and Canadian Governments Accidentally Exposed Passwords and Security Plans to the Entire Internet Yael Grauer reports

Can’t let the week go by without the usual IoT hit, though to be honest, its not really a fault of IoT directly, just a protocol which shouldn’t really be exposed. Then again, where have we heard that before? Oh, the last paragraph right…

• 32,000 smart homes can be easily hacked due to misconfigured MQTT servers

 

In other news:

• ATM Heists Only Set to Accelerate After $13M Break-In The Cosmos Bank incident is only the latest, not the last, thanks to lagging security practices.

• Badge Reading App Exposed Details of Black Hat Conference Attendees

• China’s biggest ever bitcoin hacking case sees three held over theft of US$87 million in cryptocurrency Alice Yan reports

• Google Faces Legal Turmoil After Location Tracking Debacle After a report said Google tracks users even when they opt out

• It Takes an Average 38 Days to Patch a Vulnerability

• NCC Group Releases Open Source DNS Rebinding Attack Tool

• UK: Superdrug hack: Data thieves claim to have information on 20,000 customers Jon Sharman reports

• What are Amazon Zelkova and Tiros? AWS looks to reduce S3 configuration errors

• Code of App Security Tool Posted to GitHub

• Microsoft Rolls Out End-to-End Encryption in Skype

• Adobe Patches Critical Code Execution Flaws in Photoshop

• Airmail 3 Exploit Instantly Steals Info from Apple Users Attackers can abuse URL requests processed by an email program for Mac to steal files from the victim- sometimes without user interaction.

• Belkin IoT Smart Plug Flaw Allows Remote Code Execution in Smart Homes

• Reevaluate _low-risk_ PHP unserialization vulnerabilities, researcher says

• Researchers Blame ‘Monolithic’ Linux Code Base for Critical Vulnerabilities With an OS design based on a verified microkernel, researchers contend almost all Linux OS flaws could be mitigated to less than critical severity.

• Unpatched Ghostscript Flaws Allow Remote Takeover of Systems A remote, unauthenticated attacker could execute arbitrary commands on systems with the privileges of the Ghostscript code.