It's Friday, the weekend has landed... and Microsoft warns of an Internet Explorer zero day exploited in the wild

Plus, WeLeakInfo? Not anymore!


Roundup Welcome to another Reg roundup of security news.

Still using Internet Explorer? Don't. There's another zero-day

Microsoft let slip on Friday an advisory detailing an under-attack zero-day vulnerability (CVE-2020-0674) for Internet Explorer. The scripting engine flaw can be exploited to gain remote code execution on a vulnerable machine by way of a specially crafted webpage. The flaw can be mitigated by restricting access to the JavaScript component JScript.dll, and thus far there is no patch available.

"Microsoft is aware of this vulnerability and working on a fix," the software giant noted.

"Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers. Microsoft is aware of limited targeted attacks."

Unless you're an enterprise still requiring IE for various apps, you should really consider moving off Exploder at this point. If you want to stay with Microsoft, there is the new Edge browser, or you can opt for Chrome, Firefox, Opera, Brave, or any number of other browser options.
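For admins stuck with IE until the patch lands, here is an added PowerShell example (not from The Register or from Microsoft's advisory) that reports whether jscript.dll on a machine is already access-restricted and, with `-Apply`, puts the restriction in place. It assumes "restricting access" means a file-ACL Deny entry for the built-in Everyone group, that it runs from an elevated prompt, and the `Test-JScriptRestricted` / `Set-JScriptRestricted` names are mine.

```powershell
# Added example (not from The Register or from Microsoft's advisory). Checks whether
# jscript.dll is ACL-restricted as the interim workaround describes and, with -Apply,
# applies the restriction. Assumes "restricting access" means a file-ACL Deny entry
# for the built-in Everyone group (SID S-1-1-0). Run from an elevated prompt.
param([switch]$Apply)

# IE's scripting engine ships as a 64-bit copy and, on x64 Windows, a 32-bit copy.
$paths = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "$env:windir\SysWOW64\jscript.dll"
}

# Hypothetical helper name: true when a Deny ACE for Everyone is present.
function Test-JScriptRestricted {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Deny') { continue }
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -eq 'S-1-1-0') { return $true }
    }
    return $false
}

# Hypothetical helper name: take ownership (TrustedInstaller owns the file by
# default), then deny Everyone full access so the engine can no longer be loaded.
function Set-JScriptRestricted {
    param([string]$Path)
    takeown.exe /f $Path | Out-Null
    icacls.exe $Path /deny '*S-1-1-0:(F)' | Out-Null
}

foreach ($p in $paths) {
    if (-not (Test-Path -Path $p)) {
        Write-Output "$p : not present"
        continue
    }
    if (Test-JScriptRestricted -Path $p) {
        Write-Output "$p : restricted"
    } elseif ($Apply) {
        Set-JScriptRestricted -Path $p
        Write-Output "$p : restriction applied"
    } else {
        Write-Output "$p : NOT restricted (rerun with -Apply to mitigate)"
    }
}
```

Denying access to jscript.dll also breaks anything else that still relies on the legacy JScript engine, so test before rolling it out, and remove the Deny entry (`icacls <path> /remove:d *S-1-1-0`) once the fix is installed.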

In brief... A poorly configured Elasticsearch database left an app's baby photos and videos accessible from the public internet. AMD has proposed SEV-SNP, that's Secure Nested Pages, to further protect virtual machines from malicious cloud hosts.

MageCart crooks infect Australian fire fundraisers

An Australian family-run fishing gear shop raising money online for nearby Aussies caught up in the season's devastating bush fires was among those hit by the latest wave of MageCart infections this month.

Fergo's Tackle, based in Wollongong and Taren Point, in New South Wales, set up a page on its equipment web store where customers could donate cash via purchases, with the promise that "100% of all donations will go towards buying essential items (food, bedding, clothing, shelter etc.) for the victims of the fires" in Lake Conjola.

In a cruel twist of fate, the site – like many others – was infected by a variant of the card-skimming malware MageCart, as spotted by The Malwarebytes Threat Intelligence Team and confirmed by El Reg.

The shop has told The Register the offending code has been removed, which is true. Malwarebytes says the domain being used to aggregate the card data collected by the scripts has also been taken down, so hopefully all the other sites infected by this strain of Magecart are also now protected.

Grindr accused of misusing personal data

A report out of Norway claims that dating app Grindr – and a handful of other mobile apps – are illegally exposing user information to third-party advertisers.

The report claims that a violation of GDPR has occurred in the way the apps collect user habits and then sell them to advertisers who use the information to create detailed profiles on users.

"There are very few actions consumers can take to limit or prevent the massive tracking and data sharing that is happening all across the internet," the report reads.

"Authorities must take active enforcement measures to protect consumers against the illegal exploitation of personal data."

WeLeakInfo no longer living up to its name

US prosecutors say that the FBI has seized the domain of pilfered data-selling site WeLeakInfo.

The FBI joined a number of European law enforcement agencies to take down both the site and its operators: police in Northern Ireland and the Netherlands have arrested people they believe to be the administrators of the site.

"The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts," prosecutors said of the site.

"The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months)."

Georgia election server hacked in 2014

A new revelation has emerged in the battle over paperless voting systems in the US state of Georgia.

Politico reports that researchers found that, in 2014, one of the servers handling election reports was hacked.

While there is no evidence directly showing that elections were compromised, that hacked server was used to handle results in both the 2016 and 2018 elections.

FBI to notify US states of local election hacks

US state governments will now be informed when one of their city or county governments falls victim to an election system hack.

The Hill reports that an internal directive at the FBI instructs agents to make sure state governments (if they don't already know) get word any time a network intrusion is reported.

While it's hard to imagine a scenario where a local government doesn't see fit to notify their state about an attack, the procedure will hopefully prevent any potential incidents from slipping through the cracks.

Stop us if you've heard this one: malicious apps sneak into Play Store

Yep, once again we have a report of an Android malware outbreak.

The team at BitDefender says it helped Google spot and remove 17 apps that were spreading "aggressive ads" on user devices once installed.

"While not malicious per se, the tactics they use to smuggle themselves into Google Play and dodge Google’s vetting system are traditionally associated with malware," said BitDefender.

The 17 apps had an estimated 550,000 combined downloads. ®

Biting the hand that feeds IT © 1998–2022