Pre-authentication, remote root hole in call-center software? Thanks, Cisco. Just what a long weekend needs
This and more bits and bytes from infosec world
Roundup: It's once again time to catch up on the latest happenings from the world of infosec.
Cisco emits critical fix in latest patch bundle
We have a bunch of new security patches from Switchzilla, including one for a critical hole in its call-center software.
CVE-2020-3280 is a remote-code-execution vulnerability in the Java remote management interface for Unified Contact Center Express.
An unauthenticated, remote attacker able to exploit the flaw by supplying a malformed Java object (this is possible through various user input fields) can gain root control over the management system. Admins are being advised to update Unified CCX as soon as possible.
Zoom hatches crypto plan, wants your help
After addressing complaints about its lax security and privacy practices, and reaching out to the industry for help, Zoom has put forward a plan to implement what it says is end-to-end encryption on its video calls.
The online conferencing giant, suddenly one of the most vital service providers on the planet thanks to the coronavirus lockdowns, has uploaded a whitepaper [PDF] describing how it will improve its encryption to thwart eavesdroppers.
The aim here, says Zoom, is to gradually overhaul its call encryption and security features, starting with public key management and then moving on to addressing identity management, transparency, and eventually adding real-time security protections.
These plans, however, are not yet set in stone, and Zoom has invited netizens to weigh in on its GitHub page with their thoughts on the matter. An open comment period on the paper is being held from May 22 through June 5.
Talos warns of WolfRAT
Cisco's Talos team has taken a detailed look at a spyware operation whose name sounds like a high school garage band: WolfRAT.
The malware has so far been concentrated in Thailand and spreads through fake versions of popular Android apps in third-party markets. The software nasty is believed to be related to the DenDroid malware, though Talos is not particularly impressed with the quality of build.
"This malware is simplistic in comparison to some modern-day Android malware," the researchers noted. "The best example of that is that it doesn't take advantage of the accessibility framework, collecting information on non-rooted devices."
Hackers try to exploit flaws in Sophos firewall product
Sophos says a set of hastily pushed hotfixes recently helped to avert disaster.
The corp reported an SQL injection vulnerability in its XG Firewall was being targeted by an unspecified ransomware crew, though thanks to the emergency updates, the attempts to exploit the bug were unsuccessful, apparently.
As the bug is still under active attack, any admins who haven't applied the software update would be well-advised to make sure they are running the most current version of XG Firewall to keep their networks safe.
Microsoft pushes Edge Chromium fix
A security fix has been issued for Chromium, which means that Microsoft has to follow suit with an update for its Chromium-based Edge browser.
Redmond reported that CVE-2020-1195 is an elevation of privilege hole that can be exploited when the Feedback extension receives malformed input from the user.
"The vulnerability by itself does not allow arbitrary code to run," notes Microsoft.
"However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running."
Hackers tout 40m Wishbone credentials
Anyone running Wishbone, a mobile app that lets users vote on stuff, will want to change their password, along with the password on any other services where it was reused.
This is because hackers have stolen and leaked the details on some 40 million accounts from the app, including hashed passwords, mobile numbers, date of birth and profile images.
Signal cleans up 'coarse tracking' vulnerability
Tenable laid claim to the discovery and reporting of a coarse tracking flaw in the Signal secure phone app.
The bug, which has already been fixed, would have potentially allowed an attacker to observe the location of a target's DNS server via WebRTC.
Here's where we should emphasize that the word tracking is pretty generous here, because Tenable estimates that the location info is only accurate to a radius of around 400 miles. So in theory, it could have exposed the person's country, but not a lot else.
Either way, just make sure you're running the latest version of Signal and everything should be fine.
macOS Notification Center holds a surprising amount of info
Kinga Kieczkowska dug into the inner workings of the Mac's notification hub (used by various apps to produce pop-up alerts) and found that it logs an unexpected amount of information.
What Kieczkowska revealed was a sizable database that the hub maintains with things like location history, images and message content, even the contents of Twitter private messages (should that notification option be turned on). While this isn't a huge security risk (it's all stored locally, after all) it is definitely an eye-opener and the full report is worth a read.
Tapplock settles with FTC
When we last heard from Tapplock, the Canadian smart lock company was under fire from the FTC after it was found that the security of its products, physical and online, was woeful.
Now, the Indiegogo darling will be placing itself under the watchful eye of auditors as it has agreed to a settlement deal with the US trade body.
There's no money involved in the settlement, but that's pretty standard with these sorts of deals. When the FTC makes a settlement like this with a first-time offender, it's really just hoping the company is scared straight and will stop doing whatever it was that got it in trouble.
Should Tapplock be found to be neglecting its security, this deal pretty much puts it at the mercy of the FTC as far as penalties go.
Hacker 'Sanix' arrested with massive data cache
A suspected hacker has been arrested in Ukraine, though the plod did not give a name nor any info on the individual cuffed. They did say the person is thought to be Sanix, the notorious hacker who last year was offering a collection of more than 770 million purloined email addresses and millions of credentials.
Adobe Character Animator draws up fix for critical bug
Adobe posted a series of security updates recently for some of its more obscure media tools. While most were relatively minor information disclosure bugs, one was a bit more serious.
Those who use Adobe Character Animator will want to update their software to protect against CVE-2020-9586, an arbitrary code execution flaw. Users can update Creative Cloud to get the fix, while admins can push it via Admin Console.
While Character Animator doesn't have the reach of Flash Player or Reader, and is highly unlikely to be targeted, it's worth keeping your software up to date, and any code execution flaw is one worth fixing ASAP. ®