Security Alerts & News
by Tymoteusz A. Góral

#958 Telegram calls claims of bug in messaging service bogus
A reported flaw in the popular Telegram Messenger app, said to let attackers crash devices and run up wireless data charges, is disputed by the app maker, which calls the claims false.

According to two Iran-based researchers, Sadegh Ahmadzadegan and Omid Ghaffarinia, Telegram users are vulnerable to specially crafted messages that bypass the app's message size limits and crash the receiving device. The researchers also claim that, for users on paid, metered cellular data plans, such messages are costly to recipients, because they consume the data allowance and can incur overage charges.
#957 Is that email really from your boss? FBI warns fake CEO scams now $3.1bn crime
The Federal Bureau of Investigation (FBI) reports that "exposed dollar losses" to CEO fraud emails total $3.1bn since October 2013.

The FBI revealed the figure in a new public-service announcement (PSA) on the Internet Crime Complaint Center (IC3) to warn businesses about criminals who use bogus email accounts to pose as CEOs and trick financial controllers into wiring funds to the fraudsters' bank accounts.

The new numbers suggest CEO fraud or "business email compromise" may be a vastly bigger problem for businesses than previously thought.

In April the FBI reported victims worldwide had lost $2.3bn to the scam between October 2013 and February 2016.
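The scam described in this item works because the sender only has to look like the CEO to a busy controller: a matching display name, a lookalike domain, a Reply-To that quietly diverts the thread, and urgent wire-transfer language. The following screen is an added example, not part of the FBI PSA or this digest; the company domain, the executive roster and the two sample messages are constructed for illustration.

```python
"""Heuristic screen for CEO-impersonation (business email compromise) mail.

Added example, not from the FBI PSA: the company domain, the executive
roster and the two sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed: our own domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}    # assumed: display name -> real address
URGENCY_PHRASES = ("wire transfer", "urgent", "keep this confidential")


def _domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance; used to catch lookalike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return the list of reasons a message looks like CEO fraud (empty = no indicator)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Display name of an executive, but the address is not the one on record.
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name].lower():
        reasons.append("display name '%s' but sender is %s" % (from_name, from_addr))

    # 2. Sender domain is a near-miss of our own domain (typosquat / character swap).
    dom = _domain(from_addr)
    if dom != COMPANY_DOMAIN and 0 < _edit_distance(dom, COMPANY_DOMAIN) <= 2:
        reasons.append("sender domain %s is a lookalike of %s" % (dom, COMPANY_DOMAIN))

    # 3. Reply-To diverts the conversation to a domain other than the sender's.
    if reply_addr and _domain(reply_addr) != dom:
        reasons.append("Reply-To %s diverts replies away from %s" % (reply_addr, dom))

    # 4. Social-engineering pressure in the body (single-part messages only here).
    body = "" if msg.is_multipart() else msg.get_payload()
    if any(phrase in body.lower() for phrase in URGENCY_PHRASES):
        reasons.append("body uses urgency / wire-transfer language")
    return reasons


# Constructed sample messages: one impersonation attempt, one genuine note.
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@gmail.com
To: controller@example.com
Subject: Urgent wire transfer

I am in a meeting, please process this wire transfer today and keep this confidential.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q2 numbers

Thanks for the report, looks good.
"""

if __name__ == "__main__":
    for reason in bec_indicators(SAMPLE_FRAUD):
        print("FRAUD?", reason)
    print("LEGIT:", bec_indicators(SAMPLE_LEGIT))
```

These are indicators, not a verdict: a mail gateway would combine them with DMARC results, and the control that actually stops the wire is an out-of-band confirmation of any payment or beneficiary change with the person the message claims to be from.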
#956 Verizon patches serious email flaw that left millions exposed
Verizon has fixed a critical flaw in its Verizon.net messaging system that allowed an attacker to alter other customers' email settings and forward their email to any email address.

The flaw, found by Randy Westergren, a senior software developer with XDA Developers, affected any of Verizon's estimated 7 million FiOS subscribers who relied on their Verizon.net email accounts. Westergren reported the vulnerability to Verizon on April 14; Verizon fixed it on May 12, and it was publicly disclosed on Monday.

“I confirmed a very serious vulnerability: any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails — an extremely dangerous situation given that a primary email account is typically used to reset passwords for other accounts that a user might have, e.g. banking, Facebook, etc.,” Westergren wrote in a technical description of the vulnerability.
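The bug class Westergren describes is a missing authorization check: the request names the account whose forwarding address should change, and the server believes it instead of using the identity it established at login. The following is an added example of that pattern beside a hardened form; it is not Verizon's code, and the in-memory account store, the Session type and all function names are assumptions made for the illustration.

```python
"""Mail-forwarding settings handler: the vulnerable pattern and a hardened one.

Added example of the bug class in the write-up above (an authenticated user
changing another user's forwarding address); it is not Verizon's code. The
in-memory account store, the Session type and all names are assumptions.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller tries to act on an account it does not own."""


@dataclass
class Account:
    user_id: str
    forward_to: str = ""
    audit: list = field(default_factory=list)


@dataclass
class Session:
    user_id: str  # principal established by the server at login, not by the request


# Constructed stand-in for the mail backend.
ACCOUNTS = {"alice": Account("alice"), "bob": Account("bob")}


def set_forwarding_vulnerable(session, target_user, forward_to):
    """The request names the account to change and the server believes it:
    any logged-in user can redirect any other user's mail."""
    account = ACCOUNTS[target_user]
    account.forward_to = forward_to
    return account


def set_forwarding_hardened(session, target_user, forward_to):
    """Authorize against the server-side session, never the request body, and
    leave an audit record: a forwarding change is a password-reset primitive."""
    if target_user != session.user_id:
        raise Forbidden("%s may not change settings for %s" % (session.user_id, target_user))
    account = ACCOUNTS[session.user_id]       # look up by the authenticated principal
    account.audit.append(("forward_to", account.forward_to, forward_to))
    account.forward_to = forward_to
    return account


def demo():
    """Bob, logged in as himself, tries to redirect Alice's mail through both handlers.
    Returns (Alice's forward_to after the vulnerable call, whether the hardened call refused)."""
    bob = Session("bob")
    vulnerable_result = set_forwarding_vulnerable(bob, "alice", "attacker@example.net")
    try:
        set_forwarding_hardened(bob, "alice", "attacker@example.net")
        refused = False
    except Forbidden:
        refused = True
    return vulnerable_result.forward_to, refused


if __name__ == "__main__":
    print(demo())   # ('attacker@example.net', True)
```

The check itself is one line; the point is where the account identifier comes from. A real deployment would add what the audit record enables: notifying the old address of the change and requiring re-authentication before altering a setting that controls password resets for every other service the mailbox is tied to.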
#955 Microsoft June patch Tuesday fixes 44 vulnerabilities
Microsoft pushed out 16 bulletins on Tuesday addressing 44 different vulnerabilities in its software, including Windows, Exchange Server, Office, Edge, and Internet Explorer.

Five of the bulletins are rated critical because the vulnerabilities they address could be used for remote code execution; the remaining 11 are rated important.

According to experts, one of the more concerning critical fixes addresses a use-after-free vulnerability in the Windows DNS Server role on Windows Server 2012 and 2012 R2. An attacker who sent a specially crafted request to an affected DNS server could execute arbitrary code on it, Microsoft's advisory warns.
#954 Hacker steals 45 million accounts from hundreds of car, tech, sports forums
A hacker has stolen tens of millions of accounts from more than a thousand forums hosting popular car, tech, and sports communities.

The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com.

The company didn't outright confirm the breach, but said it was investigating.

"We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email.