Security Alerts & News
by Tymoteusz A. Góral

#1913 Firefox 51 arrives with warning for HTTP websites that collect passwords, WebGL 2 and FLAC support
Mozilla today launched Firefox 51 for Windows, Mac, Linux, and Android. The new version includes a new warning for websites that collect passwords but don’t use HTTPS; WebGL 2 support for better 3D graphics; and FLAC (Free Lossless Audio Codec) playback.

Firefox 51 for the desktop is available for download now, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play.

Mozilla doesn’t break out the exact numbers for Firefox, though the company does say “half a billion people around the world” use the browser. In other words, it’s a major platform that web developers target — even in a world increasingly dominated by mobile apps.
#1912 Don't use Android pattern lock to protect secrets, researchers warn
Researchers have demonstrated an attack that can crack 95 percent of Android pattern locks within the five attempts allowed.

The side-channel attack, devised by researchers from China and the UK, uses video footage from a smartphone's camera and a computer vision algorithm to crack Android's geometric lock patterns. Lock patterns are an alternative to PINs and passwords.

As noted by the researchers, the attack doesn't require footage of the screen itself, only a line of sight to the user's hand movements. The algorithm tracks fingertip motions and reconstructs the lock pattern. The researchers tested the attack on 120 unique patterns from 215 users and report that the method can crack 95 percent of patterns within five attempts.

Additionally, they found that more complex patterns are easier to crack, with 97.5 percent falling within the first attempt, compared with 60 percent of simple patterns and 87 percent of medium-complexity patterns.
#1911 Cisco patches critical flaw in WebEx Chrome plugin
A vulnerability in the Cisco WebEx Chrome Plugin, used by tens of millions for web conferencing in business environments, exposed computers to remote code execution.

Cisco has patched the flaw, details of which were disclosed Monday by Google Project Zero researcher Tavis Ormandy, who has made a number of high-profile discoveries and disclosures in popular enterprise and security software.

The core issue is what Ormandy calls a “magic URL” used by the extension during WebEx sessions. The researcher said attacks could be carried out so long as a URL request contains the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html; attackers could use this in an iframe, leaving users unaware of an active exploit.
#1910 Online security 101: Tips for protecting your privacy from hackers and spies
Got nothing to hide? Think again.

Privacy is what sets us apart from the animals. It's also what sets many countries and citizens apart from dictatorships and despots. People often don't think about their rights until they need them -- whether it's when they're arrested at a protest or pulled over for a routine traffic stop.

Surveillance is also a part of life, and it's getting progressively more invasive. Government eavesdropping is increasing, carried out in wider secrecy, and it's becoming far more localized. In fact, the last three presidents have pushed for greater surveillance: Clinton introduced mandated wiretapping laws, Bush expanded mass domestic surveillance, and Obama expanded the intelligence service's reach -- just in time for Trump.
#1909 Apple patches critical kernel vulnerabilities
Apple today released new versions of iOS and macOS Sierra and addressed some overlapping code execution vulnerabilities in both its mobile and desktop operating systems.

The updates were part of a bigger release of security updates from Apple that also included Safari, iCloud for Windows, and watchOS.

The most critical of the bugs were a pair of kernel vulnerabilities, CVE-2017-2370 and CVE-2017-2360, which could allow a malicious application to execute code with the highest kernel privileges. The two bugs, a buffer overflow and use-after-free vulnerability, were reported by Google Project Zero’s Ian Beer and were patched in iOS 10.2.1 and macOS Sierra 10.12.3.
#1908 Virulent Android malware returns, gets >2 million downloads on Google Play
A virulent family of malware that infected more than 10 million Android devices last year has made a comeback, this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users.

HummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the name given to a family of malicious apps researchers documented in July invading non-Google app markets. HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000 fraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per month in revenue. Of the 10 million people who downloaded HummingBad-contaminated apps, an estimated 286,000 of them were located in the US.
#1907 Widely used WebEx plugin for Chrome will execute attack code—patch now!
The Chrome browser extension for Cisco Systems' WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.

A combination of factors makes the vulnerabilities among the most severe in recent memory. First, WebEx is largely used in enterprise environments, which typically have the most to lose. Second, once a vulnerable user visits a site, it's trivial for anyone with control of it to execute malicious code with little sign anything is amiss. The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google's Project Zero security disclosure service.

Martijn Grooten, a security researcher for Virus Bulletin, told Ars:

"If someone with malicious intentions (Tavis, as per Google's policy, disclosed this responsibly) had discovered this, it could have been a goldmine for exploit kits. Not only is 20 million users a large enough number to make it worthwhile in opportunistic attacks, I assume people running WebEx are more likely to be corporate users. Imagine combining this with ransomware!"
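Both WebEx items above describe the same trigger: the extension activated whenever a request URL contained the magic filename, regardless of which site served it. A defender who wants to know whether users were exposed before the patch rolled out can search web proxy logs for that filename on hosts outside the expected WebEx domains. The following is an added example, not code from the articles, Cisco or Project Zero; the log line format, the hostnames and the `expected_hosts` allowlist are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# The WebEx extension's "magic" filename as quoted in the disclosure above.
# Any request whose URL carried it activated the plugin before the patch.
WEBEX_MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Constructed sample proxy log (hypothetical format: timestamp, client IP,
# method, URL, HTTP status). The hosts are invented for the example.
SAMPLE_LOG = """\
2017-01-24T10:01:02Z 10.0.0.12 GET https://intranet.example/home 200
2017-01-24T10:01:09Z 10.0.0.12 GET https://ads.example.net/frame/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html 200
2017-01-24T10:02:15Z 10.0.0.31 GET https://webex.example/meeting/123 200
2017-01-24T10:03:40Z 10.0.0.31 GET http://blog.example.org/x/CWCSF-NATIVEMSG-IFRAME-43C85C0D-D633-AF5E-C056-32DC7EFC570B.HTML?x=1 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_webex_magic_requests(
    log_text: str, expected_hosts: Tuple[str, ...] = ()
) -> List[Dict[str, str]]:
    """Return every request whose URL contains the magic filename.

    The match is case-insensitive and ignores query strings, because the
    trigger was the presence of the string anywhere in the requested URL.
    Each hit carries the parsed host and a 'suspicious' flag that is True
    when the host is not one of the caller's expected WebEx domains
    (expected_hosts is a constructed allowlist, not a Cisco-published one).
    """
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if WEBEX_MAGIC.lower() not in rec["url"].lower():
            continue
        host = urlparse(rec["url"]).hostname or ""
        rec["host"] = host
        rec["suspicious"] = host not in expected_hosts
        hits.append(rec)
    return hits


def clients_exposed(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client IPs that loaded the magic URL from a non-expected host."""
    return sorted({h["client"] for h in hits if h["suspicious"]})


if __name__ == "__main__":
    found = find_webex_magic_requests(SAMPLE_LOG, expected_hosts=("webex.example",))
    for h in found:
        print(h["ts"], h["client"], h["host"], "SUSPICIOUS" if h["suspicious"] else "expected")
    print("clients to follow up:", clients_exposed(found))
```

The sweep is retrospective: it tells you which clients loaded the trigger from unexpected origins while the extension was still vulnerable, which is the list to prioritise for the extension update and for endpoint review. It cannot tell you whether the page that embedded the iframe went on to do anything, so treat a hit as a lead, not a confirmed compromise.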