Showing results for tags 'security bug'.
Found 3 results
Edward Raja posted a topic in Security & Privacy News

Microsoft is expected to release a major software update on Tuesday, January 14 that will fix an "extraordinarily serious security vulnerability" affecting a core cryptographic component found in all versions of Windows. This will be the first Patch Tuesday release of 2020 from Microsoft. January 14 is also the day that Microsoft will end support for Windows 7.

As reported by KrebsOnSecurity, Microsoft has already rolled out a patch to fix the bug for the U.S. military and other important high-profile clients and customers. These clients have been asked to sign agreements preventing them from disclosing details of the flaw on or before January 14, 2020.

The flaw is found in the crypt32.dll system file which handles "certificate and cryptographic messaging functions in the CryptoAPI." It is also used by the Microsoft CryptoAPI that is used for securing cryptography applications and encrypting/decrypting digital certificates. This component is used by key Microsoft apps like Internet Explorer and Edge to securely handle sensitive data. A flaw in the crypt32.dll can be used to spoof digital signatures which can be used by attackers to make malware appear a safe and genuine app on your PC.

The report also states that the NSA's Director of Cybersecurity Anne Neuberger is scheduled to host a press conference on January 14 where she will "provide advanced notification of a current cybersecurity issue." Microsoft on its part has already issued a statement saying that it does not discuss any vulnerabilities before rolling out a fix for them. It also made it clear that it does not roll out production-ready updates before its regular Update Tuesday schedule.

Source: Microsoft expected to patch a serious security bug affecting all Windows versions today (via Neowin)

SwissMiss posted a topic in Security & Privacy News

iOS 13 Bug Lets 3rd-Party Keyboards Gain 'Full Access' — Even When You Deny

Following the release of iOS 13 and iPadOS earlier this week, Apple has issued an advisory warning iPhone and iPad users of an unpatched security bug impacting third-party keyboard apps.

On iOS, third-party keyboard extensions can run entirely standalone without access to external services and thus, are forbidden from storing what you type unless you grant "full access" permissions to enable some additional features through network access. However, in the brief security advisory, Apple says that an unpatched issue in iOS 13 and iPadOS could allow third-party keyboard apps to grant themselves "full access" permission to access what you are typing—even if you deny this permission request in the first place.

It should be noted that the iOS 13 bug doesn't affect Apple's built-in keyboards or third-party keyboards that don't make use of full access. Instead, the bug only impacts users who have third-party keyboard apps—such as popular Gboard, Grammarly, and Swiftkey—installed on their iPhones or iPads, which are designed to request full access from users.

Though having full access allows app developers to capture all keystroke data and everything you type, it's worth noting that likely no reputable third-party keyboard apps would by default abuse this issue. Even if that doesn't satisfy you, and you want to check if any of the installed third-party keyboards on your iPhone or iPad has enabled full access without your knowledge by exploiting this bug, you can open the Settings → General → Keyboard → Keyboards.

Apple assured its users that the company is already working on a fix to address this issue, which it plans to release in its upcoming software update. Until Apple comes up with a fix, you can mitigate this issue by temporarily uninstalling all third-party keyboards from your device just to be on the safer side.

Source: iOS 13 Bug Lets 3rd-Party Keyboards Gain 'Full Access' — Even When You Deny

The AchieVer posted a topic in Security & Privacy News

Severe security bug found in popular PHP library for creating PDF files

Vulnerability patched last year, but many websites and web apps will most likely remain vulnerable for years.

A security researcher has found a severe security flaw in one of the internet's most popular PHP libraries for creating PDF files. The vulnerability impacts TCPDF, one of the "big three" PHP libraries --together with mPDF and FPDF-- for converting HTML code to PDF docs or assembling PDF files on the fly.

The security flaw can be exploited by an attacker to achieve "remote code execution" on websites and web apps that use the TCPDF library, allowing a threat actor to run malicious code and potentially take over these systems.

The vulnerability, per se, is actually a variation of another researcher's discovery. The initial flaw was found by Secarma researcher Sam Thomas who in a series of experiments showcased a new deserialization bug affecting PHP apps over the summer of 2018. He released a research paper detailing PHP serialization attacks against the WordPress and Typo3 CMS platforms, but also the TCPDF library embedded inside the Contao CMS.

HOW THE NEW TCPDF ATTACK WORKS

In a blog post published over the weekend, an Italian security researcher who goes online as Polict revealed a new PHP serialization flaw impacting TCPDF in the same way as the one discovered by Thomas last year.

Polict says the vulnerability he found can be exploited in two ways. The first case is on websites that allow user input to be part of the PDF file generation process, such as when adding names or other details inside invoices. The second is on websites that contain cross-site scripting (XSS) vulnerabilities where an attacker can plant malicious code inside the HTML source code that will be fed to the TCPDF library to convert into a PDF.

The trick is to supply malformed data to the TCPDF library. This data is modified in such a way to force the TCPDF library to call the PHP server's "phar://" stream wrapper, and later abuse the PHP deserialization process to run code on the underlying server.

It's a very complex attack routine, and it requires advanced PHP coding knowledge to exploit. Deserialization exploits, in general, are hard to uncover and they're the bane of many programming languages, including Ruby, Java, and .NET --besides PHP.

FLAW FIXED IN V6.2.20... ERM... V6.2.22

The researcher says he reported the vulnerability (CVE-2018-17057) to the TCPDF library author last August. The TCPDF team released TCPDF 6.2.20 in September to address the issue. However, users should update to at least version 6.2.22 because the TCPDF team accidentally re-introduced the vulnerability reported by Sam Thomas while attempting to patch the one reported by Polict. Both issues were deemed resolved in version 6.2.22.

The Italian security researcher published details about this vulnerability only today, six months after the patch, because of the bug's severity and to allow website and web app owners enough time to patch.

The TCPDF library is one of today's most popular PHP libraries and has been used all over the place --in standalone websites, in content management systems (CMSs), CMS plugins, CMS themes, enterprise intranets, CRMs, HRMs, invoicing solutions, many PDF-centered web apps, and others.

Patching isn't as easy as it sounds. In some cases, this might mean replacing a file and editing a build instruction, but in other places, this might require rewriting large swaths of code.

Source