
Spotify Informs Users of Personal Information Exposure
2020-12-11 14:16

Spotify this week started informing users that their personal information might have been inadvertently shared with some of the company's business partners. "We deeply regret to inform you that your Spotify account registration information was inadvertently exposed to certain of Spotify's business partners. Firstly, we want to apologize that there has been an incident," the company told users.

Ad-injecting malware hijacks Chrome, Edge, Firefox
2020-12-11 14:15

When searching for things online, has a greater number of ads than usual been popping up at the top of your search results? If it has, and you're using Microsoft Edge, Google Chrome, Yandex Browser, or Mozilla Firefox, you might have fallen prey to the ad-injecting Adrozek malware. The malware modifies browser extensions by adding malicious scripts to them, which fetch additional scripts to inject advertisements into search results.

Subway email weirdness: Suspicion grows over apparent Trickbot trojan delivery campaign
2020-12-11 14:15

Subway patrons in the UK received suspicious emails this morning and infosec researchers fear this is linked to the theft of customer details - and a Trickbot malware campaign. "I've just had an email purporting to be from Subway and sent to an address used only for Subway," Reg reader Alan told us.

Industry Reactions to FireEye Breach: Feedback Friday
2020-12-11 13:49

Reading the proprietary FireEye information can help the adversary understand what parts of the attacker's arsenal have been figured out by FireEye and what haven't, thereby providing invaluable intelligence that can be used to refine the attacker's arsenal. Reading FireEye's playbook may also provide the nation-state actor clues on new tools they should develop to neutralize FireEye tools and tactics, techniques and procedures.

Samsung fixes critical Android bugs in December 2020 updates
2020-12-11 13:08

This week Samsung has started rolling out Android's December security updates to mobile devices to patch critical security vulnerabilities in the operating system and related components. This comes after Android had published their December 2020 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.

A Cybersecurity Policy Agenda
2020-12-11 12:57

The Aspen Institute's Aspen Cybersecurity Group - I'm a member - has released its cybersecurity policy agenda for the next four years. The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society.

Cisco Patches Wormable, Zero-Click Vulnerability in Jabber
2020-12-11 12:44

Three months after addressing a critical flaw in Jabber for Windows, Cisco released patches for a similar vulnerability in the video conferencing and instant messaging client. The bug, which exists because the content of messages is not properly validated, affects both Jabber for Windows and Jabber for macOS. "An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution," Cisco explains.

Microsoft Office security updates fix critical SharePoint RCE bugs
2020-12-11 12:39

Microsoft has addressed critical remote code execution vulnerabilities in multiple SharePoint versions with this month's Office security updates. Redmond also issued the December 2020 Patch Tuesday security updates, with security updates for 58 vulnerabilities, nine of them rated as Critical.

France Fines Google, Amazon 135 Mn Euros
2020-12-11 12:19

France's CNIL data privacy watchdog slapped 135 million euros in fines on US tech titans Google and Amazon for placing advertising cookies on users' computers without consent. The 100-million-euro fine against Google is the largest sanction the regulator has ever imposed, which it justified by the fact 90 percent of French internet users use the firm's search engine.

PoC Released for Unpatched Windows Vulnerability Present Since 2006
2020-12-11 11:45

Details and a proof-of-concept exploit have been released for an unpatched privilege escalation vulnerability in Windows related to the PsExec administration tool. According to Wells, the vulnerability is a local privilege escalation issue that can be exploited by a non-admin process to elevate privileges to SYSTEM when PsExec is executed remotely or locally on the targeted computer.