Security News > 2023 > April

The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on Friday.

Apple's App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices.Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves.

Owners of MSI-brand motherboards, GPUs, notebooks, PCs, and other equipment should exercise caution when updating their device's firmware or BIOS after the manufacturer revealed it has recently suffered a cyberattack. In a statement shared on Friday, MSI urged users "To obtain firmware/BIOS updates only from its official website," and to avoid using files from other sources.

On Friday, U.S. Cybersecurity and Infrastructure Security Agency increased by five its list of security issues that threat actors have used in attacks, three of them in Veritas Backup Exec exploited to deploy ransomware. Of the five vulnerabilities that CISA added to the catalog of Known Exploited Vulnerabilities today, only one was rated critical, an issue in Veritas' data protection software tracked as CVE-2021-27877 that allows remote access and command execution with elevated privileges.

Vas pup April 7, 2023 5:56 PM. The phones that detect earthquakeshttps://www. "Google's Android operating system have on-board accelerometers - the circuitry which detects when a phone is being moved. These are most commonly used to tell the phone to re-orientate its display from portrait to landscape mode when it is tilted, for example, and also helps provide information about step-count for Google's onboard fitness tracker."

The issue was discovered by Federico Andres Lois while reviewing the tweet recommendation engine that's said to power Twitter's For You timeline. According to Lois's study of the engine bug he found, coordinated efforts to unfollow, mute, block and/or report a targeted user applies global reputation penalties to the account that are practically impossible to overcome based on how Twitter's recommendation algorithm treats negative actions.

Apple has released emergency security updates to address two new zero-day vulnerabilities exploited in attacks to compromise iPhones, Macs, and iPads. Last week, Google TAG and Amnesty International exposed two recent series of attacks using exploit chains of Android, iOS, and Chrome zero-day and n-day flaws to deploy mercenary spyware.

A new Proofpoint report indicates that in late 2022, threat actor TA473 targeted elected officials and staffers in the U.S., as well as experts in European politics and economics. TA473 is a threat actor, known since 2021, that has targeted several countries aligned against the interests of Belarus and Russia; the group is also known as Winter Vivern for some security companies and governmental entities.

IPFS is a peer-to-peer network protocol designed to provide a decentralized and distributed web. In a usual phishing case, the target is enticed to visit a fraudulent phishing page that will steal their credentials and possibly their credit card information; however, this fraudulent page can be hosted on IPFS and accessed via a gateway.

Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. The researchers who found that the VM2 library handled improperly the host objects passed to the 'Error.