Security News

Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities
2022-12-13 18:22

Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects. The Go-based tool, powered by the Open Source Vulnerabilities database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan said in a post shared with The Hacker News.

Google releases dev tool to list vulnerabilities in project dependencies
2022-12-13 18:00

Google has launched OSV Scanner, a new tool that allows developers to scan for vulnerabilities in open-source software dependencies used in their project. The scanner draws data from OSV.dev, the distributed vulnerability database for open source code that Google released in February 2021, to offer relevant information about known security issues affecting open-source code.

Google Adds Passkey Support to Chrome for Windows, macOS and Android
2022-12-12 14:24

Google has officially begun rolling out support for passkeys, the next-generation passwordless login standard, to the stable version of its Chrome web browser. This calls for websites to build passkey support on their sites using the WebAuthn API. Essentially, the technology works by creating a unique cryptographic key pair to associate with an account for the app or website during account registration.

New Google Chrome feature frees memory to make browsing smoother
2022-12-08 18:19

Google says the latest release of Chrome for desktop devices now comes with a new performance-boosting feature designed to free up memory and make web browsing smoother. The new feature, dubbed Memory Saver, will release up to 30% of all memory by suspending inactive tabs, freeing that system memory for use by active tabs.

Google: How Android’s Private Compute Core protects your data
2022-12-08 17:00

Google has disclosed more technical details about how Private Compute Core on Android works and keeps sensitive user data processed locally on protected devices. The isolation of PCC from all other apps is achieved by using the Android Framework API for all data inputs and outputs from and to the PCC, facilitated by permissions granted during OS installation.

Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers
2022-12-08 07:59

An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. "The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists, and human rights activists," TAG said in a Thursday analysis.

Google: State hackers still exploiting Internet Explorer zero-days
2022-12-07 17:20

Google's Threat Analysis Group revealed today that a group of North Korean hackers tracked as APT37 exploited a previously unknown Internet Explorer vulnerability to infect South Korean targets with malware. Once opened on the victims' devices, the document would deliver an unknown payload after downloading a rich text file remote template that would render remote HTML using Internet Explorer.

Google Chrome zero-day exploited in the wild (CVE-2022-4262)
2022-12-06 11:03

Google has patched CVE-2022-4262, a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome, which is being exploited by attackers in the wild. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Srinivas Sista, Technical program manager for Google Chrome, explained.

Google warns stolen Android keys used to sign info-stealing malware
2022-12-05 22:30

Compromised Android platform certificate keys from device makers including Samsung, LG and MediaTek are being used to sign malware and deploy spyware, among other software nasties. Googler Łukasz Siewierski found and reported the security issue and it's a doozy that allows malicious applications signed with one of the compromised certificates to gain the same level of privileges as the Android operating system - essentially unfettered access to the victim's device.

CISA orders agencies to patch exploited Google Chrome bug by Dec 26th
2022-12-05 22:06

The flaw was patched as an actively exploited zero-day bug in the Google Chrome web browser on Friday for Windows, Mac, and Linux users. In a security advisory published right before the weekend, Google said it "is aware of reports that an exploit for CVE-2022-4262 exists in the wild."