Security News
Google on Thursday announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. The tech giant pointed to Open Source Insights as a tool for analyzing packages and their dependency graphs, using it to determine "Whether a vulnerability in a dependency might affect your code."
A growing number of Google Chrome users on Android in Russia are reporting errors when attempting to install the latest update for the web browser. According to Russian news outlets and numerous user comments on the Play Store, the issues started on May 9th, 2022, when Google released Chrome version 101 for Android.
Researchers have discovered several URL spoofing bugs in Box, Zoom and Google Docs that would allow phishers to generate links to malicious content and make it look like it's hosted by an organization's SaaS account. The vulnerabilities arise from a lack of validation of so-called vanity URLs, and they allow attackers with their own SaaS accounts to change the URL of the pages hosting malicious files, forms and landing pages, so as to maximize their potential to trick users.
The rise in the use of search engines to deliver malware over the past 12 months provides insight into how adept some attackers have become at SEO. Malware downloads referred by search engines were predominantly malicious PDF files, including many malicious fake CAPTCHAs that redirected users to phishing, spam, scam, and malware websites. The report also found that most malware over the past 12 months was downloaded from within the same region as its victim, a growing trend that points to the increasing sophistication of cybercriminals, who more frequently stage malware to avoid geofencing filters and other traditional prevention measures.
A new set of trojanized apps spread via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices. Despite continued attempts on the part of Google to scale up its defenses, the apps have been continually iterated to search for gaps and slip into the app store undetected.
Google has released monthly security patches for Android with fixes for 37 flaws across different components, one of which is a fix for an actively exploited Linux kernel vulnerability that came to light earlier this year. Tracked as CVE-2021-22600, the vulnerability is ranked "High" for severity and could be exploited by a local user to escalate privileges or deny service.
Google is now blocking Russian users and developers from downloading or updating paid applications from the Google Play Store starting Thursday due to sanctions. "As part of our compliance efforts, Google Play is blocking the downloading of paid apps and updates to paid apps in Russia starting May 5, 2022," the company said in an update on its support website.
A bug in Google Docs is causing it to crash when a series of words is typed into a document opened with the online word processor. A Google Docs user, Pat Needham, brought up the issue on the Google Docs Editors Help forum.
"This will simplify sign-ins across devices, websites, and applications no matter the platform - without the need for a single password," Google said. The new Fast IDentity Online sign-in system does away with passwords entirely in favor of displaying a prompt asking a user to unlock the phone when signing into a website or an application.
Microsoft, Apple and Google - all longtime proponents of doing away with passwords for authentication purposes - are throwing their support behind standards developed by the FIDO Alliance and the World Wide Web Consortium that could eliminate the passphrases completely. Microsoft said there are 579 password attacks every second, or about 18 billion a year, and many of them are successful, mainly because people have a tendency to pick poor passwords or reuse them across multiple accounts.