Security News
VMware this week informed customers that it has patched a high-severity information disclosure vulnerability affecting its Workstation, Fusion and vSphere virtualization products. The flaw, tracked as CVE-2020-3960, was reported to VMware by Cfir Cohen, a researcher from Google's cloud security team.
Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned. In order to validate the certificate the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.
Canada's Citizen Lab laboratory has uncovered a hacks-for-hire phishing operation targeting anyone from political activists and oligarchs to lawyers and CEOs that hit more than 10,000 email inboxes over seven years. The North American outfit claims to have traced the so-called Dark Basin campaign to an Indian firm called BellTroX InfoTech Services - which denies all wrongdoing.
Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports. Some Honda factories around the world were forced to suspend production, though output from Turkey, India, USA and Brazil locations remain on hold at the time of writing.
An online voting system approved in three US states is vulnerable to manipulation by hackers and may not protect ballot secrecy, according to an analysis by security researchers. The report comes with election officials scrambling following the outbreak of the coronavirus pandemic to enable remote voting in the November election to limit risks from crowded polling stations.
Members of Cisco's Talos threat intelligence and research group have identified two vulnerabilities in the Zoom client application that can allow a remote attacker to write files to the targeted user's system and possibly achieve arbitrary code execution. CVE-2020-6109 is related to the way Zoom processes GIF image files.
A team of researchers in Carnegie Mellon University's CyLab have developed a prototype IoT security and privacy "Nutrition label" that performed well in user tests. To develop the label, the team consulted with a diverse group of 22 security and privacy experts across industry, government, and academia.
For more than five months, Lastline security researchers have tracked the evolution of malicious Excel 4.0 macros, observing the fast pace at which malware authors change them to stay ahead of security tools. A central part of many organizations' productivity tools, Excel opens the door for phishing attacks where victims are tricked into enabling macros in malicious documents, which can results in the attackers gaining a foothold on the network, in preparation for additional activities.
"Don't spread disinformation and right now, all signs point to just that - the alleged Minneapolis Police Department 'breach' is fake," he wrote, in an analysis posted on Monday, adding that the data is likely not from the MPD at all, but rather a collection of widely available credentials from earlier breaches, and possibly some made-up combinations, that have been assembled into a new database for the purpose of perpetrating this hoax. Passwords like the all-lowercase "Linkedin"; "Le"; PIN-like passwords like "1603"; and the notoriously insecure "Password," "Qwerty" and "123456" are all represented.
An attacker exploiting the vulnerability could have taken over user accounts on the affected third-party applications, regardless of whether the victim was using a valid Apple ID or not, security researcher Bhavuk Jain explains. In the second step, the user is provided with the option to share the Apple Email ID with the third-party app.