Issue 24

Critical flaw in Microsoft's anti-malware engine. Emergency patch released.

A flaw was found in Windows' malware scanning engine, which is used in Windows Defender among others. It can be trivially exploited without user interaction. Microsoft released an emergency patch within 48 hours. The flaw was found by Tavis Ormandy, again, with colleague Natalie Silvanovich.


The Intel AMT flaw is worse than thought

AMT's regular authentication mechanism flat out doesn't work, allowing you to log in with an empty password and take full sysadmin control. According to Shodan, 8.500 servers are Internet-exposed and vulnerable.


HandBrake mirror server hacked, application tainted with malware

HandBrake, the popular video transcoding app for Mac, was breached. If you installed HandBrake between May 2nd and May 6th, there is a 50% change of being infected by the Proton malware. HandBrake's original announcement can be seen here.


Hackers divert SMS verification messages to breach bank accounts

Hackers were able to use a flaw in the mobile phone protocol SS7 to forward two-factor SMS messages to a number under their control. They used it to log in to bank accounts and transfer money.
The article goes on to explain how SS7 is insecure, and with it SMS-based 2fa verification.


Google provides status update on open-source fuzzing service

OSS-Fuzz has found over 1,000 bugs, including several security vulnerabilities in SQLite, Wireshark and others. Google will reward large open-source projects between $1,000 and $20,000 to integrate with the service, to encourage increased security.


FTC publishes security guides for small businesses

They explain what to do in a data breach, what some basic security measures need to be, and more. Might be worth a look.


Troy Hunt: Password reuse, credential stuffing and another billion records in Have I been pwned

Great blogpost by Troy Hunt with regards to his "Have I Been Pwned" service. He discusses a new set of 1 billion breached accounts that he has added, explains what 'credential stuffing' means, and more. Nothing extremely specific, but just a really fascinating read :-)


Lyrebird: spoof other people's voices

Lyrebird is a service that duplicates anyone's voice based on samples it processed. Similar to Adobe Voco that I linked to a while ago. It's not perfect yet, but it's quite scary to realise that voices will soon be very easily faked.