SHAREit fixes security holes
The app’s publisher issued an update to the SHAREit Android apps to fix glaring security holes. We reported last week that Trend Micro discovered the flaws months ago, but had not received any response from the SHAREit team. SHAREit says it only became aware of the security issues when Trend Micro went public with its filings. Regardless, the app had been left open to attacks that exploited its use of external storage on Android that could allow a malicious app to read all data sent to and from external storage, as well as execute arbitrary code. SHAREit had been download over a billion times from the Play Store, so this flaw could have impacted a large number of users, while being very hard to detect.
Organizations feel the impact of the Accellion exploit
The number of organizations impacted by a vulnerability in Accellion’s File Transfer Appliance software continues to grow. We previously reported that the law firm Jones Day was dealing with an extortion attempt linked to an Accellion breach. Now the Washington State Auditor’s Office reports personal data on one million applications for unemployment might have been accessed. The Reserve Bank of New Zealand and the Singapore telco Singtel also report related data leaks. Accellion says less than 50 customers were impacted, that it notified all customers using the software weeks ahead of public disclosure, and will replace its FTA software by April 30, with plans to migrate customers to its newer Kiteworks solution.
China spyware cribs the NSA
Security researchers at Check Point discovered this after analyzing features in a piece of China-linked malware it calls “Jian,” saying that they were so similar to tools leaked online from the National Security Agency in 2017 that they must be a direct copy. The security researchers say that Jian dates back until at least 2014, indicating the NSA has repeatedly lost control of its own malware over the years. Some in the security community have been critical of the NSA keeping discovered software exploits secret rather than patching them, saying this copied malware shows the danger in the strategy.
Brave browser leaks onion addresses
The Brave browser has a number of privacy focused features, including a Tor mode that lets users browse .onion domains inside Brave private browsing windows. However an anonymous security researcher claimed that the browser’s Tor mode was sending queries for .onion domains to public internet DNS resolvers rather than Tor nodes. These claims were later confirmed by reputable sources. After ZDNet initially published this story, Brave announced a fix would be delivered in the next stable release of the browser, having already been introduced in nightly builds two weeks ago.
Thanks to our episode sponsor, PlexTrac
Samsung now provides four years of security updates
The company committed to provide security updates to devices at least four years after their initial release, extending back to hardware originally released in 2019. This extends to even entry-level phones, although some lower end phones will be limited to quarterly security upgrades. Samsung previously offered two years of timely updates on premium phones, with a third year of security updates delivered on a quarterly basis.
Google ends political ad ban
Google informed its advertising partners that it will lift its ban on political ads on February 24th. Google had instituted the ban on January 13th as part of its “sensitive events” policy after violent events in the US Capitol on Jan. 6th. In order to resume buying ads, advertisers will need to use the self-service appeals tool in the Google Ads portal to have their existing ads re-reviewed. Facebook’s political ad ban that was put in place ahead of the US Presidential election is still in effect.
NurseryCam shuts down IoT camera service after hack
The Daycare camera product NurseryCam was informed its systems had been hacked by The Register, leading the company to inform parents and the 40 nurseries in the UK about the incident over the weekend. A hacker notified the Register that they had published real names, usernames, emails and SHA-1 hashed passwords from 12,000 NurseryCam accounts online, which were later verified as genuine. NurseyCam has suspended all camera service while it investigates the incident. The Register notes that NurseryCam’s parent company had been warned of insecure practices for years, which included unsecured FTP servers and using insecure URL parameters that would allow access to other users’ accounts by changing single characters.
Apple to make zero-click attacks harder
The beta for iOS 14.5 makes changes to how iOS secures code to make zero-click and sandbox escape attacks significantly harder. iOS 14.5 changes how the OS handles ISA pointers, which are part of a system that tells apps what code to run. In 14.5, ISA Pointers now fall under Apple’s Platform Security Guide, which cryptographically authenticates these pointers and validates them before they’re used. This authentication makes it harder to corrupt these pointers to manipulate objects in the system, a key for most zero-click and sandbox escape exploits.