It’s Friday, the weekend has landed… and Microsoft warns of an Internet Explorer zero day exploited in the wild

Roundup: Welcome to another Reg roundup of security news.

Still using Internet Explorer? Don’t. There’s another zero-day

Microsoft let slip on Friday an advisory detailing an under-attack zero-day vulnerability (CVE-2020-0674) for Internet Explorer. The scripting engine flaw can be exploited to gain remote code execution on a vulnerable machine by way of a specially crafted webpage. The flaw can be mitigated by restricting access to the JavaScript component JScript.dll, and thus far there is no patch available.

“Microsoft is aware of this vulnerability and working on a fix,” the software giant noted.

“Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers. Microsoft is aware of limited targeted attacks.”

Unless you’re an enterprise still requiring IE for various apps, you should really consider moving off Exploder at this point. If you want to stay with Microsoft, there is the new Edge browser, or you can opt for Chrome, Firefox, Opera, Brave, or any number of other browser options.

In brief… A poorly configured Elasticsearch database left an app’s baby photos and videos accessible from the public internet. AMD has proposed SEV-SNP, that’s Secure Nested Pages, to further protect virtual machines from malicious cloud hosts.

MageCart crooks infect Australian fire fundraisers

An Australian family-run fishing gear shop raising money online for nearby Aussies caught up in the season’s devastating bush fires was among those hit by the latest wave of MageCart infections this month.

Fergo’s Tackle, based in Wollongong and Taren Point, in New South Wales, set up a page on its equipment web store where customers could donate cash via purchases, with the promise that “100% of all donations will go towards buying essential items (food, bedding, clothing, shelter etc.) for the victims of the fires” in Lake Conjola.

In a cruel twist of fate, the site – like many others – was infected by a variant of the card-skimming malware MageCart, as spotted by The Malwarebytes Threat Intelligence Team and confirmed by El Reg.

The shop has told The Register the offending code has been removed, which is true. Malwarebytes says the domain being used to aggregate the card data collected by the scripts has also been taken down. So hopefully all the other sites hit by this strain of MageCart are also now protected.

Grindr accused of misusing personal data

A report out of Norway claims that dating app Grindr – and a handful of other mobile apps – are illegally exposing user information to third-party advertisers.

The report claims that a violation of GDPR has occurred in the way the apps collect user habits and then sell them to advertisers who use the information to create detailed profiles on users.

“There are very few actions consumers can take to limit or prevent the massive tracking and data sharing that is happening all across the internet,” the report reads.

“Authorities must take active enforcement measures to protect consumers against the illegal exploitation of personal data.”

WeLeakInfo no longer living up to its name

US prosecutors say that the FBI has seized the domain of pilfered data-selling site WeLeakInfo.

The FBI joined a number of European law enforcement agencies to take down both the site and its operators: police in Northern Ireland and the Netherlands have arrested people they believe to be the administrators of the site.

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” prosecutors said of the site.

“The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months).”

Georgia election server hacked in 2014

A new revelation has emerged in the battle over paperless voting systems in the US state of Georgia.

Politico reports that researchers found that, in 2014, one of the servers handling election reports was hacked.

While there is no evidence directly showing that elections were compromised, that hacked server was used to handle results in both the 2016 and 2018 elections.

FBI to notify US states of local election hacks

US state governments will now be informed when one of their city or county governments falls victim to election system hacks.

The Hill reports that an internal directive at the FBI instructs agents to make sure state governments (if they don’t already know) get word any time a network intrusion is reported.

While it’s hard to imagine a scenario where a local government doesn’t see fit to notify their state about an attack, the procedure will hopefully prevent any potential incidents from slipping through the cracks.

Stop us if you’ve heard this one: malicious apps sneak into Play Store

Yep, once again we have a report of an Android malware outbreak.

The team at BitDefender says it helped Google spot and remove 17 apps that were spreading “aggressive ads” on user devices once installed.

“While not malicious per se, the tactics they use to smuggle themselves into Google Play and dodge Google’s vetting system are traditionally associated with malware,” said BitDefender.

The 17 apps had an estimated 550,000 combined downloads. ®
