Latest News


Two Windows Privilege Escalation Vulnerabilities Exploited in Attacks

Microsoft’s July 2019 Patch Tuesday updates fix nearly 80 vulnerabilities, including two Windows zero-day flaws and six issues whose details were previously made public.

One of the zero-day vulnerabilities is CVE-2019-0880, which Microsoft describes as a local privilege escalation issue related to how the splwow64.exe component in Windows handles certain calls.

Splwow64.exe is designed to allow 32-bit applications to use a 64-bit printer spooler service on 64-bit versions of Windows.

“An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity,” Microsoft said in its advisory. “This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.”

Marriott Faces $123 Million GDPR Fine Over Starwood Data Breach

After fining British Airways with a record fine of £183 million earlier this week, the UK's data privacy regulator is now planning to slap world's biggest hotel chain Marriott International with a £99 million ($123 million) fine under GDPR over 2014 data breach.
This is the second major penalty notice in the last two days that hit companies for failing to protect its customers' personal and financial information compromised and implement adequate security measures.
In November 2018, Marriott discovered that unknown hackers compromised their guest reservation database through its Starwood hotels subsidiary and walked away with personal details of approximately 339 million guests.

Over 1,300 Android Apps Caught Collecting Data Even If You Deny Permissions

Smartphones are a goldmine of sensitive data, and modern apps work as diggers that continuously collect every possible information from your devices.
The security model of modern mobile operating systems, like Android and iOS, is primarily based on permissions that explicitly define which sensitive services, device capabilities, or user information an app can access, allowing users decide what apps can access.
However, new findings by a team of researchers at the International Computer Science Institute in California revealed that mobile app developers are using shady techniques to harvest users' data even after they deny permissions.

Post-Data Breach, British Airways Slapped With Record $230M Fine

A record $230 million fine has been proposed against British Airways after a 2018 data breach impacted 500,000 of the airline’s customers. If approved, the fee would be the biggest General Data Protection Regulation (GDPR) fine to be issued to a company so far.

On Monday, the Information Commissioner’s Office (ICO), a U.K. privacy watchdog organization, said it will fine British Airways £183.39 million ($230.5 million) for infringements of GDPR. Privacy experts say that the penalty represents a “wake-up” call for companies when it comes to ramifications for data privacy incidents.

“Companies need to do a better job assessing and managing the risk associated with third parties in their cyber supply chain,” Matan Or-El, CEO of Panorays said in an email. “The £183 million fine that British Airways is facing is likely just the tip of the iceberg for what is to come, and should serve as a wake-up call for organizations that GDPR is here and being enforced.”

17-Year-Old Weakness in Firefox Let HTML File Steal Other Files From Device

Except for phishing and scams, downloading an HTML attachment and opening it locally on your browser was never considered as a severe threat until a security researcher today demonstrated a technique that could allow attackers to steal files stored on a victim's computer.
Barak Tawily, an application security researcher, shared his findings with The Hacker News, wherein he successfully developed a new proof-of-concept attack against the latest version of Firefox by leveraging a 17-year-old known issue in the browser.
The attack takes advantage of the way Firefox implements Same Origin Policy (SOP) for the "file://" scheme URI (Uniform Resource Identifiers), which allows any file in a folder on a system to get access to files in the same folder and subfolders.