20th Feb 2018 security roundup

Huge security flaw in Microsoft’s Edge browser which won’t be fixed until the end of March

FedEx leaks 119,000 customer identities including photos

Mac OS X has security flaw which allows any app to take a screenshot and see passwords

Google has released details of a bug in the Edge browser, which comes with Windows 10. The bug was reported to Microsoft in November with a 90-day cut-off for a fix to be implemented; however, Microsoft has failed to fix the issue. The problem allows malicious JavaScript to execute and predict memory space, which in turn allows the hackers to insert their own software when the browser thinks it’s still executing the JavaScript.

Microsoft has advised Google that “because of the complexity of the fix, they do not yet have a fixed date set as of yet”, which is surprising, as Google provided a great amount of detail on the bug.

FedEx recently bought and shut down a company that stored 119,000 pieces of scanned customer IDs on an Amazon cloud server which was not secured, leaving the scans online for anyone to find. FedEx bought Bongo International, which specialised in allowing North American companies to sell overseas, in 2014. In April 2017 FedEx closed the company but did not perform an audit on its data-handling.

FedEx say they can’t find any trace of someone accessing the data. Kromtech, who made the discovery, think the data may have been online since 2009.

Mac apps run in a sandbox to aid security and control what resources they can access. However, one function they can all access is the screenshot function, which they can use without user intervention, and so monitor what you are doing, including the usernames and passwords you use.

Here are the potential threats:

  • Read passwords and keys from password managers
  • Detect what web services you use (e.g. email provider)
  • Read all emails and messages you open on your Mac
  • When a developer is targeted, this allows the attacker to potentially access sensitive source code, API keys or similar data
  • Learn personal information about the user, like their bank details, salary, address, etc.

There is currently no solution to this problem.
