This Month in Cybersecurity - June 2024

Hey passbolt community!

Welcome to the “This Month in Cybersecurity - June 2024” edition. :wave:

This month, we’ve seen some interesting developments, from alarming vulnerabilities in popular tools like Visual Studio Code to critical updates on open-source projects. As always, our goal is to keep you informed and prepared to tackle these evolving threats. We know your time is valuable, so we’ve summarized the key highlights to ensure you’re up-to-date with the most crucial news. Let’s dive in! :closed_lock_with_key: :newspaper:

1. Nasty bug with very simple exploit hits PHP just in time for the weekend

A critical vulnerability in PHP allows attackers to execute malicious code on Windows servers, particularly those using the XAMPP platform. Discovered by security researchers at Devcore, the vulnerability (CVE-2024-4577) stems from how PHP converts Unicode characters to ASCII through a Windows feature called Best Fit. The bug lets attackers bypass previous protections and inject commands into PHP processes. Researchers have noted active scanning for vulnerable servers and urge admins to apply patches or mitigation measures immediately. Affected PHP versions include 8.3, 8.2, 8.1, and the unsupported versions 8.0, 7, and 5, so prompt action is needed to secure systems.

Date: Jun 7, 2024
Source: Ars Technica
Author: Dan Goodin

2. Meta pauses AI Training on EU user data amid privacy concerns

Meta has paused its plans to use public content from Facebook and Instagram for AI training in the EU after a request from the Irish Data Protection Commission. Meta had planned to use this data without explicit user consent, relying on “Legitimate Interests,” but faced regulatory pushback. The company expressed disappointment, stating that this delay hampers European AI innovation and competition. Meta plans to work with regulators to address privacy concerns while asserting that their practices are transparent and compliant with laws. The pause follows complaints about GDPR violations and concerns from UK regulators.

Date: Jun 15, 2024
Source: The Hacker News
Author: Newsroom

3. Polyfill supply chain attack hits 100K+ sites

The Polyfill JS project, widely used to support older browsers, experienced a supply chain attack after being acquired by a Chinese company. The attackers injected malware into the code served via the cdn.polyfill.io domain, impacting over 100,000 websites. This malware specifically targets mobile users, redirecting them to a fake Google Analytics site and other malicious domains. Major users like JSTOR, Intuit, and the World Economic Forum were affected. In response, Cloudflare and Namecheap have taken measures to mitigate the risk, and experts recommend removing references to polyfill.io from websites.

Date: Jun 25, 2024
Source: Sansec
Author: Sansec Forensic Team

4. Apple patches AirPods Bluetooth vulnerability that could allow eavesdropping

Apple has released a firmware update to address a critical authentication vulnerability (CVE-2024-27867) in various AirPods and Beats models, which could allow attackers in Bluetooth range to spoof connections and gain unauthorized access. This flaw, discovered by Jonas Dreßler, has been patched in recent firmware updates. Additionally, Apple addressed 21 vulnerabilities in visionOS, including a significant denial-of-service flaw in the WebKit browser engine reported by Ryan Pickren, who demonstrated how it could be exploited to forcefully spawn persistent 3D objects without user interaction, bypassing Apple’s permissions model.

Date: Jun 26, 2024
Source: The Hacker News
Author: Newsroom

5. CISA: Most critical open source projects not using memory safe code

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported that over half of 172 critical open-source projects analyzed contain code written in memory-unsafe languages, increasing susceptibility to memory-related vulnerabilities. This report, co-signed by the FBI and cybersecurity agencies from Australia and Canada, follows a December 2023 initiative to promote memory-safe coding. Despite the risks, developers often resort to memory-unsafe languages due to performance needs, particularly for low-level functions. CISA recommends developers adopt memory-safe languages like Rust, Java, and Go, and emphasizes the importance of safe coding practices, dependency management, and rigorous testing to mitigate these issues.

Date: Jun 26, 2024
Source: Bleeping Computer
Author: Bill Toulas

6. Abusing VSCode: From Malicious Extensions to Stolen Credentials

Recent research highlights vulnerabilities in Visual Studio Code (VSCode) that adversaries can exploit through malicious extensions. By creating and publishing malicious extensions to the VSCode marketplace, attackers can execute arbitrary code, establish command and control channels, and steal credentials from developers. These extensions exploit VSCode’s integration with various services and its lack of sandboxing, allowing full access to sensitive data and functionalities. Additionally, weaknesses in VSCode’s SecretStorage API and Electron’s safeStorage API, including the use of a hardcoded password fallback in Chromium on Linux, further expose user credentials to potential theft. These vulnerabilities underline how important it is for developers to install only trusted extensions and for the VSCode ecosystem to improve its security measures.

Date: Jun 26, 2024
Source: Control Plane
Author: Kevin Ward & Fabian Kammel

Conclusion

Thanks for catching up with us in this month’s cybersecurity roundup. We hope these updates provide you with valuable insights and actions to consider. :earth_americas: :computer:
The recent vulnerabilities in Visual Studio Code are particularly concerning—have you encountered similar security issues in your tools? We’d love to hear your experiences and thoughts. :thinking:

Head over to the passbolt community forum to share your stories and join the discussion. If there’s any important news we missed, don’t hesitate to post it in the “In the News” section: In the news - Passbolt community forum.
Let’s keep the conversation alive and stay informed together!

3 Likes
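
For item 3 (the Polyfill supply chain attack), an added example that is not part of the original post: one way to find references to polyfill.io in a page before removing them. The function and class names are hypothetical and the sample markup is constructed. Hosts are matched exactly, so lookalike URLs are not flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED = "polyfill.io"  # domain the roundup item recommends removing
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""")

def host_is_blocked(url):
    """True only if the URL's host is polyfill.io or one of its subdomains."""
    if url.startswith("//"):  # protocol-relative reference
        url = "https:" + url
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a bracketed non-IPv6 host
        return False
    return host == BLOCKED or host.endswith("." + BLOCKED)

class RefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, where, url)
    def handle_starttag(self, tag, attrs):
        # src/href cover <script>, <link rel=preconnect|preload>, <iframe>, ...
        for name, value in attrs:
            if name in ("src", "href") and value and host_is_blocked(value.strip()):
                self.findings.append((self.getpos()[0], tag, value.strip()))
    def handle_data(self, data):
        # Text nodes, including inline <script> bodies that build the URL in JS.
        for m in URL_RE.finditer(data):
            if host_is_blocked(m.group()):
                line = self.getpos()[0] + data.count("\n", 0, m.start())
                self.findings.append((line, "inline", m.group()))

def scan(html_text):
    finder = RefFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page; the lookalike URLs on lines 3-4 must not be flagged.
SAMPLE = """<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<link rel="preconnect" href="//polyfill.io">
<script src="https://cdn.example.com/polyfill.io/bundle.js"></script>
<script src="https://polyfill.io.example.net/p.js"></script>
<script>
  var s = document.createElement("script"); s.src = "https://cdn.polyfill.io/v2/polyfill.js";
</script>"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Run `scan()` over rendered templates as well as static files, since the reference is often injected by a theme or tag manager rather than written in the page source.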