Zero-day vulnerabilities top the list of security risks, especially since companies are often unaware of hackers using such bugs. Now, in a recent development, Qualcomm has discovered three zero-day vulnerabilities in its GPU and Compute DSP drivers, which could have been leveraged by threat actors in attacks.
According to Google’s Threat Analysis Group (TAG) and Qualcomm, they discovered 17 vulnerabilities in total, out of which thirteen were ‘high’ risk, showing potential for low or medium impact on target systems, while one was ‘medium’ risk. Qualcomm deemed the remaining three vulnerabilities, CVE-2023-33106, CVE-2023-33107, and CVE-2022-22071, as critical, posing a risk for targeted exploitation. While the company has not found evidence of threat actors using the vulnerabilities, it suspects hackers may have used them as spyware.
What do these vulnerabilities affect?
While Qualcomm has refrained from sharing specific details about the vulnerabilities, these involve corrupting memory in Qualcomm’s Modem component during the processing of security-related configurations. Additionally, they corrupt memory in the WLAN firmware and exploit a critical cryptographic issue in the Data Modem component during the copying of pmk cache memory without proper size checks.
Qualcomm’s response
In response to the vulnerabilities, Qualcomm has released security updates and notified phone makers, such as Samsung, urging them to deploy these updates as soon as possible. Moreover, the company stated that they plan to provide more information regarding the bugs in the December report.
In other news, ARM also discovered new GPU vulnerabilities yesterday, which allow threat actors to gain access to a user’s memory and use it for installing malware or other malicious payloads.
These incidents once again highlight the growing importance of implementing strict security measures. This includes quickly updating your phone for the latest security patches, monitoring for any apps using excessive battery, and carefully checking all the permissions an app requests.
A recently discovered vulnerability in Microsoft Office Word has raised concerns over the security of the popular productivity suite.
This security flaw, classified as a Cross-Site Scripting (XSS) vulnerability, allows attackers to execute arbitrary JavaScript code within a Word document.
DocumentFREE Demo
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
The XSS Vulnerability
Various Office products, including Microsoft Word, offer a feature that allows users to insert external videos into documents through the “Online Videos” tab.
The XSS Vulnerability
When a user attempts to play an external video embedded in a document, the Office checks to determine whether the source of the external video is trustworthy.
This check involves applying a regular expression to the video’s URL, which includes trusted sources like YouTube.
If the source is deemed trustworthy, the Office requests to fetch data such as the video’s title or thumbnail. However, the vulnerability arises in how Office handles the video’s title within the HTML iframe tag.
The server responds with information, including the video’s title, description, and the HTML iframe tag.
The issue is that the server adds the video’s title to the “title” attribute of the iframe tag without proper validation.
As a result, attackers can manipulate the iframe tag by adding an “unload” attribute, enabling them to inject arbitrary JavaScript code.
Exploitation
To exploit this vulnerability, an attacker can create a YouTube video with a title that includes a payload for inserting the “onload” attribute, reads the PKsecurity report.
Then, they insert the URL of this malicious video into a Word document using the Online Videos tab. When the video is played, the injected JavaScript code is executed.
Exploitation
Here is a simplified overview of the steps an attacker would take to exploit this flaw:
Create a YouTube video with a payload in the title.
Insert the URL of the malicious video into a Word document.
Set up a web server to serve malicious JavaScript code.
Implications
This vulnerability allows attackers to execute arbitrary JavaScript code when a video embedded in a Word document is played.
While it may not seem immediately alarming, it’s worth noting that past critical exploits in Office applications often began with the execution of arbitrary JavaScript.
Exploiting this vulnerability could potentially lead to a critical Remote Code Execution (RCE) vulnerability if combined with a new vulnerable Uniform Resource Identifier (URI).
This makes it crucial for Microsoft to address and patch this issue promptly. The Microsoft Office XSS flaw underscores the importance of keeping software up to date and being cautious about the content embedded in documents.
Users should be aware of potential security risks associated with video content, especially when it comes from untrusted sources.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.
This week, at its Made by Google event, the search giant announced the new Pixel 8 and Pixel 8 Pro. It also announced that these two phones would get updates for the next seven years. That’s Android OS updates, feature drops, security updates and AI innovations until October 2030. Which is pretty crazy, and that forced Google to dig deeper into how they provide updates to Pixel users.
Google said in their blog post about this move to seven years of updates, that they will no longer be pushing out updates on a specific day each month.
“We also dug into how we can deliver the highest quality, best tested updates to Pixel users on a consistent basis. As part of this effort, our security updates, bug fixes and feature updates won’t roll out on a specific day each month. Instead, we’ll deploy updates as soon as they’ve completed the necessary tests to ensure they improve the experience for all Pixel customers.”
Basically, instead of the first Monday of the month, announcing the new security update, it will instead be announced and start rolling out when it’s ready. That could be sooner or it could be later. This is a good thing for Google. Especially after how delayed some early updates were for the Pixel 6 and Pixel 7. It also means that Samsung may no longer be ahead of Google in pushing out updates.
7 years of updates is ludicrous
Google promising 7 years of updates for the new Pixel 8 series is pretty insane. So much so, that internally here at AndroidHeadlines it’s still hard to believe that this is really going to happen. Knowing how Google likes to ditch projects, they’ve never really stuck with anything for that long.
This is good to see, however. Previously, Apple was the king of updates (and Samsung on the Android side). Apple doesn’t promise updates for a certain number of years, instead they just keep updating their older phones. Since the iPhone 6s, most iPhones were getting six years of iOS updates. Samsung on the other hand, was doing four years of OS updates and five years of security updates. Now Google is almost doubling that, with seven years.
Now that doesn’t mean that the software is going to run as smoothly in 2030, as it does today, in 2023. But your phone will still be updated, and all security exploits patched. That’s excellent news.
It’s not much of a surprise when a large tech company develops an AI image generator. However, it’s shocking when a platform dedicated to human-created content develops one. Getty Images, a popular stock photo website, is soon to launch a generative AI image generator. While this is the case, the company is prioritizing safety for its creators (via The Verge).
During the latest Code tech conference, many figures in the tech community took to the stage to speak about their latest projects. Just recently, X CEO Linda Yaccarino spoke about Elon Musk’s plan to make X a fully paid platform. That conversation, however, sort of backfired.
Getty Images is launching a generative AI image generator
During the Code event, Getty Images CEO Craig Peters spoke about this new generative AI tool that the company is working on. As you can guess, this tool will use artificial intelligence to generate images based on text prompts. The tool hasn’t been released to the public just yet, but we’ve seen a few examples during the presentation. They have that classic AI image aesthetic.
While this seems like your run-of-the-mill AI image generator, Getty Images has plans to make this tool safer for the photographers on the platform. Getty Images has a workforce of photographers who capture professional-grade images for the company. While Peters didn’t state whether they were worried about this addition, one can imagine them not being too happy.
However, he did state that Getty Images plans on paying the photographers whose images contribute to the model. Right now, we don’t have too much information on how the company is going to do this, but Peters did say how it could work.
If a person purchases an AI-generated image, and it was trained on a photographer’s photo, then that photographer will get a small payment. The amount of money will be based on how much that image was influenced by the photo.
At the moment the payment structure could change before the official launch, so it’s not set in stone. In any case, it’s good to see that the company is looking to make it so that creators aren’t completely screwed with this deal. Thousands of photographers earn a living by going out and photographing different locations. The introduction of generative AI on their platform only further enhances the fears that creators have toward AI.
We will have to wait to see how this scenario plays out. You can watch the entire presentation below.
The widely adopted Atlassian Confluence has been discovered with a zero-day vulnerability, which could allow threat actors to create an admin account on the Confluence servers and perform malicious activities.
This particular issue has been reported by a lot of Atlassian customers and is known to be actively being exploited in the wild by attackers. The vulnerability is currently identified as CVE-2023-22515 and has a severity of 10.0 (Critical), as per Atlassian.
The details of this vulnerability haven’t been disclosed by Atlassian yet. However, as per reports, this vulnerability affects publicly accessible confluence data centers and servers in which threat actors were able to create unauthorized administrator accounts and access confluence instances.
DocumentFREE Demo
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.” reads the security advisory by Atlassian.
8.3.3 or later8.4.3 or later8.5.2 (Long Term Support release) or later
Source: Atlassian
Mitigation and Threat Detection
As part of mitigating this issue, Atlassian has recommended its users block access to the /setup/* endpoints on Confluence instances which can be done by the following steps,
modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
As part of threat detection, Atlassian has recommended its users check all affected Confluence instances for the following indicators of compromise:
unexpected members of the confluence-administrators group
unexpected newly created user accounts
requests to /setup/*.action in network access logs
presence of /setup/setupadministrator.action in an exception message in Atlassian-confluence-security.log in the Confluence home directory
For additional information, the Atlassian security advisory can be followed, which can be found here.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.
Gen Z fears violence. Adults fear identity theft. And only about one-third of everyone is using antivirus. These are the cybersecurity and online privacy findings in Malwarebytes’ latest research.
The “version history” of the internet was split by what we could do online—simple browsing across Web 1.0’s static web pages, instant connection throughout Web 2.0’s social platforms, and, into the future, potential new forms of ownership within Web 3.0’s dreams of decentralization.
But, as Malwarebytes has uncovered in new research, what we can do online produces its own, generational byproduct: Fear.
Gen Z, unlike any other age group, is most afraid of a vindictive internet that obtains their private photos and videos—and any personal details about sexual activity and mental health—and exposes it online for all to see. More than half worry that such exposure could hurt their relationships with family and friends (54%), and more than a third fear that it could lead to being bullied (36%) and physically harmed (34%).
By polling 1,000 internet users aged 13 – 77 in North America, Malwarebytes can now reveal, across all age groups and not just for Gen Z:
The 10 biggest concerns of going online, including hacked financial accounts, identity theft, and malware.
The 10 most common behaviors that can expose sensitive information to malicious actors, including sharing birthdays online, posting about children on social media, and participating in online giveaways that require personal details.
The worrying percentage of people who monitor their romantic partner online without consent.
The broad failure to use the most effective cybersecurity protections available, including antivirus, multi-factor authentication (MFA), and a password manager.
The eye-popping number of people who reuse passwords.
The most-feared and least-protected online threat (81% worry about it, only 13% do anything to stop it).
How many Gen Zers have used a generative AI tool, like ChatGPT, to cheat on a school assignment.
The uphill battle that cybersecurity companies face because of the number of people who think there’s “no point” in using cybersecurity products.
The internet is a constantly evolving space, and with new users—including many who are younger than the internet itself—the concerns, behaviors, and precautions around it will change. “Everyone’s afraid of the internet and no one’s sure what to do about it” provides an in-depth exploration into how people of all age groups approach their time online.
At first glance, the findings may look dour. The number of people who repeat passwords is too high. The number of people who use antivirus is too low.
And yet, within the data, there is opportunity.
Consider this: 41% of people said they “don’t fully understand how different cybersecurity products can protect me,” and 37% said “cybersecurity products only really help with things like viruses and malware.”
The next step, as usual, is education. Cybersecurity tools today provide far more protection against modern threats like malvertising and phishing, while related tools in online privacy can prevent online tracking.
We have the answers to safety. We can get there together.
The Google Pixel 8 Pro is a pretty stunning looking phone, especially in that Bay blue color. But the Porcelain and Obsidian colors are really good looking too, particularly because of that matte finish on the back. Now the camera bar is still glossy, and on the Bay color it’s actually a mirror-like finish, and will likely scratch up pretty easily. So you’ll want a case. And we’ve got you covered.
In this list of the best Google Pixel 8 Pro cases, we have rounded up the very best cases that are available right now. At launch, there’s quite a few cases missing, as they are not yet on sale. So we will be updating this post throughout the year with more and more cases that you should buy.
Bellroy Leather Case
The Bellroy Leather case for the Pixel 8 Pro is pretty stunning. It’s a really good leather case that does patina quite nicely. It has a nice microfiber lining too. It comes in four colors: Slate Blue, Black, Terracotta, and Simply Taupe. The Slate Blue looks really good on the Bay color Pixel 8 Pro. This is a $55 case, which is pretty standard for leather cases across all smartphones.
This leather case will do a good job at keeping your phone nice and protected, especially that camera bar. As there is a lip around the camera bar, to keep it from getting scratched up. That’s always good to see.
This case from Mous is definitely stunning. It’s their Limitless 5.0 Walnut Case, which is $64.99. It’s quite pricey, but this is walnut they’re using here. So the price isn’t surprising.
What might be surprising here is, MagSafe support. That’s right, Mous has included the MagSafe magnet, so all of your MagSafe accessories from the iPhone will work on the Pixel 8 Pro. Even ahead of Qi2 being supported.
Case-Mate has an interesting looking clear case here, it’s their Touch of Pearl case, which has some bling and sparkle to it. This case is going to set you back $49.99. But it is definitely unique.
This case does have drop protection of about 12-feet. It also will still work with wireless charging, so you won’t have to worry about ditching your wireless charger.
Google is also offering some cases for the Pixel 8 Pro, including this one. It’s a soft-touch silicon case that actually is a big upgrade over last year’s model. This is going to cost you $34.99, and it comes in five colors: Bay, Coral, Mint, Porcelain and Charcoal. The Coral color can only be found at the Google Store.
This case is going to help safeguard your Pixel 8 Pro from any drops or scratches, and it also looks good while doing it. These do match the colors of the Pixel 8 Pro, so it’ll look like you have no case one, but you do. The inside has a nice soft microfiber lining which feels really nice and will keep your phone scratch-free.
The TUDIA DualShield Grip is a dual-layer shockproof case for the Google Pixel 8 Pro and it is just $19.99. Making it one of the cheaper cases on this list. Definitely worth picking up at that price too. It comes in five colors, including Indigo Blue, Green Lily, Matte Black, Pine Green and Smokey Pink.
This is a dual-layer case, which means that it is a bit thicker than some others here. But it has a hard shell, with a soft lining on the inside, to protect your phone from drops. With a softer and more grippy outer layer. That is going to help keep your phone in your hands, instead of falling out of them.
Those that are fans of clear cases, here is a good option for you. This is the Caseology Capella Crystal Clear Case. It’s a clear one, that costs just $20.99.
This is a good looking case, that has been drop tested to a military grade. So it will do a good job of protecting your new Pixel 8 Pro as well. There is also a nice lip over the cameras, that will keep the camera bar from getting scratched up. While also protecting the cameras as a whole.
The Caseology Parallax has long been a favorite here at AndroidHeadlines for cases. It’s a really neat looking case, with plenty of texture on the back to make it easy to hold onto. And it’s fairly inexpensive, at $21.99. This one does come in three colors: Matte Black, Bay Blue and Ash Gray.
Like the other Caseology cases on this list, this has been Military Grade Drop Tested. So you can slap this onto your new Pixel 8 Pro and not worry about it getting damaged if you drop your phone.
If you’re looking for something that has a bit of color, than the Caseology Nano Pop is the one for you. This case is $21.99 and comes in three colors: Black Sesame, Blueberry Navy and Burgundy Bean.
This is a two-tone case that looks like it is a dual-layer, but it is actually not. Which makes it thinner than those other dual layer cases on this list. It is still going to do a good job of protecting your new Google Pixel 8 Pro, however. Since it has been Military Grade Drop Tested. So you can be at ease with this case on your phone.
Huawei managed to upset quite a few people in the US government, it seems. The US Commerce Secretary, Gina Raimondo, finds Huawei’s chip progress “incredibly disturbing”, Bloomberg reports.
The US Commerce Secretary sees Huawei’s chip progress as “incredibly disturbing”
According to the report, Raimondo thinks that her department needs more ways to control things. She believes that more tools are needed to enforce an export-control regime.
While talking to a Senate Commerce Committee, she said that “different tools” are needed, while clarifying that “additional resources around enforcement” are required.
She basically highlighted a stalled legislative proposal that would expand her department’s authority over technology transactions. Well, it would do that only for technology transactions that are found to pose national security risks.
The Kirin 9000s SoC managed to ruffle some feathers in the US
Raimondo did not share any information on her probe into a new Huawei smartphone which is fueled by the chip in question. As a reminder, the Huawei Mate 60 series, and the Mate X5, are all fueled by the Kirin 9000s, Huawei’s new 7nm processor.
That processor was made by SMIC, and it seemingly doesn’t break any restrictions put in place by the US. The two companies managed to go around all that. The US found that hard to believe, which is why they’re investigating the issue.
Raimondo did mention the largest-ever fine that her department imposed earlier this year. That fine has to do with selling items to Huawei without a license. She also added that her department is as “tough as it needs to be”, but that it “needs more resources”.
It’s also worth noting that, last month, Raimondo said that she sees no evidence Huawei can develop advanced 7-nanometer chips at scale. Still, she believes that the controls need to be tightened as soon as possible.
This situation definitely does not help the US-China relations, which the two countries are attempting to improve.
Really Simple Systems exposed its database publicly without any password or security authentication.
KEY FINDINGS
Cybersecurity researcher Jeremiah Fowler discovered an unprotected database belonging to Really Simple Systems.
The database contained over 3 million records, making countless companies and customers associated with Really Simple Systems vulnerable to diverse online threats.
Many impacted businesses are located in the UK, USA, EU, and Australia.
Exposed data includes medical records, credit reports, identification documents, tax documents, legal documents, etc.
A global CRM (customer relationship management) systems provider, Really Simple Systems, has suffered a data security incident in which more than 3 million customer records were exposed to the public without any password or security authentication.
These records were stored in an unprotected database discovered by cybersecurity researcher Jeremiah Fowler of vpnMentor.
Fowler had access to limited sampling, which indicated that a wide range of documents belonging to organizations from different sectors/sizes were part of the leaked database. Most were well-reputed, high-profile organizations, located in EU countries, the USA, the UK, and Australia.
One of the passports among the trove of leaked information (vpnMentor)
Fowler wrote that most exposed records can be considered ‘highly sensitive’ for exposing PII data (personally identifiable information). These records were publicly accessible to any user with an internet connection.
The exposed data includes internal communications/invoice records and customers’ CRM files containing valuable user data such as names, phone numbers, addresses, email IDs, and payment information.
Further probing revealed that the database also contained medical records, real estate contracts, identification documents, credit reports, disability claims, tax/legal documents, and non-disclosure agreements.
Many of the documents contained Social Security Numbers and tax identification numbers. One of the client folders had a large collection of confidential child psychological assessment files.
Moreover, many internal document templates belonging to Really Simple Systems were part of the database and contained billing data, emails, invoices, service agreements, etc. One of the folders belonged to a managed educational platform offering school management services.
After discovering the database, Fowler sent a responsible disclosure notice. The school management service’s folder was removed from public access on the same day, whereas other folders remained accessible online for a few more days. Fowler then sent a follow-up email to the CRM solutions provider, in response to which the company stated:
“As of Tuesday 29th August, we, at the CRM Success Team, understand that: Further settings changes/code changes are being applied to further resolve, over the next few days. The relevant company directors and GDPR officers have been notified, by the development manager”.
Real Simple Reason
There’s no clarity over how long this database remained exposed or whether someone accessed it before the company restricted access.
Really Simple Systems has launched an investigation and has improved its security mechanisms to prevent such incidents in the future. Impacted customers have been notified and requested to monitor their credit reports and change passwords.
Google has patched 53 vulnerabilities in its Android October security updates, two of which are known to be actively exploited.
Google has patched 53 vulnerabilities in its Android October security updates, two of which are known to be actively exploited. Google’s security bulletin notes that there are indications that these two vulnerabilities may be under limited, targeted exploitation.
If your Android phone is at patch level 2023-10-06 or later then the two issues discussed below have been fixed. The updates have been made available for Android 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.
The Cybersecurity & Infrastructure Security Agency (CISA) has already added these two actively exploited vulnerabilities to its catalog of known to be exploited vulnerabilities. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities before a given due date. CVE-2023-4863 was due on October 4, 2023 and CVE-2023-4211 has to be patched by October 24, 2023.
You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also manually check for updates.
For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs listed as actively exploited are:
CVE-2023-4863: a heap buffer overflow in libwebp which affects many applications that use this library to encode and decode images in the WebP format, allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
This is a vulnerability that impacts many applications, which we have discussed at length in our article explaining how it was used to install spyware. The vulnerability is patched if your phone is at patch level 2023-10-05.
But the next one isn’t. Your phone needs to be at patch level 2023-10-06 for that.
CVE-2023-4211: a local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory. This vulnerability affects multiple versions of Arm Mali GPU drivers which are used in a broad range of Android device models, including on Android phones developed by Google, Samsung, Huawei, and Xiaomi, as well as in some Linux devices. A GPU is a specific type of chip mostly used for graphics-related tasks, such as rendering images and videos, but also for resource-heavy calculations, such as training artificial intelligence and crypto-mining.
Normally Google uses two different patch levels for each round of updates, so Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. The higher the patch level number, the more vulnerabilities will be fixed. In this round the only difference between patch levels 2023-10-05 and 2023-10-06 is the important patch for CVE-2023-4211.
In its own October security bulletin, chip manufacturer Qualcomm said that there are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation. It is unclear when patches for these issues will be included in security updates by the respective vendors.
Let’s hope that all these patches reach our devices soon.
We don’t just report on Android security—we provide it