New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware on Your Device

Yet again, WhatsApp is experiencing troubles related to the security infrastructure of its messaging platform. Last month, the company quietly patched another critical vulnerability which allowed a malicious actor to compromise devices remotely.

The vulnerability, CVE-2019-11931, is a stack-based buffer overflow issue that resides in the way WhatsApp parses the stream data of an MP4 file. This vulnerability results in denial-of-service or remote code execution attacks in which an attacker can steal secure chat messages and files you store in the application.

To exploit the vulnerability, an attacker first develops a malicious MP4 file and sends it to a vulnerable user. The file then installs a malicious backdoor on the device without the user’s knowledge.

The vulnerability affects all users of WhatsApp, including those on Apple iOS, Android, and Microsoft Windows devices.

According to a statement by Facebook, the affected app versions include:

Android versions before 2.19.274

iOS versions before 2.19.100

Enterprise Client versions before 2.25.3

Windows Phone versions before and including 2.18.368

Business for Android versions before 2.19.104

Business for iOS versions before 2.19.100


TSX Speculative Attack Allows Theft of Sensitive Data from Latest Intel CPUs

A new vulnerability, CVE-2019-11135, which affects the latest Intel CPUs, has been disclosed, and criminals can exploit it to launch a TSX Speculative attack.

Transactional Synchronization Extensions (TSX) is a feature within Intel processors that adds hardware transactional memory support. The TSX feature has been implemented within all Intel CPUs manufactured since 2013.

A local attacker or malicious code can exploit this feature to steal sensitive information from the operating system kernel. This type of attack also targets speculative execution, which works to improve performance within the processors.

Researchers discovered that “aborting memory transactions may allow processes to compute the data found in other running processes, including operating system kernel data. An attacker could exploit the flaw to steal sensitive data, including passwords and encryption keys.”

You can find technical details on the Zombieload website.
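A defender's check for this issue on Linux, as an added example that is not part of the original article: the kernel reports its CVE-2019-11135 (TSX Asynchronous Abort) status in sysfs, and the script below combines that status with the rtm/hle CPU flags into a triage verdict. The sample inputs are constructed, and the verdict names are this example's own.

```python
from pathlib import Path

# Linux sysfs file with the kernel's CVE-2019-11135 (TSX Asynchronous Abort) status.
TAA_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort")

def tsx_flags(cpuinfo_text):
    """Return the TSX feature flags (rtm, hle) advertised in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags") and ":" in line:
            return {"rtm", "hle"} & set(line.split(":", 1)[1].split())
    return set()

def assess(status, cpuinfo_text):
    """Map the sysfs status and CPU flags to a verdict (verdict names are this example's)."""
    status = status.strip()
    head, _, smt = status.partition(";")  # optional suffix, e.g. "; SMT vulnerable"
    if head == "Not affected":
        verdict = "ok"
    elif head.startswith("Mitigation:"):
        # Buffer clearing does not protect against a sibling hyper-thread.
        verdict = "review-smt" if smt.strip() == "SMT vulnerable" else "ok"
    elif head.startswith("Vulnerable"):
        verdict = "action-needed"  # microcode and/or kernel mitigation missing
    else:
        verdict = "unknown"
    return {"verdict": verdict, "tsx_flags": sorted(tsx_flags(cpuinfo_text)),
            "status": status}

def assess_host():
    """Assess the local machine; None if the kernel does not expose the file."""
    if not TAA_SYSFS.exists():
        return None
    return assess(TAA_SYSFS.read_text(), Path("/proc/cpuinfo").read_text())

# Constructed sample inputs (status string, cpuinfo excerpt), not taken from real hosts.
SAMPLES = [
    ("Mitigation: Clear CPU buffers; SMT vulnerable\n", "flags\t\t: fpu rtm hle avx2\n"),
    ("Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
     "flags\t\t: fpu rtm avx2\n"),
    ("Mitigation: TSX disabled\n", "flags\t\t: fpu avx2\n"),
    ("Not affected\n", "flags\t\t: fpu avx2\n"),
]

if __name__ == "__main__":
    for status, cpuinfo in SAMPLES:
        print(assess(status, cpuinfo))
    print("this host:", assess_host())
```

When the kernel disables TSX, the rtm and hle flags disappear from /proc/cpuinfo, which is why the third sample reports an empty flag list.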

Chrome, Edge, Safari Hacked at Elite Chinese Hacking Contest

China’s top hacking competition, Tianfu Cup, is a two-day event, similar to Pwn2Own, where Chinese security researchers test zero-days against some of the most popular applications used throughout the world.

On the first competition day, 32 hacking sessions were scheduled; of these, 13 were successful, seven failed, and 12 sessions were abandoned. According to ZDNet, security researchers were successful in breaking into:

(3 successful exploits) Microsoft Edge (the old version based on the EdgeHTML engine, not the new Chromium version)

(2) Chrome

(1) Safari

(1) Office 365

(2) Adobe PDF Reader

(3) D-Link DIR-878 router

(1) qemu-kvm + Ubuntu

The organizers of the event plan to report all bugs to the respective organizations when the competition finishes.

On the second day, eight out of the 16 sessions were successful. Successful exploits targeted:

(4) D-Link DIR-878

(2) Adobe PDF Reader

(1) VMWare Workstation

Team360Vulcan won the competition, earning them $382,500 for hacking “Microsoft Edge, Microsoft Office 365, qemu+Ubuntu, Adobe PDF Reader, and VMWare Workstation.”