In brief Google on Friday released an emergency update for Chrome to address a zero-day security flaw.
The vulnerability, tracked as CVE-2023-2033, can be exploited by a malicious webpage to run arbitrary code in the browser. Thus, surfing to a bad website with a vulnerable browser could lead to your device being hijacked. Exploit code for this hole is said to be circulating, and may well be in use already by miscreants.
This high-severity type-confusion bug is present in at least Chrome for desktop versions prior to 112.0.5615.121. Google released that version on April 14 for Windows, Mac, and Linux to close the security hole, which lies in the V8 JavaScript engine.
That new version should be installed as soon as possible, either automatically or manually.
The vulnerability was found and reported by Clément Lecigne of Google’s Threat Analysis Group on April 11, according to the web giant. “Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the outfit added. This fix would be the first zero-day in Chrome squashed by Google this year.
Full details on how exactly the bug could be or was exploited have not yet been released.
The updated Chrome also includes “various fixes from internal audits, fuzzing and other initiatives.”
Extortionists demand eight-figure sum from Western Digital to not release ‘10TB of data’
Miscreants claiming to be behind a ransomware infection at disk-maker Western Digital earlier this month said they have yet to be ejected from the company’s systems, and are willing to leave, keep any stolen data under wraps, and share how they got in with WD if paid a ransom of at least eight figures.
The apparent thieves, who spoke to TechCrunch earlier this week, said they made off with what they claim to be around 10 terabytes of internal data from the company, including customer and employee information. Cryptographic keys were also reportedly found in the trove, giving crims the ability to digitally sign certificates as Western Digital and therefore create malicious files and pass them off as legit WD materials.
The attackers also made off with data from Western Digital’s SAP Backoffice instance, emails, and files stolen from other cloud services, it is claimed. None of the info was encrypted.
The perpetrators’ goal is apparently to make money by threatening further damage to Western Digital systems, more releases of company data, or otherwise making life difficult for the company.
“We only need a one-time payment, and then we will leave your network and let you know about your weaknesses. No lasting harm has been done. But if there are any efforts to interfere with us, our systems, or anything else. We will strike back,” the attackers allegedly told Western Digital in an email.
Western Digital has mostly stayed quiet about the attack, which the company disclosed on April 2. According to WD’s statements, the attack was identified on March 26, and was being investigated.
TechCrunch said WD wouldn’t provide any updates or verify the crooks’ claims, and that the miscreants would only share that they “exploited vulnerabilities within their infrastructure and spidered our way to global administrator of their [Microsoft] Azure tenant,” to pull the attack off.
The self-identified attackers also wouldn’t claim affiliation with any attack group, but said that if Western Digital doesn’t respond to their requests soon they’ll publish stolen data on a website belonging to the Alphv ransomware gang.
As of Wednesday, Western Digital reports access to its My Cloud service, which had been offline since the attack, has been restored. Western Digital hasn’t released any update on its investigation status since first reporting the break-in.
Critical vulnerabilities of the week
Last week was Patch Tuesday week, so most recent critical vulnerabilities were covered already at The Register. But a few more critical-rated nasties emerged in industrial control systems that merit a mention.
- CVSS 9.8 – CVE-2023-28489: Siemens SICAM A8000 devices running firmware versions prior to CPCI85 contain a command injection vulnerability that could give an unauthenticated remote attacker RCE capabilities.
- CVSS 9.8 – Multiple CVEs: Siemens SCALANCE XCM332 devices running software prior to version 2.2 are vulnerable to an exploit chain that can cause denial-of-service and lead to code execution, data injection and unauthorized access.
- CVSS 9.8 – Multiple CVEs: Siemens SCALANCE X-200, X-200IRT and X-300 families are running firmware (varied per product) that’s vulnerable to an integer overflow or wraparound bug that could lead to memory corruption.
- CVSS 8.3 – CVE-2020-14521: Multiple Mitsubishi Electric Factory Automation software products contain a malicious code execution vulnerability that an attacker could use to steal or modify data and cause denial-of-service.
Patches are available for vulnerabilities listed above. You know the drill – go patch ’em.
Industry actors step up to protect good faith hackers
Tech industry actors, including the likes of Google and Intel, announced a project last week to create a legal environment that’s more favorable for good-faith security researchers, plus another to help foot the bills for researchers caught in a lawsuit.
Bug bounty platform HackerOne announced the formation of the Hacking Policy Council in collaboration with the Center for Cybersecurity Policy and Law. The Council’s operations will see it “advocate for policies encouraging vulnerability detection, management, and disclosure best practices and improved protections for good faith security research,” HackerOne said.
Along with founding members Intel, Bugcrowd and others, Google said it’s throwing its weight behind the Hacking Policy Council, citing the need for ensuring that “we get [disclosure reporting] laws right.”
Google described the Council as “a group of like-minded organizations and leaders who will engage in focused advocacy to ensure new policies and regulations support best practices for vulnerability management and disclosure, and do not undermine our user’s security.”
Google said it’s also providing seed funding for the Security Research Legal Defense Fund, which will “fund legal representation for individuals performing good-faith research in cases that would advance cybersecurity for the public interest,” the search giant said.
According to the Fund’s website, it won’t provide direct representation to researchers asking for help, but will provide legal referrals and funding to researchers who demonstrate financial need, aren’t engaged in any illegal behavior like extortion, are acting in good faith and who meet board approval.
Like the Hacking Policy Council, the Defense Fund is being coordinated by the Center for Cybersecurity Policy and Law. It’s not immediately clear when funding would be available, as the Fund’s website said it’s applying for 501(c)(3) nonprofit status and “plans to begin operations in the coming months.” ®