vulnerability – Page 2

A massive security vulnerability dubbed ‘Log4Shell’ that potentially impacts millions of devices has security teams scrambling to apply patches.

The vulnerability affects an open-source logging library called ‘log4j’ used by apps and services across the internet, according to The Verge. Logging, for those not familiar, is a common process where apps keep a running list of activities they perform that can be reviewed later in case of an error. Nearly every network security system runs some kind of logging process — that gives libraries like log4j significant reach and, by extension, huge impact when there’s a vulnerability like this.

The log4j flaw could allow remote code execution on vulnerable servers if exploited. That could give attackers the ability to import malware that would compromise machines.

Worse, the vulnerability is fairly easy to exploit. Attackers need to make an application save a special string of characters in the log — since apps often log a range of events, covering everything from chat messages to system errors — it’s not hard to inject the string.

For example, the exploit was first spotted on sites hosting Minecraft servers. Those sites discovered that attackers could trigger Log4Shell by posting chat messages. A new version of Minecraft that rolled out Friday includes a patch for the vulnerability.

However, Minecraft is far from the only impacted service. A blog post from security company LunaSec claims that Valve’s popular PC gaming platform Steam and Apple’s iCloud are both vulnerable to Log4Shell. Other vulnerable platforms will likely be discovered in the coming weeks.

The Verge reports that an update released for the log4j library mitigates the vulnerability. However, considering the sheer number of impacted apps and services, and the time it’ll take to update everything, Log4Shell will remain a significant problem.

Source: Ars Technica, The Verge

Vulnerabilities in the artificial intelligence (AI) and audio processing components of recent MediaTek chips could have allowed eavesdropping on device owners. However, the flaw was reportedly never exploited in the wild.

MediaTek has fixed the vulnerabilities as of October, according to Check Point Research (via Android Police). While resolved, the vulnerabilities were quite serious and impacted a wide range of devices. As of Q2 2021, MediaTek powered about 43 percent of the worldwide smartphone market, making it the number one phone chip manufacturer by volume.

Although a list of impacted devices and/or chipsets wasn’t made available, Android Police reports that it sounds like the vulnerabilities affected modern MediaTek Dimensity chips and other MediaTek chips that use the ‘Tensilica’ APU platform.

In total, Check Point found four vulnerabilities that, when exploited together, could allow an app to pass commands to the audio interface. In other words, a malicious app could interact with the audio interface in ways that it shouldn’t be able to do and, in some cases, could even hide malicious code in the audio chip itself.

Researchers claim that malicious apps could have eavesdropped on customers using the vulnerability. Worse, device manufacturers could have used to create an eavesdropping campaign. However, the vulnerabilities weren’t caught being exploited in the wild.

In a statement to Android Police, MediaTek said:

“Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

If your phone has a MediaTek chip in it, you should make sure to install the latest security updates if you haven’t already.

Source: Check Point Research Via: Android Police