ACTION ALERTS (multiple!)! (Patreon)

Here are several action alerts I ran across while planning out this week's episode of ThreatWire!! Click the links below to read more about each alert:

https://threatpost.com/google-mac-windows-chrome-zero-day/164759/

Google fixed yet another zero day flaw in Chrome that could allow for RCE and DOS attacks. If your browser hasn't updated yet, use these steps:

• Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
• If an update is available Chrome will notify users and then start the download process
• Users can then relaunch the browser to complete the update

https://threatpost.com/critical-security-smart-meter-offline/164753/

If you use the Schneider Electric PowerLogic ION/PM smart meters, this critical vulnerability could open them up to RCE or DOS attacks. Patches are now available in the updates released in January and March.

https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/

A new attack called RedXOR is targeting Linux systems for data exfiltration. The attack was detected by researchers at Intezer, so they recommend using their free tool for detection on your own networks.

https://www.bleepingcomputer.com/news/security/15-year-old-linux-kernel-bugs-let-attackers-gain-root-privileges/

Another Linux bug was also discovered - this one is 15 years old and was found in the iSCSI subsystem. It requires the attacker to have already gained access to the machine via another exploit, so it's not as critical. Patches ARE available.

https://www.cyberscoop.com/f5-critical-vulnerabilities-rce-patches/

F5 has released patches for several critical vulnerabilities in their enterprise network equipment that could allow for RCE. They did not report any active exploits using these flaws.

https://www.theverge.com/2021/3/9/22321733/t-mobile-privacy-policy-third-party-advertisers

T-Mobile will start sharing some customer info with third parties on April 26. Everyone will be opted in unless you manually opt out using the account privacy tools: https://www.t-mobile.com/privacy-center/take-control-of-your-data

https://www.bleepingcomputer.com/news/security/iphone-call-recorder-bug-gave-acess-to-other-peoples-conversations/

iOS app "automatic call recorder" or "acr call recorder" patched a bug which could allow anyone to access conversations recorded using these apps.

JUST PLAIN COOL:

https://www.theverge.com/2021/3/11/22320467/dashlane-one-click-password-changer-autofill-machine-learning

Dashlane has upgraded their one-click password changer! The new version is in beta.

https://www.theverge.com/2021/3/12/22327834/bitwarden-secure-text-file-transfer-encryption

Bitwarden has also just added text and file secure transfer - it's called Send. Paid users will be able to send both files and text messages, while free users can send just texts.

https://www.bleepingcomputer.com/news/software/7-zip-developer-releases-the-first-official-linux-version/

7-Zip is now officially available on Linux!!

https://www.bleepingcomputer.com/news/software/linux-foundation-unveils-sigstore-a-lets-encrypt-for-code-signing/

New code signing called Sigstore is now available for open source developers to verify their software and prevent supply chain attacks!

Keep an eye on the page tomorrow for this week's episode, feature 3 more stories about security and privacy news happening this week!