Login
If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.
Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.
“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”
Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.
Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important,” which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.
Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.
Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.
“This along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,” McCarthy said. “Microsoft has updated their backend and notified any customers who have been affected by the credential leakage.”
CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDI’s researchers found this vulnerability being exploited in the wild, although Microsoft doesn’t currently list CVE-2024-29988 as being exploited.
“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”
Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.
Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.
“However, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”
For links to individual security advisories indexed by severity, check out ZDI’s blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.
Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.
KrebsOnSecurity needs to correct the record on a point mentioned at the end of March’s “Fat Patch Tuesday” post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps won’t use AI to auto-scan your documents, as the original language in its FAQ suggested.
“In practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,” Adobe said earlier this month.
Article tags
Internet shopping has become an integral part of our daily lives, providing convenience, variety, and easy price comparisons. However, with this convenience comes potential risks. This article explores the dos and don’ts of online shopping to help you navigate this virtual marketplace safely and effectively.
Online shopping offers an amazing array of benefits. It saves time and effort, provides a platform where product comparison becomes a breeze, and allows us to avoid queues and crowds. Not to mention – it’s open all day, every day. However, it also exposes consumers to cyber threats, misinformation, and poor quality or non-existent products. This is why it is crucial to follow certain guidelines when buying online.
In this article, we will explore various dos and don’ts of online shopping centered around security, payment methods, product audits, return policies, and online behavior. The ultimate goal is to help you become a savvy, risk-aware internet shopper.
To make the most of your online shopping experience and secure your transactions, it’s crucial to adhere to some essential ‘do’s. These simple guidelines not only enhance your safety and satisfaction but also ensure a seamless and enjoyable transaction process.
Your first line of defense when shopping online should be to stick to well-known and trusted retailers. These retailers have established secure online shopping platforms and have robust security measures in place. They also typically have reliable customer support and return policies that protect you as the buyer. Online marketplaces such as Amazon, eBay, and Alibaba also provide customer protection mechanisms for purchases made through their platforms.
However, this does not mean you should completely avoid lesser-known online stores. Many fantastic independent retailers sell online exclusively. The key is to conduct a bit of research on these stores before handing over your money. A quick Google search can help you find reviews and ratings from other customers.
→ Dig Deeper: 8 Ways to Know If Online Stores Are Safe and Legit
Another important tip for safe online shopping is to use secure payment methods. Credit cards and secure online payment services, such as PayPal, have added security measures that protect you from fraud. Such services also often provide dispute resolution services in case something goes wrong with your transaction. When using a credit card, make sure you monitor your statements regularly for any suspicious charges.
→ Dig Deeper: PayPal Users: Here’s What You Need to Know About the New Phishing Scam
Furthermore, avoid using debit cards for online shopping as they lack many of the protections that credit cards provide. If a scammer gains access to your debit card information, they may have the ability to drain your bank account before you even notice.
McAfee Pro Tip: Do you use a digital wallet for online purchases? A digital wallet, or mobile wallet, is a smartphone app that securely stores payment information for tap-to-pay transactions at most point-of-sale terminals. Your digital wallet is secure as long as you safeguard your smartphone with the same level of attention as you would your physical wallet. If you use one, we have some tips to improve your digital wallet’s security.
One fundamental practice to uphold security is to exclusively patronize secure websites. These are platforms that have implemented robust measures to protect the confidentiality and integrity of the data exchanged during your online interactions. Shop only on secure websites that have a valid SSL certificate. Look for “https://” in the URL and a padlock icon in the address bar to ensure your personal information is protected.
The importance of using unique passwords for each online account cannot be overstated. In the event that one of your passwords is compromised, having distinct credentials for different platforms ensures that the security breach is contained, limiting potential damage. Reusing passwords across multiple accounts creates a vulnerability where a single compromised password could lead to unauthorized access to various aspects of your digital life.
Use a strong password, one that combines a mixture of uppercase and lowercase letters, numbers, and symbols and creates a complex sequence that is challenging for malicious actors or automated programs to decipher. Avoid easily guessable information such as birthdays, names, or common words.
Understanding the “Don’ts of Online Shopping” is as crucial as embracing the dos. From avoiding potential pitfalls to safeguarding your personal information, these guidelines serve as a compass, steering you away from common missteps that could compromise your online shopping journey.
Public Wi-Fi networks may be convenient, but they are often insecure. This makes it easy for cybercriminals to intercept your data, including credit card information or login details. So, as a rule of thumb, avoid making online purchases when you’re connected to public Wi-Fi.
→ Dig Deeper: Why You Need to Watch Out When Using Public Wi-Fi
Remember also to be cautious about which websites you visit and what personal information you provide while on public Wi-Fi. Even seemingly harmless activities, like checking email, can expose you to risks if a hacker is spying on your connection.
While shopping online, you might run into deals that seem too good to be true – and often, they are. Extremely low prices can be a sign of a scam, especially if they’re found on an obscure website. Be wary of online stores that require payment via wire transfer, provide vague or non-existent contact information, or have lots of negative reviews.
Keeping your devices, such as your computer, smartphone, or tablet, updated with the latest software is a simple but effective way to maintain a secure online shopping environment. Software updates often include patches for security vulnerabilities that have been discovered by the developers. By not updating your software, you are leaving your devices open to these vulnerabilities, which can be exploited by cybercriminals. Hence, always ensure that your devices are running the latest software versions.
In case of mobile devices, consider installing a trusted security app to help protect you from potential threats. These apps can help detect malware, prevent phishing attempts, and provide a host of other security features to keep you safe while shopping online.
→ Dig Deeper: Why Software Updates Are So Important
If you must shop online while on a public network, use a virtual private network (VPN) to encrypt your activity. A VPN is a tool that can provide an extra layer of security when you are shopping online. A VPN encrypts your internet connection, making your online activity invisible to anyone who might be snooping around, including hackers, your Internet Service Provider (ISP), or even the government. This can especially come in handy when you are shopping on a public Wi-Fi network, as mentioned earlier.
However, it’s important to choose a VPN carefully. Some VPNs can slow down your internet connection significantly or, worse, fail to provide the promised security features. Hence, always opt for a well-renowned and trusted VPN service provider.’
Return and refund policies are something you should never ignore while shopping online. These policies clarify what you can expect if the product turns out to be unsatisfactory, defective, or not as described. So, before making a purchase, always take the time to read and understand the return or refund policy of the online store. Avoid shopping from sites that have unclear, unfair, or non-existent return policies, as this could leave you stuck with unsatisfactory products.
Additionally, always print or save a copy of your order confirmation and receipt. This can be crucial for returning a product or disputing a charge in your credit card statement.
Phishing is a common online scam where cybercriminals trick you into providing sensitive information, such as your credit card details, by pretending to be a trustworthy entity. Often, these scams come in the form of fake emails or texts that look like they’re from reputable companies. Be wary of such communication, especially if it asks for personal or financial details.
Always verify whether the email or text is genuine by contacting the company through their official contact details. Never click on links from suspicious emails as this can also lead to malicious websites designed to steal your information. Remember, reputable companies will never ask for sensitive information through emails or texts.
Online shopping can be a convenient and enjoyable experience, but it also comes with its own set of risks. By following the dos and don’ts highlighted in this article, you can drastically reduce these risks and safeguard yourself from potential cyber threats. Remember to always stay vigilant while shopping online. Be aware of the common scams, stick to trusted retailers, and always protect your personal and financial information.
Improve your online shopping experience with McAfee+, which goes beyond traditional antivirus measures and provides an integrated suite of tools that shield your personal and financial information from evolving cyber threats!
The post Online Shopping: The Dos and Don’ts appeared first on McAfee Blog.
Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.
.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.
Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.
“The .US ‘nexus’ requirement theoretically limits registrations to parties with a national connection, but .US had very high numbers of phishing domains,” Interisle wrote. “This indicates a possible problem with the administration or application of the nexus requirements.”
Dean Marks is emeritus executive director for a group called the Coalition for Online Accountability, which has been critical of the NTIA’s stewardship of .US. Marks says virtually all European Union member state ccTLDs that enforce nexus restrictions also have massively lower levels of abuse due to their policies and oversight.
“Even very large ccTLDs, like .de for Germany — which has a far larger market share of domain name registrations than .US — have very low levels of abuse, including phishing and malware,” Marks told KrebsOnSecurity. “In my view, this situation with .US should not be acceptable to the U.S. government overall, nor to the US public.”
Marks said there are very few phishing domains ever registered in other ccTLDs that also restrict registrations to their citizens, such as .HU (Hungary), .NZ (New Zealand), and .FI (Finland), where a connection to the country, a proof of identity, or evidence of incorporation are required.
“Or .LK (Sri Lanka), where the acceptable use policy includes a ‘lock and suspend’ if domains are reported for suspicious activity,” Marks said. “These ccTLDs make a strong case for validating domain registrants in the interest of public safety.”
Sadly, .US has been a cesspool of phishing activity for many years. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDOS etc.) and illicit or harmful content. Back then, .US was being operated by a different contractor.
In response to questions from KrebsOnSecurity, GoDaddy said all .US registrants must certify that they meet the NTIA’s nexus requirements. But this appears to be little more than an affirmative response that is already pre-selected for all new registrants.
Attempting to register a .US domain through GoDaddy, for example, leads to a U.S. Registration Information page that auto-populates the nexus attestation field with the response, “I am a citizen of the US.” Other options include, “I am a permanent resident of the US,” and “My primary domicile is in the US.” It currently costs just $4.99 to obtain a .US domain through GoDaddy.
GoDaddy said it also conducts a scan of selected registration request information, and conducts “spot checks” on registrant information.
“We conduct regular reviews, per policy, of registration data within the Registry database to determine Nexus compliance with ongoing communications to registrars and registrants,” the company said in a written statement.
GoDaddy says it “is committed to supporting a safer online environment and proactively addressing this issue by assessing it against our own anti-abuse mitigation system.”
“We stand against DNS abuse in any form and maintain multiple systems and protocols to protect all the TLDs we operate,” the statement continued. “We will continue to work with registrars, cybersecurity firms and other stakeholders to make progress with this complex challenge.”
Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target.
“Ironically, at least 109 of the .US domains in our data were used to attack the United States government, specifically the United States Postal Service and its customers,” Interisle wrote. “.US domains were also used to attack foreign government operations: six .US domains were used to attack Australian government services, six attacked Great’s Britain’s Royal Mail, one attacked Canada Post, and one attacked the Denmark Tax Authority.”
The NTIA recently published a proposal that would allow GoDaddy to redact registrant data from WHOIS registration records. The current charter for .US specifies that all .US registration records be public.
Interisle argues that without more stringent efforts to verify a United States nexus for new .US domain registrants, the NTIA’s proposal will make it even more difficult to identify phishers and verify registrants’ identities and nexus qualifications.
In a written statement, the NTIA said DNS abuse is a priority issue for the agency, and that NTIA supports “evidence-based policymaking.”
“We look forward to reviewing the report and will engage with our contractor for the .US domain on steps that we can take not only to address phishing, but the other forms of DNS abuse as well,” the statement reads.
Interisle sources its phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. For more phishing facts, see Interisle’s 2023 Phishing Landscape report (PDF).’
Update, Sept. 5, 1:44 p.m. ET: Updated story with statement provided today by the NTIA.
woo-1200
FreshRSS