Cyber Defense

This Month in Cybersecurity - September Edition

Windows Vulnerability Exploited as Zero-Day

Microsoft has recently highlighted a significant security vulnerability in Windows, known as CVE-2024-43461, which affects the retired Internet Explorer browser. Although Internet Explorer is no longer actively used, the underlying platform it relied on remains part of Windows and can still be reached by attackers. The vulnerability allows an attacker to run malicious code if a user inadvertently visits a harmful webpage or opens a tainted file. Because the flaw can mislead users about the true nature of a downloaded file, it was exploited in the wild before being patched in September 2024.

The issue was reported by Trend Micro's Zero Day Initiative, which explained that the vulnerability tricks users by concealing a file's actual extension, so that a harmful file appears harmless. Microsoft has linked this flaw to an earlier vulnerability, CVE-2024-38112, which was exploited in attacks by a sophisticated group known as Void Banshee.

To safeguard against these threats, Microsoft advises users to ensure they have installed both the July and September 2024 security updates, as these patches address the vulnerabilities and help protect against potential exploits.


WhatsApp View Once Fix Fails in One Week

Meta's attempt to secure WhatsApp's "View Once" feature, which allows users to send photos, videos, and voice recordings that disappear after being viewed, has been quickly undermined by white-hat hackers. Originally introduced in August 2021 as a privacy measure, the feature was intended to prevent recipients from saving or sharing content. However, researchers from the crypto wallet startup Zengo discovered a way to recover these supposedly self-destructing messages and publicly disclosed the flaw after Meta failed to respond to their earlier reports through its bug bounty program.

In response to the disclosure, WhatsApp modified its code to make the vulnerability harder to exploit, and the change initially appeared successful, as some users reported that their content-saving browser extensions no longer worked. However, Zengo's co-founder noted that the core issue remains unresolved: View Once messages are still delivered to clients that can read the media in full, so the workarounds continue to function.

Although Meta has indicated that a more comprehensive solution is in progress, the vulnerability persists, raising concerns about the effectiveness of the current measures and the company's communication with those who reported the issue.


Spyware Case Dropped Against NSO by Apple

Apple has decided to voluntarily dismiss its lawsuit against NSO Group, a maker of commercial spyware, citing concerns about exposing sensitive security information. Originally filed in November 2021, the lawsuit sought to hold NSO accountable for using its Pegasus tool to illegally target Apple users.

Apple noted that while its efforts and those of others have weakened NSO, the emergence of new malicious actors in the spyware industry poses additional risks. The company believes that continuing the lawsuit could jeopardize vital intelligence that helps protect users from such threats.

The decision to withdraw the lawsuit reflects broader changes in the spyware landscape: new vendors keep emerging, and existing ones adapt to avoid detection. Although NSO Group has been weakened by pressure from Apple and other organizations, the spyware market as a whole continues to evolve, which complicates efforts to combat it.

Apple remains committed to fighting against spyware, but it recognizes the potential risks involved in the legal process, which could inadvertently reveal valuable information to malicious actors.

Defensible Strategies

Learn from those who have been attacked

Access Sports Data Breach Impacts 88,000

Access Sports Medicine & Orthopaedics is notifying over 88,000 individuals that their personal and health information was compromised in a cyberattack. The New Hampshire-based organization detected suspicious activity on its network on May 10, 2024, and the ensuing investigation revealed unauthorized access to files containing sensitive data. The attack was attributed to a ransomware group known as Inc Ransom, which has targeted various sectors, including healthcare, and is known for encrypting systems and stealing data in order to extort ransom payments.

The breach exposed a range of personal information, including names, Social Security numbers, dates of birth, financial details, and medical records. Although Access Sports has stated that there is currently no evidence of misuse of this information, it is offering fraud protection services to those affected. The situation is concerning because Inc Ransom has claimed responsibility for the attack and has leaked significant amounts of the stolen data, including contracts and confidential documents, which further complicates matters for the affected individuals.


Class-Action Breach Suit Settled by 23andMe

Genetic testing company 23andMe has agreed to pay $30 million to settle a class action lawsuit related to a significant data breach that occurred in 2023. The breach affected about 6.4 million customers in the U.S., with hackers stealing sensitive data that was later found for sale on the dark web.

As part of the settlement, 23andMe will provide three years of privacy and medical monitoring services to those impacted. The breach specifically targeted Ashkenazi Jewish and Chinese customers, and the attacker had access to the company's systems for five months before the intrusion was discovered.

The settlement reflects 23andMe's challenging financial situation, exacerbated by the breach and ongoing litigation. The company has seen its stock value plummet and reported substantial losses, including a 34% drop in revenue year-over-year and a $69 million loss in a recent quarter. Despite these financial strains, 23andMe expects that around $25 million of the settlement will be covered by insurance, helping to mitigate the impact on its reserves.