Time for another Threat Thursday, and this time it’s Apple and Microsoft’s turn for a major OS invasion. Elsewhere, there’s a double whammy of data breaches on popular online retailers.
Apple’s iOS 13.1 is Bad Luck for Privacy Buffs
Apple has confirmed that its recent 13.1 update for iPhone suffers from a location privacy bug that is impacting potentially millions of iPhone users.
The update, which specifically touts improved security and privacy features, is currently failing to remember users’ security settings, opting for defaulting to the ‘Ask Next Time’ option for location access requests, even if users select ‘Never’ as their preference. While not all apps are affected by the bug, Facebook – everyone’s favourite ravenous data slurper – is, so if you’re particularly protective of your personal data, maybe wait for Apple’s next update before entrusting its security provisions too readily. Thankfully, by the time you read this report, that fix should be available – so make sure you update your iPhone immediately.
Slightly more pressing is the OS’s lockscreen bypass exploit. Though only achievable through a specific set of actions, it could nonetheless compromise personal details that phone owners might want to keep private. If the iPhone receives a FaceTime call while in lockscreen, they are given access to Siri’s voiceover feature and, from here, can pull up a list of the phone’s contacts. This means the owner of a stolen phone can retrieve the rightful owner’s contact list, numbers and email addresses following a simple call.
Microsoft Issues Security Update for….*Squints*….Internet Explorer?
Internet Explorer’s been around for so many years now, you can forgive Microsoft for not wanting to let go - even as Edge succeeds it in almost every way. Nonetheless, Internet Explorer still finds an audience in users of legacy systems such as Windows 7 and Microsoft’s oft-derided Windows 8.1.
As such, Microsoft has issued a security update for this legacy software, designed to combat a vulnerability which could lead to potentially devastating results. The catchily-titled CVE-2019-1367 flaw could, at its most drastic, allow an attacker to run code, install programmes, view and edit files and create new user accounts, all while piggy-backing off the legitimate admin account.
Typically, we’d advise you to update your Internet Explorer if you’ve not moved to another browser. Yet with support for Microsoft’s older platforms dropping in 2020, we’d insist on moving to a new OS and internet browser altogether. Get yourself over to Microsoft 10 and use a browser such as Edge or Firefox as soon as possible – because while new security threats will pop up continually, security updates like these will not.
Mac Malware Makes Mockery of Money-Moving Measures
A new Mac Malware, disguised as a legitimate trading app, has been discovered.
The Malware, masquerading as the Stockfolio app, is shared in a ZIP file and contains a modified version of the renowned software which carries the Trojan.MacOS.GMERA.A malware. The malware collects and encrypts the owner’s information and uploads it to a web domain now believed to be inactive.
As always, it’s advised that you only ever download your apps from reputable sources and equip your operating system with a trusted and recognised anti-virus software – lest you fall afoul of such trickery as this.
Thinkful not Thankful for Data Theft
Developer learning site Thinkful has suffered an unauthorised third party breach on its systems. In an email to its members, Thinkful Vice President of Operation Erun Rosenblatt stated:
“We recently discovered than an unauthorised party may have gained access to certain Thinkful company credentials so, out of an abundance of caution, we are notifying all of our users. As soon as we discovered this unauthorised access, we promptly changed the credentials, took additional steps to enhance the security measures we have in place, and initiated a full investigation”.
So far, there’s no evidence to suggest that any account data, financial data or identification has been compromised, but it’s best to amend your Thinkful account credentials as soon as possible, and ensure you keep separate passwords across all online accounts.
CafePress Serves up Fresh Mug of Poor Security
CaféPress is under scrutiny for a double-decker of security blunders. Not only were sensitive customer credentials snatched thanks to poor password encryption, but the site owners have taken months to identify the breach - despite the suspicions of cyber security buffs. The data theft dates to February of this year, but recipients didn’t receive any official warning from the T-shirt and stationery retailer until the 24th of this month.
It’s been reported that CafePress were using a notoriously weak password encryption system, and roughly half of its 23 million users have had names, addresses, passwords and select debit card details compromised as a result. Ouch.
It’s absolutely imperative to check that you’re not sharing your CafePress password with any other sites you visit, and if you are, to amend one and all immediately. In the meantime, check haveibeenpwned.com to see where else your details may have been compromised and amend them all accordingly.
Concerned about cyber attacks or how viruses and malware could impact your business operations?
Our eBook, Recovering from Common Cyber Attacks details how to respond to cyber threats.
Download it now.