- Indian government sends notice to 21 companies over hacking fears
The Indian government has reportedly sent notices to 21 smartphone companies over fears that users’ personal data could be compromised. The list includes Chinese smartphone manufacturers such as Xiaomi, Vivo, Gionee, and Oppo. Other companies include Samsung and Apple, as well as Indian manufacturers such as Micromax, Karbonn and Lava. The decision to send a notice to these smartphone companies was taken during a high-level meeting chaired by IT and law minister Ravi Shankar Prasad, ToI reports. The government wants smartphone manufacturers to build layered security measures to guard against unauthorised access to consumer data. The notice sent to these smartphone makers reads, “Under Section 70B (6) of the IT Act, you are hereby requested to provide a detailed, structured written response about the safety and security practices, architecture, frameworks, guidelines standards etc followed and implemented in your product services, provided in the country,” according to a report published by BGR.
- Two Critical Zero-Day Flaws Disclosed in Foxit PDF Reader
Millions of people use Foxit PDF reader; if you are one of them, you should take note. Security researchers have discovered two critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer if the software is not configured to open files in Safe Reading Mode. The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano working with Trend Micro’s Zero Day Initiative (ZDI), while the second bug (CVE-2017-10952) is a file write issue found by Offensive Security researcher Steven Seeley. An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and enticing them to open it. The researchers said that the mitigation does not patch the vulnerabilities completely; if they remain unpatched, they could be exploited should attackers find a way to bypass Safe Reading Mode in the near future.
- Unpatchable Flaw in Modern Cars Allows Hackers to Disable Safety Features
To improve the driving experience, many automobile companies now offer vehicles that run mostly on drive-by-wire systems, which means that the majority of a car’s functions, from the instrument cluster to steering, brakes, and accelerator, are electronically controlled. Car hacking is not new: researchers have already demonstrated how to hijack a car remotely, how to disable a car’s crucial functions such as airbags, and even how to steal cars remotely. According to the latest report, security researchers have discovered a new hacking trick that can allow attackers to disable airbags and other safety systems of connected cars, affecting a large number of vendors and vehicle models. The critical vulnerability, discovered at Trend Micro, lies in the CAN (controller area network) protocol that car components use to communicate with one another within the car’s network. An attacker who successfully exploits this vulnerability can turn off crucial safety functions of a vehicle, such as airbags, power steering, parking sensors, and the anti-lock brakes, or almost any computerized component that is connected to the car’s CAN bus.
Cyber Security Tips: If you use a smart car, contact the manufacturer for a solution.
- Access Bypass Vulnerabilities Patched in Drupal 8
Drupal is an open source platform for building amazing digital experiences. It’s made by a dedicated community. A Drupal 8 security update released on Wednesday addresses several access bypass vulnerabilities affecting components such as views, the REST API and the entity access system. The most severe of the flaws patched by Drupal 8.3.7 is CVE-2017-6925, a critical issue affecting the entity access system. The weakness can be exploited to view, create, delete or update entities. Another access bypass vulnerability patched in the latest version of Drupal is CVE-2017-6924, which involves the REST API being able to bypass comment approval.
Cyber Security Tips: Users and administrators are strongly advised to update their Drupal CMS with the latest patches.