Weekly Update for 2020 Week 2 Show Notes

Welcome back to the Simple Cyber Defense Weekly Security Update. Today is January 11, 2020 and this week we will discuss major security issues in three popular software programs: Firefox, TikTok, and Android.

 

So let’s begin.

 

First lets talk about Firefox. Mozilla, the makers of Firefox, learned that Qihoo 360 researchers found a serious security flaw that could let an attacker “exploit this vulnerability to take control of an affected system.” Mozilla posted on January 8th that they were aware of targeted attacks in the wild that were abusing this flaw. Mozilla isn’t giving too much details about this flaw other than it is related to an error in the just-in-time JavaScript code compiler for Firefox. So what is just-in-time JavaScript code compiler? JavaScript basically is a set of instructions for a Web Browser to do a specific task. Since people and computers speak different languages there has to be a translation stage. This can slow things down and so just-in-time was created as a way to speed things up. Since different Web Browsers do this in different ways, this is why this flaw only affects Firefox.

 

So what can be done to protect yourself? Update your Firefox browser to the latest version; which is 72.0.1 or ESR 68.4.1. To check your version of Firefox, go to Help --> About Firefox on Windows, or Firefox --> About Firefox on a Mac. Many instances of Firefox update automatically when you launch them.

 

Now on to the popular video sharing app TikTok. Cybersecurity firm Check Point said it found flaws that could allow hackers to take control of TikTok accounts and manipulate the content, upload and delete videos and reveal personal information such as a private email address. This flaw was possible by using a feature that allows users to send standard text messages to any phone number on behalf of TikTok. This allows users to send text messages to themselves so they can download the app.

 

This useful feature could be abused by attackers to send fake messages to users that contained a malicious link. Once users clicked on the link, hackers could take control of the account. There was also a vulnerability in a TikTok web domain which allowed attackers to insert a malicious code. This was used to retrieve personal information of users.

 

So what can be done to protect yourself? Update to the latest version of the app. Check Point confirmed that the patch has fixed the flaw.

 

Finally there is the critical flaw in the Android Media framework. This flaw is a remote code execution flaw that can allow an attacker to remotely execute code on your Android device. Ultimately this could allow an attacker to install a malicious app onto your Android device remotely and without any interaction from you.

 

So what can be done to protect yourself? Again apply the Android January patch. However, this is where things get a little interesting because not everyone will be getting this patch right away or even at all. High end devices like Samsung and Google Pixel will be getting the patch now. Some budget devices like Motorola, may take a few months to roll out the patch. Then there are some low end devices that may not get the patch at all. To see if your Android device has the patch available go to your Settings > Security > Check for an update. If it’s there you can tap the security update.

 

This concludes this weeks security update and like always links to everything discussed are in the show notes. Don’t panic and be on the lookout for the next episode.

Links:

 

Patch Firefox right now to fix this zero-day security flaw: https://www.tomsguide.com/news/firefox-zero-day-patch

 

A security flaw in TikTok app was found: https://www.cnbc.com/2020/01/09/tiktok-security-flaw-found-that-allowed-hackers-to-access-accounts.html

 

Android Security Alert: https://www.forbes.com/sites/kateoflahertyuk/2020/01/08/android-security-alert-google-confirms-critical-flaw-impacting-android-8-and-9/