Application Security Weekly Review, Week 10 2019
0Days in Adobe ColdFusion and Google Chrome, privacy risks of Android VPN apps, an official approval for the WebAuthn Web standard, and more.
It’s the end of the week and here we are with our latest review of the most significant events in the world of cybersecurity, including two 0Days in Adobe ColdFusion and Google Chrome, privacy risks of Android VPN apps, an official approval for the WebAuthn Web standard, and more.
Hackers are exploiting a 0Day in Adobe ColdFusion
Adobe released emergency updates for a critical bug in the ColdFusion web application platform that can lead to remote code execution and was already being exploited in the wild. The flaw, tracked as CVE-2019-7816, lets an attacker bypass restrictions on file uploads. As Adobe notes, a successful attack requires the adversary to upload executable code into a web-accessible directory; the code is then executed by requesting it over HTTP.
The bug affects ColdFusion 2018 Update 2 and earlier, ColdFusion 2016 Update 9 and earlier, and ColdFusion 11 Update 17 and earlier. The vendor released ColdFusion 11 Update 18, 2016 Update 10 and 2018 Update 3 to fix the issue. Adobe did not reveal further details about the attacks or how exactly the flaw was exploited in the wild. Given the precondition Adobe describes, administrators who cannot patch immediately should at least confirm that upload directories are not served by the web server and cannot execute scripts.
Google patches a 0Day vulnerability in Chrome
Clement Lecigne of Google's Threat Analysis Group reported a high-severity bug in Chrome that could allow attackers to execute arbitrary code and gain full control of a vulnerable system. The flaw, tracked as CVE-2019-5786, affects the browser on all major desktop platforms, including Microsoft Windows, Apple macOS and Linux. Google has been tight-lipped about the technical details, saying only that the issue is a use-after-free in the FileReader API that can be leveraged for remote code execution.
Google released a fixed version of the browser (Chrome 72.0.3626.121 for Windows, Mac and Linux) on March 1 and confirmed that an exploit for CVE-2019-5786 exists in the wild. According to the company's advisory, technical details of the bug will not be released until a majority of users have the fix. Note that Chrome downloads updates in the background but keeps running the old build until it is relaunched, so a pending "Update" prompt means the vulnerable version is still in use.
Some Android VPN apps seeking dangerous user permissions they don’t need
Several Android VPN apps on the official Google Play Store request permissions they have no use for, some of them in Android's "dangerous" class, the runtime permissions that gate access to user data. Researchers at TheBestVPN.com analyzed 81 Android VPN apps from the Play Store and found that 50 of them requested at least one such permission.
Many apps had legitimate reasons for some of these requests, but several asked for permissions a VPN client does not need: read/write access to external storage, precise location data, the ability to change system settings, and in some cases access to call logs and local files.
A VPN app does need a few permissions to function, but a long list of "dangerous" permission requests is a red flag and can put users' privacy at significant risk, the researchers concluded.
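The check the researchers ran can be reproduced on any app's manifest. The script below is an added example, not the TheBestVPN.com tooling or code from the page: it parses a decoded AndroidManifest.xml, lists the requested permissions, flags those in Android's runtime ("dangerous") class and the settings-screen "special" permissions, and confirms the app actually declares a VpnService. The baseline set of permissions a VPN client legitimately needs is an assumption made for this example, and the sample manifest is constructed, not taken from any real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous" protection level) permissions from the Android platform
# docs; each is granted by the user in a runtime prompt.
DANGEROUS = {"android.permission." + p for p in (
    "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS", "WRITE_CONTACTS",
    "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "ACCESS_BACKGROUND_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
    "READ_PHONE_NUMBERS", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
    "ADD_VOICEMAIL", "USE_SIP", "PROCESS_OUTGOING_CALLS", "ANSWER_PHONE_CALLS",
    "BODY_SENSORS", "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH",
    "RECEIVE_MMS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
)}

# "Special" permissions: not dangerous-level, but granted only through a system
# settings screen and just as out of place in a VPN client.
SPECIAL = {"android.permission.WRITE_SETTINGS",
           "android.permission.SYSTEM_ALERT_WINDOW",
           "android.permission.REQUEST_INSTALL_PACKAGES"}

# Assumed baseline for a VPN client (an assumption for this example, not a
# platform rule): network access, network-state changes, a foreground service
# for the tunnel, and optionally starting the tunnel at boot.
VPN_BASELINE = {"android.permission." + p for p in (
    "INTERNET", "ACCESS_NETWORK_STATE", "CHANGE_NETWORK_STATE",
    "ACCESS_WIFI_STATE", "FOREGROUND_SERVICE", "RECEIVE_BOOT_COMPLETED",
)}


def requested_permissions(manifest_xml):
    """All permission names the manifest asks for."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def declares_vpn_service(root):
    """A genuine VPN app declares a VpnService subclass guarded by
    BIND_VPN_SERVICE with an android.net.VpnService intent filter."""
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") != "android.permission.BIND_VPN_SERVICE":
            continue
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.net.VpnService":
                return True
    return False


def audit_vpn_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    return {
        "declares_vpn_service": declares_vpn_service(root),
        "dangerous": sorted(perms & DANGEROUS),
        "special": sorted(perms & SPECIAL),
        "outside_baseline": sorted(perms - VPN_BASELINE - DANGEROUS - SPECIAL),
    }


# Constructed sample manifest (not from any real app), shaped like the cases in
# the report: location, call log, storage and system settings on top of what a
# tunnel needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="com.android.vending.BILLING"/>
    <application android:label="Example VPN">
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in audit_vpn_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

To run this against a real app, decode the binary manifest first (`apktool d app.apk` writes a readable AndroidManifest.xml) or cross-check the list with `aapt dump permissions app.apk`. Anything in the `dangerous` or `special` buckets is worth a question; anything in `outside_baseline` is worth a look at why the app wants it.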
Readers can run similar checks with our free Mobile App Security Test to see whether the applications they use are safe and secure.
90% of hacked CMS sites ran WordPress
WordPress accounted for 90% of all hacked websites in 2018, according to a Sucuri report examining the latest trends in malware and hacked websites. Across all hacked CMS sites, 56% were running an outdated version of the CMS at the time of infection; among the hacked WordPress sites the figure was lower, around 36%, which means most WordPress compromises came through something other than an unpatched core.
Magento (4.6%), Joomla (4.3%) and Drupal (3.7%) took second, third and fourth place on the hacked-sites list respectively, and in the large majority of these cases the CMS had not been updated to its latest version.
According to the researchers, cybercriminals actively exploit vulnerabilities in plugins and themes and take advantage of misconfiguration and a lack of maintenance by webmasters. In 68% of cases the attackers planted backdoors on the compromised sites, around 56% of hacked sites were used to host malware, and 51% served SEO spam pages. The percentages add up to more than 100% because a compromised site typically carries several payloads at once.
W3C officially approved WebAuthn web standard
The World Wide Web Consortium (W3C) and the FIDO Alliance approved Web Authentication (WebAuthn for short) as an official web standard. It is designed to replace the password as the way of logging into accounts: the server stores only a public key and checks a signed challenge, so there is no shared secret to phish, reuse or leak from a breach, and the browser binds each assertion to the origin that requested it. Users log in on sites that support WebAuthn with biometrics, a mobile device, and/or a FIDO security key.
The specification is already supported by Android, Chrome OS and Windows 10, and by the most common browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (in preview at the time of writing). WebAuthn support has also been added to popular sites such as Dropbox, Facebook, GitHub and Twitter.
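The security properties claimed above come from checks the relying party must actually perform on the assertion it gets back from `navigator.credentials.get()`. The following is an added example, not code from the page or from any WebAuthn library: it implements the relying-party side of the login ceremony for `clientDataJSON` and `authenticatorData`, covering ceremony type, single-use challenge, origin binding, RP ID hash, user-presence and user-verification flags, and the signature counter used to spot cloned authenticators. Signature verification against the stored public key is left to a crypto library; the function returns the exact bytes that signature covers. The sample response, RP ID, origin and challenge are constructed for the example, not captured from a real authenticator.

```python
import base64
import hashlib
import hmac
import json
import struct

# authenticatorData flag bits (WebAuthn Level 1, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included


def b64url_decode(text):
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_authenticator_data(data):
    """Split the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    flags = data[32]
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", data[33:37])[0],
        "has_attested_credential": bool(flags & FLAG_AT),
    }


def verify_assertion(response, rp_id, expected_origin, expected_challenge,
                     stored_sign_count, require_uv=False):
    """Relying-party checks on a navigator.credentials.get() response.

    Raises ValueError with a short reason on any failure. On success returns the
    new counter value and the bytes the authenticator signed, which the caller
    verifies against the credential's stored public key (e.g. ECDSA P-256).
    """
    client_data_raw = b64url_decode(response["clientDataJSON"])
    auth_data_raw = b64url_decode(response["authenticatorData"])
    client_data = json.loads(client_data_raw)

    # 1. Must be an assertion, not a registration response.
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    # 2. Challenge must be the one issued for this login attempt (single use).
    got = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(got, expected_challenge):
        raise ValueError("challenge mismatch")
    # 3. Origin binding: the browser fills this in, the page cannot. A phishing
    #    site on another origin can never produce a valid assertion for ours.
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch")

    auth = parse_authenticator_data(auth_data_raw)
    # 4. The authenticator scoped the credential to our RP ID.
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth["rp_id_hash"], expected_hash):
        raise ValueError("rpIdHash mismatch")
    # 5. User presence is mandatory; user verification only if we asked for it.
    if not auth["user_present"]:
        raise ValueError("user not present")
    if require_uv and not auth["user_verified"]:
        raise ValueError("user not verified")
    # 6. A counter that does not increase suggests a cloned authenticator
    #    (a counter of 0 means the authenticator does not support counters).
    if auth["sign_count"] != 0 and auth["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase")

    # The signature covers authenticatorData || SHA-256(clientDataJSON).
    signed_data = auth_data_raw + hashlib.sha256(client_data_raw).digest()
    return {"sign_count": auth["sign_count"], "signed_data": signed_data,
            "signature": b64url_decode(response["signature"])}


def why_rejected(*args, **kwargs):
    """The rejection reason, or None when the assertion passes the checks."""
    try:
        verify_assertion(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample (not captured from a real authenticator): the response a
# browser would hand back for https://example.com with UP and UV set, counter 7.
RP_ID = "example.com"
ORIGIN = "https://example.com"
CHALLENGE = bytes(range(32))   # stands in for the server's random challenge
STORED_SIGN_COUNT = 3          # counter saved after the previous login

_client_data = json.dumps({"type": "webauthn.get",
                           "challenge": b64url_encode(CHALLENGE),
                           "origin": ORIGIN}).encode()
_auth_data = (hashlib.sha256(RP_ID.encode()).digest()
              + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", 7))
SAMPLE_RESPONSE = {
    "clientDataJSON": b64url_encode(_client_data),
    "authenticatorData": b64url_encode(_auth_data),
    "signature": b64url_encode(b"\x00" * 64),  # placeholder, not a real signature
}

if __name__ == "__main__":
    print(verify_assertion(SAMPLE_RESPONSE, RP_ID, ORIGIN, CHALLENGE, STORED_SIGN_COUNT)["sign_count"])
    print(why_rejected(SAMPLE_RESPONSE, RP_ID, "https://evil.example", CHALLENGE, STORED_SIGN_COUNT))
    print(why_rejected(SAMPLE_RESPONSE, RP_ID, ORIGIN, CHALLENGE, 7))
```

The second and third calls in the `__main__` block are the two failure modes worth remembering: the same assertion presented from a different origin is rejected, which is what makes WebAuthn phishing-resistant, and an assertion whose counter has not moved past the stored value is rejected, which is how a relying party notices that a credential's private key has been copied to a second device.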