Search the Community

A new report claims that there is a serious flaw in Microsoft's Skype chat mobile apps that could allow a hacker to detect a user's IP address. The flaw is reportedly enabled just by sending a link through Skype's text message feature, and the link does not have to be clicked on for the IP address to be revealed. The new flaw, as reported by 404Media.co, was first discovered by an independent security researcher who goes by the handle "Yossi". The article describes how this issue worked: To start, Yossi sent me a link via Skype text chat to google.com. The link was to the real Google site, and not an imposter. I then opened Skype on an iPad and viewed the chat message. I didn’t even click the link. But very soon after, Yossi pasted my IP address into the chat. It was correct. The article adds that this issue only affects Skype's mobile apps and does not appear to work on Skype on the desktop. Details about how this issue works on the hacker side were not revealed for security reasons, but the article claims the flaw is "trivially easy to exploit and involves changing a certain parameter related to the link." Yossi sent over his info about the flaw to Microsoft. The company's initial response to Yossi was that the IP address exposure in Skype "does not meet the definition of a security vulnerability for servicing which would require immediate servicing." However, when 404media.com asked Microsoft for comment, the company did state that while this issue with Skype was not an immediate security issue based just on the IP address exposure, "we will be addressing it in a future product update as a defense in depth improvement to help keep customers protected." As of this writing, Microsoft has yet to fix this problem. Source

Paint 3D for Windows 10 had a Remote Code Execution flaw Microsoft’s Paint 3D was never popular, but it turns out the app was also actually dangerous to your system health after ZDI researchers discovered a Remote Code Execution Flaw in the 3D modelling software. The exploit, which was discovered by fuzzing, requires a user to load a compromised file and has now been patched by Microsoft in the latest Patch Tuesday. The issue is described in CVE-2021-31946 and reads as such: Microsoft Paint 3D GLB File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Paint 3D. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of GLB files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process at low integrity. The flaw had a medium severity, as it required that the attacker had already escalated their privileges on your system. Microsoft has issued an update to the software which fixes the issue, but Windows 11 users need not worry, as the software is no longer pre-installed in that OS. Paint 3D for Windows 10 had a Remote Code Execution flaw

An exploit patched last month could have allowed attackers to access anyone’s browser just by knowing their user ID. A security researcher revealed a “catastrophic” vulnerability in the Arc browser that would have allowed attackers to insert arbitrary code into other users’ browser sessions with little than an easily findable user ID. The vulnerability was patched on August 26th and disclosed today in a blog post by security researcher xyz3va, as well as a statement from The Browser Company. The company says that its logs indicate no users were affected by the flaw. The exploit, CVE-2024-45489, relied on a misconfiguration in The Browser Company’s implementation of Firebase, a “database-as-a-backend service,” for storage of user info, including Arc Boosts, a feature that lets users customize the appearance of websites they visit. In its statement, The Browser Company writes: Or, in the words of xyz3va, You can get someone’s creatorID in several ways, including referral links, shared easels, and publicly shared Boosts. With that info, an attacker could have created a boost with arbitrary code in it and added it to the victim’s Arc account without any action on the victim’s part. That’s bad. The Browser Company responded quickly — xyz3va reported the bug to cofounder Hursh Agrawal, demonstrated it within minutes, and was added to the company Slack within half an hour. The bug was patched the next day, and the company’s statement details a list of security improvements it says it’s implementing, including setting up a bug bounty program, moving off of Firebase, disabling custom Javascript on synced Boosts, and hiring additional security staff. Source RIP Matrix | Farewell my friend Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every single day for many years. 2023: Over 5,800 news posts | 2024 (till end of August): 3,792 news posts