#chrome

The SolarMarker group is exploiting a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, part of a new tactic in its watering-hole attacks.

Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.

hms-staff.php in Projectworlds Hospital Management System Mini-Project through 2018-06-17 allows SQL injection via the type parameter.

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  I’ve spent the past few months with my colleague Ashlee Benge looking at personal health apps’ privacy policies. We found several instances of apps that carry sensitive information stating they would share certain information with third-party advertisers and even law enforcement agencies, if necessary.  One of the most popular period-tracking apps on the Google Play store, Period Calendar Period Tracker, has a privacy policy that states it will "share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only."  A report from the Washington Post also released last week found that this app, as well...

Bus Pass Management System version 1.0 suffers from a cross site scripting vulnerability.

IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Double free in DOMStorage in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.

Categories: News Tags: erbium Tags: malware Tags: data theft Tags: stealer Tags: wallets Tags: cryptocurrency Tags: browsers Tags: browser Tags: infection Tags: malware as a service We take a look at reports of new data theft malware relying on sold old tricks (Read more...) The post Erbium stealer on the hunt for data appeared first on Malwarebytes Labs.

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems. "When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety