A roundup of the top news stories in information security this week, including a slew of vulnerabilities addressed by Microsoft and Adobe, researchers' claims to have cracked the new iPhone X's Face ID, and more.
Firefox to Offer Tracking Protection in Upcoming Update
The Firefox 57 update that will be released on November 14 will feature Tracking Protection, which protects users from having their browsing habits snooped on. Known as Quantum, the update “will ship with a list of sites which have been identified as engaging in cross-site tracking of users,” according to Firefox. Although it will debut on Firefox 57, it currently is not featured in the version 57 beta.
HACKING
Researchers Successfully Hack Boeing 757
A team of public and private security professionals successfully hacked a Boeing 757 airliner. An official with the Department of Homeland Security disclosed the “remote, non-cooperative penetration” event at a recent conference. Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology Directorate, said the hack was accomplished without having to touch the airplane’s systems physically.
PATCHES
Oracle Issues Emergency Patch for Critical Tuxedo Server Flaws
Oracle has pushed two emergency patches for vulnerabilities impacting application server Tuxedo. The two flaws received severity ratings of 10 and 9.9, respectively. A total of five vulnerabilities were discovered, according to the company, but the two major flaws received high CVSS ratings. The application server software allows enterprise cloud customers to develop and manage applications.
VULNERABILITIES
Adobe Addresses More Than 50 Bugs in Reader and Acrobat
Adobe patched a slew of remote execution vulnerabilities in its Acrobat and Reader products this week. The company also addressed a handful of critical flaws in its Flash Player. A total of 56 bugs were patched in Acrobat and Reader, while five critical flaws were fixed in the Flash Player. According to Adobe, none of the patched vulnerabilities are under active attack.
MOBILE SECURITY
Researchers Claim They’ve Cracked iPhone X Face ID
Researchers with Vietnamese security firm Bkav have claimed to have cracked the iPhone X’s new Face ID authentication technology. In a video released by the experts, they were able to crack the technology with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, according to a report by Wired. The demo has yet to be confirmed publicly by other security researchers.
Microsoft Issues Security Update Patching 53 Security Flaws
Microsoft’s November edition of Patch Tuesday featured fixes for a total of 53 security vulnerabilities. The flaws were found in the company’s Windows OS, Office, Internet Explorer, Microsoft Edge, ASP.NET Core, and Chakra Core browser engine products. The good news? No zero-day flaws were discovered this month.
FBI and DHS Issue Alerts About Hidden Cobra Espionage Campaign
Two alerts issued jointly by the FBI and DHS detail the malicious cyber activity of North Korean state-sponsored hackers. Dubbed Hidden Cobra, the espionage campaign has been leveraging a North Korean remote administration tool (RAT) called FALLCHILL since 2016 to target aerospace, telecommunications, and finance industries.
ReFirm Labs Lands $1.5 Million in Funding
A startup founded by two NSA veterans has received $1.5 million in seed money from DataTribe, an incubator that focuses on government research lab technology. ReFirm is focused on launching its Centrifuge Platform, which aims to automatically detect security flaws in connected devices such as consumer electronics.
VULNERABILITIES
Cisco Warns Customers of Flaw in Voice OS-Based Products
Users of Cisco Systems’ Voice Operating Systems software platform were vulnerable to attack after the company discovered a flaw in the widely used software. The company issued a security advisory warning to its customers this week after spotting the flaw, which could allow a remote hacker to gain unauthorized and elevated access to affected devices.