Welcome to another week of the Security Wrap-Up! We’ve got a couple of RCE vulnerabilities and other security issues to share:
Chrome zero-day exploit posted on Twitter
Security researcher Rajvardhan Agarwal has dropped working exploit code on Twitter for a zero-day remote code execution (RCE) vulnerability, which affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework. The latest version of the Chrome V8 JavaScript engine patches the flaw, but the fix has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge, and others, leaving them potentially vulnerable to attacks. Google is expected to release a new Chrome version sometime on Tuesday, but it’s currently unclear if patches for the bug will be included.
Critical Zoom vulnerability triggers remote code execution without user input
Yes, yet another remote code execution (RCE) flaw has been discovered! This time around, researchers Daan Keuper and Thijs Alkemade from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, all without any form of user interaction. At the time the above article was posted (April 9th), Zoom had not yet had time to issue a patch for the vulnerability. As noted by Malwarebytes, the attack works on Windows and Mac versions of Zoom, but it hasn’t yet been tested on iOS or Android. The browser version is not impacted.
ParkMobile breach exposes license plate data and mobile numbers of 21M users
ParkMobile, a mobile parking app popular in North America, was recently subject to a breach resulting in the selling of account information for 21 million customers. Stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords, and mailing addresses. ParkMobile published a notification on March 26th about the incident, but has not asked or forced its users to change their passwords as a precautionary measure. But, if you are a ParkMobile user, it’s probably a great idea to change your account password.
Azure Functions weakness allows privilege escalation
A privilege-escalation vulnerability within Microsoft Azure’s Functions cloud container feature could allow a user to escape the container, according to researchers. Researchers at Intezer dubbed the bug “Royal Flush” after a flush-to-disk limitation that an exploit would need to evade. Flushing to disk means that data is handed off to the kernel, where it’s visible to other processes but may not survive a reboot. The firm found that Azure Functions containers run with the --privileged Docker flag, which means that device files in the /dev directory can be shared between the Docker host and the container guest.
If you have any security updates of your own, share them in the comments below!