INFOSEC IN BRIEF We gather everyone’s still easing themselves into the New Year. Deleting screens of unread emails, putting on a brave face in meetings, and slowly getting up to speed. While you’re recovering from the Christmas break, Meta has been busy introducing fresh ways to monetize your web surfing habits while dressing it up as a user experience improvement.
The latest attempt to extract more sellable data comes in the form of link history, which lists the webpages you’ve visited using the browser built into Meta’s apps. Link history stores records for 30 days, can be used to recall pages previously read, and excludes links sent in messages. This could be convenient, to be sure.
Less prominently mentioned on help pages describing the feature on Facebook and Instagram is, of course, perhaps the real reason for the capability: “We may use link history information from our browser to improve your ads across Meta technologies.”
And there we have it: a new feature that is really a way to shore up targeted advertising after privacy changes by Apple and others hobbled Meta’s ability to collect data on its users. If you don’t want adverts tailored to your browsing habits, the Facebook and Instagram help pages for the feature explain how to turn link history off.
Critical vulnerabilities: A very patchy new year
There’s no rest for security teams heading into 2024: the past week brought fixes for several critical vulnerabilities, including a batch of newly reported issues in Chrome.
The latest stable channel release for Chrome Desktop includes six security fixes, four of which Google detailed in the release notes. Two issues in ANGLE were addressed, as were use-after-free bugs in WebAudio and WebGPU. Patch ASAP!
Elsewhere:
- CVSS 9.8 – Multiple CVEs: Rockwell Automation FactoryTalk Activation Manager software v4.00 contains a couple of out-of-bounds write bugs that could give an attacker full system control.
- CVSS 9.8 – CVE-2023-6448: Unitronics Vision Series PLCs and HMIs ship with default administrative passwords that must be changed; CISA warns the weakness is under active exploitation.
- CVSS 9.6 – CVE-2023-39336: Ivanti Endpoint Manager 2022 SU4 and all prior versions are vulnerable to SQL injection by anyone on the same network as a vulnerable machine.
A couple of vulnerabilities were also spotted being exploited in the wild this week:
- CVSS 8.8 – CVE-2023-7024: We reported on this Chrome heap buffer overflow at the end of last year.
- CVE-2023-7101: No CVSS score is yet available for this newly discovered vulnerability in Spreadsheet::ParseExcel, a Perl module for parsing Excel files. Improper input validation opens the door to remote code execution.