Google this week announced the first stable release of Chrome 105, which comes with patches for 24 vulnerabilities, including 13 use-after-free and heap buffer overflow bugs.

Twenty-one of the resolved security defects were reported by external researchers, including one critical-, eight high-, nine medium-, and three low-severity vulnerabilities.

A total of nine use-after-free issues were resolved with the latest browser update, the most important of which is a critical flaw in the Network Service component, reported by Google Project Zero researcher Sergei Glazunov, the company notes in an advisory.

Chrome 105 also patches five high-severity use-after-free vulnerabilities, impacting browser components such as WebSQL, Layout, PhoneHub, and Browser Tag.

https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html

Montenegro has been targeted in a disruptive cyberattack blamed on Russian hackers, and a known ransomware group may have been involved.

The country’s Agency for National Security announced last week that government servers had been targeted in an ongoing attack that was described as massive and coordinated.

The attack targeted government systems and other critical infrastructure, and managed to cause some disruptions. The US embassy warned citizens residing in the country that the attack could disrupt transportation, public utilities and telecommunications.

The WordPress team this week announced the release of version 6.0.2 of the content management system (CMS), with patches for three security bugs, including a high-severity SQL injection vulnerability.

Identified in the WordPress Link functionality, previously known as ‘Bookmarks’, the issue only impacts older installations, as the capability is disabled by default on new installations.

However, the functionality might still be enabled on millions of legacy WordPress sites even if they are running newer versions of the CMS, the Wordfence team at WordPress security company Defiant says.

With a CVSS score of 8.0, the security flaw requires administrative privileges and is not easy to exploit in default configurations, but there might be plugins or themes that allow it to be triggered by users with lower privileges (such as editor-level and below), Wordfence says.

“Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned,” Wordfence explains.

WordPress Core 6.0.2 Security & Maintenance Release – What You Need to Know
https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/

ndpoint security company McAfee warns of five malicious Chrome extensions designed to track users’ browsing activity and inject code into ecommerce platforms.

With a total install base of over 1.4 million, the extensions can modify cookies on ecommerce websites so that their creator receives affiliate payments for the purchased items, without the victim’s knowledge.

The five malicious extensions help users watch Netflix shows together (Netflix Party and Netflix Party 2, with a combined install base of 1.1 million), enable them to track online prices and coupons (FlipShope – Price Tracker Extension and AutoBuy Flash Sales, with 100,000 installs), and capture screenshots (Full Page Screenshot Capture – Screenshotting, with 200,000 installs).

McAfee’s analysis of the extensions has revealed that the user tracking and code injection behavior resides in a script named ‘b0.js’, which contains many other functions as well.

The extensions subscribe to events triggered when the user accesses a new URL in a tab, so they can send tracking data to the creator’s server (at langhort.com), which checks if the user navigates to a site for which an affiliate ID exists.

Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users/

Apple on Wednesday started shipping patches for older iPhone and iPad devices to address a recent, actively exploited vulnerability.

Tracked as CVE-2022-32893, the vulnerability impacts WebKit and it can be exploited to achieve arbitrary code execution when the user visits a malicious website.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple notes in an advisory.

The security flaw was resolved with the release of iOS 12.5.6, which is now rolling out to iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

The Cupertino-based company, which has credited an anonymous researcher for reporting the vulnerability, shipped the initial batch of patches for this zero-day roughly two weeks ago.

A second zero-day addressed at the time (with iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1) could lead to arbitrary code execution with kernel privileges. Tracked as CVE-2022-32894, the bug does not impact iOS 12, Apple says.