A Nord VPN bug, a(nother) bad Microsoft patch, Zynga data farmed out, and more

Roundup Here's the latest security news in handy digest form of stories you may have missed over the last week.

NordVPN bug causes connection confusion

Reg reader Tony H writes in to tell us of an interesting security bug that arises when running NordVPN in tandem with the Cloudflare 1.1.1.1 WARP service in iOS. The end result is a connection that looks to be protected by NordVPN, but in reality it is completely exposed.

Here's how it works:

The user first connects to 1.1.1.1 with Warp, then disables the app without turning off Warp. Then, when connecting to a NordVPN server with ikev2 protocol, the iOS device will report as being connected to NordVPN and secured, without actually being connected. In other words, you're connected and protected, but you're not.

Our man tells us he has already reported this issue to NordVPN, so if they deem it serious enough to patch, expect an update. If you use Nord and 1.1.1.1 in tandem, it might be a good idea to double-check your IP address is indeed being hidden.

ESET sounds alarm over Casabaneiro attack

The research team at ESET has detailed a bank hacking operation that is hitting both fiat and cryptocurrency operations in Mexico and Brazil.

Known as Casabaneiro, the attack uses fake pop-up windows to trick users into entering their account details, which are then sent by the malware to a command and control server.

What is particularly unique about this attack, says ESET, is the way it runs its command and control system. Infected machines do not go directly to the command server, but rather a YouTube page where a link to the C&C machine is embedded in the video description. The infected machines access the page then follow the link, making it appear to admins as if the user is just watching a video.

"What makes this technique dangerous is that it does not raise much suspicion without context," ESET explains.

"Connecting to YouTube is not considered unusual and even if the video is examined, the link at the end of the video description may easily go unnoticed."

It's 2019, and WhatsApp can be pwned by a GIF

If you haven't updated your copy of WhatsApp in a while, now would be a good time. That's because Singapore-based bug hunter Awakened has spilled the beans on a remote code execution flaw in the messaging tool.

The vulnerability, designated CVE-2019-11932, is exposed when the user opens or receives from a friend (and automatically opens) a specially-crafted GIF image. The file then triggers a double-free vulnerability that would potentially allow for code execution.

To avoid the bug, make sure you are running WhatsApp version 2.19.244 or later.

Microsoft pushes update for an update

Redmond has kicked out a second attempt at its patch of CCE-2019-1367.

The Windows maker had first tried to patch the remote code execution memory corruption bug last month, but had to recall and replace the update following reports that the patch was causing some machines to be unable to properly print. Users and admins will want to get this fix as soon as possible, at least before Tuesday when the October patch dump hits.

Signal breaks up call snooping flaw

The Signal messaging app has patched a logic error that would have potentially left users vulnerable to surveillance.

Google Project Zero's Natalie Silvanovich said that in the Android and iOS versions of the App would allow user with a modified app to call someone else and then force their client to accept the call.

In practice, this means a caller could place a call to their target and listen in on them without the recipient being any the wiser. Updating to the latest versions of Signal for iOS and Android will patch the bug.

But Signal's cofounder Moxie Marlinspike has pointed out that the flaw is only in the Android build of the secure messaging app, and has said it has now been fixed.

Bug found in NSA's Ghidra tool

The next time you make a dumb coding error, remember that everyone, even the NSA, goofs up from time to time. The intelligence bod says its experimental Ghidra security research tool contains CVE-2019-16941, a remote code execution bug that could be triggered with a specially-crafted XML file.

The flaw can be fixed by updating to the latest Ghidra build.

Bye-Zynga: mobile games maker loses data on 218 million users

Games company Zynga has been relieved by hackers of the names, email addresses, login IDs, and hashed passwords of more than 200 million players. The pilfered database is also said to contain in some cases phone numbers, password reset tokens, Facebook IDs, and Zynga account IDs.

If you play a Zynga game, it would not be a bad idea to change your password ASAP, and if you re-used the password on other sites (don't do that) you'll want to change those too. ®