Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.
In case you missed our coverage this week in ThreatWatch, Nextgov’s
Google again released information about a flaw in a Microsoft product without an available security patch.
This time, the Google Project Zero team shared details of how a bug in the Windows Graphics Device Interface dynamic-link library could leak private user data. The team said the vulnerability also affects Internet Explorer and Office Online.
The team shared the details with Microsoft on Nov. 16 but released them publicly Monday after 90 days passed without a security patch, IT News reported. Microsoft previously addressed the issue with a June patch, but the Google team said problems remained, according to Threatpost.
It’s at least the third time Google went public with an unresolved Microsoft issue. In January 2015, Google released information 90 days after it notified Microsoft about a security hole in Windows 8.1 that allowed improper access to server functions. In November, Google disclosed what it called a critical zero-day in Windows 10. Microsoft hit back, disagreeing with the critical designation and saying Google’s announcement put Windows customers at potential risk.
Music lovers who in the past have or are planning to attend the Coachella festival may want to change their email passwords.
A data trader claims to have more than 950,000 Coachella website user accounts for sale on a dark web marketplace called Tochka, Motherboard reported. The data includes email addresses, usernames and hashed passwords for Coachella.com and its message board.
Payment information doesn’t appear to be included, according to Motherboard.
Still, if Coachella attendees reuse usernames and passwords, they may want to brush up on how to choose a secure password and select a unique password for every site they visit.
Cloudflare, a company that provides optimization and security services for websites, disclosed a bug that may have exposed passwords, authentication tokens, private messages and other sensitive information since September.
Cloudflare notified its customers Thursday, according to Fortune. Average website users, however, probably wouldn’t know if they were affected, because it is websites, not individual users, that sign up for Cloudflare’s services.
“I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” wrote Google Project Zero Team Member Tavis Ormandy, who alerted Cloudflare to the problem.
The problem, now mitigated, stemmed from a new HTML parser chain, a specific combination of tools, and an “ancient piece of software that contained a latent security problem,” Cloudflare Chief Technology Officer John Graham-Cumming wrote in a blog post.
The company also worked with search engines that may have cached the data.
“We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence,” Graham-Cumming wrote.
Ormandy applauded the company’s fast response to the problem, but said Cloudflare’s response “severely downplays the risk to customers.”
More than 5.5 million sites use Cloudflare, according to Fortune.