LibreOffice and OpenOffice security risk found.

LibreOffice, an open source clone of Microsoft Office, has patched a bug that allowed attackers to execute commands of their choosing on vulnerable computers. A similar flaw in Apache OpenOffice remains unfixed.

A Remote Code Execution (RCE) vulnerability was discovered in LibreOffice on Windows and Linux, and users are now recommended to update to the latest versions, as patches have already been issued.

While the vulnerability has already been resolved in LibreOffice, it looks like other Office productivity suites are affected as well, including OpenOffice.
OpenOffice is still unpatched right now, with no ETA as to when a fix could be shipped.

The security researcher confirms that OpenOffice 4.1.6 is vulnerable to attacks. The parent company has acknowledged the issue, but no release date for a fix is known yet.

Users are thus recommended to update to the latest version of LibreOffice as soon as possible, while those using OpenOffice should try to stay away from documents coming from untrusted sources as much as possible.

According to sources, OpenOffice users can mitigate the risk by removing or renaming the pythonscript.py file in the installation folder.
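One way to apply this mitigation on a Linux install, as an added example that is not from the original article or from the OpenOffice project. The install root is an assumption supplied by the caller, since the article does not give the path, and the `.disabled` suffix is an arbitrary choice.

```sh
#!/bin/sh
# Added example (not from the article): rename pythonscript.py under an
# OpenOffice install root. The root path is an assumption supplied by the
# caller; the ".disabled" suffix is an arbitrary choice.

# Rename every pythonscript.py below $1; print one line per renamed file.
disable_pythonscript() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type f -name pythonscript.py -exec sh -c '
        for f do
            if [ -e "$f.disabled" ]; then
                echo "skipped, backup already exists: $f" >&2
            else
                mv -- "$f" "$f.disabled" && echo "renamed: $f"
            fi
        done' sh {} +
}

# Succeed only if no file named pythonscript.py is left below $1.
mitigation_applied() {
    remaining=$(find "$1" -type f -name pythonscript.py)
    [ -z "$remaining" ]
}

# Run only when an install root is given on the command line.
if [ "$#" -ge 1 ]; then
    disable_pythonscript "$1" && mitigation_applied "$1" \
        && echo "no active pythonscript.py remains under $1"
fi
```

Renaming rather than deleting keeps the change reversible once a patched release is installed.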

Netwise 09.02.19

Windows 10 Defender Anti-Malware Update Problems

Microsoft warns that Windows 10 may not start on some computers after installing the latest monthly updates of the Windows Defender antimalware platform.

Affected resources

Computers with Windows 10 operating systems (Enterprise, Pro and Home) or Windows Server 2016.

Solution

According to Microsoft, it is working on a solution to the problem that will be published in a future update.

If your computer has been affected, follow the recommendations offered by the Microsoft support center. If you have questions, go to a technical support service you trust to help you solve the problem.

However, remember that antimalware products must always be active and updated to be effective and protect you from viruses and fraud.

Technical Details

The bug (version 4.18.1901.7) affects computers that have the Secure Boot function active in the BIOS. Additionally, this update could cause problems because the location of the update file path has changed, which would cause many downloads to be blocked when AppLocker, the program that controls the execution of applications and files, is enabled.

Netwise 02.02.19

Vision Direct hack puts customers' money at risk

Vision Direct says a hack attack has exposed thousands of its customers' personal data including payment card numbers, expiry dates and CVV codes.

The contact lens retailer said anyone who had entered their details into its site between 3 and 8 November could be affected.

It added that it had identified 16,300 people as being at risk.

It said a fake Google Analytics script placed within its websites' code was the apparent cause.

The company's UK site was involved as well as local versions for Spain, Ireland, the Netherlands, France, Italy and Belgium.

Under investigation

A spokeswoman for Vision Direct told the BBC that 6,600 customers were believed to have had details including financial data compromised, while a further 9,700 people had had personal data but not card details exposed.

"This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware," she added.

"Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again."

One expert said the involvement of card security codes made the breach particularly serious.

"Being able to provide the CVV number usually indicates that you have the card in your hand when making a purchase," commented cyber-security researcher Scott Helme.

"Now the attackers have the full card details including the CVV number, these checks carry less value."

Apology

Vision Direct describes itself as Europe's biggest online seller of contact lenses and eye care products.

A statement on its site says that anyone who updated their details during the stated period, or had an order or update submitted on their behalf by its customer services team, should contact their banks and/or credit card providers.

"The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV," said the alert.

"We understand that this incident will cause concern and inconvenience to our customers. We are contacting all affected customers to apologise."

It added that customers who had used PayPal during the period might have had their names and addresses accessed, but said their payment details should still be safe.

 

The Vision Direct statement, covering who may be affected and what to do if you think you are at risk, is on their website.

Netwise 20.11.18

Do the police have your biometric digits?

Campaign group Big Brother Watch claims that many people who have been wrongly identified by police facial recognition systems still end up in police databases, despite their innocence.

There are growing concerns that governments and law enforcement agencies are collecting biometric data at the expense of privacy. Det Supt Bernie Galopin, from the Metropolitan Police, says any misidentification tends to be quickly recognised and dealt with by police officers at the scene. "It's technology that's assisting the police here, not the police assisting technology," he said.

"We have not had a single complaint from a member of the public [about misidentification]."

But what happens with the data after the event?

Politician Norman Lamb, who chairs the British government's science and technology select committee, says people can apply to have their image removed from police records. Not many appear to do so.

"There is significant doubt as to whether people are made aware of that right," he says. "The number of those who apply appears to be very low... and a significant portion of those who do apply are informed that their application has been rejected." One issue is that current legislation only covers DNA and fingerprints.

But biometrics commissioner Prof Paul Wiles says we should not expect any swift changes to the law. "Everybody knows that this country at the moment is totally focused on leaving the European Union and until that is finished... I don't think the government seems to have much appetite for anything very much," he explains.