Security Newsletter

11 March 2019

Serious Chrome zero-day exploited in the wild, update “right this minute”

You must update your Google Chrome immediately to the latest version of the web browsing application.

Security researcher Clement Lecigne of Google's Threat Analysis Group discovered and reported a high severity vulnerability in Chrome late last month that could allow remote attackers to execute arbitrary code and take full control of the computers. The vulnerability, assigned as CVE-2019-5786, affects the web browsing software for all major operating systems including Microsoft Windows, Apple macOS, and Linux.

What's more worrisome? Google warned that this zero-day RCE vulnerability is actively being exploited in the wild by attackers to target Chrome users. It appears to exploit this vulnerability, all an attacker needs to do is tricking victims into just opening, or redirecting them to, a specially-crafted webpage without requiring any further interaction.

To check that you’re up-to-date, go to the About Google Chrome… window, accessible from the address bar by typing in the special URL chrome://settings/help. This will not only show the current version but also do an update check at the same time, just in case any recent auto-updates have failed or your computer hasn’t called home yet.

 

W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins

Major browsers and platforms have built-in support for new web standard for easy and secure logins via biometrics, mobile devices and FIDO security keys.

The World Wide Web Consortium (W3C) and the FIDO Alliance today announced the Web Authentication (WebAuthn) specification is now an official web standard. This advancement is a major step forward in making the web more secure – and usable – for users around the world.

WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can – and should – turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.

 

PCI DSS: Looking Ahead to Version 4.0

PCI SSC has begun efforts on PCI Data Security Standard version 4.0 (PCI DSS v4.0). PCI DSS v4.0 will incorporate input received from global PCI SSC stakeholders during the 2017 request for comments (RFC) period.

Some of the specific areas that stakeholders asked PCI SSC to review include: Authentication, specifically consideration for the NIST MFA/password guidance; Broader applicability for encrypting cardholder data on trusted networks; Monitoring requirements to consider technology advancement and Greater frequency of testing of critical controls.

PCI DSS v4.0 is not anticipated for release prior to late 2020. Specific timing on the release is dependent upon feedback received during the development period.

 

More #News

 

#Patch Time!

 

#Tech and #Tools

This content was created by Kindred Group Security. Please share if you enjoyed!

Kindred Group in brief

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.