Data Storage

Windows 10 Bug Corrupts Your Hard Drive On Seeing This File's Icon (bleepingcomputer.com)

An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command. Bleeping Computer reports: In August 2020, October 2020, and finally this week, infosec researcher Jonas L drew attention to an NTFS vulnerability impacting Windows 10 that has not been fixed. When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records. The researcher told BleepingComputer that the flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in the latest version. What's worse is, the vulnerability can be triggered by standard and low privileged user accounts on Windows 10 systems. [...] It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue doesn't work.

One striking finding shared by Jonas with us was that a crafted Windows shortcut file (.url) that had its icon location set to C:\:$i30:$bitmap would trigger the vulnerability even if the user never opened the file! As observed by BleepingComputer, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file's icon. To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process. Next, "restart to repair hard drive" notifications start popping up on the Windows PC -- all this without the user even having opened or double-clicked on the shortcut file.
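A defensive check for the shortcut behaviour described above, as an added example that is not from the article or the researcher: it parses `.url` files as INI text and flags any `IconFile` value that contains NTFS attribute syntax (`:$name`). The sample inputs, the placeholder attribute name and all function names are constructed for illustration.

```python
import configparser
import re
from pathlib import Path

# ":$NAME" is NTFS attribute/stream syntax, the shape of the icon path quoted
# above; ordinary icon locations (DLL, ICO, http URL) never contain it.
NTFS_ATTR = re.compile(r":\$\w+")

# Constructed samples; the flagged one uses a placeholder attribute name.
FLAGGED = b"[InternetShortcut]\r\nURL=https://example.com/\r\nIconFile=X:\\:$EXAMPLE:$attr\r\n"
BENIGN = b"[InternetShortcut]\r\nURL=https://example.com/\r\nIconFile=C:\\Windows\\System32\\shell32.dll\r\n"


def decode_shortcut(raw: bytes) -> str:
    """Decode .url bytes: honour a UTF-16/UTF-8 BOM, else fall back to Latin-1."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw.decode("utf-8-sig", errors="replace")
    return raw.decode("latin-1")


def suspicious_icons(raw: bytes) -> list[str]:
    """Return IconFile values in a .url (INI) file that use NTFS attribute syntax."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(decode_shortcut(raw))
    except configparser.Error:
        return []  # not INI-shaped, so there is no IconFile to inspect
    hits = []
    for section in parser.sections():
        # Option names are lowercased by configparser, so this matches IconFile.
        value = parser.get(section, "iconfile", fallback="")
        if NTFS_ATTR.search(value):
            hits.append(value)
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each .url file under root to its flagged IconFile values."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".url":
            hits = suspicious_icons(path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings
```

Running `scan_tree` over a downloads directory or a mail-attachment quarantine returns only the shortcut files worth a closer look.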

Security

Amazon's Ring Neighbors App Exposed Users' Precise Locations and Home Addresses (techcrunch.com)

A security flaw in Ring's Neighbors app was exposing the precise locations and home addresses of users who had posted to the app. From a report: Ring, the video doorbell and home security startup acquired by Amazon for $1 billion, launched Neighbors in 2018 as a breakaway feature in its own standalone app. Neighbors is one of several neighborhood watch apps, like Nextdoor and Citizen, that lets users anonymously alert nearby residents to crime and public-safety issues. While users' posts are public, the app doesn't display names or precise locations -- though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes. But the exposed data wasn't visible to anyone using the app. Rather, the bug was retrieving hidden data, including the user's latitude and longitude and their home address, from Ring's servers. Another problem was that every post was tied to a unique number generated by the server that incremented by one each time a user created a new post. Although the number was hidden from view to the app user, the sequential post number made it easy to enumerate the location data from previous posts -- even from users who aren't geographically nearby.

Google

Google Reveals Sophisticated Windows and Android Hacking Operation (zdnet.com)

Google published a six-part report this week detailing a sophisticated hacking operation that the company detected in early 2020 and which targeted owners of both Android and Windows devices. From a report: The attacks were carried out via two exploit servers delivering different exploit chains via watering hole attacks, Google said. "One server targeted Windows users, the other targeted Android," Project Zero, one of Google's security teams, said in the first of six blog posts. Google said that both exploit servers used Google Chrome vulnerabilities to gain an initial foothold on victim devices. Once an initial entry point was established in the user's browsers, attackers deployed an OS-level exploit to gain more control of the victim's devices. The exploit chains included a combination of both zero-day and n-day vulnerabilities, where zero-day refers to bugs unknown to the software makers, and n-day refers to bugs that have been patched but are still being exploited in the wild.

Desktops (Apple)

Apple Removes Feature That Allowed Its Apps To Bypass macOS Firewalls and VPNs (zdnet.com)

Apple has removed a controversial feature from the macOS operating system that allowed 53 of Apple's own apps to bypass third-party firewalls, security tools, and VPN apps installed by users for their protection. From a report: Known as the ContentFilterExclusionList, the list was included in macOS 11, also known as Big Sur. The exclusion list included some of Apple's biggest apps, like the App Store, Maps, and iCloud, and was physically located on disk at: /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist.

Its presence was discovered last October by several security researchers and app makers who realized that their security tools weren't able to filter or inspect traffic for some of Apple's applications. Security researchers such as Patrick Wardle, and others, were quick to point out at the time that this exclusion risk was a security nightmare waiting to happen. They argued that malware could latch on to legitimate Apple apps included on the list and then bypass firewalls and security software.
