Happy February!

Let's start with a new Sudo vulnerability that allows a low privileged user to run malicious code as root in macOS under a specific configuration. Sudo (superuser do) is a utility for UNIX- and Linux-based systems that provide an efficient way to give specific users permission to use specific system commands at the root (most powerful) level of the system. The vulnerability was discovered by Apple security expert and tracked as CVE-2019-18634.

The CVE-2019-18634 related to Sudo incorrectly handling memory operations when the ‘pwfeedback’ option is enabled in the Sudoers configuration file. The ‘pwfeedback’ option displays asterisk(*) when a user inputs password in the terminal and it is not enabled by default.

It can be disabled by changing  "Defaults pwfeedback" to "Defaults !pwfeedback" in the sudoers configuration and also there is a patch released to fix it.

Do you know a vulnerable smart bulb can expose your Wifi network to hackers? The answer is 'yes' because, a new high-severity vulnerability affecting Philips Hue Smart Light Bulbs that can be exploited over-the-air from over 100 meters away to gain entry into a targeted WiFi network.

It is tracked as CVE-2020-6007 and it is in the protocol used in Philips devices to communicate with each other known as ZigBee. An attacker can exploit the vulnerability using a laptop and antenna from over 100 meters by spreading spyware.

We have recently heard about a hacker who gave instructions to destroy things to a child by hacking a home security camera used by the mother to monitor that child. Even though smart home devices make life easier if it's not properly updated life may become in danger.

If automatic firmware update download feature is not enabled, affected users are recommended to manually install patches and change settings to revive future updates automatically.

If you are using Whatsapp Web version, you should be careful that a vulnerability (CVE-2019-18426) in it if exploited can steal data from your PC. When paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

Affected Versions are WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10 and the patches are now available to fix it.