Welcome back to this week's Security Bulletins, end of November edition.
Last week we talked about popular web browsers such as Google Chrome and Mozilla Firefox embracing DNS over HTTPS (DoH). This week Microsoft announced that it will be adding DoH as a Windows 10 component in the future. Although there are no details on when this will be available, the transition of DoH from a browser feature to something baked into the operating system is a welcome change, especially since Windows is the predominant OS when it comes to PCs. Microsoft is said to be providing this as an optional feature and will rely on user feedback to improve its implementation.
Applications invading user privacy have become a huge concern. Last week's report of the Facebook app for iOS strangely opening the camera was a scary "bug" for most users. On the Android side of things, it gets even scarier. Checkmarx posted a detailed dive into how Android manages its permissions and identified some issues which would allow rogue applications to record videos or take pictures using the Android camera app. Further analysis shows that this was possible through the permissions associated with the SD card used in the device. Once an application has been given access to the SD card, it has almost full access to its contents, which include camera files. Android has addressed this issue and patched the camera app in the Google Play Store.
Virtual Network Computing, commonly known as VNC, is one of the most popular desktop sharing systems and is supported by multiple OSs. Kaspersky, in their recent article on the implementations of VNC, found around 37 vulnerabilities, including one RCE flaw. Fortunately, all of them have been fixed by the project maintainers apart from one linked to TightVNC 1.x, which is no longer supported. The obvious fix here is to upgrade to TightVNC 2.