Three companies have already announced major security flaws in their products this week, and we haven’t even made it to Wednesday. And that’s not counting an additional location bug announced by Twitter with a more limited—though still worrisome—impact.
While it’s not uncommon for tech firms to disclose vulnerabilities on a regular basis, the number of severe problems this week seems particularly egregious—and potentially hard to keep track of. Here’s a quick rundown of everything you should know.
Intel Chip Vulnerability
Security researchers from Graz University of Technology announced that they had discovered a vulnerability affecting nearly every Intel chip manufactured since 2011, which would allow a hacker to steal data from a victim’s processor using four different bugs.
Researchers named the attack “ZombieLoad” and are comparing it to the Spectre and Meltdown flaws discovered last year. ZombieLoad allows hackers to take advantage of existing flaws in Intel chips, rather than having to implant malware onto the target devices. Intel, Apple, Microsoft, and Google have all released patches to address the vulnerability.
Cisco Router Bugs
Red Balloon, a cybersecurity firm, announced on Monday that it had been able to compromise Cisco’s 1001-X routers using two different bugs. The first bug allows the hacker to remotely gain root access to the router, which essentially grants a user administrative privileges on the device. Once the hackers have root access, they can then circumvent the router’s security protections using the second bug and infiltrate all the devices on the network. Given the popularity of Cisco’s routers, the vulnerability could have wide-ranging implications. Cisco announced on Monday that it would be releasing a patch.
WhatsApp, the encrypted messenger service owned by Facebook, announced on Monday that unidentified hackers tried to exploit a vulnerability in the platform by injecting spyware onto a victim’s phone via voice call. Even if the target didn’t answer the call, the hackers would still be able to infiltrate the device.
A source familiar with the situation told CNN that the NSO Group, a company based in Israel, designed the malware. (The NSO Group denied any involvement in executing the attack.) A United Kingdom lawyer for a human rights organization claimed to the Guardian that he was a target of the attempted hack, and that he is currently involved in a civil case against the NSO Group. The New York Times further reported that a Saudi dissident, Mexican journalists and activists, and a Qatari citizen were also among the targets.
WhatsApp is advising all users to download the latest version of the app, which has a patch for the vulnerability.
Twitter Location Glitch
Twitter announced on Monday that a bug was sharing users’ location data with a “trusted partner” in some cases without consent. The company says that the bug would only have affected users who had multiple accounts and had opted to share precise location data on one of the accounts. However, the company claims that only a user’s city or ZIP code, not precise address, would have been sent to the partner, and that this location data has already been deleted. Twitter has declined to disclose the identity of the partner or the length of time that this bug was sharing the data.