The BSI report on the state of IT security in Germany presents alarming figures: In 2023, the Federal Office for Information Security registered an average of 68 new vulnerabilities in software products every day, resulting in almost 25,000 new vulnerabilities per year.
Security-related errors were counted in programs of all kinds, from specialist applications for industry to server software for companies and smartphone apps.
Most of these vulnerabilities, around 47 percent, enabled the execution of unauthorized commands or program code. In this way, the attackers could, for example, install ransomware on a computer, bypass security measures, extend their own access rights, or read out data in order to sell it to other groups or blackmail the owners.
Winrar executes embedded scripts and loads malicious code
In an earlier version of Winrar, attackers were able to smuggle scripts onto the user’s computer via a prepared archive.
IDG
In August 2023, a security vulnerability was discovered in the popular Winrar packing program that allowed criminal hackers to execute scripts on the user’s computer. The cause was an error in the tool’s handling of file name extensions.
On this basis, it was possible to prepare RAR archives in such a way that a script was automatically started when a file was opened and, for example, additional files were downloaded from the internet.
In August, Win.rar GmbH released the revised version 6.23, which fixed the error. Version 6.24 is now available. However, it is likely that many users are still working with an earlier, vulnerable version of the program.
Another major problem is that many other manufacturers have licensed Winrar’s compression mechanism and incorporated it into their own products. One example is the Total Commander file manager. Therefore, if a program offers to open and create RAR archives, you should definitely update it to the latest version.
Further reading: The best antivirus for Windows
VLC Media Player is now available in version 3.0.20, in which the vulnerability has been fixed.
IDG
The open source software VLC Media Player has been attracting media attention for several years now, as security vulnerabilities have been discovered time and again. However, some of these were false reports, such as a news item from 2019.
The error only affected the Linux version of the VLC player and, according to the VLC developers, the cause was not in their software but in a faulty program library in some Linux distributions.
However, it has been confirmed that some VLC downloads from unofficial sites contain a foreign DLL file that is loaded when the tool is called up and subsequently enables access to the computer from outside. The lesson learned: Only ever download software from the manufacturer’s website or from trustworthy sites.
In 2022, however, a number of critical security vulnerabilities in VLC Player also became known. These made it possible for an attacker to cause the tool to crash via a prepared file, for example, and retrieve malicious code from external sources or trigger a denial of service, i.e. paralyze the computer. All the user had to do was play a video file or open a playlist.
The manufacturer Videolan fixed the problems with version 3.0.18; the current version is 3.0.20.
Images in the graphic format Webp bring malicious code with them
In addition to Google Chrome, the entry in the NIST vulnerability database lists several other programs and operating systems that were vulnerable to the flaw in the Webp graphics format.
IDG
Last September, Google registered a vulnerability in its Chrome browser that allowed attackers to trigger a buffer overflow and execute malicious code. The widely used graphic format Webp, which is characterized by particularly small file sizes, was affected.
All a user had to do was open a crafted image in this format and the code was executed on their computer. With Google Chrome, it was sufficient to open a website with a Webp image.
Just a few hours later, the company corrected itself and explained that a number of other applications besides Chrome were vulnerable. In fact, the bug was not in the browser itself, but in the open library libwebp, which the program accesses when opening webp images. This library is also used by numerous other programs, including Chrome, Firefox, and Edge as well as applications such as Gimp, Inkscape, Libreoffice, Signal, Thunderbird, and 1Password.
While patches have long been available for browsers, which are also installed automatically, many programs on users’ PCs are probably still running in outdated, unpatched versions. You should therefore immediately update any software that can read Webp graphics to the latest version number.
How to protect yourself from vulnerabilities in programs
Recently, numerous serious security vulnerabilities have been discovered in widely used programs. These pose a massive threat to PC security. We will show you which vulnerabilities are involved and how you can close them.
- Install available patches and new software versions immediately. Use a tool such as the free Ucheck to regularly check for new releases.
- Use a password manager such as Dashlane or Bitwarden. Define a different password for each service, shop, account, etc. and choose long and complex character combinations.
- Wherever possible, you should use two-factor authentication.
- Regularly back up your most important data to an external medium, which you then disconnect from your computer.
- Be aware of the dangers of phishing mails. Check the sender’s address and the links contained in messages from banks, streaming providers and delivery services in particular.
Memory errors in Foxit PDF Reader allow malicious code to run
A previous version of Foxit PDF Reader had a vulnerability that allowed malicious code to be executed when opening prepared PDF files. It is not known whether Foxit users were actually attacked.
IDG
In November 2023, several vulnerabilities were discovered in Foxit PDF Reader and Foxit PDF Editor that could lead to memory errors when opening manipulated document files. It was then possible for an attacker to execute arbitrary malicious code on the computer.
The manufacturer has now released version 2023.3, which closes these vulnerabilities.
Further reading: The best password managers
Watch out: New Outlook version passes on login data
When setting up the new Outlook, you will be asked for your IMAP access data, which will then be saved in the Microsoft cloud.
IDG
The days of the Windows programs Mail and Calendar are numbered. Microsoft wants to establish an email program with a standardized interface and the name Outlook across all operating system platforms. The web version of Outlook is to be the model.
The two Windows apps mentioned above will also fall victim to these plans, and users will be more or less gently urged to switch to the new Outlook in Windows 11 in the coming months. It is already included in the current Windows 11. However, this is not the planned new Outlook version from Microsoft 365, which will only be introduced at a later date.
To make the switch, users have to set up their IMAP accounts in the new Outlook and also enter their user names and passwords. As has now been revealed, this data does not remain on the local computer, but is transferred to the Microsoft cloud and stored there.
Microsoft’s reasoning: this makes it possible to synchronize all of the user’s existing email accounts so that they only need one email program for all of their mailboxes. However, if Microsoft has the access data, the company can read all of a person’s emails, both the messages in its own services such as Outlook.com and the emails in the inboxes of other providers.
This article was translated from German to English and originally appeared on pcwelt.de.
