{"id":34672,"date":"2025-10-12T12:47:45","date_gmt":"2025-10-12T19:47:45","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=34672"},"modified":"2025-10-12T12:51:01","modified_gmt":"2025-10-12T19:51:01","slug":"sb-2025-10-12","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/10\/sb-2025-10-12\/","title":{"rendered":"Security Bits \u2014 12 October 2025"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Another interesting twist in the NSO Group Saga: <a href=\"https:\/\/techcrunch.com\/2025\/10\/10\/spyware-maker-nso-group-confirms-acquisition-by-us-investors\/\">Spyware maker NSO Group confirms acquisition by US investors \u2014 techcrunch.com\/\u2026<\/a> (via Allison)<\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Apple have already patched all their \uf8ffOS 26s, mostly to fix bugs, but they also patched one critical vulnerability in their font parser \u2014 <a href=\"https:\/\/tidbits.com\/2025\/09\/29\/%EF%A3%BFos-26-0-1-updates-fix-early-bugs\/\">tidbits.com\/\u2026<\/a>\n<ul>\n<li>The font parser bug affected older OSes too, so Apple have back-ported the fix to their older OSes \u2014 <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32330\">isc.sans.edu\/\u2026<\/a> (iOS\/iPadOS 18, VisionOS 2, and macOS 14 Sonoma &amp; 15 Sequoia)<\/li>\n<\/ul>\n<\/li>\n<li>\u26a0\ufe0f <strong>WD MyCloud NAS Owners:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/critical-wd-my-cloud-bug-allows-remote-command-injection\/\">Critical WD My Cloud bug allows remote command injection \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Supported models patched, but two 
older models are now unpatchable: My Cloud DL4100 &amp;\u00a0My Cloud DL2100!)<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>\u26a0\ufe0f <strong>Discord Users:<\/strong> There has definitely been some kind of serious data breach affecting Discord users. At least 70,000 users have had their government-issued IDs stolen, and the hackers claim they have data on 5.5M users \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-claim-discord-breach-exposed-data-of-55-million-users\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>It seems certain that Discord&#8217;s Zendesk support portal was breached, so anyone who ever contacted Discord support is probably affected<\/li>\n<li>The attackers claim there was a management app connected to Zendesk called ZenBar that let them perform admin actions against <strong>all<\/strong> Discord users, including stealing account data and altering MFA settings, but Discord are currently denying that.<\/li>\n<li>Discord have not been open and transparent about this breach, so it&#8217;s reasonable to assume they are not telling us everything, at least not yet.<\/li>\n<\/ul>\n<\/li>\n<li>\u26a0\ufe0f <strong>Gamers:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/steam-and-microsoft-warn-of-unity-flaw-exposing-gamers-to-attacks\/\">Steam and Microsoft warn of Unity flaw exposing gamers to attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>The Unity engine is used by many major games, and they&#8217;re all going to need to be patched<\/li>\n<li>Microsoft\u2019s recommendation is to uninstall games until they are patched!<\/li>\n<\/ul>\n<\/li>\n<li>A timely reminder of the importance of not reusing passwords: <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/draftkings-warns-of-account-breaches-in-credential-stuffing-attacks\/\">DraftKings warns of account breaches in credential stuffing attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a> (<em>Password Stuffing<\/em> is trying passwords leaked by one site on another)<\/li>\n<li>A reminder that cheap uncertified knock-offs are genuinely dangerous: <a href=\"https:\/\/www.theverge.com\/news\/784966\/lumafield-x-ray-ct-scan-lithium-ion-battery-risks-manufacturing-defect\">X-ray scans reveal the hidden risks of cheap batteries \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>The many sides of AI on display again:\n<ul>\n<li>Two timely reminders that the cutting edge of AI tech is still a very dangerous place:\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/comet-ai-browser-vulnerable-to-full-data-exfiltration-via-malicious-urls\/\">Comet AI Browser Vulnerable to Full Data Exfiltration via Malicious URLs \u2014 cyberinsider.com\/\u2026<\/a> <\/li>\n<\/ul>\n<blockquote><p>\n  A critical vulnerability in Perplexity\u2019s Comet browser allows attackers to silently exfiltrate emails, calendar data, and other sensitive user information using a single malicious URL.\n<\/p><\/blockquote>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-wont-fix-new-ascii-smuggling-attack-in-gemini\/\">Google won\u2019t fix new ASCII smuggling attack in Gemini \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<blockquote><p>\n  ASCII smuggling is an attack where special characters from the Tags Unicode block are used to introduce payloads that are invisible to users but can still be detected and processed by large-language models (LLMs). 
It\u2019s similar to other attacks that researchers presented recently against Google Gemini, which all exploit a gap between what users see and what machines read \u2026 Regarding Gemini, its integration with Google Workspace poses a high risk, as attackers could use ASCII smuggling to embed hidden text in Calendar invites or emails \u2026 the researcher states that \u201cfor users with LLMs connected to their inboxes, a simple email with hidden commands can instruct the LLM to search the inbox for sensitive items or send contact details, turning a standard phishing attempt into an autonomous data extraction tool. \u2026 Claude, ChatGPT, and Microsoft CoPilot proved secure against ASCII smuggling, implementing some form of input sanitization\n<\/p><\/blockquote>\n<\/li>\n<li>A reminder that AI helps the defenders too: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-drive-for-desktop-gets-ai-powered-ransomware-detection\/\">Google Drive for desktop gets AI-powered ransomware detection \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/p>\n<\/li>\n<li>\n<p>A reminder that the industry is evolving to secure AI: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/google\/googles-new-ai-bug-bounty-program-pays-up-to-30-000-for-flaws\/\">Google&#8217;s new AI bug bounty program pays up to $30,000 for flaws \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/apple-now-offers-2-million-for-zero-click-rce-vulnerabilities\/\">Apple now offers $2 million for zero-click RCE vulnerabilities \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/p>\n<blockquote><p>\n  Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure.\n<\/p><\/blockquote>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a 
href=\"https:\/\/arstechnica.com\/tech-policy\/2025\/10\/apple-and-google-reluctantly-comply-with-texas-age-verification-law\/\">Apple and Google reluctantly comply with Texas age verification law \u2014 arstechnica.com\/\u2026<\/a> &amp; <a href=\"https:\/\/cyberinsider.com\/apple-warns-of-privacy-risks-as-texas-age-verification-law-takes-effect\/\">Apple Warns of Privacy Risks as Texas Age Verification Law Takes Effect \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>The fundamental problem with this law is that it applies to <strong>all<\/strong> apps, not just apps with adult content, making it impossible to install <strong>any<\/strong> app without having the documentation to prove your age, and entrusting app stores with that very sensitive information. This is a critical difference to the also controversial UK law that came into force a few months ago, which only applies to apps presenting adult content.<\/p>\n<\/li>\n<li>\n<p>How Apple is complying: <a href=\"https:\/\/www.macobserver.com\/news\/apple-sets-new-rules-for-texas-under-states-age-verification-law\/\">Apple sets new Rules for Texas under State\u2019s Age Verification Law \u2014 www.macobserver.com\/\u2026<\/a><\/p>\n<\/li>\n<\/ul>\n<blockquote>\n<p>If you create a new Apple account in Texas next year, you\u2019ll have to confirm whether you\u2019re 18 or older. 
Anyone under 18 must join a Family Sharing group, and parents will need to approve every app download, purchase, and in-app transaction.\n<\/p><\/blockquote>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/cyberinsider.com\/ftc-sues-anonymous-messaging-app-sendit-for-collecting-children-data\/\">FTC Sues Anonymous Messaging App Sendit For Collecting Children Data \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>Based on this suit it sounds like Sendit is the kind of app parents should banish from their children&#8217;s phones ASAP<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddea\ud83c\uddfa There&#8217;s an important EU vote coming up on a controversial proposed law that would force chat clients to implement client-side scanning similar to the proposals Apple was forced to abandon a few years ago \u2013 the Netherlands will be voting against the proposal \u2014 <a href=\"https:\/\/cyberinsider.com\/netherlands-rejects-chat-control-proposal-which-threatens-encryption\/\">cyberinsider.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> to my fellow EU citizens, please reach out to your relevant ministers and ask them to follow the Dutch lead and also vote this thing down!<\/li>\n<\/ul>\n<\/li>\n<li>Some nice new security enhancements:\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/gmail-now-lets-you-send-fully-encrypted-emails-across-the-open-web\/\">Gmail Now Lets You Send Fully Encrypted Emails Across the Open Web \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<blockquote><p>\n  Recipients who are not using Gmail receive an email notification with a secure link to access the encrypted message. 
This link opens a restricted, web-based version of Gmail where they can read and respond securely using a temporary guest Workspace account.\n<\/p><\/blockquote>\n<ul>\n<li>Note that this is only for emails sent from Google Workspace (enterprise) accounts<\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-outlook-stops-displaying-inline-svg-images-used-in-attacks\/\">Microsoft Outlook stops displaying inline SVG images used in attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Attackers recently started abusing the rarely used JavaScript features supported in the SVG spec to sneak malicious code into emails)<\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/cyberinsider.com\/signal-adds-post-quantum-triple-ratchet-protocol-for-stronger-security\/\">Signal Adds Post-Quantum \u201cTriple Ratchet\u201d Protocol for Stronger Security \u2014 cyberinsider.com\/\u2026<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/cyberinsider.com\/firefox-to-roll-out-streamlined-profile-management-with-data-isolation\/\">Firefox to Roll Out Streamlined Profile Management with Data Isolation \u2014 cyberinsider.com\/\u2026<\/a> (Profiles have existed in Firefox for decades, but they were extremely difficult to use, and required custom key combinations or obscure terminal commands to use, so this really is a meaningful improvement)<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>In 2018, California passed the California Consumer Privacy Act (CCPA) which required web services to allow users to opt out of tracking cookies. This is great, but every single web service has a different method and it&#8217;s tedious to do it on every single site. On October 8th, the California governor signed into law AB566 which requires web browsers to allow users to opt out of all third-party tracking with a single setting. 
Two additional bills were also signed into law: SB 361 gives consumers more information about what information is collected by data brokers, and AB 656 requires social media companies to make canceling an account straightforward and clear, and to fully delete the account&#8217;s personal data.<\/p>\n<ul>\n<li><strong>Editorial by Allison:<\/strong> Yay!<\/li>\n<li><a href=\"https:\/\/www.engadget.com\/big-tech\/california-just-passed-three-bills-to-boost-internet-privacy-120031025.html?guccounter=1\">California just passed three bills to boost internet privacy<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li>\ud83c\udfa7 <strong>From Allison:<\/strong> \ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/randombutmemorable.simplecast.com\/episodes\/voice-clone-identity-theft\">Random But Memorable: How to protect yourself from digital identity theft with Eva Velasquez \u2014 randombutmemorable.simplecast.com\/\u2026<\/a>\n<ul>\n<li>1Password has an excellent podcast called Random But Memorable. Episode 15.6 included an interview with Eva Velasquez, CEO of the Identity Theft Resource Center. This is a non-profit organization people can turn to if their identity has been stolen, and they&#8217;ll be assigned a case manager to help them navigate untangling the situation. People can also call just to ask questions before something bad happens. 
The interview is very interesting, and knowing this resource is out there is important.<\/li>\n<li>The Identity Theft Resource Center \u2014 <a href=\"https:\/\/www.idtheftcenter.org\/\">www.idtheftcenter.org\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>An excellent overview of the current state of the built-in protections on macOS and where AV product can still play a potentially useful role: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/can-macs-get-viruses\/\">Can Macs Really Get Viruses in 2025? What Every Mac User Needs to Know \u2014 www.intego.com\/\u2026<\/a> (given the source, could easily have just been an ad,  but it&#8217;s surprisingly dispassionate and avoids scare mongering)<\/li>\n<li>\ud83c\udfa7 An excellent discussion of how NodeJS users can stay safe as attackers poison the NPM package ecosystem: <a href=\"https:\/\/overcast.fm\/+AAHZUdV28HM\">The Changelog: Software Development, Open Source: npm under siege, and what to do about it \u2014 overcast.fm\/\u2026<\/a>\n<ul>\n<li>Bart&#8217;s long-standing advice to avoid automatically-updating all packages all the time by committing <code>package-lock.json<\/code> to Git and always using <code>npm ci<\/code> rather than <code>npm install<\/code> to initialise fresh Git clones is backed up by the expert guest.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Allison:<\/strong> <a href=\"https:\/\/mastodon.uno\/@brozu\/114547013857941558\">502 Bad Gateway \u2014 brozu on mastodon.uno<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written 
by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Another interesting twist in the NSO Group Saga: Spyware maker NSO Group confirms acquisition by US investors \u2014 techcrunch.com\/\u2026 (via Allison) \u2757 Action Alerts Calls to action, if any stories in this section are [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[170,2060,4709,2003,3469],"class_list":["post-34672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-hack","tag-malware","tag-nso-group","tag-vulnerabilities","tag-western-digital"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34672","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\
/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=34672"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34672\/revisions"}],"predecessor-version":[{"id":34675,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/34672\/revisions\/34675"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=34672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=34672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=34672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}