This NYTimes article caught my eye… I had heard of the WhatsApp vulnerability, but not the other two…
https://www.nytimes.com/2019/05/21/opinion/internet-security.html
There are links in the article to the researcher home pages or provide enough info to find on your own.
Summary:
1 WhatsApp. Exploited by one of those Isreali “security” companies that specialize in providing spy tools to governments and enforcement agencies, was found on a Saudi dissident phone. Upgrade to latest WhatsApp version to install patch.
2 Zombieload. Another speculative execution vulnerability like Meltdown and Spectre (Don’t know why it’s being given a new, separate name). Same type of vulnerability and exploitation, same mediation measures… older Intel CPUs can’t be patched so exploit vectors are blocked. Recent Intel CPUs will be patched automatically by your OS.
3 Thangrycat. Or, at least that’s the English approximation how to pronounce the Cisco vulnerability which is actually named by 3 angry cat emojis (The emojis will probably be pronounced differently in different languages). Similar to the Intel side-loading vulnerabities (Spectre, Meltdown, etc) with echoes of the TPM flaw, it’s a vulnerability of the most serious type, a flaw in the hardware chip that is the root authority for securing passwords on all Cisco products that use this chip since… well I don’t know. Although I don’t see any Linksys products on the affected product list, I assume anything that’s higher end, even common business routers to Internet backbone is affected. Since to date, the demonstrated exploit requires local Administrator access, the only line of defense is a password that can’t be guessed or hacked (and local login access, even over a network).
And, here is a bonus that might open the eyes of anyone who owns a phone or surfs the Internet…
https://www.buzzfeednews.com/article/craigsilverman/vidmate-app-download
Although only publicized exploit is this Chinese Vidmate app, the nuts and bolts look easy enough to implement by anyone unscrupulous. The point is that coders can “display” anything with any dimensions, possibly a single pixel so that it’s invisible but still present on a page. Although the accused exploit is ad fraud, consequences are really unlimited, subject only to the permissions granted to the application, and installed apps can ask for and be granted just about full access on a device.
Since there is literally no protection from such an app (and to a lesser extent Internet websites), the only real protection is to just not install any but the most needed apps, then pray. And, don’t ever visit an unscrupulous website.