Archive for the ‘vulnerabilities’ Category

Why a Windows flaw patched nine days ago is still spooking the Internet

May 23rd, 2019
Artist's impression of a malicious hacker coding up a BlueKeep-based exploit.

Enlarge / Artist's impression of a malicious hacker coding up a BlueKeep-based exploit. (credit: Getty Images / Bill Hinton)

It has been nine days since Microsoft patched the high-severity vulnerability known as BlueKeep, and yet the dire advisories about its potential to sow worldwide disruptions keep coming.

Until recently, there was little independent corroboration that exploits could spread virally from computer to computer in a way not seen since the WannaCry and NotPetya worms shut down computers worldwide in 2017. Some researchers felt Microsoft has been unusually tight-lipped with partners about this vulnerability, possibly out of concern that any details, despite everyone’s best efforts, might hasten the spread of working exploit code.

Until recently, researchers had to take Microsoft's word the vulnerability was severe. Then five researchers from security firm McAfee reported last Tuesday that they were able to exploit the vulnerability and gain remote code execution without any end-user interaction. The post affirmed that CVE-2019-0708, as the vulnerability is indexed, is every bit as critical as Microsoft said it was.

Read 16 remaining paragraphs | Comments

Posted in Biz & IT, exploits, microsoft, vulnerabilities, Windows | Comments (0)

Serial publisher of Windows 0-days drops exploits for 3 more unfixed flaws

May 23rd, 2019
Screenshot of Windows Explorer.

Enlarge (credit: SandboxEscaper)

A serial publisher of Microsoft zeroday vulnerabilities has dropped exploit code for three more unpatched flaws, marking the seventh time the unknown person has done so in the past year.

Technical details of the vulnerabilities, along with working proof-of-concept exploits, are the work of someone using the moniker SandBoxEscaper. A local privilege-escalation vulnerability in the Windows Task Scheduler that was disclosed on Tuesday allows an authenticated attacker to gain SYSTEM privileges on an affected system. On Thursday, the person released a privilege escalation code that exploits a bug in the Windows Error Reporting service. Attackers can use it to modify files that would normally be off limits. A third exploit, which was also released Wednesday, works against Internet Explorer 11 and allows attackers to execute a JavaScript that runs with higher system access than is normally permitted by the browser sandbox.

Decent deal

Like the other exploits SandboxEscaper has published over the past year, including this one Ars covered last October, the three recent ones don’t allow attackers to remotely execute malicious code. Still, as security defenses in recent versions of Windows and other operating systems have improved, the value of these types of exploits has grown, since they are often the only way to bypass security sandboxes and similar protections. Despite some limitations in the exploit that were transparently noted by SandBoxEscaper, the disclosures are significant if they work as purported against fully patched versions of Windows 10.

Read 5 remaining paragraphs | Comments

Posted in 0day, Biz & IT, exploits, microsoft, vulnerabilities, Windows, zeroday | Comments (0)

The radio-navigation planes use to land safely is insecure and can be hacked

May 15th, 2019
A plane in the researchers' demonstration attack as spoofed ILS signals induce a pilot to land to the right of the runway.

Enlarge / A plane in the researchers' demonstration attack as spoofed ILS signals induce a pilot to land to the right of the runway. (credit: Sathaye et al.)

Just about every aircraft that has flown over the past 50 years—whether a single-engine Cessna or a 600-seat jumbo jet—relies on radios to safely land at airports. These instrument landing systems are considered precision approach systems, because, unlike GPS and other navigation systems, they provide crucial real-time guidance about both the plane’s horizontal alignment with a runway and its vertical rate of descent. In many settings—particularly during foggy or rainy nighttime landings—this radio-based navigation is the primary means for ensuring planes touch down at the start of a runway and on its centerline.

Like many technologies built in earlier decades, the ILS was never designed to be secure from hacking. Radio signals, for instance, aren’t encrypted or authenticated. Instead, pilots simply assume that the tones their radio-based navigation systems receive on a runway’s publicly assigned frequency are legitimate signals broadcast by the airport operator. This lack of security hasn’t been much of a concern over the years, largely because the cost and difficulty of spoofing malicious radio signals made attacks infeasible.

Now, researchers have devised a low-cost hack that raises questions about the security of ILS, which is used at virtually every civilian airport throughout the industrialized world. Using a $600 software defined radio, the researchers can spoof airport signals in a way that causes a pilot’s navigation instruments to falsely indicate a plane is off course. Normal training will call for the pilot to adjust the plane’s descent rate or alignment accordingly and create a potential accident as a result.

Read 36 remaining paragraphs | Comments

Posted in aviation, Biz & IT, exploits, Features, ils, instrument landing systems, security, vulnerabilities | Comments (0)

Microsoft warns wormable Windows bug could lead to another WannaCry

May 14th, 2019
Image of ones and zeros with the word

(credit: Pixabay)

Microsoft is warning that the Internet could see another exploit with the magnitude of the WannaCry attack that shut down computers all over the world two years ago unless people patch a high-severity vulnerability. The software maker took the unusual step of backporting the just-released patch for Windows 2003 and XP, which haven’t been supported in four and five years, respectively.

“This vulnerability is pre-authentication and requires no user interaction,” Simon Pope, director of incident response at the Microsoft Security Response Center, wrote in a published post that coincided with the company’s May Update Tuesday release. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

As if a self-replicating, code-execution vulnerability wasn’t serious enough, CVE-2017-0708, as the flaw in Windows Remote Desktop Services is indexed, requires low complexity to exploit. Microsoft’s Common Vulnerability Scoring System Calculator scores that complexity as 3.9 out of 10. (To be clear, the WannaCry developers had potent exploit code written by, and later stolen from, the National Security Agency, to exploit the wormable CVE-2017-0144 and CVE-2017-0145 flaws, which had exploit complexities rated as "high.") Ultimately, though, developing reliable exploit code for this latest Windows vulnerability will require relatively little work.

Read 8 remaining paragraphs | Comments

Posted in Biz & IT, computer worm, exploits, microsoft, vulnerabilities, Windows | Comments (0)

WhatsApp vulnerability exploited to infect phones with Israeli spyware

May 14th, 2019
Photograph of a hand using WhatsApp on a smartphone.

Enlarge (credit: Santeri Viinamäki)

Attackers have been exploiting a vulnerability in WhatsApp that allowed them to infect phones with advanced spyware made by Israeli developer NSO Group, the Financial Times reported on Monday, citing the company and a spyware technology dealer.

A representative of WhatsApp, which is used by 1.5 billion people, told Ars that company researchers discovered the vulnerability earlier this month while they were making security improvements. CVE-2019-3568, as the vulnerability has been indexed, is a buffer overflow vulnerability in the WhatsApp VOIP stack that allows remote code execution when specially crafted series of SRTCP packets are sent to a target phone number, according to this advisory.

According to the Financial Times, exploits worked by calling either a vulnerable iPhone or Android device using the WhatsApp calling function. Targets need not have answered a call, and the calls often disappeared from logs, the publication said. The WhatsApp representative said the vulnerability was fixed in updates released on Friday.

Read 8 remaining paragraphs | Comments

Posted in Biz & IT, exploits, NSO Group, spyware, vulnerabilities, Whatsapp | Comments (0)

Open source bug poses threat to sites running multiple CMSes

May 9th, 2019
Image of ones and zeros with the word

(credit: Pixabay)

Websites running the Drupal, Joomla, or Typo3 content-management systems are vulnerable to attacks that could possibly execute malicious code until administrators install just-released patches, developers and security researchers warned.

The vulnerability resides in the PharStreamWrapper, a PHP component developed and open-sourced by CMS maker Typo3. Indexed as CVE-2019-11831, the flaw stems from a path-traversal bug that allows hackers to swap a site's legitimate phar archive with a malicious one. A phar archive is used to distribute a complete PHP application or library in a single file, in much the way a Java archive file bundles many Java files into a single file.

In an advisory published Wednesday, Drupal developers rated the severity of the vulnerability affecting their CMS as moderately critical. That's well below the highly critical rating of a recent Drupal vulnerability and earlier remote-execution flaws that took on the name "Drupalgeddon." Still, the vulnerability represents enough of a risk that administrators should patch it as soon as possible.

Read 8 remaining paragraphs | Comments

Posted in Biz & IT, CMS, content management systems, Drupal, Joomla, typo3, vulnerabilities | Comments (0)

Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak

May 7th, 2019
The National Security Agency headquarters in Fort Meade, Maryland.

Enlarge / The National Security Agency headquarters in Fort Meade, Maryland. (credit: National Security Agency)

On of the most significant events in computer security came in April 2017, when a still-unidentified group calling itself the Shadow Brokers published a trove of the National Security Agency’s most coveted hacking tools. The leak and the subsequent repurposing of the exploits in the WannaCry and NotPetya worms that shut down computers worldwide made the theft arguably one of the NSA’s biggest operational mistakes ever.

On Monday, security firm Symantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016, fourteen months prior to the Shadow Brokers leak. An advanced persistent threat hacking group that Symantec has been tracking since 2010 somehow got access to a variant of the NSA-developed DoublePulsar backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers. The revelation that the powerful NSA tools were being repurposed much earlier than previously thought is sure to touch off a new round of criticism about the agency’s inability to secure its arsenal.

Killing NOBUS

“This definitely should bring additional criticism of the ability to protect their tools,” Jake Williams, a former NSA hacker who is now a cofounder of Rendition Infosec, told Ars. “If they didn't lose the tools from a direct compromise, then the exploits were intercepted in transit or they were independently discovered. All of this completely kills the NOBUS argument.” “NOBUS” is shorthand for nobody but us, a mantra NSA officials use to justify their practice of privately stockpiling certain exploits, rather than reporting the underlying vulnerabilities so they can be fixed.

Read 11 remaining paragraphs | Comments

Posted in APT3, Biz & IT, buckeye, exploits, National Security Agency, NSA, shadow brokers, vulnerabilities | Comments (0)

Zero-day attackers deliver a double dose of ransomware—no clicking required

April 30th, 2019
Screenshot of ransomware warning.

Enlarge (credit: Cisco Talos)

Attackers have been actively exploiting a critical zero-day vulnerability in the widely used Oracle WebLogic server to install ransomware, with no clicking or other interaction necessary on the part of end users, researchers from Cisco Talos said on Tuesday.

The vulnerability and working exploit code first became public two weeks ago on the Chinese National Vulnerability Database, according to researchers from the security educational group SANS ISC, who warned that the vulnerability was under active attack. The vulnerability is easy to exploit and gives attackers the ability to execute code of their choice on cloud servers. Because of their power, bandwidth, and use in high-security cloud environments, these servers are considered high-value targets. The disclosure prompted Oracle to release an emergency patch on Friday.

On Tuesday, researchers with Cisco Talos said CVE-2019-2725, as the vulnerability has been indexed, has been under active exploit since at least April 21. Starting last Thursday—a day before Oracle patched the zero-day vulnerability, attackers started using the exploits in a campaign to install “Sodinokibi,” a new piece of ransomware. In addition to encrypting valuable data on infected computers, the malicious program attempts to destroy shadow copy backups to prevent targets from simply restoring the lost data. Oddly enough, about eight hours after infection, the attackers exploited the same vulnerability to install a different piece of ransomware known as GandCrab.

Read 4 remaining paragraphs | Comments

Posted in Biz & IT, exploits, malware, oracle, ransomware, vulnerabilities, WebLogic | Comments (0)

Bloomberg claims Vodafone found backdoors in Huawei equipment; Vodafone disagrees

April 30th, 2019
5G Logo in the shape of a butterfly.

Enlarge / PORTUGAL - 2019/03/04: 5G logo is seen on an android mobile phone with Huawei logo on the background. (credit: Omar Marques/SOPA Images/LightRocket via Getty Images)

Vodafone, the largest mobile network operator in Europe, found backdoors in Huawei equipment between 2009 and 2011, reports Bloomberg. With these backdoors, Huawei could have gained unauthorized access to Vodafone's "fixed-line network in Italy." But Vodafone disagrees, saying that—while it did discover some security vulnerabilities in Huawei equipment—these were fixed by Huawei and in any case were not remotely accessible, and hence they could not be used by Huawei.

Bloomberg's claims are based on Vodafone's internal security documentation and "people involved in the situation." Several different "backdoors" are described: unsecured telnet access to home routers, along with "backdoors" in optical service nodes (which connect last-mile distribution networks to optical backbone networks) and "broadband network gateways" (BNG) (which sit between broadband users and the backbone network, providing access control, authentication, and similar services).

In response to Bloomberg, Vodafone said that the router vulnerabilities were found and fixed in 2011 and the BNG flaws were found and fixed in 2012. While it had documentation about some optical service node vulnerabilities, Vodafone continued, it had no information about when they were fixed. Further, the network operator said that it had no evidence of issues outside Italy.

Read 9 remaining paragraphs | Comments

Posted in 5G, backdoors, Biz & IT, china, cyberwar, Huawei, security, Tech, vulnerabilities | Comments (0)

Unexpected security feature in Microsoft Edge could allow for file theft

April 19th, 2019
Unexpected security feature in Microsoft Edge could allow for file theft

Enlarge (credit: Brian Smithson / Flickr)

A researcher has uncovered strange and unexpected behavior in Windows 10 that allows remote attackers to steal data stored on hard drives when a user opens a malicious file downloaded with the Edge browser.

The threat partially surfaced last week when a different researcher, John Page, reported what he called a flaw in Internet Explorer. Page claimed that when using the file manager to open a maliciously crafted MHT file downloaded with Internet Explorer, the browser uploaded one or more files to a remote server. According to Page, the vulnerability affected the most recent version of IE, version 11, running on Windows 7, Windows 10, and Windows Server 2012 R2 with all security updates installed. (It’s no longer clear whether any OS other than Windows 10 is affected, at least for some users. More about that in a moment.)

Below this paragraph in Page's post was a video demonstration of the proof-of-concept exploit Page created. It shows a booby-trapped MHT file triggering an upload of the host computer's system.ini file to a remote server. Interestingly, while Page's post says his exploit is triggered when the malicious file is downloaded by IE, and makes no mention of Edge at all, the video shows the file being downloaded with the newer Microsoft browser.

Read 15 remaining paragraphs | Comments

Posted in Biz & IT, EDGE, exploits, Internet Explorer, vulnerabilities, Windows | Comments (0)