Archive for the ‘vulnerabilities’ Category

Solved: Why in-the-wild Bluekeep exploits are causing patched machines to crash

November 11th, 2019

Recent in-the-wild attacks on the critical Bluekeep vulnerability in many versions of Windows aren’t just affecting unpatched machines. It turns out the exploits—which repurpose the September release from the Metasploit framework—are also causing many patched machines to crash.

Late last week, Windows users learned why: a separate patch Microsoft released 20 months ago for the Meltdown vulnerability in Intel CPUs. Word of the crashes first emerged five days ago, when researcher Kevin Beaumont discovered a malicious, in-the-wild Bluekeep exploit caused one of his honeypots to crash four times overnight. Metasploit developer Sean Dillon initially blamed the crashes on “mystical reptilian forces that control everything.” Then he read a Twitter post from researcher Worawit Wang:

In a post published on Thursday, Dillon wrote:

Posted in Biz & IT, Blue Screen of Death, bluekeep, crash, exploits, vulnerabilities, Windows

Actively exploited bug in fully updated Firefox is sending users into a tizzy

November 5th, 2019

Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning the computer is running a pirated version of Windows that has been hacked.

The message reads:

Please stop and do not close the PC... The registry key of your computer is locked. Why did we block your computer? The Windows registry key is illegal. The Windows desktop is using pirated software. The Window desktop sends viruses over the Internet. This Windows desktop is hacked. We block this computer for your safety.

The message then advises the person to call a toll-free number in the next five minutes or face having the computer disabled. Below is a GIF showing the attack flow:

Posted in Biz & IT, exploits, Firefox, Mozilla, tech support scams, vulnerabilities

Unpatched Linux bug may open devices to serious attacks over Wi-Fi

October 17th, 2019

A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.

The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi cards in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi card is within radio range of a malicious device. At a minimum, exploits would allow denial-of-service attacks and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013.

"The bug is serious," Nico Waisman, who is a principal security engineer at GitHub, told Ars. "It's a vulnerability that triggers an overflow remotely through Wi-Fi on the Linux kernel, as long as you're using the Realtek (RTLWIFI) driver."

Posted in Biz & IT, exploits, linux, vulnerabilities, wi-fi

Chrome rolls out new protections preventing password and data theft

October 17th, 2019

Google is temporarily increasing the rewards it pays for hacks that exploit holes in a beefed-up security protection that debuted in desktop versions of Chrome last month. Chrome for Android, meanwhile, is receiving a slimmed-down version of the same protection.

For a limited time, Google will boost its normal bounty amounts for exploits that allow one site the browser is interacting with to steal passwords or other sensitive data from another accessed site. Google is also broadening its vulnerability reward program to include bugs in Blink—the core software that Chrome uses to render HTML and other resources—that allow similar types of cross-site data thefts.

Fortress of solitude

The changes come a month after the release of Chrome 77, which quietly strengthened an existing protection known as site isolation. Google developers first added site isolation in July 2018 in a highly ambitious engineering feat that required major architectural changes to the way the browser worked under the hood.

Posted in Biz & IT, chrome, exploits, meltdown, site isolation, Spectre, speculative execution, vulnerabilities

Activists’ phones targeted by one of the world’s most advanced spyware apps

October 12th, 2019

Mobile phones of two prominent human rights activists were repeatedly targeted with Pegasus, the highly advanced spyware made by Israel-based NSO Group, researchers from Amnesty International reported this week.

The Moroccan human rights defenders received SMS text messages containing links to malicious sites. If clicked, the sites would attempt to install Pegasus, which as reported here and here, is one of the most advanced and full featured pieces of spyware ever to come to light. One of the activists was also repeatedly subjected to attacks that redirected visits intended for Yahoo to malicious sites. Amnesty International identified the targets as activist Maati Monjib and human rights lawyer Abdessadak El Bouchattaoui.

Serial pwner

It’s not the first time NSO spyware has been used to surveil activists or dissidents. In 2016, United Arab Emirates dissident Ahmed Mansoor received text messages that tried to lure him to a site that would install Pegasus on his fully patched iPhone. The site relied on three separate zeroday vulnerabilities in iOS. According to previous reports from Univision, Amnesty International, and University of Toronto-based Citizen Lab, NSO spyware has also targeted:

Posted in Biz & IT, exploits, malware, mobile phones, NSO Group, Policy, spyware, vulnerabilities

Attackers exploit an iTunes zeroday to install ransomware

October 10th, 2019

Attackers exploited a zeroday vulnerability in Apple's iTunes and iCloud programs to infect Windows computers with ransomware without triggering antivirus protections, researchers from Morphisec reported on Thursday. Apple patched the vulnerability earlier this week.

The vulnerability resided in the Bonjour component that both iTunes and iCloud for Windows rely on, according to a blog post. The bug is known as an unquoted service path: a service's executable path contains spaces but isn't wrapped in quotation marks, so when Windows starts the service it tries each space-delimited prefix of the path as a program name before it reaches the intended binary. When the bug is in a trusted program—such as one digitally signed by a well-known developer like Apple—an attacker who can write to one of those earlier locations gets their own executable launched by the trusted, signed service, code that AV protection might otherwise flag as suspicious.
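The lookup order described above is what makes the bug exploitable, so the check a practitioner wants is: for each service, which files would Windows try to run before the real one? The script below is an added example, not code from the Ars article or from Morphisec's write-up; the service entries in it are constructed to resemble registry ImagePath values, and the rule that the binary is the shortest prefix ending in ".exe" is a heuristic of this example, not a Windows API.

```python
r"""Audit Windows service ImagePath values for the unquoted-service-path bug.

Added example, not code from the Ars article or Morphisec's write-up. The
service table below is constructed to look like registry ImagePath values;
a real audit would read them from HKLM\SYSTEM\CurrentControlSet\Services.
"""
import re

# When the path is unquoted, CreateProcess tries each space-delimited prefix
# in turn with ".exe" appended, so `C:\Program Files\Bonjour\mDNSResponder.exe`
# is first looked up as `C:\Program.exe`. Whoever can write there wins.
EXE_RE = re.compile(r"\.exe$", re.IGNORECASE)


def split_command(image_path):
    """Return (executable_path, quoted) for a raw ImagePath string."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        exe = image_path[1:end] if end != -1 else image_path[1:]
        return exe, True
    tokens = image_path.split(" ")
    # Heuristic (this example's, not Windows's): the binary is the shortest
    # prefix ending in ".exe"; with no such prefix, the whole value is the path.
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if EXE_RE.search(prefix):
            return prefix, False
    return image_path, False


def hijack_candidates(image_path):
    """Files Windows would execute *before* the intended binary, in order."""
    exe, quoted = split_command(image_path)
    if quoted or " " not in exe:
        return []
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def is_unquoted_service_path(image_path):
    """True when the service is exposed to the unquoted-service-path bug."""
    return bool(hijack_candidates(image_path))


def audit(services):
    """Map each vulnerable service name to the paths an attacker would plant."""
    report = {}
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            report[name] = candidates
    return report


# Constructed sample: made-up service entries, not a dump of a real system.
SAMPLE_SERVICES = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "Quoted Agent": r'"C:\Program Files\Vendor\agent.exe" --service',
    "svchost": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "Nested Vendor": r"C:\Program Files\My Vendor\svc.exe -run",
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; hijack points -> {', '.join(paths)}")
```

A flagged service is only exploitable if a low-privileged user can actually create the candidate file, and on a default install neither `C:\` nor `C:\Program Files` is writable by standard users; the cases that matter are vendor directories with loose ACLs, so check each candidate's parent directory with `icacls` before treating a hit as a privilege escalation. To feed real data in, pull the ImagePath values with `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath` or `Get-CimInstance Win32_Service` and pass them to `audit()`.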

Morphisec CTO Michael Gorelik explained it this way:

Posted in apple, Biz & IT, Bonjour, exploits, icloud, iTunes, ransomware, vulnerabilities

Attackers exploit 0day vulnerability that gives full control of Android phones

October 4th, 2019

Attackers are exploiting a critical vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.

There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customization to fully root vulnerable phone models. The vulnerability can be exploited two different ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

Posted in Android, Biz & IT, exploits, pixel, vulnerabilities, zeroday

Apple takes flak for disputing iOS security bombshell dropped by Google

September 7th, 2019

Apple is taking flak for disputing some minor details of last week’s bombshell report that, for at least two years, customers' iOS devices were vulnerable to a string of zeroday exploits, at least some of which were actively exploited to install malware that stole location data, passwords, encryption keys, and a wealth of other highly sensitive data.

Google’s Project Zero said the attacks were waged indiscriminately from a small collection of websites that “received thousands of visitors per week.” One of the five exploit chains Project Zero researchers analyzed showed they “were likely written contemporaneously with their supported iOS versions.” The researcher’s conclusion: “This group had a capability against a fully patched iPhone for at least two years.”

Earlier this week, researchers at security firm Volexity reported finding 11 websites serving the interests of Uyghur Muslims that the researchers believed were tied to the attacks Project Zero identified. Volexity’s post was based in part on a report by TechCrunch citing unnamed people familiar with the attacks who said they were the work of a nation-state, likely China, designed to target the Uyghur community in the country’s Xinjiang region.

Posted in apple, Biz & IT, exploits, google, iOS, iPads, iPhones, Project Zero, vulnerabilities

Exploit for wormable BlueKeep Windows bug released into the wild

September 6th, 2019

For months, security practitioners have worried about the public release of attack code exploiting BlueKeep, the critical vulnerability in older versions of Microsoft Windows that’s “wormable,” meaning it can spread from computer to computer the way the WannaCry worm did two years ago. On Friday, that dreaded day arrived when the Metasploit framework—an open source tool used by white hat and black hat hackers alike—released just such an exploit into the wild.

The module, which was published as a work in progress on GitHub, doesn’t yet have the polish and reliability of the EternalBlue exploit that was developed by the NSA and later used in WannaCry. For instance, if the people using the new module specify the wrong version of Windows they want to attack, they’ll likely wind up with a blue-screen crash. Getting the exploit to work on server machines also requires a change to default settings in the form of a registry modification that turns on audio sharing.

By contrast, the wormable EternalBlue exploit—which a still-unidentified group calling itself the Shadow Brokers released into the wild in April 2017—worked seamlessly against a wide range of Windows versions in their default settings. A month after the leak, EternalBlue was folded into the WannaCry ransomware worm that shut down computers worldwide. A month later, another EternalBlue-driven attack called NotPetya created still more worldwide destruction.

Posted in Biz & IT, bluekeep, exploits, microsoft, vulnerabilities, Windows, Worms

Zero-day privilege escalation disclosed for Android

September 5th, 2019

Researchers have disclosed a zero-day vulnerability in the Android operating system that gives a major boost to attackers who already have a toe-hold on an affected device.

The privilege-escalation flaw is located in the V4L2 driver, which Android and other Linux-based OSes use to capture real-time video. The vulnerability results from a "lack of validating the existence of an object prior to performing operations on the object," researchers with Trend Micro's Zero Day Initiative said in a blog post published Wednesday. Attackers who already have untrusted code running with low privileges on a device can exploit the bug to access privileged parts of the Android kernel. The severity score is rated a 7.8 out of a possible 10 points.

Modern OSes have become increasingly hard to compromise in recent years thanks to sandboxes and other exploit mitigations that keep untrusted code from directly reaching the file system, the kernel, and other sensitive resources. Attackers have responded by chaining two or more exploits together: a buffer overflow in a renderer, for instance, may let an attacker run malicious code inside the sandbox, and a privilege-escalation flaw like this one gives that code the rights it needs to escape and install a persistent payload.

Posted in Android, Biz & IT, exploits, privilege escalation, vulnerabilities, zeroday