Posts Tagged ‘exploits’
Friday, July 19, 2013 @ 05:07 PM gHale
Code and everything that goes with it for the “master key” vulnerability in Android is out in the public, so that means the bad guys are busy working on new exploits.
So far there have been a few sightings on some applications on Google Play that exploit the vulnerability, said researchers at Bitdefender. The apps are Rose Wedding Cake Game and Pirates Island Mahjong Free, both updated in mid-May.
However, in this case, the apps themselves are not malicious.
“The applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake,” said Bitdefender’s Bogdan Botezatu.
“In contrast, malicious exploitation of this flaw focuses on replacing application code,” he said.
While the apps are not malicious, the discovery does show applications leveraging the cryptographic signature vulnerability don’t raise any red flags when published on Google Play.
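The precondition Bitdefender describes, two entries sharing one name inside the APK's ZIP container, is something a store-side or endpoint scanner can check for directly. The following is an added example, not Bitdefender's or Google's code: it lists every central-directory record of a constructed sample APK, flags names that repeat, and separates duplicated resources (the benign-looking PNG case above) from duplicated code or signature entries (the replacement malicious use targets). The fixture layout and triage labels are assumptions made here.

```python
import io
import warnings
import zipfile
from collections import Counter

# Assumed triage rule: a repeated code or signature entry suggests code
# replacement, the malicious use of the flaw; a repeated resource (PNG) is
# the benign-looking case, but it still exercises the same bug.
CODE_SUFFIXES = (".dex", ".so")
SIGNATURE_PREFIX = "META-INF/"


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map each entry name that occurs more than once in the APK's ZIP
    central directory to its count. zipfile.infolist() returns every
    central-directory record, so duplicate names are preserved."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def classify(apk_bytes: bytes) -> str:
    """Verdict: 'clean', 'resource-duplicate' (review it) or
    'code-duplicate' (code or signature entries collide; treat as hostile)."""
    dups = duplicate_entries(apk_bytes)
    if not dups:
        return "clean"
    if any(n.endswith(CODE_SUFFIXES) or n.startswith(SIGNATURE_PREFIX) for n in dups):
        return "code-duplicate"
    return "resource-duplicate"


def build_sample_apk(entries) -> bytes:
    """Constructed fixture: a minimal ZIP laid out like an APK. zipfile
    only warns on a repeated name and still writes both records."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk([("AndroidManifest.xml", b"<manifest/>"),
                               ("classes.dex", b"dex"),
                               ("res/drawable/cake.png", b"PNG-1"),
                               ("res/drawable/cake.png", b"PNG-2")])
    print(duplicate_entries(sample), classify(sample))
```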
Google has already addressed the vulnerability and OEMs are working on it. However, because of Android’s fragmentation, it will take some time until the patch reaches end-users.
That’s why Android device owners should consider the alternatives. For instance, CyanogenMod users already have protection against the exploit.
Duo Security released an app called ReKey designed to address the vulnerability on rooted devices. In addition, Bitdefender and other security solutions providers have updated their mobile products for Android to make sure they detect applications that abuse the master key flaw.
Tuesday, May 21, 2013 @ 05:05 PM gHale
Google released Chrome 27, which includes a long list of security fixes for the browser, many of which are for high-risk vulnerabilities.
As a result of all the vulnerabilities, the company handed out more than $14,000 in rewards to researchers who reported bugs fixed in the latest iteration of Chrome.
The reward program is designed to give security researchers an incentive to report vulnerabilities in Chrome and Chrome OS to the company privately rather than disclosing them publicly. Rewards can range from a few hundred dollars for minor flaws up to tens of thousands of dollars for especially severe issues.
None of the vulnerabilities addressed in Chrome 27 fit the latter description, with the highest payment being $3133.70 to Atte Kettunen for some memory safety issues. Chrome users should update their browsers as soon as possible to protect themselves against exploits.
Here are the bugs fixed in Chrome 27:
• High CVE-2013-2837: Use-after-free in SVG. Credit to Sławomir Błażek.
• Medium CVE-2013-2838: Out-of-bounds read in v8. Credit to Christian Holler.
• High CVE-2013-2839: Bad cast in clipboard handling. Credit to Jon of MWR InfoSecurity.
• High CVE-2013-2840: Use-after-free in media loader. Credit to Nils of MWR InfoSecurity.
• High CVE-2013-2841: Use-after-free in Pepper resource handling. Credit to Chamal de Silva.
• High CVE-2013-2842: Use-after-free in widget handling. Credit to Cyril Cattiaux.
• High CVE-2013-2843: Use-after-free in speech handling. Credit to Khalil Zhani.
• High CVE-2013-2844: Use-after-free in style resolution. Credit to Sachin Shinde (@cons0ul).
• High CVE-2013-2845: Memory safety issues in Web Audio. Credit to Atte Kettunen of OUSPG.
• High CVE-2013-2846: Use-after-free in media loader. Credit to Chamal de Silva.
• High CVE-2013-2847: Use-after-free race condition with workers. Credit to Collin Payne.
• Medium CVE-2013-2848: Possible data extraction with XSS Auditor. Credit to Egor Homakov.
• Low CVE-2013-2849: Possible XSS with drag+drop or copy+paste. Credit to Mario Heiderich.
Wednesday, January 9, 2013 @ 05:01 PM gHale
Microsoft is facing a Zero Day with Internet Explorer and while they work to patch the issue, they developed a workaround. The problem is there is a workaround around the workaround.
Security researchers at Exodus Intelligence developed a bypass for the Fix It Microsoft released as a temporary mitigation.
Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.
IE 6 and 7 also contain the same use-after-free memory vulnerability (CVE-2012-4792), but are currently facing exploits. Microsoft said the impact of the attacks seems limited and that IE 9 and 10 are not vulnerable.
Brandon Edwards, vice president of Intelligence at Exodus, said his firm’s researchers looked at the Fix It to determine how much of the vulnerability it prevented.
“Usually, there are multiple paths one can take to trigger or exploit a vulnerability,” Edwards said. “The Fix It did not prevent all those paths.”
The Fix It, according to Microsoft, is an appcompat shim that patches a particular function in memory so that it always returns NULL, resulting in a safe crash of the browser rather than allowing remote code execution.
“It comes down to clearly understanding the root cause and ways the browser can get to the affected code,” Edwards said. “The Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.”
In the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong remain infected and serving malware, for weeks in some cases, that exploits the IE Zero Day.
Microsoft is aware of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.
Earlier this week, Exodus developed what it called a more advanced exploit of the IE vulnerability, which led them to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray to execute it.
Peter Vreugdenhil said they were able to take advantage of IE8’s support for HTML+TIME, which the company no longer supports in more current versions of the browser. The researchers were able to create an array with pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.
Thursday, October 25, 2012 @ 04:10 PM gHale
Korenix mitigated the undocumented hard-coded root credentials in the firmware of its Korenix JetPort 5600 system application, according to a report on ICS-CERT.
The remotely exploitable vulnerability, released by Digital Bond’s Reid Wightman without coordination with ICS-CERT, the vendor, or any other coordinating entity, would allow attackers to exploit the product by using the hard-coded credential to log into the device with administrative privileges and gain access to the attached serial devices.
The Korenix JetPort is an industrial serial device server to control multiple serial devices over Ethernet. Korenix produced an upgraded firmware version that removes the accounts. This product sees use worldwide, primarily in the communications and information technology sectors. Exploits that target this vulnerability are publicly available. All versions of the JetPort 5600 series suffer from the issue.
Once an attacker gains access, it would be possible to read and write to the file system and reconfigure the device. Attackers may also have access to other serial devices attached to this product.
Taiwan-based Korenix, acquired by Beijer Electronics in 2010, has offices in several countries around the world, including the U.S., China, and Spain.
The JetPort 5600 series is a 4-port redundant serial device server that provides users with four serial interfaces. The device can control up to four serial devices over the Ethernet. Users can configure the device over HTTPS/SSH or by using the Korenix JetPort Commander software.
The affected products are industrial serial device servers used for SCADA systems. According to Korenix, they are in several sectors including the communications (50%) and information technology (50%) sectors.
An attacker can log into the device using the hard-coded credentials that grant administrative access. Administrative credentials allow users to change device settings and read and write to the file system. This could result in a loss of confidentiality, integrity, or availability. CVE-2012-4577 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
Korenix developed an upgraded firmware version (v2.01) for the affected products. The upgraded firmware removes the root and guest accounts. Developers also removed the OpenSSL version in use (v0.9.8b). Once a device is upgraded to v2.01, it cannot be downgraded to v1.X.2. The Windows-based JetPort configuration tool, JetPort Commander, was also upgraded to v3.0. Users can download the firmware upgrade from the Korenix software update Web site.
Friday, August 17, 2012 @ 03:08 PM gHale
Nine of 13 consumer antivirus products tested failed to provide adequate protection against exploits targeting two recent critical Microsoft vulnerabilities, said NSS Labs.
Only four vendors – Avast, Kaspersky, McAfee and Trend Micro – blocked all attacks delivered over HTTP and HTTPS.
“This particular exploit test was a small part of a much more comprehensive endpoint security test underway at NSS Labs that will be published next month,” said Randy Abrams, research director at NSS Labs. “These results clearly demonstrate protection deficiencies for many vendors when their products are configured with default ‘out-of-the-box’ settings, which are what’s most commonly employed in the consumer market.”
“This test revealed that numerous vendors that protected against an exploit over HTTP failed to protect against the same exploit delivered via HTTPS,” said Bob Walder, chief research officer at NSS Labs. “Vendors who did not perform well might want to reconsider their default settings in this age of attacks against SSL and other protocols.”
“There are additional concerns for the enterprise,” Abrams adds. “Enterprises embracing the ‘bring your own device’ (BYOD) approach to workplace technology need to be aware of the ramifications of the product selection choices their users make, as they impact the organization’s security posture and attack profile.”
NSS Labs is currently running in-depth consumer endpoint protection (EPP) group testing that will further test all 13 vendors in several key areas – exploits, evasions, performance and protection against live malware, drive-by attacks and phishing.
Reports featuring the results for each test area will be released as testing wraps up.
Tested products include:
• Avast Internet Security 7
• AVG Internet Security 2012
• Avira Internet Security 2012
• CA Total Defense Internet Security Suite
• ESET Smart Security 5
• F-Secure Internet Security 2012
• Kaspersky Internet Security
• McAfee Internet Security 2012
• Microsoft Security Essentials
• Norman Security Suite Pro
• Norton Internet Security 2012
• Panda Internet Security 2012
• Trend Micro Titanium + Internet Security.
Thursday, August 2, 2012 @ 05:08 PM gHale
Even though Windows and Mac remain well separated as platforms, there are a number of applications that run on both operating systems, including things such as Adobe Flash, Reader and Java.
Attackers and malware writers, like any other specialists, are focusing their skills in one discipline in order to maximize their chances for success.
Attackers, not wanting to waste any time on small target bases and looking to maximize their profits, are focusing their efforts on vulnerabilities in these applications.
Knowing that, Microsoft researchers analyzed a series of malware samples and exploits and found some attackers are beginning to target the same vulnerability across multiple platforms as a way to make the most out of their efforts.
Microsoft researchers looked at a specific set of vulnerabilities found in applications on Windows and Mac OS X and found some attackers are going after flaws from as far back as 2009 in Office documents, and 2010 in Flash and Java and Reader.
“This observation is limited and based on the samples we identified, acquired and processed; however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker’s motive, the value and demand for these vulnerabilities is likely to persist – we know for a fact that Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals in exploit kits, such as Blacole/Blackhole,” said Methusela Cebrian Ferrer of the Microsoft Malware Protection Center.
Microsoft’s investigation of the way attackers are using cross-platform vulnerabilities began about a year ago when the company’s researchers came across a backdoor aimed at Mac users. The malware disguised itself as a Google app on the infected machine and then initiated a remote connection to a command-and-control server.
“Once connected, the remote attacker may take advantage of the backdoor’s file management feature, which allows it to upload, download and navigate through files and directories. For more detail, have a look at the Backdoor:MacOS_X/Olyx.A description in our encyclopedia,” Ferrer said.