Posts Tagged ‘exploits’
Tuesday, May 21, 2013 @ 05:05 PM gHale
Google released Chrome 27, which includes a long list of security fixes for the browser, many of which are for high-risk vulnerabilities.
As a result of all the vulnerabilities, the company handed out more than $14,000 in rewards to researchers who reported bugs fixed in the latest iteration of Chrome.
The reward program is designed to provide incentives for security researchers to report vulnerabilities in Chrome and Chrome OS to the company privately rather than publicly disclosing them. Rewards can range from a few hundred dollars for minor flaws up to tens of thousands of dollars for especially severe issues.
None of the vulnerabilities addressed in Chrome 27 fit the latter description, with the highest payment being $3133.70 to Atte Kettunen for some memory safety issues. Chrome users should update their browsers as soon as possible to protect themselves against exploits.
Here are the bugs fixed in Chrome 27:
• High CVE-2013-2837: Use-after-free in SVG. Credit to Sławomir Błażek.
• Medium CVE-2013-2838: Out-of-bounds read in v8. Credit to Christian Holler.
• High CVE-2013-2839: Bad cast in clipboard handling. Credit to Jon of MWR InfoSecurity.
• High CVE-2013-2840: Use-after-free in media loader. Credit to Nils of MWR InfoSecurity.
• High CVE-2013-2841: Use-after-free in Pepper resource handling. Credit to Chamal de Silva.
• High CVE-2013-2842: Use-after-free in widget handling. Credit to Cyril Cattiaux.
• High CVE-2013-2843: Use-after-free in speech handling. Credit to Khalil Zhani.
• High CVE-2013-2844: Use-after-free in style resolution. Credit to Sachin Shinde (@cons0ul).
• High CVE-2013-2845: Memory safety issues in Web Audio. Credit to Atte Kettunen of OUSPG.
• High CVE-2013-2846: Use-after-free in media loader. Credit to Chamal de Silva.
• High CVE-2013-2847: Use-after-free race condition with workers. Credit to Collin Payne.
• Medium CVE-2013-2848: Possible data extraction with XSS Auditor. Credit to Egor Homakov.
• Low CVE-2013-2849: Possible XSS with drag+drop or copy+paste. Credit to Mario Heiderich.
Wednesday, January 9, 2013 @ 05:01 PM gHale
Microsoft is facing a Zero Day with Internet Explorer and while they work to patch the issue, they developed a workaround. The problem is there is a workaround around the workaround.
Security researchers at Exodus Intelligence developed a bypass for the Fix It Microsoft released as a temporary mitigation.
Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.
IE 6 and 7 also hold the same use-after-free memory vulnerability (CVE-2012-4792), but are currently facing exploits. Microsoft said the impact of the attacks seems limited and that IE 9 and 10 are not vulnerable.
Brandon Edwards, vice president of Intelligence at Exodus, said his firm’s researchers looked at the Fix It to determine how much of the vulnerability it prevented.
“Usually, there are multiple paths one can take to trigger or exploit a vulnerability,” Edwards said. “The Fix It did not prevent all those paths.”
The Fix It, according to Microsoft, is an appcompat shim that modifies in memory a particular function to always return NULL, resulting in a safe crash of the browser rather than allowing for remote code execution.
“It comes down to clearly understanding the root cause and ways the browser can get to the affected code,” Edwards said. “The Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.”
In the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong remain infected and serving malware, for weeks in some cases, that exploits the IE Zero Day.
Microsoft is aware of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.
Earlier this week, Exodus developed what it called a more advanced exploit of the IE vulnerability, which led them to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray to execute it.
Peter Vreugdenhil said they were able to take advantage of IE8’s support for HTML+TIME, which the company no longer supports in more current versions of the browser. The researchers were able to create an array with pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.
Thursday, October 25, 2012 @ 04:10 PM gHale
Korenix mitigated the undocumented hard-coded root credentials in the firmware of its Korenix JetPort 5600 system application, according to a report on ICS-CERT.
The remotely exploitable vulnerability, released by Digital Bond’s Reid Wightman without coordination with ICS-CERT, the vendor, or any other coordinating entity, would allow attackers to exploit the product by using the hard-coded credential to log into the device with administrative privileges and gain access to the attached serial devices.
The Korenix JetPort is an industrial serial device server to control multiple serial devices over Ethernet. Korenix produced an upgraded firmware version that removes the accounts. This product sees use worldwide, primarily in the communications and information technology sectors. Exploits that target this vulnerability are publicly available. All versions of the JetPort 5600 series suffer from the issue.
Once an attacker gains access, it would be possible to read and write to the file system and reconfigure the device. Attackers may also have access to other serial devices attached to this product.
Taiwan-based Korenix, acquired by Beijer Electronics in 2010, has offices in several countries around the world, including the U.S., China, and Spain.
The JetPort 5600 series is a 4-port redundant serial device server that provides users with four serial interfaces. The device can control up to four serial devices over Ethernet. Users can configure the device over HTTPS/SSH or by using the Korenix JetPort Commander software.
The affected products are industrial serial device servers used for SCADA systems. According to Korenix, they are in several sectors including the communications (50%) and information technology (50%) sectors.
An attacker can log into the device using the hard-coded credentials that grant administrative access. Administrative credentials allow users to change device settings and read and write to the file system. This could result in a loss of confidentiality, integrity, or availability. CVE-2012-4577 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
Korenix developed an upgraded version of firmware (v2.01) for the affected products. The upgraded firmware removes the root and guest accounts. Developers also removed the current version of OpenSSL (v0.9.8b). Once upgraded to v2.01, the firmware cannot be downgraded to v1.X.2. The Windows-based JetPort configuration tool, JetPort Commander, was also upgraded to v3.0. Users can download the firmware upgrade from the Korenix software update Web site.
Friday, August 17, 2012 @ 03:08 PM gHale
Nine of 13 consumer antivirus products tested failed to provide adequate protection against exploits targeting two recent critical Microsoft vulnerabilities, said NSS Labs.
Only four vendors, Avast, Kaspersky, McAfee and Trend Micro, blocked all attacks delivered over HTTP and HTTPS.
“This particular exploit test was a small part of a much more comprehensive endpoint security test underway at NSS Labs that will be published next month,” said Randy Abrams, research director at NSS Labs. “These results clearly demonstrate protection deficiencies for many vendors when their products are configured with default ‘out-of-the-box’ settings, which are what’s most commonly employed in the consumer market.”
“This test revealed that numerous vendors that protected against an exploit over HTTP failed to protect against the same exploit delivered via HTTPS,” said Bob Walder, chief research officer at NSS Labs. “Vendors who did not perform well might want to reconsider their default settings in this age of attacks against SSL and other protocols.”
“There are additional concerns for the enterprise,” Abrams added. “Enterprises embracing the ‘bring your own device’ (BYOD) approach to workplace technology need to be aware of the ramifications of the product selection choices their users make, as they impact the organization’s security posture and attack profile.”
NSS Labs is currently running in-depth consumer endpoint protection (EPP) group testing that will further test all 13 vendors in several key areas: exploits, evasions, performance and protection against live malware, drive-by attacks and phishing.
Reports featuring the results for each test area will be released as testing wraps up.
Tested products include:
• Avast Internet Security 7
• AVG Internet Security 2012
• Avira Internet Security 2012
• CA Total Defense Internet Security Suite
• ESET Smart Security 5
• F-Secure Internet Security 2012
• Kaspersky Internet Security
• McAfee Internet Security 2012
• Microsoft Security Essentials
• Norman Security Suite Pro
• Norton Internet Security 2012
• Panda Internet Security 2012
• Trend Micro Titanium + Internet Security
Thursday, August 2, 2012 @ 05:08 PM gHale
Even though Windows and Mac remain well separated as platforms, there are a number of applications that run on both operating systems, including things such as Adobe Flash, Reader and Java.
Attackers and malware writers, like any other specialists, are focusing their skills in one discipline in order to maximize their chances for success.
Attackers, not wanting to waste any time on small target bases and looking to maximize their profits, are focusing their efforts on vulnerabilities in these applications.
Knowing that, Microsoft researchers analyzed a series of malware samples and exploits and found some attackers are beginning to target the same vulnerability across multiple platforms as a way to make the most out of their efforts.
Microsoft researchers looked at a specific set of vulnerabilities found in applications on Windows and Mac OS X and found some attackers are going after flaws from as far back as 2009 in Office documents, and 2010 in Flash and Java and Reader.
“This observation is limited and based on the samples we identified, acquired and processed, however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker’s motive, the value and demand for these vulnerabilities is likely to persist – we know for a fact that Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals in exploit kits, such as Blacole/Blackhole,” said Methusela Cebrian Ferrer of the Microsoft Malware Protection Center.
Microsoft’s investigation of the way attackers are using cross-platform vulnerabilities began about a year ago when the company’s researchers came across a backdoor aimed at Mac users. The malware disguised itself as a Google app on the infected machine and then initiated a remote connection to a command-and-control server.
“Once connected, the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download and navigate through files and directory. For more detail, have a look at the Backdoor:MacOS_X/Olyx.A description in our encyclopedia,” Ferrer said.
Wednesday, July 25, 2012 @ 04:07 PM gHale
By Gregory Hale
It is inevitable: attacks are happening and they are going to get more powerful and persistent, so to fend off attacks and to go on the offensive against attackers, security models need to change.
“We need a paradigm shift,” said Shawn Henry, retired executive assistant for the FBI and president of start-up company CrowdStrike Services, during his keynote address Wednesday at Black Hat USA 2012 in Las Vegas. “The old information metric cannot stop (attackers) from getting on the network. We need to understand who the adversary is, this way we can be proactive.”
Henry said the days of perimeter defense are gone. Yes, we need to continue using them, but security professionals need to go on the offensive and find out who is attacking and then fight back.
“We have been focused on perimeter defense for a long time. Defense in depth is very important, but the adversary is jumping over the fence; going through the firewall,” Henry said.
Security professionals should change their approach because attackers are sure changing theirs, Henry said.
“Cyber terrorism is a threat and we should be concerned about the threats against industrial control systems because they are real,” he said. “The adversary understands where to attack: Take their water away; take away their electricity.”
Henry said the biggest threat he sees today is computer network exploitation.
“I believe it is the most significant threat we face today. The DNA of your company is available to the bad guys.”
The catch is, Henry said, there are still leaders of companies with their heads buried in the sand.
“I still hear from CEOs saying why would we be attacked? They just don’t understand. The threats are much deeper and the pool of adversaries is constantly expanding. They are overcoming the defenses placed against them.”
Attacks continue to occur, but companies continue to keep them quiet – at least publicly. Henry said there is a great disparity between the classified cases of attacks and the unclassified ones.
“The unclassified environment is like the tip of the iceberg,” Henry said. In all his years at the FBI, Henry said, he saw many more attacks that ended up classified.
Security is getting better, but professionals cannot stand still. There needs to be a new way to attack the problem and it has to happen soon.
“You have to be more strategic,” Henry said. “The more granular the information, the better you can protect.”
“The stakes are high.”