Posts Tagged ‘Google’
Tuesday, December 3, 2013 @ 04:12 PM gHale
A vulnerability in Android Jelly Bean (4.3) can be exploited to remove all device locks, such as passwords, gestures, face recognition and PINs.
Attackers could take advantage of the security hole with the aid of rogue apps installed on the device, said researchers at security company Curesec.
The security firm came forward with its findings since the Android Security Team stopped responding to their inquiries and the issue remains unpatched.
“The bug exists on the ‘com.android.settings.ChooseLockGeneric class.’ This class is used to allow the user to modify the type of lock mechanism the device should have,” researchers said in their advisory.
This class contains a piece of code that requires the user to enter the previous lock in order to change settings. For example, if the user wants to change the PIN, he or she must enter the old one.
However, an attacker can exploit the vulnerability whether or not the confirmation to change the lock mechanism is enabled.
Researchers reported the issue to Google on October 11. After the initial response, which came the second day, the company stopped responding to Curesec’s emails.
The IT security firm has even published an app to demonstrate their findings. The POC application is capable of removing locks instantly or at a time defined by the user.
It appears that only Android 4.3 suffers from the issue. However, that’s enough considering that Jelly Bean is currently installed on over half of all Android devices.
Additional technical details, including the POC app, are available on Curesec’s blog.
Tuesday, November 19, 2013 @ 07:11 PM gHale
Google patched a critical vulnerability in Chrome that a researcher found during a hacking competition in Japan.
The security researcher known as Pinkie Pie demonstrated his findings on a Samsung Galaxy S4 and a Nexus 4. The security hole found by Pinkie Pie on Chrome for Android also impacts the Stable version of the web browser. Google updated the Android and the Stable Chrome version to fix the vulnerability.
Mobile Pwn2Own is an annual contest that rewards security researchers for highlighting security concerns on mobile platforms. The contest focuses on hardening the mobile attack surface through research and responsible disclosure. It’s the sister contest to Hewlett-Packard’s Zero Day Initiative Pwn2Own contest.
As it turns out, Google shipped the updates only hours after the researcher defeated Chrome on the second day of the competition.
The exploit developed by the hacker takes advantage of two Chrome flaws: an integer overflow, and a bug that can be leveraged for a full sandbox escape, according to HP.
In order for the attack to be successful, the attacker must convince the victim to visit a website that stores the exploit. In a successful attack, the hacker can remotely execute arbitrary code on the targeted device.
Google catalogues CVE-2013-6632 as “multiple memory corruption issues.” However, the exact details will not be available until most users have updated their installations.
For his findings, Pinkie Pie won $50,000. Of this amount, $40,000 represents the top prize for the Mobile Web Browser category. The extra $10,000 is the prize from Google to the one who could hack Chrome on Galaxy S4 or Nexus 4.
BlackBerry and Google sponsored this year’s Mobile Pwn2Own.
It’s worth highlighting that the security hole identified by the researcher is critical, which means users should update their Chrome browsers as soon as possible.
Wednesday, October 23, 2013 @ 03:10 PM gHale
Google unveiled tools designed to protect sites from distributed denial-of-service (DDoS) attacks and also bypass censorship.
The DDoS protection tool is called Project Shield and is currently available by invitation only. The tool relies on the company’s existing PageSpeed service, which distributes resources throughout the Google infrastructure and among users of the service to improve website performance.
Now, the same concept can be used to defend sites against DDoS attacks. In essence, all users pool resources together so an attack against any of the sites faces the entire network and not just one server.
“Project Shield is an initiative to use Google’s infrastructure to protect free expression online. The service currently combines Google’s DDoS mitigation technologies and Page Speed Service (PSS), which allow websites to serve their content through Google to be better protected from DDoS attacks,” Google said.
Google’s service is free but it is only available by invitation. If users want to try it out, they can fill out the online form.
In time, Project Shield might evolve into a standard tool available for regular sites for free or for a price for larger organizations.
Tuesday, October 22, 2013 @ 10:10 AM gHale
A new Chrome release last week means Google patched more security flaws.
This time around, Google released Chrome 30.0.1599.101 for Windows, Mac, Linux and Chrome Frame and fixed five security issues, three of which were reported by external researchers.
Atte Kettunen of OUSPG has identified a high-severity use-after-free issue in XHR for which he earned $1,000 in reward money from Google.
Cloudfuzzer found two high-severity use-after-free vulnerabilities – one in editing and one in forms. The researcher earned $2,000 for each of the flaws.
Google’s internal security team has also identified various problems as a result of audits, fuzzing and other initiatives.
The technical details of these vulnerabilities will remain secret until a majority of users have updated their web browser.
Google also just announced that it is rewarding researchers who develop security patches for open source software.
Wednesday, October 2, 2013 @ 04:10 PM gHale
With the Chrome 30 release, Google fixed 50 security issues.
The list of vulnerabilities reported by external researchers includes ten high-impact and six medium-impact flaws.
The high-impact issues refer to use-after-free vulnerabilities in inline-block rendering, in PPAPI, in XML document parsing, in DOM, in resource loader, in the Windows color chooser dialog, and in template element. A memory corruption in V8 and an address bar spoofing bug related to the “204 No Content” status code also fall into this category.
The medium-impact vulnerabilities include a use-after-free in Web Audio, an out of bounds read in the same component, and an out of bounds read in URL parsing.
The security researchers credited for finding vulnerabilities are Atte Kettunen of OUSPG, Boris Zbarsky, Chamal de Silva, Byoungyoung Lee, and Tielei Wang of Georgia Tech, cloudfuzzer, Khalil Zhani, Wander Groeneveld, Masato Kinugawa, Adam Haile of Concrete Data, and Jon Butler.
They earned a total of $19,000 for their work.
Atte Kettunen, cloudfuzzer, and miaubiz earned an additional $8,000 for working with Google on addressing security issues during the development cycle.
Wednesday, September 11, 2013 @ 12:09 PM gHale
Faux Android apps appear on Google Play quite frequently, but AVG Technologies researchers said they found at least 33 applications that contain aggressive advertising components.
Of these apps, some look like legitimate apps from Microsoft, Google and Twitter. However, some of the programs are disguised as AVG Antivirus, including the recently launched AVG 2014.
The researchers said the developers of these fake applications have designed all sorts of new AVG icons to make their creations look more legitimate.
Once installed, the fake security programs change the device’s search options, and start pushing all sorts of advertisements for adult services.
As a word of warning, if you are looking to install AVG Antivirus on your Android phone, make sure the developer is AVG Mobile.
Thursday, August 22, 2013 @ 03:08 PM gHale
Google Chrome’s newest version comes complete with 25 security fixes, including patches for a number of high-severity vulnerabilities. Chrome 29 also includes a number of performance enhancements.
Google sends out new versions of its browser every few weeks, and sometimes will only have a handful of security fixes. Chrome 29, though, is different as it contains a large number of fixes. Three of the fixes in Chrome 29 are for use-after-free vulnerabilities, each of which earned the finder a $1,000 bug bounty.
The list of bugs fixed in Chrome 29 includes:
•  High CVE-2013-2900: Incomplete path sanitization in file handling. Credit to Krystian Bigaj.
•  Low CVE-2013-2905: Information leak via overly broad permissions on shared memory files. Credit to Christian Jaeger.
•  High CVE-2013-2901: Integer overflow in ANGLE. Credit to Alex Chapman.
•  High CVE-2013-2902: Use after free in XSLT. Credit to cloudfuzzer.
•  High CVE-2013-2903: Use after free in media element. Credit to cloudfuzzer.
•  High CVE-2013-2904: Use after free in document parsing. Credit to cloudfuzzer.
Chrome users should update their browsers as soon as possible to protect against attacks using these vulnerabilities.