Posts Tagged ‘Google’

Monday, April 14, 2014 @ 06:04 PM gHale

A flaw in Google Chrome’s old speech recognition API could be exploited to steal the transcript the web browser generates when the feature is used.

The vulnerable API was introduced with Chrome 11, said Israeli researcher Guy Aharonovsky. Google has since released a newer API, but Aharonovsky believes there are several websites still using the old one.

To exploit the vulnerability, an attacker can set up a website and place the -x-webkit-speech feature on it. The speech widget is usually visible, but the attacker can make modifications to it.

For instance, the attacker can resize it so it activates regardless of where the user clicks. Furthermore, its opacity can be set so it becomes invisible. The box that shows the user a recording is in progress can be moved outside the screen so the victim doesn’t see it.

All the attacker needs to do is lure the victim to his website and get them to click on the screen.

To demonstrate his findings, the expert set up a website that appears to be a game. As a part of the game, potential victims can plant tree seeds and as the trees grow they can make wishes, which they must say into the computer’s microphone.

What victims don’t know is that everything they say while playing “the game” is collected by the attacker. That’s because the speech recognition feature activates each time they click on the screen.

Aharonovsky said Google is aware of the issue, but has not issued a release yet. Google said the issue is under investigation, but the search engine giant’s security team informed the researcher the bug is “low-severity” and they don’t view it as a top priority.

Thursday, April 10, 2014 @ 04:04 PM gHale

Google released stable versions of its Chrome browser, with 31 security fixes, and of ChromeOS, along with other development versions of its products.

Google’s latest Chrome Web browser Version 34 is now rolling out, as well as a new ChromeOS Version 34 for all Chrome devices, as the company continues its regularly scheduled updates for its Chrome line of browsers and related applications.

The latest stable channel update of the Chrome browser, Version 34 is now available for Windows, Mac, and Linux, said Daniel Xie of the Google Chrome team.

The new version includes bug fixes and improvements, such as easier importing of supervised users onto new computers, several new apps and extension APIs, a different look for the Windows 8 Metro mode and many changes to improve stability and performance, Xie said. Version 34 also has 31 security fixes, including at least nine that are high priority and three that are medium priority.

The latest Chrome 34 also now includes the ability to remember and fill password fields even when the autocomplete function is off, Xie said. This is to encourage the use of the Chrome password manager so users can have more complex passwords.

Also released is the latest Stable Version 34 of ChromeOS for all Chrome devices, said Matthew Yuan of the Google Chrome team.

The new version, known officially as Version 34.0.1847.118, includes bug fixes, security updates and feature enhancements, he said. Chrome devices will be receiving the update automatically. Among the fixes and features are a new “side dock,” which allows users to dock small windows and panels to screen edges, and a default “on” status for Google Drive offline backup after a user’s first log-in, Yuan said.

The new versions of Chrome and ChromeOS follow the March release of the previous Version 33 releases of each of those products.

Chrome for Android has also received an update to Version 34, giving Android devices the latest edition of their customized browser.

Chrome 34 for Android, officially Version 34.0.1847.114, is distributed through Google Play and contains crash fixes and performance improvements, including battery usage optimizations, wrote Kersey.

Google is also rolling out an update for its Chromecast TV dongle devices.

The Build 16664 update includes bug fixes and stability improvements, as well as the new ability for the Chromecast audio volume level to be retained across sessions. It also includes improved IPv6 support and improved Domain Name System (DNS) robustness.

Thursday, March 13, 2014 @ 07:03 PM gHale

Google updated the stable channel of its web browser to address seven security holes, which means Chrome 33.0.1750.149 is available for download.

Of the 7 vulnerabilities, three stand out. CVE-2014-1700 is a use-after-free issue in speech identified by Chamal de Silva. The researcher earned $4,000 for his findings.

The second flaw, CVE-2014-1701, reported by aidanhs, is a UXSS vulnerability, which brought in $3,000.

Collin Payne earned $1,000 for finding a use-after-free in the web database (CVE-2014-1702).

All those vulnerabilities were labeled high risk.

Google’s internal security team has also contributed to making Chrome more secure. They’ve identified a potential sandbox escape caused by a use-after-free in web sockets (CVE-2014-1703), and various vulnerabilities in V8 (CVE-2014-1704).

Users should update their browser as soon as possible to secure their computers against cyberattacks that might leverage these flaws. The latest version of Chrome contains a Flash Player update to version

Tuesday, March 4, 2014 @ 02:03 PM gHale

Patching 19 security vulnerabilities, Google issued Chrome 33.0.1750.146, the latest stable version of its web browser for Mac, Windows, and Linux computers.

Subscribers to Google’s Stable Channel for Chrome releases were notified the web browser was updated to version 33.0.1750.146 for Windows, Mac, and Linux.

Chrome 33.0.1750.146 is a security-centric update that fixes almost two dozen vulnerabilities, with a full list of addressed bugs taken care of as well, said Anthony Laforge on the Google Chrome Releases blog.

“This update includes 19 security fixes,” Laforge said. “We highlight fixes that were either contributed by external researchers or particularly interesting.”

Laforge said users should check out the Chromium security page for more information about this release. Quite a few of the security issues were detected using AddressSanitizer, a fast memory error detector that consists of a compiler instrumentation module and a runtime library.

Monday, February 24, 2014 @ 06:02 PM gHale

Adobe released an update for Flash Player to address three vulnerabilities, one of which is a Zero Day attackers are jumping on.

The Zero Day was a part of an attack involving multiple economic and foreign policy sites, said researchers at FireEye who along with Google reported the vulnerabilities to Adobe.

The visitors of at least three non-profit organizations, two of which deal with matters of U.S. national security, were redirected to a server hosting the Zero Day.

This attack appears to have a relationship to an older campaign in May 2012.

“The group behind this campaign appears to have sufficient resources (such as access to Zero Day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters,” FireEye researchers said in their blog.

The Adobe Flash Player Zero Day came to light February 13, when researchers noticed visitors of the Peter G. Peterson Institute for International Economics were being redirected to an exploit server via a hidden iframe.

Researchers found the visitors of two other sites, the American Research Center in Egypt and the Smith Richardson Foundation, were also redirected to the same server.

The attackers tried to bypass ASLR protections by targeting only computers running Windows XP, Windows 7 with Java 1.6, and Windows 7 running unpatched versions of Office 2007 and 2010.

The exploit downloads and installs the PlugX/Kaba RAT, allowing the attackers to take control of the infected devices.

Wednesday, February 5, 2014 @ 05:02 PM gHale

Google just removed two ad-injecting Chrome extensions from the Chrome Web Store, but there may be more, researchers said.

Security researchers from Barracuda Labs have been monitoring rogue Chrome extensions since October 2012. A new spam campaign they’ve been observing over the past few weeks involves 12 Chrome extensions designed to inject ads on 44 popular sites.

Over 180,000 users have installed the extensions disguised as Logo Quiz, Counter Strike Portable, Pac Man, Snail Bob 2, Angry Halloween, Pong, Smart Soccer and other popular games.

The 12 rogue applications had been on the Chrome Web Store until at least January 30.

These pieces of software request permission to access website data, tabs and browsing activity. This way, when the victim visits a certain site, ads are injected. Each time the ads are displayed or clicked on, the developer of the rogue Chrome extensions makes a certain amount of money.

Researchers said the same group that developed ad-injecting extensions disguised as the Angry Birds game back in 2012 is responsible for this campaign. However, at the time, they operated under the name, while now they go by

“As we always advised, Chrome users should be very careful if you intend to install Chrome extensions — even if it is from the Google Chrome web store. Use some common sense to judge whether you need to grant permissions to any extensions. If any of the permissions seem beyond the fence of what it should do, do not install it,” Barracuda Labs researchers said in a blog.

Wednesday, January 29, 2014 @ 03:01 PM gHale

A new stable version of the Chrome browser (version 32.0.1700.102) is out and it integrates security-related fixes.

The current release of Google Chrome implements 14 security patches, the most significant of the glitches addressed being two vulnerabilities identified as CVE-2013-6649 and CVE-2013-6650.

These are a use-after-free error occurring with SVG images and a memory corruption vulnerability that affected the V8 JavaScript engine of the web browser.

Revealing these issues earned Atte Kettunen of OUSPG $1,000, and Christian Holler received $3,000 from the Google awards program.

The rest of $6,000 went to contributors (cloudfuzzer and miaubiz) that worked with the Chrome team during the development cycle in order to keep other security glitches from reaching the stable build.

Google Chrome 32.0.1700.102 (currently available for all supported desktop platforms – Windows, Mac, and Linux) includes other fixes for issues that affected its functionality, such as failure to scroll horizontally using the trackpad, problems with file drag and drop, disappearance of the mouse pointer upon exiting full-screen, or crashing of the Quicktime plugin.

Thursday, January 23, 2014 @ 05:01 PM gHale

Several security flaws in Chrome can turn the browser into a surreptitious listening device, a researcher said.

It was not too long ago that Chrome began supporting voice input, and there are already websites out there that offer speech recognition for interested users.

In order for the voice aspect of the browser to work, the website explicitly asks users for permission to use their computer’s microphone. If the user allows it, the site now has access to it and the browser indicates it by a blinking red light. When the user closes the site, Chrome automatically stops listening.

But Israeli developer Tal Ater said the functionality can be misused by bad guys.

Most sites using speech recognition choose to use secure HTTPS connections. This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication there is the potential of someone listening, and the site can’t start listening to you in background windows hidden to you.

When you click the button to start or stop the speech recognition on the site, what you won’t notice is the site may have also opened another hidden popunder window. This window can wait until the main site closes, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.

Even if the user does notice that window (which can be disguised as a common banner), Chrome does not show any visual indication speech recognition is on in such windows — only in regular Chrome tabs.

Ater discovered that such an attack was possible last September, while working on a JavaScript Speech Recognition library. He shared his discovery with Google, and they confirmed the existence of the flaws and apparently prepared a fix less than two weeks later.

But the fix was not released. When he asked what the holdup was, they answered they are still debating with the W3C (World Wide Web Consortium) whether it should be released.

Four months later, they still have not made a decision, so Ater decided to reveal the existence of these flaws and to provide the source code for the exploit to the public, in the hope that this will prompt Google to finally do something about it.

Google has now responded by saying that “the feature is in compliance with the current W3C specification,” and that they continue to work on improvements.

Any Chrome user can change the browser’s settings to prevent websites from spying on them in this way (Settings > Show advanced settings > Content Settings > select: Do not allow sites to access my camera and microphone).

Wednesday, January 22, 2014 @ 04:01 PM gHale

When it comes to Android, there is a way to bypass active VPN configurations and intercept secure communications, researchers said.

In order to exploit this vulnerability, an attacker doesn’t require root permissions to capture data transmissions. The worst part of it is there’s nothing that would make victims realize that they’re being attacked, said researchers at Ben Gurion University (BGU) in Israel.

“[The] communications are captured in Clear Text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure,” BGU’s Dudu Mimran said.

The experts tested the vulnerability on several Android devices from various vendors. A video proof of concept (PoC) they made uses a Samsung Galaxy S4.

SSL/TLS traffic can also be intercepted using this attack method, but the content stays encrypted. The experiments were on a properly configured VPN, using Wi-Fi connections, and a computer connected on the same network as the targeted mobile device.

The vulnerability was reported to Google.

A few weeks ago, BGU mobile security researchers found a vulnerability impacting the Samsung Knox platform. At the time, Samsung issued an official response saying the attack exploited legitimate Android network functions in an unintended way for a classic man-in-the-middle attack.

The company noted the researchers didn’t actually identify a vulnerability in Android or Knox.

Now, BGU researchers said the attack having an impact on VPN users is different from the one targeting the Samsung Knox platform. Additional technical details on the vulnerability will be made available by the researchers at a later time.

Friday, January 17, 2014 @ 02:01 PM gHale

There is an increasing use of cloud services to distribute malware, a new report said.

Cybercriminals are leveraging the services of Amazon, Google and GoDaddy to create, host and delete their malicious websites, according to security provider Solutionary’s SERT Quarterly Threat Intelligence Report for Q4 2013. The cloud enables attackers to infect millions of computers at very low costs.

In addition to creating their own sites, malicious actors are also compromising legitimate domains. This enables them to distribute malware while avoiding detection and geographical blacklisting.

In addition, the Solutionary report found 44 percent of the malware identified by the company’s Security Engineering Research Team (SERT) was hosted in the United States. Germany comes in second with 9 percent of detected malware.

As far as antivirus engines go, Solutionary said they are still important, but they’ve become less and less efficient in detecting malware. In one case investigated by the company, none of the top 40 engines detected the over 750 malicious files served by OVH-hosted websites.

During a two-week period, one of the malicious domains,, operated across 20 countries, 67 service providers and 199 unique IP addresses to avoid being detected.

“The information in this report will show our readers how widespread the malware problem truly is and how close it hits to home. We aren’t just talking about foreign espionage campaigns, APTs and breaches; many of these malicious activities are taking place within U.S. borders,” said Solutionary SERT Director of Research Rob Kraus.

“Malware and, more specifically, its distributors are utilizing the technologies and services that make processes, application deployment and website creation easier. Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy.”
