Posts Tagged ‘Google’

Wednesday, August 19, 2015 @ 12:08 PM gHale

Google has patched a new Android vulnerability stemming from a problem in the mobile operating system’s mediaserver component.

The vulnerability, a heap overflow in mediaserver’s Audio Policy Service (CVE-2015-3842), affects Android versions 2.3 through 5.1.1, according to Trend Micro mobile threat response engineer Wish Wu, who discovered the flaw.

The problem allows a local application to execute arbitrary code with the privileges of the mediaserver process.

Several vulnerabilities have been identified of late in Android’s mediaserver component. The list includes denial-of-service (DoS) flaws and the Stagefright vulnerabilities, some of which allow remote attackers to take complete control of affected devices.

The latest mediaserver-related vulnerability disclosed by Trend Micro involves the AudioEffect component. The problem can be exploited by getting the victim to install an app that requests no permissions at all; that malicious application can then execute arbitrary code.

“This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk,” Wu said in a blog post.

The flaw was reported to Google on June 19, and the search giant patched it in the August 2015 security updates.

Trend Micro said it is not aware of active attacks leveraging this vulnerability.

“This issue is rated as a High severity due to the possibility of code execution as the privileged mediaserver service, from a local application. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access,” Google said.

Google said Wu is the first researcher to receive a reward as part of the Android Security Rewards program, which Google announced in June. According to the rules of the program, high severity vulnerabilities can earn bounty hunters up to $4,000. Since Wu also submitted a patch, he should have gained at least $2,000 for his findings.

Friday, July 24, 2015 @ 05:07 PM gHale

Google released Chrome version 44.0.2403.89 for Windows, Mac, and Linux to patch 43 security issues.

Exploitation of one of these vulnerabilities may allow an attacker to take control of an affected system.

The most critical issues include universal cross-site scripting (UXSS) flaws in Chrome for Android and the Chrome Blink layout engine, heap-buffer-overflow errors, a flaw which allows executable files to run immediately after download and a content security policy (CSP) bypass in the Chrome browser.

As part of Google’s bug bounty program, researchers earned financial rewards based on the severity of the issue. A number of rewards remain undetermined, but the most critical flaws earned researchers cash rewards ranging from $500 to $7,500. Around $40,000 went out to security researchers.

In addition to the outsiders finding issues, Chrome’s security team patched a variety of problems based on internal audits and fuzzing.

Thursday, April 16, 2015 @ 03:04 PM gHale

Chrome 42 for Windows, Mac and Linux is now available, and the latest release fixes 45 security issues and removes NPAPI support, Google officials said.

The most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.

The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.

The medium severity security issues reported by external researchers are a cross-origin-bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.

The researchers who contributed to making Chrome more secure earned $21,500 in total, according to a Google blog post.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Alex Mineer of the Google Chrome team.

In September 2013, Google said it would phase out support for the Netscape Plugin API (NPAPI). The company noted at the time the API’s 90s-era architecture was causing crashes, security issues and other problems.

In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it had been disabled earlier for security reasons.

NPAPI support is now disabled by default in Chrome, and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.

Starting with Chrome 45, scheduled for release in September, this override will be removed and NPAPI support will be gone for good.

Monday, March 16, 2015 @ 03:03 PM gHale

Google fixed two serious vulnerabilities with the release of Android 5.1 Lollipop.

The flaws, which affect all Android versions prior to 5.1, were discovered and reported by Guang Gong, a security researcher at the Chinese internet security company Qihoo 360.

One of the vulnerabilities (CVE-2015-1474) is an integer overflow that leads to heap corruption. The high-severity flaw, which has a CVSS base score of 10, allows a remote attacker to gain elevated privileges or cause a denial-of-service (DoS) condition on the targeted system.

“Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of file descriptors or integer values,” Gong said in an advisory.

The second vulnerability (CVE-2015-1530) can also be exploited for privilege escalation or DoS. The flaw is the result of an integer overflow in the Android media package.

“An Integer overflow in the BnAudioPolicyService::onTransact function in frameworks/av/media/libmedia/IAudioPolicyService.cpp in Android through 5.0 allows attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of count value,” the advisory said.
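Both Android bugs in this post (the count-driven overflow in BnAudioPolicyService::onTransact and the file-descriptor and integer overflows in GraphicBuffer::unflatten), as well as the mediaserver heap overflow in the August 2015 post above, share one root cause: an attacker-controlled count is multiplied into an allocation size using fixed-width arithmetic, the product wraps, and a later copy overruns the heap. The following C program is an added example written for this page; it is not code from Gong’s advisory, from Trend Micro or from Android itself. The wire format it parses (a 32-bit little-endian count followed by that many 32-bit values) is a constructed toy layout, and the function names are hypothetical. It shows the flawed size check beside a hardened one and a parser that uses the hardened check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy wire format, NOT Android's real flattened layout: a 32-bit
 * little-endian element count followed by 'count' 32-bit values. */

/* Decode a little-endian 32-bit value without relying on host byte order. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed pattern: the byte size is computed in 32-bit arithmetic, so a
 * count of 0x40000001 becomes 0x100000004, which wraps to 4. That wrapped
 * value passes the "fits in the buffer" test; a copy sized from the original
 * count would then run far past the end of the allocation (heap corruption).
 * This function only reports the verdict of the flawed check; it never copies. */
bool buggy_check_accepts(uint32_t count, uint32_t avail_bytes)
{
    uint32_t needed = count * (uint32_t)sizeof(uint32_t);  /* may wrap */
    return needed <= avail_bytes;
}

/* Hardened check: bound the count by what the buffer can hold. Dividing the
 * available size cannot overflow, so a huge count is rejected outright. */
bool safe_check_accepts(uint32_t count, size_t avail_bytes)
{
    return count <= avail_bytes / sizeof(uint32_t);
}

/* Parse a message using the hardened check. Returns the element count and
 * hands the caller an allocated array in *out, or returns -1 on bad input. */
long safe_unflatten(const uint8_t *buf, size_t len, uint32_t **out)
{
    *out = NULL;
    if (buf == NULL || len < sizeof(uint32_t))
        return -1;
    uint32_t count = read_le32(buf);
    size_t avail = len - sizeof(uint32_t);
    if (!safe_check_accepts(count, avail))
        return -1;                       /* count claims more than we have */
    uint32_t *vals = calloc(count ? count : 1, sizeof *vals);
    if (vals == NULL)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        vals[i] = read_le32(buf + sizeof(uint32_t) + (size_t)i * sizeof *vals);
    *out = vals;
    return (long)count;
}

/* Constructed samples: a well-formed message carrying three values, and one
 * whose count field says 0x40000001 but which carries only three values. */
const uint8_t SAMPLE_GOOD[16] = { 3,0,0,0,     1,0,0,0,  2,0,0,0,  3,0,0,0 };
const uint8_t SAMPLE_BAD[16]  = { 1,0,0,0x40,  1,0,0,0,  2,0,0,0,  3,0,0,0 };

int main(void)
{
    uint32_t avail = (uint32_t)(sizeof SAMPLE_BAD - sizeof(uint32_t));
    uint32_t huge = read_le32(SAMPLE_BAD);
    printf("flawed check accepts count 0x%x: %d\n", huge,
           buggy_check_accepts(huge, avail));
    printf("hardened check accepts count 0x%x: %d\n", huge,
           safe_check_accepts(huge, avail));

    uint32_t *vals = NULL;
    long n = safe_unflatten(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &vals);
    printf("well-formed message decoded %ld values\n", n);
    free(vals);
    n = safe_unflatten(SAMPLE_BAD, sizeof SAMPLE_BAD, &vals);
    printf("oversized count rejected: %d\n", n == -1);
    return 0;
}
```

The hardened check deliberately divides the available size rather than multiplying the count, so no intermediate product exists to wrap; the same idea applies to any count-times-element-size computation in a deserializer, whether the count arrives over Binder, in a file header or on the network.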

Gong said malicious applications can exploit these vulnerabilities to surreptitiously carry out various tasks, including taking photos of the user and uploading them to a remote server, making phone calls, and sending messages.

Gong reported the vulnerabilities to Google in October and November 2014. In the case of CVE-2015-1474, the search giant had to release two patches because the first one was incomplete.

Google released Android 5.1 last Monday. The latest update introduces a new feature called Device Protection, which ensures lost or stolen devices remain locked until the owner signs in with their Google account.

Thursday, March 5, 2015 @ 01:03 PM gHale

Google’s latest version of its browser, Chrome 41, brings new apps and extension APIs, stability and performance improvements, and, of course, security fixes.

Fifty-one security issues were fixed in Chrome 41.0.2272.76, including 13 high-severity and six medium-severity vulnerabilities identified by external researchers.

Anonymous researchers earned $14,500 for identifying an out-of-bounds write flaw in media (CVE-2015-1212), a use-after-free in v8 bindings (CVE-2015-1216), and a type confusion in v8 bindings (CVE-2015-1217).

The researcher who uses the online moniker Cloudfuzzer reported three out-of-bounds write vulnerabilities in skia filters (CVE-2015-1213, CVE-2015-1214, CVE-2015-1215), a use-after-free in DOM (CVE-2015-1218), and an out-of-bounds read in PDFium. Cloudfuzzer earned $19,000 for his work.

The list of high-severity vulnerabilities also includes an integer overflow in WebGL (CVE-2015-1219) reported by Chen Zhang of the NSFOCUS Security Team, use-after-free flaws in web databases and service workers (CVE-2015-1221, CVE-2015-1222) reported by Collin Payne, a use-after-free in the gif decoder (CVE-2015-1220) found by Aki Helin of OUSPG, a use-after-free in DOM (CVE-2015-1223) identified by Maksymillian Motyl, and a type confusion issue in v8 (CVE-2015-1230) reported by Skylined.

Medium-severity issues include an out-of-bounds read in vpxdecoder, a validation issue in the debugger, an uninitialized value in the Blink rendering engine, an uninitialized value in rendering, and a cookie injection via proxies.

Several vulnerabilities were also discovered by the Chrome Security Team.

So far, Google paid out $50,000 to those who contributed to making Chrome 41 more secure.

Google decided to turn the single-day Pwnium competition into a year-round program. Researchers who find a Pwnium-style bug chain in Chrome or Chrome OS and report it through the Chrome Vulnerability Reward Program (VRP) can get up to $50,000.

Thursday, January 15, 2015 @ 06:01 PM gHale

Google released details of a new privilege escalation vulnerability in Windows just as Microsoft was getting ready to send out a patch.

The vulnerability first came to Microsoft’s attention more than 90 days ago, and Google’s Project Zero automatically released the details when the Redmond software giant did not ship a patch within the 90-day disclosure deadline.

“When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so),” Google said in its report. “In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced.”

“However, there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn’t something that only happens during the initial provisioning of the local profile,” Google said.

A proof-of-concept (PoC) demonstrating the attack on Windows 8.1 was published, but researchers said the vulnerability also affects Windows 7.

In November, Microsoft informed Google of plans to address the issue in February 2015 and asked for an extension of the deadline. However, Google told Microsoft the 90-day deadline is “fixed for all vendors and bug classes and so cannot be extended.” Later, Microsoft promised to address the vulnerability in January, but Google still refused to extend its deadline even by two days.

In late December, Project Zero published the details and a proof-of-concept for a different Windows 8.1 privilege escalation flaw after the 90-day deadline expired.

Monday, October 13, 2014 @ 07:10 PM gHale

Google released Chrome 38 for Windows, Linux and Mac, which patches 159 security vulnerabilities.

In late September, Google said it was going to start paying more money to researchers who contribute to making Chrome more secure. More precisely, it promised between $500 and $15,000 per bug. The company rewarded researchers who reported Chrome vulnerabilities with a total of $75,000.

According to the company, of the 159 flaws fixed in Chrome 38, 113 are relatively minor bugs found with the aid of MemorySanitizer, a tool designed to detect uninitialized memory reads in C/C++ programs.

The largest reward went out to Jüri Aedla, who identified a combination of V8 and IPC bugs that can lead to remote code execution outside the sandbox (CVE-2014-3188). Aedla earned $27,633.70 for finding this critical issue which affects Chrome and Chrome OS. The researcher also got $4,500 for an information leak in V8 (CVE-2014-3195).

According to Google’s new payment scheme, the maximum reward for a well-documented sandbox escape is $15,000. However, the company pays much more for great reports.

A researcher using the online moniker “cloudfuzzer” earned $11,000 for identifying four high-severity vulnerabilities. The researcher uncovered three use-after-free issues in Events, Rendering and DOM, and an out-of-bounds read in PDFium.

James Forshaw earned $3,000 for a permission bypass in the Windows sandbox. Miaubiz and Takeshi Terada each received $1,500, for a high-severity type confusion in session management and a medium-severity information leak in XSS Auditor, respectively.

Atte Kettunen of OUSPG and Collin Payne got $1,500 and $2,000 for finding vulnerabilities. However, Google gave them an additional $23,000 for working with the company during the development cycle to ensure security flaws don’t make their way to the stable channel.

Chrome for iOS was also updated. In addition to better support for iPhone 6, the latest release includes a fix for a low-severity issue with the FaceTime and FaceTime-audio URL schemes identified by Matias Brutti.

Friday, August 29, 2014 @ 02:08 PM gHale

Building security in while creating software is a must that more designers need to take on these days, because skipping it is a recipe for disaster. Just ask Target.

That is why security researchers from Cigital, Google, Twitter, HP, McAfee, EMC, RSA, Harvard University, George Washington University, Athens University of Economics and Business, the Sadosky Foundation, and the University of Washington joined up with the IEEE Center for Secure Design and published a report looking at 10 of the most common software security design flaws.

The IEEE Computer Society Center for Secure Design participants are: Iván Arce, Sadosky Foundation; Neil Daswani, Twitter; Jim DelGrosso, Cigital; Danny Dhillon, RSA; Christoph Kern, Google; Tadayoshi Kohno, University of Washington; Carl Landwehr, George Washington University; Gary McGraw, Cigital; Brook Schoenfield, McAfee, part of Intel Security Group; Margo Seltzer, Harvard University; Diomidis Spinellis, Athens University of Economics and Business; Izar Tarandach, EMC; and Jacob West, HP.

The organizations came up with a top 10 list during a workshop session this spring, where each brought examples of design flaws it had experienced.

So far the security industry has focused on finding and eradicating security vulnerabilities. But design flaws, such as using encryption incorrectly or not validating data properly, can also be exploited by attackers or lead to security bugs. In fact, these issues can be harder to eradicate because they are built into the design itself. That is one reason software designers need to think about security as they create the software.

Target’s data breach came down to a design flaw that led to the hack.

The report recommends how to prevent each of the 10 most common software security design flaws:
1. Earn or give, but never assume, trust.
2. Use an authentication mechanism that cannot be bypassed or tampered with.
3. Authorize after you authenticate.
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
5. Define an approach that ensures all data are explicitly validated.
6. Use cryptography correctly.
7. Identify sensitive data and how you should handle it.
8. Always consider the users.
9. Understand how integrating external components changes your attack surface.
10. Be flexible when considering future changes to objects and actors.

Friday, August 15, 2014 @ 03:08 PM gHale

Google rolled out version 36 of the Chrome browser for Windows, Mac and Linux, including a set of security fixes, along with the latest revision of Flash Player.

Twelve vulnerabilities were fixed in this release, some of them found by external security researchers, who earned cash for their efforts through Google’s bug bounty program.

For a use-after-free security flaw (CVE-2014-3165) in web sockets, Google paid $2,000 to researcher Collin Payne; additional information about this flaw is not available right now.

From another external researcher, the Google team received details about a security glitch that could lead to information disclosure in SPDY. Identified as CVE-2014-3166, the discovery is credited to Antoine Delignat-Lavaud, a second-year PhD student on the Prosecco team at Inria Paris.

In order to prevent the information leakage, Chrome developers decided to disable SPDY and QUIC session pooling in the latest revision of the web browser.

SPDY is a network protocol designed to improve page load speed and security by changing how HTTP traffic is carried.

For users, disabling the session pooling means slower page loads on websites that use the protocol, but the added latency is not significant enough to noticeably affect browsing.

Additional input came from the internal security team, who discovered an undisclosed number of glitches through internal audits or code fuzzing operations.

Build 36.0.1985.143 of the web browser also updates the Adobe Flash Player plug-in to the recently released version

Adobe patched seven critical vulnerabilities, most of them memory leaks that could be abused to bypass memory protection mechanisms (address space layout randomization).