ISSSource White Papers

Posts Tagged ‘Google’

Friday, October 16, 2015 @ 03:10 PM gHale

Google released Chrome 46, which patches vulnerabilities and simplifies the security icon displayed for each website.

The stable channel of Chrome 46 for Windows, Mac and Linux fixes 24 security problems.

The list of high severity flaws patched by Google and discovered by outside researchers includes a cross-origin bypass in the Blink rendering engine, a use-after-free in PDFium, a use-after-free in ServiceWorker and a bad cast issue in PDFium.

The medium severity flaws found from outside researchers are an information leakage bug in LocalStorage, an improper error handling issue in libANGLE and memory corruption vulnerabilities in FFMpeg.

The work of Google’s own security team resulted in various fixes and the patching of multiple flaws in the V8 open source JavaScript engine.

Google said Chrome 46 changes the way users learn about page security. Under the old way, HTTPS sites that had minor errors had little yellow “caution triangle” badges.

From now on, though, the icon for HTTPS sites with minor errors will be the same as for HTTP websites. By doing so, Google wants to reduce the number of icons Chrome users have to learn, and encourage website operators to speed up migration to proper HTTPS.

“We’ve come to understand that our yellow ‘caution triangle’ badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users. For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with ‘https://’,” Chrome officials said in a blog post.

Wednesday, October 7, 2015 @ 03:10 PM gHale

Google updated Nexus devices to fix critical security vulnerabilities, collectively called Stagefright 2.0, in Android’s media playback engine.

The issues, disclosed by security firm Zimperium, affect libstagefright and libutils, and affect all Android devices, including those running version 1.0 of the platform, which was released seven years ago.

The flaws rate as critical and could result in remote code execution on the affected devices.

Two vulnerabilities in libutils were patched in Google’s October 2015 Nexus Security Bulletin, tracked under Common Vulnerabilities and Exposures (CVE) identifiers CVE-2015-3875 and CVE-2015-6602. Both flaws exist in audio file processing and affect all devices running Android 5.1 and below.

Zimperium said the issue is in the processing of metadata within the files, which means the vulnerability could be triggered even if the user simply previews the compromised MP3 audio or MP4 video file. Older Android devices are affected if the vulnerable function in libutils is used via third party apps or pre-loaded vendor or carrier functionality.

To exploit the vulnerability, an attacker would have to push a specially crafted file to the affected device. As soon as the file is processed, it would cause memory corruption and remote code execution in a service that uses the libutils library, including mediaserver. Multiple applications use the functionality, and remote content can reach it via email, MMS, and browser playback.

Newer Google Hangouts and Messenger applications remove the primary attack vector of MMS, which means an attacker interested in exploiting the vulnerability would need to use the Web browser to execute an attack by convincing a user to visit a URL directing to a malicious Web site.

The issue could also be exploited by an attacker on the same network as the affected device through a Man-in-the-Middle (MiTM) attack. Additionally, third party apps (media players, instant messengers, etc.) that use the vulnerable library can be exploited.

Google’s new security update for Nexus devices also patches 15 vulnerabilities in libstagefright, all of which could be exploited during processing of a specially crafted media file to cause memory corruption and remote code execution. Rated Critical, these vulnerabilities impact all Android 5.1 and below versions.

Thursday, September 17, 2015 @ 04:09 PM gHale

Google fixed a lockscreen bypass vulnerability for mobile devices running any Android 5 version, which an attacker could easily exploit, researchers said.

The attacker would need to have physical access to your device in order to execute the attack.

“By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein,” said John Vernon Gordon III, a senior network security analyst at the University of Texas at Austin Information Security Office (ISO).

Google is aware of the flaw and fixed it in Android 5.1.1 build LMY48M pushed out a week ago.

Other OEMs and device makers shipping the patch slowly is less of a concern, because users can switch from a password to a PIN or pattern to be safe from such an attack.

Friday, September 4, 2015 @ 04:09 PM gHale

Google released Chrome 45 for Windows, Mac, and Linux this week, patching 29 vulnerabilities.

Ten of the 29 security issues were reported by external researchers.

Six of the vulnerabilities reported by external researchers were rated high severity, Google said.

The list includes cross-origin bypass flaws in DOM (CVE-2015-1291, CVE-2015-1293), a cross-origin bypass in Service Worker (CVE-2015-1292), use-after-free flaws in Skia (CVE-2015-1294) and Printing (CVE-2015-1295), and a character spoofing bug in the Omnibox address bar (CVE-2015-1296).

Google has paid out $7,500 for each of the cross-origin bypass vulnerabilities, $5,000 for the use-after-free in Skia, $3,000 for the use-after-free in Printing, and $1,000 for the Omnibox spoofing issue.

The medium impact flaws patched with the release of Chrome 45.0.2454.85 are a permission scoping error in WebRequests, a URL validation error in extensions, and information leak and use-after-free bugs in the Blink web browser engine.

The vulnerabilities fixed in Chrome 45 were reported by anonymous researchers, Mariusz Mlynski, Rob Wu, Alexander Kashev, and experts using the online monikers cgvwzq, cloudfuzzer, and zcorpan.

Google has paid out $40,500 so far to those who contributed to making Chrome more secure, though not all of the vulnerabilities have yet been reviewed by the search giant’s reward panel.

Google’s own security team has also identified many flaws through internal audits, fuzzing and other initiatives.

With the release of Chrome 45, Google has also started killing Flash ads. The company decided to pause certain plugin content, including Flash ads, in an effort to improve performance and reduce power consumption.

Wednesday, August 19, 2015 @ 12:08 PM gHale

Google patched a new Android vulnerability stemming from a problem in the mobile operating system’s mediaserver component.

The vulnerability, a heap overflow in mediaserver’s Audio Policy Service (CVE-2015-3842), affects Android versions 2.3 through 5.1.1, according to Trend Micro mobile threat response engineer Wish Wu, who discovered the flaw.

The problem allows a local application to execute arbitrary code with the privileges of the mediaserver process.

Several vulnerabilities have been identified recently in Android’s mediaserver component. The list includes denial-of-service (DoS) flaws and Stagefright vulnerabilities, some of which allow remote attackers to take complete control of affected devices.

The latest mediaserver-related vulnerability disclosed by Trend Micro involves the AudioEffect component. The problem can be exploited by getting the victim to install an app that doesn’t require any permissions. This malicious application can then execute arbitrary code.

“This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk,” Wu said in a blog post.

The flaw was reported to Google June 19 and the search giant patched it with the August 2015 security updates.

Trend Micro said it is not aware of active attacks leveraging this vulnerability.

“This issue is rated as a High severity due to the possibility of code execution as the privileged mediaserver service, from a local application. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access,” Google said.

Google said Wu is the first researcher to receive a reward as part of the Android Security Rewards program, which Google announced in June. According to the rules of the program, high severity vulnerabilities can earn bounty hunters up to $4,000. Since Wu also submitted a patch, he should have earned at least $2,000 for his findings.

Friday, July 24, 2015 @ 05:07 PM gHale

Google released Chrome version 44.0.2403.89 for Windows, Mac, and Linux to patch 43 security issues.

Exploitation of one of these vulnerabilities may allow an attacker to take control of an affected system.

The most critical issues include universal cross-site scripting (UXSS) flaws in Chrome for Android and the Chrome Blink layout engine, heap-buffer-overflow errors, a flaw which allows executable files to run immediately after download and a content security policy (CSP) bypass in the Chrome browser.

As part of Google’s bug bounty program, researchers earned financial rewards based on the severity of the issue. A number of rewards remain undetermined, but the most critical flaws earned researchers cash rewards ranging from $500 to $7,500. Around $40,000 went out to security researchers.

In addition to the outsiders finding issues, Chrome’s security team patched a variety of problems based on internal audits and fuzzing.

Thursday, April 16, 2015 @ 03:04 PM gHale

Chrome 42 for Windows, Mac and Linux is now available, and this latest release fixes 45 security issues and removes NPAPI support, said Google officials.

The most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.

The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.

The medium severity security issues reported by external researchers are a cross-origin-bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.

The researchers who contributed to making Chrome more secure earned $21,500, according to a Google blog post.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Alex Mineer of the Google Chrome team.

In September 2013, Google said it would phase out support for the Netscape Plugin API (NPAPI). The company noted at the time the API’s 90s-era architecture was causing crashes, security issues and other problems.

In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it ended up disabled earlier for security reasons.

Now, NPAPI support is disabled by default in Chrome, and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.

Starting with Chrome 45, scheduled for release in September, this override will be removed and NPAPI support will go away for good.

Monday, March 16, 2015 @ 03:03 PM gHale

Google fixed two serious vulnerabilities with the release of Android 5.1 Lollipop.

The flaws, which affect all Android versions prior to 5.1, were discovered and reported by Guang Gong, a security researcher at the Chinese internet security company Qihoo 360.

One of the vulnerabilities (CVE-2015-1474) is an integer overflow that leads to heap corruption. The high-severity flaw, which has a CVSS base score of 10, allows a remote attacker to gain elevated privileges or cause a denial-of-service (DoS) condition on the targeted system.

“Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of file descriptors or integer values,” Gong said in an advisory.

The second vulnerability (CVE-2015-1530) can also be exploited for privilege escalation or DoS. The flaw is the result of an integer overflow in the Android media package.

“An Integer overflow in the BnAudioPolicyService::onTransact function in frameworks/av/media/libmedia/IAudioPolicyService.cpp in Android through 5.0 allows attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of count value,” the advisory said.
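Both advisories above describe the same failure class: a count read from untrusted input is multiplied into a byte size, the product wraps in 32-bit arithmetic, and a bounds check that looks correct passes a size far smaller than what is later copied. The following is an added illustration, not Android’s GraphicBuffer or IAudioPolicyService code; the function names, the 4-byte element size and the sample counts are constructed here to show the wrap beside a checked computation that rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the length arithmetic an unflatten()-style routine
 * performs before copying file-descriptor and integer arrays out of a
 * buffer. Constructed for illustration; not Android's code. */

#define ELEM_BYTES ((uint32_t)sizeof(int32_t))   /* 4 bytes per fd or int */

/* Unchecked version: numFds * 4 + numInts * 4 is computed in 32-bit
 * arithmetic. A large attacker-controlled count wraps the product, the sum
 * comes out small, and the bounds check passes even though a later copy of
 * numInts elements would run far past the `available` bytes. */
bool naive_size_ok(uint32_t numFds, uint32_t numInts, uint32_t available)
{
    uint32_t needed = numFds * ELEM_BYTES + numInts * ELEM_BYTES;  /* may wrap */
    return needed <= available;
}

/* Checked version: refuse any count whose multiplication or addition would
 * exceed UINT32_MAX before the final size is formed, so the returned size is
 * always the true number of bytes the copy would touch. */
bool checked_size_ok(uint32_t numFds, uint32_t numInts, uint32_t available,
                     uint32_t *needed_out)
{
    if (numFds > UINT32_MAX / ELEM_BYTES)  return false;  /* numFds*4 would wrap */
    if (numInts > UINT32_MAX / ELEM_BYTES) return false;  /* numInts*4 would wrap */
    uint32_t fd_bytes  = numFds  * ELEM_BYTES;
    uint32_t int_bytes = numInts * ELEM_BYTES;
    if (fd_bytes > UINT32_MAX - int_bytes) return false;  /* sum would wrap */
    uint32_t needed = fd_bytes + int_bytes;
    if (needed_out) *needed_out = needed;
    return needed <= available;
}

int main(void)
{
    /* Constructed inputs: a sane header, then one with an oversized numInts. */
    uint32_t avail = 64;
    uint32_t needed = 0;
    printf("sane  naive=%d checked=%d needed=%u\n",
           naive_size_ok(2, 4, avail),
           checked_size_ok(2, 4, avail, &needed), needed);
    /* 0x40000001 * 4 == 0x100000004, which wraps to 4 in 32 bits, so the
     * naive check accepts a size that should have been ~4 GiB. */
    printf("huge  naive=%d checked=%d\n",
           naive_size_ok(0, 0x40000001u, avail),
           checked_size_ok(0, 0x40000001u, avail, &needed));
    return 0;
}
```

The pattern to look for in review is any `count * sizeof(T)` or `a + b` that is later compared against a buffer length: the comparison is only meaningful if the arithmetic feeding it cannot wrap, which is what the divide-and-subtract guards in `checked_size_ok` enforce.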

Gong said malicious applications can exploit these vulnerabilities to surreptitiously carry out various tasks, including taking photos of the user and uploading them to a remote server, making phone calls, and sending messages.

Gong reported the vulnerabilities to Google in October and November 2014. In the case of CVE-2015-1474, the search giant had to release two patches because the first one was incomplete.

Google released Android 5.1 last Monday. The latest update introduces a new feature called Device Protection, which ensures lost or stolen devices remain locked until the owner signs in with their Google account.

Thursday, March 5, 2015 @ 01:03 PM gHale

Google’s latest version of its browser, Chrome 41, brings new apps and extension APIs, stability and performance improvements, and, of course, security fixes.

Fifty-one security issues were fixed in Chrome 41.0.2272.76, including 13 high-severity and six medium-severity vulnerabilities identified by external researchers.

Anonymous researchers earned $14,500 for identifying an out-of-bounds write flaw in media (CVE-2015-1212), a use-after-free in v8 bindings (CVE-2015-1216), and a type confusion in v8 bindings (CVE-2015-1217).

The researcher who uses the online moniker Cloudfuzzer reported three out-of-bounds write vulnerabilities in skia filters (CVE-2015-1213, CVE-2015-1214, CVE-2015-1215), a use-after-free in DOM (CVE-2015-1218), and an out-of-bounds read in PDFium. Cloudfuzzer earned $19,000 for his work.

The list of high-severity vulnerabilities also includes an integer overflow in WebGL (CVE-2015-1219) reported by Chen Zhang of the NSFOCUS Security Team, use-after-free flaws in web databases and service workers (CVE-2015-1221, CVE-2015-1222) reported by Collin Payne, a use-after-free in the gif decoder (CVE-2015-1220) found by Aki Helin of OUSPG, a use-after-free in DOM (CVE-2015-1223) identified by Maksymillian Motyl, and a type confusion issue in v8 (CVE-2015-1230) reported by Skylined.

Medium-severity issues include an out-of-bounds read in vpxdecoder, a validation issue in the debugger, an uninitialized value in the Blink rendering engine, an uninitialized value in rendering, and a cookie injection via proxies.

Several vulnerabilities were also discovered by the Chrome Security Team.

So far, Google has paid out $50,000 to those who contributed to making Chrome 41 more secure.

Google decided to turn the single-day Pwnium competition into a year-round program. Researchers who find a Pwnium-style bug chain in Chrome or Chrome OS and report it through the Chrome Vulnerability Reward Program (VRP) can get up to $50,000.
