Posts Tagged ‘Google’
Thursday, May 15, 2014 @ 01:05 PM gHale
Bad guys are looking to steal Google account passwords via a new and well-written phishing attack that is hard to catch with traditional heuristic detection, researchers said.
The way Google Chrome displays data: URIs (Uniform Resource Identifiers) makes Chrome users most vulnerable, however the phishing attack also targets Mozilla Firefox users, said researchers at security provider Bitdefender.
“With access to users’ Google accounts, hackers can buy apps on Google Play, hijack Google+ accounts and access confidential Google Drive documents,” said Catalin Cosoi, chief security strategist at Bitdefender. “The scam starts with an email allegedly sent by Google, with “Mail Notice” or “New Lockout Notice” as a subject.”
“This is a reminder that your email account will be locked out in 24 hours,” the email said. “Due to not being able to increase your Email storage Quota. Go to the INSTANT INCREASE to increase your Email storage automatically.”
When clicking the INSTANT INCREASE link, users end up redirected to a Google login web page that imitates the authentic one and asks for their credentials.
“What is interesting about this phishing attack is that users end up having the ‘data:’ in their browser’s address bar, which indicates the use of a data URI scheme,” Cosoi said.
The data URI scheme allows scammers to embed data inline in a web page as if it were an external resource. The scheme supports Base64 encoding of the file contents; in this case the entire fake login page is supplied as a Base64-encoded string inside the data URI, so the browser renders a page that was never fetched from any web server.
As Google Chrome doesn’t show the whole string, regular users have a hard time figuring out they are the target of a phishing attack and may give their data to cyber-criminals.
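The following added example (not code from the article or from Bitdefender) shows how a URL scanner or mail gateway can look inside a data: URI of the kind described above. It parses the URI per RFC 2397 using only the Python standard library, decodes the embedded document, and flags it when the payload is HTML containing a form with a password field. The two sample URIs are constructed for this example.

```python
"""Defender-side check for data: URIs that carry a credential form.

Added example, not from the original article. Parses a data: URI per
RFC 2397 (urllib.parse and base64 from the standard library), decodes the
embedded document and flags it if it is HTML with a password input, which
is how a data: URI phishing page presents itself to a URL scanner.
"""
import base64
import re
from urllib.parse import unquote_to_bytes


def parse_data_uri(uri: str) -> tuple[str, bytes]:
    """Split a data: URI into (media type, decoded payload bytes)."""
    if not uri.lower().startswith("data:"):
        raise ValueError("not a data: URI")
    header, sep, payload = uri[5:].partition(",")
    if not sep:
        raise ValueError("data: URI has no payload separator")
    params = header.split(";")
    media_type = params[0] or "text/plain"  # RFC 2397 default
    if "base64" in (p.lower() for p in params[1:]):
        # The Base64 text may itself be percent-encoded; undo that first.
        raw = unquote_to_bytes(payload)
        # Browsers tolerate missing '=' padding, so restore it before decoding.
        raw += b"=" * (-len(raw) % 4)
        body = base64.b64decode(raw, validate=False)
    else:
        body = unquote_to_bytes(payload)
    return media_type, body


# Heuristics: an HTML <form> that contains an <input type="password">.
FORM_TAG = re.compile(rb"<form\b", re.IGNORECASE)
PASSWORD_FIELD = re.compile(rb'<input[^>]*type\s*=\s*["\']?password', re.IGNORECASE)


def looks_like_credential_phish(uri: str) -> bool:
    """True when the data: URI carries an HTML document with a password form."""
    try:
        media_type, body = parse_data_uri(uri)
    except ValueError:
        return False  # not a data: URI, or malformed; nothing to decode
    if not media_type.lower().startswith("text/html"):
        return False
    return bool(FORM_TAG.search(body) and PASSWORD_FIELD.search(body))


# Constructed samples: a benign text/plain URI and an HTML page with a login form.
BENIGN_URI = "data:text/plain;base64," + base64.b64encode(b"hello").decode()
_LOGIN_PAGE = (
    b"<html><body><form method='post'>"
    b"<input name='email'><input type='password' name='pass'>"
    b"</form></body></html>"
)
SUSPECT_URI = "data:text/html;base64," + base64.b64encode(_LOGIN_PAGE).decode()


if __name__ == "__main__":
    for label, uri in (("benign", BENIGN_URI), ("suspect", SUSPECT_URI)):
        media_type, body = parse_data_uri(uri)
        print(f"{label}: {media_type}, {len(body)} bytes, "
              f"flagged={looks_like_credential_phish(uri)}")
```

The check is deliberately narrow: it answers only "does this link carry its own login page?", which is exactly the property a legitimate Google sign-in link never has. Combining it with a rule that any data: URI with an HTML media type in an inbound email is suspicious gives a gateway a cheap filter that does not depend on spotting the spoofed sender or the lure text.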
Scammers usually pose as services that contact people by email for announcements or notifications. Google, Facebook, eBay, phone services and financial institutions are among phishers’ favorite disguises to invade inboxes worldwide.
Tuesday, May 6, 2014 @ 07:05 AM gHale
Google fixed a cross-site scripting (XSS) vulnerability in its Google Search Appliance (GSA), a device that enables organizations to index and search through web content, databases, and content management systems.
The device is vulnerable to reflected XSS attacks when the dynamic navigation feature is enabled, according to an advisory published by the Computer Emergency Response Team Coordination Center (CERT/CC). The appliance combines Dell hardware with Google software.
Google fixed the vulnerability with the release of versions 7.2.0.G.114 and 7.0.14.G.216. Customers can download the updates from Google’s Enterprise Support Portal.
As a workaround, users can disable the dynamic navigation feature. Instructions on how to do so are available on the GSA support page.
Will Dormann, a vulnerability analyst with the CERT/CC, reported the existence of the issue to Google on March 20.
Thursday, April 10, 2014 @ 04:04 PM gHale
Google released stable versions of its Chrome browser, carrying 31 security fixes, and of ChromeOS, along with development versions of other products.
Google’s latest Chrome Web browser Version 34 is now rolling out, as well as a new ChromeOS Version 34 for all Chrome devices, as the company continues its regularly scheduled updates for its Chrome line of browsers and related applications.
The latest stable channel update of the Chrome browser, Version 34 is now available for Windows, Mac, and Linux, said Daniel Xie of the Google Chrome team.
The new version includes bug fixes and improvements, such as easier importing of supervised users onto new computers, several new apps and extension APIs, a different look for the Windows 8 Metro mode and many changes to improve stability and performance, Xie said. Version 34 also has 31 security fixes, including at least nine that are high priority and three that are medium priority.
The latest Chrome 34 also now includes the ability to remember and fill password fields even when the autocomplete function is off, Xie said. This is to encourage the use of the Chrome password manager so users can have more complex passwords.
Also released is the latest Stable Version 34 of ChromeOS for all Chrome devices, said Matthew Yuan of the Google Chrome team.
The new version, known officially as Version 34.0.1847.118, includes bug fixes, security updates and feature enhancements, he said. Chrome devices will be receiving the update automatically. Among the fixes and features are a new “side dock,” which allows users to dock small windows and panels to screen edges, and a default “on” status for Google Drive offline backup after a user’s first log-in, Yuan said.
The new versions of Chrome and ChromeOS follow the March release of the previous Version 33 releases of each of those products.
Chrome for Android has also received an update to Version 34, giving Android devices the latest edition of their customized browser.
Chrome 34 for Android, officially Version 34.0.1847.114, distributes through Google Play and contains crash fixes and performance improvements, including battery usage optimizations, wrote Kersey.
Google is also rolling out an update for its Chromecast TV dongle devices.
The Build 16664 update includes bug fixes and stability improvements, and the Chromecast audio volume level is now retained across sessions. It also includes improved IPv6 support and improved Domain Name System (DNS) robustness.
Thursday, March 13, 2014 @ 07:03 PM gHale
Google updated the stable channel of its web browser to address seven security holes, which means Chrome 33.0.1750.149 is available for download.
Of the seven vulnerabilities, three stand out. CVE-2014-1700 is a use-after-free issue in speech identified by Chamal de Silva. The researcher earned $4,000 for his findings.
The second flaw, CVE-2014-1701, reported by aidanhs, is a UXSS (universal cross-site scripting) vulnerability, which brought in $3,000.
Collin Payne earned $1,000 for finding a use-after-free in the web database (CVE-2014-1702).
All of those vulnerabilities were rated high severity.
Google’s internal security team has also contributed to making Chrome more secure. They’ve identified a potential sandbox escape caused by a use-after-free in web sockets (CVE-2014-1703), and various vulnerabilities in V8 (CVE-2014-1704).
Users should update their browser as soon as possible to secure their computers against cyberattacks that might leverage these flaws. The latest version of Chrome contains a Flash Player update to version 188.8.131.52.
Tuesday, March 4, 2014 @ 02:03 PM gHale
Patching 19 security vulnerabilities, Google issued Chrome 33.0.1750.146, the latest stable version of its web browser for Mac, Windows, and Linux computers.
Subscribers to Google’s Stable Channel for Chrome releases were notified that the web browser had been updated to version 33.0.1750.146 for Windows, Mac, and Linux.
Chrome 33.0.1750.146 is a security-centric update that fixes 19 vulnerabilities, and a full list of the addressed bugs accompanies the release, said Anthony LaForge on the Google Chrome Releases blog.
“This update includes 19 security fixes,” LaForge said. “We highlight fixes that were either contributed by external researchers or particularly interesting.”
LaForge said users should check out the Chromium security page for more information about this release. Quite a few of the security issues were detected using AddressSanitizer, a fast memory error detector that consists of a compiler instrumentation module and a runtime library.
Monday, February 24, 2014 @ 06:02 PM gHale
Adobe released an update for Flash Player to address three vulnerabilities, one of which is a Zero Day attackers are jumping on.
The Zero Day was part of an attack involving multiple economic and foreign policy sites, said researchers at FireEye, who, along with Google, reported the vulnerabilities to Adobe.
Visitors to at least three non-profit organizations, two of which deal with matters of U.S. national security, were redirected to a server hosting the Zero Day.
This attack appears to have a relationship to an older campaign in May 2012.
“The group behind this campaign appears to have sufficient resources (such as access to Zero Day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters,” FireEye researchers said in their blog.
The Adobe Flash Player Zero Day came to light on February 13, when researchers noticed that visitors to the Peter G. Peterson Institute for International Economics were being redirected to an exploit server via a hidden iframe.
Researchers found that visitors to two other sites, the American Research Center in Egypt and the Smith Richardson Foundation, were also redirected to the same server.
The attackers tried to bypass ASLR protections by targeting only computers running Windows XP, Windows 7 with Java 1.6, and Windows 7 running unpatched versions of Office 2007 and 2010.
The exploit downloads and installs the PlugX/Kaba RAT, allowing the attackers to take control of the infected devices.