Posts Tagged ‘Google’
Tuesday, March 4, 2014 @ 02:03 PM gHale
Patching 19 security vulnerabilities, Google issued Chrome 33.0.1750.146, the latest stable version of its web browser for Mac, Windows, and Linux computers.
Subscribers to Google’s Stable Channel for Chrome releases were notified that the web browser had been updated to version 33.0.1750.146 for Windows, Mac, and Linux.
Chrome 33.0.1750.146 is a security-centric update that fixes almost two dozen vulnerabilities, along with a full list of other addressed bugs, said Anthony Laforge on the Google Chrome Releases blog.
“This update includes 19 security fixes,” Laforge said. “We highlight fixes that were either contributed by external researchers or particularly interesting.”
Laforge said users should check out the Chromium security page for more information about this release. Quite a few of the security issues were detected using AddressSanitizer, a fast memory error detector that consists of a compiler instrumentation module and a runtime library.
Monday, February 24, 2014 @ 06:02 PM gHale
Adobe released an update for Flash Player to address three vulnerabilities, one of which is a Zero Day attackers are jumping on.
The Zero Day was a part of an attack involving multiple economic and foreign policy sites, said researchers at FireEye who along with Google reported the vulnerabilities to Adobe.
The visitors of at least three non-profit organizations, two of which deal with matters of U.S. national security, were redirected to a server hosting the Zero Day.
This attack appears to have a relationship to an older campaign in May 2012.
“The group behind this campaign appears to have sufficient resources (such as access to Zero Day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters,” FireEye researchers said in their blog.
The existence of the Adobe Flash Player Zero Day came to light February 13, when researchers noticed visitors of the Peter G. Peterson Institute for International Economics were redirected to an exploit server via a hidden iframe.
Researchers found the visitors of two other sites, the American Research Center in Egypt and the Smith Richardson Foundation, were also redirected to the same server.
The attackers tried to bypass ASLR protections by targeting only computers running Windows XP, Windows 7 with Java 1.6, and Windows 7 running unpatched versions of Office 2007 and 2010.
The exploit downloads and installs the PlugX/Kaba RAT, allowing the attackers to take control of the infected devices.
Wednesday, February 5, 2014 @ 05:02 PM gHale
Google just removed two ad-injecting Chrome extensions from the Chrome Web Store, but there may be more, researchers said.
Security researchers from Barracuda Labs have been monitoring rogue Chrome extensions since October 2012. A new spam campaign they’ve been observing over the past few weeks involves 12 Chrome extensions designed to inject ads on 44 popular sites.
Over 180,000 users have installed the extensions disguised as Logo Quiz, Counter Strike Portable, Pac Man, Snail Bob 2, Angry Halloween, Pong, Smart Soccer and other popular games.
The 12 rogue applications had been on the Chrome Web Store until at least January 30.
These pieces of software request permission to access website data, tabs and browsing activity. This way, when the victim visits a certain site, ads are injected into the page. Each time the ads are displayed or clicked on, the developer of the rogue Chrome extensions makes a certain amount of money.
Researchers said the same group that developed ad-injecting extensions disguised as the Angry Birds game back in 2012 is responsible for this campaign. However, at the time, they operated under the name playook.info, while now they go by konplayer.com.
“As we always advised, Chrome users should be very careful if you intend to install Chrome extensions — even if it is from the Google Chrome web store. Use some common sense to judge whether you need to grant permissions to any extensions. If any of the permissions seem beyond the fence of what it should do, do not install it,” Barracuda Labs researchers said in a blog.
Wednesday, January 29, 2014 @ 03:01 PM gHale
A new stable version of the Chrome browser (version 32.0.1700.102) is out and it integrates security-related fixes.
The current release of Google Chrome implements 14 security patches, the most significant of the glitches addressed being two vulnerabilities identified as CVE-2013-6649 and CVE-2013-6650.
Revealing these issues earned Atte Kettunen of OUSPG $1,000, and Christian Holler received $3,000 from the Google awards program.
The rest of $6,000 went to contributors (cloudfuzzer and miaubiz) that worked with the Chrome team during the development cycle in order to keep other security glitches from reaching the stable build.
Google Chrome 32.0.1700.102 (currently available for all supported desktop platforms – Windows, Mac, and Linux) includes other fixes for issues that affected its functionality, such as failure to scroll horizontally using the trackpad, problems with file drag and drop, disappearance of the mouse pointer upon exiting full-screen, or crashing of the Quicktime plugin.
Wednesday, January 22, 2014 @ 04:01 PM gHale
When it comes to Android, there is a way to bypass active VPN configurations and intercept secure communications, researchers said.
In order to exploit this vulnerability, an attacker doesn’t require root permissions to capture data transmissions. The worst part of it is there’s nothing that would make victims realize that they’re being attacked, said researchers at Ben Gurion University (BGU) in Israel.
“[The] communications are captured in Clear Text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure,” BGU’s Dudu Mimran said.
The experts tested the vulnerability on several Android devices from various vendors. A video proof of concept (PoC) they made uses a Samsung Galaxy S4.
SSL/TLS traffic can also be intercepted using this attack method, but the content stays encrypted. The experiments were run on a properly configured VPN, using Wi-Fi connections, and a computer connected on the same network as the targeted mobile device.
The researchers reported the vulnerability to Google.
A few weeks ago, BGU mobile security researchers found a vulnerability impacting the Samsung Knox platform. At the time, Samsung issued an official response saying the attack exploited legitimate Android network functions in an unintended way for a classic man-in-the-middle attack.
The company noted the researchers didn’t actually identify a vulnerability in Android or Knox.
Now, BGU researchers said the attack affecting VPN users is different from the one targeting the Samsung Knox platform. The researchers will make additional technical details on the vulnerability available at a later time.
Friday, January 17, 2014 @ 02:01 PM gHale
There is an increasing use of cloud services to distribute malware, a new report said.
Cybercriminals are leveraging the services of Amazon, Google and GoDaddy to create, host and delete their malicious websites, according to security provider Solutionary’s SERT Quarterly Threat Intelligence Report for Q4 2013. The cloud enables attackers to infect millions of computers at very low costs.
In addition to creating their own sites, malicious actors are also compromising legitimate domains. This enables them to distribute malware while avoiding detection and geographical blacklisting.
In addition, the Solutionary report found 44 percent of the malware identified by the company’s Security Engineering Research Team (SERT) was hosted in the United States. Germany comes in second with 9 percent of detected malware.
As far as antivirus engines go, Solutionary said they are still important, but they’ve become less and less efficient in detecting malware. In one case investigated by the company, none of the top 40 engines detected the over 750 malicious files served by OVH-hosted websites.
During a two-week period, one of the malicious domains, bb.rauzqivu.ru, operated across 20 countries, 67 service providers and 199 unique IP addresses to avoid being detected.
“The information in this report will show our readers how widespread the malware problem truly is and how close it hits to home. We aren’t just talking about foreign espionage campaigns, APTs and breaches; many of these malicious activities are taking place within U.S. borders,” said Solutionary SERT Director of Research Rob Kraus.
“Malware and, more specifically, its distributors are utilizing the technologies and services that make processes, application deployment and website creation easier. Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy.”
Thursday, January 16, 2014 @ 05:01 PM gHale
In a move to hike its browser security, Google pushed out a new stable version of Chrome for Windows, Mac, and Linux Tuesday.
The company rewarded the contributors for uncovering two use-after-free vulnerabilities, one in web workers and the other related to forms.
In addition, the developer eliminated a security issue that could cause address bar spoofing in the Android version of the web browser.
As Google rewards researchers that find vulnerabilities, the largest payment ($3,000) went to Joao Lucas Melo Brasio, an information security researcher and specialist from Brazil, for revealing a flaw that caused an unprompted synchronization of data with the Google account of an attacker.
Internal security work also improved the security of the browser, and other fixes came out of audits, fuzz testing (brute force vulnerability discovery), and other initiatives.
Tuesday, January 7, 2014 @ 05:01 PM gHale
The Android platform could soon be coming to a car near you.
Google is forming the Open Automotive Alliance (OAA) and it invited Audi, GM, Honda, Hyundai and Nvidia to join in the effort.
With automobiles the ultimate mobile device, it only makes sense to have an operating system within the car. However, with Android a very popular system for attackers to hack into, how Google will go about ensuring a car will not fall victim to a cyber assault is still a bit murky.
“In this multi-screen world, switching between our different devices should be easy and seamless. Common platforms allow for one connected experience across our phone, tablet and PC, so we get the right information at the right time, no matter what device we’re using. But there’s still an important device that isn’t yet connected as seamlessly to the other screens in our lives – the car,” Google said.
Google said millions of people are already bringing their Android phones and tablets into their cars, but no automaker has optimized the experience. “Wouldn’t it be great if you could bring your favorite apps and music with you, and use them safely with your car’s built-in controls and in-dash display?” Patrick Brady, director for Android engineering, asked.
Alongside its partners, Google is working to enable new forms of integration with Android devices, but also to adapt Android for the car to make driving safer, easier and overall more enjoyable.
“Putting Android in the car will bring drivers apps and services they already know and love, while enabling automakers to more easily deliver cutting-edge technology to their customers. And it will create new opportunities for developers to extend the variety and depth of the Android app ecosystem in new, exciting and safe ways,” Brady said.