Posts Tagged ‘Google’
Thursday, April 10, 2014 @ 04:04 PM gHale
Google released stable versions of its Chrome browser and ChromeOS, the browser update carrying 31 security fixes, along with development versions of other products.
Google’s latest Chrome Web browser Version 34 is now rolling out, as well as a new ChromeOS Version 34 for all Chrome devices, as the company continues its regularly scheduled updates for its Chrome line of browsers and related applications.
The latest stable channel update of the Chrome browser, Version 34 is now available for Windows, Mac, and Linux, said Daniel Xie of the Google Chrome team.
The new version includes bug fixes and improvements, such as easier importing of supervised users onto new computers, several new apps and extension APIs, a different look for the Windows 8 Metro mode and many changes to improve stability and performance, Xie said. Version 34 also has 31 security fixes, including at least nine that are high priority and three that are medium priority.
The latest Chrome 34 also now includes the ability to remember and fill password fields even when the autocomplete function is off, Xie said. This is to encourage the use of the Chrome password manager so users can have more complex passwords.
Also released is the latest Stable Version 34 of ChromeOS for all Chrome devices, said Matthew Yuan of the Google Chrome team.
The new version, known officially as Version 34.0.1847.118, includes bug fixes, security updates and feature enhancements, he said. Chrome devices will be receiving the update automatically. Among the fixes and features are a new “side dock,” which allows users to dock small windows and panels to screen edges, and a default “on” status for Google Drive offline backup after a user’s first log-in, Yuan said.
The new versions of Chrome and ChromeOS follow the March release of Version 33 of each product.
Chrome for Android has also received an update to Version 34, giving Android devices the latest edition of their customized browser.
Chrome 34 for Android, officially Version 34.0.1847.114, is distributed through Google Play and contains crash fixes and performance improvements, including battery usage optimizations, wrote Kersey.
Google is also rolling out an update for its Chromecast TV dongle devices.
The Build 16664 update includes bug fixes and stability improvements, and the Chromecast now retains its audio volume level across sessions. It also includes improved IPv6 support and improved Domain Name System (DNS) robustness.
Thursday, March 13, 2014 @ 07:03 PM gHale
Google updated the stable channel of its web browser to address seven security holes; the fixed build, Chrome 33.0.1750.149, is available for download.
Of the seven vulnerabilities, three stand out. CVE-2014-1700 is a use-after-free in speech, identified by Chamal de Silva, who earned $4,000 for the finding.
The second flaw, CVE-2014-1701, reported by aidanhs, is a UXSS (universal cross-site scripting) vulnerability, which brought in $3,000.
Collin Payne earned $1,000 for finding a use-after-free in the web database (CVE-2014-1702).
All three vulnerabilities are rated high severity.
Google’s internal security team has also contributed to making Chrome more secure. They’ve identified a potential sandbox escape caused by a use-after-free in web sockets (CVE-2014-1703), and various vulnerabilities in V8 (CVE-2014-1704).
Users should update their browser as soon as possible to protect their computers against attacks that might leverage these flaws. The latest version of Chrome also contains a Flash Player update to version 126.96.36.199.
Tuesday, March 4, 2014 @ 02:03 PM gHale
Patching 19 security vulnerabilities, Google issued Chrome 33.0.1750.146, the latest stable version of its web browser for Mac, Windows, and Linux computers.
Subscribers to Google’s Stable Channel for Chrome releases were notified that the web browser had been updated to version 33.0.1750.146 for Windows, Mac, and Linux.
Chrome 33.0.1750.146 is a security-centric update that fixes almost two dozen vulnerabilities, and a full list of the addressed bugs is available, said Anthony LaForge on the Google Chrome Releases blog.
“This update includes 19 security fixes,” LaForge said. “We highlight fixes that were either contributed by external researchers or particularly interesting.”
LaForge said users should check the Chromium security page for more information about this release. Quite a few of the security issues were detected using AddressSanitizer, a fast memory error detector that consists of a compiler instrumentation module and a runtime library.
Monday, February 24, 2014 @ 06:02 PM gHale
Adobe released an update for Flash Player to address three vulnerabilities, one of which is a Zero Day that attackers are already exploiting.
The Zero Day was a part of an attack involving multiple economic and foreign policy sites, said researchers at FireEye who along with Google reported the vulnerabilities to Adobe.
Visitors to the websites of at least three non-profit organizations, two of which deal with matters of U.S. national security, were redirected to a server hosting the Zero Day.
This attack appears to be related to an older campaign from May 2012.
“The group behind this campaign appears to have sufficient resources (such as access to Zero Day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters,” FireEye researchers said in their blog.
The Adobe Flash Player Zero Day came to light February 13, when researchers noticed that visitors to the Peter G. Peterson Institute for International Economics site were being redirected to an exploit server via a hidden iframe.
Researchers found that visitors to two other sites, the American Research Center in Egypt and the Smith Richardson Foundation, were also redirected to the same server.
The attackers sidestepped ASLR protections by targeting only computers running Windows XP, Windows 7 with Java 1.6, and Windows 7 running unpatched versions of Office 2007 and 2010, configurations in which the operating system or a loaded module lacks ASLR.
The exploit downloads and installs the PlugX/Kaba RAT, allowing the attackers to take control of the infected devices.
Wednesday, February 5, 2014 @ 05:02 PM gHale
Google just removed two ad-injecting Chrome extensions from the Chrome Web Store, but there may be more, researchers said.
Security researchers from Barracuda Labs have been monitoring rogue Chrome extensions since October 2012. A new spam campaign they’ve been observing over the past few weeks involves 12 Chrome extensions designed to inject ads on 44 popular sites.
Over 180,000 users have installed the extensions disguised as Logo Quiz, Counter Strike Portable, Pac Man, Snail Bob 2, Angry Halloween, Pong, Smart Soccer and other popular games.
The 12 rogue applications had been on the Chrome Web Store until at least January 30.
These extensions request permission to access website data, tabs and browsing activity. When the victim visits one of the targeted sites, ads are injected into the page, and each time an ad is displayed or clicked the developer of the rogue extension earns a certain amount of money.
Researchers said the same group that developed ad-injecting extensions disguised as the Angry Birds game back in 2012 is responsible for this campaign. However, at the time, they operated under the name playook.info, while now they go by konplayer.com.
“As we always advised, Chrome users should be very careful if you intend to install Chrome extensions — even if it is from the Google Chrome web store. Use some common sense to judge whether you need to grant permissions to any extensions. If any of the permissions seem beyond the fence of what it should do, do not install it,” Barracuda Labs researchers said in a blog.
Wednesday, January 29, 2014 @ 03:01 PM gHale
A new stable version of the Chrome browser (version 32.0.1700.102) is out, and it includes security fixes.
The current release of Google Chrome implements 14 security patches, the most significant being two vulnerabilities identified as CVE-2013-6649 and CVE-2013-6650.
Revealing these issues earned Atte Kettunen of OUSPG $1,000, and Christian Holler received $3,000 from the Google awards program.
A further $6,000 went to contributors (cloudfuzzer and miaubiz) who worked with the Chrome team during the development cycle to keep other security glitches from reaching the stable build.
Google Chrome 32.0.1700.102 (currently available for all supported desktop platforms – Windows, Mac, and Linux) includes other fixes for issues that affected its functionality, such as failure to scroll horizontally using the trackpad, problems with file drag and drop, disappearance of the mouse pointer upon exiting full-screen, or crashing of the Quicktime plugin.
Wednesday, January 22, 2014 @ 04:01 PM gHale
When it comes to Android, there is a way to bypass active VPN configurations and intercept secure communications, researchers said.
An attacker exploiting this vulnerability does not need root permissions to capture data transmissions, and, worse, nothing alerts victims that they are being attacked, said researchers at Ben Gurion University (BGU) in Israel.
“[The] communications are captured in Clear Text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure,” BGU’s Dudu Mimran said.
The experts tested the vulnerability on several Android devices from various vendors. A video proof of concept (PoC) they made uses a Samsung Galaxy S4.
SSL/TLS traffic can also be intercepted using this attack method, but its content stays encrypted. The experiments were run against a properly configured VPN over Wi-Fi, with the attacker’s computer connected to the same network as the targeted mobile device.
The vulnerability was reported to Google.
A few weeks ago, BGU mobile security researchers found a vulnerability impacting the Samsung Knox platform. At the time, Samsung issued an official response saying the attack exploited legitimate Android network functions in an unintended way for a classic man-in-the-middle attack.
The company noted the researchers didn’t actually identify a vulnerability in Android or Knox.
Now, BGU researchers said the attack having an impact on VPN users is different from the one targeting the Samsung Knox platform. Additional technical details on the vulnerability will be available by the researchers at a later time.
Friday, January 17, 2014 @ 02:01 PM gHale
There is an increasing use of cloud services to distribute malware, a new report said.
Cybercriminals are leveraging the services of Amazon, Google and GoDaddy to create, host and delete their malicious websites, according to security provider Solutionary’s SERT Quarterly Threat Intelligence Report for Q4 2013. The cloud enables attackers to infect millions of computers at very low costs.
In addition to creating their own sites, malicious actors are also compromising legitimate domains. This enables them to distribute malware while avoiding detection and geographical blacklisting.
In addition, the Solutionary report found 44 percent of the malware identified by the company’s Security Engineering Research Team (SERT) ended up hosted in the United States. Germany comes in second with 9 percent of detected malware.
As far as antivirus engines go, Solutionary said they are still important, but they have become less and less effective at detecting malware. In one case investigated by the company, none of the top 40 engines detected the more than 750 malicious files served by OVH-hosted websites.
During a two-week period, one of the malicious domains, bb.rauzqivu.ru, operated across 20 countries, 67 service providers and 199 unique IP addresses to avoid detection.
“The information in this report will show our readers how widespread the malware problem truly is and how close it hits to home. We aren’t just talking about foreign espionage campaigns, APTs and breaches; many of these malicious activities are taking place within U.S. borders,” said Solutionary SERT Director of Research Rob Kraus.
“Malware and, more specifically, its distributors are utilizing the technologies and services that make processes, application deployment and website creation easier. Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy.”