Showing results for tags 'zero-day'.
  1. Google patches 8th Chrome zero-day exploited in the wild this year

Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux to fix seven security vulnerabilities, one of them a high-severity zero-day vulnerability exploited in the wild.

"Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild," the company revealed.

The new Chrome release has started rolling out worldwide to the Stable desktop channel and will become available to all users over the following days. Google Chrome will automatically update itself on the next launch, but you can also manually update it by checking for the newly released version from Settings > Help > 'About Google Chrome.'

Eighth exploited zero-day patched this year

The zero-day patched on Thursday and reported by Google Project Zero's Sergei Glazunov is described as a type confusion bug in V8, Google's open-source, C++-based, high-performance WebAssembly and JavaScript engine.

Even though type confusion weaknesses would generally lead to browser crashes following successful exploitation by reading or writing memory out of the bounds of the buffer, they can also be exploited by threat actors to execute arbitrary code on devices running vulnerable software.

While Google said that it is aware of in-the-wild exploitation of CVE-2021-30563, it did not share info regarding these attacks, to allow the security update to deploy on as many systems as possible before more threat actors start actively abusing it.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."

In all, Google has patched eight Chrome zero-day bugs exploited by attackers in the wild since the start of 2021. Besides CVE-2021-30563, the company previously addressed:

  • CVE-2021-21148 - February 4th, 2021
  • CVE-2021-21166 - March 2nd, 2021
  • CVE-2021-21193 - March 12th, 2021
  • CVE-2021-21220 - April 13th, 2021
  • CVE-2021-21224 - April 20th, 2021
  • CVE-2021-30551 - June 9th, 2021
  • CVE-2021-30554 - June 17th, 2021

More details on previously patched Chrome zero-days

The Google Threat Analysis Group (TAG) shared additional details earlier this week regarding in-the-wild exploitation of the CVE-2021-21166 and CVE-2021-30551 Chrome zero-days.

"Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world," Google said.

On Thursday, Microsoft and Citizen Lab linked the vendor mentioned in Google TAG's report to Israeli spyware vendor Candiru. Threat actors deployed the surveillance vendor's spyware to infect iOS, Android, macOS, and Windows devices using Chrome zero-days and unpatched Windows flaws.

Microsoft researchers found that Candiru's malware was used to compromise the systems of "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents." In all, Microsoft said it discovered "at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore."

Source: Google patches 8th Chrome zero-day exploited in the wild this year
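The practical question behind every one of these Chrome advisories is whether the build actually installed on a machine is past the fixed version. The triage script below is an added example (not code from the article or from Google): it parses the version string that `google-chrome --version` prints, compares it as a four-field tuple, and reports which of the in-the-wild CVEs on this page a host is still exposed to. Only the three CVEs that the articles here pair with an explicit fixed build are included; the host names and inventory lines are constructed sample data.

```python
"""Fleet triage: which of the in-the-wild Chrome zero-days named on this page
is a given installed Chrome build still exposed to?  Added example, not code
from the article or from Google."""
import re

# Stable builds that the articles on this page pair with each CVE.  The other
# 2021 CVEs are listed there by date only, so they are deliberately left out
# rather than guessed.
FIXED_IN = {
    "CVE-2021-21224": (90, 0, 4430, 85),   # Chrome 90.0.4430.85
    "CVE-2021-30554": (91, 0, 4472, 114),  # Chrome 91.0.4472.114
    "CVE-2021-30563": (91, 0, 4472, 164),  # Chrome 91.0.4472.164
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the four-part Chrome version from a string such as the output
    of `google-chrome --version` ('Google Chrome 91.0.4472.114').
    Returns a tuple of ints, or None when no version is present."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def exposed_to(version):
    """CVEs whose fix shipped in a newer build than `version`.  Tuple
    comparison is element-wise, so 90.0.4430.85 correctly sorts below
    91.0.4472.114 even though its last field is smaller."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def triage(inventory):
    """Map host name -> list of still-open CVEs.  Hosts whose version string
    cannot be parsed map to None so they are surfaced rather than silently
    treated as patched."""
    report = {}
    for host, text in inventory.items():
        version = parse_version(text)
        report[host] = None if version is None else exposed_to(version)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and outputs).
    sample = {
        "ws-01": "Google Chrome 91.0.4472.164",
        "ws-02": "Google Chrome 91.0.4472.114",
        "ws-03": "Google Chrome 90.0.4430.72",
        "ws-04": "chrome: command not found",
    }
    for host, cves in triage(sample).items():
        status = "unknown version" if cves is None else (", ".join(cves) or "patched")
        print(f"{host}: {status}")
```

A host that reports a version but is not in `FIXED_IN`'s range (for example a build on a later major) is correctly treated as patched for these three CVEs; an unparsable line is reported as unknown rather than patched, since "we could not read the version" is the case that most often hides an unpatched browser in inventory data.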
  2. iOS zero-day let SolarWinds hackers compromise fully updated iPhones

Flaw was exploited when government officials clicked on links in LinkedIn messages.

The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft.

In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said a “likely Russian government-backed actor” exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn.

Moscow, Western Europe, and USAID

Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.

The campaign closely tracks one Microsoft disclosed in May. In that instance, Microsoft said that Nobelium—the name the company uses to identify the hackers behind the SolarWinds supply chain attack—first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency’s account for online marketing company Constant Contact, the hackers could send emails that appeared to use addresses known to belong to the US agency.

The federal government has attributed last year’s supply chain attack to hackers working for Russia’s Foreign Intelligence Service (abbreviated as SVR). For more than a decade, the SVR has conducted malware campaigns targeting governments, political think tanks, and other organizations in countries like Germany, Uzbekistan, South Korea, and the US. Targets have included the US State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.

In an email, Shane Huntley, the head of Google's Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.

“These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors,” Huntley wrote. “It is important to note that everyone draws actor boundaries differently. In this particular case, we are aligned with the US and UK governments' assessment of APT 29.”

Forget the sandbox

Throughout the campaign, Microsoft said, Nobelium experimented with multiple attack variations. In one wave, a Nobelium-controlled web server profiled devices that visited it to determine what OS and hardware the devices ran on. If the targeted device was an iPhone or iPad, a server used an exploit for CVE-2021-1879, which allowed hackers to deliver a universal cross-site scripting attack. Apple patched the zero-day in late March.

In Wednesday’s post, Stone and Lecigne wrote:

    After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.

It’s raining zero-days

The iOS attacks are part of a recent explosion in the use of zero-days. In the first half of this year, Google’s Project Zero vulnerability research group has recorded 33 zero-day exploits used in attacks—11 more than the total number from 2020. The growth has several causes, including better detection by defenders and better software defenses that require multiple exploits to break through. The other big driver is the increased supply of zero-days from private companies selling exploits.

“0-day capabilities used to be only the tools of select nation-states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” the Google researchers wrote. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise; now they just need resources.”

The iOS vulnerability was one of four in-the-wild zero-days Google detailed on Wednesday. The other three were:

  • CVE-2021-21166 and CVE-2021-30551 in Chrome
  • CVE-2021-33742 in Internet Explorer

The four exploits were used in three different campaigns. Based on their analysis, the researchers assess that three of the exploits were developed by the same commercial surveillance company, which sold them to two different government-backed actors. The researchers didn’t identify the surveillance company, the governments, or the specific three zero-days they were referring to.

Representatives from Apple didn’t immediately respond to a request for comment.

Source: iOS zero-day let SolarWinds hackers compromise fully updated iPhones
  3. Google fixes seventh Chrome zero-day exploited in the wild this year

Google has released Chrome 91.0.4472.114 for Windows, Mac, and Linux to fix four security vulnerabilities, with one of them a high-severity zero-day vulnerability exploited in the wild.

This version, released today, June 17th, 2021, to the Stable desktop channel, has started rolling out worldwide and will become available to all users over the next few days. Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > 'About Google Chrome'.

No details on zero-day attacks in the wild

"Google is aware that an exploit for CVE-2021-30554 exists in the wild," the company's announcement reads.

The zero-day is caused by a use-after-free weakness in the WebGL (Web Graphics Library) JavaScript API used by the Chrome web browser to render interactive 2D and 3D graphics without using plug-ins. Successful exploitation of this vulnerability could lead to arbitrary code execution on computers running unpatched Chrome versions.

Although Google says that it is aware of in-the-wild exploitation of CVE-2021-30554, it did not share info regarding these attacks. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," the company said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."

Google fixed three more high-severity use-after-free bugs today in Chrome's Sharing, WebAudio, and TabGroups components, tracked as CVE-2021-30555, CVE-2021-30556, and CVE-2021-30557.

Seventh Chrome zero-day exploited in the wild this year

Today's update fixes Google Chrome's sixth zero-day exploited in attacks this year, with the other five listed below:

  • CVE-2021-21148 - February 4th, 2021
  • CVE-2021-21166 - March 2nd, 2021
  • CVE-2021-21193 - March 12th, 2021
  • CVE-2021-21220 - April 13th, 2021
  • CVE-2021-21224 - April 20th, 2021
  • CVE-2021-30551 - June 9th, 2021

In addition to these zero-days, Kaspersky reported that a threat actor group known as Puzzlemaker is chaining Chrome zero-day bugs to escape the browser's sandbox and install malware on Windows systems. "Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server," Kaspersky said.

Project Zero, Google's zero-day bug-hunting team, also unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.

Source: Google fixes seventh Chrome zero-day exploited in the wild this year
  4. Malware caught using a macOS zero-day to secretly take screenshots

Almost exactly a month ago, researchers revealed a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability.

Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission — such as accessing the microphone, webcam or recording the screen — without ever getting consent.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically the Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants also targeting Macs running the newer M1 chip.

Once the malware is running on a victim’s computer, it uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.

But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen. macOS is supposed to ask the user for permission before it allows any app — malicious or otherwise — to record the screen, access the microphone or webcam, or open the user’s storage. But the malware bypassed that permissions prompt by sneaking in under the radar by injecting malicious code into legitimate apps.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen-sharing permissions, like Zoom, WhatsApp and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged by macOS’ built-in security defenses.

The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone, webcam or capture their keystrokes, such as passwords or credit card numbers.

It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.

Source: Malware caught using a macOS zero-day to secretly take screenshots
  5. Compsci boffin publishes proof-of-concept code for 54-year-old zero-day in Universal Turing Machine

Patch your devi... oh, hang on a sec

A computer science professor from Sweden has discovered an arbitrary code execution vuln in the Universal Turing Machine, one of the earliest computer designs in history – though he admits it has "no real-world implications".

In a paper published on academic repository ArXiv, Pontus Johnson, a professor at the KTH Royal Institute of Technology in Stockholm, Sweden, cheerfully explained that his findings wouldn't be exploitable in a real-world scenario because they pertained specifically to the 1967 implementation of the simulated Universal Turing Machine (UTM) designed by the late Marvin Minsky, who co-founded the academic discipline of artificial intelligence.

Yet what the amusing little caper really brings to the world is a philosophical point: if one of the simplest concepts of a computer is vulnerable to user meddling, where in the design process should we start trying to implement security features?

"The universal Turing machine is generally considered to be the simplest, most abstract model of a computer," wrote Johnson in his paper. Through exploiting the Minsky-spec UTM's lack of input validation, he was able to trick it into running a program he had put together.

The Minsky specification describes a tape-based machine that reads and executes very simple programs from a simulated tape. Instructions on the tape move the simulated tape reader head left or right across the "tape" itself, which is represented as a one-line alphanumeric string. While users can make inputs at the start of the tape, in the UTM model they're not supposed to alter the program that follows.

"Regardless of the historical aspect of it, the fact [is] that the most simple [computer] we can describe seems to have had this propensity for vulnerability," Johnson told The Register.

Security (if you could call it that) for the UTM consists of a single digit that tells the machine "user input ends here, everything after this point is executable with the parameters you've just read." Johnson's exploit was as simple as writing that "input ends here" character in the user input field and then writing his own program after it. The UTM executes that and skips past the intended program.

Parallels with modern vulnerabilities are obvious: scale it up a bit in complexity and this has all the hallmarks of a SQL injection vuln, for example – or any other unsanitised or unescaped user input field.

Johnson told The Register today: "In this case, as in many cases, the vulnerability is based on confusing the machine… in academia, we scientists like to start with the basic principle: demonstrate something for a small system, then maybe it's true for a larger system. It seems to me that for the very smallest system, there is this intrinsic vulnerability, this propensity to be vulnerable."

The compsci prof continued: "Obviously Marvin Minsky didn't have the intention to [create] either a secure or a vulnerable system. Nevertheless, what happened was [it] was vulnerable."

Philosophically, Johnson's vuln (which has been assigned CVE-2021-32471) raises deeper questions for hardware and firmware designers alike to think upon, he told us: "Some people say that security needs to be built in from the start; you can't add it later. But in this case, all the mitigations of this that I could think of, they need to be add-ons, you can't build it into this machine.

"And if this is the mother of all computers, then it seems to me that you cannot build security in from the start."

Professor Alan Woodward of the University of Surrey opined to El Reg: "It's an interesting and provocative thought as to whether or not there is some fundamental cause for the number of specific attacks we see. I don't think we need to panic that there is some fundamental flaw in modern computer architecture, more it's a reminder that complexity brings its own threats."

Looking specifically at Johnson's vuln, he commented: "Interestingly, it seems to point more to issues with interpretations/implementations of the Turing machine. It seems to support the adage that nothing is totally secure once it's actually implemented."

Source: Compsci boffin publishes proof-of-concept code for 54-year-old zero-day in Universal Turing Machine
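The mechanism the article describes (a single in-band marker separates user input from the program, so an input that contains the marker moves the code boundary) is the same bug class as SQL injection, and it is small enough to show whole. The toy tape machine below is an added example, not Johnson's proof of concept or Minsky's 1967 machine: the five-instruction set, the `|` sentinel standing in for the marker digit, and the sample program are simplifications chosen for this illustration. It shows the vulnerable layout beside the two kinds of add-on mitigation the article alludes to, rejecting the marker in input and framing the input out of band so it is never searched for.

```python
"""Toy tape machine illustrating the in-band 'input ends here' marker flaw.
Added example, not Johnson's PoC or Minsky's 1967 machine; the instruction
set and the '|' sentinel are simplifications chosen for this illustration."""

SENTINEL = "|"               # stand-in for the marker digit in the 1967 spec
INTENDED_PROGRAM = "OROROH"  # echo the first three input cells, then halt


def execute(data, program):
    """Interpret `program` over the input cells.
    R / L  move the head right / left (clamped to the tape)
    O      append the cell under the head to the output
    W<c>   write <c> into the cell under the head
    H      halt
    Any other symbol is ignored, as a permissive interpreter would."""
    cells = list(data) or [" "]
    head, pc, out = 0, 0, []
    while pc < len(program):
        op = program[pc]
        pc += 1
        if op == "R":
            head = min(head + 1, len(cells) - 1)
        elif op == "L":
            head = max(head - 1, 0)
        elif op == "O":
            out.append(cells[head])
        elif op == "W" and pc < len(program):
            cells[head] = program[pc]
            pc += 1
        elif op == "H":
            break
    return "".join(out)


def run_vulnerable(user_input):
    """Minsky-style layout: input and program share one tape and the FIRST
    sentinel decides where code begins.  A sentinel inside the input moves
    that boundary, so everything the user wrote after it runs as code and
    the intended program is never reached."""
    tape = user_input + SENTINEL + INTENDED_PROGRAM
    data, program = tape.split(SENTINEL, 1)
    return execute(data, program)


def run_validated(user_input):
    """Add-on mitigation 1: input validation.  Reject the control character
    before it reaches the tape (the SQL-injection analogue: escape or reject
    the quote)."""
    if SENTINEL in user_input:
        raise ValueError("input may not contain the program delimiter")
    return run_vulnerable(user_input)


def run_hardened(user_input):
    """Add-on mitigation 2: out-of-band framing.  The tape starts with the
    input length, written before any user-controlled byte, so the program
    boundary is computed rather than searched for.  Input bytes, sentinel
    included, are then only ever data."""
    tape = f"{len(user_input)}:{user_input}{INTENDED_PROGRAM}"
    length, rest = tape.split(":", 1)   # the prefix is digits, never user data
    n = int(length)
    return execute(rest[:n], rest[n:])


if __name__ == "__main__":
    benign = "abc"
    payload = "ab" + SENTINEL + "WzOH"   # 'input ends here', then attacker code
    print("vulnerable, benign :", run_vulnerable(benign))    # abc
    print("vulnerable, payload:", run_vulnerable(payload))   # z   (injected code ran)
    print("hardened,   payload:", run_hardened(payload))     # ab| (treated as data)
```

Note which side of the boundary each fix lives on: neither changes the interpreter (`execute` is shared by all three runners), which is the article's point that the mitigations have to be added around the machine rather than built into it. Length-prefix framing is the more robust of the two because it makes the delimiter character legal in input instead of forbidding it.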
  6. Adobe: Windows Users Hit by PDF Reader Zero-Day

Adobe on Tuesday warned that a gaping security hole in one of the most widely deployed software products has been exploited in the wild in “limited attacks targeting Adobe Reader users on Windows.”

Adobe’s confirmation of the zero-day attack was buried in a security bulletin that documents at least 11 security vulnerabilities affecting Adobe Acrobat and Reader on both Windows and MacOS platforms.

“These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user,” according to the bulletin.

Adobe’s Acrobat Reader is widely used freeware to view, create, fill, print and format files in the Portable Document Format (PDF). The software has long been a rich target for advanced threat actors conducting targeted attacks.

The under-attack flaw -- CVE-2021-28550 -- is described as a use-after-free memory corruption issue that was discovered and reported anonymously to Adobe. The company did not provide any additional details on the active exploitation.

The mega-patch release from Adobe documents at least 23 flaws in a range of products, including a pair of security holes in Adobe Experience Manager, a trio of security flaws in Adobe InDesign and five serious bugs in Adobe Illustrator. The company also patched security vulnerabilities in Adobe InCopy and Adobe Genuine Service.

Source: Adobe: Windows Users Hit by PDF Reader Zero-Day
  7. New ransomware group uses SonicWall zero-day to breach networks

A financially motivated threat actor exploited a zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets.

The group, tracked by Mandiant threat analysts as UNC2447, exploited the CVE-2021-20016 SonicWall vulnerability to breach networks and deploy FiveHands ransomware payloads before patches were released in late February 2021.

Prior to deploying the ransomware payloads, UNC2447 was also observed using Cobalt Strike implants for gaining persistence and installing a SombRAT backdoor variant, a malware first spotted in the CostaRicto campaign coordinated by a group of mercenary hackers.

The zero-day was also exploited in attacks targeting SonicWall's internal systems in January and later abused indiscriminately in the wild.

Undercover HelloKitty

The FiveHands ransomware deployed in UNC2447 attacks was first observed in the wild during October 2020. It is also very similar to HelloKitty ransomware, both of them rewrites of DeathRansom ransomware.

The former was used to encrypt the systems of video game development studio CD Projekt Red [1, 2], with the attackers later claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and an unreleased version of Witcher 3. This ransomware operation has also targeted other large companies worldwide, including Brazilian power company CEMIG (Companhia Energética de Minas Gerais).

As discovered by Mandiant, HelloKitty activity had slowly dwindled starting in January 2021, when FiveHands usage in attacks began to pick up.

"Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021," the researchers said.

Besides sharing feature, functionality, and coding similarities, the two malware strains were also linked by Mandiant earlier this month after observing a FiveHands ransomware Tor chat using a HelloKitty favicon.

FiveHands ransomware Tor chat (Mandiant)

BleepingComputer reported earlier today on Whistler resort municipality being hit by a new ransomware operation using a very similar Tor site, but it's not clear if there are any links to the FiveHands ransomware operation.

FiveHands also has extra functionality since, unlike HelloKitty and DeathRansom, it can also "use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted." It further differs by using different embedded encryption libraries, a memory-only dropper, and asynchronous I/O requests, not present in the two other ransomware strains in its family.

Image: Mandiant

Ragnar Locker ransomware also deployed by UNC2447 affiliates

"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant added in a report published today. "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics."

Mandiant says that UNC2447 affiliates have also been observed deploying Ragnar Locker ransomware in previous attacks.

In March, Mandiant analysts discovered three more zero-day vulnerabilities in SonicWall’s on-premises and hosted Email Security (ES) products. These zero-days were also actively exploited by another group tracked as UNC2682 to backdoor systems using BEHINDER web shells, move laterally through the victims' networks, and gain access to emails and files.

Source: New ransomware group uses SonicWall zero-day to breach networks
  8. Hackers Exploit 0-Day Gatekeeper Flaw to Attack MacOS Computers

Security is only as strong as the weakest link. As further proof of this, Apple released an update to macOS operating systems to address an actively exploited zero-day vulnerability that could circumvent all security protections, thus permitting unapproved software to run on Macs.

The macOS flaw, identified as CVE-2021-30657, was discovered and reported to Apple by security engineer Cedric Owens on March 25, 2021.

"An unsigned, unnotarized, script-based proof of concept application [...] could trivially and reliably sidestep all of macOS's relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system," security researcher Patrick Wardle explained in a write-up. "Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users."

Apple's macOS comes with a feature called Gatekeeper, which allows only trusted apps to be run by ensuring that the software has been signed by the App Store or by a registered developer and has cleared an automated process called "app notarization" that scans the software for malicious content.

But the new flaw uncovered by Owens could enable an adversary to craft a rogue application in a manner that would deceive the Gatekeeper service and get executed without triggering any security warning. The trickery involves packaging a malicious shell script as a "double-clickable app" so that the malware could be double-clicked and run like an app.

"It's an app in the sense that you can double click it and macOS views it as an app when you right click -> Get Info on the payload," Owens said. "Yet it's also shell script in that shell scripts are not checked by Gatekeeper even if the quarantine attribute is present."

According to macOS security firm Jamf, the threat actor behind Shlayer malware has been abusing this Gatekeeper bypass vulnerability since as early as January 9, 2021. Distributed via a technique called search engine poisoning or spamdexing, Shlayer accounts for almost 30% of all detections on the macOS platform, with one in ten systems encountering the adware at least once, according to Kaspersky statistics for 2019.

The attack works by manipulating search engine results to surface malicious links that, when clicked, redirect users to a web page that prompts them to download a seemingly benign app update for out-of-date software, which in this campaign is a bash script designed to stealthily retrieve next-stage payloads, including Bundlore adware. Troublingly, this infection scheme could be leveraged to deliver more advanced threats such as surveillanceware and ransomware.

In addition to the aforementioned vulnerability, Monday's updates also address a critical flaw in WebKit Storage (tracked as CVE-2021-30661) that concerns an arbitrary code execution flaw in iOS, macOS, tvOS, and watchOS when processing maliciously crafted web content. "Apple is aware of a report that this issue may have been actively exploited," the company said in a security document, adding that it addressed the use-after-free weakness with improved memory management.

Aside from these updates, Apple has also released iCloud for Windows 12.3 with patches for four security issues in WebKit and WebRTC, among others, that could allow an attacker to carry out cross-site scripting (XSS) attacks (CVE-2021-1825) and corrupt kernel memory (CVE-2020-7463).

Users of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.

Source: Hackers Exploit 0-Day Gatekeeper Flaw to Attack MacOS Computers
  9. Google Chrome Hit in Another Mysterious Zero-Day Attack

Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks.

This is the fourth in-the-wild Chrome zero-day discovered so far in 2021, and the continued absence of IOC data or any meaningful information about the attacks continues to raise eyebrows among security experts.

The newest Chrome update -- 90.0.4430.85 -- is available for Windows, Mac and Linux users and is being rolled out via the browser’s automatic update mechanism.

According to a Google Chrome advisory, the update patches seven security vulnerabilities, but the company only provided one-line documentation and CVE IDs for five bugs.

The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a “type confusion” in the V8 Chrome rendering engine. Google credited Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability.

“Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” the company said.

The Chrome update also fixes a heap buffer overflow in V8, an integer overflow bug in Mojo, an out-of-bounds memory access issue in V8 and a use-after-free vulnerability in Navigation.

Source: Google Chrome Hit in Another Mysterious Zero-Day Attack
  10. Pulse Secure VPN zero-day used to hack defense firms, govt orgs

Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited in attacks against worldwide organizations and focused on US Defense Industrial Base (DIB) networks.

To mitigate the vulnerability tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.4 release.

As a workaround, the vulnerability can be mitigated on some gateways by disabling the Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.

Pulse Secure also released the Pulse Connect Secure Integrity Tool to help customers determine if their systems are impacted. Security updates to solve this issue will be released in early May.

The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances. The PCS team has provided remediation guidance to these customers directly.

The investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260). Customers are strongly recommended to review the advisories and follow the guidance, including changing all passwords in the environment if impacted.

The new issue, discovered this month, impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediate the risk to their system. PCS will issue a software update in early May.

Visit Security Advisory SA44784 (CVE-2021-22893) for more information. Customers are also encouraged to apply and leverage the efficient and easy-to-use Pulse Secure Integrity Checker Tool to identify any unusual activity on their system. - Pulse Connect Secure

Chinese-backed state hackers likely behind attacks

CVE-2021-22893 was exploited in the wild in conjunction with other Pulse Secure bugs by suspected state-sponsored threat actors to hack the networks of dozens of US and European government, defense, and financial organizations and execute arbitrary code remotely on Pulse Connect Secure gateways.

At least two threat actors tracked as UNC2630 and UNC2717 by cybersecurity firm FireEye have been deploying 12 malware strains in these attacks.

FireEye also suspects that the UNC2630 threat actor may have ties to APT5, a known APT group that operates on behalf of the Chinese government, based on "strong similarities to historic intrusions dating back to 2014 and 2015" conducted by APT5.

"Although we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5," FireEye said. "While we cannot make the same connections, the third party assessment is consistent with our understanding of APT5 and their historic TTPs and targets."

According to FireEye:

UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.
UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, and PULSEJUMP.

"These actors are highly skilled and have deep technical knowledge of the Pulse Secure product," Charles Carmakal, FireEye Mandiant SVP and CTO, told BleepingComputer.

"They developed malware that enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks.

"They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets. This tradecraft enabled the actors to maintain access to victim environments for several months without being detected."

UNC2630's primary goals are to maintain long-term access to networks, collect credentials, and steal proprietary data, according to Carmakal.

At the moment, there is no evidence that these threat actors have introduced any backdoors through a supply chain compromise of Pulse Secure's network or software deployment process.

Source: Pulse Secure VPN zero-day used to hack defense firms, govt orgs
  11. Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack

Some legacy models of QNAP network attached storage devices are vulnerable to remote unauthenticated attacks because of two unpatched vulnerabilities.

Two critical zero-day bugs affect legacy QNAP Systems storage hardware, and expose devices to remote unauthenticated attackers. The bugs, tracked as CVE-2020-25099 and CVE-2021-36195, impact QNAP’s model TS-231 network attached storage (NAS) hardware, allowing an attacker to manipulate stored data and hijack the device.

The vulnerabilities also impact some non-legacy QNAP NAS gear. However, it is important to note that patches are available for non-legacy QNAP NAS hardware. A patch for the now-retired QNAP model TS-231 NAS device, first released in 2015, is scheduled to be released within weeks, QNAP representatives told Threatpost. Patches for current model QNAP devices need to be downloaded from the QNAP download center and applied manually.

Zero-Day Disclosure

Both bugs were disclosed on Wednesday by SAM Seamless Network researchers, who released limited technical details. The disclosure was ahead of official QNAP public disclosure of the vulnerabilities, and was in line with SAM Seamless Network’s disclosure policy of giving a vendor three months to disclose vulnerability details. Both flaws were found in the Oct. and Nov. 2020 timeframe and made public Wednesday.

“We reported both vulnerabilities to QNAP with a four-month grace period to fix them,” researchers wrote. “Due to the seriousness of the vulnerabilities, we decided not to disclose the full details yet, as we believe this could cause major harm to tens of thousands of QNAP devices exposed to the internet.”

QNAP would not specifically say how many additional legacy NAS devices may be impacted. The company, in a statement to Threatpost, said:

“There are many hardware models of NAS in QNAP. (See: https://www.qnap.com/en/product/eol.php). In the list, you can find the models, the period of hardware repair or replacement, the supported OS and App updates and maintenance and the status of technical support and security updates. Most of the models, the security update could be upgraded to the latest version, i.e. QTS 4.5.2. However, some old hardware models have limits of firmware upgrade. For example, TS-EC1679U-SAS-RP could support only the legacy QTS 4.3.4.”

Breaking Down QNAP Bug One

Tracked as CVE-2020-2509, this remote code execution (RCE) bug is tied to firmware used in both old and new hardware, according to QNAP. Firmware versions prior to QTS 4.5.2.1566 (build 20210202) and QTS 4.5.1.1495 (build 20201123) are affected. Patches for current (non-legacy) hardware can be downloaded via QTS 4.5.2.1566 (ZIP) and QTS 4.5.1.1495 (ZIP).

The bug (CVE-2020-2509) resides in the NAS web server (default TCP port 8080), according to researchers.

“Previous RCE attacks on QNAP NAS models relied on web pages which do not require prior authentication, and run/trigger code in server-side. We’ve therefore inspected some CGI files (which implement such pages) and fuzzed a few of the more relevant ones,” researchers described.

They said that during the inspection, they were able to fuzz the web server with customized HTTP requests to different CGI pages, focusing on ones that didn’t require prior authentication.

“We’ve been able to generate an interesting scenario, which triggers remote code execution indirectly (i.e., triggers some behavior in other processes),” researchers wrote.

A fix for the vulnerability, suggested by researchers, is “adding input sanitizations to some core processes and library APIs, but it has not been fixed as of this writing.”

Breaking Down QNAP Bug Two

The second bug, tracked as CVE-2021-36195, is an unauthenticated RCE and arbitrary file-write flaw. It impacts QNAP TS-231’s latest firmware (version 4.3.6.1446), released in September. The flaw allows two types of attacks.

One allows a remote attacker – with access to the web server (default port 8080) – to execute arbitrary shell commands, without prior knowledge of the web credentials. The second attack “allows a remote attacker with access to the DLNA server (default port 8200) to create arbitrary file data on any (non-existing) location, without any prior knowledge or credentials. It can also be elevated to execute arbitrary commands on the remote NAS as well,” according to researchers at SAM Seamless Network.

To exploit the bug, researchers created a proof-of-concept attack. “[We used] a python script that we wrote in order to hack into the device. We achieve full takeover of the device by using a simple reverse shell technique. After that, we access a file that’s stored on the QNAP storage. Any file stored can be accessed similarly.”

QNAP said a fix for supported hardware can be downloaded from the QNAP App Center and is identified as Multimedia Console 1.3.4.

QNAP Patch Timeline

“Currently, we have released the fix in the latest firmware and related app,” QNAP representatives told Threatpost. “Since the severity level is high, we would like to release the security update for legacy versions. It is expected to be available in a week. In addition, we hope there will be another week for users’ updates.”

Source: Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack
  12. Google fixes the third actively exploited Chrome 0-Day since January

Google has addressed a new zero-day flaw in its Chrome browser that has been actively exploited in the wild, the second one within a month.

Google has fixed a new actively exploited zero-day in its Chrome browser; this is the second zero-day issue addressed by the IT giant within a month. The flaw, tracked as CVE-2021-21193, is a use after free vulnerability in the Blink rendering engine.

Google addressed the issue with the 89.0.4389.90 version for Windows, Mac, and Linux, which will be available in the coming days.

The flaw was reported to Google by an anonymous researcher on March 9. At the time of this writing, the company did not reveal details about the vulnerability, to prevent other threat actors from exploiting the issue in the wild.

Google also addressed four other vulnerabilities.

“This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.” reads the post published by Google.

[$500][1167357] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
[$TBD][1181387] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23
[$TBD][1186287] High CVE-2021-21193: Use after free in Blink. Reported by Anonymous on 2021-03-09

“Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild.”

Chrome Technical Program Manager Prudhvikumar Bommana added that Google has detected some of the bugs using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

CVE-2021-21193 is the third actively exploited zero-day flaw in Chrome that has been addressed since January.

In early February, Google addressed an actively exploited zero-day vulnerability, tracked as CVE-2021-21148, with the release of the Chrome 88.0.4324.150 version. The vulnerability is a heap buffer overflow that resides in V8, which is an open-source high-performance JavaScript and WebAssembly engine, written in C++.

Earlier this month, Google addressed another zero-day issue, tracked as CVE-2021-21166, actively exploited in the wild.

In 2020, Google addressed five Chrome zero-days actively exploited in the wild. In October, the IT giant addressed the following three zero-days:

CVE-2020-15999 – The flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.
CVE-2020-16009 – is a Heap buffer overflow in Freetype in Google Chrome.
CVE-2020-16010 – affects the browser’s user interface (UI) component in Chrome for Android.

In November, the company addressed two other zero-day vulnerabilities, actively exploited in the wild. Both zero-day flaws, tracked as CVE-2020-16013 and CVE-2020-16017, were reported by anonymous sources.

Source: Google fixes the third actively exploited Chrome 0-Day since January
  13. Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild

Google has addressed yet another actively exploited zero-day in the Chrome browser, marking the second such fix released by the company within a month.

The browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users.

While the update contains a total of five security fixes, the most important flaw rectified by Google concerns a use after free vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.

Details about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9. As is usually the case with actively exploited flaws, Google issued a terse statement acknowledging an exploit for CVE-2021-21193 but refrained from sharing additional information until a majority of users are updated with the fixes, to prevent other threat actors from creating exploits targeting this zero-day.

"Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild," Chrome Technical Program Manager Prudhvikumar Bommana noted in a blog post.

With this update, Google has fixed three zero-day flaws in Chrome since the start of the year. Earlier this month, the company issued a fix for an "object lifecycle issue in audio" (CVE-2021-21166) which it said was being actively exploited. Then on February 4, the company resolved another actively-exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.

Chrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.

Source: Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild
  14. Google fixes Chrome zero-day actively exploited in the wild

Google has addressed an actively exploited zero-day security vulnerability in the Chrome 88.0.4324.150 version released today, February 4th, 2020, to the Stable desktop channel for Windows, Mac, and Linux users.

"Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the Google Chrome 88.0.4324.150 announcement reads.

This version is rolling out to the entire userbase during the next days/weeks. Windows, Mac, and Linux desktop users can upgrade to Chrome 88 by going to Settings -> Help -> About Google Chrome. The Google Chrome web browser will then automatically check for the new update and install it when available.

V8 vulnerability under active exploitation

The vulnerability, rated by Google as high severity, is being tracked as CVE-2021-21148 and was reported by Mattias Buelens on January 24th, 2021.

The zero-day is described as a heap buffer overflow bug in V8, Google's open-source and C++ based high-performance WebAssembly and JavaScript engine. While buffer overflows generally lead to crashes, they can also be exploited by attackers to execute arbitrary code on systems running vulnerable software.

While Google says that it "is aware of reports that an exploit for CVE-2020-16009 exists in the wild," the company did not provide any details regarding the threat actors behind these attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google adds. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."

This should provide Chrome users with additional time to install the security update released today and to prevent attackers from creating other exploits targeting this zero-day bug.

Last year, Google fixed five Chrome zero-days actively exploited in the wild, all within a single month, between October 20 and November 12.

Source: Google fixes Chrome zero-day actively exploited in the wild
  15. The unpatched flaw allows an attacker to delete any kind of file on a victim machine, including system data.

A proof-of-concept exploit for a Windows zero-day that works on fully patched Windows 10 machines has been released by a security researcher. It allows an attacker to delete any kind of file on a victim machine, including system data.

The flaw (no CVE has been assigned since it was just exposed on Wednesday) is an elevation-of-privilege zero-day vulnerability in Microsoft’s Data Sharing Service (dssvc.dll). This is a local service that runs as a LocalSystem account with extensive privileges, and enables data to be brokered between applications.

According to SandboxEscaper, who released the PoC, the bug allows an adversary to delete application libraries (DLL files) – which means that the affected applications will then go look for their libraries elsewhere. If an application finds its way to a user-writeable location, it gives an attacker an opportunity to upload his or her own malicious library, resulting in machine compromise.

“This could be exploited to facilitate lateral movement within an organization or even potentially destructive purposes – such as deletion of key system files, rendering a system inoperable,” Tom Parsons, head of research at Tenable, said in an emailed breakdown.

To the latter point, in the PoC, a program that SandboxEscaper dubbed “Deletebug.exe” deletes a system file – pci.sys – on the target computer, which means a user can no longer restart it. The machine is rendered unbootable.

Will Dormann, vulnerability analyst at CERT/CC, and 0patch’s Mitja Kolsek both confirmed the vulnerability and were able to exploit it on fully patched and updated Windows 10 machines. Via Twitter, Dormann added that Data Sharing Service does not seem to be present on Windows 8.1 and earlier systems.

Researcher Kevin Beaumont confirmed the exploit as working on “Windows 10 and Server 2016 (and 2019) only.” He added that it “allows non-admins to delete any file by abusing a new Windows service not checking permissions again.”

“It reportedly affects the very latest versions of Microsoft operating systems and not older ones, so users may have wrongly assumed they were more secure,” said Parsons. “In addition, given that it affects both server and client operating systems, and with Windows 10 the second-most prevalent MS desktop/client OS after Windows 7, will also make this attractive to attackers.”

However, don’t expect a raft of attacks incorporating the exploit just yet: SandboxEscaper describes the bug as “low-quality” and a “pain to exploit.”

Tenable’s Parsons elaborated: “To put the threat into perspective, an attacker would already need access to the system or to combine it with a remote exploit to leverage the vulnerability,” he said.

Beaumont also weighed in on the exploitability, noting that meaningful exploitation would take some doing.

While Microsoft has not yet commented on the bug, 0patch has released a micropatch for the flaw, which it said “successfully blocks the exploit by adding impersonation to the DeleteFileW call… the Delete operation now gets an “ACCESS DENIED” due to impersonation.”

Source
  16. Details are about to emerge about a zero-day remote code execution vulnerability in the Microsoft Edge web browser, as two researchers plan to reveal a proof-of-concept and publish a general write-up. Microsoft has not been told the details of this vulnerability.

A tweet on November 1 announced that Microsoft Edge had been compromised once more. The proof was an image with the web browser that appeared to launch the popular Windows Calculator app.

Exploit developer Yushi Liang informed his followers that the objective was to escape the browser sandbox and that he had teamed up with Alexander Kochkov to work on achieving it. The efforts of the two experts were hampered by a "crash bug in the text editor" Liang was using to write the exploit code.

In a conversation with BleepingComputer, Liang said that they were focusing on developing a stable exploit and attaining full sandbox escaping of the code. The duo was also looking for a method to escalate execution privileges to SYSTEM, which would be the equivalent of taking complete control of the machine.

The expert found the zero-day bug with the help of the Wadi Fuzzer utility from SensePost. He told us that he has already created the PoC (demo available below) code that validated his findings.

Payouts for an Edge RCE exploit

The market for 0days is robust and there are plenty of exploit brokers ready to offer attractive compensation to developers of fresh penetration code targeting web browsers.

Zerodium pays $50,000 for a remote code execution (RCE) 0day exploit in Edge and doubles the payout when sandbox escaping is achieved. Coseinc's Pwnorama payout program offers up to $30,000 for a previously undisclosed RCE exploit in Microsoft's browser and increases the reward up to $80,000 if it is accompanied by local privilege escalation.

Vulnerability brokers are not the only ones offering juicy payouts for exploits. At this year's edition of the Pwn2Own computer hacking contest, Trend Micro's Zero Day Initiative program offered $60,000 for a sandbox escape exploit for Microsoft Edge.

Liang's web browser exploits

Zero-days in web browsers seem to have captured Liang's focus lately, as the developer recently wrote an exploit chain that achieved RCE on Firefox that took advantage of three bugs. The developer said that this proved to be a difficult task to wrap up because of a third bug that required more work to obtain the coveted result.

In another recent project, Liang set his sights on the Chromium browser, where he was able to achieve code execution without sandbox escape, a task he relayed to a friend of his.

To show that his PoC works, Liang shared with BleepingComputer the video below. To add a fun twist, the developer made Edge launch Mozilla Firefox and load the download page for Google Chrome:

Source
  17. Mozilla has released a second security update this week to patch a second zero-day that was being exploited in the wild to attack Coinbase employees and other cryptocurrency organizations.

Firefox 67.0.4 and Firefox ESR 60.7.2 are now available for Firefox users through the browser's built-in update mechanism.

This second bug was used together with another one that Mozilla patched two days ago, through the release of Firefox 67.0.3 and Firefox ESR 60.7.1.

The two zero-days

The first one was described as a "remote code execution" vulnerability that allowed remote attackers to run malicious code inside Firefox's native process.

The bug (CVE-2019-11707) was discovered on April 15 by a Google Project Zero researcher and reported to Mozilla, who only patched it this week after the Coinbase security team reported attacks exploiting the vulnerability, together with a second zero-day (CVE-2019-11708).

This second zero-day, which Mozilla described as a "sandbox escape," allowed malicious threat actors to escape from the Firefox protected process and execute code on the underlying operating system.

When combined, the two bugs provide a quick avenue for running malicious code from within a website on a visiting user's computer.

The two zero-days used in the same attacks

As ZDNet broke the news earlier today, these two zero-days were being used by an unknown hacking group in attempts to infect the Coinbase staff.

Coinbase employees would receive spear-phishing emails that would contain links to malicious sites. If they clicked the links and visited the sites -- if they used Firefox -- the page would download and run an info-stealer on their systems that would collect and exfiltrate browser passwords, and other data.

The attacks were tailored for both Mac and Windows users, with different malware strains delivered for each OS.

The attacks had been going on for weeks before being detected, and Coinbase said they also targeted other cryptocurrency organizations, and not just their employees.

The Firefox bugfix for the second zero-day is expected to land in the Tor Browser in the coming days. Today, the Tor Browser team updated to version 8.5.2, which includes the fix for the first zero-day.

Source
  18. Oracle has recently addressed a critical vulnerability affecting its WebLogic servers. Users must ensure they update their systems quickly as this WebLogic zero-day bug is presently under active exploitation. The bug, upon exploit, can allow an attacker to hijack users’ systems.

Actively Exploited WebLogic Zero-Day Bug

Reportedly, a critical WebLogic zero-day vulnerability has posed a threat to users’ online security. This bug can allow an attacker to take control of the target devices and execute remote code. As stated in Oracle’s advisory,

This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

This vulnerability, CVE-2019-2729, has earned a critical severity level, with a CVSS base score of 9.8.

According to a study by the KnownSec 404 Team, this vulnerability is presently being exploited in the wild. While they considered this vulnerability a bypass for the patch of a previously known bug (CVE-2019-2725), Oracle clarified that the recent vulnerability is unrelated to it. In a blog post, John Heimann, VP Security Program Management, clarified,

Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability.

Oracle Released A Fix

A number of researchers reported the new WebLogic zero-day vulnerability to Oracle. The bug allegedly affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0. Consequently, the vendor patched the bug and released the fix. Because of the severity of the vulnerability, and the active exploitation, Oracle recommends that users ensure a quick update of their respective systems.

Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible.

The KnownSec 404 Team also recommended some temporary solutions to mitigate the flaw.

Scenario-1: Find and delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service.
Scenario-2: Controls URL access for the /_async/* and /wls-wsat/* paths by access policy control.

Source
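The two KnownSec 404 scenarios are the kind of thing a defender wants to verify rather than take on trust: is anyone already hitting those paths, and are the WAR files really gone? The Python below is an added example and not the KnownSec 404 Team's or Oracle's code. It flags requests to the /_async/ and /wls-wsat/ prefixes in a Common Log Format access log (normalising case, duplicate slashes and query strings so trivial variants are not missed) and reports which of the two Scenario-1 WAR files are still present in a listing of deployed file names. The log lines, client addresses and file listing are constructed for the example.

```python
"""Two checks for the KnownSec 404 mitigations quoted above.

Added example, not the KnownSec 404 Team's or Oracle's code. The access-log
lines, client addresses and domain file names are constructed.
"""
import re

# Scenario-2: paths that should be fenced off by access policy control.
EXPOSED_PREFIXES = ("/_async/", "/wls-wsat/")
# Scenario-1: WAR files that should be removed (then restart WebLogic).
WAR_FILES = frozenset({"wls9_async_response.war", "wls-wsat.war"})

# Common Log Format: host ident authuser [timestamp] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Return the CLF fields as a dict, or None for lines that are not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Drop the query string, collapse repeated slashes and lower-case the
    result so trivial variants of the same endpoint compare equal."""
    p = path.split("?", 1)[0]
    while "//" in p:
        p = p.replace("//", "/")
    return p.lower()


def is_exposed_path(path):
    """True when the request targets one of the Scenario-2 prefixes."""
    return normalize_path(path).startswith(EXPOSED_PREFIXES)


def flag_requests(lines):
    """Return (client, method, path, status) for each request hitting an
    exposed prefix. Unparseable lines are skipped, not treated as hits."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec and is_exposed_path(rec["path"]):
            hits.append((rec["host"], rec["method"], rec["path"], rec["status"]))
    return hits


def leftover_war_files(deployed_names):
    """Given file names found under the domain directory (e.g. from a
    recursive listing), return the Scenario-1 WAR files still present."""
    return sorted(name for name in set(deployed_names) if name in WAR_FILES)


# Constructed sample: two clients, one of them probing both endpoints.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Jun/2019:10:15:01 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 500 1204',
    '198.51.100.7 - - [20/Jun/2019:10:15:03 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120',
    '203.0.113.10 - - [20/Jun/2019:10:15:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 887',
    '192.0.2.44 - - [20/Jun/2019:10:16:00 +0000] "GET /_ASYNC//AsyncResponseService?wsdl HTTP/1.1" 200 3312',
    "not a log line at all",
]

# Constructed sample listing: only one of the two WARs was removed.
SAMPLE_LISTING = ["wls-wsat.war", "myapp.war", "readme.txt"]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("exposed endpoint hit:", hit)
    print("WAR files still deployed:", leftover_war_files(SAMPLE_LISTING))
```

The log check is deliberately loose about case and doubled slashes: it may over-match, but the point of running it before the access policy is in place is to miss nothing. Feed `leftover_war_files` the names from a recursive listing of the domain directory, since the WARs can sit in more than one deployment location.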
  19. Study: Majority of zero-day vulnerabilities now failed against Windows 10

Microsoft has proved their latest operating system is the safest around, with only 40% of all Windows zero-days successfully exploited against the latest Windows versions since 2015.

Matt Miller, security engineer with the Microsoft Security Response Centre, analysed zero-day exploitation attempts between 2015 and 2019. Back in February, Miller gave a talk at the BlueHat Israel security conference. He showed that Windows vulnerabilities are mostly exploited before a patch is released or when a patch fails months after.

Thanks to Control Flow Guard and Device Guard security systems, amongst others, users with an updated OS are mostly safeguarded. In two out of three cases, the zero-days didn’t work against recent versions of Windows because of the mitigations added to the OS.

Additionally, his findings show that 70% of all security bugs addressed by Microsoft in the past 12 years were memory management-related issues. Miller’s MSRC colleagues are currently exploring Rust as an alternative to C and C++. The language’s security features could cause a reduction in the number of memory-related bugs.

So with these statistics in mind, it seems that attackers are better off keeping zero-day attacks to older Windows versions.

Source: Study: Majority of zero-day vulnerabilities now failed against Windows 10 (MSPoweruser)
  20. Mozilla releases Firefox 67.0.3 to fix actively exploited zero-day.

The Mozilla team released earlier today version 67.0.3 of the Firefox browser to address a critical vulnerability that is currently being abused in the wild.

"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop," Mozilla engineers wrote in a security advisory posted today. "This can allow for an exploitable crash," they added. "We are aware of targeted attacks in the wild abusing this flaw."

Samuel Groß, a security researcher with the Google Project Zero security team, and the Coinbase Security team were credited with discovering the Firefox zero-day -- tracked as CVE-2019-11707.

Outside of the short description posted on the Mozilla site, there are no other details about this security flaw or the ongoing attacks. Based on who reported the security flaw, we can safely assume the security flaw was being exploited in attacks aimed at cryptocurrency owners. Groß did not respond to a request for comment from ZDNet seeking additional details about the attacks.

Firefox zero-days are quite rare. The last time the Mozilla team patched a Firefox zero-day was in December 2016, when they fixed a security flaw that was being abused at the time to expose and de-anonymize users of the privacy-first Tor Browser.

Fellow browser maker Google patched a zero-day in its browser in March this year. The zero-day was being used together with a Windows 7 zero-day as part of a complex exploit chain.

Source
  21. Updated: Google is preparing a patch for late April 2019. Some of the suspicious PDF files exploiting this bug don't appear to be malicious in nature.

A security firm said this week that it discovered PDF documents exploiting a Google Chrome browser zero-day. The vulnerability allowed attackers to collect data from users who opened PDF files inside Chrome's built-in PDF viewer.

Exploit detection service EdgeSpot, the company that found the files, says the PDF documents would contact a remote domain with information on the users' device -- such as IP address, OS version, Chrome version, and the path of the PDF file on the user's computer.

This phone-home behavior did not take place when researchers opened the same PDF files in desktop PDF viewer apps, such as Adobe Reader and others, but was limited to Chrome only.

The company said it spotted two distinct sets of malicious PDF files exploiting this Chrome bug, with one series of files being circulated circa October 2017, and the second set in September 2018.

The first batch of malicious PDF files sent user data back to the "readnotify.com" domain, while the second sent it to "zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net," researchers said.

There was no additional malicious code in the PDF files that EdgeSpot discovered. However, collecting data on users who open a PDF file can aid attackers in fine-tuning future attacks and exploits.

But in a conversation with ZDNet after the publication of this story, Mac malware security expert Patrick Wardle explained that the first batch of files that EdgeSpot detected weren't meant to be malicious in nature, despite exploiting the Chrome bug. He said they were assembled using ReadNotify's PDF tracking service that lets users track when someone views their PDF files, a service that has been around since 2010.

"What the researchers 'uncovered' is just a document tagged by ReadNotify," Wardle told us, "but yes, Chrome should alert the user."

There is no information available on the second set of PDF files (the ones circulated in September 2018) and their nature -- if they were assembled by a threat actor, if they're just tests, or were generated for benign user tracking purposes.

For its part, EdgeSpot said it notified Google over the Christmas holiday, last year, when they first discovered the documents. The Chrome team acknowledged the zero-day and promised a fix for late April.

"We decided to release our finding prior to the patch because we think it's better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away," researchers said in a blog post yesterday.

The blog post also contains samples and indicators of compromise (IOCs) for the PDF files the company discovered.

Until a patch is out, EdgeSpot is recommending that users either use a desktop app to view PDF files or disable their internet connection while they open PDF documents in Chrome.

In unrelated research, but also connected to the world of PDF documents, earlier this week, security researchers revealed vulnerabilities that allowed them to fake signatures on 21 of 22 desktop PDF viewer apps and 5 out of 7 online PDF digital signing services.

Article updated with Wardle's analysis.

Source
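EdgeSpot's advice to open PDFs in a desktop viewer or offline is a workaround; a defender would also want to triage documents before anyone opens them. The Python below is an added example and not EdgeSpot's detection code. It scans a PDF's uncompressed object syntax for action dictionaries that can make a viewer contact a remote host (/URI, /SubmitForm, /Launch, /JavaScript, /GoToR, /ImportData), checks whether an /OpenAction or /AA trigger would fire them without a click, and lists the remote hosts found. It does not inflate compressed object streams, so when a file contains /ObjStm objects it reports the scan as inconclusive rather than silently passing the file. The sample PDFs and the tracker.example.net host are constructed.

```python
"""Static triage of a PDF for actions that can make the viewer contact a
remote host, and for the auto-run triggers that would fire them on open.

Added example (not EdgeSpot's tooling). It inspects the raw, uncompressed
object syntax only; objects hidden in compressed object streams (/ObjStm)
are not decoded, so their presence is reported separately. The sample PDFs
and host names below are constructed.
"""
import re
from urllib.parse import urlparse

# "n g obj ... endobj" blocks; DOTALL so dictionaries may span lines.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
# Action types that can leave the document (network, file system, script).
ACTION_RE = re.compile(rb"/S\s*/(URI|SubmitForm|Launch|JavaScript|GoToR|ImportData)\b")
# http(s) URLs inside literal strings such as /URI (...) or /F (...).
URL_RE = re.compile(rb"https?://[^\s()<>]+")
# Triggers that run an action without a click: document open, page/field events.
AUTO_TRIGGER_RE = re.compile(rb"/(OpenAction|AA)\b")
# Compressed object streams hide objects from this raw scan.
OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm\b")


def triage_pdf(pdf_bytes):
    """Return a dict describing remote-capable actions found in the PDF."""
    actions = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        obj_num, body = int(obj.group(1)), obj.group(2)
        for act in ACTION_RE.finditer(body):
            urls = [u.decode("latin-1") for u in URL_RE.findall(body)]
            actions.append({"obj": obj_num, "type": act.group(1).decode(), "urls": urls})
    hosts = sorted({urlparse(u).hostname for a in actions for u in a["urls"]
                    if urlparse(u).hostname})
    return {
        "auto_run": bool(AUTO_TRIGGER_RE.search(pdf_bytes)),
        "actions": actions,
        "remote_hosts": hosts,
        "has_object_streams": bool(OBJSTM_RE.search(pdf_bytes)),
    }


def verdict(report):
    """Collapse a triage report into one label a mail or file pipeline can act on."""
    if report["actions"] and report["auto_run"]:
        return "phone-home-on-open"
    if report["actions"]:
        return "remote-action-present"
    if report["has_object_streams"]:
        return "inconclusive-compressed-objects"
    return "no-remote-actions"


# Constructed sample: a one-page PDF whose /OpenAction submits to a tracker.
TRACKING_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /SubmitForm /F (https://tracker.example.net/ping) /Flags 4 >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same page with no actions at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: objects packed in a compressed object stream, which
# this raw scan cannot see into.
PACKED_PDF = b"""%PDF-1.5
5 0 obj
<< /Type /ObjStm /N 1 /First 10 /Length 0 /Filter /FlateDecode >>
stream
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, data in (("tracking", TRACKING_PDF), ("clean", CLEAN_PDF), ("packed", PACKED_PDF)):
        rep = triage_pdf(data)
        print(name, verdict(rep), rep["remote_hosts"])
```

The useful signal here is the combination: a /SubmitForm or /URI action is ordinary in a form or a linked document, but one wired to /OpenAction so it fires as soon as the file is rendered is exactly the phone-home pattern described above. A real triage pipeline would decode object streams first (for instance with a PDF parsing library) and only then apply these checks; the inconclusive verdict exists so that a packed file is never mistaken for a clean one.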
  22. The same day Apple released its latest macOS Mojave operating system, a security researcher demonstrated a potential way to bypass new privacy implementations in macOS using just a few lines of code and access sensitive user data.

On Monday, Apple started rolling out its new macOS Mojave 10.14 operating system update to its users, which includes a number of new privacy and security controls, including authorization prompts.

Mojave 10.14 now pops up authorization prompts that require direct and real user interaction before any unprivileged third-party application can tap into users' sensitive information, such as address books, location data, message archives, Mail, and photos.

Patrick Wardle, an ex-NSA hacker and now chief research officer at Digita Security, discovered a zero-day flaw that could allow an attacker to bypass authorization prompts and access users' personal information by using an unprivileged app.

Wardle tweeted a video Monday showing how he was able to bypass the permission requirements on a dark-themed Mojave system by running just a few lines of code simulating a malicious app called "breakMojave," which allowed him to access the address book and copy it to the macOS desktop.

However, Wardle goes on to say that not just Mojave's Dark Mode, but all modes are affected by the privacy bypass vulnerability.

Well, the privacy bypass flaw in Mojave seems to be concerning due to the simplicity of carrying out personal data pilfering, with no permissions required.

It should be noted that the flaw does not work with all of the new privacy protection features implemented by Apple in macOS Mojave, and hardware-based components, like the webcam and microphone, are not affected.

Since there is no public macOS bounty program to report the vulnerabilities, Wardle said on Twitter that he's still looking for a way to report the flaw to Apple.

Wardle has not released details beyond just the proof-of-concept video until the company patches the issue, in order to prevent abuse. Until then, Mojave users are recommended to be cautious about what apps they run.

Wardle is set to release more technical details of the vulnerability at his upcoming Mac Security conference in November.

Last month, Wardle publicly disclosed a different macOS zero-day flaw that could allow a malicious application installed on a targeted Mac system running Apple's High Sierra operating system to virtually "click" objects without any user interaction or consent, leading to full system compromise.

Source
  23. The security flaw, an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution, was reported to the vendor in early May. ZDI disclosed the issue publicly as 120 days had passed after they notified the vendor, although a patch hadn’t been released. The bug resides in the manner in which indexes are managed in JET. Crafted data in a database file can trigger a write past the end of an allocated buffer and an attacker could exploit this to execute code under the context of the current process. Exploitation, however, requires user interaction. Despite not being considered critical, attackers could use social engineering to trick users into opening malicious files capable of triggering the exploit. Now, 0patch, a community project focused on resolving software vulnerabilities by delivering tiny fixes to users worldwide, says they were able to devise a patch for the bug less than a day after ZDI went public with their findings. In a blog post detailing the fix, ACROS Security CEO Mitja Kolsek explains that, with JET only working on 32-bit systems, the proof-of-concept (PoC) code provided by ZDI would cause an error message on 64-bit systems, unless launched with wscript.exe. Because it attempts to write past the allocated memory block, the PoC causes a crash in wscript.exe, and this is where the security researchers started from when building their patch. Kolsek notes that a micro-patch was ready for Windows 7 only 7 hours after ZDI had published their PoC and that the fix would work on all platform iterations sharing the exact same version of msrd3x40.dll as Windows 7. Windows 10, however, has a slightly different msrd3x40.dll, and the security researchers had to make a small tweak to the initial micro-patch to address the issue in this platform iteration as well. According to Kolsek, they used the exact same source code, just a different file hash. 
“These two micropatches for a published 0day were then issued less than 24 hours after the 0day was dropped, and distributed to our users' computers within 60 minutes, where they were automatically applied to any running process with vulnerable msrd3x40.dll loaded. Which nicely demonstrates the speed, simplicity and user-friendliness of micropatching when it comes to fixing vulnerabilities,” Kolsek notes. The patches are free for everyone. Users interested in getting them only need to install and register the 0patch Agent. Even with these micro-patches, however, users are still advised to install Microsoft’s official fixes once they arrive. Source
  24. Windows 10 zero-day could allow hackers to seize control of your computer. Vulnerability has yet to be patched, with Windows 10 users warned to be on their guard. A security bug has been discovered that affects every version of the Windows operating system, from Windows 7 to Windows 10. The vulnerability can be found within the Windows Kernel Cryptography Driver and enables attackers to gain admin-level control of a victim’s computer. The flaw was discovered by Google’s Project Zero security team, which subsequently notified Microsoft. The Redmond-based firm was given seven days to patch the bug before Google published further details – a task that proved beyond the company. Although the ramifications of the security flaw sound scary, Microsoft is urging caution for the time being. The technology giant has claimed that any threat is limited, with no evidence of widespread exploits taking place. As of yet, there is also no indication that attackers are using the exploit to target the US presidential election. A patch is coming. One of the reasons why Microsoft can be so calm regarding the vulnerability (tracked as CVE-2020-17087) is that in order to be exploited, it requires another vulnerability, CVE-2020-15999. This earlier bug is browser-based and has already been patched. So, if your browser is up-to-date, you should be protected. Microsoft has not commented on when a patch for the newly-discovered vulnerability is likely to be launched, but it wouldn’t be a surprise if it was packaged within the Patch Tuesday update set to be released on November 10. A Microsoft spokesperson told Forbes that "developing a security update is a balance between timeliness and quality,” which is why the Project Zero deadline was missed. Any zero-day exploit is understandably a cause for concern but perhaps Microsoft is right not to be too panicked over this one. 
As long as Windows users make sure their browsers are updated, they’ll probably be fine until the patch arrives. Windows 10 zero-day could allow hackers to seize control of your computer
  25. Microsoft Put Off Fixing Zero Day for 2 Years. A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem. One of the 120 security holes Microsoft fixed on Aug. 11’s Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs. Code signing is the method of using a certificate-based digital signature to sign executable files and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author. Microsoft said an attacker could use this “spoofing vulnerability” to bypass security features intended to prevent improperly signed files from being loaded. Microsoft’s advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited. In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months. Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer. Quintero said this weakness would be particularly acute if an attacker were to use it to hide a malicious Java file (.jar). And, he said, this exact attack vector was indeed detected in a malware sample sent to VirusTotal. “In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. 
or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according to Microsoft Windows,” Quintero wrote. But according to Quintero, while Microsoft’s security team validated his findings, the company chose not to address the problem at the time. “Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly,” his blog post concluded. Tal Be’ery, founder of Zengo, and Peleg Hadar, senior security researcher at SafeBreach Labs, penned a blog post on Sunday that pointed to a file uploaded to VirusTotal in August 2018 that abused the spoofing weakness, which has been dubbed GlueBall. The last time that August 2018 file was scanned at VirusTotal (Aug 14, 2020), it was detected as a malicious Java trojan by 28 of 59 antivirus programs. More recently, others would likewise call attention to malware that abused the security weakness, including this post in June 2020 from the Security-in-bits blog. Be’ery said the way Microsoft has handled the vulnerability report seems rather strange. “It was very clear to everyone involved, Microsoft included, that GlueBall is indeed a valid vulnerability exploited in the wild,” he wrote. “Therefore, it is not clear why it was only patched now and not two years ago.” Asked to comment on why it waited two years to patch a flaw that was actively being exploited to compromise the security of Windows computers, Microsoft dodged the question, saying Windows users who have applied the latest security updates are protected from this attack. “A security update was released in August,” Microsoft said in a written statement sent to KrebsOnSecurity. “Customers who apply the update, or have automatic updates enabled, will be protected. 
We continue to encourage customers to turn on automatic updates to help ensure they are protected.” Update, 12:45 a.m. ET: Corrected attribution on the June 2020 blog article about GlueBall exploits in the wild. Microsoft Put Off Fixing Zero Day for 2 Years
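The GlueBall story above describes a file shape rather than a code bug: an OLE compound document (the MSI) with a ZIP archive (the JAR) glued on after it, which Windows treated as validly signed and which Java treated as a runnable JAR. The following is an added example for the defender side, not code from KrebsOnSecurity, VirusTotal, Quintero or Microsoft, and it does not check any Authenticode signature; it only measures whether a ZIP archive sits behind leading non-ZIP bytes and whether those bytes begin with the OLE signature, which is the layout a triage script or scanner rule would want to flag. The sample input is constructed inline (a synthetic OLE-shaped header plus two empty sectors, not a real MSI, with a tiny placeholder JAR appended).

```python
"""Added example: spot an OLE/MSI container with a ZIP (JAR) archive appended
after the compound document, the GlueBall-style polyglot described above.
Not the code of any party named in the article; looks at container layout
only and performs no Authenticode validation."""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary signature
ZIP_EOCD = b"PK\x05\x06"                        # ZIP end-of-central-directory
EOCD_FIXED = 22                                 # fixed-length part of the EOCD
MAX_COMMENT = 0xFFFF                            # EOCD may carry a trailing comment


def find_eocd(data: bytes):
    """Offset of the last EOCD record, or None if there is none.

    ZIP readers locate the archive by scanning backwards from the end of the
    file, so anything in front of the first local header is silently
    tolerated. That tolerance is what lets a JAR survive being appended."""
    tail = data[-(EOCD_FIXED + MAX_COMMENT):]
    idx = tail.rfind(ZIP_EOCD)
    if idx < 0:
        return None
    return len(data) - len(tail) + idx


def zip_prefix_length(data: bytes):
    """Bytes of non-ZIP data in front of the archive, or None if no ZIP.

    The EOCD stores the central directory's size and its offset from the
    archive start, so eocd_pos - cd_size - cd_offset is the leading data
    (the same 'concat' adjustment real ZIP readers compute)."""
    pos = find_eocd(data)
    if pos is None:
        return None
    # EOCD: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
    #       cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
    prefix = pos - cd_size - cd_offset
    return prefix if prefix >= 0 else None


def classify(data: bytes) -> str:
    """Coarse verdict on container layout, suitable for triage or a scanner rule."""
    is_ole = data.startswith(OLE_MAGIC)
    prefix = zip_prefix_length(data)
    if is_ole and prefix:
        return "ole-with-appended-zip"   # the GlueBall-style polyglot
    if is_ole:
        return "ole"
    if prefix == 0:
        return "zip"
    if prefix:
        return "zip-with-prefix"         # e.g. a self-extracting stub
    return "other"


def archive_names(data: bytes):
    """Entry names a ZIP reader sees, regardless of any leading bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_polyglot() -> bytes:
    """Constructed input: a synthetic OLE-shaped blob (header plus two empty
    512-byte sectors, not a real MSI) with a tiny placeholder JAR appended."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 30, 9)   # sector shift 9 -> 512-byte sectors
    ole_part = bytes(header) + b"\x00" * (2 * 512)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe placeholder class bytes")
    return ole_part + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print(classify(sample), zip_prefix_length(sample), archive_names(sample))
```

Running the script reports the sample as "ole-with-appended-zip" with 1536 leading bytes, and `archive_names` shows that Python's own ZIP reader happily opens the glued-on archive, which is the reader tolerance the article's attack depends on. In practice the layout check belongs next to, not instead of, signature validation: a file that begins with OLE magic and ends with a ZIP central directory is worth quarantining for a closer look even when the Authenticode check on the MSI part passes.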