April 19, 2014

Google releases Chrome 22 with $28,500 worth of security fixes and a workaround for a Windows kernel memory corruption

(LiveHacking.Com) – Google has released Chrome 22 with a variety of new features, including a new Mouse Lock API (used mainly by 3D games), and some very important security fixes, including a Critical level fix for a Windows kernel memory corruption. Under its reward scheme, which pays security researchers real money for their efforts in finding vulnerabilities in Chrome, Google paid out $28,500 for vulnerabilities fixed in Chrome 22. One of these (the Windows kernel memory corruption) was awarded $10,000, while two UXSS vulnerabilities earned Sergey Glazunov $15,000.

There are no details yet on the Windows kernel memory corruption or the nature of the Universal XSS flaws as Google (wisely) keeps the bug details private until a majority of users have updated. The Critical flaw in Windows (146254 / CVE-2012-2897) is credited to Eetu Luodemaa and Joni Vähämäki, both from Documill.

The UXSS errors are rated as High:

  • [143439] High CVE-2012-2889: UXSS in frame handling. Credit to Sergey Glazunov.
  • [143437] High CVE-2012-2886: UXSS in v8 bindings. Credit to Sergey Glazunov.

Other security-related bugs fixed (along with the related rewards) are:

  • [$2000] [139814] High CVE-2012-2881: DOM tree corruption with plug-ins. Credit to Chamal de Silva.
  • [$1000] [135432] High CVE-2012-2876: Buffer overflow in SSE2 optimizations. Credit to Atte Kettunen of OUSPG.
  • [$1000] [140803] High CVE-2012-2883: Out-of-bounds write in Skia. Credit to Atte Kettunen of OUSPG.
  • [$1000] [143609] High CVE-2012-2887: Use-after-free in onclick handling. Credit to Atte Kettunen of OUSPG.
  • [$1000] [143656] High CVE-2012-2888: Use-after-free in SVG text references. Credit to miaubiz.
  • [$1000] [144899] High CVE-2012-2894: Crash in graphics context handling. Credit to Sławomir Błażek.
  • [Mac only] [$1000] [145544] High CVE-2012-2896: Integer overflow in WebGL. Credit to miaubiz.
  • [$500] [137707] Medium CVE-2012-2877: Browser crash with extensions and modal dialogs. Credit to Nir Moshe.
  • [$500] [139168] Low CVE-2012-2879: DOM topology corruption. Credit to pawlkt.
  • [$500] [141651] Medium CVE-2012-2884: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
  • [132398] High CVE-2012-2874: Out-of-bounds write in Skia. Credit to Google Chrome Security Team (Inferno).
  • [134955] [135488] [137106] [137288] [137302] [137547] [137556] [137606] [137635] [137880] [137928] [144579] [145079] [145121] [145163] [146462] Medium CVE-2012-2875: Various lower severity issues in the PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [137852] High CVE-2012-2878: Use-after-free in plug-in handling. Credit to Fermin Serna of Google Security Team.
  • [139462] Medium CVE-2012-2880: Race condition in plug-in paint buffer. Credit to Google Chrome Security Team (Cris Neckar).
  • [140647] High CVE-2012-2882: Wild pointer in OGG container handling. Credit to Google Chrome Security Team (Inferno).
  • [142310] Medium CVE-2012-2885: Possible double free on exit. Credit to the Chromium development community.
  • [143798] [144072] [147402] High CVE-2012-2890: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [144051] Low CVE-2012-2891: Address leak over IPC. Credit to Lei Zhang of the Chromium development community.
  • [144704] Low CVE-2012-2892: Pop-up block bypass. Credit to Google Chrome Security Team (Cris Neckar).
  • [144799] High CVE-2012-2893: Double free in XSL transforms. Credit to Google Chrome Security Team (Cris Neckar).
  • [145029] [145157] [146460] High CVE-2012-2895: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

The new Mouse Lock API included in Chrome 22 allows 3D applications, such as first-person games, to offer users control of the in-game 3D perspective using the mouse, without the pointer moving outside the window or bumping into the edge of the screen. Google points to a first-person shooter demo created by Mozilla as an illustration.

In brief: Google Go language used to write malware

(LiveHacking.Com) – Google Go, a compiled, concurrent programming language developed by Google, has been used for the first time to write malware. The language, which was initially released in 2009 and has been growing in popularity ever since, is a viable alternative to C or C++ and is well suited to writing low-level and server-type software. This has now been proved in a way that Google perhaps did not want. According to Symantec, malware has been found in the wild with components written in Go. The Trojan, known as Trojan.Encriyoko, attempts to encrypt various file formats on a compromised computer and so render them unusable.

The original sample Symantec acquired was called GalaxyNxRoot.exe, a dropper written in .NET which disguises itself as a rooting tool to trick users into installing it. When run, GalaxyNxRoot.exe drops and launches two executable files, both written in Go: PPSAP.exe and adbtool.exe. The first is an information-stealing Trojan that collects system information such as the currently running processes, user name, MAC address, etc., and sends it to a server on the Internet. The second file downloads an encrypted file from a different remote location. This downloaded file is decrypted and executed in an attempt to encrypt various files on the infected computer.

In brief: Google adds OAuth 2.0 support for IMAP/SMTP and XMPP

(LiveHacking.Com) – Google has been a long time proponent of using OAuth 2.0 for its services and APIs. Now it has extended its use of the open standard authorization mechanism by adding OAuth 2.0 support for IMAP/SMTP and XMPP.

It was just over a year ago that Google announced its recommendation that OAuth 2.0 become the standard authentication mechanism for its APIs. Using it has several security benefits, including access to Google’s two-factor authentication process.

“When clients use OAuth 2.0, they never ask users for passwords. Users have tighter control over what data clients have access to, and clients never see a user’s password, making it much harder for a password to be stolen. If a user has their laptop stolen, or has any reason to believe that a client has been compromised, they can revoke the client’s access without impacting anything else that has access to their data,” said Ryan Troll from Google’s Application Security Team.

Google has also announced that it will deprecate the older authentication mechanisms such as XOAUTH for IMAP/SMTP and X-GOOGLE-TOKEN and SASL PLAIN for XMPP.
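To make the difference between the deprecated password-based SASL PLAIN mechanism and the OAuth 2.0 approach concrete, here is an added example (not code from the original article or from Google): it builds the initial client response for both mechanisms and decodes a captured response from the defender's side to report which kind of secret it carries. It assumes the XOAUTH2 mechanism name and the `user=...^Aauth=Bearer ...^A^A` layout that Google documents for IMAP/SMTP, and uses constructed, placeholder credentials.

```python
import base64

# Constructed sample credentials; the token is a placeholder, not a real one.
USER = "alice@example.com"
PASSWORD = "hunter2-constructed"
ACCESS_TOKEN = "ya29.PLACEHOLDER_TOKEN"


def sasl_plain_response(user: str, password: str) -> bytes:
    """Initial client response for SASL PLAIN (RFC 4616):
    authzid NUL authcid NUL password, base64-encoded on the wire.
    The password itself travels in this message."""
    raw = b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw)


def xoauth2_response(user: str, access_token: str) -> bytes:
    """Initial client response for the XOAUTH2 mechanism (assumed format,
    per Google's IMAP/SMTP documentation): user=<addr>^Aauth=Bearer <token>^A^A.
    Only a revocable bearer token travels in this message, never the password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw)


def inspect_initial_response(mechanism: str, encoded: bytes) -> dict:
    """Decode a captured initial response and report what secret it exposes.

    Defender's view: a PLAIN exchange leaks the account password if captured,
    so the whole account must be reset; an XOAUTH2 exchange leaks only a
    token that can be revoked on its own without touching anything else."""
    raw = base64.b64decode(encoded, validate=True)
    if mechanism == "PLAIN":
        parts = raw.split(b"\0")
        if len(parts) != 3:
            raise ValueError("malformed PLAIN response")
        return {"user": parts[1].decode(), "secret_kind": "password",
                "revocable_alone": False}
    if mechanism == "XOAUTH2":
        fields = raw.split(b"\x01")
        # Expect exactly: [b"user=...", b"auth=Bearer ...", b"", b""]
        if len(fields) != 4 or fields[2] != b"" or fields[3] != b"":
            raise ValueError("malformed XOAUTH2 response")
        if not fields[0].startswith(b"user=") or not fields[1].startswith(b"auth=Bearer "):
            raise ValueError("malformed XOAUTH2 response")
        return {"user": fields[0][len(b"user="):].decode(), "secret_kind": "bearer token",
                "revocable_alone": True}
    raise ValueError(f"unsupported mechanism {mechanism}")


if __name__ == "__main__":
    for mech, msg in (("PLAIN", sasl_plain_response(USER, PASSWORD)),
                      ("XOAUTH2", xoauth2_response(USER, ACCESS_TOKEN))):
        print(mech, inspect_initial_response(mech, msg))
```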

Google buys VirusTotal to boost its online protection services

(LiveHacking.Com) – VirusTotal, a free online service that analyzes files and URLs for malware, has been bought by Google. The purchase is seen by many as a way for Google to boost the protection it offers for its online services like Gmail and Google+. Since VirusTotal will continue to operate independently, the company plans to maintain its partnerships with other antivirus companies and security experts.

VirusTotal works by aggregating warnings on user-submitted files and URLs from all the major antivirus solutions, including Intel Corp’s McAfee and Symantec Corp. Once a file or URL is received, VirusTotal performs the malware checks and then distributes the results to security vendors. Since those returned results include the original document or website in question, the service is seen as a valuable resource that allows the security industry to spot emerging threats.

“VirusTotal will continue to operate independently, maintaining our partnerships with other antivirus companies and security experts. This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them,” said the company on its blog.

Terms of the deal were not disclosed.

Google pays out $3500 to security researchers for fixes in Chrome 21.0.1180.89

(LiveHacking.Com) – Google has released Chrome 21.0.1180.89 for Linux, Mac and Windows to fix several bugs and address a number of security vulnerabilities. Under its rewards scheme, which Google set up to pay researchers who find security-related bugs in the Chrome source code, Google paid out $3500 for five of the eight bugs squashed.

Three of the bugs are rated as High, which means the vulnerability could let an attacker read or modify confidential data belonging to other web sites. Vulnerabilities that interfere with browser security features are also rated High. The first High severity bug earned $1000 for Miaubiz and was related to a bad cast with run-ins. The spotting of a bad cast in XSL transforms pocketed Nicolas Gregoire $1000, while the third High severity bug was found by Google itself, a fix to avoid stale buffers in URL loading.

The full list of bugs fixed is as follows:

  • [$500] [121347] Medium CVE-2012-2865: Out-of-bounds read in line breaking. Credit to miaubiz.
  • [$1000] [134897] High CVE-2012-2866: Bad cast with run-ins. Credit to miaubiz.
  • [135485] Low CVE-2012-2867: Browser crash with SPDY.
  • [$500] [136881] Medium CVE-2012-2868: Race condition with workers and XHR. Credit to miaubiz.
  • [137778] High CVE-2012-2869: Avoid stale buffer in URL loading. Credit to Fermin Serna of the Google Security Team.
  • [138672] [140368] Low CVE-2012-2870: Lower severity memory management issues in XPath. Credit to Nicolas Gregoire.
  • [$1000] [138673] High CVE-2012-2871: Bad cast in XSL transforms. Credit to Nicolas Gregoire.
  • [$500] [142956] Medium CVE-2012-2872: XSS in SSL interstitial. Credit to Emmanuel Bronshtein.

Note that the referenced bugs will be kept private until a majority of Chrome users have upgraded.

Google ups bounties for finding vulnerabilities in Chrome and offers over $2 million in prize money for Pwnium 2

(LiveHacking.Com) – Many people have benefited from Google’s Chrome Vulnerability Rewards Program, which was created to reward security researchers who invest their time and effort in helping find security vulnerabilities in Chrome and its open source counterpart Chromium. Not only does Google get a more secure browser, and users a safer web experience, but browsers like Safari benefit too, as Safari is built on the same WebKit rendering engine.

Google, which has paid out over $1 million in rewards, has recently made two big announcements with regards to the rewards it is offering researchers. First, three new $1000 rewards have been announced which will be added to the base reward: for vulnerabilities that are particularly exploitable, for bugs in stable areas of the code base, and for serious bugs which impact a significantly wider range of products than just Chrome (e.g. open source libraries).

Google has also announced that it will host a second Pwnium competition. Pwnium 2 will be held on Oct 10th, 2012 at the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia. The prize money up for grabs totals $2 million:

  • $60,000: ‘Full Chrome exploit’: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
  • $50,000: ‘Partial Chrome exploit’: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
  • $40,000: ‘Non-Chrome exploit’: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
  • $Panel decision: ‘Incomplete exploit’: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation.

“For Pwnium 2, we want to reward people who get ‘part way’ as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can,” wrote Chris Evans, a software engineer at Google.

Google fixes two more High priority security bugs in Chrome just days after fixing 26 others

(LiveHacking.com) — At the end of July, Google released Chrome 21 which, along with new features like a new API for high-quality video and audio communication, fixed 26 security related bugs. Now just 8 days later Google has released a new version of Chrome 21 (21.0.1180.75) for Mac, Linux and Windows which addresses two High priority security issues.

The two vulnerabilities comprise five bug reports raised against Chrome and are all to do with the built-in PDF viewer. The details are as follows:

  • [136643] [137721] [137957] High CVE-2012-2862: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.
  • [136968] [137361] High CVE-2012-2863: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

Note that the referenced bugs will be kept private until a majority of Chrome users are up to date with the fix.

Google defines a bug to be of high severity if the vulnerability lets an attacker read or modify confidential data belonging to other web sites. Additionally, Google recommends rating issues that let an attacker execute arbitrary code within the confines of the sandbox as High. Vulnerabilities that interfere with browser security features are also high severity.

Other non-security fixes in this release include:

  • Flash videos no longer remaining in fullscreen when clicking a secondary monitor while the video is playing (Issue: 140366)
  • Flash video full screen displays on wrong monitor (Issue: 137523)
  • REGRESSION: Rendering difference in Chrome 21 and 22 affecting Persian Wikipedia (Issue: 139502)
  • Some known crashes (Issues: 137498, 138552, 128652, 140140)
  • Audio objects are not “switched” immediately (Issue: 140247)
  • Print and Print Preview ignore paper size default in printer config (Issue: 135374)
  • Candidate window is shown in the wrong place on Retina displays (Issue: 139108)
  • More of the choppy and distorted audio issues (Issue: 136624)
  • Japanese characters showing in Chinese font (Issue: 140432)
  • Video playback issues with Flash-based sites (Issue: 139953)
  • Sync invalidation notification broken after restart (Issue: 139424)

Google fixes three High severity vulnerabilities in Chrome

(LiveHacking.Com) – Google has released a new version of its Chrome web browser to address three High severity vulnerabilities. According to Google’s severity ratings, a vulnerability is considered High if it lets an attacker read or modify confidential data belonging to other web sites. Google also says that vulnerabilities that interfere with browser security features are high severity.

Google paid out $2000 to security researcher Miaubiz for his work in finding two of the three security vulnerabilities. Miaubiz has received thousands of dollars from Google under its Chromium rewards scheme. Both Miaubiz bugs are use-after-free type bugs, one in counter handling and the other in layout height tracking. The third bug is a bad object access with JavaScript in PDF.

As well as the three security fixes, Chrome 20.0.1132.57 also includes a new version of Flash, a new version of the V8 JavaScript engine (3.10.8.20) and some stability/bug fixes.

Google pays out $11500 to security researchers for improvements added to Chrome 20

(LiveHacking.Com) – Google has released Chrome 20 (20.0.1132.43) for Windows, Mac, and Linux. In doing so it also paid out some $11500 in rewards to security researchers who found potential High risk security vulnerabilities in Chrome and its supporting libraries.

One security researcher, who goes by the name of Miaubiz, stands out. In Chrome 20 he was awarded $7000 for his efforts in finding security vulnerabilities in Chrome. The majority of the bugs found were use-after-free bugs, which are often used by hackers to develop exploits. The list of Miaubiz’s bugs is:

  • [$1000] [120222] High CVE-2012-2817: Use-after-free in table section handling.
  • [$1000] [120944] High CVE-2012-2818: Use-after-free in counter layout.
  • [$1000] [124356] High CVE-2012-2823: Use-after-free in SVG resource handling.
  • [$1000] [125374] High CVE-2012-2824: Use-after-free in SVG painting.
  • [$1000] [129947] High CVE-2012-2829: Use-after-free in first-letter handling.
  • [$1000] [129951] High CVE-2012-2830: Wild pointer in array value setting.
  • [$1000] [130356] High CVE-2012-2831: Use-after-free in SVG reference handling.

Only one other bug received a bounty reward from Chrome, an integer overflow in the Matroska container:

  • [$1000] [132779] High CVE-2012-2834: Integer overflow in Matroska container. Credit to Jüri Aedla.

The remaining bugs that were found and fixed didn’t get any bounty. This is because either they were discovered by Google themselves or the low severity of the bug didn’t warrant a payout:

  • [118633] Low CVE-2012-2815: Leak of iframe fragment id. Credit to Elie Bursztein of Google.
  • [Windows only] [119150] [119250] High CVE-2012-2816: Prevent sandboxed processes interfering with each other. Credit to Google Chrome Security Team (Justin Schuh).
  • [120977] High CVE-2012-2819: Crash in texture handling. Credit to Ken “gets” Russell of the Chromium development community.
  • [121926] Medium CVE-2012-2820: Out-of-bounds read in SVG filter handling. Credit to Atte Kettunen of OUSPG.
  • [122925] Medium CVE-2012-2821: Autofill display problem. Credit to “simonbrown60”.
  • [various] Medium CVE-2012-2822: Misc. lower severity OOB read issues in PDF. Credit to awesome ASAN and various Googlers (Kostya Serebryany, Evgeniy Stepanov, Mateusz Jurczyk, Gynvael Coldwind).
  • [128688] Medium CVE-2012-2826: Out-of-bounds read in texture conversion. Credit to Google Chrome Security Team (Inferno).
  • [Mac only] [129826] Low CVE-2012-2827: Use-after-free in Mac UI. Credit to the Chromium development community (Dharani Govindan).
  • [129857] High CVE-2012-2828: Integer overflows in PDF. Credit to Mateusz Jurczyk of Google Security Team and Google Chrome Security Team (Chris Evans).
  • [Windows only] [130276] Low CVE-2012-2764: Unqualified load of metro DLL. Credit to Moshe Zioni of Comsec Consulting.
  • [131553] High CVE-2012-2832: Uninitialized pointer in PDF image codec. Credit to Mateusz Jurczyk of Google Security Team.
  • [132156] High CVE-2012-2833: Buffer overflow in PDF JS API. Credit to Mateusz Jurczyk of Google Security Team.

Chrome, like all major software, uses a range of external libraries which are also used by other projects. Google paid out $3500 for issues with a wider scope than just Chrome:

  • [$500] [127417] Medium CVE-2012-2825: Wild read in XSL handling. Credit to Nicolas Gregoire.
  • [64-bit Linux only] [$3000] [129930] High CVE-2012-2807: Integer overflows in libxml. Credit to Jüri Aedla.

Note that the referenced bugs are kept private until a majority of Chrome users are up to date with the fixes.

The Internet is a dangerous place says Google

(LiveHacking.Com) – To mark the five-year anniversary of the launch of its Safe Browsing initiative, Google has released some interesting facts and figures about the dangers of the Internet, the most shocking being that Google finds about 9,500 new malicious websites every day. The Internet is truly a dangerous place.

Of the 9,500 new malicious websites which Google detects daily, some are innocent websites that have been hacked to serve up malware, while others are built specifically for the purpose of distributing malware. As a result of these daily finds, Google displays over 300,000 download warnings every day via the download protection service that is built into Chrome.

Elements of the Safe Browsing service are built into Chrome, Firefox, and Safari and as a result some 600 million users are protected by this service. According to Google, approximately 12-14 million Google Search queries per day result in a web browser showing a warning advising users not to visit a currently compromised site.

Google’s service checks for two types of danger on the Internet – phishing and malware. Phishing sites are those that try to trick a user into revealing a username and password for a well-known site like eBay or PayPal. Modern phishing strategies include fast turn-around and the additional use of malware. In this context fast turn-around means sites that come and go very quickly in an attempt to avoid detection; some phishing webpages (URLs) remain online for less than an hour. Phishing sites can also use the look and feel of popular sites to trick users into installing malware by offering it as a browser extension. The number of phishing sites peaked in 2012 with over 300,000 new phishing sites found per month.

The good news on the malware front is that the number of dangerous sites found due to hacking has dropped to “just” 150,000 per month, down from over 300,000 a month in 2009. However, the number of specially created websites, designed just to deliver malware, remains high with about 10,000 sites discovered per month. This is slightly down from a high of 12,000 per month at the end of 2010.

How to stop yourself becoming a victim? Don’t ignore browser warnings. Since legitimate sites can be hacked and modified to contain malware, don’t visit a website if a browser warning is shown, no matter how well-known the website is to you.