April 25, 2014

Google pays out $10,000 in rewards for latest release of Chrome

Google has released a new stable version of its popular web browser Chrome, and in the process it has paid out $10,000 to security researchers who helped find security flaws in the software. Google pays rewards to independent security researchers who dig into Chromium (the open-source project behind Chrome) and attempt to find security vulnerabilities. These vulnerabilities are often memory-safety issues, such as use-after-free errors or other memory corruption, that an attacker could exploit to execute arbitrary code on the machine running the browser.

The latest release includes 14 security fixes, two of which received rewards from Google. The rewards are as follows:

  • [$1000] High CVE-2013-6649: Use-after-free in SVG images. Credit to Atte Kettunen of OUSPG.
  • [$3000] High CVE-2013-6650: Memory corruption in V8. This issue was fixed in V8 version 3.22.24.16. Credit to Christian Holler.

However the reward payouts didn’t stop there. As part of the release announcement for Google Chrome 32.0.1700.102 the search giant also thanked cloudfuzzer and miaubiz for helping out during the latest development cycle to prevent security bugs from entering a stable release. For their efforts Google paid out an additional $6000, making the total payout $10,000 for this release.

“We would also like to thank cloudfuzzer and miaubiz for working with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Karen Grunberg and Daniel Xie on the Chrome release blog.

Google also fixed a number of non-security bugs, including problems where Chrome became unresponsive and broken scrolling in combo boxes.

Chrome can be downloaded from http://google.com/chrome and is available for Windows, Mac and Linux.

Microsoft and Adobe release patches to fix critical vulnerabilities

(LiveHacking.Com) – For March’s Patch Tuesday Microsoft has released seven bulletins, four Critical-class and three Important-class. The bulletins address 20 vulnerabilities in total across several Microsoft products including Windows, Office, Internet Explorer, Server Tools, and Silverlight. Likewise Adobe has released a security update for its popular Flash Player to address vulnerabilities that could potentially allow a hacker to take control of a vulnerable system.

Microsoft

Among the fixes is a patch for an issue in the Windows kernel-mode drivers where an attacker could gain administrator-level privileges by inserting a malicious USB flash drive into a Windows machine. Since the attack works even when no user is logged on, anyone with casual physical access to the machine, such as a security guard, office cleaner or anyone else with access to the office space, could simply plug a USB flash drive into a PC and perform any action as an administrator. In total MS13-027 resolves three privately reported vulnerabilities by correcting the way Windows kernel-mode USB drivers handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode.

Nine issues have also been fixed in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using IE; upon successful exploitation an attacker could gain the same user rights as the current user. All but one of these issues were privately reported to Microsoft, and there are no reports of these vulnerabilities being exploited in the wild.

Microsoft Silverlight has also been patched to fix a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Adobe

Adobe has released a security update for Adobe Flash Player for Windows, OS X, Linux and Android. The update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Versions

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

The update addresses four known vulnerabilities: an integer overflow vulnerability that could lead to code execution (CVE-2013-0646), a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650), a memory corruption vulnerability that could lead to code execution (CVE-2013-1371), and a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

Because Chrome bundles its own copy of Flash Player, Google has also released a new version of Chrome as a result of the update.

 

Google fixes three High risk security bugs in Chrome 24.0.1312.56

(LiveHacking.Com) – Google has released Chrome 24.0.1312.56 with several important bug fixes along with five security-related changes to patch vulnerabilities in the browser. Among the bug fixes are changes to improve mouse wheel scrolling performance and improvements to the installation process when the browser is installed as admin on Windows.

On the security side, Google paid out a $1000 reward to Atte Kettunen of OUSPG for finding a High severity use-after-free bug in canvas font handling. Google considers a vulnerability High severity if it could let an attacker read or modify confidential data belonging to other web sites; vulnerabilities that interfere with browser security features are also rated High.

There were a further two High severity vulnerabilities fixed, both of which were found by employees of Google. The first was an unchecked array index in content blocking that was discovered by Chris Evans. The second was a crash that occurred with an unsupported RTC sampling rate. This Mac only vulnerability was found by Ted Nakamura.

 

In Brief: Google releases Chrome 23.0.1271.95 and gives Pinkie Pie $7331

(LiveHacking.Com) – Google has released a new version of its Chrome browser (23.0.1271.95) just three days after releasing the previous version. This new update is a purely security-related release and it fixes two High-rated security vulnerabilities.

In Google’s rating scheme, High means that the vulnerability could let an attacker read or modify confidential data belonging to other web sites; vulnerabilities that interfere with browser security features are also rated High.

The first vulnerability fixed, found by Jüri Aedla of the Google Chrome Security Team, was a bug in file path handling. The second, found by Pinkie Pie, was a use-after-free in media source handling. Pinkie Pie’s bug earned the researcher $7331.

Chrome 23.0.1271.91 fixes some High risk security vulnerabilities but nothing Critical

(LiveHacking.Com) – Google has released Chrome 23.0.1271.91 for Windows, Mac and Linux. The release fixes several bugs, including an audio problem with Flash when the speaker configuration was set to Quadraphonic. More importantly, it fixes several High risk security vulnerabilities, but nothing ranked as Critical.

This release fixes three vulnerabilities with the High rating. High in this context means that the vulnerability could let an attacker read or modify confidential data belonging to other web sites; vulnerabilities that interfere with browser security features are also rated High.

Under the Chromium security rewards scheme, Justin Drake was given a special reward for finding a bug in OS X that was sufficiently severe, or particularly hard to work around, that it affects Chrome indirectly. In this case the High severity vulnerability was connected with corrupt rendering in the Apple OS X driver for Intel GPUs.

Miaubiz was also hard at work and is credited with finding a High risk use-after-free bug in SVG filters. Use-after-free bugs are good candidates for a full exploit, because the freed memory can be reallocated and filled with attacker-controlled data before the stale pointer is used. The other High rated vulnerability was a buffer underflow in libxml; credit for finding that one goes to Jüri Aedla of the Google Chrome Security Team.
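Why a use-after-free is more than a crash, as an added example that is not Chrome code and not part of the LiveHacking.Com posts: the opening article above describes these bugs as memory issues an attacker can turn into arbitrary code execution, and this post calls them good candidates for a full exploit. The block models a browser-style object holding a function pointer on a toy slot allocator, so the outcome is deterministic rather than undefined: the allocator, the `Widget` type, `toy_alloc`, `toy_free` and the two handler functions are all invented for the illustration. After the object is freed, an attacker-controlled allocation of the same size reuses the slot and the stale call runs attacker-chosen code; the hardened variant makes ownership explicit, scrubs the object and clears the only reference on destroy.

```c
#include <stdio.h>
#include <string.h>

/* Toy heap: fixed-size slots handed out from a LIFO free list. Real allocators
 * behave like this within a size class, which is what makes the bug exploitable:
 * free a slot, allocate the same size, and you get that very slot back.
 * (Invented for this example; not Chrome's allocator.) */
#define NSLOTS 4

typedef struct {
    void (*on_event)(int *sink);   /* the "virtual call" a renderer object might make */
    int state;
} Widget;

/* Each slot can be viewed as a Widget or as raw bytes (union keeps this well defined). */
typedef union {
    Widget w;
    unsigned char raw[sizeof(Widget)];
} Slot;

static Slot arena[NSLOTS];
static int free_stack[NSLOTS];
static int free_top;

static void heap_init(void) {
    memset(arena, 0, sizeof arena);
    free_top = -1;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[++free_top] = i;
}

static void *toy_alloc(void) {
    return free_top < 0 ? NULL : (void *)&arena[free_stack[free_top--]];
}

static void toy_free(void *p) {
    free_stack[++free_top] = (int)((Slot *)p - arena);
}

static void benign_handler(int *sink)   { *sink = 1; }
/* Stands in for whatever address an attacker would redirect control flow to. */
static void attacker_handler(int *sink) { *sink = 0x41414141; }

/* VULNERABLE: the widget is freed, but the caller still holds the pointer.
 * An attacker-controlled allocation of the same size (say, a string from a web
 * page) lands in the freed slot and overwrites the function pointer; the stale
 * call then jumps wherever the attacker chose. Returns what the call wrote. */
static int vulnerable_flow(void) {
    int sink = 0;
    heap_init();

    Widget *w = toy_alloc();
    w->on_event = benign_handler;
    w->state = 7;

    toy_free(w);                                  /* object destroyed, pointer kept */

    unsigned char *attacker_buf = toy_alloc();    /* the same slot comes back */
    void (*target)(int *) = attacker_handler;
    memcpy(attacker_buf, &target, sizeof target); /* attacker-chosen bytes over the fn pointer */

    w->on_event(&sink);                           /* use after free: attacker controls the call */
    return sink;
}

/* HARDENED: ownership is explicit. Destroying the widget scrubs its memory
 * (a stale read before reuse sees zeros, not live data) and clears the
 * caller's reference (a stale use fails a NULL check instead of calling
 * through attacker data). hardened_flow returns -1 when the stale use is rejected. */
static void widget_destroy(Widget **pw) {
    if (*pw == NULL) return;
    memset(*pw, 0, sizeof **pw);
    toy_free(*pw);
    *pw = NULL;
}

static int hardened_flow(void) {
    int sink = 0;
    heap_init();

    Widget *w = toy_alloc();
    w->on_event = benign_handler;
    w->state = 7;

    widget_destroy(&w);                           /* the only reference is now NULL */

    unsigned char *attacker_buf = toy_alloc();    /* attacker still gets the slot ... */
    void (*target)(int *) = attacker_handler;
    memcpy(attacker_buf, &target, sizeof target); /* ... but nothing treats it as a Widget */

    if (w == NULL) return -1;                     /* stale use caught, not executed */
    w->on_event(&sink);
    return sink;
}

int main(void) {
    printf("vulnerable: handler wrote 0x%x\n", (unsigned)vulnerable_flow());
    printf("hardened:   status %d\n", hardened_flow());
    return 0;
}
```

Build with `cc -std=c11 uaf.c -o uaf && ./uaf`. On a real heap the slot reuse is less predictable and the attacker also has to defeat ASLR and the renderer sandbox, which is why these bugs are rated High rather than Critical on their own and why Google, as the post notes, keeps bug details private until most users have the fix.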

The full list of bugs is as follows:

  • [$1000] [152746] High CVE-2012-5131: Corrupt rendering in the Apple OSX driver for Intel GPUs. Credit to Justin Drake.
  • [$1000] [156567] High CVE-2012-5133: Use-after-free in SVG filters. Credit to miaubiz.
  • [$500] [148638] Medium CVE-2012-5130: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
  • [155711] Low CVE-2012-5132: Browser crash with chunked encoding. Credit to Attila Szász.
  • [158249] High CVE-2012-5134: Buffer underflow in libxml. Credit to Google Chrome Security Team (Jüri Aedla).
  • [159165] Medium CVE-2012-5135: Use-after-free with printing. Credit to Fermin Serna of Google Security Team.
  • [159829] Medium CVE-2012-5136: Bad cast in input element handling. Credit to Google Chrome Security Team (Inferno).

It is worth noting that Google keeps the referenced bugs private until a majority of Chrome users are up to date with the fixes.

Adobe has released a security update for Adobe Flash Player

(LiveHacking.Com) – Adobe has released a security update for Adobe Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware.

The update applies to Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x.

The update addresses six different memory issues and a security bypass vulnerability:

  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5280).
  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-5279).
  • Security bypass vulnerability that could lead to code execution (CVE-2012-5278).

If you need to check the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. For those with multiple browsers installed you should perform the check for each browser. Android users should tap on Settings > Applications > Manage Applications > Adobe Flash Player x.x.

The built-in version of Flash Player has also been updated in Internet Explorer 10 and Chrome.

Adobe releases surprise update for Flash

(LiveHacking.Com) – Just one week after releasing a security update for its Flash Player, Adobe has now released a second security update and, unlike last week’s update, this one also covers Android. The update brings the Flash Player version number for Windows, Macintosh and Linux to 11.4.402.265, and users of Adobe Flash Player 11.1.115.11 and earlier on Android 4.x devices can now upgrade to 11.1.115.17. The updates fix multiple vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

There are six critical bug fixes in this release. This means that, if exploited, these bugs would allow malicious native code to execute, potentially without the user being aware. The first four bugs are memory corruption vulnerabilities that could lead to code execution, the fifth is an integer overflow vulnerability and the last is a cross-domain information leak vulnerability.

The update has taken many IT managers and security experts by surprise. Adobe (in recent times) releases security updates for its products on the second Tuesday of the month. However it has also remained committed to being flexible when faced with a zero-day attack. Since this new release could be considered out-of-band (as last week’s update also covered Shockwave Player and Acrobat Reader), does Adobe know something about a zero-day attack which hasn’t yet been published? Or was last week’s update the out-of-band release, as the CVE-2012-1535 vulnerability was being exploited in the wild (via a malicious Word document), and this release is the normal monthly security update?

As a result of the updates Google has released a new version of the Chrome web browser.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux operating systems
  • Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
  • Adobe AIR 3.3.0.3650 and earlier versions for Android

Google Hands Out $4500 in Rewards for Chrome 17.0.963.83

(LiveHacking.Com) – Google has released Chrome 17.0.963.83 to fix several ‘High’ level security bugs. In doing so it handed out $4500 to security researchers who found and reported security-related bugs in Google’s web browser. The new update also includes the start of hardening measures based on a study of the exploits submitted to the Pwnium competition.

Security fixes and rewards:

  • [$1000] [113902] High CVE-2011-3050: Use-after-free with first-letter handling. Credit to miaubiz.
  • [116162] High CVE-2011-3045: libpng integer issue from upstream. Credit to Glenn Randers-Pehrson of the libpng project.
  • [$1000] [116461] High CVE-2011-3051: Use-after-free in CSS cross-fade handling. Credit to Arthur Gerkis.
  • [116637] High CVE-2011-3052: Memory corruption in WebGL canvas handling. Credit to Ben Vanik of Google.
  • [$1000] [116746] High CVE-2011-3053: Use-after-free in block splitting. Credit to miaubiz.
  • [117418] Low CVE-2011-3054: Apply additional isolations to webui privileges. Credit to Sergey Glazunov.
  • [117736] Low CVE-2011-3055: Prompt in the browser native UI for unpacked extension installation. Credit to PinkiePie.
  • [$2000] [117550] High CVE-2011-3056: Cross-origin violation with “magic iframe”. Credit to Sergey Glazunov.
  • [$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.

Google also listed a low severity issue that was fixed in a previous patch but the company had forgotten to issue a proper credit:

  • [108648] Low CVE-2011-3049: Extension web request API can interfere with system requests. Credit to Michael Gundlach.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.

 

Google Sponsored Report Says Chrome is the Safest Browser

(LiveHacking.Com) – Accuvant has published a report, commissioned by Google, called “Browser Security Comparison: A Quantitative Approach” which evaluates the security of Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. The report finds that Google Chrome is currently the browser that is most secured against attacks.

“Anybody who surfs the internet is familiar with malware, spyware and viruses. These malicious programs can lead to system pop-ups, slowdowns, account takeovers, and theft of credit card data, social security numbers and other personally identifiable information. While antivirus and anti-malware can help prevent infection, the first line of defense is using a secure web browser,” said Ryan Smith, chief scientist for Accuvant. “Accuvant is dedicated to providing essential services, like this in-depth, proactive research, that help protect vendors, companies, government agencies, and the public-at-large against those with malicious intent.”

Although the report was commissioned by Google, Accuvant says its analysis is independent and based on the premise that all software of sufficient complexity has vulnerabilities. As such the web browser with the best anti-exploitation techniques is the most resistant to attack.

“Our researchers used a completely different and more extensive methodology than previous, similar studies,” said Chris Valasek, Accuvant LABS senior research scientist. “We compared web browsers from a layered perspective, taking into account security architecture and anti-exploitation techniques. Like antivirus or anti-malware software, each provides an additional layer of defense. This methodology requires a greater depth of technical expertise than statistical analysis of vulnerabilities, and also provides a more accurate window into the security of each browser.”

The Conclusion

The report’s executive conclusion reads: “the URL blacklisting services offered by all three browsers will stop fewer attacks than will go undetected. Both Google Chrome and Microsoft Internet Explorer implement state-of-the-art anti-exploitation technologies, but Mozilla Firefox lags behind without JIT hardening. While both Google Chrome and Microsoft Internet Explorer implement the same set of anti-exploitation technologies, Google Chrome’s plug-in security and sandboxing architectures are implemented in a more thorough and comprehensive manner. Therefore, we believe Google Chrome is the browser that is most secured against attack.”