September 19, 2014

Google Safe Browsing to be expanded to detect even more suspicious downloads

Chrome-logo-2011-03-16(LiveHacking.Com) – One of the important security features that Google provides for users of its Chrome browser, as well as users of other software that call the related APIs, is its Safe Browsing service. Since Google are constantly trawling the Internet for its search engine, the company also looks at the pages it reads and checks to see if the website is serving malware or running any kind of suspicious JavaScript that can cause harm to a PC. If a user visits one of these sites and starts a download (either manually or via some malicious script) then Chrome will warn the user that the download is potentially harmful.

According to a recent blog post, Google is currently showing over three million download warnings per week! In total Chrome, along with the other browsers which use this service, are protecting over 1.1 billion people from mistakenly downloading malware on their computers.

Google has now announced that it will be expanding the Safe Browsing service to include protection against other kinds of deceptive software including programs disguised as helpful downloads that actually make unexpected and unwanted changes to your computer. As an example, Google cites applications which switch your homepage or default search engine to ones you don’t want.

“You should be able to use the web safely, without fear that malware could take control of your computer, or that you could be tricked into giving up personal information in a phishing scam,” wrote Moheeb Abu Rajab, Staff Engineer, Google Security.

When a users attempts to download these malicious software installers, Chrome will display a warning and halt the download. For those users who insist on downloading the package, it can still be accessed from the Downloads list.

It is always important to be watchful when downloading software from the Internet. Make sure you trust the source of the download and make sure your malware protection is current. Google has published a set of tips to help you stay safe on the web.

Microsoft, Adobe and Google release security patches for Critical vulnerabilities

binarycodeMicrosoft, Adobe and Google have released patches for their products to fix Critical security vulnerabilities. Microsoft released eight security bulletins – two rated Critical and six rated Important – to address 13 different vulnerabilities in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. Adobe released security updates to address multiple vulnerabilities in Reader, Acrobat, Flash Player, and Illustrator. For both companies, some of the vulnerabilities could allow hackers to run arbitrary code and take control of the affected system. Google also updated its Chrome web browser with the new version of Adobe Flash, but it also took the opportunity to patch some vulnerabilities in the internals of its browser.

Microsoft

Listed among Microsoft’s updates is a patch for IE which fixes the zero-day vulnerability that attackers were using against the browser at the end of April. Microsoft released this particular patch on May 1 2014 and the patch also applied to Windows XP. However the same can’t be said of the rest of Microsoft’s updates. XP is now officially dead, from a support point of view anyway.

May’s patches also include another update for IE. This time to fix two privately reported vulnerabilities in the browser. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. IE 6 to IE 11 are all affected.

Microsoft are also recommending that system administrators ensure that their systems are updated with  MS14-024 and MS14-025. The former fixes a vulnerability in the MSCOMCTL common controls library that could allow a security feature bypass if a user views a specially crafted webpage with a web browser capable of instantiating COM components, such as Internet Explorer. The latter patches a vulnerability in Windows that could allow elevation of privilege if the Active Directory Group Policy preferences are used to distribute passwords across the domain. The update removes the ability to configure and distribute passwords that use certain Group Policy preference extensions because such actions could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.

Adobe

Adobe’s updates cover three main product groups: Adobe Reader and AcrobatAdobe Flash Player and Adobe Illustrator (CS6). The affected versions are as follows:

  • Adobe Reader XI 11.0.07 for Windows and Macintosh
  • Adobe Reader X 10.1.10 for Windows and Macintosh
  • Adobe Acrobat XI (11.0.07) for Windows and Macintosh
  • Adobe Acrobat X (10.1.10) for Windows and Macintosh
  • Adobe Flash Player 13.0.0.214 for Windows, Macintosh, and Linux
  • Adobe Flash Player 11.2.202.359 for Linux
  • Adobe AIR SDK and Compiler 13.0.0.111 for Windows and Macintosh
  • Adobe Illustrator (subscription) 16.2.2 for Windows and Macintosh
  • Adobe Illustrator (non-subscription) 16.0.5 for Windows and Macintosh

The patch for Adobe Illustrator (CS6) for Windows and Macintosh fixes a “vulnerability that could be exploited to gain remote code execution on the affected system”, while the updates for Adobe Flash Player “address vulnerabilities that could potentially allow an attacker to take control of the affected system.” All the updates are rated as Critical including the third set which patch Adobe Reader and Acrobat XI to “address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

Google

With the release of a new version of Adobe Flash, Google released Chrome 34.0.1847.137 for Windows, Mac and Linux to include Flash Player 13.0.0.214. However the search giant also took the opportunity to fix three security problems. The non-Google researchers who contributed to finding the vulnerabilities where rewarded $4500 between them for their efforts:

  • [$2000][358038] High CVE-2014-1740: Use-after-free in WebSockets. Credit to Collin Payne.
  • [$1500][349898] High CVE-2014-1741: Integer overflow in DOM ranges. Credit to John Butler.
  • [$1000][356690] High CVE-2014-1742: Use-after-free in editing. Credit to cloudfuzzer.

Google pays out $10,000 in rewards for latest release of Chrome

Chrome-logo-2011-03-16Google has released a new stable version of its popular web browser Chrome, in the process it has paid out $10,000 to security researchers who helped find security flaws in the software. Google pays rewards to independent security researchers who dig into Chromium (the open source version of Chrome) and attempt to find security vulnerabilities. These vulnerabilities are often memory issues like use-after-free errors or memory corruptions that could be exploited by hackers to execute arbitrary code on the machine running the browser.

The latest release includes 14 security fixes, two of which received rewards from Google. The rewards are as follows:

  • [$1000]High CVE-2013-6649: Use-after-free in SVG images. Credit to Atte Kettunen of OUSPG.
  • [$3000]High CVE-2013-6650: Memory corruption in V8. This issue was fixed in v8 version 3.22.24.16. Credit to Christian Holler.

However the reward payouts didn’t stop there. As part of the release announcement for Google Chrome 32.0.1700.102 the search giant also thanked  cloudfuzzer and miaubiz for helping out during the latest development cycle to prevent security bugs from entering into a stable release. For their efforts Google paid out an additional $6000, making the total pay out $10,000 for this release.

“We would also like to thank cloudfuzzer and miaubiz for working with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Karen Grunberg and Daniel Xie on the Chrome release blog.

Google also fixed a number of non-security related bugs including problems where Chrome became unresponive and broken scrolling on in combo boxes.

Chrome can be downloaded from http://google.com/chrome and is available for Windows, Mac and Linux.

Google expands its patch reward program

google logoIn early October Google launched its patch reward program that awards members of the open source community for making security improvements to open source projects. The program was designed to more than just a open source bug hunting exhibition but rather a way to provide financial incentives for proactive security enhancements that go beyond fixing a known security vulnerability.

The project started out quite small in scope with Google only considering patches for projects like OpenSSH, BIND, ISC DHCP, libjpeg, libjpeg-turbo, libpng, giflib and OpenSSL. To qualify patches need to be submitted to the maintainers of the individual projects and then Google need to be notified about the improvements. If Google considers the submission has a positive impact on security then the coder qualifies for a reward ranging from $500 to $3,133.7.

Now after almost six weeks of running the initial program Google has announced that it is ready to expand the program to include more open source projects including Android. The full list of new projects now eligible for rewards are:

  • All the open-source components of Android: Android Open Source Project
  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
  • Virtual private networking: OpenVPN
  • Network time: University of Delaware NTPD
  • Additional core libraries: Mozilla NSS, libxml2
  • Toolchain security improvements for GCC, binutils, and llvm

The inclusion of Android is interesting as it shows that Google is keen to continue making security improvements to its very popular mobile operating system. Recently Google has added SELinux and nosuid protection to Android as well as creating a free built-in service called Verify Apps. Available for all versions of Android from 2.3 onwards, Verify Apps behaves very much like an antivirus scanner and blocks the installation of malicious software, regardless of the source.

In the past Android has been seen as less secure than Apple’s iOS primarily because Android allows users to install apps from anywhere not just from Google’s Play Store. Since Apple maintains a walled garden and only allows apps into its store after rigorous testing it means that malware scares have been less prominent on iOS. Vendors of Android security software suites seem to constantly write sensational headlines about how many new variants of Android malware are being created each month. Although technically they are right, users who stick to Google’s Play Store shouldn’t be in any danger.

Google fixes three High risk security bugs in Chrome 24.0.1312.56

Chrome-logo-2011-03-16(LiveHacking.Com) – Google has released Chrome 24.0.1312.56 with several important bug fixes along with five security related changes to patch vulnerabilities in the browser. Among the bug fixes are changes to improve mouse wheel scrolling performance and improvements to the installation process when the browser is installed as admin on Windows.

On the security side, Google paid out a $1000 reward to Atte Kettunen of OUSPG for finding a High priority use-after-free bug in the canvas font handling. Google considers a vulnerability High risk if it could could let an attacker read or modify confidential data belonging to other web sites. Also vulnerabilities that interfere with browser security features are also considered to have a high severity.

There were a further two High severity vulnerabilities fixed, both of which were found by employees of Google. The first was an unchecked array index in content blocking that was discovered by Chris Evans. The second was a crash that occurred with an unsupported RTC sampling rate. This Mac only vulnerability was found by Ted Nakamura.

 

Chrome 24 released with new version of Flash and a $4000 bug fix

Chrome-logo-2011-03-16(LiveHacking.Com) –  Google has released Chrome 24  with support for MathML, a new version of Adobe Flash Player, fixes for various security issues in V8 (v8-3.14.5.3) and $6000 worth of High priority security fixes.

First, Adobe released a new version of Adobe Flash Player this week and Microsoft subsequently updated IE 10 to upgrade its built-in Flash Player. Google normally do the same thing and as expected Chrome 24 contains the latest Flash Player with the security fixes issued by Adobe.

Also, Google fixed some High priority security bugs. It paid security researchers over $6000 for their effort. Erling A Ellingsen and Subodh Iyengar, both of Facebook, got to share $4000 between them for a same origin policy bypass when using a malformed URL bug. The full list of rewards is:

  • [$1000] [162494] High CVE-2012-5145: Use-after-free in SVG layout. Credit to Atte Kettunen of OUSPG.
  • [$4000] [165622] High CVE-2012-5146: Same origin policy bypass with malformed URL. Credit to Erling A Ellingsen and Subodh Iyengar, both of Facebook.
  • [$1000] [165864] High CVE-2012-5147: Use-after-free in DOM handling. Credit to José A. Vázquez.

Google also fixed a number of other security related bugs which were found by Google’s Chrome Security Team:

  • [167122] Medium CVE-2012-5148: Missing filename sanitization in hyphenation support. Credit to Google Chrome Security Team (Justin Schuh).
  • [166795] High CVE-2012-5149: Integer overflow in audio IPC handling. Credit to Google Chrome Security Team (Chris Evans).
  • [165601] High CVE-2012-5150: Use-after-free when seeking video. Credit to Google Chrome Security Team (Inferno).
  • [165538] High CVE-2012-5151: Integer overflow in PDF JavaScript. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [165430] Medium CVE-2012-5152: Out-of-bounds read when seeking video. Credit to Google Chrome Security Team (Inferno).
  • [164565] High CVE-2012-5153: Out-of-bounds stack access in v8. Credit to Andreas Rossberg of the Chromium development community.
  • [Windows only] [164490] Low CVE-2012-5154: Integer overflow in shared memory allocation. Credit to Google Chrome Security Team (Chris Evans).
  • [Mac only] [163208] Medium CVE-2012-5155: Missing Mac sandbox for worker processes. Credit to Google Chrome Security Team (Julien Tinnes).
  • [162778] High CVE-2012-5156: Use-after-free in PDF fields. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162776] [162156] Medium CVE-2012-5157: Out-of-bounds reads in PDF image handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162153] High CVE-2013-0828: Bad cast in PDF root handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162114] High CVE-2013-0829: Corruption of database metadata leading to incorrect file access. Credit to Google Chrome Security Team (Jüri Aedla).
  • [Windows only] [162066] Low CVE-2013-0830: Missing NUL termination in IPC. Credit to Google Chrome Security Team (Justin Schuh).
  • [161836] Low CVE-2013-0831: Possible path traversal from extension process. Credit to Google Chrome Security Team (Tom Sepez).
  • [160380] Medium CVE-2013-0832: Use-after-free with printing. Credit to Google Chrome Security Team (Cris Neckar).
  • [154485] Medium CVE-2013-0833: Out-of-bounds read with printing. Credit to Google Chrome Security Team (Cris Neckar).
  • [154283] Medium CVE-2013-0834: Out-of-bounds read with glyph handling. Credit to Google Chrome Security Team (Cris Neckar).
  • [152921] Low CVE-2013-0835: Browser crash with geolocation. Credit to Arthur Gerkis.
  • [150545] High CVE-2013-0836: Crash in v8 garbage collection. Credit to Google Chrome Security Team (Cris Neckar).
  • [145363] Medium CVE-2013-0837: Crash in extension tab handling. Credit to Tom Nielsen.
  • [Linux only] [143859] Low CVE-2013-0838: Tighten permissions on shared memory segments. Credit to Google Chrome Security Team (Chris Palmer).

 

In Brief: Microsoft, Google and Mozilla all block digital certificate issued by intermediate certificate authority of TURKTRUST

turktrust_logo(LiveHacking.Com) –  Microsoft, Google and Mozilla have all removed the trust of certificates issued by an intermediate certificate authority (CA) linking back to TURKTRUST Inc. What has happened is that TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org), the first of which was used to issue a fraudulent digital certificate for *.google.com.

Intermediate CA certificates carry the same authority as CA, so anyone who has one can use it to create a certificate for any website. Fraudulent certificate can be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

“TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” wrote Google.

Google is also considering an update to Chrome which will no longer indicate Extended Validation status for certificates issued by TURKTRUST. Mozilla has suspended the TURKTRUST root certificate. TURKTRUST subsequently asked Mozilla to include a newer root certificate and their request was initially approved. However, due to the mis-issued  intermediate CA certificates, Mozilla has decided to suspend inclusion of the new root certificate for now.

Ex-black hat hacker claims to have full backup for one of Yahoo’s domains

(LiveHacking.Com) –  A reformed black hat hacker, who now works as an ethical security researcher and penetration tester, has found zero-day vulnerabilities in several online services including some provided by Adobe, Microsoft, Yahoo, Google, Apple and Facebook. Since the tester, who goes by the name Virus_HimA, ceased black hat activities he started reporting the vulnerabilities to the vendors instead. According to his post on Pastebin, companies like Google reacted quickly to the reported flaws, but others like Adobe and Yahoo moved very slowly and in some cases didn’t even bother to reply to the disclosure emails they were sent.

As a result Virus_HimA has declared his intention to “teach both of them a hard lesson to harden their security procedures.” This is the better of two evils acording to the ex-hacker. “It would make a disaster if such companies vulnerabilities was privately used in the underground and they never know about it! not only their customers been affected but the vendors themselves also suffer from such exploits,” he wrote.

As part of his penetration activities, Virus_HimA claims to have access to:

  • Full files backup for one of Yahoo domains
  • Full access to 12 of Yahoo Databases
  • Knowledge of a reflected-XSS (Cross Site Scripting) vulnerability

The researcher has promised never to use, share, sell or publish any of the Adobe or Yahoo data and exploits anywhere, but rather is keen to establish his reputation. To this end when he released a small sample of data from Adobe, he specially chose to publish critical email addresses including those with a .mil  ending. This got Adobe’s attention which quickly started investigating the case, shut-down the vulnerable web site and emailed him asking for vulnerability details. Apparently Adobe are now working on a patch.

Analysis

This isn’t the first time a frustrated researcher has resorted to public exposure to get a large online business to move quicker with regards to security issues. Back in November PayPal were embroiled in a dispute with a security researcher who reported errors under PayPal’s security bounty scheme. A few weeks later Skype had to move quickly to fix an account hijacking flaw after it was posted online. The problem was that Skype had been made aware of the flaw some three months before hand.

The ethicality of such public exposure is questionable, however until some of the big online companies start to take these private disclosures more seriously they will continue to happen.

Google updates Chrome to fix a Critical vulnerability and update Flash

(LiveHacking.Com) –  Google has released a new version of Chrome for Windows, Mac and Linux. Chrome 23.0.1271.97 fixes several non-security related bugs along with at least one Critical level security vulnerability. The new version also includes an updated version of Flash following Adobe’s security update.

The Critical level bug is a crash in the history navigation. It was found by Michal Zalewski of the Google Security Team. The other security related bugs, along with the money awarded to the bounty hunter by Google under the Chromium security rewards scheme, are:

  • [$1500] [158204] High CVE-2012-5139: Use-after-free with visibility events. Credit to Chamal de Silva.
  • [$1000] [159429] High CVE-2012-5140: Use-after-free in URL loader. Credit to Chamal de Silva.
  • [160456] Medium CVE-2012-5141: Limit Chromoting client plug-in instantiation. Credit to Google Chrome Security Team (Jüri Aedla).
  • [160926] Medium CVE-2012-5143: Integer overflow in PPAPI image buffers. Credit to Google Chrome Security Team (Cris Neckar).
  • [$2000] [161639] High CVE-2012-5144: Stack corruption in AAC decoding. Credit to pawlkt.

The new version also fixes the following non-security related bugs

  • Some texts in a Website Settings popup are trimmed (Issue: 159156)
  • Linux: <input> selection renders white text on white bg in apps (Issue: 158422)
  • some plugins stopped working (Issue: 159896)
  • Windows 8: Unable to launch system level chrome after self destructing user-level chrome (Issue: 158632)

In Brief: Google releases Chrome 23.0.1271.95 and gives Pinkie Pie $7331

(LiveHacking.Com) –  Google has released a new version of its Chrome browser (23.0.1271.95) just three days after releasing the previous version. This new update is a purely security related release and it fixes two high rated security vulnerabilities.

In Google speak, High means that the vulnerability could let an attacker read or modify confidential data belonging to other web sites. Also vulnerabilities that interfere with browser security features are also high severity.

The first vulnerability fixed, found by Jüri Aedla of the Google Chrome Security Team, was a bug in file path handling. The second, found by Pinkie Pie, was a use-after-free in media source handling. Pinkie Pie’s bug earned the researcher $7331.