Security – major threats revealed – August 2015

August 8th, 2015 by Stephen Jones Leave a reply »

A major vulnerability plaguing Firefox has Mozilla warning users to update the Web browser to Firefox 39.0.3 to fix the vulnerability The browser is set to automatically update by default, but users should manually check to ensure that the update has indeed gone through.
An advertisement on a news Web site in Russia was offering an exploit for the browser that searched for specific, sensitive files, before uploading those to a server that appeared to be located in the Ukraine.
The vulnerability allows hackers to violate the browser’s same origin policy and inject script into a non-privileged part of Firefox’s built-in PDF viewer. Same origin is a security practice in which a Web browser allows scripts running from one Web page to access data from a second one, if both pages are from the same origin. The bug allows an attacker to read and steal sensitive local files on the victim’s computer.
Mozilla said that since the vulnerability is specific to its PDF Viewer, versions of the browser that do not contain the PDF Viewer, such as Firefox for Android, are not at risk.
The company said that the exploit leaves no trace of itself on the local machine, making it difficult for users to know if their files had been compromised. Mozilla urged users running Firefox on Windows and Linux systems to change any passwords and keys for programs targeted by the exploit. Mac users were not vulnerable to the particular exploit found in the wild, but would be vulnerable if another hacker designed a payload targeting Macs.

Firefox users on Windows machines should change the passwords for the following files: subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients.

Linux users, meanwhile, should change passwords associated with global configuration files such as /etc/passwd, user directories including .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts

Before the dust has had a chance to settle on one major security flaw uncovered in the Android mobile operating system, a second massive vulnerability — dubbed “Certifi-gate” — has burst onto the scene.
The new vulnerability can allow attackers to “gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations, and more,” according to Check Point. The problem cannot be completely fixed with a patch.

Check Point has a scanner app that Android users can download from the Google Play Store and run to determine whether their devices are vulnerable. The Certifi-gate vulnerability allows applications to gain illegitimate privileged access rights that are normally used to support remote applications, according to Check Point. Those applications might have come pre-installed on the device, or been intentionally downloaded by the user, but currently there is no way in Android to revoke the certificates that allow those privileged permissions.

This latest flaw “affects hundreds of millions of Android devices, as most popular OEMs (original equipment manufacturers) have collaborated with these vendors. The same scale applies to the previously disclosed Stagefright vulnerability, which potentially affects 95 percent — about 950 million — of Android devices.

Google, Samsung and LG this week said they would start providing more frequent — about once a month — security updates for their Android devices. Google’s own Nexus devices are not affected, nor has the company seen any attempts to exploit the vulnerability.

Apple users have largely skirted the bugs, viruses and other malicious software that plague Microsoft Windows and Google’s Android. But this flaw in Apple’s OS X is serious enough to sound the alarm.
German security researcher Stefan Esser published details about a zero-day vulnerability in OS X without telling Apple first and hackers moved quickly to exploit the flaw. It’s an adware installer that actually modifies a file that controls who can run what commands on a machine while Thomas was testing it.

The Sudoers File

The sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.

The worse part is that Apple has reportedly known about the zero-day vulnerability for quite some time because another security researcher had disclosed it previously.
There is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.
Another Apple bug, Thunderstrike 2, which will be revealed at Black Hat security conference in Las Vegas this week, is more concerning. That’s because firmware bugs can cause lots of headaches for both regular users and advanced users and are almost always harder to eradicate than any other bug.

A massive hack infiltrated Yahoo’s ad network for at least seven days, according to Malwarebytes’ official security blog- this anti-malware security company, discovered the attack and immediately notified the search company. With more than 6.9 billion visitors to Yahoo’s Web site every month, the attack, which began on July 28, constitutes one of the farthest reaching malware attacks ever recorded.
The hackers pulled off the attack using Web sites for Microsoft Azure, a cloud computing platform and infrastructure used for building, managing, and deploying applications and services. The scam worked by redirecting users to an Angler exploit kit, off-the-shelf software containing easy-to-use packaged attacks on known and unknown vulnerabilities.

Malicious ads do not require any type of user interaction to execute their payloads. Just visiting a Web site that contains malicious advertisements can be enough to trigger an infection.
Yahoo said it took immediate action when it learned of the campaign, and would continue to investigate it in the future. Because of the large number of visitors to Yahoo sites, it is difficult to know exactly how many Internet users have been affected.

The subtlety of a malvertising attack, combined with the complexity of the Internet advertising market, make it a difficult security challenge to overcome. That might be part of the reason such attacks are increasing. The number of malvertising attacks spiked in the first half of this year, registering a 260 percent increase over the same period in 2014,

“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, director of research at RiskIQ. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on Web sites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”

“This machine-to-machine ecosystem has also created opportunities for cybercriminals to exploit display advertising to distribute malware,” according to the company. “For example, malicious code can be hidden within an ad, executables can be embedded on a Web page, or bundled within software downloads.”

Advertisement

Leave a Reply

You must be logged in to post a comment.