Archive for March 26, 2016

Android Devices on risk,warns Google

Google has issued an emergency patch for Nexus devices to fix critical kernel bug.

The officials have already uncovered one unidentified Google Play app that attempted to exploit the vulnerability, although they said they didn't consider the app to be doing so for malicious purposes.

Google can't patch all the android devices but it has judged a number of rooting apps are dangerous enough.

The unnamed rooting apps, which are available in Google Play and outside its app store, could lead to a "local permanent device.

Google has also confirmed that a publicly available rooting app could also compromise the Nexus 6.

The company has also updated the Android Verify Apps security feature to detect the rooting app. Though the company has not noticed any exploitation but it said that the user would need to install the rooting app manually for a device to be compromised.

This makes it exceedingly hard to develop applications that depend on features in the Linux kernel. This may be part of the reason Netflix supports HD on so few Android devices if it depends on kernel-level security features.Even Nexus devices don't get major updates to the kernel version. A Nexus device that shipped with 3.8.x is very likely to stay on 3.8.x, even as newer Nexus devices come with more recent versions. This is the super weird fragmentation of Android. Linux kernel versions (and thus, features and security) used in Android are completely unrelated to the version of Android on the device.

This makes it exceedingly hard to develop applications that depend on features in the Linux kernel. This may be part of the reason Netflix supports HD on so few Android devices if it depends on kernel-level security features.Note that even Nexus devices don't get major updates to the kernel version. A Nexus device that shipped with 3.8.x is very likely to stay on 3.8.x, even as newer Nexus devices come with more recent versions.ns.

Google Chrome, Adobe Flash, Apple Safari exploited on first day of Pwn2Own

On the first day of the Pwn2Own 2016 hacking contest $282,500 was awarded to the researchers for finding new security flaws in Adobe Flash, Google Chrome, and Apple Safari, which is taking place in Vancouver, Canada.

Hewlett Packard Enterprise and Trend Micro are jointly sponsoring this year's Pwn2own event.

 The 360Vulcan Team recieved $132,500 prize money for exploiting Adobe Flash and Google Chrome.

"The [Windows] kernel vulnerability was a use-after-free vulnerability," Christopher Budd,  global threat communications manager at Trend Micro, told eWEEK. "They successfully chained both of these to compromise the target at the system level."

The first exploit was Flash and Windows that earned $80,000 for the 360Vulcan team.
While the second hack was against Google Chrome that earned them $52,500.

JungHoon Lee, an Independent security researcher earned $60,000 for exploiting Apple's Safari browser. He found four vulnerabilities which includes issues in Safari as well as Apple's OS X desktop operating system.

"One of the vulnerabilities was in Safari, the other three were vulnerabilities within Mac OS X," Budd said.

Tencent Security Team Shield is the other team which won  $40,000 for an exploit against Apple Safari. They also earned $50,000 after attacking Flash with an out-of-bounds vulnerability, and for an infoleak vulnerability and a use-after-free vulnerability in the Windows Kernel to get SYSTEM access on the machine.

There is an award for reseacher who is able to execute a hypervisor escape from the VMware Workstation virtual machine on which the Windows-based browsers will be running, but unfortunately no security researchers even dared to attempt.

It's a new vector for attack, and one that can be particularly challenging," Budd said. "Given the amount of time required for adequate research, it's not surprising that no one has signed up this year. However, we do expect to see people sign up for this next year."

Samas Ransomware approaches its target differently

Microsoft researchers have warned that a new ransomware ‘Samas’ has been found leveraging pen-testing/attack tools for a more targeted approach of getting installed on compromised systems.
Saman ransomware or also known as MSIL started its malicious activities in the past quarter. It searches for potentially vulnerable networks to exploit. This is how Samas ransomware infection chain operates, but the result is the same as with other ransomware: user’s files end up encrypted.
Microsoft Malware Protection Center (MMPC) researcher, Marianne Mallen explained that a publicly-available tool called reGeorg is used for tunneling, and the actors behind this ransomware also use Java-based vulnerabilities such as direct use of unsafe Java Native Interface (JNI) with outdated JBOSS server applications.
The ransomware can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well.  All the stolen credentials are listed in a text file and used to deploy the malware and its components through a third party tool named psexec.exe through batch files that are detected as Trojan: BAT/Samas. B and Trojan: BAT/Samas. C, which lets users execute programs on remote systems.
Trojan:Bat/Samas.B also deletes the shadow files through the vssadmin.exe tool. Trojan:MSIL/Samas.A usually takes  the name of delfiletype.exe or sqlsrvtmg1.exe and looks for certain file extensions that are related to backup files in the system, it also makes sure they are not being locked up by other processes, otherwise, the trojan terminates such processes and finally it deletes the backup files.
Once all of the initial operations are performed, the ransomware starts encrypting files in the system using the AES algorithm. It also renames the encrypted files with extension encrypted.RSA and displays a ransom note to inform users what happened to their files, after which the ransomware also deletes itself from the system.
Researchers noticed that, while the ransomware initially used WordPress as its decryption service site, it then moved to Tor site in an attempt to remain anonymous.
Majority of the Samas ransomware infections were detected in North America, and there were a few instances in Europe. However, some other regions in Asia like India have also been affected by this ransomware.
To prevent this infection, Microsoft has suggested users and administrators to use Windows Defender for Windows 10 as antimalware scanner, to ensure that MAPS has been enabled, to put strong password policies, disable Office macros, and always up-to-date software.
Ransomware has emerged as one of the biggest threats because it has the ability to provide cybercriminals with potentially high gains with minimal effort.

Google doubled the Chrome Bug bounty reward

It has been six years now since Google has started  its bug bounty program and they have paid over over $6 million (over $2 million last year alone) to the security researchers. The company has announced two changes in the Chrome Reward Program, first they increased the reward for Chromebooks and second they added a new Bug bounty.

The Bug bounty programs is seen as appreciations for the individuals and groups of hackers to find out the  flaws and to disclose them to the company instead of selling them to someone else who can exploit the flaw.

According to the company’s security team they have not received any single successful submission in compromise of a Chromebook in guest mode which has reward of a $50,000.

Now, Google has doubled the bounty for the top Chrome reward, to $100,000. “That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool,” Google declared.

The qualifying reward rules are as follows:

•  Safe Browsing must be enabled on Chrome and have an up-to-date database (this may take up to a few hours after a new Chrome install).
•  Safe Browsing servers must be reachable on the network.
•  Binary must land in a location a user is likely to execute it (e.g. Downloads folder).
•   The user can’t be asked to change the file extension or recover it from the blocked download list.
•   Any gestures required must be likely and reasonable for most users. As a guide, execution with more than three reasonable user gestures (eg: click to download, open .zip, launch .exe) is unlikely to qualify, but it’ll be judged on a case-by-case basis. The user can’t be expected to bypass warnings.
•   The download should not send a Download Protection Ping back to Safe Browsing. Download Protection Pings can be measured by checking increments to counters at chrome://histograms/SBClientDownload.CheckDownloadStats. If a counter increments, a check was successfully sent (with exception to counter #7, which counts checks that were not sent).

•  The binary’s hosting domain and any signature cannot be on a whitelist. You can measure this by checking chrome://histograms/SBClientDownload.SignedOrWhitelistedDownload does not increment.

VMware patches XSS flaws in vRealize

VMware's Linux version of two vRealize products received the first maintenance release for version 7 and also became the subject of a security alert on Tuesday (March 16).

If exploited, the products could lead to the compromise of a user’s client workstation.

The issue in the Automation version was dug up by independent researcher, Lukasz Plonka while the issue in the Business and Enterprise version was discovered by Alvaro Trigo Martin de Vidales, a senior IT security consultant with Deloitte Spain in vRealize Business, a product designed to automate the core financial processes needed to plan and optimize the cost and value of IT in an organization.

The bugs, stored cross-site scripting (XSS) vulnerabilities and rated important, exist in the company’s vRealize Automation and vRealize Business Advanced and Enterprise platforms.

The vulnerability has been patched with the release of VMware vRealize Automation 6.2.4. vRealize Automation 7.x for Linux and vRealize Automation 5.x for Windows are not affected.

The new bits include a management agent to automate the installation of Windows components and to collect logs, and an installation Wizard that automates a Minimal or Enterprise installation.

Though the fix has been generated but there are many things in the new version which can be problem posers. For example, Virtual machine is deleted during reprovisioning when a datastore is moved from one SDRS cluster to another and after upgrading to vRealize Automation 7.0, duplicate catalog items for the same business group appear in the catalog. But nevertheless, the fix will at least fix on compromising the workstations of clients.

It’s the third issue that VMware has patched its products this year. The updates follow a set of patches the company released to address last month’s critical glibc vulnerability and a series of updates it pushed in January to address a privilege escalation bug in ESXi, Fusion, Player, and Workstation.

The company was forced to reissue a patch in February, from last October that it issued which failed to address serious remote code execution vulnerability in vCenter which let remote attackers connect to the vCenter Server and run code. While Windows Firewall mitigated the issue, officials with VMware still encouraged users to reapply the tweaked patch.