Stymied by browsers, attackers embed Flash 0-day inside MS Office document

(credit: Qihoo 360)

As browser makers make it increasingly hard to exploit vulnerabilities in Adobe Flash and other plugins, hackers targeting diplomats in the Middle East tried a new approach this month: using Microsoft Office to remotely load Flash content that used a potent zero-day flaw to take control of computers.

On Thursday, Adobe published a patch for the critical vulnerability, indexed as CVE-2018-5002. The stack-based buffer overflow was being triggered in an Office document that embedded a link to a Flash file stored on people.dohabayt.com. Once executed, the malicious file then downloaded a malicious payload from the same domain. That’s according to researchers from security firms Icebrg and Qihoo 360, which independently discovered the attacks and privately reported them to Adobe and wrote about it here and here.

Over the past few years, browser makers have begun to block Flash content by default, a


Attackers used Telegram to deliver cryptocurrency-mining malware

Kaspersky Lab says it spotted evidence of a vulnerability in the desktop version of Telegram that allowed attackers to install cryptocurrency mining malware on users’ computers. The zero-day exploit was used to trick Telegram users into downloading malicious files, which could then be used to deliver cryptocurrency mining software and spyware. According to Kaspersky, those behind the exploit used the computers their malware had been installed on to mine digital currencies like Monero, Zcash, Fantomcoin and others. Kaspersky also says it found a stolen cache of Telegram data on one of the attackers’ servers.

Via: Bloomberg

Source: Kaspersky

An Adobe Flash 0day is being actively exploited in the wild

A screenshot of the malicious Excel document spreading a Flash zeroday. (credit: Talos)

An increasingly sophisticated hacking group is exploiting a zero-day vulnerability in Adobe’s Flash Player that lets them take full control of infected machines, researchers said Friday.

The critical, use-after-free vulnerability, which is indexed as CVE-2018-4877, resides in the latest version of the widely installed Flash, researchers from Cisco Systems’ Talos group said in a blog post. Adobe said separately that versions earlier than current Flash 28.0.0.137 are also susceptible. The vulnerability came to light on Wednesday when South Korea’s CERT issued an advisory warning that attack code was circulating in the wild that exploited the zeroday flaw.

Talos said the exploit is being distributed through a Microsoft Excel document that has a malicious Flash object embedded into it. Once the SWF object is triggered, it installs ROKRAT, a remote administration tool


Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers

(credit: NSA)

Contrary to what Ars and the rest of the world reported Friday, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products. This is according to a Microsoft blog post published late Friday night.

That’s because the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday’s latest installment of weapons-grade attacks. Those updates—which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-—make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn’t unprecedented, but it’s uncommon, and it’s generating speculation that the reporters were tied to the NSA. In a vaguely worded statement issued Friday, Microsoft seemed to say it had had no contact with NSA officials concerning any of the exploits contained


Microsoft Word 0day used to push dangerous Dridex malware on millions

A sample e-mail from the Dridex campaign exploiting the Microsoft Word zero-day. (credit: Proofpoint)

Booby-trapped documents exploiting a critical zeroday vulnerability in Microsoft Word have been sent to millions of people around the world in a blitz aimed at installing Dridex, currently one of the most dangerous bank fraud threats on the Internet.

As Ars reported on Saturday, the vulnerability is notable because it bypasses exploit mitigations built into Windows, doesn’t require targets to enable macros, and works even against Windows 10, which is widely considered Microsoft’s most secure operating system ever. The flaw is known to affect most or all Windows versions of Word, but so far no one has ruled out that exploits might also be possible against Mac versions. Researchers from security firms McAfee and FireEye warned that the malicious Word documents are being attached to e-mails, but didn’t reveal the scope or ultimate objective of the campaign.


Booby-trapped Word documents in the wild exploit critical Microsoft 0day

(credit: Rob Enslin)

There’s a new zeroday attack in the wild that’s surreptitiously installing malware on fully-patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that’s disguised to look like a document created in Microsoft’s Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from “different well-known malware families.”

The attack is notable for several reasons. First, it bypasses most exploit mitigations: This capability allows it to work even against Windows 10, which security experts widely agree is Microsoft’s most secure operating system to date. Second, unlike the vast majority of the


Apple says it’s already patched ‘many’ Wikileaks iOS exploits

Less than 24 hours ago, Wikileaks published a large cache of documents detailing top secret CIA operations conducted by its Center for Cyber Intelligence. Included in the 8,761 documents and files, referred to as Vault 7, are references to zero-day exploits that were reportedly being used to track and control not only iPhones but also Android phones and Samsung smart TVs.

While the authenticity of some of Wikileaks’ claims is still in question, Apple has confirmed that some of the threats to its mobile operating system are very real. In a move to reassure customers, the company issued a statement noting that it has already taken steps to patch “many” of the 14 iOS vulnerabilities listed and is working to “rapidly address” the rest.

Source: TechCrunch

iPhone exploit bounty surges to an eye-popping $1.5 million

(credit: Antoine Taveneaux)

A controversial broker of security exploits is offering $1.5 million (£1.2 million) for attacks that work against fully patched iPhones and iPads, a bounty that’s triple the size of its previous one.

Zerodium also doubled, to $200,000, the amount it will pay for attacks that exploit previously unknown vulnerabilities in Google’s competing Android operating system, and the group raised the amount for so-called zeroday exploits in Adobe’s Flash media player to $80,000 from $50,000. After buying the working exploits, the company then sells them to government entities, which use them to spy on suspected criminals, terrorists, enemies, and other targets.

Last year, Zerodium offered $1 million for iOS exploits, up to a total of $3 million. It dropped the price to $500,000 after receiving and paying for three qualifying submissions. On Thursday, Zerodium founder Chaouki Bekrar said the higher prices are a


Recently patched iOS security flaw also affects OS X

Last week Apple rolled out a patch for iOS that closed a security flaw that could give attackers control over a device by having a user click a single link. Now, Apple is patching the same hole in the Safari web browser on the desktop, with new updates for the browser as well as OS X Yosemite and El Capitan. Lookout Security and Citizen Lab identified the flaw based on a link sent to a human rights activist, and believe the "cyber war" organization NSO Group was selling the exploit to governments like the UAE.

Via: Motherboard

Source: Apple - OS X Update info (https://support.apple.com/en-gb/HT207130), Apple Safari update info (https://support.apple.com/en-us/HT207131)

Apple patches three zero-day exploits after activist is hacked

Apple has rolled out a patch for three previously unknown zero-day exploits that were used to hack into the iPhone 6 of Ahmed Mansoor, an award-winning human rights activist based in the United Arab Emirates. Security company Lookout and internet watchdog group Citizen Lab investigated the attack on Mansoor's iPhone and found it to be the product of NSO Group, a "cyber war" organization based in Israel that's responsible for distributing a powerful, government-exclusive spyware product called Pegasus.

Source: Citizen Lab (https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/), Apple (https://support.apple.com/en-us/HT207107), Lookout (https://blog.lookout.com/blog/2016/08/25/lookout-trident-pegasus-enterprise-discovery/)

Get Apple’s QuickTime Off Your PC Now, U.S. Government Advises

Do you still have QuickTime for Windows on your PC? Get rid of it, pronto.

That’s the advice coming from the U.S. Computer Emergency Readiness Team (US-CERT), following an “urgent call to action” by cybersecurity firm Trend Micro. The version of QuickTime on Apple computers is not affected.

What’s the rush? Trend Micro found two critical flaws in the PC version of Apple’s media-playing software that could let hackers take over victims’ computers.

And is Apple fixing the flaws? Nope. According to Trend Micro, after the security firm advised Apple about the vulnerabilities back in March, Apple waited four months before telling Trend Micro that it would simply stop supporting QuickTime for Microsoft’s Windows, and give users instructions for how to remove it.

So here are those instructions. If you have that software on your PC, you know what


Zero-day exploits aren’t as important to the NSA as you think

The head of the National Security Agency's elite hacking arm, Tailored Access Operations, downplayed the importance of zero-day exploits during a talk at USENIX Enigma 2016 in San Francisco this week, as spotted by Vice. Zero-day security holes are s...

FBI: yes, we exploit unpatched security holes

It's no secret that the FBI uses tech tools like Stingray phone trackers to investigate suspects, but it's now clear that the bureau is willing to go even further than that. Operational Technology Division lead Amy Hess (above) tells the Washington...

Oracle releases v11 fix for zero-day Java security flaw

Oracle has released an official fix for the Java security flaw that was reported by CERT (the Computer Emergency Readiness Team) on January 11. Shortly after the flagging by CERT, Apple took steps to disable the Java plug-in on all Macs running OS X 10.6 or later by amending the XProtect malware/minimum versions file.

Users who want to re-enable a secure, working version of Java can download the update here. The update is recommended for users on all operating systems including Windows and Linux. Of course, if you don’t need to be running a Java VM for a specific reason, your most secure path is to not have it installed.

At a minimum, you might consider TJ’s reasonable advice and reserve your browser-centric Java activities to a single-site browser like Fluid.app, or simply leave Java disabled for browser access most of the time and only turn it on when specifically required.

From the release notes, Oracle states: “Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 ‘in the wild,’ Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

Apple no longer distributes its own version of Java for Macs running OS X 10.7 or higher. Oracle is now directly responsible for producing and updating the Mac JRE package, as it does for other mainstream operating systems.

Oracle releases v11 fix for zero-day Java security flaw originally appeared on TUAW – The Unofficial Apple Weblog on Mon, 14 Jan 2013 09:00:00 EST.

Another Adobe Flash zero-day for sale by security software vendor
InteVyDis, a Russian firm specializing in packaging software security exploits, has released a software module that can give a remote computer access to an up-to-date Windows 7 machine running the most recent version of Adobe Flash Player 11.

The exploit module, called vd_adobe_fp, is packaged in VulnDisco Step Ahead Edition, an add-on toolkit for Canvas—an automated exploitation system developed for IT security professionals by Miami Beach-based Immunity. In a video demo of the exploit, Immunity’s Alex McGeorge said that the attack had been tested against fully patched Windows 7 Ultimate and Windows XP Pro systems running Internet Explorer 7 and 8, Google Chrome, and Firefox. McGeorge said that a Mac OS X version of the exploit is expected in the next release.

When a system connects to a website on a remote system equipped with the exploit, it can give that system access to a “low-integrity” shell with limited access to the target, allowing the uploading of other software modules to the target and giving the remote system control over TCP socket connections. Additional exploits could then be used to get higher-level permissions to the system.

Update: An Adobe spokesperson responded to an inquiry from Ars on the exploit, saying that the company is aware of the announcement and has “reached out” to InteVyDis. “We would welcome any details so we can verify and address the vulnerability,” the spokesperson said, but without further information Adobe can do nothing but monitor for exploits.


Researchers discover zero-day Windows exploit in Duqu virus
Hungarian researchers have discovered a previously unknown Windows kernel vulnerability that is used by the installer for Duqu, the Stuxnet-like Trojan first detected in October. The researchers at the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics (CrySyS), who were the first to discover the Duqu virus, have reported the vulnerability to Microsoft and other organizations, and a patch is in development.

According to a Symantec analysis of the exploit, Duqu’s installer was delivered to target systems embedded in a seemingly legitimate Microsoft Word document. When the document is opened, the installer embedded in the document is activated, and executes Windows shell code to install the malware’s .DLL and driver file to the system by hijacking Windows’ services control manager.

The shell code discovered in the Duqu worm by CrySyS was written to only allow installation of the virus during an eight-day period in August. Once the virus is installed, it can spread to other computers over networked file shares, and connect back to a command-and-control network over the Internet. Researchers found that when the virus infects systems not directly connected to the Internet, it uses a file-sharing protocol to connect with computers that have Internet access to form a relay back to the command and control network.

So far, confirmed Duqu infections have been reported in France, the Netherlands, Switzerland, the UK, Ukraine, Austria, Hungary, Iran, Sudan, Vietnam and Indonesia. The virus communicated with servers in Belgium, which have been shut down. But it’s unknown if the virus has since been modified and used for other attacks.


Apple releases slew of updates, fixes Zero Day bug

Apple has released a slew of updates in the last few days, including a security update that fixes the Zero Day bugs discovered by Charlie Miller and revealed at CanSecWest. In addition to the MacBook Pro and MobileMe Backup updates, Apple has also released:

27-inch iMac SMC Firmware Update 1.0
This update fixes Target Display Mode compatibility issues on 27-inch iMac computers. Weighs in at 397 KB.

27-inch iMac EFI FW Update 1.0

The update is recommended for all quad-core Intel Core i5 and Core i7 processor 27-inch iMacs.

This update addresses the following: Resolves an issue that sometimes caused high processor utilization while playing audio through the headphone output mini-jack. Resolves an issue that prevented the display backlight from turning on after powering on the iMac. Weighs in at 2.1 MB.

Security Update 2010-003 (Snow Leopard)

Security Update 2010-003 is recommended for all users and improves the security of Mac OS X. Weighs in at 6.50 MB.

Server Admin Tools 10.6.3
This update includes the latest releases of: iCal Server Utility, Podcast Composer, Server Admin, Server Monitor, Server Preferences, System Image Utility, Workgroup Manager, and Xgrid Admin. The update weighs in at 236MB.

Security Update 2010-003 (Leopard-Client)
This update improves the security of Mac OS X. Weighs in at 218.6 MB.

Security Update 2010-003 (Leopard-Server)
This update improves the security of Mac OS X. Weighs in at 379.5 MB.

Mac OS X v10.6.3 v1.1 Update (Combo)

The 10.6.3 v1.1 Update is recommended for all users running Mac OS X Snow Leopard and includes general operating system fixes that enhance the stability, compatibility, and security of your Mac. The update weighs in at 785.29 MB.

Mac OS X Server 10.6.3 v1.1 Update (Combo)
The 10.6.3 v1.1 update is recommended for all servers currently running Snow Leopard Server version 10.6 and includes general operating system fixes that enhance the stability, compatibility and security of your server. The update weighs in at 897.32 MB.

Apple releases slew of updates, fixes Zero Day bug originally appeared on The Unofficial Apple Weblog (TUAW) on Wed, 14 Apr 2010 17:45:00 EST.

20 zero-day security holes in Mac OS X to be revealed

Charles Miller, a computer security researcher who’s worked with the NSA, is planning to reveal 20 zero-day security holes in Mac OS X at CanSecWest, a digital security conference, in Vancouver BC next week. A zero-day security hole is a weakness in software that neither the makers of the software nor other individuals have any knowledge of. Hackers then take advantage of the exploit on the day it becomes general knowledge. Miller revealing that Mac OS X has twenty of them makes Apple look like they didn’t do the job right the first time and also suggests Apple needs glasses to see what they’ve missed – and he’s not wrong.

“Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town,” Miller said, suggesting that while both OSes have their security flaws, the Mac OS is safer because of the lack of people threatening to exploit it.

But software is software, and no matter how much more secure Mac OS X is than Windows, it’s still bound to have some security issues. I’m all for Charles Miller digging around the OS to find flaws, but come on, if you find them, why announce them to the world and open up a potential new round of attacks? Wouldn’t it be better to report them to Apple instead of to the host of hackers that pay attention to CanSecWest? There’s no question about it, Apple should have caught these holes in the first place and Miller is right in calling them out on it. But while I understand that public outings go a long way to ensuring that people or companies don’t make the same mistakes again, you can call Apple out without showing people – especially the wrong people – the specific cracks in the system.

20 zero-day security holes in Mac OS X to be revealed originally appeared on The Unofficial Apple Weblog (TUAW) on Sat, 20 Mar 2010 17:00:00 EST.