Mozilla and Tor release urgent update for Firefox 0-day under active attack

November 30, 2016 – 9:15 PM

Developers with both Mozilla and Tor have published browser updates that patch a critical Firefox vulnerability being actively exploited to deanonymize people using the privacy service.

“The security flaw responsible for this urgent release is already actively exploited on Windows systems,” a Tor official wrote in an advisory published Wednesday afternoon. “Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately.”

The Tor browser is based on the open-source Firefox browser developed by the Mozilla Foundation. Shortly after this post went live, Mozilla security official Daniel Veditz published a blog post that said the vulnerability has also been fixed in a just-released version of Firefox for mainstream users. On early Wednesday, Veditz said, his team received a copy of the attack code that exploited a previously unknown vulnerability in Firefox.

The attack executed code when targets loaded malicious JavaScript and code based on scalable animation vector graphics. The exploit used the capability to send the target’s IP and MAC address to an attacker-controlled server. The code in general resembles the types of so-called network investigative techniques used by law-enforcement agencies, and specifically one that the FBI used in 2013 to identify Tor-protected users who were trading child pornography.

Source:
http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-active-attack/

Major Linux security hole gapes open

November 16, 2016 – 5:51 AM

Sometimes Linux users can be smug about their system’s security. And sometimes a major hole that’s been hiding in Linux since about version 2.6 opens up and in you fall.

The security hole this time is with how almost all Linux distributions implement Linux Unified Key Setup-on-disk-format (LUKS). LUKS is the standard mechanism for implementing Linux hard disk encryption. LUKS is often put into action with Cryptsetup. It’s in Cryptsetup default configuration file that the problem lies and it’s a nasty one. Known Linux distributions with this bug include Debian, Ubuntu, Fedora, Red Hat Enterpise Linux (RHEL), and SUSE Linux Enterprise Server (SLES).

As described in the security report, CVE-2016-4484, the hole allows attackers “to obtain a root initramfs [initial RAM file system] shell on affected systems. The vulnerability is very reliable because it doesn’t depend on specific systems or configurations. Attackers can copy, modify, or destroy the hard disc as well as set up the network to exflitrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.”

Now for the really embarrassing part. Want to know how to activate it? Boot the system and then hold down the enter key. Wait. After about a minute and a half, you’ll find yourself in a BusyBox root shell. You now control the horizontal, you now control the vertical, and whoever owns the system is not going to be happy with you.

Source:
http://www.zdnet.com/article/major-linux-security-hole-gapes-open/

Web Of Trust (WOT) Browser Add-On Caught Selling Users

November 8, 2016 – 5:44 AM

Browser extensions have become a standard part of the most popular browsers and essential part of our lives for surfing the Internet.

But not all extensions can be trusted.

One such innocent looking browser add-on has been caught collecting browsing history of millions of users and selling them to third-parties for making money.

An investigation by German television channel NDR (Norddeutscher Rundfunk) has discovered a series of privacy breaches by Web Of Trust (WOT) – one of the top privacy and security browser extensions used by more than 140 Million online users to help keep them safe online.

Web of Trust has been offering a “Safe Web Search & Browsing” service since 2007. The WOT browser extension, which is available for both Firefox and Chrome, uses crowdsourcing to rate websites based on trustworthiness and child safety.

However, it turns out that the Web of Trust service collects extensive data about netizens’ web browsing habits via its browser add-on and then sells them off to various third party companies.

What’s extremely worrying? Web of Trust did not properly anonymize the data it collects on its users, which means it is easy to expose your real identity and every detail about you.

Source:
http://thehackernews.com/2016/11/web-of-trust-addon.html

Moving Beyond EMET

November 3, 2016 – 6:27 PM

Microsoft’s Trustworthy Computing initiative was 7 years old in 2009 when we first released the Enhanced Mitigation Experience Toolkit (EMET). Despite substantial improvements in Windows OS security during that same period, it was clear that the way we shipped Windows at the time (3-4 years between major releases) was simply too slow to respond quickly to emerging threats. Our commercial customers were particularly exposed since it often took years to deploy new OS versions in large scale environments. And thus, EMET was born as a stop-gap solution to deliver tactical mitigations against certain zero-day software vulnerabilities.

For Microsoft, EMET proved useful for a couple of reasons. First, it allowed us to interrupt and disrupt many of the common exploit kits employed by attackers at the time without waiting for the next Windows release, thus helping to protect our customers. Second, we were able to use EMET as a place to assess new features, which directly led to many security innovations in Windows 7, 8, 8.1, and 10.

But EMET has serious limits as well – precisely because it is not an integrated part of the operating system. First, many of EMET’s features were not developed as robust security solutions. As such, while they blocked techniques that exploits used in the past, they were not designed to offer real durable protection against exploits over time. Not surprisingly, one can find well-publicized, often trivial bypasses, readily available online to circumvent EMET.

Second, to accomplish its tasks, EMET hooks into low-level areas of the operating system in ways they weren’t originally designed. This has caused serious side-effects in both performance and reliability of the system and the applications running on it. And this presents an ongoing problem for customers since every OS or application update can trigger performance and reliability issues due to incompatibility with EMET.

Finally, while the OS has evolved beneath it, EMET hasn’t kept pace. While EMET 5.5x was verified to run on Windows 10, its effectiveness against modern exploit kits has not been demonstrated, especially in comparison to the many security innovations built-in to Windows 10.

Source:
https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/

Google warns of actively exploited Windows zero-day

November 1, 2016 – 5:40 AM

Google has disclosed to the public the existence of a Windows zero-day vulnerability (CVE-2016-7855) that is being actively exploited in the wild.

According to Neel Mehta and Billy Leonard, of the Google Threat Analysis Group, it’s a local privilege escalation in the Windows kernel that can be used as a security sandbox escape, and can be triggered “via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

The same vulnerability has been shared with bith Microsoft and Adobe on October 21st, as it also affected Flash Player. But while Adobe has already pushed out an update with the patch, Microsoft has not been so quick.

“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10,” Adobe said in the security bulletin accompanying the release.

Google has made public the flaw before Microsoft has had the chance to fix it because it is a critical vulnerability that could lead to system compromise, and it is being actively exploited.

They have advised users to update Flash and implement the Microsoft patch as soon as it is made available.

In the meantime, Windows 10 users can use Google Chrome to protect themselves against possible attacks leveraging the flaw.

Source:
https://www.helpnetsecurity.com/2016/11/01/google-warns-actively-exploited-windows-zero-day/