Microsoft has released updates to fix a zero-day vulnerability impacting all versions of Windows, from Windows 7 to Windows 11.
According to Microsoft, the bug allows a bad actor to escalate privileges related to the Windows Common Log File System Driver. This could give the hacker full system privileges — the highest level available — giving them full access and control of the computer.
Fortunately, the vulnerability is not a fully remote attack and still requires social engineering or some other method to gain initial access, which can then be used to elevate privileges.
“This bug in the Common Log File System (CLFS) allows an authenticated attacker to execute code with elevated privileges. Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” writes Zero Day Initiative’s Dustin Childs. “Once they do, additional code executes with elevated privileges to take over a system. Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.”
Given this attack is already being used in the wild, all users should update their Windows installation immediately.
Google Chrome users should immediately update to version 88, as the update fixes a vulnerability that is being actively exploited.
Google has a policy of not disclosing too much detail about security issues until the majority of users have updated:
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
Nonetheless, the update includes a fix for a heap buffer overflow in the V8 JavaScript engine. The most worrisome detail is that the vulnerability is already being exploited:
Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Even if automatic updates are enabled, users should manually update as soon as possible to make sure there are no unnecessary gaps in their security.
A researcher at Dutch security firm EYE has discovered a critical vulnerability in Zyxel’s firewall and VPN gateways, as a result of exposed credentials.
Zyxel sells a line of popular firewall and VPN gateway devices. Niels Teusink, a researcher with EYE, discovered a major issue that leaves over 100,000 devices vulnerable.
When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system. I was even more surprised that this account seemed to work on both the SSH and web interface.
Teusink goes on to highlight why this vulnerability is so dangerous.
As the zyfwp user has admin privileges, this is a serious vulnerability. An attacker could completely compromise the confidentiality, integrity and availability of the device. Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.
Teusink recommends updating to the latest firmware version immediately.
Google Project Zero (GPZ) has disclosed a serious vulnerability in GitHub’s Actions feature, after the version control platform dragged its feet fixing it.
GPZ discovered an issue making GitHub Actions vulnerable to injection attacks. The vulnerability has been labeled ‘high-severity’ by GPZ. According to GPZ’s Felix Wilhelm, any project that relies heavily on Actions could be vulnerable.
The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.
I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class.
To make matters worse, GitHub wasted the 90-day period GPZ normally gives organizations before disclosing a vulnerability. GitHub was initially notified of the vulnerability on July 21, with a disclosure date of October 18 set.
With no announced resolution, GPZ reached out to GitHub on October 12 and offered a 14-day grace period, which was accepted on October 16. A new disclosure date of November 2 was set. GPZ tried contacting GitHub on October 28, but received no response. On October 30, GPZ reached out to informal contacts, who indicated GitHub considered the issue fixed.
On November 1, GitHub officially reached out to request an additional 48 hours, not to fix the issue, but to notify users of a future date when the issue would be fixed. GPZ informed GitHub there was no further provision to extend the grace period and proceeded with the disclosure on November 2.
GitHub has provided an example of how not to handle a vulnerability. GPZ went above-and-beyond to communicate and work with GitHub, but it appears that GitHub squandered its opportunities to definitively address the issue.
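The quoted description above turns on one detail: the runner treats any STDOUT line of the form `::command props::value` as an instruction, so untrusted text that an action prints can carry such a line. The following is an added illustration written for this page, not GitHub's runner code; it models that parsing with a simplified regex, uses the `set-env` command that the quote's "arbitrary environment variables" refers to (since deprecated by GitHub) as the example command name, and shows the `::stop-commands::TOKEN` / `::TOKEN::` fence that makes everything between the markers plain text. The sample lines are constructed.

```python
import re
import secrets

# Simplified model of the runner's line scanner (an assumption for this
# illustration, not the real implementation): "::cmd props::value".
WORKFLOW_COMMAND = re.compile(
    r"^::(?P<cmd>[a-zA-Z-]+)(?: (?P<props>[^:]*))?::(?P<value>.*)$"
)


def parse_workflow_commands(lines):
    """Return (command, properties, value) for every line a runner-style
    parser would act on, honouring ::stop-commands::TOKEN ... ::TOKEN::."""
    commands = []
    stop_token = None
    for raw in lines:
        line = raw.rstrip("\n")
        if stop_token is not None:
            # Inside a stopped region nothing is a command until the resume marker.
            if line == f"::{stop_token}::":
                stop_token = None
            continue
        m = WORKFLOW_COMMAND.match(line)
        if m is None:
            continue
        if m.group("cmd") == "stop-commands":
            stop_token = m.group("value")
            continue
        commands.append((m.group("cmd"), m.group("props") or "", m.group("value")))
    return commands


def fence_untrusted(lines, token=None):
    """Mitigation: wrap untrusted output in stop-commands using an unguessable
    token, so a command-shaped line inside it is logged as plain text."""
    token = token or secrets.token_hex(16)
    return [f"::stop-commands::{token}", *lines, f"::{token}::"]


# Constructed sample: an action echoes an attacker-influenced issue title,
# and the second line happens to be shaped like a set-env command.
UNTRUSTED_LINES = [
    "Processing issue: Fix typo in README",
    "::set-env name=INJECTED_VAR::untrusted-value",
]


def demo():
    """What the scanner acts on without, and with, the stop-commands fence."""
    unfenced = parse_workflow_commands(UNTRUSTED_LINES)
    fenced = parse_workflow_commands(
        fence_untrusted(UNTRUSTED_LINES, token="a1b2c3d4e5f60718")
    )
    return unfenced, fenced


if __name__ == "__main__":
    print(demo())
```

The unfenced sample yields one parsed `set-env` command; the fenced copy yields none. The token must be random per run, because a fixed token could itself be printed by the untrusted content to close the fence early.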
A major security vulnerability left Qatari citizens open to having highly sensitive, personal information stolen.
Qatar is one of the many countries that has rolled out a contact tracing app. Contact tracing is widely considered to be one of the keys to getting a handle on the coronavirus pandemic. Unfortunately, there is tremendous potential for an app to be abused, or for poor security to open users up to hackers and scammers. For example, North Dakota’s Care19 app was recently discovered to be sharing location data with FourSquare.
Qatar’s app is now the latest to have an issue, with Amnesty International’s Security Lab discovering a serious vulnerability that “would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users.”
To make matters worse, the Qatari contact tracing app is mandatory for the country’s citizens, ensuring virtually everyone was at risk. Amnesty International informed the authorities on May 21 of the vulnerability and they released a fix the very next day.
“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited. This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.
“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights.”
Hopefully governments around the world will take note of Qatar’s example and work hard to protect their citizens’ privacy.
A researcher has discovered seven critical security vulnerabilities with Thunderbolt that impact Windows, Linux and, to a lesser extent, macOS.
In late April it was reported that one of Microsoft’s reasons for not including Thunderbolt on its Surface devices was concerns over security. Specifically, Microsoft had concerns that, because Thunderbolt acts as a direct memory access port, a hacker could use a memory stick or other peripheral to gain direct access to the device’s memory.
It seems Microsoft’s concerns may not have been so far-fetched after all. Björn Ruytenberg, researcher at Eindhoven University of Technology, has published a report detailing seven Thunderbolt vulnerabilities that could allow a hacker to theoretically steal all data on a computer, regardless of what security measures are in place, such as password protection or encryption. In a video demonstrating the vulnerabilities, Ruytenberg gains access in roughly five minutes.
Of the vulnerabilities, all seven impact both Windows and Linux, while only two impact macOS. Even then, macOS is only partially affected, as Apple’s computers use two security measures not used by Windows or Linux. The vulnerability compromises the first measure, but not the second. If running Windows or Linux in Boot Camp, however, a Mac becomes “trivially affected.”
In a follow-up blog, Ruytenberg says Intel was notified in mid-February, but has no intention of taking any further action, citing action they have already taken. In a blog post on the company’s site, Intel’s Jerry Bryant explained the mitigation efforts already in place:
“In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.”
While a vulnerability of this kind is disconcerting, it’s important to keep it in perspective. The vulnerability requires physical access to a machine. As we wrote in the article describing Microsoft’s decision not to include Thunderbolt, “a long-standing rule of computer security is that once physical access has been achieved, all bets are off.” That rule still holds true.
If Intel’s response is accurate, it seems modern computers with the latest OS updates are largely safe. In the meantime, common sense measures, such as controlling computer access and not plugging in unknown Thunderbolt devices, should go a long way toward protecting all users.
Sophos has issued a hotfix for its XG Firewall to patch a zero-day exploit that was being actively exploited by hackers.
According to Sophos, the firm was first made aware of the issue on April 22 by a customer who noticed “a suspicious field value visible in the management interface.” After investigating, Sophos determined the value was not a bug, but indicative of an attack against both physical and virtual XG Firewall units.
“The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices,” reads the security bulletin. “It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should remediate to avoid the possibility that any data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.”
Because Sophos issued a hotfix for the vulnerability, a message should display on the XG management interface informing customers if their units were impacted. Uncompromised customers do not need to take any additional action, while compromised customers are encouraged to reset device administrator accounts, reboot the devices and reset passwords for local user accounts. If users had reused their XG passwords anywhere else, those should also be reset.
Apple has said a recently discovered iOS Mail vulnerability poses no immediate threat and a fix is coming soon.
As previously covered, security firm ZecOps discovered a flaw in iOS Mail, affecting both iPhones and iPads. The flaw involved a blank email being sent to a device, an email that would cause a crash and reset. The reset created an opportunity for a hacker to steal data from the device. ZecOps believes the vulnerability was being exploited as far back as 2018, and was working with a client they believed was targeted using this vulnerability in late 2019.
In spite of that, Apple reached out to Bloomberg reporter Mark Gurman to issue a statement, which Gurman tweeted:
Apple responds to ZecOps report on Mail app vulnerabilities, says it doesn’t pose immediate risk and software update coming.
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
Apple’s response is good news, although it still leaves a number of questions, not the least of which is what did ZecOps find in the way of vulnerabilities being exploited over the last two years?
Researchers have discovered a flaw in the iOS version of Mail that may have left countless iPads and iPhones vulnerable to data theft.
According to Reuters, the flaw was found by San Francisco-based ZecOps, a company specializing in mobile security forensics. The investigation was prompted by a sophisticated attack against one of ZecOps’ clients in late 2019.
ZecOps CEO, Zuk Avraham, “said he found evidence that a malicious program was taking advantage of the vulnerability in Apple’s iOS mobile operating system as far back as January 2018.” What makes the vulnerability particularly unsettling is that it requires little to no action on the part of the victim.
The hack works through a seemingly blank email that forces a crash and reset, Reuters reports, opening “the door for hackers to steal other data on the device, such as photos and contact details.” Not even recent versions of iOS protect a user, leaving the victim vulnerable to having their data remotely stolen from their device.
Apple did confirm to Reuters that a vulnerability does exist in Mail, and an upcoming software update would include a fix. While the fix is certainly good news, it’s worrisome that such a severe bug went undiscovered for so long while, at the same time, apparently being exploited by bad actors.
Adobe is urging Creative Cloud Desktop Application customers running Windows to upgrade immediately to prevent hackers from deleting their files.
According to a blog post, “Adobe has released security updates for Creative Cloud Desktop Application (APSB20-11) for Windows. This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary File Deletion in the context of the current user. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.”
The vulnerability was discovered by “Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security.” According to Adobe’s bulletin, the vulnerability is a Time Of Check To Time Of Use (TOCTTOU) race condition.
According to CWE, with a TOCTTOU vulnerability, “the software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.
“This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.”
This is a major vulnerability and all impacted users should update immediately to ensure the security of their files.
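The CWE definition quoted above is abstract, so here is the file-handling form of the race as an added example (written for this page; it is not Adobe's code and says nothing about the specific Creative Cloud defect). The vulnerable variant checks a path and then opens the path; a hook argument stands in for the window in which another process swaps what the path refers to. The hardened variant opens first, refuses to follow symlinks, and checks the descriptor it actually obtained, so check and use refer to the same object. The files, names and the "swap in a symlink" step are all constructed for the demonstration and assume a POSIX system.

```python
import os
import stat
import tempfile


def read_if_regular_file_racy(path, between_check_and_use=None):
    """Vulnerable check-then-use: inspect the path, then open the path.
    `between_check_and_use` models the window another process can exploit."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if between_check_and_use is not None:
        between_check_and_use()
    with open(path, "rb") as f:  # opens whatever `path` refers to *now*
        return f.read()


def read_if_regular_file_safe(path, before_open=None):
    """Hardened: open first (never following a symlink), then check the
    descriptor that was actually opened. There is no check/use window."""
    if before_open is not None:
        before_open()  # the same swap, but nothing has been checked yet
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # POSIX: ELOOP on a symlink
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        return f.read()


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed scenario in a temporary directory; returns what each
    variant produced so the difference can be inspected or asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        _write(public, b"public data")
        _write(secret, b"secret data")

        def swap_in_symlink():
            # Step a concurrent process could take: replace the checked file
            # with a symlink to something the check would have rejected.
            os.remove(public)
            os.symlink(secret, public)

        # The racy version validated a regular file, then read the secret.
        results["racy_under_race"] = read_if_regular_file_racy(public, swap_in_symlink)

        os.remove(public)
        _write(public, b"public data")
        results["safe_no_race"] = read_if_regular_file_safe(public)
        try:
            read_if_regular_file_safe(public, swap_in_symlink)
            results["safe_under_race"] = "read"
        except OSError:  # PermissionError is an OSError too
            results["safe_under_race"] = "refused"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The same principle applies to deletion, the operation named in Adobe's bulletin: decisions should be made on an opened descriptor or a directory-relative handle, never on a path that was inspected a moment earlier.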
A security issue in a popular WordPress plugin has left some 100,000 websites vulnerable to being completely wiped.
Security firm WebARX discovered a flaw in the ThemeGrill Demo Importer plugin. The plugin imports other plugins developed by ThemeGrill. When WebARX first discovered the flaw, some 200,000 websites had the plugin installed, although that number has now dropped to 100,000. This is likely due to companies uninstalling the plugin to mitigate the risk.
To make matters worse, this vulnerability is being actively exploited. WebARX has already stopped over 16,000 attacks attempting to exploit the plugin.
“This is a serious vulnerability and can cause a significant amount of damage,” writes WebARX. “Since it requires no suspicious-looking payload just like our previous finding in InfiniteWP, it is not expected for any firewall to block this by default and a special rule needs to be created to block this vulnerability.”
ThemeGrill has updated the plugin to fix the vulnerability. All impacted sites should install the new version immediately.
Samsung may be one of the most popular Android device makers, but that hasn’t stopped Google from taking it to task for making Android more vulnerable.
Jann Horn, Google Project Zero researcher, outlined how Samsung’s efforts to customize the Android kernel—or core of the operating system (OS)— for specific devices was not only unnecessary, but introduced security vulnerabilities. Horn was researching the kernel of the Galaxy A50 specifically, and had not yet tested his findings on other Samsung device kernels.
“On Android, it is normal for vendors to add device-specific code to the kernel,” writes Horn. “This code is a frequent source of security vulnerabilities. Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific. Modern Android phones access hardware devices through dedicated helper processes, which form the Hardware Abstraction Layer (HAL).”
In the case of the A50, Horn wrote an exploit for a memory corruption issue in Samsung’s kernel that was aided by yet another kernel vulnerability. That second kernel issue had long since been fixed in the Android common kernel, but Samsung had yet to address it in their customized version.
The entire blog post is a long, extremely detailed breakdown of the technical issues at play. Google has been working hard to address security issues with Android, but those improvements are only as good as the vendors that implement them. Horn makes a compelling case that vendors who customize the Android kernel are putting their users at serious risk for questionable benefits.
“In my opinion, some of the custom features that Samsung added are unnecessary, and can be removed without any loss of value,” adds Horn.
“I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won’t complicate updates to newer kernel releases.”
One thing is clear: Android vendors need to take security as seriously as Google does.
The National Security Agency (NSA) has issued a press release detailing a severe vulnerability in Windows 10 and encouraging all users to update immediately.
According to the NSA’s press release, the agency discovered the vulnerability in the Windows 10 cryptography functionality. “The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality.”
It is relatively unusual for the NSA to issue a press release about a vulnerability, but the severity of this particular one warranted it.
“The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”
The agency recommends all users immediately apply all January 2020 Patch Tuesday patches to mitigate the danger.
A recent release of Mozilla Firefox has a vulnerability severe enough that even the Department of Homeland Security is telling everyone to update.
According to Mozilla, “incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.”
That last statement is particularly worrisome, as many software flaws are patched before bad actors start abusing them. In this case, however, this flaw is already being exploited.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) states the following:
“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.”
As CISA points out, this flaw impacts both the regular and enterprise (ESR) versions of Firefox, so ALL users should update immediately. Individuals can use the app’s built-in updater or go to Mozilla’s official site for the latest version.
Twitter announced Friday that it has patched a serious vulnerability in the official Twitter client for Android.
According to the announcement on the company’s blog, the bug “could allow a bad actor to see nonpublic account information or to control your account (i.e., send Tweets or Direct Messages). Prior to the fix, through a complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app, it may have been possible for a bad actor to access information (e.g., Direct Messages, protected Tweets, location information) from the app.”
The company does not have any evidence the vulnerability was actually exploited, but is choosing to err on the side of caution. Twitter is contacting—via email or the app—any users who could have been exposed and providing instructions on what they should do.
In the meantime, all Android users should update to the latest version, where the vulnerability has been fixed. iOS users are in the clear, as the bug appears to have only impacted the Android client.
Security firm Checkmarx has announced a serious flaw in Android that allows rogue apps to access the camera, as well as the microphone.
Director of Security Research Erez Yalon and Senior Security Researcher Pedro Umbelino authored the post detailing their findings. In short, rogue apps on Google and Samsung phones, and in the Android ecosystem in general, could access the camera, take photos, record videos, access stored photos and videos, as well as use the GPS metadata in photos to locate a user.
“After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so. Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.
In doing so, our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was in the middle of a voice call.”
That last part is especially concerning, as it means rogue apps can access the camera without the user realizing it. This opens up a world of possibilities for surveillance, both visual and audio, compromising a person’s privacy at best and corporate or government security at worst.
The researchers were quick to praise both Google and Samsung for their quick and professional response, and both companies have fixed the issue with their devices. Unfortunately, other vendors are also affected and it is unknown to what extent they have addressed the vulnerability.
What is up with smartphones and their knack for having so many vulnerabilities just waiting to be exploited?
HTC is the latest smartphone maker to acknowledge a vulnerability in its software that allows a user’s Wi-Fi password and SSID to be stolen by a malicious application running on the phone, according to Bret Jordan’s blog, which first revealed the issue.
Thankfully, HTC has rolled out an update to several phones. Some phones, however, will need to be manually updated. HTC promises more details on the update next week according to PC Mag.
Chris Hessing and Bret Jordan were the first to report the vulnerability to CERT. The CERT Web site describes the vulnerability as such:
Any Android application on an affected HTC build with the android.permission.ACCESS_WIFI_STATE permission can use the .toString() member of the WifiConfiguration class to view all 802.1X credentials and SSID information. If the same application also has the android.permission.INTERNET permission then that application can harvest the credentials and exfiltrate them to a server on the Internet.
The vulnerability affects only a certain number of HTC phones including the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation Z710e, Sensation 4G, Desire S, EVO 3D and EVO 4G. The MyTouch 3G and Nexus One are not affected.
If your phone is one of those listed above, you can download an update starting next week from the HTC help page.
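The CERT note above makes the exposure conditional on a pair of declared permissions, which is something an app vetter can check mechanically in an APK's manifest. The following is an added example written for this page, not CERT's or HTC's code: it parses `AndroidManifest.xml` text with the standard library, handling the `android:` attribute namespace that trips up naive string matching, and classifies each app by whether it holds `ACCESS_WIFI_STATE` alone or together with `INTERNET`. The three manifests are constructed and belong to no real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree's form of android:name

# The two permissions the CERT note says are sufficient, together, to read
# the stored 802.1X credentials and send them off the device.
WIFI_STATE = "android.permission.ACCESS_WIFI_STATE"
INTERNET = "android.permission.INTERNET"


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def assess(manifest_xml):
    """Classify an app against the permission pair from the advisory."""
    perms = declared_permissions(manifest_xml)
    if WIFI_STATE in perms and INTERNET in perms:
        return "can read and exfiltrate Wi-Fi credentials"
    if WIFI_STATE in perms:
        return "can read Wi-Fi credentials (no network permission)"
    return "not affected by this bug"


# Constructed manifests for the demonstration (not real apps).
MANIFESTS = {
    "weather_widget": """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>""",
    "wifi_scanner": """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.scanner">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>""",
    "offline_notes": """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>""",
}


def triage(manifests=MANIFESTS):
    """Run the assessment over a set of named manifests."""
    return {name: assess(xml) for name, xml in manifests.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

On an affected build, only the first app needs both permissions to match the scenario CERT describes; the check is a triage aid for prioritising review, since a benign networked app will declare the same pair.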
HTC just can’t seem to catch a break. We reported last December that HTC had many of their phones banned from being sold in the U.S. after a successful patent lawsuit from Apple. HTC had to remove the offending feature from all of their phones.
Once again, these kinds of problems will always come up with smartphones as they move towards being more computer-like. People will attempt to exploit their weaknesses while manufacturers will attempt to patch them as they come up. Just remember to be smart and safe with your smartphones by not storing a lot of personal information, like Wi-Fi passwords, on them.