Category Archives: exploits

Latest high-severity flaw in Windows Defender highlights the dark side of AV

(credit: Microsoft)

Microsoft recently patched a critical vulnerability in its ubiquitous built-in antivirus engine. The vulnerability could have allowed attackers to execute malicious code by luring users to a booby-trapped website or attaching a booby-trapped file to an e-mail or instant message.

A targeted user who had real-time protection turned on wasn't required to click on the booby-trapped file or take any other action other than visit the malicious website or receive the malicious e-mail or instant message. Even when real-time protection was off, malicious files would be executed shortly after a scheduled scan started. The ease was the result of the vulnerable x86 emulator not being protected by a security sandbox and being remotely accessible to attackers by design. That's according to Tavis Ormandy, the Google Project Zero researcher who discovered the vulnerability and explained it in a report published Friday.

Ormandy said he identified the flaw almost immediately after developing a fuzzer for the Windows Defender component. Fuzzing is a software testing technique that locates bugs by subjecting an application to corrupted data and other types of malformed or otherwise unexpected input.

Read 6 remaining paragraphs | Comments

Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware

(credit: Aurich Lawson)

A Web-hosting service recently agreed to pay a $1 million to a ransomware operation that encrypted data stored on 153 Linux servers and 3,400 customer websites, the company said recently.

The South Korean Web host, Nayana, said in a blog post published last week that initial ransom demands were for five billion won worth of Bitcoin, which is roughly $4.4 million. Company negotiators later managed to get the fee lowered to 1.8 billion won and ultimately landed a further reduction to 1.2 billion won, or just over $1 million. An update posted Saturday said Nayana engineers were in the process of recovering the data. The post cautioned that that the recovery was difficult and would take time.

“It is very frustrating and difficult, but I am really doing my best, and I will do my best to make sure all servers are normalized,” a representative wrote, according to a Google translation.

Read 2 remaining paragraphs | Comments

Serious privilege escalation bug in Unix OSes imperils servers everywhere

Enlarge (credit: Victorgrigas)

A raft of Unix-based operating systems—including Linux, OpenBSD, and FreeBSD—contain flaws that let attackers elevate low-level access on a vulnerable computer to unfettered root. Security experts are advising administrators to install patches or take other protective actions as soon as possible.

Stack Clash, as the vulnerability is being called, is most likely to be chained to other vulnerabilities to make them more effectively execute malicious code, researchers from Qualys, the security firm that discovered the bugs, said in a blog post published Monday. Such local privilege escalation vulnerabilities can also pose a serious threat to server host providers because one customer can exploit the flaw to gain control over other customer processes running on the same server. Qualys said it's also possible that Stack Clash could be exploited in a way that allows it to remotely execute code directly.

"This is a fairly straightforward way to get root after you've already gotten some sort of user-level access," Jimmy Graham, director of product management at Qualys, told Ars. The attack works by causing a region of computer memory known as the stack to collide into separate memory regions that store unrelated code or data. "The concept isn't new, but this specific exploit is definitely new."

Read 5 remaining paragraphs | Comments

Banking trojan executes when targets hover over link in PowerPoint doc

Enlarge (credit: Dodge This Security)

Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file.

The method—which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit—is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload. Those methods are so widely used that many people are able to recognize them before falling victim.

Instead, the delivery technique made use of the Windows PowerShell tool, which was invoked when targets hovered over a booby-trapped hyperlink embedded in the attached PowerPoint document. Targets using newer versions of Microsoft Office would by default first receive a warning, but those dialogues can be muted when users are tricked into turning off Protected View, a mode that doesn't work when documents are being printed or edited. Targets using older versions of Office that don't offer Protected View are even more vulnerable.

Read 4 remaining paragraphs | Comments

Internet cameras have hard-coded password that can’t be changed

Enlarge (credit: F-Secure)

Security cameras manufactured by China-based Foscam are vulnerable to remote take-over hacks that allow attackers to view video feeds, download stored files, and possibly compromise other devices connected to a local network. That's according to a 12-page report released Wednesday by security firm F-Secure.

Researchers at F-Secure documented 18 vulnerabilities that the manufacturer has yet to fix despite being alerted to them several months ago. All of the flaws were confirmed in a camera marketed under the Opticam i5 HD brand. A smaller number of the vulnerabilities were also found in the Foscam C2. The report said the weaknesses are likely to exist in many other camera models Foscam manufactures and sells under other brand names.

F-Secure researchers wrote:

Read 5 remaining paragraphs | Comments

WikiLeaks says CIA’s “Pandemic” turns servers into infectious Patient Zero

Enlarge / One of the pages published Thursday in WikiLeaks' latest Vault 7 release. (credit: WikiLeaks)

WikiLeaks just published details of a purported CIA operation that turns Windows file servers into covert attack machines that surreptitiously infect computers of interest inside a targeted network.

"Pandemic," as the implant is codenamed, turns file servers into a secret carrier of whatever malware CIA operatives want to install, according to documents published Thursday by WikiLeaks. When targeted computers attempt to access a file on the compromised server, Pandemic uses a clever bait-and-switch tactic to surreptitiously deliver malicious version of the requested file. The Trojan is then executed by the targeted computers. A user manual said Pandemic takes only 15 seconds to be installed. The documents didn't describe precisely how Pandemic would get installed on a file server.

In a note accompanying Thursday's release, WikiLeaks officials wrote:

Read 7 remaining paragraphs | Comments

New Shadow Brokers 0-day subscription forces high-risk gamble on whitehats

Enlarge / Gambling. (credit: Jamie Adams)

The mysterious group that over the past nine months has leaked millions of dollars' worth of advanced hacking tools developed by the National Security Agency said Tuesday it will release a new batch of tools to individuals who pay a $21,000 subscription fee. The plans, announced in a cryptographically signed post published Tuesday morning, are generating an intense moral dilemma for security professionals around the world.

On the one hand, the Shadow Brokers, as the person or group calls itself, has in the past released potent hacking tools into the wild, including two that were used to deliver the WCry ransomware worm that infected more than 200,000 computers in 150 countries. If the group releases similarly catastrophic exploits for Windows 10 or mainstream browsers, security professionals are arguably obligated to have access to them as soon as possible to ensure patches and exploit signatures are in place to prevent similar outbreaks. On the other hand, there's something highly unsavory and arguably unethical about whitehats paying blackhats with a track record as dark as that of the Shadow Brokers.

"It certainly creates a moral issue for me," Matthew Hickey, cofounder of security firm Hacker House, told Ars. "Endorsing criminal conduct by paying would be the wrong message to send. Equally, I think $21k is a small price to pay to avoid another WannaCry situation, and I am sure many of its victims would agree with that sentiment."

Read 11 remaining paragraphs | Comments

A wormable code-execution bug has lurked in Samba for 7 years. Patch now!

Enlarge (credit: Guido Sorarù)

Maintainers of the Samba networking utility just patched a critical code-execution vulnerability that could pose a severe threat to users until the fix is widely installed.

The seven-year-old flaw, indexed as CVE-2017-7494, can be reliably exploited with just one line of code to execute malicious code, as long as a few conditions are met. Those requirements include vulnerable computers that (a) make file- and printer-sharing port 445 reachable on the Internet, (b) configure shared files to have write privileges, and (c) use known or guessable server paths for those files. When those conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges depending on the vulnerable platform.

"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba maintainers wrote in an advisory published Wednesday. They urged anyone using a vulnerable version to install a patch as soon as possible.

Read 9 remaining paragraphs | Comments

“Yahoobleed” flaw leaked private e-mail attachments and credentials

Enlarge (credit: BenGrantham)

For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets.

Chris Evans, the researcher who discovered the vulnerabilities and reported them privately to Yahoo engineers, has dubbed them "Yahoobleed" because the vulnerabilities caused the site to bleed contents stored in server memory. The easy-to-exploit flaws resided in ImageMagick, an image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other programming languages. One version of Yahoobleed was the result of Yahoo failing to install a critical patch released in January 2015. A second Yahoobleed vulnerability was the result of a bug that ImageMagick developers fixed only recently after receiving a private report from Evans.

The vulnerability discovered by Evans could be exploited by e-mailing a maliciously manipulated image file to a Yahoo Mail address. After opening the 18-byte file, chunks of Yahoo server memory began leaking to the end user. Evans called this version of the attack "Yahoobleed1." "Yahoobleed2" worked by using a hacking tool known as "Strings" to exploit the vulnerability fixed in January 2015.

Read 4 remaining paragraphs | Comments

Windows 7, not XP, was the reason last week’s WCry worm spread so widely

Enlarge (credit: Kaspersky Lab)

Eight days ago, the WCry ransomware worm attacked more than 200,000 computers in 150 countries. The outbreak prompted infected hospitals to turn away patients and shut down computers in banks and telecoms. Now that researchers have had time to analyze the self-replicating attack, they're learning details that shed new and sometimes surprising light on the world's biggest ransomware attack.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That's according to Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there's little question Windows 7 was overwhelmingly affected by WCry, which is also known as "WannaCry" and "WannaCrypt." Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.

Read 11 remaining paragraphs | Comments