Internet Explorer security flaw threatens all Windows users

Security researcher John Page has revealed an unpatched exploit in the web browser’s handling of MHT files ( IE’s default web page archiving format) that hackers can use to both spy on Windows users and steal their local data.

IE has been replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer.

The vulnerability affects Windows 7, Windows 10 and Windows Server 2012 R2.

If Windows 7, Windows 10 or Windows Server 2012 R2 encounters one of these, it attempts to open them using IE which means that an attacker simply has to persuade the user to do that. Success would…

Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.

IE should throw up a security warning, but this could be bypassed Page said:

Opening a specially crafted .MHT file using malicious markup tags the user will get no such active content or security bar warnings.

Page posted details of the exploit after Microsoft reportedly declined to roll out an urgent security fix. It instead said a fix would be “considered” in a future release. While that does suggest a patch is on the way, it leaves millions of users potentially vulnerable unless they either turn off Internet Explorer or point to another app that can open MHT files.

Vulnerabilities in the WPA3 Giving Hackers an Easy Way to Steal Wi-Fi passwords

Researchers have found several vulnerabilities in the WPA3 Wi-Fi security protocol. They’re severe enough to let hackers get Wi-Fi passwords easily.

WPA3 was launched in January 2018 by the Wi-Fi Alliance. WPA3 had claimed to be better than WPA2 in various ways like protecting from offline dictionary attacks and forward secrecy, and WPA3 certification also was aiming at making Wi-Fi network more secure. But, the study revealed that there have been many design flaws in WPA3.

Researchers Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University & KU Leuven discovered the flaws in the WPA3 Wi-Fi authentication protocol. They published the results of their research in a technical paper. Vanhoef also discovered the KRACK vulnerability that affected WPA2 in 2017.

The researchers discovered several attacks against the protocol that fall into three categories.

The first category consists of downgrade attacks against WPA3-capable devices.

The second category consists of weaknesses in the Dragonfly handshake of WPA3, which in the Wi-Fi standard is better known as the Simultaneous Authentication of Equals (SAE) handshake. The flaws gives hackers enough information to deduce a password using side channel information, which is data leaked incidentally as part of another process.

Finally, there’s a denial of service attack. an attacker can also flood an access point by bypassing the technique that WPA3 uses to stop people using fake MAC addresses. It can bring a network to its knees with as few as 16 forged connection attempts per second.

The researchers also discovered serious flaws in EAP-PWD. This is a protocol that authenticates using a password. It is used in Android 4.0, and remote access servers using the RADIUS protocol. It is also used infrequently by some Wi-Fi networks. These bugs could allow an attacker to impersonate a user and access a Wi-Fi network without knowing the user’s password.

The researchers informed the Wi-Fi Alliance before releasing their findings, and it issued a press release.

In response to the issue, the Wi-Fi alliance clarified that all these vulnerabilities can be resolved through a simple and regular software update, as people usually perform on their mobile apps.

The WPA-Personal is still in its early stages of deployment, but the device manufacturers which are effected with this have already started to make efforts to resolve these issues.

 

Hackers hijacked ASUS update server to distribute backdoors on ASUS machines

Hackers in 2018 managed to compromise one of the ASUS’s servers used to provide software updates to ASUS machines and used it to distribute a malicious backdoor to unsuspecting Windows machines.

The attack, which has been given the name ShadowHammer was discovered late last year and has since been stopped.

With access to the update server, the attackers were able to distribute malicious files that appeared legitimate because they were given an ASUS digital certificate to make them appear to be authentic. Instead, the phony software updates gave the attackers a backdoor to access infected devices. Kaspersky estimates that about half a million Windows machines received the backdoor from ASUS’ update server. However, the attackers appear to have only been targeting about 600 systems. The malware was designed to search for machines by their MAC address.

Kaspersky said over 57,000 of its users have downloaded and installed the backdoored version of Asus Live Update but the issue may possibly affect over a million users worldwide.

asus-ShadowHammer

Kaspersky said the attack managed to fly under the radar for so long due to the fact that the trojanized updater was signed using legitimate certificates from Asus. As such, nobody ever suspected anything was amiss.

Kaspersky created a tool that can determine if your computer was specifically targeted in the attack by comparing MAC addresses.

Google fixes Chrome zero-day exploit, advises users to upgrade now

Google released an incremental update for Chrome on Mac, Windows, and Linux with the zero-day exploit fix. The company’s security team advises users to update Chrome on all platforms immediately as there is evidence of a malicious party actively using the attack.

This particular attack involves the FileReader API that allows websites to read local files, while the “Use-after-free” class of vulnerabilities — at worse — allows for execution of malicious code.

Google’s internal Threat Analysis Group first caught wind of the exploit on Wednesday, February 27th, which was apparently being used by nefarious actors when the Chrome update was released.

Google also alerted users that the bug was being used in concert with a second exploit attacking the Windows operating system. According to its blog post, it may only impact people running Windows 7 32-bit systems, and those people are encouraged to upgrade to a newer version of the OS, or install patches when/if Microsoft makes them available (seriously, it’s time to move on).

Users are being advised to update Chrome across all platforms. A new version of Chrome for Android was released shortly after the desktop version on Friday, while Chrome OS was patched on Tuesday.

Flaws in 4G/5G Networks Could Let Hackers Track Your Location

According to researchers, Flaws in both 4G and 5G cellular networks could potentially let hackers pinpoint the location of any given smartphone.

An attack dubbed “Torpedo” exploits the way phones send paging data when they receive calls or texts. By placing and cancelling multiple calls to it within a short amount of time, a target device can be made to trigger a paging message without alerting its owner. The scheme can not only be used to track location, but hijack a paging channel and inject or block paging messages, even denying someone messages altogether.

Torpedo can be the gateway to two other exploits, nicknamed “Piercer” and “IMSI-Cracking.” Both can be used to expose a device’s IMSI (international mobile subscriber identity), the former on 4G networks and the latter on both 4G and 5G.

As a result, even 5G phones could be intercepted by Stingray-style tracking devices used by law enforcement, spy agencies, and criminal groups. Needed equipment is said to cost as little as $200.

All four major U.S. carriers are vulnerable to Torpedo, one of the researchers said. The cellular industry has reportedly been notified about the threat.

E-ticketing flaw exposes passenger information to Hackers

The e-ticketing systems of eight airlines, including Southwest Airlines and Dutch carrier KLM, have a vulnerability that could expose personal information and result in tampering with seats and boarding passes.

The exposed data could include the following:

  • Email addresses
  • First and last names
  • Passport or ID information — including the document number, the issuing country and the expiration date
  • Booking references
  • Flight numbers and times
  • Seat assignments
  • Baggage selections
  • Full boarding passes
  • Partial credit card details
  • Details of booking travel companies

Researchers at mobile security firm Wandera published a report highlighting vulnerability found in check-in emails delivered to passengers.

The issue stems from the use of unencrypted check-in links sent to passengers via email. When a person clicks on the link, they are directed to a site to check in for their flight, make changes or print their boarding pass.  The hackers then can view and, in some cases, even change the victim’s flight booking details, or print their boarding passes.

Air France, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa also have this problem, according to Wandera.

“Wandera investigated the e-ticketing systems in use by over 40 global airlines,” said Michael Covington, the company’s VP of product.

Wandera gives vendors up to four weeks to provide a patch or relevant fix before publicly disclosing a vulnerability.

The company has been communicating with “some of the affected airlines” but has not been able to verify that any fixes have been implemented, Covington said.

Cisco fixes serious DoS flaws in email security appliance

Cisco patched two serious denial-of-service (DoS) vulnerabilities that can be exploited remotely without authentication in its email security appliances.

One of the flaws, tracked as CVE-2018-15453 can be exploited by sending a malicious S/MIME-signed email through a targeted device. An attacker can cause appliances to reload and enter a DoS condition by sending a specially crafted S/MIME email.

“If Decryption and Verification or Public Key Harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition. The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again,” the company explained.

“A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA.

The second flaw, tracked as CVE-2018-15460 can be exploited by sending a malicious email message that contains a large number of whitelisted URLs. A successful exploit can cause a sustained DoS condition that could force the affected device to stop scanning and forwarding email messages. The flaw allows an attacker to cause a DoS condition by getting CPU usage to increase to 100%.

Both vulnerabilities were discovered by Cisco itself and there is no evidence of malicious exploitation.

Cisco this week also released 16 other advisories describing “medium severity” flaws affecting ASR routers, Webex, IOS, TelePresence, Prime, IP Phone, Jabber, Identity Services Engine, Firepower, Unified Communications Manager, and Policy Suite products.

 

Android malware steals money from victims’ PayPal account

ESET researchers have found a new Android Trojan hidden inside a battery optimization app that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address.

This happens because during installation, the app requests access to the Android “Accessibility” permission, a very dangerous feature that allows an app to automate screen taps and OS interactions.

If the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it. Once the user opens it and logs in, the malicious accessibility service steps in to perform the transaction.

“During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location,” Stefanko explained.

“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in, – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.”

This particular Trojan bundled up with the bogus battery optimization app is distributed via third-party app stores, but the researchers also spotted five malicious apps with similar capabilities on Google Play, masquerading as tools for tracking the location of other Android users.

That malware concentrates on phishing the credentials for online banking services for several Brazilian banks, as well as on thwarting uninstallation attempts by AV or app manager apps.

The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will also be unable to do anything to stop the transaction from being executed as it all happens in a matter of seconds.

The only thing that will prevent the theft is if the user has insufficient PayPal balance and no payment card connected to the account.

Users who have installed the PayPal-targeting Trojan would do well to check if their accounts have been drained (the malware can repeat the stealing manoeuvre) and to report the unauthorized transactions to PayPal. Changing their Gmail and online banking passwords is also a good idea.

Australia passes new encryption laws that could force tech companies to offer access to encrypted messages

Australia has passed that encryption legislation, which means companies including Apple, Facebook and Google could be forced to “build new capabilities” to thwart encrypted messages.

As reported by CNET, the legislation calls on companies to provide three levels of assistance to law enforcement and select government agencies:

  • Technical Assistance Requests: Companies provide voluntary assistance to aid certain agencies as they perform duties relating to “Australia’s national interests, the safeguarding of national security and the enforcement of the law.”
  • Technical Assistance Notices: Requires companies to provide assistance that is “reasonable, proportionate, practicable and technically feasible.” Providers are able to use existing means like encryption keys to decrypt communications.
  • Technical Capability Notices: Requires companies to build a new capability that enables it to provide assistance to law enforcement agencies and government bodies. The notice cannot force a provider to build or implement a capability to remove electronic protection, such as encryption.

Technical Assistance and Technical Capability Notices both require an underlying warrant or authorization, the bill reads.

Australian government officials have been cautious of using the word “backdoor,” but tech companies worry that the law is essentially a pathway for such tools. Speaking about the piece of legislation, Apple stated that it is “wrong to weaken security for millions of law-abiding customers in order to investigate the very few who post a threat.”

What Apple and other tech companies also worry about is the precedent this could set for other countries. Apple has long opposed the idea of creating a backdoor for government officials, but this new Australian legislation could hurt Apple’s efforts around the world.

Google is shutting down Google+ following massive user data exposure

Following a massive data breach first reported on by The Wall Street Journal, Google announced today that it is shutting down its social network Google+ for consumers.

According to the Wall Street Journal’s sources as well as documents reviewed by the publication, a software vulnerability gave outside developers access to private Google+ user data between 2015 and 2018. And an internal memo noted that while there wasn’t any evidence of misuse on behalf of developers, there wasn’t a way to know for sure whether any misuse took place. Google said that it also found no evidence that any of the developers behind the 438 applications that used the API in question were aware of the bug.

Though Google allows developers to collect Google+ profile information when granted access by users, a bug gave developers access to the profile data of friends of those users as well, regardless of whether those friends had chosen to share that information publicly. It included static data fields such as name, email, occupation, gender and age. It did not include information from Google+ posts. The bug was patched in March 2018, but Google didn’t inform users at that point. “We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks,” the company said in a blog post. “That means we cannot confirm which users were impacted by this bug.”