Apple vastly expands bug bounty program covers all operating systems, payouts up to $1M

Apple has confirmed at the Black Hat conference,  the bug bounty system has been expanded to cover Apple’s other operating systems.

Before that, Apple has restricted its bug bounty program to iOS and limited those who can participate in it. One of the first big changes announced today by Apple’s head of security engineering and architecture Ivan Krstic, is that the program will be opening up to include all of Apple’s platforms, even macOS and watchOS.

Going further, the expanded program will be open to all security researchers come this fall and Apple also shared a list of some of the new payouts which will go up to $1 million. The original iOS bounty program maxed out at a $200,000 payout.

During the conference, Apple provided a list of maximum possible payouts for finding issues, scaling with the difficulty of the attack.

  • Bounties for finding bugs that allow Lock screen bypass or unauthorized access to iCloud pay out $100,000.
  • Discovering vulnerabilities that could allow an attack via a user-installed app or network attacks pay up to $250k, while uncovering bugs that would allow network attacks with no user interaction pay up to $1 million.
  • That top payout is reserved for discovering a zero-click kernel code execution with persistence.
  • Furthermore, if a researcher finds a vulnerability in a pre-release beta build that is reported to Apple ahead of its public release, they stand to earn a bonus of up to 50% on top.

Apple also detailed its new iOS Security Research Device program. It will be launching next year and will also be open to all, as long as applicants have a “track record of high-quality systems security research…”

This is will be set up with permissions to provide more access to the inner workings of iOS, a move which could help increase the number of issues caught before they appear in beta or public-release software.

Latest Mac malware OSX/CrescentCore hides from security software

The latest Mac malware OSX/CrescentCore  trying to avoid detection by security researchers, according to security company Intego.

The company  says it has found CrescentCore on multiple websites, including one claiming to offer free downloads of new comic books.

Dubbed “CrescentCore,” the malware comes as it usually does —in the form of a DMG file pretending to be an Adobe Flash Player installer. If a user opens the .dmg disk image and opens the Player app, the malware will first check to see whether it is running inside a virtual machine.

The malware also checks to see whether any popular Mac antivirus programs are installed. If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.

If there’s nothing in the way one version will install “LaunchAgent,” described as a “persistent infection,” while another will install either “Advanced Mac Cleaner” or a Safari extension.

“Nobody should be installing Flash Player in 2019—not even the real, legitimate one. Nearly all sites have stopped relying on Flash, as Adobe is discontinuing it; the company plans to no longer release security updates for Flash after 2020.” Intego commented.

CrescentCore is signed with multiple developer IDs registered to a “Sanela Lovic,” which Apple has already disabled. Intego’s own antivirus software is already scrubbing the code.

Flipboard discloses breach that gave hackers access to user data

Magazine-style news service Flipboard has revealed that hackers gained access to user passwords several times over the last nine months.

Between June 2, 2018 and April 22 this year databases were hit by “unauthorized access,” Flipboard said in an email to customers. The hackers may have “potentially” stolen information such as names, email addresses, and passwords, although the passwords were reportedly salted and hashed rather than saved in plain text.

The hacks exposed a variety of information connected to Flipboard user accounts, with the intruder able to access usernames, passwords, email addresses, and tokens used for connecting to third-party social networks such as Twitter. The passwords were protected using “salted hashing,” so long as they had been updated since March of 2012. Passwords from March 2012 and earlier were hashed with a weaker SHA-1 function.

As for the third-party account tokens, Flipboard says that it has “not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts.”

The company didn’t say how many people may have been impacted. As a safeguard however it’s notifying police, deleting any third-party tokens, and resetting all passwords, which may suggest widescale impact.

Security researcher exposes macOS malware vulnerability

Security researcher Filippo Cavallarin has worked out a way that malware makers can bypass the macOS Gatekeeper protections to run malicious code. The bypass remains unaddressed by Apple as of last week’s macOS 10.14.5 release.

Gatekeeper is a macOS security tool that verifies applications immediately after they are downloaded. This prevents applications from being run without user consent. When a user downloads an app from outside of the Mac App Store, Gatekeeper is used to check that the code has been signed by Apple. If the code has not been signed, the app won’t open without the user giving direct permission.

Cavallarin writesthe security hole on his blog and explains how it gets around Gatekeeper – the feature that prompts users to confirm they want to install applications from outside the Mac App Store.

Gatekeeper considers network shares to be ‘safe’ locations that don’t require permission checks, an intruder just has to trick the user into mounting one of those shares to run the apps they like.

Cavallarin said he notified Apple of the vulnerability on February 22nd, and that was supposed to have been resolved as of macOS 10.14.5. He said it wasn’t, though, and that Apple had stopped responding to his emails. He was publishing the flaw after giving Apple 90 days to address the issue.

 

New ‘ZombieLoad’ Intel chip Vulnerability Affects Dating Back to 2011

Security researchers have discovered a new set of vulnerabilities named ZombieLoad that affect Intel chips dating back to 2011.

These vulnerabilities are as serious as the Meltdown and Spectre vulnerabilities that were discovered in early 2018 and take advantage of the same speculative execution process, which is designed to speed up data processing and performance.

ZombieLoad impacts almost every Intel computer dating back to 2011, but AMD and ARM chips are not affected. A demonstration of ZombieLoad was shared on YouTube, displaying how it works to see what you’re doing on your computer. While spying on web browsing is demoed, it can also be used for other purposes like stealing passwords.

A white paper shared by notable security researchers (including some who worked on Spectre and Meltdown) offers details on how ZombieLoad functions. [PDF]

Intel has released microcode for vulnerable processors. Apple addressed the vulnerability in the macOS Mojave 10.14.5 update that was released and in security patches for older versions of macOS that were also released.

 

WhatsApp discloses a security flaw that enabled spyware to be installed on Phone

A report from The Financial Times  details a vulnerability in WhatsApp that allowed attackers to install Israeli spyware onto phones via the app’s call feature.

The sophisticated spyware, called Pegasus, was developed by Israeli company NSO Group and transmitted by calling users via WhatsApp on iOS and Android.

The software could be installed on Android and iPhone handsets simply by calling the targeted person through WhatsApp.  It could be injected even if a user did not answer the WhatsApp call. In many cases, call logs would even disappear from the target’s device, erasing any evidence that their phone had been tampered with.

Many details about the vulnerability remain unclear, but the report suggests that the loophole was open for several weeks. In a statement, WhatsApp said:

This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.

WhatsApp said it’s still investigating the matter and it was too early to say how many users had been impacted by the spyware, suggesting only that it was a “select number” of people. WhatsApp reportedly disclosed the issue to the United States Department of Justice last week, and started deploying a fix to its servers on Friday.

WhatsApp told users to check that they’re running the latest version of the app on their devices. It also advised users to make sure their mobile operating system is up to date to ensure proper protection against potential targeted exploits designed to access information stored on mobile devices.

The Pegasus spyware is usually licensed to governments who use it to gain access to the devices of individuals targeted in investigations.

In a statement, NSO Group said its technology is used by “authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions.”

The company said it always investigates any “credible allegations of misuse and if necessary, we take action, including shutting down the system.”

It added: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization.”

Read the full report from The Financial Times here.

Internet Explorer security flaw threatens all Windows users

Security researcher John Page has revealed an unpatched exploit in the web browser’s handling of MHT files ( IE’s default web page archiving format) that hackers can use to both spy on Windows users and steal their local data.

IE has been replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer.

The vulnerability affects Windows 7, Windows 10 and Windows Server 2012 R2.

If Windows 7, Windows 10 or Windows Server 2012 R2 encounters one of these, it attempts to open them using IE which means that an attacker simply has to persuade the user to do that. Success would…

Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.

IE should throw up a security warning, but this could be bypassed Page said:

Opening a specially crafted .MHT file using malicious markup tags the user will get no such active content or security bar warnings.

Page posted details of the exploit after Microsoft reportedly declined to roll out an urgent security fix. It instead said a fix would be “considered” in a future release. While that does suggest a patch is on the way, it leaves millions of users potentially vulnerable unless they either turn off Internet Explorer or point to another app that can open MHT files.

Vulnerabilities in the WPA3 Giving Hackers an Easy Way to Steal Wi-Fi passwords

Researchers have found several vulnerabilities in the WPA3 Wi-Fi security protocol. They’re severe enough to let hackers get Wi-Fi passwords easily.

WPA3 was launched in January 2018 by the Wi-Fi Alliance. WPA3 had claimed to be better than WPA2 in various ways like protecting from offline dictionary attacks and forward secrecy, and WPA3 certification also was aiming at making Wi-Fi network more secure. But, the study revealed that there have been many design flaws in WPA3.

Researchers Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University & KU Leuven discovered the flaws in the WPA3 Wi-Fi authentication protocol. They published the results of their research in a technical paper. Vanhoef also discovered the KRACK vulnerability that affected WPA2 in 2017.

The researchers discovered several attacks against the protocol that fall into three categories.

The first category consists of downgrade attacks against WPA3-capable devices.

The second category consists of weaknesses in the Dragonfly handshake of WPA3, which in the Wi-Fi standard is better known as the Simultaneous Authentication of Equals (SAE) handshake. The flaws gives hackers enough information to deduce a password using side channel information, which is data leaked incidentally as part of another process.

Finally, there’s a denial of service attack. an attacker can also flood an access point by bypassing the technique that WPA3 uses to stop people using fake MAC addresses. It can bring a network to its knees with as few as 16 forged connection attempts per second.

The researchers also discovered serious flaws in EAP-PWD. This is a protocol that authenticates using a password. It is used in Android 4.0, and remote access servers using the RADIUS protocol. It is also used infrequently by some Wi-Fi networks. These bugs could allow an attacker to impersonate a user and access a Wi-Fi network without knowing the user’s password.

The researchers informed the Wi-Fi Alliance before releasing their findings, and it issued a press release.

In response to the issue, the Wi-Fi alliance clarified that all these vulnerabilities can be resolved through a simple and regular software update, as people usually perform on their mobile apps.

The WPA-Personal is still in its early stages of deployment, but the device manufacturers which are effected with this have already started to make efforts to resolve these issues.

 

Hackers hijacked ASUS update server to distribute backdoors on ASUS machines

Hackers in 2018 managed to compromise one of the ASUS’s servers used to provide software updates to ASUS machines and used it to distribute a malicious backdoor to unsuspecting Windows machines.

The attack, which has been given the name ShadowHammer was discovered late last year and has since been stopped.

With access to the update server, the attackers were able to distribute malicious files that appeared legitimate because they were given an ASUS digital certificate to make them appear to be authentic. Instead, the phony software updates gave the attackers a backdoor to access infected devices. Kaspersky estimates that about half a million Windows machines received the backdoor from ASUS’ update server. However, the attackers appear to have only been targeting about 600 systems. The malware was designed to search for machines by their MAC address.

Kaspersky said over 57,000 of its users have downloaded and installed the backdoored version of Asus Live Update but the issue may possibly affect over a million users worldwide.

asus-ShadowHammer

Kaspersky said the attack managed to fly under the radar for so long due to the fact that the trojanized updater was signed using legitimate certificates from Asus. As such, nobody ever suspected anything was amiss.

Kaspersky created a tool that can determine if your computer was specifically targeted in the attack by comparing MAC addresses.

Google fixes Chrome zero-day exploit, advises users to upgrade now

Google released an incremental update for Chrome on Mac, Windows, and Linux with the zero-day exploit fix. The company’s security team advises users to update Chrome on all platforms immediately as there is evidence of a malicious party actively using the attack.

This particular attack involves the FileReader API that allows websites to read local files, while the “Use-after-free” class of vulnerabilities — at worse — allows for execution of malicious code.

Google’s internal Threat Analysis Group first caught wind of the exploit on Wednesday, February 27th, which was apparently being used by nefarious actors when the Chrome update was released.

Google also alerted users that the bug was being used in concert with a second exploit attacking the Windows operating system. According to its blog post, it may only impact people running Windows 7 32-bit systems, and those people are encouraged to upgrade to a newer version of the OS, or install patches when/if Microsoft makes them available (seriously, it’s time to move on).

Users are being advised to update Chrome across all platforms. A new version of Chrome for Android was released shortly after the desktop version on Friday, while Chrome OS was patched on Tuesday.