17 Aug Android 4.3 and SELinux Stefano Ortolani
22 Jul Master Keys and Vulnerabilities Stefano Ortolani
04 Jan TURKTRUST CA Problems Kurt Baumgartner
14 Dec Carberp-in-the-Mobile Denis
28 Nov Google.ro and other RO domains, victims of a possible DNS hijacking attack Stefan Tanase
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Not many weeks ago Google released a new revision of its flagship mobile operating system, Android 4.3. Although some say that this time updates have been quite scarce, from a security perspective there have been some undeniable improvements (among others, the "MasterKey" vulnerability has been finally patched). One of the most prominent is SELinux. Many cheered the event as a long-awaited move, while others criticized its implementation. Personally, I think that the impact is not that easy to assess, especially if we were to question the benefits for end-users. In order to shed some light we can't help but analyze a bit more what SELinux is, and what is its threat model.
Last weeks have been quite busy with announcements of either master keys or Chinese master keys being unveiled, both qualifying as critical vulnerabilities for the Android platform. Although things have finally calmed a bit, we are still waiting for the final act in Las Vegas at Black Hat USA, where Jeff Forristal (the researcher who discovered one of the two afore-mentioned vulnerabilities) will discuss all the pertaining details (you never know whether some surprise is to be expected). Nevertheless, we now have enough information to assess its impact.
First off, the term "master key" is a bit deceiving; the vulnerability, in fact, does not involve any cryptographic primitive, but instead it is all about stashing inside an Android application (the apk file) two versions of the same resource so to partially evade some integrity checks. The impact is, however, prominent, since it means that an adversary is able to tamper with an apk file signed by a trusted authority, so to include a modified resource thereby replacing the genuine one (it is easy too see the case of a modified classes.dex as the most dangerous).
From the user's perspective, this means that an application released and signed by "FamousCompany (tm)" might include some pieces of malicious code without the user noticing. This whole matter, however, is heavily mitigated by the fact that the Play Store (the most widely adopted application store) has been patched so to refuse applications packed as zip files including the same file twice. Nevertheless, based on some reports, some applications in the Play Store are packed like that, although harmlessly, and very likely by mistake (the zip file of the app in question included the same png resource twice). This means, however, that the security checks are only performed upon newly uploaded applications, and do not cover the whole set of applications.
If that was not enough, only few devices (reportedly only the Samsung Galaxy S4) are known to run the code patching this vulnerability. This is quite of interest if we consider that many users retrieve applications from third-party applications stores, which might not vet the uploaded apk files. If the widely discussed device fragmentation is not killing the development industry, we wonder how many users would be likely to accept it if that would result in a constant exposure to bugs like this. Anyway, this is another reason why the very same researchers have released an application checking whether your device is exposed. Kaspersky Lab products actively check that the device is clean from applications exploiting either vulnerabilities by querying the Kaspersky Security Network (KSN). That being said, best way to keep yourself safe from this unwinding chain of events is also avoiding third-party application stores, and leaving the check box "Install from Unknown Source" unselected.
Microsoft releases nine March Security Bulletins. Four of the Bulletins are rated critical, but of the 20 vulnerabilities being patched, 12 are rated critical and enable remote code execution and elevation of privilege. Microsoft software being patched with critical priority include Internet Explorer, Silverlight, Visio Viewer, and SharePoint. So, pretty much everyone running Windows, and lots of Microsoft shops, should be diligently patching systems today.
Pwn2own attracted top offensive security talent to Cansecwest and awarded a half million in prizes for fresh 0day this year, but the event didn't force much Microsoft fix development for this Bulletin release. Adobe, Java, Firefox and Chrome were all hit this year along with two Internet Explorer 10 0day for full compromise on Windows 8 on a Windows Surface Pro tablet.
Instead, MS013-021 is one giant "Internet Explorer Use-After-Free patch", addressing the longest list of IE use-after-free vulnerabilities in a single monthly Bulletin to date. Knowing that only one of these vulnerabilities was disclosed publicly, it almost looks as though they fixed a fuzzer in their own labs or someone stepped up development of their own.
MS013-022 addresses a memory pointer check in Silverlight component HTML rendering - an unusual problem known as "double de-referencing". The interesting thing here is that this client side RCE enables exploitation across not only all of its supported Windows systems, but across Apple's Mac OS X systems. In the light of OS X mass exploitation this past year and the recent slew of OS X-enabled targeted attacks, this patch is important to folks lugging around systems running OS X.
Microsoft recommends that EMET helps mitigate both the Internet Explorer and the Silverlight issues.
On the server side, altogether different from the client side memory corruption issues above, we see a web service vulnerability in Sharepoint, a pretty widely distributed service in organizations. The eye popper here includes an EoP enabled by an XSS flaw that provides remote users with a method to issue Sharepoint commands in the context of an administrative user on the site. These Sharepoint flaws were all privately reported by an outside researcher, but no public disclosure is known. At the same time, a denial of service and buffer overflow issue is being addressed in the Sharepoint code.
MS012-023 addresses vulnerable code in Visio Viewer 2010, but the vulnerable code also is delivered in components within Microsoft Office. The odd thing is that there is no known code path traversal through the vulnerable code within Microsoft Office. And, Microsoft maintains four or five versions of Visio Viewer, a widely used piece of software for organizations to distribute diagrams and charts of all types. However, this vulnerability only affects one version - Microsoft Visio Viewer 2010. Nonetheless, Microsoft is leaning towards addressing any and all security issues (including unknown future issues), and patching the code everywhere it resides including Microsoft Office, whether or not it is traversed at runtime within Office.
Of the lesser rated vulnerabilities, the kernel mode USB descriptor issue seems the most interesting. And yes, the title of this post is out-of proportion and fairly ridiculous. I don't expect another Stuxnet to rise up simply because of this vulnerability. But, in a flashback to Stuxnet exploit vectors, it provides another vector of delivery for arbitrary code to be executed in kernel mode simply by inserting a USB device into a system.
To clarify, the danger here does not lie in the immediate potential for another Stuxnet. The immediate danger lies in the availability of attack surface demonstrated by Stuxnet to enable highly secured, air gapped industrial environments to be infiltrated with Pearl Harbor style surprise and effectiveness.
Microsoft just publicly announced a release to actively "untrust" three certificates issued by Certificate Authority TURKTRUST and its Intermediate CAs, a subsidiary of the Turkish Armed Forces ELELE Foundation Company. According to Microsoft, the company made a couple major mistakes resulting in fraudulent certificate issuance that could be used to MiTM encrypted communications or spoof gmail and a long list of other google properties. A Chrome installation detected a "an unauthorized digital certificate for the "*.google.com" domain" late the night of Dec. 24th 2012, and the Google security team's investigation began there.
We previously wrote several times about Man-in-the-Mobile attacks which aim to steal mTANs sent via SMS. For a long time, only two families of such malware have been known: ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and SpitMo work together with their Windows ‘brothers’. Actually, without them, they would look like trivial SMS spy Trojans. It is necessary to mention that during the last two years such attacks have been observed only in some European countries like Spain, Italy, Germany, Poland and few others.
But when the mobile version of Carberp Trojan appeared (we detect it as Trojan-Spy.AndroidOS.Citmo, Carberp-in-the-Mobile) such attacks became real in Russia as well. There is no secret that online banking is becoming more and more popular in Russia; and banks are very active in promoting online banking with various authorization methods.
Carberp for Windows works in a similar way to the ZeuS Trojan. If a user tries to login into his online banking account using a machine infected by Carberp, the malware will modify the transaction so that user credentials are sent to a malicious server rather than a bank server.
In addition to the login and password, cybercriminals still need mTANs in order to confirm any money transfer operation from a stolen account. That is why one of the Carberp modifications (we call it Trojan-Spy.Win32.Carberp.ugu and we've added detection for it on 11th of December) alters the online banking web page on the fly, inviting the user to download and install an application which is allegedly necessary for logging into the system. And the user can get this link via SMS message by entering his phone number or by scanning a QR-code:
According to this screenshot, users of one of the most popular Russian banks, Sberbank, are under attack. ‘Sberbank’ updated its web page on 12th of December with information about the attack. The link in the QR-code led to the fake ‘SberSafe’ application (Trojan-Spy.AndroidOS.Citmo) which has been in Google Play since 30th of November.
Earlier today, Softpedia reported that an Algerian hacker using the nickname MCA-CRB has managed to deface the Romanian sites of Google (google.ro) and Yahoo! (yahoo.ro).
When we found out about this incident we were pretty skeptical of these websites being hacked. A website as large as Google can be hacked, in theory, but it’s highly unlikely. We then noticed that both domains resolve to an IP address located in the Netherlands: 18.104.22.168 (server1.joomlapartner.nl) – so it rather looks like a DNS poisoning attack.
The question which remains unanswered up until now is where exactly the DNS spoofing/poisoning attack has happened.There are several possible scenarios here:
Phishing is not exactly a ground-breaking technique. Quite the opposite, it seems like it has been around forever. This is an indicator of its effectiveness: we might think that it is unlikely that people would give away their banking credentials just because they are asked for them, but still there is a percentage who continue to become victims of one of the simplest fraud methods.
However both user awareness and anti-phishing tools are making harder for fraudsters to succeed in their attempts to get our money. We see this changing in the decrease in the percentage of spam. That is not the only reason: users are switching to new platforms such as social networks for direct communication.
Today I want to show you an example of the creativeness in avoiding spam and phishing filters.
Yesterday we were contacted by our partner MegaFon, one of the major mobile carriers in Russia. They notified us about a suspicious application, which was found in both the Apple App Store and Google Play. At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself.
However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.
The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google but we haven’t received an answer yet.
Find and Call in the Apple Store
Find and Call in the Google Play
All user comments (both in Apple Store and Google Play) are pretty angry and contain the same complaint that the app sends SMS spam:
Google is set to launch Android 5.0, aka Jelly Bean, this fall. But do we even need it? While Google has made some steps in securing its Play branded marketplace, and offered a few security updates to the operating system, it is a fact that the most targeted Android platform is still 2.x. Why is that? There are several reasons, not the least of which is a lack of security patches provided to previously deployed operating system versions.
I really like the new app by OMGPOP called Draw Something. I play this game with my friends possibly a little too much. Draw Something has attracted more than 50 million downloads, and was just acquired by Zynga for $200 million dollars. It was surprising the other day when I noticed an advertisement at the bottom of the screen for a battery optimizer app. In fact it even told me two upgrades were available!