
      Google Pays $10M in Bug Bounties in 2023

      news.movim.eu / Schneier · Thursday, 21 March - 16:04

    BleepingComputer has the details. It’s $2M less than in 2022, but it’s still a lot.

    The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million.

    For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million.

    Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports.

    During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables.

    Google’s other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.

    Slashdot thread.

      VMware sandbox escape bugs are so critical, patches are released for end-of-life products

      news.movim.eu / ArsTechnica · Wednesday, 6 March - 20:19


    VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products.

    A constellation of four vulnerabilities—two carrying severity ratings of 9.3 out of a possible 10—is serious because the bugs undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that’s segmented from the host machine. VMware officials said that the prospect of a hypervisor escape warranted an immediate response under the company’s IT Infrastructure Library, a process usually abbreviated as ITIL.

    “Emergency change”

    “In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization,” the officials wrote in a post. “However, the appropriate security response varies depending on specific circumstances.”


      Critical vulnerability affecting most Linux distros allows for bootkits

      news.movim.eu / ArsTechnica · Wednesday, 7 February - 01:37 · 1 minute


    Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they’re hard to detect or remove.

    The vulnerability resides in shim, which in the context of Linux is a small component that runs in the firmware early in the boot process before the operating system has started. More specifically, the shim accompanying virtually all Linux distributions plays a crucial role in secure boot, a protection built into most modern computing devices to ensure every link in the boot process comes from a verified, trusted supplier. Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by executing malicious firmware at the earliest stages of the boot process before the Unified Extensible Firmware Interface firmware has loaded and handed off control to the operating system.

    The vulnerability, tracked as CVE-2023-40547, is what’s known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It resides in the part of the shim that handles booting from a central server on a network using the same HTTP protocol that the web is based on. Attackers can exploit the code-execution vulnerability in various scenarios, virtually all following some form of successful compromise of either the targeted device or the server or network the device boots from.


      As if two Ivanti vulnerabilities under exploit wasn’t bad enough, now there are 3

      news.movim.eu / ArsTechnica · Tuesday, 6 February - 02:30


    Mass exploitation began over the weekend for yet another critical vulnerability in widely used VPN software sold by Ivanti, as hackers already targeting two previous vulnerabilities diversified, researchers said Monday.

    The new vulnerability, tracked as CVE-2024-21893, is what’s known as a server-side request forgery. Ivanti disclosed it on January 22, along with a separate vulnerability that so far has shown no signs of being exploited. Last Wednesday, nine days later, Ivanti said CVE-2024-21893 was under active exploitation, aggravating an already chaotic few weeks. All of the vulnerabilities affect Ivanti’s Connect Secure and Policy Secure VPN products.

    A tarnished reputation and battered security professionals

    The new vulnerability came to light as two other vulnerabilities were already under mass exploitation, mostly by a hacking group researchers have said is backed by the Chinese government. Ivanti provided mitigation guidance for the two vulnerabilities on January 11, and released a proper patch last week. The Cybersecurity and Infrastructure Security Agency, meanwhile, mandated all federal agencies under its authority disconnect Ivanti VPN products from the Internet until they are rebuilt from scratch and running the latest software version.


      New Windows/Linux Firmware Attack

      news.movim.eu / Schneier · Monday, 11 December - 22:00 · 1 minute

    Interesting attack based on malicious pre-OS logo images:

    LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux….

    The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs….

    As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.

    “Once arbitrary code execution is achieved during the DXE phase, it’s game over for platform security,” researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. “From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started.”

    From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started.

    Details.

    It’s an interesting vulnerability. Corporate buyers want the ability to display their own logos, and not the logos of the hardware makers. So the ability has to be in the BIOS, which means that the vulnerabilities aren’t being protected by any of the OS’s defenses. And the BIOS makers probably pulled some random graphics library off the Internet and never gave it a moment’s thought after that.


      Google researchers report critical zero-days in Chrome and all Apple OSes

      news.movim.eu / ArsTechnica · Friday, 1 December - 00:38


    Researchers in Google's Threat Analysis Group have been as busy as ever, with discoveries that have led to the disclosure of three high-severity zero-day vulnerabilities under active exploitation in Apple OSes and the Chrome browser in the span of 48 hours.

    Apple on Thursday said it was releasing security updates fixing two vulnerabilities present in iOS, macOS, and iPadOS. Both of them reside in WebKit, the engine that drives Safari and a wide range of other apps, including Apple Mail, the App Store, and all browsers running on iPhones and iPads. While the update applies to all supported versions of Apple OSes, Thursday’s disclosure suggested in-the-wild attacks exploiting the vulnerabilities targeted earlier versions of iOS.

    “Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” Apple officials wrote of both vulnerabilities, which are tracked as CVE-2023-42916 and CVE-2023-42917.


      ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation

      news.movim.eu / ArsTechnica · Wednesday, 29 November - 00:38 · 1 minute


    Security researchers are tracking what they say is the “mass exploitation” of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open-source filesharing server app.

    The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing “mass exploitation” in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

    Spraying the Internet

    “We're seeing hits to the specific endpoint that exposes sensitive information, which would be considered exploitation,” Glenn Thorpe, senior director of security research & detection engineering at Greynoise, said in an interview on Mastodon. “At the moment, we've seen 13 IPs that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits.”


      Email Security Flaw Found in the Wild

      news.movim.eu / Schneier · Tuesday, 21 November - 03:48

    Google’s Threat Analysis Group announced a zero-day against the Zimbra Collaboration email server that has been used against governments around the world.

    TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on Github. To ensure protection against these types of exploits, TAG urges users and organizations to keep software fully up-to-date and apply security updates as soon as they become available.

    The vulnerability was discovered in June. It has been patched.


      Critical vulnerability in Atlassian Confluence server is under “mass exploitation”

      news.movim.eu / ArsTechnica · Monday, 6 November - 23:40


    A critical vulnerability in Atlassian’s Confluence enterprise server app that allows attackers to run malicious commands and reset servers is under active exploitation by threat actors in attacks that install ransomware, researchers said.

    “Widespread exploitation of the CVE-2023-22518 authentication bypass vulnerability in Atlassian Confluence Server has begun, posing a risk of significant data loss,” Glenn Thorpe, senior director of security research and detection engineering at security firm GreyNoise, wrote on Mastodon on Sunday. “So far, the attacking IPs all include Ukraine in their target.”

    He pointed to a page showing that between 12 am and 8 am on Sunday UTC (around 5 pm Saturday to 1 am Sunday Pacific Time), three different IP addresses began exploiting the critical vulnerability, which allows attackers to restore a database and execute malicious commands. The IPs have since stopped those attacks, but he said he suspected the exploits are continuing.
