Malware


DEFCON Round Up: The Good, The Bad and The Underage

DEFCON, the cash-only, aliases-welcome hacker conference, took place in the moral vacuum of Las Vegas, Nevada this weekend, as it has every summer since 1993. This year there was no shortage of controversial presentations and panel discussions. If you were short the airfare or the $150 entrance fee, gave up on the three-hour line-ageddon to pick up your badge, or – admit it – your boss (or spouse) just wouldn’t let you go, have no fear. The show was crawling with media, including computer security reporters and even the mainstream media (CBS and NPR were there). Here’s our roundup of some of the major stories to come out of this year’s DEFCON conference.


LAS VEGAS–The way that things are right now in mobile security, there does not look to be much hope for keeping corporate and personal data secure. A panel of researchers who focus on looking for attacks and bugs at various levels of the mobile device and infrastructure said at Black Hat that there are so many ways an attacker can compromise phones, from the infrastructure all the way down to the application level, that defending against all of them is highly problematic.

Three Ways that Google’s Chrome OS Could Enable Really Nasty Web Based Attacks

Researchers at the Black Hat Briefings conference in Las Vegas warn that Google’s new Chrome Operating System could enable certain kinds of Web based attacks.

Google’s new Chrome Operating System was designed to fix the nagging security problems that have plagued platforms like Microsoft Windows. But new research unveiled at the Black Hat Briefings in Las Vegas suggests that the new cloud-centric OS, while far more secure, may also introduce some troubling security issues, too.

In their talk, Web security researchers Matt Johansen and Kyle Osborn, both of Whitehat Security, said that a thorough audit of Google’s Chrome OS turned up numerous security issues, most of which are not specific to Chrome, but which could still be used to push malicious programs to devices running Chrome, hijack Google or other online accounts of Chrome users and steal sensitive information. The researchers spoke Wednesday in a Black Hat session dubbed “Hacking Google Chrome OS,” which presented the results of a WhiteHat audit that was authorized by Google itself.

The two gave the Web based OS high marks on many traditional measures of security, noting that Chrome OS eliminates many traditional targets of malware and attacks: Chrome OS devices don’t use internal hard drives, eliminating the possibility of persistent malware infections and data theft. “We’re not looking for the ‘usual suspects’ like buffer overflows or vulnerabilities in (Adobe) Flash or (Microsoft) Office,” Johansen told the audience. Instead, the researchers said they focused their attention on some of the core APIs (application program interfaces) that undergird Chrome, and on extensions to Chrome that might allow attackers to push malicious content before a user, capture information from them or access sensitive databases and other data stores.

Among other things, the two researchers found that a notepad application, Scratchpad, that comes bundled with Chrome OS on Chromebooks contained a cross site scripting vulnerability that could have allowed one Chrome user to hijack another user’s Google account and make off with their Google contacts and other data by way of a shared Scratchpad and some simple JavaScript. Google has since closed that security hole, the researchers said.

In analyzing key Chrome APIs, the two found that those interfaces permitted behavior that, while not unique to Chrome, could make stealthy attacks against Chrome OS environments child’s play. APIs like chrome.windows and chrome.tabs allow new browser windows to be opened and scripts run automatically upon accessing a specific Web site – a feature that could be used, for example, to craft attacks against banking or e-commerce Web sites.

Chrome extensions, if not properly written, could contain cross site scripting holes that could then be leveraged by an attacker against any Web site. Google’s policy of abstaining from reviews of extensions that are uploaded to the company’s Web store also poses a problem by allowing clearly malicious extensions to be posted without any review or sanity checking. During the demonstration, the two showed off a custom extension they developed that collected a number of malicious features, including one that could allow an attacker to launch an internal port scan from a Web browser with some simple HTML and Java coding. Osborn said he was able to upload the malicious extension to Google’s Web store, from which other users could download it.

Google hasn’t contested the researchers’ findings, but says the attacks they demonstrated aren’t unique to its operating system, but are typical of Web based attacks that affect all operating systems. “We think that the characterization that this is a new attack surface created with Chrome OS seems inconsistent,” a company spokesman told Threatpost.

According to the Whitehat researchers, Google is weighing responses to the security issues they raised, including the introduction of application specific APIs that would allow the company to more tightly control access permissions for extensions and limit access to other data stored on Google. A Google spokesman declined to comment on that. For now, the company said it wants to work with developers to avoid cross site scripting. “Extensions are powerful software, and there are a number of things that come into play with that, but this isn’t about the Chrome OS, it’s about the Web and those extensions,” the spokesman said.

Global 2000 companies can be split into two categories, according to the author of a new white paper from McAfee (PDF): those that know they’ve been compromised and those that don’t yet know. “The only organizations that are exempt from this threat,” writes the paper’s author, Dmitri Alperovitch, “are those that don’t have anything valuable or interesting worth stealing.”

The world moves fast, but much of the world of vulnerability research and exploitation has been stuck in stasis for the last few years. Much of the focus has been on memory-corruption vulnerabilities, application-level bugs and using Java and Flash to get around exploit mitigations and other protections. But that seems to be changing now, if the topics and depth of research at this week’s Black Hat conference are any evidence.