Category Archives: Security Updates

OpenSSL Patched Two Vulnerabilities This Week

The OpenSSL Project announced the availability of OpenSSL 1.0.2n on Thursday, a version that fixes two vulnerabilities discovered by a Google researcher. Google’s David Benjamin identified the flaws using the search giant’s OSS-Fuzz fuzzing service.

CVE-2017-3737, one of the security holes, is linked to an “error state” mechanism introduced in OpenSSL 1.0.2b. The mechanism is designed to cause an immediate failure if there is an attempt to continue a handshake after a fatal error has occurred. The problem is that if the SSL_read() or SSL_write() functions are called directly, the mechanism doesn’t work properly.

“If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer,” OpenSSL said in its advisory.

While this vulnerability could have severe implications, it has only been rated “moderate severity” because the targeted application would need to have a bug that causes a call to SSL_read() or SSL_write() after getting a fatal error.

The other vulnerability Benjamin reported to the OpenSSL Project is CVE-2017-3738, an overflow bug that could allow an attacker to access TLS-protected communications. However, an attack is very difficult to carry out, which is why the issue has been classified as “low severity.” CVE-2017-3738 is similar to CVE-2017-3736 and CVE-2017-3732, the two other vulnerabilities found using the OSS-Fuzz tool and fixed last month, and to CVE-2015-3193, an issue patched in December 2015.

CVE-2017-3738 affects both the 1.0.2 and 1.1.0 branches of OpenSSL. However, because it is low severity, OpenSSL 1.1.0 has not been updated on this occasion. The vulnerability will be fixed in OpenSSL 1.1.0h when it becomes available. This is the fourth OpenSSL update of 2017 that fixes security bugs and, unless a serious problem is discovered, it is expected to be the last. OpenSSL security updates were also announced in January and February.

Google Issues 47 Android Bug Patches, Ten of Them Rated Critical

Nexus and Pixel owners get their patches on Tuesday, US time. The rest of us peasants have to wait.

Google has pushed out 47 Android fixes for Nexus and Pixel devices.

Among the critical bugs in the Android Security Bulletin, five concern the media framework, one is system-level, and four hit Qualcomm components. Google says the worst is one of the media framework bugs, not yet fully disclosed, which “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process”.

Two of the media framework bugs affect only Android 6.0 (31 per cent of active devices), one affects only Android 8.0 (0.3 per cent), one affects all versions between 7.0 and 8.0 (20.9 per cent), and the most widespread is in every version after 6.0 (nearly 52 per cent of devices).

Google has not yet publicly disclosed the nature of these bugs, nor has it revealed the system-level bug that affects Android 7.0 onward, beyond stating that “a proximate attacker” could “execute arbitrary code” (in other words, vulnerable versions could be compromised over the air, whether via WiFi, the cellular modem, or Bluetooth).

Three of the four bugs inherited from Qualcomm have previously been made public. In CVE-2017-11043, there’s an integer overflow in the numap procedure (part of the WiFi code); in CVE-2016-3706 and CVE-2016-4429, there’s an overflow in a UDP RPC module. All three could be remotely exploitable.

A Qualcomm closed-source component is affected by the yet-to-be-disclosed CVE-2017-6211.

Thirty-seven of the bugs are rated “High”, five of which are likewise Qualcomm-specific, and one is an upstream fix in the Linux kernel to mitigate a privilege escalation bug.

Other vendors in the naughty corner include MediaTek and Nvidia, with 3 vulnerabilities each.

Pixel and Nexus firmware images are due December 5, source code fixes will land within forty-eight hours, US time, and the rest of the world can, as usual, wait for fixes to make their weary way down via carriers and vendors to land as an over-the-air update. Eventually.

Apple’s Latest macOS Security Update Fixes USB Threat

One of the vulnerabilities addressed by Apple in its latest set of security updates for macOS is an arbitrary code execution flaw that could be exploited via malicious USB devices.

Discovered by Trend Micro security researchers and reported to Apple in April 2017, the issue exists in fsck_msdos, a system tool designed to check for and fix errors in devices formatted with the FAT filesystem. The researchers found that, because the tool is automatically invoked by macOS when a device using the FAT filesystem (such as a USB disk or SD card) is inserted, a security flaw could allow malicious devices to execute arbitrary code when they are connected to a Mac.

The vulnerability is caused by a memory corruption issue and its exploitation could lead to an attacker taking full control of a vulnerable system, Trend Micro says.

“We do not believe that this attack has been used in the wild. We strongly recommend that users update their software to address this flaw, as well as the others that were part of this update cycle,” the security researchers note.

Trend Micro found that malicious code could change a byte containing the high bits of a memory address to an arbitrary value, setting it to point to another address.

“If the target address is sprayed with a malformed dosDirEntry structure, arbitrary code execution is now possible. This can potentially allow an attacker to take over the vulnerable device,” the security researchers note.

Tracked as CVE-2017-13811, the vulnerability was addressed by Apple with the release of macOS High Sierra 10.13.1 (and Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan), which fixed approximately 150 vulnerabilities, including 3 KRACK-related flaws.

Trend Micro explains that fsck_msdos is used in other BSD-based operating systems, as well as in Android. Because of that, other vendors were also informed of the vulnerability, including Google.

However, it appears that the issue won’t be resolved in Android, because “fsck_msdos runs under a very restricted SELinux domain.” Nevertheless, Google is apparently looking into addressing the bug in a future release of the operating system, the researchers note.

IT administrators are advised to restrict USB access to devices to reduce the impact of this vulnerability, especially considering that this is a method commonly used by malware to get into targeted systems. They should also consider physical controls for particularly sensitive devices.

October’s Patch Tuesday covers Windows, IE, Edge and Office

In October’s Patch Tuesday, Microsoft rolled out six security bulletins that cover more than 30 vulnerabilities affecting Windows, Internet Explorer, Edge, and Office. Of the six bulletins released, three are rated ‘CRITICAL’. MS15-106, a critical-rated bulletin, addresses 14 vulnerabilities in Internet Explorer. The issues fixed in this bulletin relate to memory corruption, privilege escalation, information disclosure, and VBScript and JScript ASLR bypass. Another critical-rated bulletin, MS15-108, patches various information disclosure, memory corruption, and ASLR bypass vulnerabilities in the VBScript and JScript scripting engines in Windows. The third and last critical bulletin addresses a flaw in Microsoft Windows that allows remote code execution when a specially crafted toolbar object is opened in Windows.

Apple iOS 9 Patches AirDrop Flaw

Apple has released an update for iOS 9 that fixes a critical security flaw allowing intruders to inject malicious files into iPhones that can later be used to hijack the victim’s phone. Security researcher Mark Dowd from Azimuth Security found the issue, which affects almost all devices using iOS 7 or later, along with all Mac OS X Yosemite versions. In a proof of concept, Mark Dowd forced crafted files onto an iPhone using Apple’s AirDrop, even though the transfer request was denied by the user. AirDrop provides file sharing between iOS and OS X devices using WiFi and/or Bluetooth. AirDrop is vulnerable to a directory traversal attack that allows intruders to modify the victim’s OS settings and install malicious apps. All an attacker needs to install a malicious app is a legitimate Apple enterprise certificate to validate the app’s installation process.

Beware!! Android Lollipop users

Researchers from the University of Texas have found a security flaw in the lock screen feature of Android 5.x. According to John Gordon, a network security analyst at the University of Texas, the issue exists in the password field, which is unable to handle a sufficiently long string while the camera app is active, allowing an attacker to crash the lock screen. From the locked screen, one can easily bypass the security. The potential attacker can open the emergency call window, fill it with characters, then copy those into the password field via the settings option on the locked screen until the user interface crashes. USB debugging can then be used as normal to access the vulnerable device, execute arbitrary commands, or gain access to files with full rights. Google was notified about the issue earlier this year and responded swiftly, releasing a security patch in June to rectify it. Google urges users to apply updates as soon as possible.

Google Chrome 45 addresses 29 flaws

Google has released Chrome 45 to address 29 security flaws affecting Windows, Mac, and Linux platforms. According to the Google advisory, six issues are rated as CRITICAL, allowing remote code execution. These high-severity issues include cross-origin bypass flaws in DOM, covered in CVE-2015-1291 and CVE-2015-1293, and a cross-origin bypass issue in Service Worker, covered in CVE-2015-1292. Besides these, there are use-after-free flaws in Skia (CVE-2015-1294) and Printing (CVE-2015-1295), and a character spoofing bug in the Omnibox address bar (CVE-2015-1296). The latest version also patches medium-severity vulnerabilities in WebRequests, extensions and the Blink web browser engine. Google credits security researchers Mariusz Mlynski, Rob Wu, Alexander Kashev, and experts using the online monikers taro.suzuki.dev, cgvwzq, cloudfuzzer, and zcorpan for finding vulnerabilities in the browser. So far, the company has given rewards of $40,500 through its bug bounty program. Moreover, Google has decided to stop running Flash ads due to the various flaws found in Adobe Flash from time to time. Google is automatically converting most of the Flash ads uploaded to AdWords to HTML5; otherwise it can be done manually using a tool provided by the company.

Bugzilla Hack Exposes Firefox 0-day Flaws

Mozilla has confirmed that Bugzilla was breached by an attacker who was able to access sensitive information about zero-day flaws in Firefox. According to Mozilla, the intruder compromised the account of a high-level user with access to Bugzilla information on non-public zero-day security flaws. Mozilla said the attacker had control of the account since September 2013 and accessed approximately 185 non-public vulnerabilities, 53 of which were considered CRITICAL flaws. However, the company claims 43 of the severe flaws had already been patched, but 10 unpatched security flaws are still in the hands of the intruder, which poses a huge security risk for Firefox users.

0-day in the Fancybox-for-WordPress Plugin

WordPress, the most popular open-source blogging tool and content management system (CMS), is under attack by hackers targeting the Fancybox plugin used in WordPress. Security researchers from Sucuri issued an alert regarding the affected plugin, which allows attackers to inject a malformed iframe into websites. FancyBox is used to display images, HTML content and multimedia in an overlay on top of web pages. It is one of the most widely used WordPress plugins, downloaded around 600,000 times from the official website. According to Sucuri researchers, it’s a high-risk vulnerability that allows malware to be loaded on affected websites that use the outdated plugin. It is in users’ interest to apply the security update as soon as possible.