iOS apps can read metadata revealing users’ location histories

EXIF through a gift shop full of personal data

In what looks like an Apple oversight, a developer has discovered that apps can access image metadata and therefore a pretty good history of iThing users’ location.…

Source


Google publishes PoC Exploit code for iPhone Wi-Fi Chip hack


The post Google publishes PoC Exploit code for iPhone Wi-Fi Chip hack appeared first on Security Affairs.

Google disclosed details and a proof-of-concept exploit for iPhone Wi-Fi firmware vulnerability affecting Broadcom chipsets in iOS 10 and earlier.

This week Google disclosed details and a proof-of-concept exploit for a Wi-Fi firmware vulnerability affecting Broadcom chipsets in iOS 10 and earlier. The flaw that was patched this week could be exploited by attackers to execute code and establish a backdoor on a targeted device. The attackers just need the iPhone’s MAC address or network-port ID.

The vulnerability, tracked as CVE-2017-11120, is a memory corruption issue; Apple addressed it in the security update that accompanied the release of iOS 11.

“Attaching exploit for this issue. The exploit gains code execution on the Wi-Fi firmware on the iPhone 7. The password for the archive is “rrm_exploit”.” states the bug report published by Google Project Zero researcher Gal Beniamini.

“The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 (14C92), but should work on all versions of iOS up to 10.3.3 (included). However, some symbols might need to be adjusted for different versions of iOS, see “exploit/symbols.py” for more information.”

Beniamini’s exploit code allowed the expert to establish a backdoor into the Broadcom chip’s firmware, which allowed him to remotely read and write commands to the firmware.

“Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).” continues the report.

The exploit code works against the firmware packaged with iOS 10.2 and should work on versions up to and including 10.3.3. The experts also verified that the BCM4355C0 system on chip with firmware version 9.44.78.27.0.1.56 is vulnerable.

The vulnerability resides in the Broadcom chips used in the iPhone and other Apple products, including the Apple TV and the Apple Watch.

This vulnerability is similar to the one Gal Beniamini discovered in the Broadcom WiFi SoC (System-on-Chip) back in April, and to the BroadPwn critical remote code execution vulnerability (CVE-2017-3544), which affects the Broadcom BCM43xx family of WiFi chipsets.

Since there is no way for users to find out whether their device is running the vulnerable BCM4355C0 firmware, they are urged to update their iPhones to iOS 11.

Pierluigi Paganini

(Security Affairs – WhatsApp, Censorship)


Source

Apple macOS High Sierra Exploit Lets Hackers Steal Keychain Passwords in Plaintext

Apple yesterday rolled out a new version of its macOS operating system, dubbed High Sierra 10.13—a few hours before an ex-NSA hacker publicly disclosed the details of a critical vulnerability that affects High Sierra as well as all earlier versions of macOS.
Patrick Wardle, an ex-NSA hacker and now head of research at security firm Synack, found a critical zero-day vulnerability in macOS that

Source

Hackers exploit an undocumented Word feature for user fingerprinting


The post Hackers exploit an undocumented Word feature for user fingerprinting appeared first on Security Affairs.

Kaspersky researchers discovered a new attack technique leveraging an undocumented Word feature to gather information on users.

Kaspersky researchers discovered a new attack technique leveraging Microsoft Word documents to gather information on users. The technique is innovative because it doesn’t rely on active content such as macros or exploits; instead it abuses an undocumented Word feature to fingerprint users.

The attackers sent phishing emails carrying Word documents in OLE2 format that contained links to PHP scripts hosted on third-party web resources. Once the user opened a file in Microsoft Office, the application accessed one of the links, and the attackers received information about the software installed on the target machine.

“They were in OLE2 format and contained no macros, exploits or any other active content. However, a close inspection revealed that they contained several links to PHP scripts located on third-party web resources.” reads the analysis published by Kaspersky Lab. “When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links. As a result, the attackers received information about the software installed on the computer.”

One of the documents analyzed by the researchers contained tips on how to use Google search more effectively; it carried no active content: no VBA macros, embedded Flash objects or PE files. Once the document is opened, Word sends a GET request to an internal link.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” continues the analysis.

The researchers discovered that the document used an undocumented Word feature: they noticed the presence of an INCLUDEPICTURE field, which indicates that an image is attached to certain characters in the text.

The experts highlighted that the Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field.

The attackers used the INCLUDEPICTURE field to embed a suspicious link, although this was not the URL that Word actually requested.

The text in Word documents is stored in the WordDocument stream in a ‘raw’ state that contains no formatting except for so-called fields. The fields are used to instruct Word that a certain segment of the text must be presented in a specific way. The field INCLUDEPICTURE indicates that an image is attached to certain characters in the text.

The experts identified the following characters inside the document:

Begin = 0x13
Sep = 0x14
End = 0x15
Field = <Begin> *<Field> [Sep] *<Field> <End>


A byte between the separator (SEP) and the end (END) tells Word that an image should be inserted at that point. The experts first located the byte sequence with the picture placeholder, and then determined the offset at which the image should be located in the Data stream.

“So, we go to offset 0 in the Data stream and see that the so-called SHAPEFILE form is located there:

Forms are described in a different Microsoft document: [MS-ODRAW]: Office Drawing Binary File Format. This form has a name and, in this case, it is another suspicious link:” continues the analysis.

Experts noticed that a combination of flags was used to indicate that additional data should be attached to the form. According to Kaspersky, this data constitutes a URL that leads to the actual content of the form.

“This indicates that additional data should be attached to the form (it is highlighted in yellow in the screenshot), and that this data constitutes a URL that leads to the actual content of the form. Also, there is a ‘do not save’ flag, which prevents this content from being saved to the actual document when it is opened.” continues the analysis.
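The field walk described above, as an added example that is not part of Kaspersky’s analysis or of any Microsoft code: a Python scanner that applies the Begin/Sep/End grammar to a raw text stream, handles nested and unterminated fields, and lists the URLs referenced from INCLUDEPICTURE field codes. It assumes the text has already been pulled out of the WordDocument stream as characters; the sample document text, field contents and URL are constructed.

```python
# Added example, not Kaspersky's or Microsoft's code: walk raw Word text
# with the field grammar from the analysis above,
#   Field = <Begin=0x13> *<Field> [Sep=0x14] *<Field> <End=0x15>
# and list the URLs referenced from INCLUDEPICTURE field codes for triage.
import re

BEGIN, SEP, END = "\x13", "\x14", "\x15"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def parse_fields(text):
    """Return (depth, code, result) for every field in `text`.

    `code` is the instruction between Begin and Sep, `result` the cached
    text between Sep and End. Nested fields are reported on their own and
    folded into the enclosing field; an unterminated field is reported too,
    so a truncated stream cannot hide a field from the scan.
    """
    fields, stack = [], []  # stack entry: [depth, code, result, past_sep]
    for ch in text:
        if ch == BEGIN:
            stack.append([len(stack), [], [], False])
            continue
        if not stack:
            continue  # plain body text outside any field
        top = stack[-1]
        if ch == SEP:
            top[3] = True
        elif ch == END:
            stack.pop()
            fields.append((top[0], "".join(top[1]).strip(), "".join(top[2])))
            if stack:  # fold the nested field's text into its parent
                parent = stack[-1]
                parent[2 if parent[3] else 1].extend(top[1] + top[2])
        else:
            top[2 if top[3] else 1].append(ch)
    for top in reversed(stack):  # unterminated fields, innermost first
        fields.append((top[0], "".join(top[1]).strip(), "".join(top[2])))
    return fields


def includepicture_urls(text):
    """URLs found in INCLUDEPICTURE field codes, in stream order."""
    return [url for _d, code, _r in parse_fields(text)
            if code.upper().startswith("INCLUDEPICTURE")
            for url in URL_RE.findall(code)]


# Constructed sample: a harmless DATE field, then an INCLUDEPICTURE whose
# code points at an external PHP script and whose result is the one-byte
# picture placeholder; the \d switch tells Word not to store the image.
SAMPLE = ("Tips for searching Google\r"
          + BEGIN + ' DATE \\@ "d MMMM yyyy" ' + SEP + "1 September 2017" + END
          + BEGIN + ' INCLUDEPICTURE "http://example.invalid/track.php" \\d '
          + SEP + "\x01" + END)
```

Running `includepicture_urls(SAMPLE)` returns the single external URL, while the DATE field is reported by `parse_fields` but not flagged.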

The attackers devised this complex technique to fingerprint users opening the Word documents.

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky says.

According to Kaspersky, the feature exists in Word for Windows, Microsoft Office for iOS, and Microsoft Office for Android. LibreOffice and OpenOffice do not implement this feature.

Pierluigi Paganini

(Security Affairs – undocumented Word, hacking)


Source

CCleaner supply chain compromised to distribute malware


The post CCleaner supply chain compromised to distribute malware appeared first on Security Affairs.

CCleaner app version 5.33 that was available for download between August 15 and September 12 was modified to include the Floxif malware

Bad news for users of the CCleaner app: according to researchers with Cisco Talos, version 5.33, which was available for download between August 15 and September 12, was modified to include the Floxif malware.

The Floxif malware downloader gathers information about infected systems (computer name, a list of installed applications, a list of running processes, MAC addresses for the first three network interfaces) and downloads and runs other malicious binaries.

The variant of Floxif spread by the crooks only works on 32-bit systems, and the victim must be using an administrator account.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” reads the analysis published by Cisco Talos. “CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly.”

Cisco Talos experts spotted the trojanized CCleaner app last week while beta testing a new exploit detection solution: they noticed that a version of CCleaner 5.33 was connecting to suspicious domains.

Further investigation allowed Talos to discover that the tainted CCleaner version was deployed on the official website and was signed using a valid digital certificate.

Researchers speculate that attackers compromised Avast’s supply chain to spread the Floxif trojan.

It is possible that attackers compromised the company’s systems, but experts have not excluded that the incident was an inside job.

“Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.” continues Talos.

Recall that Avast owns Piriform, the developer of CCleaner; the antivirus firm bought it in July, a month before the tainted CCleaner 5.33 version was released.

On September 13, Piriform released a new version of the CCleaner (5.34) and CCleaner Cloud version 1.07.3191 that do not contain the malware.

“Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue.” reads a blog post published by Piriform.

The Floxif trojan uses a domain generation algorithm (DGA) to produce the randomly generated domain names of its command and control (C&C) servers. DNS requests for the domain names used in August and September show that thousands of users were infected.

[Figure: CCleaner DNS requests, August-September]

Once informed of the incident, Avast took down the C&C servers and observed a spike in the number of infected hosts making DNS queries for a backup domain.

It is important to highlight that updating to CCleaner version 5.34 does not resolve the situation, because the malware will still be present on already infected hosts.

Pierluigi Paganini

(Security Affairs – CCleaner version 5.33, malware)


Source

Malware attacks leverage the Hangul Word Processor and PostScript to spread malware


The post Malware attacks leverage the Hangul Word Processor and PostScript to spread malware appeared first on Security Affairs.

Experts at Trend Micro reported malware attacks that leveraged the Hangul Word Processor (HWP) word processing application to target users.

It has happened again: attackers leveraged the Hangul Word Processor (HWP) word processing application to target users in South Korea.

The application is very popular in South Korea and was exploited in several hacking campaigns against entities in the country.

In the recent attacks, hackers use the Hangul Word Processor in association with PostScript. The attackers use emails containing malicious attachments to deliver the malware.

“A branch of PostScript called Encapsulated PostScript exists, which adds restrictions to the code that may be run. This is supposed to make opening these documents safer, but unfortunately older HWP versions implement these restrictions improperly. We have started seeing malicious attachments that contain malicious PostScript, which is in turn being used to drop shortcuts (or actual malicious files) onto the affected system.” states the analysis published by Trend Micro.

Although Encapsulated PostScript adds restrictions intended to make opening a document safer, older HWP versions implement these restrictions improperly. The attackers have started using attachments containing malicious PostScript to drop shortcuts or malicious files onto the affected system.

Experts noticed that some of the subject lines and document names used by attackers include “Bitcoin” and “Financial Security Standardization”.


Researchers highlighted that attackers don’t use an actual exploit, but abuse a feature of PostScript to manipulate files.

PostScript doesn’t have the ability to execute shell commands, but attackers obtain a similar effect by dropping files into various startup folders; these files are then executed when the user reboots the machine.

“Some of the ways we’ve seen this include:

  1. Drops a shortcut in the startup folder, which executes MSHTA.exe to execute a Javascript file.
  2. Drops a shortcut in startup folder and a DLL file in %Temp% directory. The shortcut calls rundll32.exe to execute the said DLL file.
  3. Drops an executable file in the startup folder.

” reads the analysis.

One of the attacks observed by the researchers at Trend Micro would overwrite the file gswin32c.exe, which is the PostScript interpreter used by the Hangul Word Processor application. The file is replaced with a legitimate copy of Calc.exe; in this way the attackers prevent any other embedded PostScript content from being executed.

Newer versions of the Hangul Word Processor implement EPS properly; users should therefore upgrade the application to stay protected.

“Newer versions of the Hangul Word Processor implement EPS correctly, with the 2014 versions and later not being susceptible to this problem. We suggest upgrading to these newer, safer versions.” Trend Micro says.

Pierluigi Paganini

(Security Affairs – Malware, HWP)


Source

BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking

If you are using a Bluetooth enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can be carried out remotely to take over your device, without requiring any interaction from your side.
Security researchers have just discovered total 8 zero-day vulnerabilities in Bluetooth protocol that impact more than 5.3 Billion devices—from

Source