ZeroDay

Latest

  • Google found a serious Android flaw affecting Pixel, Samsung and Huawei phones

    by Steve Dent
    10.04.2019

    Google researchers have discovered an unpatched vulnerability in its own Android OS that affects the Pixel 1 and 2, Huawei P20, Samsung Galaxy S7, S8, and S9 and other devices. It disclosed the problem just seven days after finding it, as the exploit is a "zero-day" that is already being exploited in the wild. Oddly, the bug -- which affects Android 8.x and later -- was discovered and patched in December 2017 on earlier versions of the OS. However, the fix was apparently not carried over to newer versions.

  • You should update Firefox right now to fix a critical bug

    by Kris Holt
    06.18.2019

    If you have Firefox on your computer, you should update it right now. Mozilla has released security updates Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a critical bug, which it says hackers are actively exploiting to take control of vulnerable systems. The US Cybersecurity and Infrastructure Security Agency also issued an alert urging users and system administrators to review Mozilla's security advisory and act accordingly -- in other words, update your browser.

  • When China hoards its hackers everyone loses

    by Violet Blue
    03.16.2018

    They say you don't notice something good until it's gone. With China's decision to restrict its information security researchers from participating in global hacking competitions, we're about to see what that looks like on the global "zero day" stage.

  • Attackers used Telegram to deliver cryptocurrency-mining malware

    by Mallory Locklear
    02.13.2018

    Kaspersky Lab says it spotted evidence of a vulnerability in the desktop version of Telegram that allowed attackers to install cryptocurrency mining malware on users' computers. The zero-day exploit was used to trick Telegram users into downloading malicious files, which could then be used to deliver cryptocurrency mining software and spyware. According to Kaspersky, those behind the exploit used the computers their malware had been installed on to mine digital currencies like Monero, Zcash, Fantomcoin and others. Kaspersky also says it found a stolen cache of Telegram data on one of the attackers' servers.

  • 'Shadow Brokers' dump of NSA tools includes new Windows exploits (updated)

    by Richard Lawler
    04.14.2017

    Earlier this year "The Shadow Brokers" -- an entity claiming to have stolen hacking tools from the NSA then offering them for sale -- seemed to pack up shop, but the group has continued on. Today, it made a new post that contained a number of working exploits for Windows machines running everything from XP up to at least Windows 8. As far as Windows 10, it appears that the stolen data is from 2013 and predates the latest OS. As such, it isn't immediately apparent if it's vulnerable, but early results indicate at least some of the tools aren't working on it. Update (4/15): Microsoft responded early Saturday morning, saying that for the seven flaws leaked that affect supported systems -- they've all already been patched. Of course, the story gets a bit more interesting from there, since it appears that four of them were only patched just last month, suggesting someone informed the company about the security issues before TSB could leak them.

  • Samsung's in-house OS is a security nightmare

    by Jon Fingas
    04.04.2017

    Samsung's Tizen platform might give the company the technological independence it wouldn't have if it stuck to outside software like Android, but it's apparently a security disaster. Researcher Amihai Neiderman tells Motherboard he has discovered 40 unpatched vulnerabilities in Samsung's operating system, exposing many of its smartphones, smartwatches and TVs to remote attacks. Reportedly, it's the "worst code" the expert has "ever seen" -- it was designed by a team that had no real understanding of security concepts, and makes mistakes that virtually anyone else would avoid.

  • Apple says it's already patched 'many' Wikileaks iOS exploits

    by Matt Brian
    03.08.2017

    Less than 24 hours ago, Wikileaks published a large cache of documents detailing top secret CIA operations conducted by its Center for Cyber Intelligence. Included in the 8,761 documents and files, referred to as Vault 7, are references to zero-day exploits that were reportedly being used to track and control iPhones but also Android phones and Samsung smart TVs. While the authenticity of some of Wikileaks' claims is still in question, Apple has confirmed that some of the threats towards its mobile operating system are very real. In a move to reassure customers, the company issued a statement noting that it has already taken steps to patch "many" of the 14 iOS vulnerabilities listed and is working to "rapidly address" the rest.

  • Microsoft patch for Google-outed exploit is still a week away

    by Jon Fingas
    11.01.2016

    Microsoft is still more than a little upset at Google revealing unpatched Windows security flaws, but it'll at least have a solution in hand in the days ahead. The software giant now plans to issue a patch for affected versions of Windows on November 8th. You're in good shape if you use both Windows 10 Anniversary Update and a sufficiently up-to-date browser (both Chrome and Edge should be safe), but you'll definitely have to be cautious if you can't use one of the known safe browsers or the latest version of Windows.

  • Recently patched iOS security flaw also affects OS X

    by Richard Lawler
    09.01.2016

    Last week Apple rolled out a patch for iOS that closed a security flaw that could give attackers control over a device by having a user click a single link. Now, Apple is patching the same hole in the Safari web browser on the desktop, with new updates for the browser as well as OS X Yosemite and El Capitan. Lookout Security and Citizenlab identified the flaw based on a link sent to a human rights activist, and believe the "cyber war" organization NSO Group was selling the exploit to governments like the UAE.

  • Apple patches three zero-day exploits after activist is hacked

    by Jessica Conditt
    08.25.2016

    Apple has rolled out a patch for three previously unknown zero-day exploits that were used to target the iPhone 6 of Ahmed Mansoor, an award-winning human rights activist based in the United Arab Emirates. Security company Lookout and internet watchdog group Citizen Lab investigated the attack on Mansoor's iPhone and found it to be the product of NSO Group, a "cyber war" organization based in Israel that's responsible for distributing a powerful, government-exclusive spyware product called Pegasus.

  • Zero-day exploits aren't as important to the NSA as you think

    by Jessica Conditt
    01.29.2016

    The head of the National Security Agency's elite hacking arm, Tailored Access Operations, downplayed the importance of zero-day exploits during a talk at USENIX Enigma 2016 in San Francisco this week, as spotted by Vice. Zero-day security holes are secret (and usually short-lived) software vulnerabilities -- the vendor doesn't know about them (until it does). According to TAO chief Rob Joyce, zero-day exploits are a small part of the NSA's hacking agenda.

  • FBI: Yes, we exploit unpatched security holes

    by Jon Fingas
    12.08.2015

    It's no secret that the FBI uses tech tools like Stingray phone trackers to investigate suspects, but it's now clear that the bureau is willing to go even further than that. Operational Technology Division lead Amy Hess (above) tells the Washington Post that the FBI uses zero-day (that is, unknown by vendors) security software exploits for investigations -- the first time any official has admitted this on the record. The outfit doesn't prefer to use these hacks given how short-lived they are, Hess says, but they're still on the table.

  • The US Navy wants to buy unpatched security flaws

    by Jon Fingas
    06.14.2015

    It won't surprise you to hear that governments are eager to buy unpatched security exploits for the sake of cyberdefense or surveillance, but they're rarely overt about it. No one must have told that to the US Navy until this week, however. The Electronic Frontier Foundation caught the military branch soliciting for both zero-day exploits and recently discovered vulnerabilities (less than six months old) for relatively common software from the likes of Apple, Google and Microsoft. The Navy quickly took the posting down, but it was clear the organization wanted to turn these flaws into "exploit binaries" -- that is, finished software that would be useful for attacks.

  • Google is giving companies a break on security disclosures

    by Jon Fingas
    02.15.2015

    Google's Project Zero is supposed to goad companies into patching software security flaws before they pose a threat, but that's not exactly how the effort has panned out. As Apple and Microsoft will tell you, the strict 90-day disclosure deadline sometimes leaves developers scrambling to finish patches after the details of an exploit go public. Thankfully, Google appears to be listening to those gripes -- the Project Zero team has tweaked its policies to give programmers a better chance at mending holes. Companies now get a 14-day "grace period" to release fixes if they let Google know that the code won't be ready within the usual 90-day window. Also, the folks in Mountain View won't ruin tech workers' days off by revealing vulnerabilities on holidays and weekends.

  • Google reveals Mac security holes before Apple's fix is ready

    by Jon Fingas
    01.23.2015

    Microsoft isn't the only big tech firm grappling with surprise security flaw disclosures these days. Google's Project Zero security unit revealed at least two unpatched vulnerabilities in OS X (Yosemite appears to have mitigated a third) that theoretically help attackers take control of your Mac. The search company says it privately notified Apple about the holes back in October, but automatically published the details after Project Zero's usual 90-day cutoff period. Apple's usual policy is to decline comment on exploits like this until it has a solution. However, relief is at least relatively close -- iMore reports that an upcoming Yosemite update (10.10.2) is expected to tackle these flaws. The main question is whether or not Apple can deliver its fix before malware writers find a way to use those bugs for sinister purposes.

  • Hackers broke into Sony Pictures using an unpatched security hole

    by Jon Fingas
    01.20.2015

    Whether or not you believe that North Korea hacked Sony Pictures, one thing is becoming apparent: whoever's responsible knew what they were doing. Sources for Recode understand that the perpetrators took advantage of a zero-day exploit, or a software security hole that hadn't been patched yet. The details of just what this attack involved are still under close guard, but it suggests that Sony had no surefire way to protect itself. Also, it hints that the culprits had a lot of skill, a lot of money or both. Zero-day vulnerabilities are usually difficult to find and fetch a high price on the black market (typically between $5,000 and $250,000), so the attackers must have really wanted in.

  • Kevin Mitnick will sell you security exploits, if you have $100,000

    by Jon Fingas
    09.24.2014

    Ever since he was released from prison, legendary hacker (and social engineering expert) Kevin Mitnick has spent much of his time helping companies protect against internet attacks. However, his security consulting work recently entered murky territory. He's now offering the Absolute Zero Day Exploit Exchange, a service that sells "exclusive" unpatched exploits to companies and governments for $100,000 or more. If you're willing to pay for a premium tier, you can even get notification the moment an exploit is available for a program you're interested in -- whether or not it's your own.

  • Oracle releases v11 fix for zero-day Java security flaw

    by Michael Grothaus
    01.14.2013

    Oracle has released an official fix for the Java security flaw that was reported by CERT (the Computer Emergency Readiness Team) on January 11. Shortly after the flagging by CERT, Apple took steps to disable the Java plug-in on all Macs running OS X 10.6 or later by amending the XProtect malware/minimum versions file. Users who want to re-enable a secure, working version of Java can download the update here. The update is recommended for users on all operating systems including Windows and Linux. Of course, if you don't need to be running a Java VM for a specific reason, your most secure path is to not have it installed. At a minimum, you might consider TJ's reasonable advice and reserve your browser-centric Java activities to a single-site browser like Fluid.app, or simply leave Java disabled for browser access most of the time and only turn it on when specifically required. From the release notes, Oracle states: "Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 'in the wild,' Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible." Apple no longer distributes its own version of Java for Macs running OS X 10.7 or higher. Oracle is now directly responsible for producing and updating the Mac JRE package, as it does for other mainstream operating systems.

  • Flame malware snoops on PCs across the Middle East, makes Stuxnet look small-time

    by Jon Fingas
    05.28.2012

    Much ado was made when security experts found Stuxnet wreaking havoc, but it's looking as though the malware was just a prelude to a much more elaborate attack that's plaguing the Middle East. Flame, a backdoor Windows trojan, doesn't just sniff and steal nearby network traffic info -- it uses your computer's hardware against you. The rogue code nabs phone data over Bluetooth, spreads over USB drives and records conversations from the PC's microphone. If that isn't enough to set even the slightly paranoid on edge, it's also so complex that it has to infect a PC in stages; Flame may have been attacking computers since 2010 without being spotted, and researchers at Kaspersky think it may be a decade before they know just how much damage the code can wreak. No culprit has been pinpointed yet, but a link to the same printer spool vulnerability used by Stuxnet has led researchers to suspect that it may be another instance of a targeted cyberwar attack given that Iran, Syria and a handful of other countries in the region are almost exclusively marked as targets. Even if you live in a 'safe' region, we'd keep an eye out for any suspicious activity knowing that even a fully updated Windows 7 PC can be compromised.

  • Security firm claims to have hacked Chrome's sandbox

    by Donald Melanson
    05.10.2011

    It didn't manage to do it during the most recent Pwn2Own challenge, but VUPEN Security is now claiming that it has finally managed to hack Google's Chrome browser and crack its so-called "sandbox." According to the firm, the exploit relies on some newly discovered zero day vulnerabilities, works on all Windows operating systems (and only Windows, apparently), and could give malicious websites the ability to download code from a remote source and execute it on a user's computer -- the video after the break shows an example, in which the Windows Calculator application is downloaded and run automatically. For its part, Google says it has been unable to confirm the hack since VUPEN hasn't shared any details with it -- something the firm apparently doesn't plan to do, as it says it only shares its vulnerability research with its "government customers for defensive and offensive security."