Archive for the ‘privacy’ Category

Immediately Patch Microsoft 0 day vulnerabilities being used to spread SPYWARE!

Thursday, September 14th, 2017

 

Windows 0-Day Flaw

Get ready to install a fairly large batch of security patches onto your Windows computers.

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.

 The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

.NET 0-Day Flaw Under Active Attack

According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild.

Here’s the list of publically known flaws and their impact:

Windows .NET Framework RCE (CVE-2017-8759)—A zero-day flaw, discovered by researchers at cybersecurity firm FireEye and privately reported it to Microsoft, resides in the way Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

The flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights.

According to FireEye, this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once infected, FinSpy can perform a large number of secret tasks on victims computer, including secretly monitoring computers by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Three Publicly Disclosed Vulnerabilities

The remaining three publicly known vulnerabilities affecting the Windows 10 platform include:

  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

BlueBorne Attack: Another Reason to Install Patches Immediately

Also, the recently disclosed Bluetooth vulnerabilities known as “BlueBorne” (that affected more than 5 Million Bluetooth-enabled devices, including Windows, was silently patched by Microsoft in July, but details of this flaw have only been released now.

BlueBorne is a series of flaws in the implementation of Bluetooth that could allow attackers to take over Bluetooth-enabled devices, spread malware completely, or even establish a “man-in-the-middle” connection to gain access to devices’ critical data and networks without requiring any victim interaction.

So, users have another important reason to apply September security patches as soon as possible in order to keep hackers and cyber criminals away from taking control over their computers.

Other flaws patched this month include five information disclosure and one denial of service flaws in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Source:
Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Sweden Accidentally Leaks Personal Details of Nearly All Citizens

Wednesday, July 26th, 2017

sweden-data-leak

A Massive data breach in the Swedish Transport Agency Accidentally Leaks Personal Details of Nearly All Citizens
Another day, Another data breach!

This time sensitive and personal data of millions of transporters in Sweden, along with the nation’s military secrets, have been exposed, putting every individual’s as well as national security at risk.

Who exposed the sensitive data? The Swedish government itself.

Swedish media is reporting of a massive data breach in the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of the private data about every vehicle in the country, including those used by both police and military.

The data breach exposed the names, photos and home addresses of millions of Swedish citizen, including fighter pilots of Swedish air force, members of the military’s most secretive units, police suspects, people under the witness relocation programme, the weight capacity of all roads and bridges, and much more.

The incident is believed to be one of the worst government information security disasters ever.

Here’s what and How it Happened:

In 2015, the Swedish Transport Agency hand over IBM an IT maintenance contract to manage its databases and networks.

However, the Swedish Transport Agency uploaded IBM’s entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs.

The transport agency then emailed the entire database in messages to marketers that subscribe to it.

And what’s terrible is that the messages were sent in clear text.

When the error was discovered, the transport agency merely thought of sending a new list in another email, asking the subscribers to delete the old list themselves.

If you think the scandal ends there, you are wrong. The outsourcing deal gave IBM staff outside Sweden access to the Swedish transport agency’s systems without undergoing proper security clearance checks.

IBM administrators in the Czech Republic were also given full access to all data and logs, according to Swedish newspaper Dagens Nyheter (DN), which analysed the Säpo investigation documents.

According to Pirate Party founder and now head of privacy at VPN provider Private Internet Access Rick Falkvinge, who brought details of this scandal, the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.”

Tons of Sensitive Info Exposed about Both Individuals and Nation’s Critical Infrastructures

According to Falkvinge, the leak exposed:

  • The weight capacity of all roads as well as bridges (which is crucial for warfare, and gives a lot idea about what roads are intended to be used as wartime airfields).
  • Names, photos, and home addresses of fighter pilots in the Air Force.
  • Names, photos, and home addresses of everybody in a police register, which are believed to be classified.
  • Names, photos, and residential addresses of all operators in the military’s most secret units that are equivalent to the SAS or SEAL teams.
  • Names, photos, and addresses of everybody in a witness relocation program, who has been given protected identity for some reasons.
  • Type, model, weight, and any defects in all government and military vehicles, including their operator, which reveals a much about the structure of military support units.

Although the data breach happened in 2015, Swedish Secret Service discovered it in 2016 and started investigating the incident, which led to the fire of STA director-general Maria Ågren in January 2017.

Ågren was also fined half a month’s pay (70,000 Swedish krona which equals to $8,500) after finding her guilty of being “careless with secret information,” according to the publication.

What’s the worrying part? The leaked database may not be secured until the fall, said the agency’s new director-general Jonas Bjelfvenstam. The investigation into the scope of the leak is still ongoing.

Swati - Hacking News

Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Wednesday, July 19th, 2017
internet-of-the-things-hacking

Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking.

The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development library called gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML application.

Dubbed “Devil’s Ivy,” the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices.

The Devil’s Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications.

“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” researchers say.

“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”

Axis confirmed the vulnerability that exists in almost all of its 250 camera models (you can find the complete list of affected camera models here) and has quickly released patched firmware updates on July 6th to address the vulnerability, prompting partners and customers to upgrade as soon as possible.

However, researchers believe that their exploit would work on internet-connected devices from other vendors as well, as the affected software is used by Canon, Siemens, Cisco, Hitachi, and many others.

Axis immediately informed Genivia, the company that maintains gSOAP, about the vulnerability and Genivia released a patch on June 21, 2017.

The company also reached out to electronics industry consortium ONVIF to ensure all of its members, including Canon, Cisco, and Siemens, those who make use of gSOAP become aware of the issue and can develop patches to fix the security hole.

Internet of Things (IoT) devices has always been the weakest link and, therefore, an easy entry for hackers to get into secured networks. So it is always advisable to keep your Internet-connected devices updated and away from the public Internet.

Source: Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Wednesday, July 19th, 2017
Cisco-WebEx-Remote-Command-Execution

A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim’s computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world.  The extension has roughly 20 million active users.Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a designing defect in the WebEx browser extension. To exploit the vulnerability, all an attacker need to do is trick victims into visiting a web page containing specially crafted malicious code through the browser with affected extension installed.  Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

“I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well.”Cisco has already patched the vulnerability and released “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers that address this issue, though “there are no workarounds that address this vulnerability.”

“This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows,” Cisco confirmed in an advisory released today.

Download Cisco WebEx Extension 1.0.12

In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.

 Fortunately, Apple’s Safari, Microsoft’s Internet Explorer and Microsoft’s Edge are not affected by this vulnerability.  Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed.The remote code execution vulnerability in Cisco WebEx extension has been discovered second time in this year.

 

Source: Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

SatPhone Encrypted Calls Can be Cracked in Fractions of a Second

Thursday, July 13th, 2017

Decrypting-Satellite-Phone-Calls

Security researchers have discovered a new method to decrypt satellite phone communications encrypted with the GMR-2 cipher in “real time” — that too in mere fractions of a second in some cases.

The new attack method has been discovered by two Chinese security researchers and is based on previous research by German academicians in 2012, showing that the phone’s encryption can be cracked so quickly that attackers can listen in on calls in real time.

The research, disclosed in a paper published last week by the security researchers in the International Association for Cryptologic Research, focused on the GMR-2 encryption algorithm that is commonly being used in most modern satellite phones, including British satellite telecom Inmarsat, to encrypt voice calls in order to prevent eavesdropping.

Unlike previous 2012 research by German researchers who tried to recover the encryption key with the help of ‘plaintext’ attacks, the Chinese researchers attempted to “reverse the encryption procedure to deduce the encryption-key from the output keystream directly.”

The attack method requires hitting a 3.3GHz satellite stream thousands of times with an inversion attack, which eventually produces the 64-bit encryption key and makes it easier to hunt for the decryption key, allowing attackers to decrypt communications and listen in to a conversation.

“This indicates that the inversion attack is very efficient and practical which could lead to a real time crack on the GMR-2 cipher,” the research paper reads. “The experimental results on a 3.3GHz platform demonstrate that the 64-bit encryption-key can be completely retrieved in around 0.02s.”

According to the duo, the attack can eventually crack the satellite phone call encryption in a fraction of a second when carried out successfully, allowing the attacker to break into the communications in real time for live eavesdropping.

The new findings spark concerns surrounding the security of satellite phones, which are mostly used by field officers in war zones that protect our land, air, and water, as well as people in remote area precisely because of no other alternatives.

Such attacks could pose a significant threat to satellite phone users’ privacy.

“Given that the confidentiality is a very crucial aspect in satellite communications, the encryption algorithms in the satellite phones should be strong enough to withstand various eavesdropping risks,” researchers said.

“This again demonstrates that there exists serious security flaws in the GMR-2 cipher, and it is crucial for service providers to upgrade the cryptographic modules of the system in order to provide confidential communication,” researchers concluded.

The research was carried out by Jiao Hu, Ruilin Li and Chaojing Tang of National University of Defense Technology, Changsha, China. For more details, you can head on to their research paper [PDF], titled “A Real-time Inversion Attack on the GMR-2 Cipher Used in the Satellite Phones.”

Story Credit ::
Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst.
She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Goodbye Applets: Another Cruddy Piece of Web Tech Is Finally Going Away | WIRED

Tuesday, March 8th, 2016

Another piece of old, insecure web infrastructure is about to be killed off.

Oracle says that it’s discontinuing its Java browser plugin starting with the next big release of the programming language. No, Oracle isn’t killing the Java programming language itself, which is still widely used by many companies. Nor is it killing off JavaScript, which is a completely different language that Oracle doesn’t control. What Oracle is getting rid of is a plugin that allows you to run programs known as “Java applets” in your browser.You may not think you even have the Java plugin installed, but if you’ve ever installed Java, or if Java came pre-installed on your computer, then you probably do, even if you never use it. The good news is that Oracle won’t be automatically installing the Java plugin when you install Java anymore. The bad news is that it won’t be providing security updates anymore either, so you should go ahead and uninstall it now. In fact, there’s a good chance you can uninstall Java entirely.

Source: Goodbye Applets: Another Cruddy Piece of Web Tech Is Finally Going Away | WIRED

Password hash cracking on a Juniper ScreenOS device

Monday, January 4th, 2016

So the Juniper Netscreen/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak.

In this case here’s the line from the config:

1
set admin user “admin” password “nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn” privilege “all”

John The ripper has supported Netscreen passwords since back in 2008 when Samuel Moñux released this patch. Unfortunately John was too slow for my needs as I was up against a deadline, thus I looked at the faster approach of using the GPU to perform the cracking. Hashcat is the best tool for the job but unfortunately Hashcat didn’t support this hashing algorithm. :-(

After a looking through jar source code I found this python script which can generate a Netscreen hash, getting warmer. Here’s a shortened version of the code to show just the function we’re interested in:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def makepass(user, password):
middle = “Administration Tools”
s = “%s:%s:%s” % (user, middle, password)
print s
m = hashlib.md5(s).digest()
narray = []for i in range(8):
n1 = ord(m[2*i])
n2 = ord(m[2*i+1])
narray.append( (n1<<8 & 0xff00) | (n2 & 0xff) )

res = “”
for i in narray:
p1 = i >> 12 & 0xf
p2 = i >> 6  & 0x3f
p3 = i       & 0x3f
res += b64[p1] + b64[p2] + b64[p3]

for c, n in  zip(“nrcstn”, [0, 6, 12, 17, 23, 29]):
res = res[:n] + c + res[n:]
return res

After looking through the code it is clear that there is a fixed salt of Administration Tools and a salt of the username(lines 2 and 3).
The code then takes each 2 chars and adds the binaries together(lines 8-11)
From this it creates 3 characters from the 16bits(lines 14-18)
And finally is scatters the letters n,r,c,s,t & n onto the hash in specific places (lines 20 and 21)
It’s worth noting that the letters nrcstn is actually NeTSCReeN in reverse without the e’s :-)

Using this code it was possible to write some new code to reverse backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
def reversetomd5(knownhash):
# strip out nrcstn fixed characters
clean=“”
for i in [1,2,3,4,5,7,8,9,10,11,13,14,15,16,18,19,20,21,22,24,25,26,27,28]:
clean+=knownhash[i]# create blocks
block=[]
for i in xrange(2,24,3):
p1 = b64.index(clean[i-2])
p2 = b64.index(clean[i-1])
p3 = b64.index(clean[i])
block.append(p1 << 12 | p2 << 6 | p3)

# split block into half and find out character for each decimal
md5hash=“”
for i in block:
n1 = i >> 8
n2 = i & 0xff
md5hash+=chr(n1)+chr(n2)
return binascii.hexlify(md5hash)

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.

1
Knownhash of:nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5Hash of: 078f1d1f09bede18edf49c0f745781dd

Now using the power of GPU cracking and my favourite tool Hashcat it is possible to crack the hash. We need to put the hash in a format that hashcat can understand so we create a file called netscreen.txt and put the hash in the following format(note the training colon after the fixed salt):

1
2
[hash]:[user]:Administration Tools:
078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
C:\cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
cudaHashcat v1.01 starting…
Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0020_a0.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptxGenerated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace

078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword

Session.Name…: cudaHashcat
Status………: Cracked
Input.Mode…..: File (rockyou.txt)
Hash.Target….: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
Hash.Type……: md5($salt.$pass)
Time.Started…: Fri Jan 10 15:03:24 2014 (5 secs)
Speed.GPU.#1…:  4886.1 kH/s
Recovered……: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress…….: 11109723/14343300 (77.46%)
Rejected…….: 1371/11109723 (0.01%)
HWMon.GPU.#1…:  0% Util, 41c Temp, N/A Fan

Started: Fri Jan 10 15:03:24 2014
Stopped: Fri Jan 10 15:03:32 2014

Bingo it’s cracked the hash with the password MySecretPassword

As this algorithm uses more than just a fixed salt to create the hash I’ll speak to Atom (the creator of hashcat) to see if he want’s to implement it into a future release, but until then this code should help you in cracking netscreen passwords.

Update: Atom has added this hash type to oclHashcat as of version 1.20 https://hashcat.net/hashcat/ (Feature request here: https://hashcat.net/trac/ticket/235)

 

This article’s Original Author:

https://www.phillips321.co.uk/2014/01/10/cracking-a-juniper-netscreen-screenos-password-hash/

Cisco disrupts $30 million browser plug-in hacking operation

Wednesday, October 7th, 2015

Cisco has disrupted a major browser-based hacking operation, thought to be worth $30 million to criminals each year.

The company said unnamed hackers used the notorious Angler Exploit Kit to take advantage of vulnerabilities in common browser plugins, such as Flash and Java.

As many as 90,000 users were affected each day by the attack.

The networking company, through its security wing Talos Group, patched the vulnerabilities being used by the exploit kit, cutting off affected machines from the command-and-control infrastructure.

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen [intellectual property, credit card info and personally identifiable information are generating hundreds of millions of dollars annually,” said the researchers in a blog post.

The exploit kit helped to generate vast sums by gaining access to computers, and holding them hostage for a ransom price, which must be paid within a limited time frame to gain back access to their device.

US federal agents warned earlier this year that so-called ransomware, which encrypts files and documents without the owner’s permission, costs consumers $18 million a year.

 

via ZDNet Article

Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password

Tuesday, August 4th, 2015

Hackers have their hands on something of your concern. A severe zero-day vulnerability in the latest, fully patched version of Apple’s Mac OS X is reportedly being exploited in the wild by the hackers. The vulnerability could allow attackers to install malware and adware onto a target Mac, running OS X 10.10 (Yosemite) operating system, without requiring victims to enter system passwords, a new report says. The zero-day bug came over a week after security researcher Stefan Esser discovered a privilege escalation zero-day vulnerability in the latest version of Apple’s OS X Yosemite that caused due to environment variable DYLD_PRINT_TO_FILE and dynamic linker dyld, new error-logging features added to the operating system. The developers failed to implement standard safeguards that are needed while adding support for new environment variables to the OS X dynamic linker dyld, allowing hackers to create or modify files with root privileges that can fit anywhere in the Mac OS X file system. OS X Zero-Day Exploit in the Wild Now, security researchers from anti-malware firm Malwarebytes spotted a malicious installer in the wild that was exploiting the zero-day vulnerability to infect Macs with different types of adware including VSearch, MacKeeper and Genieo.

The issue actually resides in a hidden Unix file – Sudoers – which is actually a list of files as to which software are allowed to get root permissions on a computer. However, a modification to the Sudoers allowed the installer to gain root level permissions without the need of password from an administrator. The issue was discovered by Adam Thomas while testing a new adware installer. “The script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed,” Malwarebytes researchers explains in a blog post. “Part of the script involves deleting itself when it’s finished.” “The real meat of the script, though, involves modifying the Sudoers file.

The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.” No Way Out for Mac Users The zero-day flaw affects both the current stable Mac version OS X 10.10 (build 10.10.4) and the recent Beta build OS X 10.10.5 (Yosemite). Good news for Mac users who are running Mac OS X 10.11 El Capitan Beta builds, as it appears that they are not affected by the zero-day flaw. Until Apple patches this critical issue, you don’t have any good options to prevent a skilled hacker from installing malware on your Mac systems, beyond using a patch created by Esser himself, which can be downloaded from here. No doubt, Esser is a respected security researcher, but installing a patch from a third party developer can be a risky. Therefore, we advise you to fully investigate the patch before installing.

Source: Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password

Stagefright: SMS Text Message Can Hack Android Phones – Fortune

Monday, July 27th, 2015

Share icons “Stagefright” is one of the worst Android vulnerabilities to date. So listen: Can I have your number? Can I have it? Can I? Have it? Um…maybe not. Actually, you should think twice before giving away your cell phone number—especially if you happen to own a phone that runs on Google’s Android operating system. That’s the only thing a hacker needs to compromise a handset. A mobile security researcher has uncovered a flaw that leaves as many as 95% of Android devices—that’s 950 million gadgets—exposed to attack. The computer bug, nicknamed “Stagefright” after a vulnerable media library in the operating system’s open source code, may be one of the worst Android security holes discovered to date. It affects Android versions 2.2 and on. Should a hacker learn someone’s cell phone number, all it takes is for that person to send a malware-laced Stagefright multimedia message to an affected phone in order to steal its data and photos or to hijack its microphone and camera, among other nefarious actions. Worse yet, a user might have no idea that his or her device has been compromised. Joshua Drake, vice president of research and exploitation at the mobile security firm Zimperium zLabs, says an attacker can delete the message before a victim has any idea.   “These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” he writes on his company’s blog. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.” When Drake reported the severe vulnerabilities along with potential fixes to Google GOOG 0.73% in April (as well as another set May), the company, he writes, “acted promptly and applied the patches to internal code branches within 48 hours.” That doesn’t mean the problem is resolved, however. As Forbes reporter Thomas Fox-Brewster writes, device manufacturers will still need to push the updates out in order to safeguard their customers. Google’s major Android partners, which include phone-makers like LG, Lenovo LNVGY -5.20% , Motorola MSI -1.33% , Samsung SSNLF -3.23% , and Sony SNE -1.33% were not immediately available to comment. (Fortune has reached out to these handset makers and Google. We will update this when we hear back.) An HTC HTC 0.00% spokesperson responded: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.” Drake praises the security firm Silent Circle, based in Geneva, Switz., which makes the Blackphone handset, for its quick response protecting users since it released PrivatOS version 1.1.7. He also praises Mozilla, maker of the Firefox web browser, for including fixes since version 38. “We applaud these vendors for prioritizing security and releasing patches for these issues quickly.”   “This is Heartbleed for mobile,” said Chris Wysopal, chief tech and information security officer at the application security firm Veracode. These vulnerabilities “are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS.” Drake plans to present his research at the Black Hat and Def Con security conferences in Las Vegas next month. So, um, can I have your number?

Source: Stagefright: SMS Text Message Can Hack Android Phones – Fortune