Google patches actively exploited Chrome browser zero-day vulnerability

Upgrading your Chrome build as quickly as possible is recommended.

Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild.

The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an "object lifecycle issue in audio."

Google has labeled the vulnerability as a "high" severity security flaw and has fixed the issue in the latest Chrome release.

Alongside CVE-2021-21166, Huffman also recently reported another high-severity bug, CVE-2021-21165, another object lifestyle issue in audio problem, and CVE-2021-21163, an insufficient data validation issue in Reader Mode.

The tech giant has not revealed further details concerning how CVE-2021-21166 is being exploited, or by whom.

Google's announcement, published on Tuesday, also marked the release of Chrome 89 to the stable desktop channel for Windows, Mac, and Linux machines, which is currently rolling out. Users should upgrade to Chrome 89.0.4389.72 once available.

https://www.zdnet.com/article/google-patches-actively-exploited-chrome-browser-zero-day-vulnerability/

#google #chrome #zeroday #vulnerability
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Apple’s AirDrop leaks users’ PII, and there’s not much they can do about it

Apple has known of the flaw since 2019 but has yet to acknowledge or fix it.

AirDrop, the feature that allows Mac and iPhone users to wirelessly transfer files between devices, is leaking user emails and phone numbers, and there's not much anyone can do to stop it other than to turn it off, researchers said.

AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so they can beam pictures, documents, and other things from one iOS or macOS device to another. One mode allows only contacts to connect, a second allows anyone to connect, and the last allows no connections at all.

A matter of milliseconds

To determine if the device of a would-be sender should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender's phone number and email address. If any of the truncated hashes matches any phone number or email address in the address book of the receiving device or the device is set to receive from everyone, the two devices will engage in a mutual authentication handshake over Wi-Fi. During the handshake, the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses.

Hashes, of course, can't be converted back into the cleartext that generated them, but depending on the amount of entropy or randomness in the cleartext, they are often possible to figure out. Hackers do this by performing a "brute-force attack," which throws huge numbers of guesses and waits for the one that generates the sought-after hash. The less the entropy in the cleartext, the easier it is to guess or crack, since there are fewer possible candidates for an attacker to try.

The amount of entropy in a phone number is so minimal that this cracking process is trivial since it takes milliseconds to look up a hash in a precomputed database containing results for all possible phone numbers in the world. While many email addresses have more entropy, they too can be cracked using the billions of email addresses that have appeared in database breaches over the past 20 years.

https://arstechnica.com/gadgets/2021/04/apples-airdrop-leaks-users-pii-and-theres-not-much-they-can-do-about-it

#apple #mac #iphone #airdrop #vulnerability
📡 @nogoolag 📡 @blackbox_archiv

Qualcomm Chip Flaw Could Leave 30 Percent of the World's Phones Vulnerable to Hackers

https://gizmodo.com/qualcomm-chip-flaw-could-leave-30-percent-of-the-worlds-1846837667


#qc #Qualcomm #soc #hack #vulnerability

WiFi devices going back to 1997 vulnerable to new Frag Attacks

https://therecord.media/wifi-devices-going-back-to-1997-vulnerable-to-new-frag-attacks/

A Belgian security researcher has discovered a series of vulnerabilities that impact the WiFi standard, with some bugs dating back as far back as 1997 and affecting devices sold for the past 24 years.

The vulnerabilities, known as Frag Attacks, allow an attacker within a device’s WiFi radio range to gather information about the owner and run malicious code to compromise a device, may it be a computer, smartphone, or other smart device.

Devices are also vulnerable even if the WiFi standard’s security protocols were activated, such as WEP and WPA.


#WiFi #vulnerability #frag

Holes in the WiFi

https://lwn.net/Articles/856044/

The discoverer of the KRACK attacks against WPA2 encryption in WiFi is back with a new set of flaws in the wireless-networking protocols. FragAttacks is a sizable group of WiFi vulnerabilities that (ab)use the fragmentation and aggregation (thus "Frag") features of the standard. The fixes have been coordinated over a nine-month period, which has allowed security researcher Mathy Vanhoef time to create multiple papers, some slide decks, a demo video, patches, and, of course, a web site and logo for the vulnerabilities.

Three of the vulnerabilities are design flaws in the WiFi standards, so they are likely present in all implementations, while the other nine are various implementation-specific problems. The design flaws may be more widespread, but they are much harder to exploit "because doing so requires user interaction or is only possible when using uncommon network settings". That means the real danger from FragAttacks lies in the programming errors in various WiFi implementations. "Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities."

In fact, in the FAQ section of the web site, Vanhoef offers to list any products that he can verify as not having been affected by the flaws described on the site. He also notes that even though the design flaws are difficult to exploit on their own, they can be combined with the other flaws found to make for a much more serious problem. "In other words, for some devices the impact is minor, while for others it's disastrous."
...

#wifi #hole #vulnerability

A serious bug in #Linux from 12 years ago allows you to get root on any distro

To fix it upgrade or:
chmod 0755 /usr/bin/pkexec

#PwnKit: Local Privilege Escalation #Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)

https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

New Linux bug gives root on all major distros, exploit released.

A new Linux vulnerability known as 'Dirty Pipe' allows local users to gain root privileges through publicly available exploits.

Today, security researcher Max Kellermann responsibly disclosed the 'Dirty Pipe' vulnerability and stated that it affects Linux Kernel 5.8 and later versions, even on Android devices.

The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.

Kellerman discovered the bug after tracking down a bug that was corrupting web server access logs for one of his customers.

Kellerman states that the vulnerability is similar to the Dirty COW vulnerability (CVE-2016-5195) fixed in 2016.

https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/
https://dirtypipe.cm4all.com/

📡@cRyPtHoN_INFOSEC_EN

#linux #root #vulnerability

#Intel and #AMD Hertzbleed CPU #Vulnerability Uses Boost Speed to Steal Crypto Keys

Intel and researchers from UT Austin, UIUC, and UW published papers today outlining the 'Hertzbleed' chip vulnerability that allows side-channel attacks that can steal secret AES cryptographic keys by observing the CPU's boost frequency/power mechanisms. Both Intel and AMD CPUs are impacted.

The vulnerability impacts all Intel processors and AMD Zen 2 and Zen 3, but it isn't clear if it will impact the upcoming Zen 4 Ryzen 7000.

https://www.tomshardware.com/news/intel-amd-hertzbleed-cpu-vulnerability-boost-clock-speed-steal-crypto-keys

Fundamental flaws uncovered in Mega's encryption scheme — show the service can read your data

MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files — the researchers wrote on a website. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice, which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks — showcasing their practicality and exploitability.

https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/

#mega #vulnerability #cloud #data

MEGA Security Update

https://blog.mega.io/mega-security-update

Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.

Who is potentially affected?

Customers who have logged into their MEGA account at least 512 times (the more, the higher the exposure). Note that resuming an existing session does not count as a login. While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not, so their users may be exposed.

Who could have exploited the vulnerability?

Very few: An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.

What could have been the outcome?

Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. Furthermore, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).

#mega #cloud #vulnerability

KeePass exploit helps retrieve cleartext master password, fix coming soon – https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/

#KeePass #vulnerability

The code that wasn't there: Reading memory on an Android device by accident | The GitHub Blog – 2023

The bug was a somewhat accidental find, and although it can only be used to leak information, it is nevertheless a very powerful bug that can be used to leak large amounts of information to a malicious Android app; it can be used an unlimited number of times with no adverse effects on the running state of the phone. I’ll show how it can be used to leak information at the page level in the user space and kernel space. I’ll then use the kernel space information leak to construct a KASLR bypass. From a vulnerability research point of view, it’s also a rather subtle and perhaps one the most unusual bugs that I’ve ever found

#Android #Vulnerability #Bug #Qualcomm

New Python tool checks NPM packages for manifest confusion issues –

The problem is with the inconsistent information between a package's manifest data as displayed in the NPM registry and the data present in the 'package.json' file of the published package.

A malicious actor could manipulate the manifest data of a new package, eliminating certain scripts or dependencies so that they do not appear in the NPM registry.

However, these scripts or dependencies would still be present in the package.json file and would be executed when the package is installed, without the user being aware

#Github #cybersec #vulnerability

itnewsbot@schleuss.online - WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April - Enlarge (credit: Getty Images)

A newly discovered zeroday in t... - https://arstechnica.com/?p=1962625 #vulnerability #security #zipfiles #exploit #zeroday #biz⁢ #winrar

#Intel ‘Downfall’: Severe flaw in billions of #CPUs leaks passwords and much more

There is a serious security flaw in billions of Intel CPUs that can let attackers steal confidential data like passwords and encryption keys. Firmware updates can fix it, but at a potential significant performance loss.

https://www.pcworld.com/article/2025589/downfall-serious-security-vulnerability-in-billions-of-intel-cpus-how-to-protect-yourself.html

https://downfall.page/


>It only requires the attacker and victim to share the same physical processor core
>only
"if you let us in your house, we might steal your stuff!"

#vulnerability

Unpatchable vulnerability in Apple chip leaks secret encryption keys | Ars Technica –

A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday

#Apple #Vulnerability #Infosec

#Bluetooth #vulnerability allows unauthorized user to record & play audio on Bluetooth speaker via #BlueSpy

Prevention section explains how you can check if your Bluetooth LE speakers/headsets are vulnerable to this attack using nRF Connect app
https://www.mobile-hacker.com/2024/03/22/bluetooth-vulnerability-allows-unauthorized-user-to-record-and-play-audio-on-bluetooth-speakers/

#BlueDucky automates exploitation of Bluetooth pairing vulnerability that leads to 0-click code execution
▪️automatically scans for devices
▪️store MAC addresses of devices that are no longer visible but have enabled Bluetooth
▪️uses Rubber Ducky payloads
https://www.mobile-hacker.com/2024/03/26/blueducky-automates-exploitation-of-bluetooth-pairing-vulnerability-that-leads-to-0-click-code-execution/

Demonstration of using BlueDucky to exploit 0-click Bluetooth vulnerability of unpatched Android smartphone (CVE-2023-45866)
Exploit was triggered by Raspberry Pi 4 and then by Android running NetHunter
https://youtu.be/GOGW7U1f2RA

@androidMalware

Becoming any Android app via Zygote command injection | Meta Red Team X

We have discovered a vulnerability in Android that allows an attacker with the WRITE_SECURE_SETTINGS permission, which is held by the ADB shell and certain privileged apps, to execute arbitrary code as any app on a device. By doing so, they can read and write any app’s data, make use of per-app secrets and login tokens, change most system configuration, unenroll or bypass Mobile Device Management, and more. Our exploit involves no memory corruption, meaning it works unmodified on virtually any device running Android 9 or later, and persists across reboots.

#Zygote #Android #Vulnerability

Security flaw found in #android's WRITESECURESETTINGS showing attackers access to any app's data

https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html

#vulnerability