zero days – Page 7 – WindowsTechs.com

Google’s Project Zero details ‘indiscriminate’ hacking campaign against thousands of iPhones

Posted on August 30, 2019 by Jeff Stone

Researchers from Google on Thursday announced the discovery of a hacking campaign in which attackers spent two years using breached websites to try to siphon information off thousands of iPhones, a blockbuster announcement that upends traditional narratives around Apple device security. Google’s Project Zero detailed the malicious activity with five so-called exploit chains, which demonstrate how hackers linked together Apple vulnerabilities to infiltrate Apple’s protections. By directing iPhone connections to specific web pages, hackers proved capable of accessing a device’s kernel and other key functionality, access they could abuse to secretly install malicious apps, monitor a user’s location, or take other action, Google said. The vulnerabilities affect iOS versions 10 through iOS 12.4. The vulnerabilities were patched in the latest update, iOS 12.4.1. Google’s research team discovered a total of 14 vulnerabilities, including seven for the Safari browser, five for the kernel and another two sandbox escapes (exploits that enable […]

The post Google’s Project Zero details ‘indiscriminate’ hacking campaign against thousands of iPhones appeared first on CyberScoop.

Continue reading Google’s Project Zero details ‘indiscriminate’ hacking campaign against thousands of iPhones→

Microsoft Edge, Internet Explorer zero-days could allow spying on your browsing activity

Posted on April 2, 2019 by Jeff Stone

Two zero-day vulnerabilities in the updated versions of Microsoft Edge and Internet Explorer could enable outsiders to access confidential information shared between websites, according to new security research highlighted by Trend Micro Tuesday. The browser vulnerabilities were first made public March 29 by James Lee, a 20-year-old security researcher who says he first notified Microsoft about the issues 10 months ago. A Trend Micro analysis of the attacks found that if a web user visits a malicious page using either browser, attackers can exploit a process known as Origin Validation Error to gather information about other pages the user visited. Thieves could use this technique to bypass security measures and steal financial or other personal information, researchers said. “The browser is not restricting information about the website redirection properly, and instead allows [hackers] to access information about the client’s activities on other websites,” Trend Micro said in a blog post. “In […]

The post Microsoft Edge, Internet Explorer zero-days could allow spying on your browsing activity appeared first on CyberScoop.

Continue reading Microsoft Edge, Internet Explorer zero-days could allow spying on your browsing activity→

Tesla Model 3’s onboard browser attacked successfully at Pwn2Own

Posted on March 25, 2019 by Joe Warminsky

A prolific duo of white-hat hackers exploited a previously unknown flaw in the web browser for the Tesla Model 3’s infotainment system on the third and final day of the Pwn2Own competition in Vancouver, demonstrating the first automotive zero-day in the event’s history. Team “Flouroacetate” — aka Amat Cama and Richard Zhu — used the Tesla hack on Friday to cap off a dominant run in the competition, which takes place annually during the CanSecWest security conference. Cama and Zhu successfully demonstrated zero-day exploits on popular web browsers and widely used virtualization software during the first two days. The Zero Day Initiative (ZDI), the organization that runs Pwn2Own, didn’t release many details about the Tesla hack. Given the sensitivity of any flaws in automotive software, it’s hardly surprising. But the value of Cama and Zhu’s research to Tesla is clear: Not only did they win cash for their demonstration, they […]

The post Tesla Model 3’s onboard browser attacked successfully at Pwn2Own appeared first on CyberScoop.

Continue reading Tesla Model 3’s onboard browser attacked successfully at Pwn2Own→

Mozilla Firefox, Microsoft Edge succumb in web browser competition at Pwn2Own

Posted on March 22, 2019 by Joe Warminsky

The first day of this year’s Pwn2Own competition featured successful zero-day exploits on a popular web browser, and day two was no different, with the “Fluoroacetate” duo of Amat Cama and Richard Zhu turning their attention to Mozilla’s Firefox and Microsoft’s Edge. The team took home another $180,000 for their attacks, bringing their overall winnings to $340,000 for the competition, which highlights critical bugs in widely distributed software. Thursday’s winners also included Niklas Baumstark, who won $40,000 for a Firefox attack, and Arthur Gerkis of Exodus Intelligence, who won $50,000 for successfully targeting Edge. Competitors spend months preparing for the annual Pwn2Own hacking contest in Vancouver, which takes place during the CanSecWest security conference. Participants are tasked with trying to find vulnerabilities in widely used technology, and rewarded with cash prizes. They are only given a short amount of time to demonstrate their exploits for the crowd and judges. Team Flouroacetate’s attacks on […]

The post Mozilla Firefox, Microsoft Edge succumb in web browser competition at Pwn2Own appeared first on CyberScoop.

Continue reading Mozilla Firefox, Microsoft Edge succumb in web browser competition at Pwn2Own→

Apple, Oracle, VMware products successfully hacked at Pwn2Own

Posted on March 21, 2019 by Joe Warminsky

The white-hat hacking team of Amat Cama and Richard Zhu, together known as “Flouroacetate,” took home the majority of the prize money available on the first day of this year’s Pwn2Own competition in Vancouver, demonstrating zero-day exploits against Apple’s Safari browser as well as virtualization software from Oracle and VMware. Other winners on Wednesday included “anhdaden,” also known as Phạm Hồng Phi of Singapore-based cybersecurity company STAR Labs, who targeted the Oracle software; and the phoenhex & qwerty team — Bruno Keith, Niklas Baumstark and Luca Todesco — which targeted Safari. Flouracetate won $160,000 total, while anhdaden earned $35,000 and phoenhex & qwerty claimed $45,000 in prize money. Confirmed! @fluoroacetate leveraged a race condition leading to an out-of-bounds write to escalate from a #VMware client to execute code on the host OS. The effort brings them another $70,000 and 7 more Master of Pwn points. Their Day 1 total is $160,000 […]

The post Apple, Oracle, VMware products successfully hacked at Pwn2Own appeared first on CyberScoop.

Continue reading Apple, Oracle, VMware products successfully hacked at Pwn2Own→

Zero-Days in Counter-Strike Client Used to Build Major Botnet

Posted on March 14, 2019 by Tara Seals

A full 39 percent of Counter-Strike 1.6 game servers on Steam were found to be malicious. Continue reading Zero-Days in Counter-Strike Client Used to Build Major Botnet→

Microsoft patches two zero-days exploited by FruityArmor, SandCat hacking groups

Posted on March 13, 2019 by Jeff Stone

Microsoft has released security updates for two vulnerabilities that researchers say have been exploited by suspected nation-state hacking groups dubbed FruityArmor and SandCat. The March edition of Microsoft’s Patch Tuesday — when the company introduces fixes for reported security problems — includes 64 updates, 17 of which were rated as “critical.” Attackers already have leveraged at least two of the bugs, CVE-2019-0808 and CVE-2019-0797, according to researchers from Google and Russian security vendor Kaspersky Lab. Both bugs are known as elevation of privilege vulnerabilities, and could allow outsiders to manipulate Windows machines into authorizing an action that should not be allowed. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” Microsoft wrote in a security bulletin about the vulnerabilities. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The warning is not just theoretical. Kaspersky […]

The post Microsoft patches two zero-days exploited by FruityArmor, SandCat hacking groups appeared first on CyberScoop.

Continue reading Microsoft patches two zero-days exploited by FruityArmor, SandCat hacking groups→

Iranian APT, Equifax, & Crowdfense – Hack Naked News #210

Posted on March 12, 2019 by Security Weekly Productions

Severe RCE vulnerability affected popular StackStorm Automation software, Crowdfense is willing to pay $3 Million for iOS and Android Zero-Days, Equifax neglected cyber security prior to breach, Google launches new Cloud Security services, and an u… Continue reading Iranian APT, Equifax, & Crowdfense – Hack Naked News #210→

A Saudi Cybersecurity Company Tried to Buy Zero Day Exploits from Me

Posted on March 12, 2019 by Joseph Cox

We recently got a rare look at how a company tried to source these exploits through private one-on-one deals—because the company came to us. Continue reading A Saudi Cybersecurity Company Tried to Buy Zero Day Exploits from Me→

For sale: Gray-market iPhones that yield secrets to encryption

Posted on March 8, 2019 by Lisa Vaas

The prototype iPhones are slipping out of Apple’s supply chain with disabled security, to the delight of researchers and jailbreakers. Continue reading For sale: Gray-market iPhones that yield secrets to encryption→