January 2021 Patch Tuesday forecast: New focus on security and software development

2020 is in the rearview mirror and most of us can’t get away fast enough. It was a year unlike any other, but 2021 looks to be unique as well. The year started out with continuing investigation into the cause and impact of the compromised SolarWinds Orion software. Many predictions said we were due for another major cyberattack leading into 2021, but no one foresaw this type of attack and the impact it had, leading … More

The post January 2021 Patch Tuesday forecast: New focus on security and software development appeared first on Help Net Security.

Ad-injecting malware hijacks Chrome, Edge, Firefox

When searching for things online, has a greater number of ads than usual been popping up at the top of your search results? If it has, and you’re using Microsoft Edge, Google Chrome, Yandex Browser, or Mozilla Firefox, you might have fallen prey to the ad-injecting Adrozek malware.

Ad-injecting malware

According to Microsoft, cybercriminals have been pushing it on users since at least May 2020 and, at its peak in August, it was observed on over 30,000 devices every day.

“Adrozek shows that even threats that are not thought of as urgent or critical are increasingly becoming more complex. And while the malware’s main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allow attackers to gain a strong foothold on a device,” the Microsoft 365 Defender Research Team warned.

Adrozek’s capabilities

Adrozek malware is capable of:

  • Modifying browser extensions by adding malicious scripts to them, which fetch additional scripts to injecting advertisements into search results
  • Modifying specific DLLs (depending on the browser), to turn off security controls that might detect its actions
  • Modifying browser’s security settings/preferences to (for example) add permissions that enable the malicious extensions to have more control over Chrome APIs, or to prevent the browsers from being updated with the latest versions.
  • Modifying several systems settings to have even more control of the compromised device and maintain persistence
  • Stealing user credentials (on Firefox)

“Adrozek is installed on devices through drive-by download,” Microsoft explained. “In our tracking of the Adrozek campaign from May to September 2020, we saw 159 unique domains used to distribute hundreds of thousands of unique malware samples. As this campaign is ongoing, this infrastructure is bound to expand even further.”

The crooks behind this campaign are earning money through affiliate advertising programs, i.e., they are paid for traffic referred to sponsored affiliated pages. Microsoft says that they didn’t see the injected ads point to malicious sites, but that could easily change.

Prevention and mitigation

Microsoft says that its Defender Antivirus on Windows 10 blocks the ad-injecting Adrozek malware and, by now, other security solutions likely do as well.

Users who have been infected have been advised to re-install their browsers.

“Considering the massive infrastructure that was used to distribute this threat on the web, users should also educate themselves about preventing malware infections and the risks of downloading and installing software from untrusted sources and clicking ads or links on suspicious websites,” Microsoft added.

“For enterprises, defenders should look to reduce the attack surface for these types of threats. Application control allows organizations to enforce the use of only authorized apps and services.”

November 2020 Patch Tuesday forecast: Significant OS changes ahead

November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release or maybe an early gift depending upon how you look at the new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.

November 2020 Patch Tuesday forecast

The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!

This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.

A big change regarding servicing stack updates (SSU) and the latest cumulative updates (LCU) has finally been made – LCUs and SSUs have been combined into a single cumulative monthly update! Moving forward we don’t have to worry about managing these separately. Microsoft recommends applying the latest SSU for Windows 10, version 2004 and then you can forget about SSUs in the future because they are automatically applied as needed in the cumulative updates.

This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.

Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.

November 2020 Patch Tuesday forecast

  • Expect Microsoft to get back on track this month. There was a major dip in common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended support updates for Windows 7 and Server 2008. Servicing stack updates to include ESUs are expected.
  • Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
  • Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
  • Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
  • Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
  • It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.

How secure is your web browser?

NSS Labs released the results of its web browser security test after testing Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, for phishing protection and malware protection.

web browser security

Key takeaways

  • Phishing protection rates ranged from 79.2% to 95.5%
  • For malware, the highest block rate was 98.5% and the lowest block rate was 5.6%
  • Protection improved over time; the most consistent products provided the best protection against phishing and malware.

Email, instant messages, SMS messages and links on social networking sites are used by criminals to lure victims to download and install malware disguised as legitimate software (a.k.a. socially engineered malware). Once the malware is installed, victims are subjected to identity theft, bank account compromise, and other devastating consequences.

Those same techniques are also used for phishing attacks, where victims are lured to websites impersonating banking, social media, charity, payroll, and other legitimate websites; victims are then tricked into providing passwords, credit card and bank account numbers, and other private information.

In addition, landing pages (URLs) from phishing websites are another way attackers exploit victim’s computers and silently install malicious software.

Protecting against malware and phishing

The ability to warn potential victims that they are about to stray onto a malicious website puts web browsers in a unique position to combat phishing, malware, and other criminal attacks.

To protect against malware and phishing attacks, browsers use cloud-based reputation systems that scour the internet for malicious websites and then categorize content accordingly, either by adding it to blocklists or whitelists, or by assigning it a score.

“As a result of the COVID-19 pandemic, employees have been forced to work from home and now have unprecedented remote access to corporate resources. Threat actors are shifting tactics to target these remote employees who may not benefit from corporate protection. This makes the protection offered by web browsers more important than ever,” said Vikram Phatak, founder of NSS Labs.

Tested browsers

  • Google Chrome – version 81.0.4044.113 – 81.0.4044.138
  • Microsoft Edge – version 83.0.478.10 – 84.0.516.1
  • Mozilla Firefox – version 75.0 – 76.0.1
  • Opera – version 67.0.3575.137 – 68.0.3618.125

Firefox 76 delivers new password security features and security fixes

Mozilla has released Firefox 76, which comes with critical security fixes and new features related to Firefox Lockwise, the browser’s password manager/generator that’s also available as a standalone app for iOS and Android.

Firefox password security

New Firefox password security features

Just in time for this year’s World Password Day, Mozilla has released new Firefox Lockwise features.

Starting with Firefox 76, users will be able to check whether any of the passwords they use are vulnerable (e.g., identical to a password that has been breached) and they will be alerted when their login and password is involved in a breach:

Firefox password security

Unfortunately, the Website Breach warning will not be shown when you visit the login page of the breached site, but only if you go to the menu button located on the far right of the browser’s toolbar and select “Logins and Passwords”, i.e., if you “enter” Firefox Lockwise.

Another new feature is one that makes it possible to share a device with others (e.g., family or roommates) without them being able to see your passwords or you theirs.

“When you try to view or copy a password from your ‘Logins and Passwords’ page, you will be prompted for your device’s account password before proceeding. Once the password is added, your credentials will be available to view and copy for up to five minutes,” Mozilla explained. This is one more reason for having a separate device account for each user.

Security fixes

Firefox 76 contains fixes for two critical flaws:

  • CVE-2020-12387, a use-after-free vulnerability arising from a race condition when running shutdown code for web worker (a JavaScript script executed from an HTML page that runs in the background), which could result in a potentially exploitable crash, and
  • CVE-2020-12388, a sandbox escape flaw that only affects Firefox on Windows operating systems.

Also deemed critical are a bunch of memory safety bugs that have been fixed both in Firefox 76 and Firefox ESR 68.7.

Two high-risk security holes that have also been plugged – a sandbox escape that, again, only affects Firefox on Windows operating systems, and a buffer overflow that could lead to memory corruption and a potentially exploitable crash.

For more details about the vulnerabilities go here.

Two critical Firefox vulnerabilities exploited by attackers, patch now!

Mozilla has released critical security updates for Firefox and Firefox ESR on Friday, patching two vulnerabilities that are being actively exploited by attackers.

Firefox vulnerabilities exploitedfixed in Firefox 74.0.1 and Firefox ESR 68.6.1 are:

  • CVE-2020-6819: A use-after-free flaw caused by a race condition while running the nsDocShell destructor
  • CVE-2020-6820: A use-after-free caused by a race condition when handling a ReadableStream

No additional details about them have been provided and the bug entries in Mozilla’s bug database are still unaccessible to the wider public. The bugs have been rated “critical”, which means that chances are high they can lead to remote code execution (whether individually or concatenated together).

The vulnerabilities (and presumably their active exploitation) have been flagged by security researchers Francisco Alonso and Javier Marcos.

One of Alonso’s comments on Twitter seems to indicate that the flaws may also affect other browsers:

Update ASAP

Home users and enterprise admins are advised to implement the provided updates as soon as possible.

I would also urge home users to think about making Firefox update itself every time a new update is made available, as recommended by Mozilla. If you generally don’t think twice about installing offered updates, the “Automatically install updates” option might be the right thing for you.

The last actively exploited Firefox zero-day vulnerability before these was patched in January 2020.

A new way for securing web browsers from hackers

A powerful new approach to securing web browsers is getting its first real-world application in the Firefox browser.

Developed by a team of researchers from The University of Texas at Austin, the University of California San Diego, Stanford University and Mozilla, the approach shifts some of the browser code into “secure sandboxes” that prevent malicious code from taking over the user’s computer.

The new approach is now part of a test release of the Firefox browser for the Linux operating system and could be available on Windows and MacOS platforms within a few months.

How does it work?

Web browsers use libraries of code to do common activities — such as rendering media files including photos, videos and audio — but these libraries often have unreported bugs that can be exploited by hackers to take control of a computer.

“Modern browsers are the nightmare scenario for security,” said Hovav Shacham, professor of computer science at UT Austin and co-author of a related paper accepted for presentation at a computer security conference to be held this August.

“They have every feature imaginable. The more features you have, the more bugs there are. And the more bugs there are, the more chances an attacker has to compromise people’s devices. Attackers love attacking browsers, and they really understand how to do it.”

To prevent hackers from exploiting these vulnerabilities, the researchers are adapting WebAssembly, a security mechanism originally designed to speed up web applications that run within a browser while keeping those applications within “secure sandboxes” that prevent malicious code from taking over the user’s computer.

Applications that take advantage of WebAssembly include games and apps that perform music streaming, video editing, encryption and image recognition. In the researchers’ new approach, some of the browser’s own internal components — those responsible for the decoding of media files — would be shifted into WebAssembly sandboxes.

Full release versions are expected

The new approach will initially be applied to a test version of Firefox for the Linux operating system and will secure just one rendering library used for certain fonts.

Assuming the initial tests go well, the team expects the approach will be gradually expanded to include stable, full release versions of the browser on all major operating systems. They also anticipate future expansion will include other components involved in rendering media files.

“If the initial tests go well, then Firefox could apply this to all the image, video and audio formats that the browser supports,” Shacham said. “The hope is that at some point, bugs in all of those libraries become useless for hacking Firefox. And if that happens, then user security would be greatly improved.”

Over time, as more parts of the browser get these improvements and are incorporated into versions on more operating systems, it could improve security for millions of users worldwide. There are roughly 250 million monthly active users of the Firefox browser on desktop computers.

“Defects happen,” said Eric Rescorla, Firefox CTO at Mozilla. “To keep our users secure on the internet, we need to ensure that a single programming error cannot easily compromise the browser. To date the industry’s approach to this problem has been very coarse-grained, which limits its effectiveness. We’re very excited to bring the new level of isolation provided by RLBox to our users.”

You can read more about this project from Mozilla’s Hacks Blog.

Mozilla patches actively exploited Firefox zero-day

Mozilla has patched a Firefox zero-day vulnerability (CVE-2019-17026) that is being exploited in attacks in the wild and is urging Firefox and Firefox ESR users to update their installations as soon as possible.

CVE-2019-17026

About CVE-2019-17026

A day after Mozilla released Firefox 72 – which blocks fingerprinting scripts by default for all users, replaces annoying notification request pop-ups from various sites with a speech bubble in the address bar, and fixes a number of security issues – the corporation pushed out Firefox 72.0.1 (and Firefox ESR 68.4.1) with a fix for CVE-2019-17026, a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for Mozilla’s JavaScript engine (SpiderMonkey).

According to the accompanying security advisory, the vulnerability was flagged by researchers with Chinese internet security company Qihoo 360 and is being actively abused by attackers.

That’s the extent of the information that’s currently available regarding this flaw, although, according to Catalin Cimpanu, the company let it slip that there is an accompanying Internet Explorer zero-day abused in these ongoing attacks.

Previous zero-days and attacks

The last Firefox zero-day before this one was plugged in June 2019. In fact, there were two: CVE-2019-11707 (also a type confusion flaw) and CVE-2019-11708 (a sandbox escape). Together they were used (unsuccessfully) against Coinbase employees.

Whether this latest flaw is being used for a similar purpose or for an alternative one (e.g., de-anonymization of Tor Browser users) is unknown.

Whatever the case, the Tor Project has announced they will be releasing a new version of the Tor Browser to implement Mozilla’s fix “soon”.