Saturday, February 25, 2017

Cyber Updates - 25/02

Hey all,

Here are this week's cyber updates:

(1) A new phishing campaign targeting Google Chrome users was recently discovered.
The campaign encourages users to download a fake font, which installs malware rather than a font. The attackers compromise legitimate websites (for example via the WordPress content injection vulnerability reported three weeks ago) so that pages display unreadable characters, and then "offer" the user a way to view the website's content by updating their "Chrome font package".

Once installed, the victim's machine is compromised. What is interesting to note about the attack is that the font dialog looks legitimate (it uses the same UI as Chrome itself).

This otherwise sophisticated attack makes the following mistakes:
1. The dialog window shows a hard-coded Chrome version (version 53, instead of the currently installed version).
2. The image encourages users to download Chrome_font.exe, when in fact the downloaded file is Chrome Font v7.5.1.exe.

That said, such mistakes are easily fixed, so users are asked not to install fonts when a website prompts them to do so.

Here are all the details:

(2) The Linux kernel was found to be vulnerable to yet another decade-old privilege escalation bug (CVE-2017-6074).
While the Dirty Cow bug (dating back to 2007) was discovered less than half a year ago, security researcher Andrey Konovalov has found an even older bug in the Linux kernel (dating back to 2005).
Specifically, the vulnerability is a use-after-free in the kernel's DCCP protocol implementation, which can allow an attacker to alter kernel memory.

Organizations are advised to update their kernels as soon as possible.

Here are all the details:

(3) A buffer overflow vulnerability in Cloudflare's edge servers was reported, allowing users to view sensitive information such as authentication tokens (when present in the server's memory). The vulnerability resulted from a flawed Ragel script used for HTTP rewriting, which caused the server to return more data than intended.
The data had already been cached by search engines, which led Cloudflare to wait several days before publishing the details of this vulnerability.
While the leaked memory could contain private information, SSL private keys could not have been compromised by this bug.
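The bug class behind item (3), as an added illustration that is not Cloudflare's code or its Ragel script: a small tag-stripping HTTP rewriter in C whose end-of-input test is an equality comparison (`p == pe`). When the body is cut off inside a tag, an unconditional `p++` steps one byte past `pe`, the equality test never fires again, and the rewriter copies whatever sits after the body into the response. The same loop with a `p >= pe` bound stops at the first byte past the end. The arena, the truncated body and the "secret" string are constructed for this example, and the `end` guard exists only so the demo terminates instead of crashing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed backing store for the demo: the HTTP body being rewritten sits
   directly in front of unrelated data, standing in for another request's
   secrets that happened to be adjacent on the heap. Keeping everything in one
   array makes the over-read below well defined so the demo can run safely. */
#define DOC    "<p>x</p><script"                   /* body cut off inside a tag */
#define SECRET "COOKIE=sid-example-42;"            /* constructed, not a real token */
#define FILLER "................................"  /* more adjacent heap */

static const char arena[] = DOC SECRET FILLER;

typedef enum { CHECK_EQUAL, CHECK_BOUND } end_check;

/* Copy the body into out, dropping <...> tags. 'pe' is one past the last byte
   of the body; 'end' marks the end of everything mapped in this demo (the real
   parser had no such guard and kept reading until the response was full).
   Returns the number of bytes written to out. */
static size_t strip_tags(const char *p, const char *pe, const char *end,
                         char *out, size_t outcap, end_check mode)
{
    size_t n = 0;
    for (;;) {
        /* End-of-input test. The buggy form stops only when p lands exactly
           on pe; once p has stepped past pe it never stops on its own. */
        if (mode == CHECK_EQUAL ? (p == pe) : (p >= pe))
            break;
        if (p >= end || n >= outcap)      /* demo guard / output buffer full */
            break;
        if (*p == '<') {
            p++;                                  /* skip '<' */
            while (p < pe && *p != '>')           /* bounded walk to '>' */
                p++;
            p++;  /* skip '>' unconditionally: on a cut-off tag this is pe+1 */
            continue;
        }
        out[n++] = *p++;
    }
    return n;
}

/* Run the rewriter over the constructed arena with the chosen end check. */
size_t rewrite_demo(end_check mode, char *out, size_t outcap)
{
    const char *doc = arena;
    const char *pe  = arena + strlen(DOC);
    const char *end = arena + sizeof arena - 1;   /* exclude the literal's NUL */
    return strip_tags(doc, pe, end, out, outcap, mode);
}

int main(void)
{
    char out[64];
    size_t n;

    n = rewrite_demo(CHECK_EQUAL, out, sizeof out);
    printf("p == pe : %zu bytes: \"%.*s\"\n", n, (int)n, out);   /* leaks SECRET and beyond */

    n = rewrite_demo(CHECK_BOUND, out, sizeof out);
    printf("p >= pe : %zu bytes: \"%.*s\"\n", n, (int)n, out);   /* just "x" */
    return 0;
}
```

With the equality check the output starts with the one legitimate byte and then carries the adjacent "cookie" and filler until the demo guard stops it; with the bound check the same input yields only that one byte. The general lesson is that any hand-written or generated scanner which advances `p` by more than the bound it just tested needs its termination test written as `p >= pe`, not `p == pe`.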

Here are all the details:

Stay tuned for more updates,

Dan Gurfinkel
Head of Offensive Security & Response Unit