Posts

Google fixes sixth Chrome zero-day exploited in the wild this year

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.


Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with one zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

Google Chrome 91.0.4472.101 has started rolling out worldwide and will become available to all users over the next few days.

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > About Google Chrome.

Google updated to version 91.0.4472.10

Six Chrome zero-days exploited in the wild in 2021

Few details regarding today’s fixed zero-day vulnerability are currently available, other than that it is a type confusion bug in V8, Google’s open-source C++ JavaScript and WebAssembly engine.

The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Google states that they are “aware that an exploit for CVE-2021-30551 exists in the wild.”

Shane Huntley, Director of Google’s Threat Analysis Group, says that this zero-day was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day fixed yesterday by Microsoft.

Today’s update fixes Google Chrome’s sixth zero-day exploited in attacks this year, with the other five listed below:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021

In addition to these vulnerabilities, news broke yesterday of a threat actor group known as Puzzlemaker that is chaining together Google Chrome zero-day bugs to escape the browser’s sandbox and install malware in Windows.

“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.

Microsoft…


Cisco fixes 6-month-old AnyConnect VPN zero-day with exploit code


Cisco has fixed a six-month-old zero-day vulnerability found in the Cisco AnyConnect Secure Mobility Client VPN software, with publicly available proof-of-concept exploit code.

The company’s AnyConnect Secure Mobility Client allows working on corporate devices connected to a secure Virtual Private Network (VPN) through Secure Sockets Layer (SSL) and IPsec IKEv2 using VPN clients available for all major desktop and mobile platforms.

Cisco disclosed the zero-day bug tracked as CVE-2020-3556 in November 2020 without releasing security updates but provided mitigation measures to decrease the attack surface.

While the Cisco Product Security Incident Response Team (PSIRT) said that CVE-2020-3556 proof-of-concept exploit code is available, it also added that there is no evidence of attackers exploiting it in the wild.

The vulnerability is now addressed in Cisco AnyConnect Secure Mobility Client Software releases 4.10.00093 and later.

These new versions also introduce new settings to help individually allow/disallow scripts, help, resources, or localization updates in the local policy, settings that are strongly recommended for increased protection.

Default configurations not vulnerable to attacks

This high severity vulnerability was found in Cisco AnyConnect Client’s interprocess communication (IPC) channel, and it may allow authenticated and local attackers to execute malicious scripts via a targeted user.

CVE-2020-3556 affects all Windows, Linux, and macOS client versions with vulnerable configurations; however, mobile iOS and Android clients are not impacted.

“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled,” Cisco explains in the security advisory. “Auto Update is enabled by default, and Enable Scripting is disabled by default.”

As further disclosed by the company, successful exploitation also requires active AnyConnect sessions and valid credentials on the targeted device.

Cisco added that the vulnerability:

  • Is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.
  • Is not remotely exploitable, as it requires local credentials on the end-user…
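The two preconditions above (Auto Update enabled and Enable Scripting enabled, with the advisory's defaults) lend themselves to a quick configuration audit. The following is an added example, not Cisco's code: it reads an AnyConnect VPN profile and reports whether the combination is present, and checks the client version against the fixed release named above. The element names AutoUpdate and EnableScripting and the sample profile are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; element names are assumed, not taken from Cisco docs.
SAMPLE_VULNERABLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

FIXED_VERSION = "4.10.00093"  # first fixed release per the advisory


def profile_settings(xml_text):
    """Collect the two relevant boolean settings, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix
        if local in ("AutoUpdate", "EnableScripting"):
            found[local] = (elem.text or "").strip().lower() == "true"
    return found


def is_vulnerable_config(xml_text):
    """True when both settings are on; missing settings fall back to the
    advisory's defaults (Auto Update on, Enable Scripting off)."""
    settings = profile_settings(xml_text)
    auto_update = settings.get("AutoUpdate", True)
    scripting = settings.get("EnableScripting", False)
    return auto_update and scripting


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_fixed_version(version):
    """True when the client release is 4.10.00093 or later."""
    return version_tuple(version) >= version_tuple(FIXED_VERSION)


def needs_action(version, xml_text):
    """Unpatched client with the vulnerable setting combination."""
    return not is_fixed_version(version) and is_vulnerable_config(xml_text)
```

Profiles that omit both elements are treated as default and therefore not vulnerable; disabling either setting, or upgrading, clears the finding.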


Google revises Project Zero’s Disclosure Policy to help improve zero-day vulnerability fixes


Project Zero, Google’s dedicated team of security analysts, has made changes to its Disclosure Policy to help reduce the time it takes for vulnerabilities to get fixed. Henceforward the security group will not make the technical details of a vulnerability public for 30 days if a vendor patches it before the 90-day or 7-day deadline. According to the group, the extra days are meant to allow for user patch adoption.

Google Project Zero’s revised policy says that if an issue remains unpatched after 90 days, technical details are made public immediately. If the issue is fixed within the 90-day timeframe, it will publish the details 30 days after the fix is released. The team also gives a 14-day grace period. If both parties agree, vulnerabilities can be disclosed earlier as well.


In the case of a zero-day vulnerability actively exploited in the wild, Project Zero will make the technical details public immediately if the issue remains unpatched after seven days. If the vendor has patched the issue within the stipulated time, technical details will be published 30 days after the fix. Vendors also have the option to request an additional 3-day grace period. Earlier, Google Project Zero did not give any grace period and made the details public seven days after reporting, regardless of when the bug was fixed.
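The two tracks described above (90+30 with a 14-day grace period, and 7+30 with a 3-day grace period for in-the-wild bugs) reduce to a small date calculation. This is an added example, not Project Zero's own tooling; it assumes, following the page's summary, that a requested grace period simply extends the patch deadline and that a fix landing after the (extended) deadline does not delay publication.

```python
from datetime import date, timedelta


def disclosure_deadline(reported, in_the_wild=False, grace_requested=False):
    """Date by which the vendor must ship a fix before details go public.

    reported:        date Project Zero reported the bug to the vendor
    in_the_wild:     True for a zero-day actively exploited in the wild
    grace_requested: vendor asked for the grace period (14 days, or 3 days
                     for in-the-wild bugs); assumed to extend the deadline
    """
    deadline_days = 7 if in_the_wild else 90
    grace_days = 3 if in_the_wild else 14
    deadline = reported + timedelta(days=deadline_days)
    if grace_requested:
        deadline += timedelta(days=grace_days)
    return deadline


def public_disclosure_date(reported, fixed=None, in_the_wild=False,
                           grace_requested=False):
    """Date technical details become public under the 2021 policy.

    fixed: date the vendor shipped a fix, or None if still unpatched.
    """
    deadline = disclosure_deadline(reported, in_the_wild, grace_requested)
    if fixed is None or fixed > deadline:
        # Unpatched at the deadline: details are published immediately.
        return deadline
    # Fixed in time: details are held for 30 days of patch adoption.
    return fixed + timedelta(days=30)


def disclosure_timeline(reported, fixed=None, in_the_wild=False,
                        grace_requested=False):
    """Summary of the outcome, handy for tracking several reports."""
    deadline = disclosure_deadline(reported, in_the_wild, grace_requested)
    fixed_in_time = fixed is not None and fixed <= deadline
    return {
        "deadline": deadline,
        "fixed_in_time": fixed_in_time,
        "public_on": public_disclosure_date(reported, fixed, in_the_wild,
                                            grace_requested),
    }
```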

The full list of changes for 2021 (Google)

According to the revised Disclosure Policy, Google aims to reduce the time between a bug being reported and a fix being rolled out to users. The policy also aims to ensure comprehensive fixes, and Google hopes it will reduce the time between a patch rollout and user adoption.


“This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines,” Google Project Zero further said.


OpenSSL fixes two high-severity crypto bugs – Naked Security



We’re sure you’ve heard of OpenSSL, and even if you aren’t a coder yourself, you’ve almost certainly used it.

OpenSSL is one of the most popular open-source cryptography libraries out there, and lots of well-known products rely on it, especially on Linux, which doesn’t have a standard, built-in encryption toolkit of its own.

Even on Windows and macOS, which do have encryption toolkits built into their distributions, you may have software installed that includes and uses OpenSSL instead of the operating system’s standard cryptographic libraries.

As its name suggests, OpenSSL is very commonly used for supporting network-based encryption using TLS, which is the contemporary name for what used to be called SSL.

TLS, or transport layer security, is what puts the padlock into your browser, and it’s probably what encrypts your email in transit these days, along with protecting many other online communications initiated by your computer.

So, when an OpenSSL security advisory reports exploitable vulnerabilities in the software…

…it’s worth paying attention, and upgrading as soon as you can.

The latest patches, which came out in OpenSSL 1.1.1k on 2021-03-25, fix two high-severity bugs that you should definitely know about:

  • CVE-2021-3449: Crash can be provoked when connecting to a vulnerable server.
  • CVE-2021-3450: Vulnerable client can be tricked into accepting a bogus TLS certificate.