Serious bug in fully patched Internet Explorer puts user credentials at risk

A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users' browsing sessions. Microsoft officials said they're working on a fix for the bug, which works successfully on IE 11 running on both Windows 7 and 8.1.

The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same-origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how websites can violate this rule when people use supported versions of Internet Explorer running the latest patches to visit maliciously crafted pages.
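To make the principle the bug bypasses concrete, here is an added example (not code from the article, the researcher, or Microsoft) of the origin comparison a browser performs before letting one document read another's cookies or DOM. Two URLs share an origin only when scheme, host and port all match. The cookie jar, its origins and cookie values are constructed for the illustration, and the jar is keyed by full origin as a simplification; real browser cookies are scoped by host and path rather than by port and scheme.

```javascript
// Added example: an explicit same-origin check of the kind browsers apply
// before allowing one document to touch another's DOM, cookies or storage.
// Two URLs share an origin only when scheme, host and port all match.
// Default ports (80 for http, 443 for https) are normalised so that
// "https://a.example" and "https://a.example:443" compare equal.

function origin(urlString) {
  const u = new URL(urlString);
  // URL.prototype.port is "" when the URL uses the scheme's default port,
  // so derive the effective port from the scheme in that case.
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const oa = origin(a);
  const ob = origin(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Toy cookie jar keyed by the origin that set each cookie (constructed data,
// simplified: real cookies are scoped by host and path, not full origin).
// It models what the policy protects: a script running at `requester` may
// read only the entries set by the same origin, so a page on
// attacker.example gets nothing from the news site's or the bank's entries.
const sampleJar = {
  "https://news.example/": ["session=abc123"],
  "https://bank.example/": ["auth=xyz789"],
};

function cookiesVisibleTo(requester, jar) {
  return Object.entries(jar)
    .filter(([setter]) => sameOrigin(requester, setter))
    .flatMap(([, cookies]) => cookies);
}

// Stand-alone usage: the attacker origin sees no cookies, the news site sees its own.
console.log(cookiesVisibleTo("https://attacker.example/", sampleJar)); // []
console.log(cookiesVisibleTo("https://news.example/article", sampleJar)); // ["session=abc123"]
```

A universal XSS flaw defeats exactly this gate inside the browser: the check above still says "different origin", but a page hosted by the attacker ends up running script in the news site's context anyway, which is why the demo can both inject content into the page and read whatever that origin stores.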

To demonstrate the attack, the demo injects the words "Hacked by Deusen" into the website of the Daily Mail. But it could also have stolen HTML-based data that the news site, or any other website, stores on visitors' computers. That means it would be trivial for attackers to use it to steal the authentication cookies many websites use to grant access to user accounts once a visitor has entered a user name and password. Once in possession of the cookie, an attacker could access the same restricted areas normally available only to the victim, including those with credit card data, browsing histories, and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.


Malicious Google Play apps (may have) hosed millions of Android handsets

Security researchers have once again found Google Play offering malicious apps that have been downloaded by millions of Android users. According to a blog post published Tuesday by antivirus provider Avast, the apps include the Durak card game app and at least two other titles. Combined, those apps have been installed as many as 15 million times. Researcher Filip Chytry wrote:

When you install Durak, it seems to be a completely normal and well-working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right?

Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action; however, if you approve you get redirected to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.

It's not the first time Google's official Android app bazaar has been found to host malicious apps. In the past, it has offered titles laced with surreptitious remote access trojans, Bitcoin miners, and rogue advertising networks. Three years ago, Google introduced a cloud-based scanner that scours Play for malicious apps, but attackers have been known to bypass it.

Google officials regularly remove apps from Play when they are found to be malicious. At the time this post was being prepared, all three apps flagged by Avast remained available for download.
