Google, Microsoft work together for a year to figure out new type of Windows flaw

Researcher finds building blocks for privilege escalation: Can they be assembled to create a flaw?

Google, Microsoft work together for a year to figure out new type of Windows flaw

Enlarge (credit: Marco Verch / Flickr)

One of the more notable features of Google Project Zero's (GPZ) security research has been its 90-day disclosure policy. In general, vendors are given 90 days to address issues found by GPZ, after which the flaws will be publicly disclosed. But sometimes understanding a flaw and developing fixes for it takes longer than 90 days—sometimes, much longer, such as when a new class of vulnerability is found. That's what happened last year with the Spectre and Meltdown processor issues, and it has happened again with a new Windows issue.

Google researcher James Forshaw first grasped that there might be a problem a couple of years ago when he was investigating the exploitability of another Windows issue published three years ago. In so doing, he discovered the complicated way in which Windows performs permissions checks when opening files or other secured objects. A closer look at the involved parts showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so. The big question was, could these elements be assembled in just the right way to cause a problem, or would good fortune render the issue merely theoretical?

The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file.

Read 15 remaining paragraphs | Comments

Epic says its Game Store is not spying on you

But Sweeney says it will stop accessing Steam friends lists without permission.

Despite what you may have read, Epic says this is not spyware.

Enlarge / Despite what you may have read, Epic says this is not spyware.

This week, certain corners of the gaming Internet have been abuzz with a bit of self-described "amateur analysis" suggesting some "pretty sketchy," spyware-like activity on the part of the Epic Game Store and its launcher software. Epic has now stepped in to defend itself from those accusations, while also admitting to an "outdated implementation" that can make unauthorized access to local Steam information.

The Reddit post "Epic Game Store, Spyware, Tracking, and You!" points to a wide-ranging set of implications based on some broad file and network access traffic observations when the Epic Game Store is running. But much of the post is focused on Epic's association with Chinese gaming giant Tencent, which owns a share of the company.

"Tencent is a significant, but minority shareholder in Epic," co-founder and CEO Tim Sweeney wrote in response to the conspiracy theory in one Reddit thread. "I'm the controlling shareholder of Epic... The decisions Epic makes are ultimately my decisions, made here in North Carolina based on my beliefs as a game developer about what the game industry needs!"

Read 6 remaining paragraphs | Comments

Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)

Earlier this month Check Point Research reported discovery of a 19 year old code execution vulnerability in the wildly popular WinRAR compression tool. Rarlab reports that that are over 500 million users of this program. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable […]

The post Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) appeared first on McAfee Blogs.

Earlier this month Check Point Research reported discovery of a 19 year old code execution vulnerability in the wildly popular WinRAR compression tool. Rarlab reports that that are over 500 million users of this program. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable systems before they can be patched.

One recent example piggybacks on a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,_next(2019)_[320].rar”

When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run.

Figure 1 – Malformed Archive detected by McAfee as CVE2018-20250!4A63011F5B88
SHA256: e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec

Figure 2 – Extracted non-malicious MP3 files

Figure 3 – Extracted Malware payload detected by McAfee as Generic Trojan.i
SHA256: A1C06018B4E331F95A0E33B47F0FAA5CB6A084D15FEC30772923269669F4BC91

In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.

 

McAfee advises users to keep their anti-malware signatures up to date at all times. McAfee products detect known and unknown malformed ACE files exploiting the vulnerability as CVE2018-20250![Partial hash] starting with the following content

  • V2 DATs version 9183 released March 2, 2019
  • V3 DATs version 3634 released March 2, 2019

Additional GTI coverage exists for email-based attacks, in tandem with the Suspicious Attachment feature. When this feature is enabled, Artemis![Partial hash] detections will occur on known exploits.

The post Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250) appeared first on McAfee Blogs.

An email marketing company left 809 million records exposed online

150GB database included mortgage amounts, info on credit ratings.

(GERMANY OUT) Leerstehendes Fabrikgebäude im Bonner Stadtteil Friesdorf. Vernagelte Eingangstüre mit zerschlagenen Scheiben    (Photo by JOKER / Karl-Heinz Hick/ullstein bild via Getty Images)

Enlarge / (GERMANY OUT) Leerstehendes Fabrikgebäude im Bonner Stadtteil Friesdorf. Vernagelte Eingangstüre mit zerschlagenen Scheiben (Photo by JOKER / Karl-Heinz Hick/ullstein bild via Getty Images) (credit: Ullstein Bild | Getty Images)

By this point, you've hopefully gotten the message that your personal data can end up exposed in all sorts of unexpected internet backwaters. But increased awareness hasn't slowed the problem. In fact, it's only grown bigger—and more confounding.

Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes of detailed, plaintext marketing data—including 763 million unique email addresses. The pair went public with their findings this week. The trove is not only massive but also unusual; it contains data about individual consumers as well as what appears to be "business intelligence data," like employee and revenue figures from various companies. This diversity may stem from the information's source. The database, owned by the "email validation" firm Verifications.io, was taken offline the same day Diachenko reported it to the company.

While you've likely never heard of them, validators play a crucial role in the email marketing industry. They don't send out marketing emails on their own behalf, or facilitate automated mass email campaigns. Instead, they vet a customer's mailing list to ensure that the email addresses in it are valid and won't bounce back. Some email marketing firms offer this mechanism in-house. But fully verifying that an email address works involves sending a message to the address and confirming that it was delivered—essentially spamming people. That means evading protections of internet service providers and platforms like Gmail. (There are less invasive ways to validate email addresses, but they have a tradeoff of false positives.) Mainstream email marketing firms often outsource this work rather than take on the risk of having their infrastructure blacklisted by spam filters, or lowering their online reputation scores.

Read 14 remaining paragraphs | Comments