[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products.

The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20 years.

What are Spectre and Meltdown?

We have explained both, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), exploitation techniques in our previous article.

In short, Spectre and Meltdown are the names of security vulnerabilities found in many processors from Intel, ARM and AMD that could allow attackers to steal your passwords, encryption keys and other private information.

Both attacks abuse 'speculative execution' to access privileged memory—including those allocated for the kernel—from a low privileged user process like a malicious app running on a device, allowing attackers to steal passwords, login keys, and other valuable information.

Protect Against Meltdown and Spectre CPU Flaws

Some, including US-CERT, have suggested the only true patch for these issues is for chips to be replaced, but this solution seems to be impractical for the general user and most companies.

Vendors have made significant progress in rolling out fixes and firmware updates. While the Meltdown flaw has already been patched by most companies like Microsoft, Apple and Google, Spectre is not easy to patch and will haunt people for quite some time.

Here's the list of available patches from major tech manufacturers:

Windows OS (7/8/10) and Microsoft Edge/IE

Microsoft has already released an out-of-band security update (KB4056892) for Windows 10 to address the Meltdown issue and will be releasing patches for Windows 7 and Windows 8 on January 9th.

But if you are running a third-party antivirus software then it is possible your system won’t install patches automatically. So, if you are having trouble installing the automatic security update, turn off your antivirus and use Windows Defender or Microsoft Security Essentials.

"The compatibility issue is caused when antivirus applications make unsupported calls into Windows kernel memory," Microsoft noted in a blog post. "These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot."

Apple macOS, iOS, tvOS, and Safari Browser

Apple noted in its advisory, "All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time."

To help defend against the Meltdown attacks, Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2, has planned to release mitigations in Safari to help defend against Spectre in the coming days.

Android OS

Android users running the most recent version of the mobile operating system released on January 5 as part of the Android January security patch update are protected, according to Google.

So, if you own a Google-branded phone, like Nexus or Pixel, your phone will either automatically download the update, or you'll simply need to install it. However, other Android users have to wait for their device manufacturers to release a compatible security update.

The tech giant also noted that it's unaware of any successful exploitation of either Meltdown or Spectre on ARM-based Android devices.

Firefox Web Browser

Mozilla has released Firefox version 57.0.4 which includes mitigations for both Meltdown and Spectre timing attacks. So users are advised to update their installations as soon as possible.

"Since this new class of attacks involves measuring precise time intervals, as a partial, short-term mitigation we are disabling or reducing the precision of several time sources in Firefox," Mozilla software engineer Luke Wagner wrote in a blog post.

Google Chrome Web Browser

Google has scheduled the patches for Meltdown and Spectre exploits on January 23 with the release of Chrome 64, which will include mitigations to protect your desktop and smartphone from web-based attacks.

In the meantime, users can enable an experimental feature called "Site Isolation" that can offer some protection against the web-based exploits but might also cause performance problems.

"Site Isolation makes it harder for untrusted websites to access or steal information from your accounts on other websites. Websites typically cannot access each other's data inside the browser, thanks to code that enforces the Same Origin Policy." Google says.

Here's how to turn on Site Isolation:

• Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
• Look for Strict Site Isolation, then click the box labelled Enable.
• Once done, hit Relaunch Now to relaunch your Chrome browser.

Linux Distributions

The Linux kernel developers have also released patches for the Linux kernel with releases including versions 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97, which can be downloaded from Kernel.org.

VMware and Citrix

A global leader in cloud computing and virtualisation, VMware, has also released a list of its products affected by the two attacks and security updates for its ESXi, Workstation and Fusion products to patch against Meltdown attacks.

On the other hand, another popular cloud computing and virtualisation vendor Citrix did not release any security patches to address the issue. Instead, the company guided its customers and recommended them to check for any update on relevant third-party software.

Read More

WhatsApp Flaw Could Allow 'Potential Attackers' to Spy On Encrypted Group Chats

WhatsApp Flaw Could Allow 'Potential Attackers' to Spy On Encrypted Group Chats 

A more dramatic revelation of 2018—an outsider can secretly eavesdrop on your private end-to-end encrypted group chats on WhatsApp and Signal messaging apps.

Considering protection against three types of attackers—malicious user, network attacker, and malicious server—an end-to-end encryption protocol plays a vital role in securing instant messaging services.

The primary purpose of having end-to-end encryption is to stop trusting the intermediate servers in such a way that no one, not even the company or the server that transmits the data, can decrypt your messages or abuse its centralized position to manipulate the service.

In order words—assuming the worst-case scenario—a corrupt company employee should not be able to eavesdrop on the end-to-end encrypted communication by any mean.

However, so far even the popular end-to-end encrypted messaging services, like WhatsApp, Threema and Signal, have not entirely achieved zero-knowledge system.

Researchers from Ruhr-Universität Bochum (RUB) in Germany found that anyone who controls WhatsApp/Signal servers can covertly add new members to any private group, allowing them to spy on group conversations, even without the permission of the administrator.

As described by the researchers, in the pairwise communication (when only two users communicate with each other) server plays a limited role, but in case of multi-user chats (group chat where encrypted messages are broadcasted to many users), the role of servers increases to manage the entire process.

That's where the issue resides, i.e. trusting the company's servers to manage group members (who eventually have full access to the group conversation) and their actions.

As explained in the newly published RUB paper, titled "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," since both Signal and WhatsApp fail to properly authenticate that who is adding a new member to the group, it is possible for an unauthorized person—not a group administrator or even a member of the group—to add someone to the group chat.

What's more? If you are wondering that adding a new member to the group will show a visual notification to other members, it is not the case.

According to the researchers, a compromised admin or rogue employee with access to the server could manipulate (or block) the group management messages that are supposed to alert group members of a new member.

"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group," the paper reads. 

"Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces."

WhatsApp has acknowledged the issue, but argued that if any new member is added to a group, let's say by anyone, other group members will get notified for sure.

"We've looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user," a WhatsApp spokesperson told Wired. 

"The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."

But if you are not part of a group with very selected members, I'm sure many of you would relatively ignore such notifications easily.

Researchers also advised companies to fix the issue just by adding an authentication mechanism to make sure that the "signed" group management messages come from the group administrator only.

However, this attack is not easy (exception—services under legal pressure) to execute, so users should not be worried about it.

Read More

Google 0-Day Hunters Find 'Crazy Bad' Windows RCE Flaw

Google 0-Day Hunters Find 'Crazy Bad' Windows RCE Flaw

Google Project Zero's security researchers have discovered another critical remote code execution (RCE) vulnerability in Microsoft’s Windows operating system, claiming that it is something truly bad.

Tavis Ormandy announced during the weekend that he and another Project Zero researcher Natalie Silvanovich discovered "the worst Windows remote code [execution vulnerability] in recent memory. This is crazy bad. Report on the way."

Ormandy did not provide any further details of the Windows RCE bug, as Google gives a 90-day security disclosure deadline to all software vendors to patch their products and disclose it to the public.

This means the details of the new RCE vulnerability in Windows will likely be disclosed in 90 days from now even if Microsoft fails to patch the issue.

However, Ormandy later revealed some details of the Windows RCE flaw, clarifying that:

• The vulnerability they claimed to have discovered works against default Windows installations.
• The attacker does not need to be on the same local area network (LAN) as the victim, which means vulnerable Windows computers can be hacked remotely.
• The attack is "wormable," capability to spread itself.

Despite not even releasing any technical details on the RCE flaw, some IT professionals working for corporates have criticized the Google Project Zero researcher for making the existence of the vulnerability public, while Twitter's infosec community is happy with the work.

"If a tweet is causing panic or confusion in your organization, the problem isn't the tweet, the problem is your organization," Project Zero researcher Natalie Silvanovich tweeted.

This is not the first time when Google's security researchers have discovered flaws in Microsoft’s products. Most recently in February, Google researchers disclosed the details of an unpatched vulnerability impacting Microsoft's Edge and Internet Explorer browsers.

Microsoft released a patch as part of its next Patch Tuesday but criticized Google for making all details public, exposing millions of its Windows users at risk of being hacked.

Microsoft has not yet responded to the latest claims, but the company has its May 2017 Patch Tuesday scheduled tomorrow, May 9, so hopefully, it will include a security patch to resolve this issue.

Read More

Website of Popular Mac Software Hacked to Spread Malware

Website of Popular Mac Software Hacked to Spread Malware

f you have recently downloaded the popular open source video transcoder app HandBrake on your Mac, there are chances that your computer is infected with a notorious Remote Access Trojan (RAT).

The HandBrake team issued a security alert on Saturday, warning Mac users that one of its mirror servers to download the software has been compromised by hackers.

In case you aren't aware, HandBrake is an open source video transcoder app that allows Mac users to convert multimedia files from one format to another.

According to the HandBrake team, an unknown hacker or group of hackers compromised the download mirror server (download.handbrake.fr) and then replaced the Mac version of the HandBrake client (HandBrake-1.0.7.dmg) with a malicious version infected with a new variant of Proton.

Originally discovered in February on a Russian underground hacking forum, Proton is a Mac-based remote access trojan that gives attackers root access privileges to the infected system.

The affected server has been shut down for investigation, but the HandBrake team is warning that anyone who has downloaded HandBrake for Mac from the server between May 2 and May 6, 2017, has a "50/50 chance" of getting their Mac infected by Proton.

How to Check if You're Infected?

The HandBrake team has provided instructions for less technical folks, who can check if they've been infected.

Head on to the OSX Activity Monitor application, and if you see a process called "Activity_agent" there, you are infected with the trojan.

You can also check for hashes to verify if the software you have downloaded is corrupted or malicious. The infected app is signed with the following hashes:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

If you have installed a HandBrake.dmg with the above checksums, you are infected with the trojan.

How to Remove the Proton RAT?

The HandBrake developers have also included removal instructions for Mac users who have been compromised.

Follow the following instructions to remove the Proton Rat from your Mac:

Step 1: Open up the "Terminal" application and run the following command:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

rm -rf ~/Library/RenderFiles/activity_agent.app

Step 2: If ~/Library/VideoFrameworks/ includes proton.zip, remove the folder.

Step 3: once done, you should remove any installations of Handbrake.app you may find.

However, instead of stopping here; head on to your settings and change all the passwords that are stored in your OS X KeyChain or any browser password stores, as an extra security measure.

Meanwhile, Mac users who have updated to HandBrake version 1.0 or later are not affected by the issue, as it uses DSA signatures to verify the downloaded files, so malware-tainted version reportedly would not pass the DSA verification process.

Read More

Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password

Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password


WordPress, the most popular CMS in the world, is vulnerable to a logical vulnerability that could allow a remote attacker to reset targeted users’ password under certain circumstances.

The vulnerability (CVE-2017-8295) becomes even more dangerous after knowing that it affects all versions of WordPress — including the latest 4.7.4 version.

The WordPress flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers last year in July and reported it to the WordPress security team, who decided to ignore this issue, leaving millions of websites vulnerable.

"This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website," Golunski wrote in an advisory published today. "As there has been no progress, in this case, this advisory is finally released to the public without an official patch."

Golunski is the same researcher who discovered a critical vulnerability in the popular open source PHPMailer libraries that allowed malicious actors to remotely execute arbitrary code in the context of the web server and compromise the target web application.

The vulnerability lies in the way WordPress processes the password reset request, for the user it has been initiated.

In general, when a user requests to reset his/her password through forgot password option, WordPress immediately generates a unique secret code and sends it to user’s email ID already stored in the database.

What's the Vulnerability?

While sending this email, WordPress uses a variable called SERVER_NAME to obtain the hostname of a server to set values of the From/Return-Path fields.

Here, "From" refers to the email address of the sender and "Return-Path" refers to the email address where 'bounce-back' emails should be delivered in the case of failure in the delivery for some reason.

According to Golunski, an attacker can send a spoofed HTTP request with a predefined custom hostname value (for example attacker-mxserver.com), while initiating password reset process for a targeted admin user.

Since the hostname in the malicious HTTP request is an attacker-controlled domain, the From and Return-Path fields in the password reset email will be modified to include an email ID associated with the attacker's domain, i.e. wordpress@attacker-mxserver.com, instead of wordpress@victim-domain.com.

"Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker's choice. As a result, Wordpress will pass the following headers and email body to the /usr/bin/sendmail wrapper," Golunski says.

Don't get confused here: You should note that the password reset email will be delivered to victim's email address only, but since the From and Return-Path fields now point to attacker's email ID, the attacker can also receive reset code under following scenarios:

1. If, in case, the victim replies to that email, it will be delivered to attacker email ID (mentioned in 'From' field), containing a password reset link in the message history.
2. If, for some reason, victim's email server is down, the password reset email will automatically bounce-back to the email address mentioned in "Return-Path" field, which points to the attacker's inbox.
3. In another possible scenario, to forcefully retrieve bounce-back email, the attacker can perform a DDoS attack against the victim's email server or send a large number of emails, so that the victim's email account can no longer receive any email.

"The CVE-2017-8295 attack could potentially be carried out both with user interaction (the user hitting the 'reply' button scenario), or without user interaction (spam victim's mailbox to exceed their storage quota)," Golunski told The Hacker News in an email.

For obvious reason, this is not a sure shot method, but in the case of targeted attacks, sophisticated hackers can manage to exploit this flaw successfully.

Another notable fact on which successful exploitation of this flaw depends is that, even if WordPress website is flawed, not all web servers allow an attacker to modify hostname via SERVER_NAME header, including WordPress hosted on any shared servers.

"SERVER_NAME server header can be manipulated on default configurations of Apache Web server (most common WordPress deployment) via HOST header of an HTTP request," Golunski says.

Since the vulnerability has now been publically disclosed with no patch available from the popular CMS company, WordPress admins are advised to update their server configuration to enable UseCanonicalName to enforce static/predefined SERVER_NAME value.

Read More

Beware! Don't Fall for FireFox "HoeflerText Font Wasn't Found" Banking Malware Scam

Beware! Don't Fall for FireFox "HoeflerText Font Wasn't Found" Banking Malware Scam 


The malicious scam campaign, "The 'HoeflerText' font wasn't found," is back, which was previously targeting Google Chrome users to trick them into installing Spora ransomware on their computers.

This time the campaign has been re-designed to target Mozilla Firefox users with a banking trojan, called Zeus Panda.

Interestingly, the attackers behind this new campaign are so stupid that they forgot to change the name of the font, i.e. HoeflerText, due to which it was easily caught by Kafeine, a security researcher at Proofpoint.

As I previously warned — Next time when you accidentally land up on a suspicious website with jumbled content prompting to update the Firefox or Chrome font pack by downloading a missing text font to read the article… Just don't download it. It's obviously a trap.

Just like the previous one, the latest Firefox 'HoeflerText font wasn't found scam is also very convincing and easy to fall for.

The attack initiates with an alert message, which states that "The 'HoeflerText' font was not found," asking Firefox users to update their "Mozilla Font Pack."

Once clicked, it downloads a ZIP file (Mozilla_Font_v7.87.zip) on the victim’s system, containing a JavaScript file. Meanwhile, the screen will display a set of instructions, asking victims to run the JS file in order to install the missing "Mozilla Font Pack."

If the victims turned out to be so stupid that they run the JS file themselves, as instructed, the program will download the malware payload (.exe) from a remote server and then runs it automatically, injecting the Zeus Panda banking Trojan into the infected systems.

Panda is an online banking trojan that was initially found to be targeting banks in Europe and North America early last year and then started spreading itself to Brazil through at least three different exploit kits, including Angler, Nuclear, and Neutrino.

Once it infects a system, the Zeus Panda banking trojan contacts its command and control (C&C) server to send the infected device information, including a list of installed antivirus and firewall products.

Panda focuses on stealing banking credentials from users, as well as those of bitcoin exchanges, payment card services and online payments providers, prepaid cards, airline loyalty programs and online betting accounts, to name a few.

To protect yourself from such scams, always exercise caution when downloading anything from the Internet onto your computers. Moreover, keep your antivirus up-to-date and do not ever fall for scam asking you to update your Mozilla or Chrome font pack, as it already comes with everything you need.

Read More