Tag: Byte

“Yahoobleed” flaw leaked private e-mail attachments and credentials

Yahoo promptly retired the ImageMagick library after failing to install a 2-year-old patch.

Yahoo retires ImageMagick library after 18-byte exploit leaks user email content

The simple line of code made it possible for attackers to view private Yahoo Mail images.

Yahoo! retires! bleeding! ImageMagick! to! kill! 0-day! vulnerability!

Purple Palace pays researcher US$778 bounty per byte

How would you like US$778 per byte for your exploit?…

You only need 60 bytes to hose Linux’s rpcbind

Sigh ... people just leave it on without blocking the port world+dog knows it uses. So patch it or close it, people.

A 60-byte payload sent to the UDP socket of the rpcbind service can crash its host by filling up the target's memory.…

Use of DNS Tunneling for C&C Communications

Often, virus writers don't even bother to encrypt or mask their communications. However, you do get the occasional off-the-wall approach that doesn't fall into either category.

Take, for instance, the case of a Trojan that Kaspersky Lab researchers discovered in mid-March and which establishes a DNS tunnel for communication with the C&C server.

XPan, I am your father

While we have previously written on the now infamous XPan ransomware family, some of its variants are still affecting users primarily located in Brazil.

This sample is what could be considered the “father” of other XPan ransomware variants.

A considerable number of indicators within the source code point to the early origins of this sample.

Old Malware Tricks To Bypass Detection in the Age of Big...

Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently.

This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the…

Unraveling the Lamberts Toolkit

The Lamberts is a family of sophisticated attack tools that has been used by one or multiple threat actors against high-profile victims since at least 2008.

The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers.

Android switches to native Java 8 support

Android's mobile application build system will natively support Java 8 features going forward, with Google deprecating the Jack toolchain. Jack has served as a toolchain to compile Java source code into Android dex bytecode, with Java providing the ...

PetrWrap: the new Petya-based ransomware used in targeted attacks

This year we found a new family of ransomware used in targeted attacks against organizations.

After penetrating an organization's network, the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization.

The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data.

KopiLuwak: A New JavaScript Payload from Turla

A new, unique JavaScript payload is now being used by Turla in targeted attacks.

This new payload, dubbed KopiLuwak, is being delivered using embedded macros within Office documents.

Firefox 51 Begins Warning Users of Insecure HTTP Connections

Mozilla Foundation took steps with the release of Firefox 51 on Tuesday to communicate more clearly to users when they land on an HTTP website collecting personal information such as passwords that the site may not be secure. Going forward, Firefox will display a gray lock icon with a red strikethrough in the address bar. Should the user click on the lock, a dialog box will pop up with text indicating the connection is not secure.

Eventually, Mozilla said, this will be the experience for all HTTP pages. “To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure,” a post to the Mozilla security blog said. “As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS.”

Mozilla’s move follows similar efforts by Google with its Chrome browser. Late last year, Google said that starting this month, Chrome users who navigate to some HTTP sites will be notified they’re on a site that isn’t secure.

On Tuesday, Mozilla also patched several critical security vulnerabilities. Topping the list of critical vulnerabilities is one described as an “excessive JIT code allocation allowing the bypass of ASLR and DEP.” JIT (just-in-time) compilation is a default process that handles how Java requests are made, allowing compiled byte code to run directly rather than taking the additional step of interpreting the code and then running it.

ASLR (address space layout randomization) guards against buffer-overflow attacks, and DEP (data execution prevention) protects operating systems from virus attacks launched from Windows system memory locations. “JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks,” according to the security advisory.

The vulnerability (CVE-2017-5375) impacts only Firefox 51. Other critical vulnerabilities include a use-after-free flaw (CVE-2017-5376) related to manipulating XSL in XSLT documents.

A second critical memory corruption flaw (CVE-2017-5377) was found impacting the open source 2D graphics library called Skia. Of the advisories rated high, three were use-after-free vulnerabilities related to web animations (CVE-2017-5379), DOM manipulation of SVG content (CVE-2017-5380) and a bug related to the Firefox Media Decoder (CVE-2017-5396). Several critical vulnerabilities were also found in Mozilla’s Extended Support Release (ESR) version of the Firefox browser.

Firefox ESR is a custom version of the Mozilla Firefox browser specifically designed for the special browser requirements of schools, government agencies and businesses that may be leery of forced browser updates that could disrupt line-of-business browser-based applications. One of those Firefox ESR critical security alerts (CVE-2017-5374) was a memory safety bug that with enough effort could be exploited to run arbitrary code, according to the advisory.

Another critical memory safety bug was found in Firefox and Firefox ESR 45.7 that also could be exploited to run arbitrary code.

Both Firefox ESR vulnerabilities were patched. The Firefox 51 browser also became the first of the major browsers to display a warning to users who run into a site that doesn’t support TLS certificates signed with the SHA-2 hashing algorithm.

According to Mozilla, SHA-1 warnings start this week for beta Firefox users and will roll out to all other users sometime after that.

The move is meant to protect users from collision attacks, where two or more inputs generate the same hash value.