Security Alerts & News
by Tymoteusz A. Góral

History
#1929 Exploiting a misused C++ shared pointer on Windows 10
In this post I describe a detailed solution to my “winworld” challenge from Insomni’hack CTF Teaser 2017. winworld was an x64 Windows binary coded in C++11 and with most of Windows 10 built-in protections enabled, notably AppContainer (through the awesome AppJailLauncher), Control Flow Guard and the recent mitigation policies.

These can quickly be verified using Process Hacker (note also the reserved 2TB of CFGBitmap!).
#1928 PayPal users targeted in sophisticated new phishing campaign
Recent phishing scams targeted both Gmail and Yahoo, and now attackers have their sights set on PayPal with some very convincing bait. With fake websites and email campaigns that look real, it’s easy to be fooled, and potentially have your identity and money stolen by scammers. Here’s how it happens.

First, there’s an email with logos and verbiage that sounds great (that is, “look and sound authentic”). Notice, however, errors in grammar and syntax that suggest the author isn’t a native English speaker.
#1927 Netflix scam delivers ransomware
Netflix has a 93 million-strong subscriber base in more than 190 countries, so it’s unsurprising that cybercriminals want a piece of the pie. Among their modus operandi: stealing user credentials that can be monetized in the underground, exploiting vulnerabilities, and more recently infecting systems with Trojans capable of pilfering the user’s financial and personal information.

What other purposes can stolen Netflix credentials serve? Offer them up as a bargaining chip to fellow cybercriminals, for instance. Or more nefariously, use them as a lure to trick certain users into installing malware (and turn a profit in the process). If you’re planning to free ride your way into binge-watching your favorite shows on Netflix, think again. Your computer’s files may end up getting held hostage instead.
#1926 SMS-exploitable bug in Samsung Galaxy phones can be used for ransomware attacks
Samsung has patched a combo of four security flaws affecting Galaxy handsets, which an attacker could have combined and used to put devices in endless reboot loops or hijack handsets for ransomware.

Discovered by mobile security researchers from Context Information Security, these four bugs are exploitable via the ancient 17-year-old WAP protocol, still supported in modern-day smartphones.

Developed in 1999 and used to grant customers access to the Internet in the early days of mobile networks, the protocol also includes various other functions, such as the ability to send configuration files to the user's phone, in the form of SMS text messages.
#1925 WordPress 4.7.2 update fixes XSS, SQL injection bugs
Developers with WordPress fixed three security issues this week, including a cross-site scripting and a SQL injection vulnerability, with the latest version of the CMS.

The update, 4.7.2, was pushed Thursday, only two weeks after developers released the previous version.

Aaron Campbell, a WordPress core contributor, announced the update – a security release – on WordPress’ blog.

One of the issues, the SQL injection, affected WordPress’ WP_Query, a class used to access variables, checks and functions coded into the WordPress core. Mohammad Jangda, a web developer at Automattic – WordPress’ parent company – discovered the class is vulnerable when passing unsafe data. While the issue didn’t affect the WordPress core, Campbell writes that WordPress added hardening to prevent plugins and themes from causing further vulnerabilities.
#1924 Cisco warns of critical flaw in teleconferencing gear
Cisco Systems is warning customers of a critical vulnerability affecting three of its TelePresence MCU platform models. The flaw could give attackers the ability to remotely execute code on impacted systems or create conditions favorable to a denial-of-service (DoS) attack.

According to an advisory issued this week, the vulnerability (CVE-2017-3792) is tied to a proprietary device driver in the kernel of the Cisco TelePresence Multipoint Control Unit (MCU) Software used in platform models 4500, MSE 8510 and 5300 Series.

“The vulnerability is due to improper size validation when reassembling fragmented IPv4 or IPv6 packets,” wrote Cisco in its bulletin. Affected systems are those running software version 4.3(1.68) or later configured for “Passthrough” content mode.
#1923 Majority of Android VPNs can’t be trusted to make users more secure
Over the past half-decade, a growing number of ordinary people have come to regard virtual private networking software as an essential protection against all-too-easy attacks that intercept sensitive data or inject malicious code into incoming traffic. Now, a comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google's official Play Market finds that the vast majority of them can't be fully trusted. Some of them don't work at all.