Security Alerts & News
by Tymoteusz A. Góral

#2071 Researcher breaks reCAPTCHA using Google's speech recognition API
A researcher has discovered what he calls a "logic vulnerability" that allowed him to write a Python script capable of bypassing Google's reCAPTCHA by feeding its audio challenge to another Google service, the Speech Recognition API.

The researcher, who goes online only by the name of East-EE, released proof-of-concept code on GitHub.
#2070 Free decryption tools now available for Dharma ransomware
Computer users who have been affected by the Dharma ransomware and have held onto their encrypted files can now restore them for free. Researchers have created decryption tools for this ransomware strain after someone recently leaked the decryption keys.

Dharma first appeared in November 2016 and is based on an older ransomware family known as CrySiS. Files affected by it are easy to recognize because they carry the extension .[email_address].dharma, where the email address is the one the attacker uses as a point of contact.
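A small triage helper for the naming scheme described above, added here as an example (it is not code from the article or from the decryptor authors). It assumes the exact pattern given in the text, original name followed by a bracketed contact e-mail and the .dharma suffix, and the file listing it scans is constructed, not real victim data.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Pattern for the naming scheme described in the text:
#   <original name>.[<attacker e-mail>].dharma
# Assumption: the original name may itself contain dots, so the bracketed
# e-mail is matched from the end of the name rather than the first dot.
DHARMA_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\[\]]+@[^\[\]]+)\]\.dharma$",
    re.IGNORECASE,
)


class DharmaHit(NamedTuple):
    path: str
    original_name: str
    attacker_email: str


def parse_dharma_name(path: str) -> Optional[DharmaHit]:
    """Return a DharmaHit if the file name follows the Dharma extension scheme, else None."""
    name = path.rsplit("/", 1)[-1]
    m = DHARMA_RE.match(name)
    if not m:
        return None
    return DharmaHit(path, m.group("original"), m.group("email"))


def triage(paths: List[str]) -> Dict[str, List[DharmaHit]]:
    """Group suspected Dharma-encrypted files by the contact e-mail in the extension.

    Grouping by e-mail matters because each affiliate/campaign uses its own
    contact address, and the leaked keys are per-campaign rather than universal.
    """
    hits: Dict[str, List[DharmaHit]] = {}
    for p in paths:
        hit = parse_dharma_name(p)
        if hit:
            hits.setdefault(hit.attacker_email.lower(), []).append(hit)
    return hits


# Constructed sample listing (not real victim data).
SAMPLE_PATHS = [
    "/srv/share/budget-2016.xlsx.[decrypt@example.com].dharma",
    "/srv/share/notes.txt.[DECRYPT@example.com].dharma",
    "/srv/share/photo.jpg.[helpdesk@example.org].dharma",
    "/srv/share/readme.txt",
    "/srv/share/archive.tar.gz",
    "/srv/share/evil.[notanemail].dharma",   # bracketed but no '@': not the scheme
]

if __name__ == "__main__":
    for email, group in triage(SAMPLE_PATHS).items():
        print(f"{email}: {len(group)} file(s)")
        for h in group:
            print(f"  {h.path} -> original name {h.original_name!r}")
```

Run it against a `find /share -name '*.dharma'` listing to get a per-campaign count before deciding which decryptor key set applies.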
#2069 50 Google engineers volunteered to patch thousands of Java open source projects
A year ago, several Google engineers got together and laid the foundation of Operation Rosehub, a project in which Google employees used some of their official work time to patch thousands of open source projects against a severe and widespread Java vulnerability.

Known internally at Google as the Mad Gadget vulnerability, the issue (unsafe Java deserialization reachable through the Apache Commons Collections library) was discovered at the start of 2015 but came to everyone's attention in November 2015 after security researchers from Foxglove Security showed how it could be used to execute code on, and steal data from, WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS Java applications.
#2068 Researchers uncover PowerShell Trojan that uses DNS queries to get its orders
Researchers at Cisco's Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it over a protocol that is almost never blocked: the Domain Name System (DNS).

The malware was first discovered by a security researcher (@simpo13) who alerted Talos because of one peculiar feature of the code that he discovered: it called out Cisco's SourceFire security appliances in particular with the encoded text, "SourceFireSux."
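A detection heuristic for the kind of DNS command-and-control described above, added here as an example and not taken from the Talos report. It assumes the beacons are TXT queries whose leftmost label carries an encoded payload (long and high-entropy) and that many such queries go to one registered domain from one client; thresholds and the log format are constructed for the example, and `registered_domain` uses a naive last-two-labels rule rather than the public suffix list.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log lines (not real traffic):
#   <timestamp> <client-ip> <qtype> <qname>
SAMPLE_LOG = """\
2017-03-02T10:00:01Z 10.0.0.5 A www.example.com
2017-03-02T10:00:02Z 10.0.0.5 TXT 7a9f3c2e1b4d5a6f7a9f3c2e1b4d5a6f.c2.example.net
2017-03-02T10:00:03Z 10.0.0.5 TXT 3e8b1d0c9a7f2e4b3e8b1d0c9a7f2e4b.c2.example.net
2017-03-02T10:00:04Z 10.0.0.5 TXT 9c4a2f1e8d7b6a5c9c4a2f1e8d7b6a5c.c2.example.net
2017-03-02T10:00:05Z 10.0.0.5 TXT 1b2c3d4e5f6a7b8c1b2c3d4e5f6a7b8c.c2.example.net
2017-03-02T10:00:06Z 10.0.0.5 TXT 5d6e7f8a9b0c1d2e5d6e7f8a9b0c1d2e.c2.example.net
2017-03-02T10:00:07Z 10.0.0.7 TXT _dmarc.example.com
2017-03-02T10:00:08Z 10.0.0.7 A mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score far above dictionary labels."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: last two labels. Real deployments should use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line: str) -> Dict[str, str]:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def detect_dns_c2(log_text: str, min_txt_queries: int = 5,
                  min_label_len: int = 24, min_entropy: float = 3.0
                  ) -> List[Tuple[str, str, int]]:
    """Return (client, registered_domain, query_count) for every client/domain pair that
    issued at least min_txt_queries TXT queries whose leftmost label is both long and
    high-entropy. Legitimate TXT lookups (_dmarc, SPF) have short, readable labels."""
    per_pair: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] != "TXT":
            continue
        lead = rec["qname"].split(".")[0]   # payload-bearing label in beaconing-style C2
        if len(lead) >= min_label_len and shannon_entropy(lead) >= min_entropy:
            per_pair[(rec["client"], registered_domain(rec["qname"]))].append(rec["ts"])
    return [(client, domain, len(stamps))
            for (client, domain), stamps in per_pair.items()
            if len(stamps) >= min_txt_queries]


if __name__ == "__main__":
    for client, domain, count in detect_dns_c2(SAMPLE_LOG):
        print(f"suspect DNS C2: {client} -> {domain} ({count} payload-like TXT queries)")
```

Tune `min_txt_queries` to the beacon interval of the malware you are hunting: a tool that polls every few minutes will cross a threshold of five in well under an hour, while a one-off TXT lookup never will.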
#2067 Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token
I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.

Recently a bug I found in Slack was published on HackerOne and I wanted to explain it, and the method I used to discover it.
#2066 0patching a 0day: Windows gdi32.dll memory disclosure (CVE-2017-0038)
As you've probably noticed, the last Patch Tuesday didn't make it. Consequently a number of 0-days are getting published, with CVE-2017-0038 being the first one on the list. But don't worry, every cloud has a silver lining. I had some free time last week to look into the matter and as a result I can give you the very first 0patch for a 0-day.

CVE-2017-0038 is a bug in EMF image format parsing logic that does not adequately check the image dimensions specified in the image file being parsed against the number of pixels provided by that file. If the image dimensions are large enough, the parser is tricked into reading memory contents beyond the memory-mapped EMF file being parsed. An attacker could use this vulnerability to steal sensitive data that an application holds in memory, or as an aid in other exploits when ASLR needs to be defeated.
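The bug class described above, reduced to a constructed record format so it runs offline. This is an added example, not code from the 0patch post or from Windows; the header layout (width, height, bytes per pixel, a byte count, then pixel data) is invented for illustration and is not the real EMF record structure, and the "process memory" is a byte string with a made-up secret placed right after the mapped file. The vulnerable parser trusts the declared dimensions; the hardened one checks them against the bytes actually present.

```python
import struct

# Constructed record layout for illustration only (NOT the real EMF/EMR_* structure):
#   uint32 width | uint32 height | uint32 bytes_per_pixel | uint32 cb_bits | cb_bits bytes of pixels
HEADER = struct.Struct("<IIII")


class MalformedRecord(ValueError):
    """Raised by the hardened parser when declared dimensions exceed supplied data."""


def build_record(width, height, bpp, bits):
    """Serialize a record; an attacker controls width/height independently of bits."""
    return HEADER.pack(width, height, bpp, len(bits)) + bits


def parse_vulnerable(mapped, offset=0):
    """Trusts the declared dimensions: copies width*height*bpp bytes out of the
    mapping regardless of how many pixel bytes the file actually contains."""
    width, height, bpp, _cb_bits = HEADER.unpack_from(mapped, offset)
    start = offset + HEADER.size
    return mapped[start:start + width * height * bpp]


def parse_hardened(mapped, file_len, offset=0):
    """Rejects a record whose declared size exceeds the pixel bytes it supplies,
    or whose pixel data would run past the end of the mapped file."""
    width, height, bpp, cb_bits = HEADER.unpack_from(mapped, offset)
    start = offset + HEADER.size
    needed = width * height * bpp   # Python ints cannot overflow; in C check that first
    if bpp not in (1, 2, 3, 4) or needed > cb_bits:
        raise MalformedRecord(
            f"declared {width}x{height}x{bpp} = {needed} bytes, file supplies {cb_bits}")
    if start + cb_bits > file_len:
        raise MalformedRecord("pixel data extends beyond end of file")
    return mapped[start:start + needed]


def is_well_formed(mapped, file_len, offset=0):
    """Boolean wrapper around parse_hardened for callers that only need a verdict."""
    try:
        parse_hardened(mapped, file_len, offset)
        return True
    except MalformedRecord:
        return False


# Constructed process memory: the mapped file, immediately followed by unrelated
# data the application happens to hold (standing in for whatever lies after the mapping).
PIXELS = bytes([0x10, 0x20, 0x30, 0x40])             # enough for a 2x2 image at 1 byte/pixel
EVIL_FILE = build_record(8, 8, 1, PIXELS)             # declares 64 bytes, supplies 4
ADJACENT_SECRET = b"session-token:ABCDEF0123456789 "  # constructed neighbour data
MEMORY = EVIL_FILE + ADJACENT_SECRET
GOOD_FILE = build_record(2, 2, 1, PIXELS)


def leaked_bytes():
    """What the vulnerable parser hands back for the crafted file: the 4 real
    pixels plus whatever followed the mapping in memory."""
    return parse_vulnerable(MEMORY)


if __name__ == "__main__":
    leak = leaked_bytes()
    print("vulnerable parser returned", len(leak), "bytes:", leak)
    print("hardened parser accepts crafted file:", is_well_formed(MEMORY, len(EVIL_FILE)))
    print("hardened parser accepts benign file:", is_well_formed(GOOD_FILE, len(GOOD_FILE)))
```

In a native implementation the product `width * height * bpp` must itself be checked for integer overflow before it is compared with the byte count, otherwise a wrapped-around "needed" value passes the comparison and the same out-of-bounds read returns.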
#2065 Mike Pence used an AOL e-mail account for state business and it got hacked
As the US Republican vice presidential candidate, Mike Pence vigorously chastised Hillary Clinton for using a personal server to send and receive official e-mails while she was Secretary of State. Not only was the arrangement an attempt to escape public accountability, he said, it also put classified information within dangerous reach of hackers.

Now come revelations that Pence routinely used a private AOL account to conduct government business while he was governor of Indiana and that the account was hacked last summer, just months before he turned the heat on his Democratic rival over her personal e-mail server. Use of the AOL account for state business came to light in a 2,100-word article published Thursday evening by The IndyStar. The news outlet based its report on e-mails it received under a public records request. State officials declined to release an unspecified number of e-mails because the state considers them confidential and too sensitive to release to the public.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12