Browser In Your Browser, Sock Puppets, Performance Killing Patches, & GIFShell – PSW #755
In the Security News: you liked the browser so much we put a browser in your browser, hackers are using sock puppets, the patch that kills performance, detect eavesdroppers, no more passwords, one-click account hijack thanks to JavaScript, the return of Shakata Ga Nai, GIFShell (or is it jifshell), Lexmark firmware confusion, and searching for a long lost copy of OS/2!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. Lexmark: Firmware update to fix Windows bug and vulnerability CVE-2022-29850 in mid-Sept. 2022"there is a vulnerability in older firmware versions that allows an attacker to modify the internal configuration files. However, this assumes that the attacker has already compromised the device and is therefore able to change the configuration files. In this case, there would be a risk of making this compromise permanent, i.e., after rebooting the device, it would remain compromised." - Trying to dig in and figure out how this works, not enough information yet.
- 2. GIFShell attack creates reverse shell using Microsoft Teams GIFsSo there are 7, yes, 7, vulnerabilities and general "flaws" in Microsoft Teams that allow an attacker to create a reverse shell using MS Teams. Some of the flaws include the chat transcripts being stored in a user-accessible log file and the ability to embed commands inside GIFs, which in turn are executed: "When a base64 encoded GIF is received in Microsoft Teams and appears in the Teams log files, the GIFs byte content is decoded, and the attacker’s malicious commands that are embedded in the GIF are executed as system commands on the victim’s machine." Microsoft will not immediately fix these vulnerabilities, stating: "This type of phishing is important to be aware of and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix." - Seriously? I thought we were past this.
- 3. New Linux malware evades detection using multi-stage deploymentInteresting how they used Shakata Ga Nai (Japanese for "nothing can be done about it"), more information can be found here: https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong. One of the interesting points is that many malware detection vendors may not be checking for older payload encoding, missing some malware that is encoded with Shakata Ga Nai (a polymorphic XOR additive feedback encoder), which was introduced into the Metasploit framework back in 2005. It also exploits PwnKit, the polkit vulnerability found by Qualys researchers last year. (Other article here: https://arstechnica.com/information-technology/2022/09/new-linux-malware-combines-unusual-stealth-with-a-full-suite-of-capabilities/)
- 4. Vulnerability in TikTok Android app could lead to one-click account hijackingJavaScript is neat: "The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers." I like this fix, but not certain how feasible it is: "we suggest using an approved list of trusted domains to be loaded to the application’s WebView to prevent loading malicious or untrusted web content."
- 5. Apple’s Killing the Password. Here’s Everything You Need to KnowIts webauthn: "Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (WC3). The passkeys themselves use public key cryptography to protect your accounts. As a result, a passkey isn’t something that can (easily) be typed. When you create a passkey, a pair of related digital keys are created by your system. “These keys are generated by your devices, securely and uniquely, for every account,”" webauthn: "Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device; a public key and randomly generated credential ID is sent to the server for storage. The server can then use that public key to prove the user’s identity." https://webauthn.guide/#about-webauthn - It sounds like an SSH keypair but for web applications?
- 6. Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically
- 7. Letting off steamBrowser-in-the-Browser attacks are neat because the URL bar looks legit and it has the SSL lock. I've seen this in the past where they are both just images rather than actual browser elements.
- 8. The Hunt For A Rare Version Of IBM’s OS/2"Big Blue were so anxious to take their OS into new markets that they localized it into languages which Microsoft hadn’t touched, of which Slovenian was one. But a couple of decades later, could a copy of this rare operating system version be found?"
- 9. Apple fixes actively exploited zero-day in macOS, iOS (CVE-2022-32917)"As is Apple’s custom, details about the attack(s) taking advantage of this flaw have not been shared, but it’s likely that they are targeted and limited. Nevertheless, users are advised to update their Apple devices as soon as possible."
- 10. Beijing rebukes U.S. over alleged cyberattack on Chinese university
- 11. WordPress project WPHash harvests 75 million hashes for detecting vulnerable plugins
- 12. Pro-Palestinian group GhostSec hacked Berghof PLCs in Israel
- 13. Boffins build microphone safety kit to detect eavesdroppers"TickTock, they explain, relies on the fact that digital MEMS microphones on commodity laptops emanate electromagnetic (EM) signals when active."The emanation stems from the cables and connectors that carry the clock signals to the mic hardware, ultimately to operate its analog-to-digital converter (ADC)," they explain. "TickTock captures this leakage to identify the on/off status of the laptop mic."
- 14. Retbleed fix slugs Linux VM performance by up to 70 percent" A 70 percent decrease in computing performance will, however, have a major impact on application performance that could lead to unacceptable delays for some business processes. VMware's tests were run on Intel Skylake CPUs – silicon released between 2015 and 2017 that will still be present in many server fleets." 70% is a lot, but also, servers hang around a while eh? So many advances have been made, yet older computing tech sticks around. I still find vulnerabilities in UEFI systems from a few years ago, and the supply chain dates these components back further. This is a problem.
- 1. Red Hat lets staff stay away from the office forever
- 2. California governor signs bill forcing social media company transparency
- 3. Cybercriminals Are Selling Access to Chinese Surveillance Cameras
- 4. US Indicts Iranians Who Hacked Power Company, Women’s Shelter
- 5. Transacting in Person with Strangers from the Internet – Krebs on Security
- 6. Hackers now use ‘sock puppets’ for more realistic phishing attacks
- 7. Hackers steal Steam accounts in new Browser-in-the-Browser attacks