
Security News

Malicious Chrome extension is next to impossible to manually remove

Quote

Proving once again that Google Chrome extensions are the Achilles heel of what’s arguably the Internet’s most secure browser, a researcher has documented a malicious add-on that tricks users into installing it and then, he said, is nearly impossible for most to manually uninstall. It was available for download on Google servers until Wednesday, 19 days after it was privately reported to Google security officials, a researcher said.

Once installed, an app called “Tiempo en colombia en vivo” prevents users from accessing the list of installed Chrome extensions by redirecting requests to chrome://apps/?r=extensions instead of chrome://extensions/, the page that lists all installed extensions and provides an interface for temporarily disabling or uninstalling them. Malwarebytes researcher Pieter Arntz said he experimented with a variety of hacks—including disabling JavaScript in the browser, starting Chrome with all extensions disabled, and renaming the folder where extensions are stored—and none of them worked. Removing the extension proved so difficult that he ultimately advised users to run the free version of Malwarebytes and let it automatically remove the add-on.

When Arntz installed the extension on a test machine, Chrome spontaneously clicked on dozens of YouTube videos, an indication that inflating the number of views was among the things it did. The researcher hasn’t ruled out the possibility that the add-on did more malicious things because the amount of obfuscated JavaScript it contained made a comprehensive analysis too time consuming. The researcher provided additional details in a blog post published Thursday.

Tiempo en colombia en vivo racked up almost 11,000 installs before Google removed it, but it may have found its way onto still more computers. That’s because a variety of abusive websites are using a technique that tricks inexperienced users into installing the extension. As Malwarebytes explained in late 2016, the forced install trick uses JavaScript to provide a dialog box that says visitors must install the extension before they can leave the page. Clicking cancel or closing the tab produces an unending series of variations on that message. Arntz said he privately reported the extension to Google on December 29 and that it remained available on the Chrome Store until Wednesday.

Arntz said he found a Firefox extension that also resisted user attempts to uninstall it, but the block was relatively easy to bypass. The researcher has yet to find any indication the add-on was available in the Firefox Extensions store.

Once again Caveat Emptor: Just because it is in an app store doesn’t mean it’s not malware.

Spectre and Meltdown Vulnerabilities

From our Partner ESET

On Wednesday, January 3rd, security researchers released details on vulnerabilities in several common processor designs. Some of these vulnerabilities specifically affect Intel chips, while other vulnerabilities are present in almost all AMD, ARM and Intel chips. These weaknesses may place sensitive system data at risk of exposure to attackers.

As stated by researchers, there are theoretical ways that antivirus software could detect the problem. However, detection would have an extremely negative impact on device performance, and significantly influence user experience; it would be a less effective approach than prevention. Therefore, we are recommending that users take the following steps:

  • Keep track of any related patches for their systems and apply them as soon as possible
  • Keep all other software updated, including web browsers
  • Be on the lookout for phishing emails, which are still the number one way for hackers to get a foothold on your computer

More details are available in the following links:

Google Chrome vows to carpet bomb meddling Windows antivirus tools

Quote

Browser will block third-party software from mucking around with pages next year.

By mid-2018 Google Chrome will no longer allow outside applications – cough, cough, antivirus packages – to run code within the browser on Windows.

“In the past, this software needed to inject code in Chrome in order to function properly; unfortunately, users with software that injects code into Windows Chrome are 15 per cent more likely to experience crashes.”

In particular, the target here seems to be poorly coded AV tools that can not only crash the browser or cause slowdowns, but also introduce security vulnerabilities of their own for hackers to exploit.

Rather than accept injected code, Chrome will require applications to use either Native Messaging API calls or Chrome extensions to add functionality to the browser. Google believes both methods can be used to retain features without having to risk browser crashes. With Chrome 68, the browser will block third-party code in all cases except when the blocking itself would cause a crash. In that case, Chrome will reload, allow the code to run, and then give the user a warning that the third-party software will need to be removed for Chrome to run properly. The warning will be removed and nearly all code injection will be disabled in January of 2019.

“While most software that injects code into Chrome will be affected by these changes, there are some exceptions,” said Hamilton.

“Microsoft-signed code, accessibility software, and IME software will not be affected.”
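The Native Messaging API mentioned above is the sanctioned replacement for in-process code injection: Chrome launches a separate host process and exchanges JSON messages with it over stdin/stdout, each prefixed by a 32-bit length in native byte order (with host-to-browser messages capped at 1 MB). The following is an added illustration of that framing, not code from the article or from Google; the `handle` allowlist and the in-memory `demo_exchange` are constructed for the example.

```python
import io
import json
import struct

MAX_HOST_MESSAGE = 1024 * 1024  # Chrome rejects host->browser messages over 1 MB
HEADER = struct.Struct("=I")    # 32-bit length prefix, native byte order


def encode_message(payload) -> bytes:
    """Serialize a JSON-able value into one length-prefixed native-messaging frame."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_HOST_MESSAGE:
        raise ValueError("message exceeds Chrome's 1 MB host-to-browser limit")
    return HEADER.pack(len(body)) + body


def read_message(stream):
    """Read one frame from the peer; returns None when the pipe is closed (EOF)."""
    raw_len = stream.read(HEADER.size)
    if len(raw_len) < HEADER.size:
        return None
    (length,) = HEADER.unpack(raw_len)
    body = stream.read(length)
    if len(body) != length:
        raise EOFError("truncated native-messaging frame")
    return json.loads(body.decode("utf-8"))


def handle(request) -> dict:
    """Hypothetical handler: the host answers only a fixed allowlist of actions."""
    action = request.get("action") if isinstance(request, dict) else None
    if action == "ping":
        return {"ok": True, "reply": "pong"}
    return {"ok": False, "error": "unsupported action"}


def serve(stdin, stdout) -> None:
    """Answer frames until the browser closes the pipe (use sys.stdin.buffer / sys.stdout.buffer under Chrome)."""
    while (request := read_message(stdin)) is not None:
        stdout.write(encode_message(handle(request)))
        stdout.flush()


def demo_exchange() -> list:
    """Constructed in-memory exchange standing in for Chrome's stdin/stdout pipes."""
    from_browser = io.BytesIO(encode_message({"action": "ping"}) + encode_message({"action": "launch"}))
    to_browser = io.BytesIO()
    serve(from_browser, to_browser)
    to_browser.seek(0)
    replies = []
    while (reply := read_message(to_browser)) is not None:
        replies.append(reply)
    return replies
```

The point for defenders is that the host runs in its own process with an explicit, auditable message surface, rather than executing inside Chrome's address space.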

Big Cable’s pillow talk with FCC to forbid US states from writing own net neutrality rules

Quote

The stomach-churning love-fest between the American cable industry and FCC Ajit Pai continues apace with Big Cable now pillow talking the federal regulator into how to prevent individual US states forming their own net neutrality protections.

Pai is expecting to call for a vote on dismantling net neutrality rules on December 14 – despite widespread opposition to the idea – but cable companies are worried that state legislators will simply write their own laws to effectively reintroduce them.

And so, joining a determined campaign by cable giants Verizon and Comcast to lobby against such actions, the wireless comms trade association CTIA has joined the fray, sending a letter to the FCC informing it how it can usurp such state efforts.

The CTIA even has its own simple anecdote to explain why it makes sense for the FCC to set the rules across the entire US: a train journey.

“A passenger riding on Amtrak between Washington D.C. and New York City travels through five different jurisdictions during the course of a 3.5-hour trip,” the letter argued. “If each of these jurisdictions were permitted to enforce its own rules regarding (for example) traffic prioritization, the rider’s mobile broadband usage during the trip would be subject to five different legal regimes, even if the rider spent the entire trip watching a single movie. This would be impracticable, and only underscores the risks inherent in a patchwork quilt of broadband regulation.”

The argument is, of course, gibberish: internet users pull content from all over the world every second of every day with it passing through hundreds of jurisdictions. And yet somehow the internet continues to function. How? Because internet traffic is not road or rail traffic.

Whether Pai and the other FCC commissioners are able to see through such obvious, false manipulation or get seduced by the appeal to their own importance, we will have to see. Or perhaps the bigger question: how far is Pai willing to go to please the cable industry? And is he prepared to make a fool of himself doing so? Infatuation is a difficult thing to judge.

More Holes than Swiss Cheese

Quote

Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes.

The November of Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat.

Microsoft’s patch dump addresses a total of 53 CVE-listed vulnerabilities, including three that already have been publicly detailed. Those include CVE-2017-11827, a memory corruption flaw in Edge and IE that lets webpages achieve remote code execution, CVE-2017-8700, a flaw in ASP.NET that lets web apps access restricted memory contents, and CVE-2017-11848, a flaw in IE that allows webpages to track users when they leave the website.

As usual, memory corruption and scripting engine flaws in IE and Edge make up the bulk of what Microsoft considers to be the highest risk flaws.

Those include a total of 17 CVE entries (CVE-2017-11837, CVE-2017-11839, CVE-2017-11841, CVE-2017-11861, CVE-2017-11862, CVE-2017-11870, CVE-2017-11836, CVE-2017-11838, CVE-2017-11840, CVE-2017-11843, CVE-2017-11846, CVE-2017-11859, CVE-2017-11871, CVE-2017-11873) described as browser scripting engine memory corruption holes that would allow attackers to execute arbitrary evil code on vulnerable PCs by crafting webpages that exploit the programming blunders.

Three other flaws, CVE-2017-11845, CVE-2017-11855, CVE-2017-11856, concern similar remote code execution holes in other components of Edge and Internet Explorer that can be exploited by malicious webpages.

….

And then there’s Adobe

Elsewhere, Adobe’s Flash Player has once again earned its moniker of The Internet’s Screen Door as the Windows, macOS and Linux versions of the browser plugin received fixes for five remote-code execution vulnerabilities.

The largest Adobe patch load, however, was reserved for Acrobat and Reader this month. The PDF readers were the subject of a whopping 62 CVE entries, most of which are remote code execution flaws triggered by opening a malformed PDF file.

Remember Shockwave Player? It got an update to fix CVE-2017-11294, a memory corruption flaw that would let a malformed Shockwave file achieve remote code execution.

Adobe also released updates for Photoshop CC, Connect, DNG Converter, InDesign, Digital Editions, and Experience Manager.

Updating Things: IETF bods suggest standard

Quote

A trio of ARM engineers have devoted some of their free time* to working up an architecture to address the problem of delivering software updates to internet-connected things.

Repeated IoT breaches – whether it’s cameras, light bulbs, toys or various kinds of sex toys – have made it painfully clear that too many Things aren’t updated, and/or can’t be.

A step in the right direction.

Equifax – the Disaster Continues

So I called Equifax this a.m. after logging into the Trust-ID site and seeing that after two weeks, the account was still stuck in Enrollment Processing. Awful. I was connected to poorly trained agents in the Philippines. They could not understand the issue. When I asked to speak to a supervisor I was simply put on hold. I called back and had the same issue. Next I tried to speak to an agent in the US. I was told to redial the number. Oh great, routed back to the Philippines. When I finally tried for a fourth time and demanded to speak to someone in the US, I was on hold for 10 minutes (after being promised 2 minutes) and I finally gave up.

Clearly, by outsourcing this they are still more concerned about making money than helping customers protect their private information.

Equifax needs to be completely wound down. It is dysfunctional from the top down.

Microsoft silently fixes security holes in Windows 10 – Leaves Win 7, 8 out in the cold

Quote

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creator’s Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and Windows 7 until January 14, 2020.

Read: We want you all on the Windows 10 Spyware Platform so we can farm all your information and target you with adverts.

Downloaded CCleaner lately? Oooops... malware laden

Quote

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users…. Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” researchers explained. “On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities.”

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.

There is no indication or evidence that any additional malware has been delivered through the backdoor. In the case of CCleaner Cloud, the software was automatically updated. For users of the desktop version of CCleaner, we encourage them to download and install the latest version of the software.