Microsoft today released updates to plug at least 26 separate security holes in its Windows operating systems and related software. At the same time, Microsoft has issued a stopgap fix for a newly-discovered flaw that attackers are actively exploiting.
The security fixes are included in seven security patch bundles, three of which earned Microsoft’s most dire “critical” label, signifying that attackers can exploit them without any help on the part of the user. Redmond patched vulnerabilities in Windows, Internet Explorer, Dynamics AX, Microsoft Lync (Microsoft’s enterprise instant message software), and the Microsoft .NET Framework.
Microsoft called out two patches as particularly important: the Internet Explorer bundle (MS12-037), which addresses 13 issues; and a critical flaw in the Windows remote desktop protocol (RDP). Updates are available for all supported versions of Windows, via Windows Update or Automatic Update.
In a separate advisory published today, Microsoft warned that it is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0 and 6.0. This is a browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.
A summary of the patches released today — with links to the individual patch advisories — is available here. As always, if you experience any issues applying these patches, please sound off in the comments below.
While it is nice to know that your product is good and better than your competitors’, sometimes you invite an opportunity to expose the chinks in your armour.
Buoyed by no zero-day attack ever having hit Chrome in the wild or at the previous three years’ contests, Google got bruised badly at the annual Pwn2Own hacker contest when Google got hacked.
It is wise that your friends overestimate and enemies underestimate you.
Maybe the hackers will be offered employment in any of these companies or, worse (better?), Google, a la Facebook.
What about the prize money of One Million Dollars?
“It was a rare event. To date, there are no known reports of a zero-day attack ever hitting Chrome in the wild, and at the previous three years’ contests, Chrome escaped unscathed, even as Internet Explorer, Firefox, and Safari were brought down by exploits that allowed the attackers to take complete control of the machine running the software. The chief reason: Chrome’s security sandbox—which isolates web content inside a highly restricted perimeter that’s separated from the rest of the operating system—makes it harder to write reliable attacks.
“We pwned Chrome to make things clear to everyone,” said Chaouki Bekrar, CEO of Vupen Security, which wielded the Chrome zero-day an hour or so after the contest began on Wednesday. “We wanted to show that even Chrome is not unbreakable.”
A contestant in the second contest, which Google has dubbed “Pwnium,” was also able to bypass the Chrome sandbox so he could execute any code of his choosing on the underlying machine. Sergey Glazunov wasn’t on site to discuss the hack. Google has said only that for him to win the top $60,000 reward, his exploit was required to bypass the sandbox using code native to Chrome.
Bekrar told Ars that his team’s attack exploited what’s known as a use-after-free bug to bypass DEP, or data execution prevention, and ASLR, or address space layout randomization. Both mitigations are designed to prevent hackers from executing malicious code even when they locate vulnerabilities. He said it exploited a second vulnerability that allows code to break out of the sandbox. He declined to detail the vulnerable component, except to say it was found in the “default” installation of the Google browser.
That detail led several observers to speculate that an Adobe Flash plugin was the means Vupen used to access more sensitive parts of the operating system. While Chrome runs the media player add-on in its own sandbox, the perimeter is considerably more porous than it is with other components, security researchers say. Core functionality in Flash, for instance, requires the app be able to control web cams and microphones, access system state, and connect to display monitors and other connected devices.
Now in its sixth year at the CanSecWest security conference in Vancouver, the contest rules this time around have been significantly reworked. In the past, organizer Tipping Point paid as much as $15,000 to the first person who exploited a fully patched version of each targeted software. Competitors on Wednesday scored 32 points for zero-day vulnerabilities, and they received 10 points each for exploiting already patched security flaws.
Google has pledged cash prizes totaling $1 million to people who successfully hack its Chrome browser at next week’s CanSecWest security conference.
Google will reward winning contestants with prizes of $60,000, $40,000, and $20,000 depending on the severity of the exploits they demonstrate on Windows 7 machines running the browser. Members of the company’s security team announced the Pwnium contest on their blog on Monday. There is no splitting of winnings, and prizes will be awarded on a first-come-first-served basis until the $1 million threshold is reached.
Now in its sixth year, the Pwn2Own contest at the same CanSecWest conference awards valuable prizes to those who remotely commandeer computers by exploiting vulnerabilities in fully patched browsers and other Internet software. At last year’s competition, Internet Explorer and Safari were both toppled but no one even attempted an exploit against Chrome (despite Google offering an additional $20,000 beyond the $15,000 provided by contest organizer Tipping Point).
Chrome is currently the only browser eligible for Pwn2Own never to be brought down. One reason repeatedly cited by contestants for its lack of attention is the difficulty of bypassing Google’s security sandbox.
“While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” wrote Chris Evans and Justin Schuh, members of the Google Chrome security team. “To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.”
In the same blog post, the researchers said Google was withdrawing as a sponsor of the Pwn2Own contest after discovering rule changes allowing hackers to collect prizes without always revealing the full details of the vulnerabilities to browser makers.
Google seems bent on getting your Private information whatever be the cost.
It is interesting to read the new privacy information in Google, where it never says what you want to know, nor do you become any wiser about what Google is saying on privacy. Please read my blog on this (under ‘internet’).
Like the Safari compromise, the IE9 compromise involves cookies — small bits of code that Web sites put into your Web browser. Those cookies usually don’t contain any personal information, but can keep track if you’ve visited a particular Web site so you don’t have to log in again every time you come back to the site. (Think how annoying it would be if you had to re-enter your Facebook ID every time you came back to Facebook, for instance.)
Early on the morning of August 23 the spam monitors at Barracuda Labs started detecting a large number of emails claiming to be from LinkedIn. The quantities were significant, tens of thousands an hour, and these were pretty convincing messages…
Most of these sorts of spam attacks simply link to a malware file which the browser then downloads and offers to run. If an antivirus doesn’t intercept such a file then Windows will ask for permission to run it and it is easy enough to say no.
But this attack is different and much more serious. Each of the malicious domains such as linkedin-reports.com or linkedin-alert.com hosts an exploit kit, a set of malicious payloads that quietly attempt to take advantage of weaknesses in the Web browser and its helper applications.
Clicking on the “follow this link” hyperlink in the message doesn’t appear to have any effect. Nothing seems to happen; however there is a lot going on behind the scenes.
Below is what the behind-the-scenes network traffic looked like.
…As convincing as they may be, these emails have nothing to do with LinkedIn. The from address is fake and the “Follow this link” hyperlink leads to one of a set of recently registered domains deliberately set up to serve malicious content….
It’s time to get out your pocket-squares and zit cream, Pwn2Own is coming up! This annual hacking competition, which takes place every March, gives hackers a chance to break into new systems, and to get paid for doing so. Companies like Apple, Google, and Firefox will offer up monetary prizes to geeks who can hack into their products.
In the past the prize money has been around $15,000. But this year is different. Google is offering $20,000 and a free Chrome CR-48 laptop to anyone who can successfully exploit two vulnerabilities in its code.
Two things. One, if Google really wanted to show confidence in Chrome, shouldn’t the prize money be like, $2 million? And two, this seems like a great way to find and hire Google’s next member of their security team. Let the hacking begin!
Personally, I am not impressed by the $20,000 award. That must mean they expect to give that money away, and have hedged their bet. What’s also interesting is that both Firefox and Apple are only offering $15K to anyone who can hack their browser’s security. That sounds like chump change.
Offer up $500K and you’ll have my attention, and the top spot in my choice of browser. With each company worth billions, let’s up the ante here, folks, and get some serious money on the table.
Of course this is all publicity for Chrome, which is currently third in popularity behind Internet Explorer and Firefox, but I think there’s something more to it. What a great way to find the flaws in the system, and to find the guy who is smart enough to discover them!
When the Pwn2Own goes down, will Google hand out $20K, a laptop, and a job to the person who can hack Chrome? It seems natural.
If you fancy yourself a computer wiz, have time to take a 3-day trip to Vancouver in March, and have always wanted to work for Google, get packing, and get hacking. Your shot’s coming up!