Security Weekly 14

Security Weekly 14: Flash Is Coming to an End, Chrome Extensions Steal Traffic, the Key to Apple’s SEP Firmware Is Laid Out

We just want you to think about this figure: 1033 vulnerabilities in Flash Player have been patched since 2005! That is more than in Internet Explorer, more than in Windows XP.

  • At one time, Flash Player was a veritable revolution for the web: thanks to it, animation ran rampant on websites, along with video, bells and whistles, games for receptionists at the front desk and, of course, killer banners.

Adobe Flash Player is Ending

  • Most of all, Flash was loved by the black hats. For them its vulnerabilities were a hot commodity, and there has never been a shortage of them; 2015 was a particularly rich year, with another 329 new holes counted. But back in 2010, Jobs warned that it was time to take Flash out to the trash. His main argument was its closedness. Yes, the head of Apple admitted that his company has its own proprietary standards, but not for the Web! At the same time, by the way, Adobe did everything it could to prevent the emergence and development of alternative Flash players. As a result, we got free range for exploits and a feast for worms large and small.

On top of all these problems, Flash Player is slow on mobile devices, eats the battery, is insecure in itself, and makes the vendor’s platform dependent on Adobe.

  • And Jobs warned us about all this back when full web surfing was still impossible without Flash support. How events developed further, we know. There is less and less Flash on the web and more and more HTML5. Over the past three years the exodus has accelerated to almost free fall: from 80% of users visiting Flash sites every day in 2014 to 17% in 2017 (data for desktop Chrome users).

Now Adobe too has recognized the inevitable. Flash Player support will be discontinued by the end of 2020; Adobe has declared Flash a dead-end branch of evolution and told developers to switch to open formats like HTML5, WebGL and WebAssembly.

  • However, as is usual among humans, not everyone agrees with natural selection. Developer Juha Lindstedt, for example, organized a petition asking Adobe not to kill Flash but to hand the code over to the open-source community, where it would continue to be groomed and cherished.

Hacked Chrome extensions steal and replace advertising traffic.

Chrome Issues

Eight Chrome extensions have already been replaced by the bad guys. Proofpoint uncovered a simple scheme: the hackers send phishing emails to extension developers, and if they manage to obtain the developer’s credentials for Google services, they inject their code into the extension and upload it to the store in place of the original.

The list of compromised extensions:

  • Web Developer 0.4.9
  • Chrometana 1.1.3
  • Infinity New Tab 3.12.3
  • CopyFish 2.8.5
  • Web Paint 1.2.1
  • Social Fixer 20.1.1
  • TouchVPN
  • Betternet VPN

Curiously, the hackers frightened developers on behalf of the “Google Chrome Web Store Team”: your extension, they said, violates every rule there is and will be thrown out of the store, and if you want details, here is a link. The link, of course, led to a fake Google login page.

  • If the developer did not pay attention to the address the letter came from (why on earth would Google use Freshdesk?) or to the login page, the credentials flowed straight to the dashing guys. The extension with the embedded malicious code then spread to users through the update mechanism.
  • Once the extension launched, its code pulled a JS file over HTTPS from the command-and-control server, whose domain was generated on the fly. The user then roamed the Internet as usual, except that clicks on banners took him to very different sites. That, however, was not the worst of it. Sometimes the victim was shown a JS alert saying that her computer was infected, and clicking the alert led to the predictable place: a page with malware.

How effective the campaign was is not very clear; however, Alexa shows that traffic to such sites has grown from nothing to hundreds of thousands over the past month. Perhaps not only because of the hacked extensions, of course.

In addition to this malvertising, the trojanized extensions also stole Cloudflare credentials. According to Proofpoint, the hackers are thus preparing subsequent attacks that bypass the protection of sites behind Cloudflare.
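Since the trojanized builds reached users through the normal update channel, the practical defender’s question is “is one of the listed versions installed on this machine?” The following is an added example, not code from the article or from Proofpoint: it walks a Chrome profile’s Extensions directory (the Extensions/<id>/<version>_N/manifest.json layout is assumed, as is an unlocalized manifest name), matches each manifest against the list above, and exercises itself on a constructed three-extension profile (the CopyFish 2.8.6 entry is a made-up version, not from the article).

```python
import json
import tempfile
from pathlib import Path

# Builds the article lists as trojanized; None = no version given, flag any copy.
COMPROMISED = {
    "Web Developer": "0.4.9", "Chrometana": "1.1.3", "Infinity New Tab": "3.12.3",
    "CopyFish": "2.8.5", "Web Paint": "1.2.1", "Social Fixer": "20.1.1",
    "TouchVPN": None, "Betternet VPN": None,
}


def classify(name, version):
    """'compromised': listed name and version. 'review': listed name, other
    version (older copies auto-update into the bad build; later builds are
    not vouched for by the article). None: not on the list."""
    if name not in COMPROMISED:
        return None
    bad = COMPROMISED[name]
    return "compromised" if bad is None or version == bad else "review"


def scan_profile(extensions_root):
    """Walk Chrome's Extensions/<id>/<version>_N/manifest.json tree (assumed
    layout) and return (extension_id, name, version, verdict) for each hit.
    Localized manifests carry a '__MSG_name__' placeholder; not resolved here."""
    findings = []
    for manifest_path in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort
        name, version = manifest.get("name", ""), manifest.get("version", "")
        verdict = classify(name, version)
        if verdict:
            findings.append((manifest_path.parents[1].name, name, version, verdict))
    return findings


def demo():
    """Write a constructed three-extension profile to a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    sample = [("idaaaa", "Web Developer", "0.4.9"),   # the trojanized build
              ("idbbbb", "CopyFish", "2.8.6"),        # listed name, constructed other version
              ("idcccc", "uBlock Origin", "1.13.8")]  # not on the list
    for ext_id, name, version in sample:
        ext_dir = root / ext_id / f"{version}_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return sorted(scan_profile(root))
```

Point `scan_profile` at a real profile’s Extensions directory to inventory a machine; a "review" hit means the name is on the list but the installed version is not the one the article names.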

A hacker has published the key to Apple’s SEP firmware

Apple Hacked

Somebody has posted something that, according to him, is the key for decrypting the firmware of the Secure Enclave Processor, the cryptographic coprocessor in Apple chips. We should say that this is a state-of-the-art piece of hardware where iOS stores encryption keys and processes data from the Touch ID sensor.

  • Apple has not yet admitted that the key is real. However, it hastened to say that even if it is not a fake, there is no threat to user data. Most likely this is true, but not entirely. It was not for nothing that the company hid all the details about the SEP firmware: decrypted firmware can be examined and its vulnerabilities found, and no software more complicated than “hello world” is free of them.

Inside, the SEP has its own operating system which, by virtue of its total closedness and encryption, has all this time done without basic protection technologies such as memory randomization. This will seriously facilitate the creation of an exploit once vulnerabilities are found. So if xerub did not lie, Apple should hurry up with a revision of the SEP firmware: it looks like the race has started.