Several weeks ago, no security researcher managed to crack Google's Chrome OS at CanSecWest Pwnium 3 in Vancouver, even though the deadline was extended from 2pm to 5pm at the researchers' request. Unfortunately, the Chrome browser itself was compromised by MWR Labs at Pwn2Own 2013, which was sponsored by HP and Google. This contest shows that Google Chrome is vulnerable.
Following is our analysis of Chrome browser security:
The Chrome browser was developed by Google and is now one of the most popular web browsers in the world. It integrates Google search, YouTube and many Google proprietary services. For personalization, the Chrome Web Store provides an abundance of extensions that modify and enhance the functionality of the Chrome browser.
Extensions are small software programs that bundle all their files (manifest.json, images, JavaScript and CSS...) into a single file that the user downloads and installs. This bundling means that, unlike ordinary web apps, extensions don't need to depend on content from the web.
manifest.json provides important information including the name, description, version, language and permissions...
The following code shows the supported manifest fields. (http://developer.chrome.com/extensions/manifest.html)
The only fields that are always required are name and version. Here we take content_scripts, permissions and update_url to explain their attributes and functions as follows:
content_scripts: JavaScript files that run in the context of web pages. By using the standard Document Object Model (DOM), they can read details of the web pages the browser visits, or make changes to them.
update_url: Sets the URL used for update checking.
permissions: To use most chrome.* APIs and extension capabilities, your extension must declare its intent in the manifest, often in the "permissions" field. For example, Google Mail Checker must have the following 2 permissions:
1. Access your data on *google.com
2. Access your tabs and browsing activity
A user may see a dialog requesting permissions when installing an extension. If the permissions are improperly assigned and the content_scripts include malicious code, the extension can do anything to your system.
For example, a malicious extension automatically posts and spreads malicious links on Facebook (Security Alert 2013-02-06: Watch out for Facebook video link). The malicious extension can also update itself automatically through the "update_url" setting and switch to other malicious jobs.
Chrome has supported extensions since version 4.0. Extensions were easy to develop, but also easy to exploit. Old versions of Google Chrome permitted related extensions to be set up automatically when a Windows application was installed, which made it easy to install malicious extensions on a victim's system without user permission.
So Google Chrome enhanced extension management from version 25.0: only extensions from the Chrome Web Store are available and there is no more automatic installation; every extension must be approved by the user before installation. However, there is no assurance that all extensions in the Chrome Web Store are secure.
On Facebook, the attacker pretends to be the victim's friend and shares attractive themes to lure victims into clicking the hyperlink and installing the malicious extension. The victim then posts many malicious links to his friends, so the malicious extension spreads constantly through victims' curiosity. The victim mistakenly believes his account has been stolen and changes his password, but that does not help; the victim has to remove the malicious extension from the Chrome browser.
For a more detailed scenario, please refer to our previous post:
Web browser plug-ins are additional pieces of software that add extra capabilities to your web browser, such as the ability to view movies, run Java applets, or see Flash animations. Unfortunately, since plug-ins run with all the privileges of real applications, they can do absolutely anything to your computer. In the past year, many 0-day vulnerabilities were reported in Java, and many security experts strongly recommend disabling it.
As seen from the above analysis, extensions and plug-ins are two vulnerable points in the Chrome browser. To make Chrome more secure, the Google Web Store should inspect all extensions strictly. Moreover, we would like to remind our customers:
1. Do not install any extensions from untrusted sources.
2. Check whether the permissions requested when installing an extension are reasonable.
3. Do not install unnecessary plug-ins. If you have any plug-ins installed, keep them up to date.
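To make reminder 2 concrete, here is an added example (not code from the original post or from Google) of a small Node.js script that reviews an extension's manifest.json for the risk signals discussed above: host permissions that cover every site, content_scripts injected into every page, sensitive chrome.* API permissions, and an update_url that points somewhere other than the Chrome Web Store. The two manifests are constructed samples, the list of "sensitive" APIs is this example's own choice rather than an official Chrome classification, and the attacker update host is a placeholder.

```javascript
// Added example: review a Chrome extension manifest for over-broad
// permissions and other risk signals discussed in the post.
// The manifests below are constructed samples, not real extensions.

// Host patterns that grant access to every site.
const BROAD_HOSTS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// API permissions that expose browsing activity or allow code/network control.
// (This list is an assumption for the example, not an official Chrome ranking.)
const SENSITIVE_APIS = new Set(['tabs', 'webRequest', 'webRequestBlocking',
  'cookies', 'history', 'management', 'proxy', 'debugger']);

// The Web Store's own update endpoint; anything else means self-hosted updates.
const WEB_STORE_UPDATE = 'https://clients2.google.com/service/update2/crx';

function isBroadHost(pattern) {
  return BROAD_HOSTS.includes(pattern);
}

// Return a list of findings (an empty list means nothing suspicious was found).
function reviewManifest(manifest) {
  const findings = [];

  for (const p of manifest.permissions || []) {
    if (isBroadHost(p)) findings.push(`host permission "${p}" grants access to every site`);
    else if (SENSITIVE_APIS.has(p)) findings.push(`sensitive API permission "${p}"`);
  }

  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadHost)) {
      findings.push(`content script ${JSON.stringify(cs.js || [])} injected into every site`);
    }
  }

  if (manifest.update_url && manifest.update_url !== WEB_STORE_UPDATE) {
    findings.push(`self-hosted update_url ${manifest.update_url}: the code can change after install`);
  }
  return findings;
}

// Constructed sample: a mail checker with permissions in the spirit of the
// two Google Mail Checker permissions listed above (google.com data + tabs).
const MAIL_CHECKER = {
  name: 'Mail Checker (sample)',
  version: '1.0',
  permissions: ['tabs', '*://*.google.com/'],
};

// Constructed sample: the shape of the Facebook-spreading extension described
// in the post: runs on every page and updates itself from a non-store server.
const SUSPICIOUS = {
  name: 'Free Theme Pack (sample)',
  version: '1.0',
  permissions: ['<all_urls>', 'tabs', 'webRequest'],
  content_scripts: [{ matches: ['*://*/*'], js: ['son.js'] }],
  update_url: 'http://attacker.example/update.xml', // placeholder host
};

for (const m of [MAIL_CHECKER, SUSPICIOUS]) {
  const f = reviewManifest(m);
  console.log(`${m.name}: ${f.length ? f.join('; ') : 'no findings'}`);
}
```

The mail checker still produces one finding ("tabs"), which is the point of reminder 2: a permission is not wrong by itself, but the user should be able to explain why a mail checker needs to see browsing activity. The theme-pack sample trips every check, and the self-hosted update_url is the one that matters most, because it means the code the user approved today can be silently replaced tomorrow.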
As many of you probably know, several South Korean banks and local media organizations have been hit by a critical cyber attack. None of the victim machines would boot anymore.
AegisLab has obtained the virus samples from the crashed computer networks of major South Korean banks and TV broadcasters.
In the sample we obtained, the virus overwrites the system's MBR (Master Boot Record) with the string "HASTATI".
The partition table is also destroyed.
The virus performs 3 jobs as follows:
1. taskkill /F /IM pasvc.exe => terminates "AhnLab Policy Agent" (top anti-virus software in South Korea)
2. taskkill /F /IM Clisvc.exe => terminates "ViRobot" (famous anti-virus software in South Korea)
3. shutdown -r -t 0 => reboots immediately
Obviously, the attack was focused on South Korea.
After executing "shutdown -r -t 0", the blue screen of death appears...
reboot and then...
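As an added example (not from the original post), the following Node.js script shows how an incident responder can check an imaged boot sector for the two symptoms described above: the "HASTATI" marker string and a destroyed partition table. Both 512-byte sectors are constructed in memory; the layout of the "wiped" sector (the marker repeated across the whole sector) is an assumption for the example, not a description of the real sample's byte layout.

```javascript
// Added example: inspect a 512-byte boot sector for the damage described in
// the post (MBR overwritten with "HASTATI", partition table destroyed).
// The sectors below are constructed in memory; no real disk is touched.

const SECTOR_SIZE = 512;
const PART_TABLE_OFFSET = 446;   // four 16-byte partition entries start here
const PART_ENTRY_SIZE = 16;
const BOOT_SIG_OFFSET = 510;     // 0x55 0xAA marks a valid boot sector

// Parse the four partition entries; an entry whose type byte is 0 is unused.
function parsePartitions(sector) {
  const parts = [];
  for (let i = 0; i < 4; i++) {
    const off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE;
    const type = sector[off + 4];
    if (type === 0) continue;
    parts.push({
      index: i,
      bootable: sector[off] === 0x80,
      type,
      lbaStart: sector.readUInt32LE(off + 8),
      sectorCount: sector.readUInt32LE(off + 12),
    });
  }
  return parts;
}

// Return the raw observations for one boot sector.
function inspectMbr(sector) {
  if (sector.length !== SECTOR_SIZE) throw new Error('expected a 512-byte sector');
  const text = sector.toString('latin1');
  return {
    validSignature: sector[BOOT_SIG_OFFSET] === 0x55 && sector[BOOT_SIG_OFFSET + 1] === 0xaa,
    partitions: parsePartitions(sector),
    hastati: text.includes('HASTATI'),   // marker string reported in the post
  };
}

// Turn the observations into a one-line verdict, most specific symptom first.
function verdict(sector) {
  const r = inspectMbr(sector);
  if (r.hastati) return 'WIPED: HASTATI marker present';
  if (!r.validSignature) return 'DAMAGED: boot signature missing';
  if (r.partitions.length === 0) return 'DAMAGED: empty partition table';
  return `OK: ${r.partitions.length} partition(s)`;
}

// Constructed healthy MBR: one bootable NTFS partition at LBA 2048 and a valid signature.
function healthyMbr() {
  const s = Buffer.alloc(SECTOR_SIZE);
  s[PART_TABLE_OFFSET] = 0x80;                     // bootable flag
  s[PART_TABLE_OFFSET + 4] = 0x07;                 // type 0x07 = NTFS/exFAT
  s.writeUInt32LE(2048, PART_TABLE_OFFSET + 8);    // first LBA
  s.writeUInt32LE(204800, PART_TABLE_OFFSET + 12); // sector count
  s[BOOT_SIG_OFFSET] = 0x55;
  s[BOOT_SIG_OFFSET + 1] = 0xaa;
  return s;
}

// Constructed wiped MBR: the marker string repeated over the whole sector,
// which also destroys the partition table and the boot signature.
function wipedMbr() {
  const s = Buffer.alloc(SECTOR_SIZE);
  s.fill(Buffer.from('HASTATI', 'latin1'));
  return s;
}

console.log('healthy:', verdict(healthyMbr()));
console.log('wiped:  ', verdict(wipedMbr()));
```

On a real case the sector would come from a forensic image (the first 512 bytes of the disk image, read with fs.readSync into a Buffer), never from the live disk of an affected host. The verdict order matters: once the marker is present the partition entries are garbage, so parsing them first would produce misleading "partitions".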
For your Internet security, we urge our anti-virus customers to keep their signatures up to date.
Following our previous post, we have found some malicious extensions for the Chrome browser that generate real Likes on Facebook.
Once you click the malicious links embedded in spam mail, messages or any other hyperlinks and download the extension, the malware monitors your browser activity. If you are logged into Facebook with the Chrome browser, it will GET hxxp://goo.gl/iiWeL? (and also hxxp://fastotolike.com/yeni.php!)
The content of son.js in the extension is as follows:
There are two functions, abone and sayfa2, in "hxxp://fastotolike.com/yeni.php"; the partial content is shown below:
The function abone is for tracking someone:
The function sayfa2 generates Likes for someone:
Why does the malware generate Likes on Facebook? As we know, "On underground forums in Russia, a page with 100,000 likes sells for about $150 to $200", a security researcher said. Obviously, for the money.
For your Internet browsing security and to prevent malicious connections, we urge our customers to keep the WebGuard signature up to date.
An Indian security researcher, Shubham Upadhyay aka Cyb3R_Shubh4M, reported a new permanent (stored) XSS affecting the product listings on eBay.com.
AegisLab also tested it again immediately; so far, this vulnerability is still unfixed!!
Here is the page with the XSS injection code:
To exploit this flaw, you need an eBay seller account: log in to your account on eBay and create a listing for sale, then put XSS code into the HTML.
News of XSS vulnerabilities is nothing new, but they are still very dangerous. What are the threats of XSS? Everything from account hijacking, shopping and payment fraud, changing of user settings, cookie theft/poisoning, to false advertising is possible.
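The listing flaw above is a stored XSS: text one user saves is rendered as live markup for every other user. As an added example (illustrative code, not eBay's), the snippet below shows the vulnerable pattern of concatenating a seller-supplied description straight into the page beside the hardened pattern of encoding it on output, and counts how many script tags each rendering would actually hand to the browser. The listing is a constructed sample containing only a harmless marker.

```javascript
// Added example: why a seller-supplied listing description must be encoded
// before it is placed in a page. The listing text is a constructed sample
// (a harmless marker, not a real payload); the "vulnerable" and "hardened"
// renderers are illustrative, not eBay's code.

// Encode the five characters that can break out of HTML text or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: stored text is concatenated straight into the markup, so any
// tag in the seller's description becomes live markup for every visitor.
function renderListingVulnerable(listing) {
  return `<h1>${listing.title}</h1><div class="desc">${listing.description}</div>`;
}

// Hardened: every untrusted field is encoded on output, so the same text
// is displayed literally instead of being parsed as HTML.
function renderListingSafe(listing) {
  return `<h1>${escapeHtml(listing.title)}</h1><div class="desc">${escapeHtml(listing.description)}</div>`;
}

// Count the script tags a browser would execute in the rendered page.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed listing whose description contains markup instead of plain text.
const LISTING = {
  title: 'Vintage camera',
  description: 'Works great! <script>/* constructed marker */</script>',
};

console.log('vulnerable script tags:', countScriptTags(renderListingVulnerable(LISTING)));
console.log('hardened script tags:  ', countScriptTags(renderListingSafe(LISTING)));
```

Where a marketplace deliberately lets sellers use HTML in their listings, blanket output encoding is not an option; the equivalent defence is an allow-list sanitizer that keeps a fixed set of formatting tags and strips scripts, event-handler attributes and javascript: URLs. Encode-on-output, as shown here, remains the right choice for every field that is supposed to be plain text, such as the title.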
AegisLab found that the URL www.hv20.com/payroll/djia-finance.php was poisoned by Blackhat SEO.
The attack scenario is as follows:
Google search -> djia finance
-> hxxp://www.hv20.com/payroll/djia-finance.php
-> hopping site -> hxxp://78.159.118.51/in.cgi?10
-> the final download site -> hxxp://proddingappsumo.info/guaranteeing/means_phone- pool_occurs.php?tjn=33:2v:1h:2w:1m&wrgglxs=38&ciooh=33:30:32:2w:30:1n:31:1f:1m:1i&zuhy=1n:1d:1g:1d:1h:1d:1f
Copyright of AegisLab. All rights reserved. Add. 1F.-C6,No.1,Lising 1st Rd.,Science-Based Industrial Park, Hsinchu City 30078,Taiwan Tel. 886-3-5789399 Fax. 886-3-5789595