24.4.21

 


Google rushes out fix for zero‑day vulnerability in Chrome

The update patches a total of seven security flaws in the desktop versions of the popular web browser

Google has released an update for its Chrome web browser that fixes a range of security flaws, including a zero-day vulnerability that is known to be actively exploited by malicious actors. The bugs affect the Windows, macOS, and Linux versions of the popular browser.

“Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” said Google about the newly disclosed zero-day vulnerability that stems from a type confusion bug in the V8 JavaScript engine that is used in Chrome and other Chromium-based web browsers.

Beyond the zero-day flaw, the new release fixes six other security loopholes, with Google specifically listing four high-severity vulnerabilities where fixes were contributed by external researchers. The first, indexed as CVE-2021-21222, also affects the V8 engine; this time, however, it is a heap buffer-overflow bug.

The second flaw, tracked as CVE-2021-21225, also resides in the V8 component and manifests as an out-of-bounds memory access bug. As for CVE-2021-21223, it is found to affect Mojo as an integer overflow bug. The fourth high-severity vulnerability, labeled CVE-2021-21226, is a use-after-free flaw found in Chrome’s navigation.

“Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data,” warned the Center for Internet Security.

As is common with such releases, the tech titan is withholding further details about the security loopholes until most users have had a chance to update their web browsers to the newest available version, mitigating the chance of the vulnerabilities being exploited by threat actors.

The Government Computer Emergency Response Team Hong Kong (GovCERT.HK) issued a security alert advising users and system administrators to update their browsers. “Users of affected systems should update the Google Chrome to version 90.0.4430.85 to address the issue,” said the agency.

Considering the disclosed vulnerabilities, users would do well to update their browsers to the latest version (90.0.4430.85) as soon as practicable. If you have automatic updates enabled, your browser should update by itself. You can also manually update your browser by visiting the About Google Chrome section, which can be found under Help in the menu bar.
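For administrators who need to confirm the update across many machines, the following added example (not part of the original article) triages an inventory of Chrome version strings against the fixed build 90.0.4430.85. The host names, the sample inventory and the function names are assumptions; the strings follow the shape printed by `google-chrome --version`.

```python
import re

# Fixed build named in the article and in the GovCERT.HK alert.
# It applies to Google Chrome only; other Chromium-based browsers
# use their own version numbers.
FIXED_BUILD = (90, 0, 4430, 85)

# Matches a four-part version such as "90.0.4430.72".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory):
    """Split {host: version string} into patched, outdated and unknown hosts."""
    result = {"patched": [], "outdated": [], "unknown": []}
    for host, raw in sorted(inventory.items()):
        version = parse_version(raw)
        if version is None:
            # Empty or unparsable output: needs a manual check.
            result["unknown"].append(host)
        elif version >= FIXED_BUILD:
            # Tuple comparison is numeric per component, so a future
            # major version 100 sorts above 90 (a string compare would not).
            result["patched"].append(host)
        else:
            result["outdated"].append(host)
    return result


# Constructed sample data: hypothetical hosts and version strings.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 90.0.4430.85",
    "ws-002": "Google Chrome 90.0.4430.72",
    "ws-003": "Google Chrome 89.0.4389.128",
    "ws-004": "Google Chrome 100.0.1000.1",
    "ws-005": "",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
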

 

 

Instagram rolls out new features to help prevent cyberbullying

The social media platform is stepping up efforts to help stomp out harassment and other abusive behavior

 

Amer Owaida

 Instagram has unveiled new tools to help combat cyberbullying and other abusive behavior on the platform – a filter that will prevent users from seeing abusive Direct Messages (DMs) and a tool to stop someone a user has blocked from contacting them from another account.

“We understand the impact that abusive content – whether it’s racist, sexist, homophobic, or any other kind of abuse – can have on people. Nobody should have to experience that on Instagram. But combatting abuse is a complex challenge and there isn’t one single step we can take to eliminate it completely,” Instagram said in a blogpost introducing the tools. Indeed, cyberbullying has become a perennial problem on social media, with victims ranging from children to adults.

To protect user privacy, the Facebook-owned social media network doesn’t proactively monitor users’ DMs like it would other publicly viewable content on its platform. Instead, it is debuting a tool that will filter out abusive messages.

“That’s why we’re introducing a new tool which, when turned on, will automatically filter DM requests containing offensive words, phrases and emojis, so you never have to see them. This tool focuses on DM requests, because this is where people usually receive abusive messages – unlike your regular DM inbox, where you receive messages from friends,” explained the popular social network.

The new feature isn’t dissimilar from the previously introduced comment filtering system, which allows users to hide abusive or offensive comments, as well as set up a word filter that will hide comments that contain the flagged terms. Both the DM and comment filters can be set up through the Privacy Settings in the Hidden Words section.

While Instagram users will have the option to set up a custom list of words depending on what they consider offensive, the company has also worked with several leading anti-bullying and anti-discrimination organizations to create a predefined list of offensive words. Importantly, Instagram won’t see the content of the messages, since the filtering will be done natively on the device; however, users will have the option to report offensive behavior.

Although users were already able to block accounts of people who were harassing them, Instagram is also introducing a new tool that will allow them to also block any new accounts the offender creates to continue their tirades.

“This is in addition to our harassment policies, which already prohibit people from repeatedly contacting someone who doesn’t want to hear from them. We also don’t allow recidivism, which means if someone’s account is disabled for breaking our rules, we would remove any new accounts they create whenever we become aware of it,” said the platform.

While both tools should be rolled out to users over the upcoming months, the social media company acknowledged that there is still more work to be done, and promised to keep cooperating with organizations, experts, and teens to weed out abusive behavior.

 

21.4.21

ESET's endpoint detection and response capabilities tested in third MITRE Engenuity ATT&CK® evaluation


The MITRE Engenuity ATT&CK evaluation team pitted ESET Enterprise Inspector against attack techniques that emulated the Carbanak and FIN7 threat groups. ESET took part in an optional protection scenario.

ESET, a global leader in cybersecurity, announced the participation of ESET Enterprise Inspector (https://www.eset.com/int/business/solutions/endpoint-detection-and-response/) in the third round of the ATT&CK® evaluation. The MITRE Engenuity team used the MITRE ATT&CK® knowledge base (https://attack.mitre.org/) to carry out simulated attacks using the tactics and techniques of Carbanak and FIN7, known adversaries that target financial services and hospitality businesses. The third evaluation round began in the second half of 2020 and the results have just been announced.

“It was essential to know whether ESET Enterprise Inspector, our mature endpoint detection and response solution, could stand up to the tactics and techniques of advanced persistent threat groups. That is why we chose to take part in the ATT&CK® evaluation,” says Roman Kováč, director of research at ESET. “We have been tracking Carbanak since 2015, but as cybercriminals are constantly evolving, it is particularly important to keep up with their pace, to test our security solutions and to get expert feedback from the MITRE Engenuity team.”

In this exercise, ESET Enterprise Inspector was measured against dozens of ATT&CK techniques. In addition to the Detection category, ESET was one of the 17 vendors (out of a total of 29) that registered for a thorough assessment in the Protection category. The MITRE Engenuity team released a comparison tool that places vendors side by side, making it easier to find the differences between two selected solutions.

“MITRE's evaluations enable the security community to make better-informed decisions through a transparent evaluation process. We are pleased that ESET, together with several other vendors, took part in this important evaluation,” said Frank Duff, Evaluations Lead at MITRE ATT&CK. “By using the MITRE ATT&CK database as a benchmark and making our results public, users can see how ESET Enterprise Inspector detected our behavior as an emulated Carbanak and FIN7 adversary. By working together, these evaluations can make cyberspace safer for everyone.”

Visit https://attackevals.mitre-engenuity.org/enterprise/carbanak_fin7/ for more information about the MITRE Engenuity ATT&CK evaluation for Carbanak and FIN7.

About MITRE Engenuity ATT&CK Assessments

MITRE Engenuity ATT&CK evaluations are funded by vendors and are intended to help vendors and end users better understand a product's capabilities in relation to MITRE's publicly accessible ATT&CK® framework. MITRE developed and maintains the ATT&CK knowledge base, which is based on real-world reports of adversary tactics and techniques. ATT&CK is freely available and is widely used by industry and government to find gaps in visibility, defensive tools and processes when evaluating and selecting options to improve the security of their networks. MITRE Engenuity makes the methodology and the results public so that other organizations can benefit from them and carry out their own analysis and interpretation. These evaluations do not provide scores, rankings or recommendations.

About MITRE Engenuity

MITRE Engenuity is a tech foundation that works with the private sector on solutions in the public interest, including cybersecurity, infrastructure resilience, healthcare efficiency, microelectronics, quantum sensing and next-generation communications technology. www.mitre-engenuity.org

20.4.21

Google’s Project Zero to wait longer before disclosing bug details



The 30-day grace period is designed to speed up the rollout and adoption of patches

Amer Owaida

Google’s Project Zero team has announced that it will give vendors and companies an extra 30-day period before it discloses the technical details of a vulnerability.

“Starting today, we’re changing our Disclosure Policy to refocus on reducing the time it takes for vulnerabilities to get fixed, improving the current industry benchmarks on disclosure timeframes, as well as changing when we release technical details,” said Tim Willis, the senior security engineering manager of Google’s elite bug-hunting crew.

Previously, in line with the 2020 disclosure policy, vendors were afforded a 90-day cycle between the time the vulnerability was initially reported and the time its details were publicly disclosed, with the public disclosure taking place regardless of whether the bug was fixed or not.

Under the new vulnerability disclosure policy, developers will still have 90 days to fix the vulnerability. However, Project Zero will give them another 30 days before it publishes details about the flaw, as long as the bug is fixed within that period. The ultimate aim is also to give users enough time to patch their systems.

Longer to patch

The new disclosure policy also affects vulnerabilities that are actively exploited in the wild. While previously these flaws were automatically disclosed seven days after they were reported, vendors can now request a three-day grace period. If the bug is fixed within seven days, Project Zero will wait 30 days before it reveals technical details about the security flaw.

The main idea behind the 2020 policy was that vendors who wanted to give users more time to patch their systems would focus on shipping the fixes earlier in the 90-day cycle. However, as Willis pointed out, that wasn’t the case, saying that Project Zero “didn’t observe a significant shift in patch development timelines”.

“The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy. Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption,” he added.

The new model was adopted due to fears that transitioning to a 60+30 policy would be considered too quick and disruptive. But in the future, Google anticipates that it will be able to steadily lower the patch development and adoption timelines for vendors.

“Moving to a “90+30” model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” Willis concluded. Project Zero is known for a number of high-profile disclosures; a few months ago, the team reported multiple zero-days affecting Chrome, Windows and Apple.