On average, companies took 52 days to fix bugs, while three years ago they needed an average of 80 days. Thus, almost all vendors fixed the vulnerabilities within the industry standard of 90 days.

According to statistics collected for 2019-2021 and based on 376 zero-day vulnerabilities discovered by Google Project Zero experts, 26% of the problems related to Microsoft products, 23% to Apple and 16% to Google. That is, the three software giants accounted for 65% of all detected problems, and, according to experts, this well reflects the complexity and volume of their software products, which inevitably have “white spots” that even numerous security engineers miss.

Overall, the report named Linux, Mozilla, and Google as the best in terms of timely release of patches, while Oracle, Microsoft, and Samsung were named as the worst.

Recall, by the way, that we wrote that 0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues.

In the highly competitive field of mobile OS, iOS and Android go hand in hand: the former has an average bug fix time of 70 days, while the latter has 72 days.

In the browser category, Chrome outperforms all competitors with an average bug fix period of 29.9 days, while Firefox comes in second with 37.8 days. Apple, in third place, took twice as long to fix bugs in WebKit, taking an average of 72.7 days.

Google Project Zero experts explain:

You might also be interested in reading what Google says that a quarter of all 0-day vulnerabilities are new variations of old problems.

READ ALSO: Zero Day Attacks – How To Prevent Them? What does a zero day attack mean? Or is there a way to avoid this danger?

The post Google analysts noticed that software vendors began to fix Zero-day vulnerabilities faster appeared first on Gridinsoft Blog.

The authors of the report write that many problems could have been avoided if the developers immediately corrected their products more thoroughly.

In 2020, thanks to the work of the Google Project Zero team, were identified 24 zero-day vulnerabilities, which were actively exploited by hackers. Six of them (in Chrome, Firefox, Internet Explorer, Safari and Windows) turned out to be new versions of previously known vulnerabilities. Supposedly, attackers carefully studied the old bug reports, figured out the original problems, and then created new versions of exploits for them.

In addition, three other issues that were discovered last year and affected Chrome, Internet Explorer and Windows were not fully fixed, that is, they eventually required additional patches. In fact, if hackers carefully studied the released fixes, they could discover a way to allow them to continue exploiting bugs and attacks.

Google Project Zero experts advise their colleagues to analyze 0-day vulnerabilities deeper and learn to work with such problems. Once the Google Project Zero team was created specifically to search and research zero-day vulnerabilities, and now its experts say that 0-day bugs are a kind of “window” that allows looking into the heads of attackers, learn as much as possible about possible attack vectors , classes of problems and how to deal with them.

Let me remind you that in the fall Google Project Zero discovered a 0-day vulnerability in the Windows kernel.

The post Google says that a quarter of all 0-day vulnerabilities are new variations of old problems appeared first on Gridinsoft Blog.

The underlying critical vulnerability CVE-2020-3843, discovered by the researcher, made it possible to remotely steal sensitive data from any device in the Wi-Fi hotspot without any user’s interaction.

The exploit, which Bier worked on alone for six months, allows “to view all photos, read all e-mail, copy all private messages and track everything that happens [on the device] in real time.”

Since Apple engineers fixed the problem back in the spring of this year (within the framework of iOS 13.3.1, macOS Catalina 10.15.3 and watchOS 5.3.7), and the researcher has now disclosed details of the problem and even demonstrated an attack in action.

The video below shows how, using an iPhone 11 Pro, Raspberry Pi, and two Wi-Fi adapters, the researcher were capable of remotely reading and writing of random kernel memory. Beer used all of this to inject shellcode into kernel memory through exploiting the victim process, escaping the sandbox, and retrieving user data.

Essentially, a potential attacker needed to attack the AirDrop BTLE infrastructure in order to enable the AWDL interface. This was done through brute-force hash values of the contact (after all, usually users provide AirDrop with access only to their contacts), and then an AWDL buffer overflow.

As a result, it was possible to gain access to the device and run malware with root privileges, which gave the attacker complete control over the user’s personal data, including email, photos, messages, iCloud data, as well as passwords and cryptographic keys from the Keychain, and much more.

Even worse, such an exploit could have the potential of a worm, that is, it could spread from one device to another “by air” and again without user intervention.

Beer notes that this vulnerability was not exploited by cybercriminals, but the hacking community and “exploit vendors seem to be interested in the released fixes.”

I also wrote that Researcher remotely hacked iPhone using only one vulnerability.

And always remember that US authorities can hack the iPhone, but may have difficulties with Android.

The post Cybersecurity expert created an exploit to hack iPhone via Wi-Fi appeared first on Gridinsoft Blog.

The bug was identified as CVE-2020-16009 and was discovered by the Threat Analysis Group (TAG), Google’s internal security team dedicated to tracking attackers and their ongoing operations.

So far, details about the vulnerability and its exploitation have not been disclosed. It is worth noting that this is a common practice for Google: the company’s specialists can “keep silent” for months on the technical details of bugs in order not to give cybercriminals hints and allow users to install updates calmly.

I must say that two weeks ago, Google experts fixed another 0-day vulnerability in their browser. The error was also discovered internally by Google Project Zero specialists. It was identified as CVE-2020-15999 and was associated with the FreeType font rendering library that comes with standard Chrome distributions. It is known that the bug is associated with a violation of the integrity of information in memory.

Let me remind you that CVE-2020-15999 was used in conjunction with another 0-day vulnerability – CVE-2020-17087, a serious bug found in the Windows kernel.

For example, a vulnerability in Chrome was used to run malicious code inside the browser, and day zero was used in Windows during the second part of the attack, which allowed attackers to leave the secure Chrome container and execute the code already at the OS level (that is, to escape from the sandbox). Microsoft is expected to fix this issue on November 10th as part of Patch Tuesday.

The post Google Chrome fixed second 0-day vulnerability in two weeks appeared first on Gridinsoft Blog.

The vulnerability is related to the operation of the Windows Kernel Cryptography Driver (cng.sys), more specifically the cng!CfgAdtpFormatPropertyBlock function, and belongs to the category of buffer overflow bugs (pool-based buffer overflow).

Researchers have published not only a written report on the vulnerability, but also a PoC exploit for it, the use of which can lead to the failure of vulnerable Windows devices, even if they are running the system with default settings.

The PoC exploit has been tested on the latest version of Windows 10 1903, but the researchers write that the vulnerability is present in other versions of the OS, starting at least with Windows 7.

Although the vulnerability was found only 8 days ago, experts decided quickly disclose the details of the problem, since hackers are already using it. Researchers have not disclosed details about these attacks, but according to the head of Google Project Zero, Ben Hawkes, the operation of CVE-2020-17087 has nothing to do with the US presidential election.

There is no patch for the vulnerability yet, and Hawkes reports that the release of the fix is expected only on the next “Patch Tuesday”, that is, November 10, 2020.

Let me remind you that recently Google Project Zero specialists discovered and described many vulnerabilities in Apple’s operating systems.

The post Google Project Zero discovered a 0-day vulnerability in the Windows kernel appeared first on Gridinsoft Blog.

The current number of 0-day problems indicates that, most likely, that overall this year will be identified the same number of zero-day vulnerabilities, as in 2019 (20).

The link above leads to the company’s internal statistics, which Google specialists collected and tracked since 2014. So, for the first half of 2020, experts included the following problems in their list.

1. Firefox (CVE-2019-17026)

The bug that received the identifier CVE-2019-17026 was discovered by experts from the Chinese company Qihoo 360, and it was associated with the work of IonMonkey – the JavaScript JIT compiler SpiderMonkey, the main component of the Firefox kernel responsible for JavaScript operations (JavaScript engine of the browser). The vulnerability has been classified as type confusion.

The patches are included with Firefox 72.0.1 and are available here.

2. Internet Explorer (CVE-2020-0674)

The problem was exploited by the North Korean hacker group DarkHotel, in conjunction with the aforementioned 0-day bug in the Firefox browser. Both issues have been used to track targets in China and Japan, and have been discovered by Qihoo 360 and JP-CERT experts. Victims of this campaign were redirected to a site where either a Firefox or IE vulnerability was exploited; later victims were infected with the RAT Gh0st.

The patches are included in the February “Patch Tuesday” and are available here.

3. Chrome (CVE-2020-6418)

The vulnerability was identified by experts from the Google Threat Analysis Group, but there are no details about the attacks that exploited the problem.

The bug was fixed with the release of Chrome version 80.0.3987.122, patches are available here.

4 and 5. Trend Micro OfficeScan (CVE-2020-8467 and CVE-2020-8468).

Trend Micro employees spotted both zero days. The bugs supposely have been discovered when Trend Micro investigated a different, older zero-day issue in the same product, used for hacking of Mitsubishi Electric.

The patches can be found here.

6 and 7. Firefox (CVE-2020-6819 and CVE-2020-6820)

Detailed information about the attacks that used these 0-days has not yet been published, although cybersecurity researchers speculate that these problems could be part of a chain of exploits.

Vulnerabilities are fixed in Firefox 74.0.1, patches are available here.

8, 9, and 10. Microsoft (CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027)

Google experts found and reported about all three bugs to Microsoft engineers. As with most other Google Threat Analysis Group “discoveries”, the details of these issues are kept secret and nothing is known about the attacks. The vulnerabilities were fixed as part of the April “update Tuesday”, patches are available here.

11. Sophos XG Firewall (CVE 2020-12271)

Earlier in 2020, an unknown group of hackers discovered and exploited this vulnerability. Later Sophos experts said that using the bug, hackers tried to deploy the Ragnarok ransomware on infected hosts, but the company said that it blocked most of the attempts.

Patches are available here.

Let me remind you that in 2019, Google specialists discovered 20 zero-day vulnerabilities, 11 of which were found in Microsoft products.

At the same time, experts explain that Microsoft has the most bugs, as there are more security tools designed to detect bugs in Windows.

The post Google: 11 0-day vulnerabilities identified in the first half of 2020 appeared first on Gridinsoft Blog.

Vulnerabilities in software that could compromise a system without user intervention (for example, without clicking on a malicious link by the victim) present a great interest to security researchers. Experts from Google Project Zero, who have devoted the study of this issue over the past few months, are not an exception.

On Thursday, January 9, Google Project Zero security researcher Samuel Gross from Google Project Zero demonstrated how he can remotely hack an iPhone, access passwords, messages, email and activate the camera with a microphone with just one Apple ID in a few minutes.

“All of this is possible without any user interaction (e.g. opening a URL sent by an attacker) or visual indicator (e.g. notifications) being displayed to the user. The attack exploits a single vulnerability, CVE-2019-8641 to first bypass ASLR, then execute code on the target device outside of the sandbox.”, — writes Samuel Gross.

The researcher described his attack method in three separate articles on the Google Project Zero blog. The first provides technical details about the vulnerability, the second describes how to hack ASLR, and the third explains how remotely execute code on an attacked device bypassing the sandbox.

During the attack, Gross exploited the only vulnerability in iOS 12.4 (CVE-2019-8641), fixed by Apple in August last year with the release of iOS 12.4.1. With its help, he bypassed ASLR technology, designed to complicate the operation of certain types of vulnerabilities.

ASLR provides for changing the location in the process address space of important data structures (executable file images, loaded libraries, heaps and stacks). However, the attack, which demonstrated Gross, rises doubt on the effectiveness of ASLR.

“The study was mainly motivated by the following question: is it possible with the use of single remote vulnerability for memory impairment to achieve remote code execution on iPhone without using other vulnerabilities and without any user interaction? A series of my publications proves that yes, it is indeed possible”, – Gross said.

A key insight of this research was that ASLR, which in theory should offer strong protection in this attack scenario, is not as strong in practice.

Overall, the life is getting more and more dangerous, as recently, another researcher demonstrated that TikTok could be hacked using SMS.

Take care of yourself, remember about information hygiene and use Gridinsoft

The post Researcher remotely hacked iPhone using only one vulnerability appeared first on Gridinsoft Blog.