Security Week 33: Flash, goodbye, Chrome extensions steal traffic, Apple SEP firmware key uploaded

No, you just think about this number: 1033 ( one thousand thirty-three ) vulnerabilities in Flash Player have been crammed since 2005! This is more than in Internet Explorer, more than in Windows XP - in general, it’s “now good to drop noodles” through it, since the topic is closed .

At one time, Flash Player became a real revolution for the web - thanks to him, animation boomed on the websites, went down the vidosiks, whistles, games for secretaries at the reception, and, of course, killer banners (I wanted to hang a couple of examples here, but my eyes twitched from the memories) . There were even sites completely made on a flash.

Most loved Flash "black hats." Fortunately, its vulnerabilities are a hot commodity, and there has never been a lack of them. The year 2015 was especially fruitful when 329 new holes were counted in the sieve. But back in 2010, Jobs warned that it was time to put Flash in the trash. Moreover, the main argument was its closeness. Well, yes, the head of Apple admitted that his company has its own proprietary standards, but not for the web! At the same time, by the way, Adobe in every way impedes the emergence and development of alternative Flash players. As a result, we have free range for exploits, expanse for large and small horned malware.

Well, and even Flash Player slows down on mobile devices, eats the battery like crazy and makes the platform vendor dependent on Adobe.

And after all, Jobs warned us when without the support of flash full-fledged web surfing was still impossible. How events developed further, we know. Flash on the web is getting smaller, HTML5 is getting bigger. Moreover, over the past three years, the outcome process has gained acceleration of almost free fall - from 80% of users who visit Flash sites daily in 2014 to 17% in 2017 (data for Chrome desktop users).

Now Adobe has recognized the inevitable. By the end of 2020, support for Flash Player will be discontinued, Flash developers have been declared a stub branch of evolution and should switch to open formats like HTML5, WebGL and WebAssembly.

However, not everyone agrees with natural selection, as is common in humans. Developer Juha Lindstedt, for example, hosted on GitHubPetition to Adobe not to kill Flash, but to pass the code to the open source community, and they will continue to cherish it and cherish it. Otherwise, a large layer of the history of the Internet will go into oblivion and all that. Particularly unfortunate, of course, are Flash games (actually not).

Hacked extensions for Chrome steal advertising traffic and replace

News advertising . Seven. No, already eight extensions in Chrome were replaced by some bastards. Proofpoint revealed a simple scheme: hackers send phishing emails to extension developers, and if they manage to get credentials from Google services, they inject their code into the extension and fill it in the store instead of the real one.


It is curious that the hackers on behalf of the Google Chrome Web Store Team even frightened the developers - they say that your extension violates everything that can and will be ejected from the store, and if you need more details, here is the link. The link, of course, was a fake login page in Google.



If the developer did not pay attention to either the address from which the letter came (why does Google use Freshdesk?), Or to the address of the login page, then the credentials leaked out to dumb guys. An extension with embedded malicious code spread to users through the update mechanism.

After starting the extension, the code via HTTPS pulled the js-file from the management and control server, and the domain was generated on the fly. And then the user surfed the Internet as usual, only clicks on banners led him to completely different sites. But this, however, is not the most disgusting. Sometimes a js alert fell out to the victim, stating that her computer was infected (and they didn’t lie, hell)! A click on the alert resulted in a known where - on a page with malvara.



The effectiveness of this campaign is not very clear, but Alexa shows that the traffic to such sites has grown over the past month from zero for hundreds of thousands. Maybe, of course, not only because of hacked extensions.

In addition to these malvertising ugliness extensions expand on identity theft from Cloudflare. According to Proofpoint, hackers thus prepare subsequent attacks bypassing the protection of Cloudflare sites.

The hacker has published a key to the firmware Apple SEP

News . Someone xerub took and laid out something that, according to him, is the key to decrypt the firmware of the Secure Enclave Processor cryptographic coprocessor in Apple chips. I must say that this is a top-secret thing where iOS stores encryption keys and processes data from the Touch ID sensor.

Apple has not yet admitted that the key is real. However, she hastened to declare that even if he is not a fake, there is no threat to user data. Most likely, this is true, but not all. Not just that the company hid all the details about the SEP firmware. Decrypted firmware can be investigated and vulnerabilities can be found there. And without them, software is more difficult than hello world.

Inside SEP, there is its own operating system, which, due to its total secrecy and encryption, has been doing without basic security technologies all this time, such as randomizing memory. This will greatly facilitate the creation of an exploit if vulnerabilities are found. So if the Cherub didn’t lie, Apple should hurry up with the development of SEP firmware - it seems that the race has started.

Antiquities

"Tetris-552"

Resident very dangerous virus. It is written to COM and OVL files by default when they are loaded into memory. When opening .PRG files, the “? 'PLAY TETRIS, HI-HI-HI" command is written to their beginning. It hooks int 21h.

Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky. 1992 year. Page 84.

Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.