STE WILLIAMS

Kaspersky updates its cybercrook look book: Smashing Office is hot, browser vulns are not

Russian security biz Kaspersky Lab has said more than 70 per cent of malware attacks it detected last year were made against everyone’s favourite Microsoft suite – Office.


“In the past few months, MS Office… became the most targeted platform,” the firm said in a blog post. It produced a graph showing that between Q4 2016 and Q4 2018, Office-targeting attacks rose from 16 per cent of total Kaspersky detections to more than two-thirds.

The outfit also reported a switch away from ne’er-do-wells exploiting web-based vulns. Over the same period, browser-targeting attacks shrank from 45 per cent to just 14 per cent of the total seen by Kaspersky.

“Malware authors prefer simple, logical bugs. That is why the equation editor vulnerabilities CVE-2017-11882 and CVE-2018-0802 are now the most exploited bugs in MS Office. Simply put, they are reliable and work in every version of Word released in the past 17 years,” Kaspersky commented. Rival infosec unit FireEye also noticed the 2017 CVE being thoroughly abused back in mid-2018, tending to correlate Kaspersky’s findings. Worryingly, the 2018 CVE mentioned by Kaspersky was patched in January that year, suggesting user and/or sysadmin slackness has a part to play in the popularity of these particular problems.

There’s also, as Kaspersky pointed out, CVE-2018-8174 – the infamous Windows VBscript engine vuln which Microsoft said it patched, only for world+dog to discover that they hadn’t. As we reported at the time, this was “a use-after-free() vulnerability in the scripting engine that could be exploited by a booby-trapped web page, when opened with Internet Explorer, or a malicious document, when opened by Office, to execute arbitrary devilish code with the current user’s rights”.

Kaspersky suggested that one of the main reasons such vulns still exist is Microsoft’s not unreasonable insistence on maintaining backward compatibility with Stone Age versions of Office from the turn of the millennium, which means retaining functionality that would otherwise long have been consigned to the recycling bin.

Even so, reporting these vulns brings an all-too-obvious flaw to light: “Once a technical report for a vulnerability goes public, an exploit for it appears on the dark market in a matter of days. Bugs themselves have become much less complex, and sometimes a detailed write-up is all a cybercriminal needs to build a working exploit.”

Short of the usual “keep everything patched” advice, or doing something left-field like dumping Office for open-source software, there’s not a whole lot Average Joe can do.

Even patching immediately comes with its own set of potentially server-killing pitfalls, as Sophos’s ongoing Microsoft horror revealed. A Sophos spokeswoman told The Register that, as of this morning, they had no update for the Windows Update problem. ®

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/16/kaspersky_uptick_office_malware_vulns_attacks/

New Attacks (and Old Attacks Made New)

Although new attacks might get the most attention, don’t assume old ones have gone away.

The economic philosophy of cybercrime is the same as for any other business. Although innovation is critical, keeping costs under control while maximizing ROI ensures the lights stay on. That’s why genuinely new malware and zero-day attacks are reasonably rare and are vastly outnumbered by reconfigured malware and the regular return of old attacks.

This is shown again in Fortinet’s latest Global Threat Landscape Report for the fourth quarter of 2018, where we reported that exploits that targeted individual organizations — often variations of existing malware or the misuse of FOSS (free/open source software) security tools — continue to grow at a rapid pace: 10% over the quarter, while the number of unique exploits they experienced increased by 5%. This suggests that, despite some reports suggesting that malicious actors follow the same work routines as their victims, cybercriminals didn’t take much of a break over the holidays. And as you would expect, all of this malware — especially botnets — is becoming more complex and harder to detect.

Additional Key Findings
There are four additional key scenarios in this report that are worth a closer look.

  1. The adware threat is going mobile: The world over, adware tops the list of malware infections for most regions — exceeding one-quarter of all infection types for North America and Oceania, and almost one-quarter for Europe. No longer just a nuisance, this type of attack has gone mainstream and is increasingly being found in published apps posted to legitimate app stores.
  2. Malware tools are being democratized: Many users benefit from FOSS utilities for penetration testing, event or log management, and malware detection, posted on sharing sites like GitHub. They help threat researchers analyze exploits, security teams test their defenses, and security instructors use real-life examples when building labs or training students. However, because these “openware” tools are available to all, cybercriminals have access to them too, and fourth-quarter data shows they are increasingly weaponizing these openware tools into new threats, especially ransomware. The same is true of open source malware such as the Mirai Internet of Things (IoT) botnet, which appeared in 2016: since its developers released its source code, dozens of variants have followed.
  3. Steganography is making a comeback: Steganography hides something (malicious code, for example) within something else, often in plain sight. It is an old technique, well over a decade old, that is now most commonly seen in “capture the flag” competitions. But in the fourth quarter of 2018, we observed that it is getting its second wind. New steganography samples found by our threat researchers showed malicious payloads being hidden inside memes passed around on social media, most commonly on Twitter. During the attack process, after an infected image has been loaded and has made contact with its command and control host, the malware is instructed to look for additional images in an associated Twitter feed that contain hidden commands, such as /print (screen capture) and /processes (write a list of running processes).
  4. Physical security and the IP network are expanding the threat landscape: Half of the top 12 global exploits identified in the fourth quarter targeted IoT devices, and four of those top 12 were related to IP-enabled security cameras. In an ironic twist, malicious actors are increasingly targeting connected security cameras because, like many IoT devices, they lack the network security protocols necessary to protect themselves. Gaining access to IoT IP cameras could allow cybercriminals to snoop on private interactions or carry out malicious on-site activity (like shutting off cameras to make it easier to physically access a restricted area). They could also use those cameras as a launching pad to break into the network to start distributed denial-of-service attacks, steal proprietary information, initiate a ransomware attack, and more. Even more concerning, as cybersecurity and physical security continue to merge, compromised IoT security devices can become a conduit to more critical systems such as alarms and fire suppression systems.
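The steganography item above is easier to reason about with the mechanism in front of you. The following is an added example, not code from Fortinet’s report or from the malware it describes: it hides a command string in the least-significant bit of each colour channel of an image (a change of at most one in a 0–255 value, invisible to the eye) and recovers it on the other side. The “image” is a constructed list of RGB tuples rather than a real file so it runs offline; the two-byte length framing and the recognised command set are assumptions (the article names only /print and /processes).

```python
"""Least-significant-bit (LSB) image steganography: a command string is hidden
in the low bit of each colour channel, where a one-bit change is invisible,
and recovered by the receiver. Added example of the technique the meme-based
malware above relies on in principle; the 'image' is a constructed list of RGB
tuples so it runs offline, and the length-prefix framing and the command
names are assumptions (the article names only /print and /processes)."""


def _bits(data):
    """Yield the bits of data most-significant first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Return a copy of pixels with payload (2-byte length prefix) in the LSBs."""
    framed = len(payload).to_bytes(2, "big") + payload
    bits = list(_bits(framed))
    channels = [c for px in pixels for c in px]
    if len(bits) > len(channels):
        raise ValueError("cover image too small for payload")
    for i, bit in enumerate(bits):
        channels[i] = (channels[i] & ~1) | bit   # touch only the lowest bit
    return [tuple(channels[i:i + 3]) for i in range(0, len(channels), 3)]


def extract(pixels):
    """Recover the payload written by embed(); raises if the framing is absent."""
    channels = [c for px in pixels for c in px]

    def read(start_bit, nbytes):
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (channels[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 2), "big")
    if 16 + 8 * length > len(channels):
        raise ValueError("no well-formed payload in this image")
    return read(16, length)


KNOWN_COMMANDS = {"/print", "/processes"}   # the two the article names


def parse_commands(payload):
    """The receiving malware's side: keep only tokens it recognises as commands."""
    return [tok for tok in payload.decode("ascii", "replace").split()
            if tok in KNOWN_COMMANDS]


def max_channel_delta(cover, stego):
    """How much the cover changed: LSB embedding moves each channel by at most 1."""
    return max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q))


def flat_image(width, height, colour=(120, 80, 200)):
    """Constructed cover image: width*height identical RGB pixels."""
    return [colour] * (width * height)


def demo():
    cover = flat_image(16, 16)                # 768 channels: room for 94 bytes
    stego = embed(cover, b"/print /processes")
    recovered = extract(stego)
    return recovered, parse_commands(recovered), max_channel_delta(cover, stego)


if __name__ == "__main__":
    print(demo())
```

The detection lesson is in `max_channel_delta`: nothing about the pixel values looks wrong, so this cannot be caught by eyeballing the image. It is caught by behaviour (a process fetching images from a Twitter feed and then taking screenshots) or by statistical analysis of the low bits, not by content inspection of the picture.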

What to Implement Now
These findings represent a lot of activity coming from many directions. To address them, organizations must take the following steps:

  • As cyberattack complexity increases, develop defenses to address them. A fundamental way to begin is to implement network access control combined with intelligent, intent-based segmentation across your network. Additionally, organizations must leverage technology advances in the area of artificial intelligence (AI) and machine learning (ML) to combat new, machine-generated attacks.

  • As cybercriminals become more innovative, use advanced threat intelligence against them — this includes global threat feeds from reputable researchers and real-time threat intelligence sharing across all deployed security elements — to stay abreast of the volume, velocity, and sophistication of the threat landscape.

  • Be on the lookout for steganography and similar attacks from unexpected vectors that can be mobilized quickly. Security professionals must guard against such attacks with cybersecurity awareness training and by ensuring that they have transparent visibility across their entire attack surface, from social media sites and mobile devices that combine personal and business data and applications, through the core, and out to branch offices and multicloud network extensions.

Out-Innovate the Adversary
Malicious actors continue to evolve the complexity of their attacks in order to attack emerging and expanding threat vectors — from morphing open source malware tools into new threats, to using aging steganography exploits in new ways, to continuing to maximize on the vast insecurity of the IoT.

Because cybercriminals never stop innovating, neither can IT security teams. Develop a consistent, integrated security strategy that uses tools built to address today’s vast network edges and that can expand as the network evolves. AI and ML can be tremendous aids in threat detection, especially in today’s networked environments. And to be truly effective, security teams must also have access to real-time threat intelligence. When combined, these elements help organizations spot and overcome the never-ending flood of new attacks and attack strategies.


Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy …

Article source: https://www.darkreading.com/vulnerabilities---threats/new-attacks-(and-old-attacks-made-new)/a/d-id/1334335?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IT Outsourcing Firm Wipro Investigates Data Breach

Employee accounts may have been compromised in a sophisticated phishing campaign.

Indian IT outsourcing company Wipro has begun an investigation into a potential breach of employee accounts. It says “a few” were compromised in a sophisticated phishing attack.

The firm noticed “potentially abnormal activity” in some employee accounts, Wipro officials told Reuters in a statement, adding that it hired a forensics firm to help. The probe follows a separate report from KrebsOnSecurity, which cited multiple Wipro sources who claimed attackers broke into Wipro IT systems and leveraged their access to target its customers.

These sources, who requested to remain anonymous, reportedly said Wipro had been affected by a “multimonth intrusion from an assumed state-sponsored attacker.” Its systems served as “jumping-off points” to target 12 or more Wipro clients. Those affected reportedly traced signs of network reconnaissance back to partner systems communicating with the Wipro network.

Wipro, which is due to report fourth-quarter earnings today, says it continues to monitor its network and infrastructure for suspicious activity.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/it-outsourcing-firm-wipro-investigates-data-breach/d/d-id/1334435?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security weakness in popular VPN clients

Numerous enterprise VPN clients could be vulnerable to a potentially serious security weakness that could be used to spoof access by replaying a user’s session, an alert from the Carnegie Mellon University CERT Coordination Center (CERT/CC) has warned.

Connecting to an enterprise VPN gateway made by a specific company usually requires a dedicated client application designed to work with it. So far, the issue has only been confirmed in clients from four vendors – Palo Alto Networks, F5 Networks, Pulse Secure, and Cisco – but others could be affected.

The problem is the surprisingly basic one that applications have been insecurely storing session and authentication cookies in memory or log files which renders them vulnerable to misuse. CERT/CC explains:

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

Which, if it were to happen on a network imposing no additional authentication, would be like handing over the privileges of an enterprise VPN to anyone able to get their hands on the vulnerable data.

The weakness manifests in two ways: cookies stored insecurely in log files and cookies stored insecurely in memory. The clients suffering both weaknesses:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and 4.1.10 and earlier for macOS (CVE-2019-1573)

– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

– A range of F5 Edge Client components including BIG-IP APM, BIG-IP Edge Gateway, and FirePass (CVE-2013-6024)

Additionally, Cisco’s AnyConnect version 4.7.x and earlier stores the cookie insecurely in memory. However, the alert lists 237 vendors in total, only three of which are definitely not affected. Consequently:

It is likely that this configuration is generic to additional VPN applications.

That should be taken as a warning with red flashing lights on it that many more VPN clients might suffer the same problems.

Mitigations?

Exploiting the weakness still requires the attacker to get hold of the cookie first, whether through persistent access to the user’s endpoint or some other exfiltration route, and then to present it to the VPN gateway in order to carry out the replay. Because the cookie is issued only after the user has already completed authentication, it’s not clear whether additional authentication at login would be a defence against this.

A defence that should work is to log out of sessions, thereby invalidating the stored cookie and making them worthless to anyone looking to steal them.
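To make concrete why a leaked cookie sidesteps the second factor and why logging out helps, here is an added example, not any vendor’s code: a toy VPN gateway session store, a client that writes the cookie into its log the way the affected clients effectively did, and an attacker who reads it back and replays it. The log line format, the `client_id` binding and the 30-minute idle limit are assumptions for illustration.

```python
"""A stolen VPN session cookie replays the session and skips MFA; logging out
(server-side invalidation) is what makes the stolen copy worthless. Added
example: a toy gateway session store and a client that leaks the cookie into
its log, not any vendor's implementation. The log line format, the client_id
binding and the 30-minute idle limit are assumptions for illustration."""
import hmac
import secrets
import time


class Gateway:
    IDLE_LIMIT_S = 30 * 60

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # cookie -> {"user", "client_id", "last_seen"}

    def login(self, user, password_ok, otp_ok, client_id):
        """Password and OTP are verified exactly once, here. Everything after
        this is authenticated by the cookie alone, which is why replaying the
        cookie never triggers the second factor again."""
        if not (password_ok and otp_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "client_id": client_id,
                                  "last_seen": self._now()}
        return cookie

    def request(self, cookie, client_id, bind_client=False):
        """Return the session's user, or None if the cookie is not accepted.
        bind_client=True refuses a cookie presented from a different client
        identity than the one it was issued to (a mitigation, not a cure: an
        attacker with persistent access to the endpoint can spoof that too)."""
        s = self._sessions.get(cookie)
        if s is None:
            return None
        if self._now() - s["last_seen"] > self.IDLE_LIMIT_S:
            del self._sessions[cookie]          # idle expiry also kills replay
            return None
        if bind_client and not hmac.compare_digest(s["client_id"], client_id):
            return None
        s["last_seen"] = self._now()
        return s["user"]

    def logout(self, cookie):
        """Invalidate server-side: every copy of the cookie is now useless."""
        return self._sessions.pop(cookie, None) is not None


def leaky_client_log_line(cookie):
    """What the affected clients did in effect: session material in a log file."""
    return f"INFO tunnel up session_cookie={cookie}"   # assumed format


def harvest_cookie(log_line):
    """Attacker with read access to the endpoint's log pulls the cookie back out."""
    for token in log_line.split():
        if token.startswith("session_cookie="):
            return token.split("=", 1)[1]
    return None


def demo():
    clock = [1_000.0]                       # fake clock so the run is deterministic
    gw = Gateway(now=lambda: clock[0])
    cookie = gw.login("alice", password_ok=True, otp_ok=True, client_id="laptop-1")
    stolen = harvest_cookie(leaky_client_log_line(cookie))
    out = {
        "legit": gw.request(cookie, "laptop-1"),
        "replay_bypasses_mfa": gw.request(stolen, "attacker-box"),
        "replay_with_binding": gw.request(stolen, "attacker-box", bind_client=True),
    }
    gw.logout(cookie)
    out["replay_after_logout"] = gw.request(stolen, "attacker-box")
    cookie2 = gw.login("bob", password_ok=True, otp_ok=True, client_id="pc-7")
    clock[0] += Gateway.IDLE_LIMIT_S + 1
    out["replay_after_idle_expiry"] = gw.request(cookie2, "pc-7")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to take from `demo()` is the second line of its output: the replay succeeds with no password and no OTP, because neither is ever asked for again. Short idle limits, explicit logout and server-side session revocation are the controls that actually shorten the window; on the client side, the fix is simply not to write session material to logs or leave it readable in memory longer than necessary.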

Beyond that, admins should apply patches where they are available. In the case of Palo Alto Networks GlobalProtect that means version 4.1.1 for Windows (4.1.11 for macOS), while Pulse Secure has yet to respond. Cisco suggested users should always terminate sessions to refresh cookies, before adding:

The storage of the session cookie within process memory of the client and in cases of clientless sessions the web browser while the sessions are active are not considered to be an unwarranted exposure.

F5 Networks said insecure log storage was fixed in 2017 in version 12.1.3 and 13.1.0 and onwards. As for the memory storage:

F5 has been aware of the insecure memory storage since 2013 and has not yet been patched.

Admins should consult F5’s online documentation regarding this.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/69OQ3ZW_xJ0/

US feds’ names, home and email addresses hacked and posted online

A group of hackers that doxxed thousands of federal law enforcement employees last week has followed up with more posts offering even more victims’ personal information.

The hacking group, which we won’t name here, published the personal details of around 4,000 federal law enforcement employees last week after breaching three related websites. It had defaced at least two of the three websites, publishing its logo on them, which remained viewable until at least Sunday.

Employees at the FBI, Secret Service, Capitol Police, and US Park Police were among those doxxed, alongside police and sheriffs’ deputies in North Carolina and Florida, according to reports. Records posted on the group’s website included the individuals’ home addresses, phone numbers, emails and employers’ names.

The attackers harvested the information from websites associated with the FBI National Academy Associates (FBINAA), which is a non-profit organization of 17,000 law enforcement professionals. In a statement released Saturday, FBINAA said the attack had affected three of its chapters, all of which used an unnamed third party’s software. It added:

We believe we have identified the three affected Chapters that have been hacked and they are currently working on checking the breach with their data security authorities. We have checked with the national database server/data provider and they have assured us that the FBINAA national database is safe and secure.

The hacking group soon followed up with what it claimed were more hacked databases. On Saturday, 13 April, it posted a 1.1GB file containing what it said were dumps from six government databases. These appeared to be from three nonprofit associations for government professionals; four of the six databases were from one group’s state-level chapters, according to information posted on the page.

On 14 April, the team struck again, this time posting what it said was an FBI watch list. It said:

A list of people being watched by the FBI. I advise these people to take care of their safety, I do not want you to go to jail)[sic]

Be careful

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/s9RQECtf6yc/

Google’s location history data shared routinely with police

Law enforcement officials in the US have been routinely mining Google’s location history data for criminal investigations. Requests have escalated in the last six months, according to The New York Times.

The location data resides in Sensorvault, a Google system that logs information provided by the search and advertising giant’s mobile applications. Applications may gather the data even when not running, depending on the phone’s settings. However, for Sensorvault to store their data a user must have opted in to Location History, a feature that Google introduced in 2009. It stores daily movements based on raw data communicated via these apps.

Police officers don’t request the phone data of a particular suspect. Instead, they serve reverse location warrants, also known as ‘geofence’ warrants. These request anonymous IDs and locations relating to all phones found in a particular area over a particular time.

Officers analyse this data, looking for movement patterns that correlate with potential suspects or witnesses. When they narrow down the search to a handful of devices, they can request those users’ names and other information from Google.
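The two-step procedure just described is, at bottom, a spatial query followed by a ranking, and it is worth seeing how little data is needed to make someone a suspect. The following is an added example over constructed records; it is not Google’s Sensorvault schema or code, and the anonymous IDs, coordinates, timestamps and the “two or more points” shortlist threshold are all made up for illustration.

```python
"""Reverse-location ('geofence') warrant query over a location-history store.
Added example, not Google's Sensorvault code: the record layout, anonymous
IDs, coordinates, timestamps and the shortlist threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def geofence(records, center, radius_m, start, end):
    """Step one of the warrant: every anonymous device ID with at least one
    point inside the circle during the window, with the matching timestamps."""
    clat, clon = center
    hits = defaultdict(list)
    for r in records:
        if not (start <= r["ts"] <= end):
            continue
        if haversine_m(clat, clon, r["lat"], r["lon"]) <= radius_m:
            hits[r["anon_id"]].append(r["ts"])
    return {k: sorted(v) for k, v in hits.items()}


def shortlist(hits, min_points=2):
    """Step two: devices that lingered (several points) are the ones whose
    account details investigators go back to the provider for. A single point
    can be a passer-by or a GPS error, which is how the wrong person ends up
    arrested; min_points is an assumed threshold, not a legal standard."""
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(anon_id, len(ts)) for anon_id, ts in ranked if len(ts) >= min_points]


def _t(hour, minute):
    return datetime(2019, 3, 10, hour, minute, tzinfo=timezone.utc)


CENTER = (44.9778, -93.2650)   # constructed: a point in Minneapolis
RECORDS = [  # constructed location-history rows; 0.0005 deg of latitude is ~55 m
    {"anon_id": "dev-A", "lat": 44.9780, "lon": -93.2652, "ts": _t(2, 5)},
    {"anon_id": "dev-A", "lat": 44.9779, "lon": -93.2648, "ts": _t(2, 11)},
    {"anon_id": "dev-A", "lat": 44.9777, "lon": -93.2651, "ts": _t(2, 18)},
    {"anon_id": "dev-B", "lat": 44.9782, "lon": -93.2655, "ts": _t(2, 12)},  # one ping: passer-by
    {"anon_id": "dev-C", "lat": 44.9980, "lon": -93.2650, "ts": _t(2, 10)},  # ~2.2 km north
    {"anon_id": "dev-D", "lat": 44.9778, "lon": -93.2650, "ts": _t(5, 0)},   # inside, wrong time
]


def demo():
    hits = geofence(RECORDS, CENTER, radius_m=150, start=_t(2, 0), end=_t(2, 30))
    return hits, shortlist(hits)


if __name__ == "__main__":
    hits, suspects = demo()
    print("devices inside the fence:", {k: len(v) for k, v in hits.items()})
    print("shortlist for de-anonymisation:", suspects)
```

Note what the query does not know: dev-A’s three points could be a resident who lives next door, and dev-B’s single point could be the actual suspect driving through. Nothing in the data distinguishes those cases; the Molina arrest mentioned below is what happens when the ranking is mistaken for evidence.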

The report highlighted several instances in which federal law enforcement have used this technique. They include the March 2018 bombings in Austin, Texas, along with a 2016 murder in Florida.

Sometimes, as with the investigation of a home invasion in Minnesota last year, these warrants can gather data on tens of thousands of individual devices. And, the Times reported that the use of location data has led to some mistakes.

One such case saw police arrest Arizona warehouse worker Jorge Molina after harvesting his phone data via a geofence warrant. They released him after nearly a week in jail when friends provided alibi information that placed him elsewhere at the time of the shooting. They then arrested another man, his mother’s ex-boyfriend, who occasionally used Molina’s car.

Geofence warrants apparently offer a way around a Supreme Court ruling last year, which made it unlawful for law enforcement and federal agencies to access a specific subject’s cell phone location records without a warrant. Geofence warrants allow officials to cast a net within a certain area and then follow up any leads surfacing from this potentially large data set.

If you don’t want Google to store your location in Sensorvault, you can turn off location history via your browser.

To do so, sign into your Google account, click on your profile picture and then the Google Account button. From there, go to Data & personalization and select Pause next to Location History. To turn off location tracking altogether, do the same for Web & App Activity in the same section.

If you want to view and download all the location information Google has saved about you, you can access it in your Timeline. The small gear icon at the bottom right of the map contains an option to delete it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/aVtDOCyXlF4/

Watch out! Don’t fall for the Instagram ‘Nasty List’ phishing attack

For nearly a week, Instagram users have been receiving odd messages from followers expressing shock that their accounts have somehow ended up on something called the “Nasty List.”

If you receive one, the message with an embedded link will look something like the following example (the list and placement numbers vary):

OMG your actually on here, @TheNastyList_xx, your number is 26! its really messed up.

In the cold light of day, it looks dubious but social media is all about rapid clicking so that’s what some people do, unaware of the danger they are heading towards.

According to Bleeping Computer, clicking on TheNastyList profile link leads to a page containing a second link that says it will let the user see everyone on the imaginary list.

Readers will probably have worked out what’s coming next – anyone following this is asked for their Instagram username and password (the link on the login page isn’t a legitimate Instagram address but it seems a lot of people don’t notice this).

Anyone entering their credentials will find themselves in a spot of trouble, starting with their entire base of followers receiving the same message telling them that they too are on the Nasty List – and so the social media phishing attack grows.

They’ll also potentially have handed control of their account to criminals to do whatever they want with.

As one of the early victims noticed when discussing the attack on a Reddit thread:

As soon as I clicked the link I exited out of it realizing it was a hack, but a day later the messages were sent. I changed my password and turned on two factor authentication. Does that mean the bot still has access to my account?

Too late

It’s easy to say don’t fall for it, but what if people do fall for it?

First, as long as you are sure you didn’t enter your credentials on the fake login page, you should be safe.

If you did enter your credentials but are using two-factor authentication (2FA) via SMS or an authenticator app, you should be ok because it’s much more difficult for criminals to bypass that.

2FA can be set up on Instagram by going to your profile and selecting the hamburger icon, then Settings > Privacy and security > Two-factor authentication, and following the instructions on the page.

If there’s a risk that your account has been compromised, you should immediately change your account password, turn on 2FA, and double check to make sure that the email address and phone number associated with the account haven’t been changed.

If you’ve used the same password for Instagram on other online accounts you should immediately change those too. And make the new passwords different for each account – password managers really help with this.

For more on locking down your Instagram account, read the Naked Security guide.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/j82GwHW2aF4/

Indian outsourcing giant Wipro confirms flushing phishers from systems

Indian IT outsourcing behemoth Wipro admitted this morning to falling victim to a “sophisticated” phishing attack.

The outfit confirmed to Reuters: “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign.”

Security blogger KrebsonSecurity yesterday cited anonymous sources that claimed the attack on its systems was then used to target at least a dozen Wipro customers.

We asked the IT services giant about these allegations specifically, but it would only comment about what it termed “abnormal activity” in a “few employee accounts”, telling The Reg: “Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”

The news comes just in time for the company’s fourth quarter results due out later today. Analysts are predicting a squeeze on margins and a 1 per cent growth in revenues. This time last year, it reported Q4 revenues of $2.1bn, the bulk of which were derived from its IT services segment. It is also a reseller of desktops, servers, notebooks, storage products, networking solutions and packaged software internationally, which are nested under IT products.

Wipro employs about 160,000 people around the world and its clients include many of the largest companies and public sector organisations.

In the UK it performs IT consulting and outsourcing services for the public sector, energy, utilities and manufacturing from East Kilbride, a developer hub in Edinburgh, and a London HQ. It has contracts with North Lanarkshire and The Highland Council, among others. It has multiple services and infrastructure packages on offer via UK.gov’s G-Cloud 10 framework.

Last year the firm had to fork over $75m after a massive SAP upgrade botch at the National Grid in the United States. The firm said in a filing with the Bombay Stock Exchange at the time that the settlement did not mean it had admitted fault. ®



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/16/wipro_confirms_flushing_phishers_from_systems/

What’s long, hard, and full of seamen? The US Navy’s latest cybersecurity war gaming classes

The US Navy is looking to hire someone to teach the basics of cybersecurity to its sailors.

Companies have until May 6 to make their pitch to the Navy Postgraduate School on exercises it can use with its course on Cyber Operations Fundamentals.

Specifically, the school wants a contractor to develop lab exercises to go along with the Cyber Operations Fundamentals course. Those exercises should give the students a taste of the attack techniques and situations they would face when pitted against both private and government-backed hackers in the field. In short, the cyber-security version of war games.

From the sound of things, the class is designed to be an entry-level crash course for officers on the basics of infosecurity, encryption, and communications. The Navy is asking bidders to have at least five years’ experience developing academic coursework, specifically at the master’s level.

“This course analyzes the offensive and defensive dimensions of cyberspace operations based on actual campaigns and incidents,” the Navy Cyber Academic Group said.

“It examines network architectures, technical methods, and emerging innovations for the conduct of cyberspace operations. The course debates policy and legal precedents to counter malicious actors operating in the domain.”


To that extent, the contractor will be tasked with creating eight lab exercises (to run in-browser via HTML5) that cover everything from the basics of networking, encryption, and secure data transfers to IoT security and the basics of exploit tools and malware as well as the applications of international law in cyberspace.

It won’t be as easy as slapping together a handful of exercises, however.

The Navy says the exercises will have to take between 50 and 110 minutes from beginning to completion and will be due 45 days after the contract is awarded. Additionally, the winning dev will need to deliver videos, workbooks, custom software with source code, and provide tech support for the school from July through September (the summer academic quarter).

On the plus side, the Navy notes that no travel is required and the developer will not need a security clearance, as the contract is unclassified. The posting does not say what the job pays, but the winning bidder can expect a full year of contract work. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/15/us_navy_cybersecurity_curriculum/

Just a little FYI: Filtering doodad in Adblock Plus opens door to third-party malware injection

A feature introduced last year in Adblock Plus and a few other related content blocking browser extensions allows providers of filtering lists, under certain conditions, to execute arbitrary code on web pages.

Adblock Plus v3.2 for Chrome, Firefox and Opera, released in July 2018, includes support for the $rewrite filter option, which can alter filter rules governing whether or not content gets blocked. The rationale for doing so is that there may be times when it’s better to redirect a web request rather than blocking it.

The $rewrite filter provides a way to remove tracking data from URLs. One example might be avoiding Google Accelerated Mobile Pages (AMP). “We could redirect people to the non-AMP page as AMP is only meant to advertise and track not to actually make the web better,” suggested Adblock Plus developer Hubert Figuière last year.

Other content blocking extensions with confusingly similar names like AdBlock and uBlock (owned by AdBlock and not associated with uBlock Origin) are said to have also implemented the $rewrite option. With this directive, third-party maintained filter lists can selectively rewrite URL parameters.

According to Armin Sebastian, the developer who found the issue, web pages are vulnerable under three conditions taken together: they load a JavaScript string via XMLHttpRequest or Fetch and execute the returned code; they fail to limit the origins that can be fetched, whether with Content Security Policy directives or URL validation; and the origin of the fetched code has a server-side open redirect or allows the hosting of arbitrary user content.

In such a case, an untrustworthy provider of filter list data could include a malicious $rewrite filter that redirects the fetch to attacker-controlled content, which the page then executes as code.

In a blog post on Monday, Sebastian said he had informed Google about the potential vulnerability but the company considers it intended behavior rather than a bug.

Adblock Plus, in a statement emailed to The Register said, “We are taking this very seriously and are currently investigating the actual risk for our users to determine the best countermeasure.”

In its statement, Adblock Plus said support for $rewrite “was added to allow filter list authors to effectively block circumvention attempts, where a website tries to force ads on visitors that use an ad blocker.”

“The new feature is a fundamental shift from how ad blockers are understood to work,” said Sebastian in a Twitter conversation with The Register.

“In the past the worst that could have happened was for a malicious filter list provider to block access to a site, which would have been a minor annoyance that is easy to spot. The $rewrite filter option, when chained with other security issues from web services, enables account takeovers and the exfiltration of private data. That is quite the leap from how users perceive ad blockers to work.”

Sebastian said he was unaware of whether anyone has been exploiting filtering lists thus, but said manipulation would be difficult to detect. “This method allows delivering payloads on a per request basis, you may be targeted, exploited and the evidence cleared from the extension storage, without needing to publish the payload as part of a public filter list,” he said.

Cause for concern

Raymond Hill, the creator of rival content blocking extension uBlock Origin, last year said he would not be implementing $rewrite because of security concerns. Specifically, he worried same-origin restrictions would not be enough because sites like GitHub can have the same origin (github.com) while giving different people control over content on different pages.

“Even with strictly same origin, a malicious filter list author could add bad stuff to a network request,” he wrote, noting that he preferred an option called querystrip that removes but does not rewrite URL query parameters.


In an email to The Register, Hill said, “The exploit requires that a filter list maintainer go rogue, an unlikely scenario, especially for prominent filter lists, i.e. those used by default by the affected blockers. Still, [Sebastian’s post] makes the case that the possibility exists and this needs to be taken into account by users according to how they personally choose to assign trust.”

Adblock Plus said $rewrite has been restricted to prevent it from executing any scripts but, despite Content Security Policy settings, “certain websites allow the interpretation of plaintext from a third party as code and execute it.”

The company said it considers exploitation unlikely (and hasn’t seen any exploitation attempts) because it vets authors who contribute to filter lists enabled in Adblock Plus by default and it examines filter lists regularly.

“Nevertheless, there are still websites where this option can be used to run malicious software and we know that it is our responsibility to protect our users from such attacks. We are working on fixing this exploit,” the company said.

In addition to the further restrictions being considered for $rewrite, Adblock Plus says it may restrict all filter lists to HTTPS, which is already the case for the lists activated by default.

Sebastian said the risk can be mitigated by whitelisting known origins with the connect-src CSP header or by omitting server-side open redirects.

The Register asked Google to confirm that it doesn’t see this as a Chrome security problem, but we’ve not yet heard back.

One of the reasons Google cites for its controversial Manifest v3 plan to change the APIs available to Chrome extensions is security. The search biz is focused on issues other than filter trust, such as replacing the blocking webRequest API, which lets an extension’s own JavaScript inspect and modify every request in flight, with a declarative model in which the extension ships a fixed rule set that the browser itself evaluates. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/15/adblock_plus_hole/