Slashdot

According to a researcher, favicons can be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online. From a report: The tracking method is called a Supercookie, and it's the work of German software designer Jonas Strehle. "Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user," Strehle said on his Github. "The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers." Strehle's Github explained that he became interested in the idea of using favicons to track users after reading a research paper [PDF] on the topic from the University of Illinois at Chicago. "The complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries," the paper explained. "In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons." To be clear, this is a proof-of-concept and not something that Strehle has found out in the wild.

An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command. Bleeping Computer reports: In August 2020, October 2020, and finally this week, infosec researcher Jonas L drew attention to an NTFS vulnerability impacting Windows 10 that has not been fixed. When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records. The researcher told BleepingComputer that the flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in the latest version. What’s worse is, the vulnerability can be triggered by standard and low privileged user accounts on Windows 10 systems. […] It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue doesn’t work. One striking finding shared by Jonas with us was that a crafted Windows shortcut file (.url) that had its icon location set to C::$i30:$bitmap would trigger the vulnerability even if the user never opened the file! As observed by BleepingComputer, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file’s icon. To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process. Next, “restart to repair hard drive”; notifications start popping up on the Windows PC — all this without the user even having opened or double-clicked on the shortcut file.

An anonymous reader quotes a report from Ars Technica: Hackers are abusing Google Analytics so that they can more covertly siphon stolen credit card data out of infected ecommerce sites, researchers reported on Monday. Payment card skimming used to refer solely to the practice of infecting point-of-sale machines in brick-and-mortar stores. The malware would extract credit card numbers and other data. Attackers would then use or sell the stolen information so it could be used in payment card fraud. One challenge in pulling off the hack is bypassing website security policies or concealing the exfiltration of massive amounts of sensitive data from endpoint security applications installed on the infected network. Researchers from Kaspersky Lab on Monday said that they have recently observed about two dozen infected sites that found a novel way to achieve this. Instead of sending it to attacker-controlled servers, the attackers send it to Google Analytics accounts they control. Since the Google service is so widely used, ecommerce site security policies generally fully trust it to receive data. “Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users,” Kaspersky Lab researcher Victoria Vlasova wrote here. “Administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources.” The researcher added: “To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on analytics.google.com, get the tracking ID (trackingId, a string like this: UA-XXXX-Y), and insert it into the web pages together with the tracking code (a special snippet of code). Several tracking codes can rub shoulders on one site, sending data about visitors to different Analytics accounts.” The “UA-XXXX-Y” refers to the tracking ID that Google Analytics uses to tell one account from another. As demonstrated in the following screenshot, showing malicious code on an infected site, the IDs (underlined) can easily blend in with legitimate code.

A vulnerability in version 3.1.1 of the Server Message Block (SMB) — the service that’s used to share files, printers, and other resources on local networks and over the internet — can allow attacks to execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in an advisory. Ars Technica reports: The flaw, which is tracked as CVE-2020-0796, affects Windows 10, versions 1903 and 1909 and Windows Server versions 1903 and 1909, which are relatively new releases that Microsoft has invested huge amounts of resources hardening against precisely these types of attacks. Patches aren’t available, and Tuesday’s advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said, “Beyond the advisory you linked, nothing else to share from Microsoft at this time.” In the meantime, Microsoft said vulnerable servers can be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. Users can use the following PowerShell command to turn off compression without needing to reboot the machine: “Set-ItemProperty -Path “HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters” DisableCompression -Type DWORD -Value 1 -Force.” That fix won’t protect vulnerable client computers or servers if they connect to a malicious SMB service, but in that scenario, the attacks aren’t wormable. Microsoft also recommended users block port 445, which is used to send SMB traffic between machines.

Billions of devices — many of them already patched — are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference. From a report: The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom, the latter a chipmaker Cypress acquired in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3’s, and Wi-Fi routers from Asus and Huawei. Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cyperess’ and Broadcom’s FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126. Manufacturers have made patches available for most or all of the affected devices, but it’s not clear how many devices have installed the patches. Of greatest concern are vulnerable wireless routers, which often go unpatched indefinitely. “This results in scenarios where client devices that are unaffected (either patched or using different Wi-Fi chips not vulnerable to Kr00k) can be connected to an access point (often times beyond an individual’s control) that is vulnerable,” Eset researchers wrote in a research paper published on Wednesday. “The attack surface is greatly increased, since an adversary can decrypt data that was transmitted by a vulnerable access point to a specific client (which may or may not be vulnerable itself).”

An anonymous reader quotes a report from ZDNet: WordPress site owners who use commercial themes provided by ThemeGrill are advised to update one of the plugins that come installed with these themes in order to patch a critical bug that can let attackers wipe their sites. The vulnerability resides in ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, a web development company that sells commercial WordPress themes. The plugin, which is installed on more than 200,000 sites, allows site owners to import demo content inside their ThemeGrill themes so they’ll have examples and a starting point on which they can build their own sites. However, in a report published yesterday, WordPress security firm WebARX says that older versions of the ThemeGrill Demo Importer are vulnerable to remote attacks from unauthenticated attackers. Remote hackers can send a specially crafted payload to vulnerable sites and trigger a function inside the plugin. The vulnerable function resets the site’s content to zero, effectively wiping the content of all WordPress sites where a ThemeGrill theme is active, and the vulnerable plugin is installed. Furthermore, if the site’s database contains a user named “admin” then the attacker is granted access to that user with full administrator rights over the site.

Slashdot reader golden_donkey quotes Forbes: Are you booting up your Windows 10 machine and discovering you can’t log in to your profile? It appears you’re not alone. Reports are increasing across Twitter and Microsoft forums that following the most recent Patch Tuesday update (KB4532693), users are complaining that their profiles and desktop files are missing, and that custom icons and wallpaper have all been reset to their default state… The KB4532693 update is allegedly causing much more serious headaches for some users. A newer report by Windows Latest cites multiple users in their comments section complaining that the data is nowhere to be found and allegedly not recoverable. Microsoft has now “yanked KB4524244 from its update servers…” reports ZDNet, “after acknowledging reports of an issue affecting a sub-set of devices.” Microsoft says customers who have successfully installed the update don’t need to take any further steps. Those who have configured PCs to defer installation of updates by at least four days should also be unaffected. For those who are experiencing issues related to this update, Microsoft recommends uninstalling the update. Forbes also shared a video “on a related note.” Its title? “How To Choose A Linux Distro That’s Right For You…”

Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. The vulnerability was spotted and reported by the NSA. CNBC reports: The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal. In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available." Jeff Jones, a senior director at Microsoft said in a statement Tuesday: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.

“Top domain name registrars NetworkSolutions.com, Register.com and Web.com are asking customers to reset their passwords after discovering an intrusion in August 2019 in which customer account information was accessed,” reports security researcher Brian Krebs: “On October 16, 2019, Web.com determined that a third-party gained unauthorized access to a limited number of its computer systems in late August 2019, and as a result, account information may have been accessed,” Web.com said in a written statement. “No credit card data was compromised as a result of this incident.” The Jacksonville, Fla.-based Web.com said the information exposed includes “contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder…” Both Network Solutions and Register.com are owned by Web.com. Network Solutions is now the world’s fifth-largest domain name registrar, with almost seven million domains in its stable, according to domainstate.com; Register.com listed at #17 with 1.7 million domains… Web.com said it has reported the incident to law enforcement and hired an outside security firm to investigate further, and is in the process of notifying affected customers through email and via its website… Web.com wasn’t clear how long the intrusion lasted, but if the breach wasn’t detected until mid-October that means the intruders potentially had about six weeks inside unnoticed. That’s a long time for an adversary to wander about one’s network, and plenty of time to steal a great deal more information than just names, addresses and phone numbers.

“If you’re at all concerned about the privacy of your data, you don’t want to leave the default settings in place on your devices — and that includes anything that runs Windows 10,” warns a new article in Wired, listing out the “controls and options you can modify to lock down the use of your data, from the information you share with Microsoft to the access that individual apps have to your location, camera, and microphone.” Long-time Slashdot reader shanen calls the the article “a rough estimate of the degree to which my privacy can be intruded upon,” adding some particularly pessimistic additional thoughts: Not just Microsoft, of course. It’s safe to conclude that there are similar capabilities embedded in the software from Apple, the google, Amazon, and Facebook (and others…) [T]here is no real boundary between the software that does the privacy intrusions, the software that controls the intrusions, and the software that tells me the state of the intrusions. Have I actually disabled that particular abuse of my privacy? Or is the software still doing it and lying to me and claiming it isn’t doing it… Or maybe it’s the NSA, GRU, FBI, FSB, DHS, MSS, CIA, or any other governmental agency with a secret legal power to compel intrusions that you can’t be told about…