7 New Meltdown and Spectre-type CPU Flaws Affect Intel, AMD, ARM CPUs


Disclosed earlier this year, the potentially dangerous Meltdown and Spectre vulnerabilities, which affected a large family of modern processors, proved that speculative execution attacks can be exploited in a trivial way to access highly sensitive information.

Since then, several more variants of speculative execution attacks have been discovered, including Spectre-NG, SpectreRSB, Spectre 1.1, Spectre 1.2, TLBleed, Lazy FP, NetSpectre and Foreshadow, patches for which were released by affected vendors from time to time.

Speculative execution is a core component of modern processor design that speculatively executes instructions based on assumptions that are considered likely to be true. If the assumptions turn out to be valid, the execution continues; otherwise it is discarded.

Now, the same team of cybersecurity researchers who discovered the original Meltdown and Spectre vulnerabilities has uncovered 7 new transient execution attacks affecting 3 major processor vendors: Intel, AMD and ARM.

While some of the newly-discovered transient execution attacks are mitigated by existing mitigation techniques for Spectre and Meltdown, others are not.

images from Hacker News

0-Days Found in iPhone X, Samsung Galaxy S9, Xiaomi Mi6 Phones


At the Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked.

Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward.

Teams of hackers from different countries, or representing different cybersecurity companies, disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, and crafted exploits that allowed them to completely take over the targeted devices.


Popular AMP Plugin for WordPress Patches Critical Flaw – Update Now


A security researcher has disclosed details of a critical vulnerability in one of the popular and widely active plugins for WordPress that could allow a low-privileged attacker to inject malicious code on AMP pages of the targeted website.

The vulnerable WordPress plugin in question is “AMP for WP – Accelerated Mobile Pages” that lets websites automatically generate valid accelerated mobile pages for their blog posts and other web pages.

AMP, which stands for Accelerated Mobile Pages, is an open-source technology designed by Google to allow websites to build and serve faster web pages to mobile visitors.

Though I am pretty sure the main version of “The Hacker News” website is fast enough for both desktop and mobile device users, you can also check the AMP version for this specific article here.


Instagram Accidentally Exposed Some Users’ Passwords In Plaintext


Instagram has recently patched a security issue in its website that might have accidentally exposed some of its users’ passwords in plain text.

The company recently started notifying affected users of a security bug that resides in a newly offered feature called “Download Your Data” that allows users to download a copy of their data shared on the social media platform, including photos, comments, posts, and other information that they have shared on the platform.

To prevent unauthorised users from getting their hands on your personal data, the feature asks you to reconfirm your password before downloading the data.

However, according to Instagram, the plaintext passwords for some users who had used the Download Your Data feature were included in the URL and also stored on Facebook’s servers due to a security bug that was discovered by the Instagram internal team.

The company said the stored data has been deleted from the servers owned by Facebook, Instagram’s parent company, and the tool has now been updated to resolve the issue, which “affected a very small number of people.”


Unpatched VirtualBox Zero-Day Vulnerability and Exploit Released Online


An independent exploit developer and vulnerability researcher has publicly disclosed a zero-day vulnerability in VirtualBox, a popular open source virtualization software developed by Oracle, that could allow a malicious program to escape the virtual machine (guest OS) and execute code on the operating system of the host machine.

The vulnerability occurs due to memory corruption issues and affects the Intel PRO/1000 MT Desktop (82540EM) network card (E1000) when the network mode is set to NAT (Network Address Translation).

The flaw is independent of the type of operating system being used by the virtual and host machines because it resides in a shared code base.

VirtualBox Zero-Day Exploit and Demo Video Released

Sergey Zelenyuk published Wednesday a detailed technical explanation of the zero-day flaw on GitHub, which affects all current versions (5.2.20 and prior) of VirtualBox software and is present on the default Virtual Machine (VM) configuration.

According to Zelenyuk, the vulnerability allows an attacker or a malicious program with root or administrator rights in the guest OS to escape and execute arbitrary code in the application layer (ring 3) of the host OS, which is used for running code from most user programs with the least privileges.
