Major browsers get an update to fix separate bugs that both allow for remote attacks, which could potentially allow hackers to takeover targeted devices.
Makers of the Chrome, Firefox & Edge browsers are urging users to patch critical vulnerabilities that if exploited allow hackers to hijack systems running the software.
The Mozilla Firefox vulnerability (CVE-2020-16044) is separate from a bug reported in Google’s browser engine Chromium, which is used in the Google Chrome browser and Microsoft’s latest version of its Edge browser.
Critical Firefox Use-After-Free Bug
Last Thur., the US Cyber-Security & Infrastructure Security Agency (CISA) urged users of Mozilla Foundation’s Firefox browser to patch a bug, tracked as CVE-2020-16044, & rated as critical. The vulnerability is classified as a use-after-free bug & tied to the way Firefox handles browser cookies & if exploited allows hackers to gain access to the computer, phone or tablet running the browser software.
Impacted are Firefox browser versions released prior to the recently released Firefox desktop 84.0.2, Firefox Android 84.1.3 edition & also Mozilla’s corporate ESR 78.6.1 version of Firefox.
SCTP Packet
“A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,” according to a Mozilla security bulletin posted Thursday.
The acronym ‘SCTP’ stands for Stream Control Transmission Protocol, used in computer networking to communicate protocol data within the Transport Layer of the internet protocol suite, or TCP/IP. The bug is tied to the way cookie data is handled by SCTP.
COOKIE ECHO
Each inbound SCTP packet contains a cookie chunk that facilitates a corresponding reply from the browser’s cookie. A COOKIE ECHO chunk is a snippet of data sent during the initialisation of the SCTP connection with the browser.
According to Mozilla an adversary could craft a malicious COOKIE-ECHO chunk to impact the browser’s memory. A use-after-free vulnerability relates to incorrect use of dynamic memory during program operation.
If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” according to a description of the vulnerability.
Mozilla did not credit the bug discovery, nor did it state whether it was a vulnerability actively being exploited in the wild.
Chromium Browser Bug Impacts Chrome & Edge
Also, last Thur., CISA urged Windows, macOS & Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.
The CISA-bug warning stated that the update to the latest version of the Chrome browser would “addresses vulnerabilities that an attacker could exploit to take control of an affected system.”
Because Microsoft’s latest Edge browser is based on Google Chromium browser engine, Microsoft also urged its users to update to the latest 87.0.664.75 version of its Edge browser.
Critical
While researchers at Tenable classify the out-of-bounds bug as critical, both Google & Microsoft classified the vulnerability as high severity. Tencent Security Xuanwu Lab researcher Bohan Liu is credited for finding & reporting the bug.
The CVE-2020-15995 bug dates back to a Chrome for Android update security bulletin Google’s published on Oct. 2020. Then, the bug was also classified as high severity. The flaw is identified as an “out of bounds write in V8”, bug originally found in Sept. 2020 by Liu.
Open-Source
V8 is Google’s open source & high-performance JavaScript & Web Assembly engine, according to a Google developer description. While the technical specifics of the bug are not available, similar out of bounds write in V8 bugs have allowed remote attackers to exploit a heap corruption via a crafted HTML page.
A ‘heap corruption’ is a type of memory corruption that occurs in a computer program when the contents of a memory location are modified due to programmatic behaviour — malicious or not — that exceeds the intention of the original programmer or program language parameters.
Heap Corruption
A so-called heap-smashing attack can be used to exploit instances of heap corruption, according to an academic paper (PDF) co-authored by Nektarios Georgios Tsoutsos, student member of IEEE & Michail Maniatakos, senior member of IEEE.
“Heap Smashing Attacks exploit dynamic memory allocators (e.g., malloc) by corrupting the control structures defining the heap itself.
By overflowing a heap block, attackers could overwrite adjacent heap headers that chain different heap blocks, & eventually cause the dynamic memory allocator to modify arbitrary memory locations as soon as a heap-free operation is executed.
Malicious Payload
The malicious payload can also be generated on-the-fly: i.e., by exploiting Just-In-Time (JIT) compilation, assembled code can be written on the heap,” they wrote.
Neither Microsoft nor Google explain why the Oct. 2020 CVE-2020-15995 is being featured again in both last Thurs. security bulletins. Typically, that is an indication that the original fix was incomplete.
Chromium Bugs Impact Chrome & Edge
12 extra bugs were reported by Google, impacting its Chromium browser engine. Both Google & Microsoft featured the same list of vulnerabilities (CVE-2021-21106, CVE-2021-21107, CVE-2021-21108, CVE-2021-21109, CVE-2021-21110, CVE-2021-21111, CVE-2021-21112, CVE-2021-21113, CVE-2021-21114, CVE-2021-21115, CVE-2021-21116, CVE-2020-16043).
The majority of the bugs were rated high-severity & tied to use-after-free bugs. 3 of the vulnerabilities earned bug hunters $20,000 for their work. Weipeng Jiang from Codesafe Team of Legendsec at Qi’anxin Group is credited for finding both $20,000 bugs (CVE-2021-21106 & CVE-2021-21107).
Autofill Function
The 1st, a use-after-free bug tied to Chromium’s autofill function & the 2nd a use-after-free bug in the Chromium media element.
Leecraso & Guang Gong of 360 Alpha Lab earned $20,000 for a CVE-2021-21108, also a use-after-free bug in the browser’s media component.
No technical details were disclosed, but typically are not until its determined that most Chrome browsers have been updated.
Major browsers get an update to fix separate bugs that both allow for remote attacks, which could potentially allow hackers to takeover targeted devices.
Makers of the Chrome, Firefox & Edge browsers are urging users to patch critical vulnerabilities that if exploited allow hackers to hijack systems running the software.
The Mozilla Firefox vulnerability (CVE-2020-16044) is separate from a bug reported in Google’s browser engine Chromium, which is used in the Google Chrome browser and Microsoft’s latest version of its Edge browser.
Major browsers get an update to fix separate bugs that both allow for remote attacks, which could potentially allow hackers to takeover targeted devices.
Makers of the Chrome, Firefox & Edge browsers are urging users to patch critical vulnerabilities that if exploited allow hackers to hijack systems running the software.
The Mozilla Firefox vulnerability (CVE-2020-16044) is separate from a bug reported in Google’s browser engine Chromium, which is used in the Google Chrome browser and Microsoft’s latest version of its Edge browser.
Critical Firefox Use-After-Free Bug
Last Thur., the US Cyber-Security & Infrastructure Security Agency (CISA) urged users of Mozilla Foundation’s Firefox browser to patch a bug, tracked as CVE-2020-16044, & rated as critical. The vulnerability is classified as a use-after-free bug & tied to the way Firefox handles browser cookies & if exploited allows hackers to gain access to the computer, phone or tablet running the browser software.
Impacted are Firefox browser versions released prior to the recently released Firefox desktop 84.0.2, Firefox Android 84.1.3 edition & also Mozilla’s corporate ESR 78.6.1 version of Firefox.
SCTP Packet
“A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,” according to a Mozilla security bulletin posted Thursday.
The acronym ‘SCTP’ stands for Stream Control Transmission Protocol, used in computer networking to communicate protocol data within the Transport Layer of the internet protocol suite, or TCP/IP. The bug is tied to the way cookie data is handled by SCTP.
COOKIE ECHO
Each inbound SCTP packet contains a cookie chunk that facilitates a corresponding reply from the browser’s cookie. A COOKIE ECHO chunk is a snippet of data sent during the initialisation of the SCTP connection with the browser.
According to Mozilla an adversary could craft a malicious COOKIE-ECHO chunk to impact the browser’s memory. A use-after-free vulnerability relates to incorrect use of dynamic memory during program operation.
If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” according to a description of the vulnerability.
Mozilla did not credit the bug discovery, nor did it state whether it was a vulnerability actively being exploited in the wild.
Chromium Browser Bug Impacts Chrome & Edge
Also, last Thur., CISA urged Windows, macOS & Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.
The CISA-bug warning stated that the update to the latest version of the Chrome browser would “addresses vulnerabilities that an attacker could exploit to take control of an affected system.”
Because Microsoft’s latest Edge browser is based on Google Chromium browser engine, Microsoft also urged its users to update to the latest 87.0.664.75 version of its Edge browser.
Critical
While researchers at Tenable classify the out-of-bounds bug as critical, both Google & Microsoft classified the vulnerability as high severity. Tencent Security Xuanwu Lab researcher Bohan Liu is credited for finding & reporting the bug.
The CVE-2020-15995 bug dates back to a Chrome for Android update security bulletin Google’s published on Oct. 2020. Then, the bug was also classified as high severity. The flaw is identified as an “out of bounds write in V8”, bug originally found in Sept. 2020 by Liu.
Open-Source
V8 is Google’s open source & high-performance JavaScript & Web Assembly engine, according to a Google developer description. While the technical specifics of the bug are not available, similar out of bounds write in V8 bugs have allowed remote attackers to exploit a heap corruption via a crafted HTML page.
A ‘heap corruption’ is a type of memory corruption that occurs in a computer program when the contents of a memory location are modified due to programmatic behaviour — malicious or not — that exceeds the intention of the original programmer or program language parameters.
Heap Corruption
A so-called heap-smashing attack can be used to exploit instances of heap corruption, according to an academic paper (PDF) co-authored by Nektarios Georgios Tsoutsos, student member of IEEE & Michail Maniatakos, senior member of IEEE.
“Heap Smashing Attacks exploit dynamic memory allocators (e.g., malloc) by corrupting the control structures defining the heap itself.
By overflowing a heap block, attackers could overwrite adjacent heap headers that chain different heap blocks, & eventually cause the dynamic memory allocator to modify arbitrary memory locations as soon as a heap-free operation is executed.
Malicious Payload
The malicious payload can also be generated on-the-fly: i.e., by exploiting Just-In-Time (JIT) compilation, assembled code can be written on the heap,” they wrote.
Neither Microsoft nor Google explain why the Oct. 2020 CVE-2020-15995 is being featured again in both last Thurs. security bulletins. Typically, that is an indication that the original fix was incomplete.
Chromium Bugs Impact Chrome & Edge
12 extra bugs were reported by Google, impacting its Chromium browser engine. Both Google & Microsoft featured the same list of vulnerabilities (CVE-2021-21106, CVE-2021-21107, CVE-2021-21108, CVE-2021-21109, CVE-2021-21110, CVE-2021-21111, CVE-2021-21112, CVE-2021-21113, CVE-2021-21114, CVE-2021-21115, CVE-2021-21116, CVE-2020-16043).
The majority of the bugs were rated high-severity & tied to use-after-free bugs. 3 of the vulnerabilities earned bug hunters $20,000 for their work. Weipeng Jiang from Codesafe Team of Legendsec at Qi’anxin Group is credited for finding both $20,000 bugs (CVE-2021-21106 & CVE-2021-21107).
Autofill Function
The 1st, a use-after-free bug tied to Chromium’s autofill function & the 2nd a use-after-free bug in the Chromium media element.
Leecraso & Guang Gong of 360 Alpha Lab earned $20,000 for a CVE-2021-21108, also a use-after-free bug in the browser’s media component.
No technical details were disclosed, but typically are not until its determined that most Chrome browsers have been updated.
https://www.cybernewsgroup.co.uk/virtual-conference-january-2021/