Security flaw in Trend Micro unveiled by Google security Researcher

Google security researcher, Tavis Ormandy has found bugs in Password Manager of global security software company, Trend Micro.

Password Manager is a component installed by default with Trend Micro’s Premium Security and Maximum Security home products.

Ormandy informed Trend Micro about his findings on January 05.

The bug which is primarily written in JavaScript with node.js could allow remote code execution by any website and steal all passwords of a user. He also noted that it was also possible to bypass Internet Explorer’s Mark of the web (MOTW) security feature and execute commands without letting the victim receive any notification.

Ormandy took 30 seconds to identify an API that could be leveraged for remote code execution (RCE).  Overall, Ormandy found over 70 APIs exposed to the Internet.

Exploiting a vulnerability can give an attacker deep access to a computer.

Several serious vulnerabilities have been found in the last seven months in antivirus products from vendors including Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes.

Security bug in most popular antivirus softwares

Three most popular antivirus softwares  were  detected with the serious security flaws that could allow hackers to infiltrate the Windows computer via antivirus itself.

enSilo a security researchers have discovered  that AVG, McAfee, and Kaspersky have a common security bug.

This year in March, the security researchers at  enSilo found a security flaw in antivirus engine AVG Internet Security 2015. The security bug creates a memory space with full RWX (read-write-execute) privileges in the predictable address space that a hacker could easily force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level).

enSilo informed the AVG employees about the security flaw, and they fixed the issue within two days.

With the seriousness of the bug enSilo decided to tests the other commonly used antivirus software’s. They found the same bug in Intel Security's McAfee Virusscan Enterprise version 8.8 and Kaspersky Total Security 2015 - 15.x.

enSilo notified each company about the security bug.

"Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers' claims and took action to develop and distribute a solution addressing it," an Intel Security representative told Softpedia.

Keeping the possible widespread nature of the problem in mind, enSilo has created a free checking utility called AVulnerabilityChecker, and advised every user to check that they have all the latest updates.

"We'll continue updating this list as we receive more information," said Tomer Bitton, VP of research at enSilo, in a blog post.

"Given that this is a repetitive coding issue amongst Anti-Virus – an intrusive product, we believe that this vulnerability is also likely to appear in other intrusive products, non-security related, such as application-performing products."

Dell says "sorry" for installing vulnerable digital certificate


Dell has apologized as it confirmed via a blog post that a certificate (eDellRoot), installed on its PCs that introduced a security vulnerability.

It is said that the certificate allows attackers to cryptographically impersonate HTTPS-protected websites. However, the company has issued a software tool that removes the transport layer security credential from affected machines.

The certificate will not reinstall itself, once it is properly removed using the recommended Dell process.

“The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it,” the company said in the blog post.

According to the blog post, Dell’s customers, Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, informed the company about the presence of such certificate on its PC.

Dell has claimed that the certificate was not a malware but was there to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service their customers.


“We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” the company added. 

A Security bug in MetroPCS could allow hackers to access customer data

A critical security bug in MetroPCS could allow anyone who knew your phone number access your personal details from the website including your home address, phone’s model and serial number .

It was revealed in a report by Motherboard that a pair of researchers discovered a bug that left the customer’s personal data exposed to cybercriminals.

With the personal details in hand, cybercriminals could easily move on to identity theft and accessing bank accounts.

 Eric Taylor and Blake Welsh found the flaw on MetroPCS's payment page in mid-October. Motherboard independently verified the flaw and reached out to T-Mobile, which owns MetroPCS, on October 22.

Well-known researchers have claimed it as a pretty nasty bug and a serious privacy exposure.  MetroPCS was unaware of the problem before being contacted by Motherboard prior to their published report. A spokesperson for T-Mobile told Motherboard that the flaw was fixed and the data is not exposed anymore.

But the thing that raised eyebrows was that the hacker won’t even need someone's phone number. An attacker could just run an automated script and obtain the personal data of many MetroPCS customers.

Hackers won $1 million iPhone Jailbreak prize

Zerodium, which had announced to pay $1 million USD to those that could provide a good iOS 9 jailbreak, finally made it public via twitter that some hackers have won $1 million by finding a remote jailbreak of an iPhone.

“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!,” Zerodium tweeted on November 2.

Last month, the company launched "The Million Dollar iOS 9 Bug Bounty" program which aimed to buy an "exclusive, browser-based, and untethered jailbreak" for Apple's latest mobile operating system,

However, the company has not revealed the winner names or any further details.

A news published in Forbes Magazine, reported that the winners must have spent a significant amount of time trying to meet the tough requirements of the $1 million bounty: a remote attack that successfully took control of an iPhone via either Apple’s Safari browser, Google GOOGL +0.13% competitor Chrome or a text message. The $1 million bounty also required exploits work on the iPhone 6 or 6S, not any earlier models.

As per the news report, it had contacted the Zerodium’s founder, Chaouki Bekrar, however, he had not commented on it.

“The winning team has submitted the exploits just a few hours before the expiration of the Zerodium bounty as they have been working very hard to finish and polish the code until the last day. The exploit chain includes a number of vulnerabilities affecting both Google Chrome browser and iOS, and bypassing almost all mitigations in place. The exploit is still being extensively tested by Zerodium to understand each of the underlying vulnerabilities,” the founder added.

ATMs of Sparkasse Bank not only gives you Money but also Sensitive Information


A security researcher, Benjamin Kunz-Mejri discovered that ATM machines of German savings bank, ‘Sparkasse’ can leak sensitive information during software updates.

Mejri who is a CEO and founder of Germany based security firm Vulnerability Lab, used the ATM of Sparkasse when the machine suddenly ejected his card, and changed its status to “temporarily not available.” The machine later showed details of an update process on the screen which was when Mejri realised that the terminal had become temporarily unavailable because it was performing a software update.

For this attack, Mejri coined the term “timing attack”.

Software updates are normally conducted in the background, but Mejri discovered, the progress and details of the update process can be made visible by interacting with the device as he did.

The researcher found that a lot of sensitive data like bank’s main system branch usernames, serial numbers, firewall settings, network information, device IDs, ATM settings, and two system passwords was vulnerable to the hackers.

During the whole process, the card reader remained available and usable for other operations.

The ATM’s keyboard was also not disabled and the attacker could execute system commands via the available command prompt.

The ATM’s analysed were manufactured by Wincor Nixdorf, a German company that manufactures, sells, installs and services retail and banking hardware and software. The affected ATMs and self-service terminals were running Windows 7 and Windows XP operating systems.

According to the experts, a large scale attack can be coordinated by a criminal ring due to this vulnerability.
An attacker who has a physical access to bank nework can use the information disclosed during the update process to run a man-in-the-middle (MitM) attack on the targeted bank’s local network.

The attacker could push a bogus update to reconfigure the ATMs.

The attacker could conduct fraudulent transactions by forcing the ATM crash and corrupt the logging or debugging mechanism.

If fraudsters can determine the time and date of update schedules, they can conduct a larger, coordinated attack targeting multiple ATMs and self-service terminals as it takes 17 minutes to record all the information displayed on the screen.

There is a possibility that apart from Sparkasse, other banks who use Wincor Nixdorf ATMs and self-service terminals might also be affected.

The bank has already pushed out updates that fix the issue to a limited number of ATMs in German city of Kassel as a pilot project. The update will be installed in other regions after the test of new configuration becomes successful.

It is the first time that a German bank has admitted the security vulnerability in an ATM and rewarded the researcher with undisclosed amount of money.

Last week only, Berlin Police announced that they have been looking for a man who illegally withdrew cash from two ATMs using a USB stick that he connected to the devices after unscrewing their front panel.