websites and trick victims into handing over their credentials – has yet to be patched. A browser address bar spoofing flaw was found by researchers this week in Safari – and Apple has yet to issue a patch for the flaw. Researcher Rafay Baloch on Monday disclosed two proof-of-concepts revealing how vulnerabilities in Edge browser 42.17134.1.0 and Safari iOS 11.3.1 could be abused to manipulate the browsers' address bars, tricking victims into thinking they are visiting a legitimate website. Baloch told Threatpost Wednesday that Apple has promised to fix the flaw in its next security update for Safari. "Apple has told [me] that the latest beta of iOS 12 also addresses the issue, however they haven't provided any dates," he said. Apple did not respond to multiple requests for comment from Threatpost. Microsoft for its part has fixed the vulnerability Baloch found in the Edge browser (CVE-2018-8383) in its August Patch Tuesday release. According to Microsoft's vulnerability advisory released August 14, the spoofing flaw exists because Edge does not properly parse HTTP content. Both flaws stem from the Edge and Safari browsers allowing JavaScript to update the address bar while the page is still loading. This means that an attacker could request data from a non-existent port and, due to the delay induced by the setInterval function, trigger the address bar spoofing. The browser would then preserve the address bar and load the content from the spoofed page, Baloch said in his blog breaking down both vulnerabilities.
From there, the attacker could spoof the website, using it to lure in victims and potentially gather credentials or spread malware. For instance, the attacker could send an email message containing the specially crafted URL to the user, convince the user to click it, and take them to the link, which could gather their credentials or sensitive information. "As per Google, the address bar is the only reliable indicator for ensuring the identity of the website; if the address bar points to Facebook.com and the content is hosted on the attacker's website, there is no reason why someone would not fall for this," Baloch told Threatpost. In a video demonstration, Baloch showed how he could visit a link for the vulnerable browser on Edge (http://sh3ifu[.]com/bt/Edge-Spoof.html), which would take him to a site purporting to be a Gmail login. However, while the URL points to a Gmail address, the content is hosted on sh3ifu.com, said Baloch. The Safari proof-of-concept is similar, except for one constraint: Safari does not allow users to type their information into the input boxes while the page is in a loading state. However, Baloch said he was able to circumvent this restriction by injecting a fake keyboard using JavaScript – a common practice in banking sites. No other browsers – including Chrome or Firefox – were discovered to have the flaw, said Baloch. Baloch is known for discovering similar vulnerabilities in Chrome, Firefox and other major browsers in 2016, which also allowed attackers to spoof URLs in the address bar. The vulnerabilities were disclosed to both Microsoft and Apple, and Baloch gave both a 90-day deadline before he went public with the flaws.
Because the Safari browser bug is unpatched, Baloch said he has not yet released a proof of concept: "However considering there is a slight difference between the Edge browser POC and Safari, anyone with decent knowledge of JavaScript can make it work on Safari," he told us.
The zero-day memory corruption flaw resides in the implementation of the SMB (server message block) network file sharing protocol and could allow a remote, unauthenticated attacker to crash systems with a denial of service attack, which would then open them to more possible attacks. According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but this has not been confirmed by Microsoft at this time. Without revealing the actual scope of the vulnerability and the kind of threat the exploit poses, Microsoft has simply downplayed the severity of the issue, saying: "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection." However, the proof-of-concept exploit code, Win10.py, has already been released publicly for Windows 10 by security researcher Laurent Gaffie and does not require targets to use a browser. The memory corruption flaw resides in the manner in which Windows handles SMB traffic and could be exploited by attackers; all they need is to trick victims into connecting to a malicious SMB server, which could easily be done using clever social engineering tricks. "In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure," CERT said in the advisory.
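A sensor-side sanity check for the malformed response CERT describes, written here as an added example (it is not code from the advisory or the article). It assumes the MS-SMB2 wire layout: a 64-byte little-endian header, command value 3 for TREE_CONNECT, and a fixed 16-byte response body whose StructureSize field is 16; the sample packets are constructed.

```powershell
# Added example: flag an SMB2 TREE_CONNECT response whose body carries more than the
# 16 bytes the TREE_CONNECT Response structure defines. Offsets follow MS-SMB2 (assumed):
# Command at header offset 12, Flags at 16 (bit 0 = server-to-client), NextCommand at 20.
function Test-Smb2TreeConnectResponse {
    param([byte[]]$Packet)
    if ($Packet.Length -lt 64) { return 'not-smb2' }
    # ProtocolId must be 0xFE 'S' 'M' 'B'
    if ($Packet[0] -ne 0xFE -or $Packet[1] -ne 0x53 -or $Packet[2] -ne 0x4D -or $Packet[3] -ne 0x42) {
        return 'not-smb2'
    }
    $command = [BitConverter]::ToUInt16($Packet, 12)
    $flags   = [BitConverter]::ToUInt32($Packet, 16)
    $nextCmd = [BitConverter]::ToUInt32($Packet, 20)
    if ($command -ne 3 -or ($flags -band 1) -eq 0) { return 'not-tree-connect-response' }
    # Body runs from the end of the header to NextCommand (compounded) or to packet end
    $bodyEnd = if ($nextCmd -ne 0) { [int]$nextCmd } else { $Packet.Length }
    $bodyLen = $bodyEnd - 64
    if ($bodyLen -lt 16) { return 'truncated' }
    $structSize = [BitConverter]::ToUInt16($Packet, 64)
    if ($structSize -ne 16 -or $bodyLen -gt 16) { return 'oversized' }
    return 'ok'
}

# Constructed sample: a well-formed TREE_CONNECT response, optionally with trailing bytes
function New-SampleTreeConnectResponse {
    param([int]$ExtraBytes = 0)
    $hdr = [byte[]]::new(64)
    $hdr[0] = 0xFE; $hdr[1] = 0x53; $hdr[2] = 0x4D; $hdr[3] = 0x42
    [BitConverter]::GetBytes([uint16]64).CopyTo($hdr, 4)   # header StructureSize
    [BitConverter]::GetBytes([uint16]3).CopyTo($hdr, 12)   # Command = TREE_CONNECT
    [BitConverter]::GetBytes([uint32]1).CopyTo($hdr, 16)   # Flags = SERVER_TO_REDIR
    $body = [byte[]]::new(16)
    [BitConverter]::GetBytes([uint16]16).CopyTo($body, 0)  # body StructureSize
    $body[2] = 1                                           # ShareType = DISK
    $pad = [byte[]]::new($ExtraBytes)
    return [byte[]]($hdr + $body + $pad)
}

Test-Smb2TreeConnectResponse (New-SampleTreeConnectResponse)
Test-Smb2TreeConnectResponse (New-SampleTreeConnectResponse -ExtraBytes 200)
```

The check only inspects one message; a capture tool feeding it would still have to reassemble the TCP stream and strip the 4-byte NetBIOS session header first.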
"By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys." Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft, all Windows users are left open to potential attacks at this time. Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or an out-of-band patch), Windows users can temporarily fix the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN.
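One way to apply the workaround above on a single Windows host, as an added example that is not from the article or from Microsoft: two Windows Firewall rules that block outbound SMB and NetBIOS to non-local addresses while leaving the local subnet alone. It assumes the NetSecurity cmdlets (Windows 8.1/10, Server 2012 R2 and later), an elevated PowerShell session, and the built-in "Internet" address keyword, which the firewall resolves through Network Location Awareness.

```powershell
# Added example: block outbound SMB (TCP 139/445) and NetBIOS (UDP 137/138) to the WAN
# until the vendor patch ships. "Internet" matches addresses outside the local network,
# so file servers and printers on the local subnet keep working. Rule names are my own.
$rules = @(
    @{ Name = 'Block-Outbound-SMB-TCP-WAN';     Protocol = 'TCP'; Ports = @(139, 445) },
    @{ Name = 'Block-Outbound-NetBIOS-UDP-WAN'; Protocol = 'UDP'; Ports = @(137, 138) }
)

foreach ($r in $rules) {
    # Idempotent: a second run must not create duplicate rules
    if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule $($r.Name) already present"
        continue
    }
    New-NetFirewallRule -Name $r.Name -DisplayName $r.Name `
        -Description 'Workaround: block outbound SMB/NetBIOS to non-local addresses until patched' `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Protocol $r.Protocol -RemotePort $r.Ports -RemoteAddress Internet | Out-Null
}

# Verify what was actually installed: protocol, ports and address scope per rule
Get-NetFirewallRule -Name 'Block-Outbound-*-WAN' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0}: {1} {2} -> {3}' -f $_.Name, $port.Protocol, ($port.RemotePort -join ','), $addr.RemoteAddress
}

# Roll back once the patch is installed:
# Get-NetFirewallRule -Name 'Block-Outbound-*-WAN' | Remove-NetFirewallRule
```

Hosts that reach remote SMB shares over a VPN may see those addresses classified as "Internet"; check the NLA network category before relying on the LocalSubnet exemption.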
This file photo taken on August 13, 2008 shows a man walking over the seal of the Central Intelligence Agency (CIA) in the lobby of CIA Headquarters in Langley, Va. Wikileaks' latest data dump, the "Vault 7," purporting to reveal the Central Intelligence Agency's hacking tools, appears to be something of a dud. If you didn't know before that spy agencies could apply these tools and techniques, you're naive, and if you think it undermines the attribution of hacker attacks on the Democratic National Committee and other targets, you'll be disappointed. On the surface, the dump — touted by Wikileaks as the biggest ever publication of confidential CIA documents — offers some explosive revelations. They're all over the news pages: The CIA is able to use your Samsung smart TV to eavesdrop on you! The CIA can get into your iPhone or Android device, as well as your Windows, Mac or Linux PC, and harvest your communications before they are encrypted! No encryption app — not even the Edward Snowden favorite, Signal, or WhatsApp, which uses the same encryption — is safe! The CIA hoards "zero day" vulnerabilities — weaknesses not known to the software's vendors — instead of revealing them to the likes of Google, Apple and Microsoft! CIA hackers use obfuscation tools to pretend their malware was made by someone else, including Russian intelligence! There's even a Buzzfeed story quoting current and former U.S. intelligence officers that the dump is "worse than Snowden's." There is little content in the dump to support these panicky reactions. Nothing in it indicates that the CIA has broken messenger encryption, as Open Whisper Systems, the software organization responsible for Signal, has been quick to point out.
The CIA can read messenger communications only if it plants malware on a specific phone or computer; then it can harvest keystrokes and take screenshots. This is not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets. Open Whisper Systems tweeted on March 7: "Ubiquitous e2e encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks." It's not much of a secret that using a hacked phone or computer renders end-to-end encryption useless. It was the essence of Apple's dispute with the Federal Bureau of Investigation last year, when the company wouldn't help the FBI get into a phone owned by San Bernardino shooter Syed Rizwan Farook. The Big Brother-style implications of a hacked Samsung TV are undermined by the nature of the documents that describe the hack. The CIA needs physical access to the TV set to weaponize it. Robert Graham, founder of Errata Security, wrote on the firm's blog: "The docs are clear that they can update the software running on the TV using a USB drive. There's no evidence of them doing so remotely over the Internet. If you aren't afraid of the CIA breaking in and installing a listening device, then you shouldn't be afraid of the CIA installing listening software." The Wikileaks cache contains a manual for CIA hackers on making their malware harder to trace, for example, by adding foreign languages. Wikileaks also said that the CIA "collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation."
The library, however, contains all sorts of publicly available malware, as well as samples tentatively attributed to foreign intelligence services; all that does is confirm that hackers, including CIA ones, aren't picky about the origins of the products they use. The important thing is that the malware should work. This shouldn't affect serious attempts to attribute hacker attacks. I'm not sure this is fully understood within the U.S. intelligence community itself — at any rate, the declassified report on Russian hacking it released late last year appeared to base attribution on the use of specific publicly available malware. But industry experts usually need much more evidence. A number of possible Russian attacks were attributed to Moscow's intelligence services because the attackers used specific command and control centers — servers — to collect information from various Russian adversaries. To set up a false flag operation, the CIA would need to go much further than obfuscating the origins of its malicious code. So all the jubilant tweets from Trump supporters declaring the CIA was behind the "Russian hacks" are at least premature and probably inaccurate.