SoylentNews is people

posted by Fnord666 on Saturday January 16 2021, @09:34AM
from the burned-a-lot-of-resources dept.

Hackers used 4 zero-days to infect Windows and Android devices:

Google researchers have detailed a sophisticated hacking operation that exploited vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors' devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android.

[...] In all, Project Zero published six installments detailing the exploits and post-exploit payloads the researchers found. Other parts outline a Chrome infinity bug, the Chrome exploits, the Android exploits, the post-Android exploitation payloads, and the Windows exploits.

  • (Score: 2) by fakefuck39 on Saturday January 16 2021, @06:17PM (3 children)

    by fakefuck39 (6620) on Saturday January 16 2021, @06:17PM (#1101208)

    here's an old exploit I remember where going to a website launches calc.exe locally on your PC.
    https://www.youtube.com/watch?v=c8cQ0yU89sk

    so this new one looks like the same thing, but they've added another OS exploit to the toolchain to deliver a custom executable, and another to launch it as admin.

    what I don't get is why it's so hard for a kernel to not have priv escalation exploits. yes, operating systems are complex things. but why don't we have something similar to protected memory space, but with an "admin" bit on the CPU? for example, take some reserved memory and create a range table for "admin" processes in memory. the CPU enforces write access to that memory, only from code stored in admin space already. so unless you're compromised from boot time, a userland process simply won't get access.

    yes, this means taking some things that are on-demand admin processes and turning them into persistent services that mostly sleep. but that's a tiny amount of overhead.

    • (Score: 0) by Anonymous Coward on Saturday January 16 2021, @07:59PM (2 children)

      by Anonymous Coward on Saturday January 16 2021, @07:59PM (#1101238)

      Do you know that x86 has more than just ring0? That virtual addressing is the only addressing method available in modern OSes?

      • (Score: 3, Touché) by fakefuck39 on Saturday January 16 2021, @11:01PM (1 child)

        by fakefuck39 (6620) on Saturday January 16 2021, @11:01PM (#1101279)

        Do I know that since I coded .com files in asm we got protected mode and .exe files? Do you know I'm not talking about the OS addressing anything, but about a new hardware extension to partition up memory between kernel and user space on the CPU, in addition to protected mode rings? Do you know rings 1 and 2 are for things like drivers, in order to not have hardware crash the kernel, and I'm not talking about anything to do with hardware, but applications in the OS accessing parts of kernel space, and other applications?

        did you know you have a whole bunch of root processes that run in ring3? because I don't think you do, because I don't think you know what protection rings actually do.

        I'm proposing something that is not rings. I am proposing that "root" has an allocation range map, and only root processes can add ranges to that map. what this means is sudo runs as a service. what this means is su runs as a service. it means there is no such thing as privilege escalation.

        something like chrome runs in ring 3. how we have it now, is it can execute another application as root. suid on root-owned files. instead you ask the root service to load an executable, it vforks and loads it. your process has no access to add to root memory space. is an example of this. I'm saying literally prevent this with hardware, and if you need to execute something as root, that's too bad. And so we don't have escalation bugs like the article talks about, this is enforced on the CPU, by keeping track of where in memory the malloc/fork is coming from. so there would be no way for chrome to create a root/admin process, period, irrelevant of what bugs are in the OS.

        • (Score: 0) by Anonymous Coward on Sunday January 17 2021, @01:40PM

          by Anonymous Coward on Sunday January 17 2021, @01:40PM (#1101485)

          Currently it still seems common to pass parameters in the address stack. That's so unhygienic. That's like putting plates of poop and plates of food in the same serving tray, only safe as long as nobody screws up.

          With all the memory and zillions of transistors modern computers have they should have at least two stacks - one for return addresses and one for passing parameters. That way even if there's a bug/pwn attempt, the addresses are never clobbered.
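
The two-stack idea in the comment above, as an added C simulation that is not part of this thread or of any real ABI: the frame layouts, the `RET_MARKER` value, the constructed parameter values and the `simulate_call` helper are all assumptions made for this example. It goes one step beyond the comment by also showing the shadow-copy comparison that detects a clobbered return slot in the combined layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PARAM_SLOTS 4
#define FRAME_SLOTS (PARAM_SLOTS + 1)   /* parameter slots plus one return-address slot */
#define RET_MARKER  0x400000ULL         /* constructed stand-in for a saved return address */

/* Model 1 (conventional): parameters and the return address share one array;
   slots[PARAM_SLOTS] is the return slot that sits right above the parameters. */
typedef struct { uint64_t slots[FRAME_SLOTS]; } combined_frame_t;

/* Model 2 (the comment's proposal): parameters and return addresses are two
   distinct stacks, so a write into params has nowhere to spill. */
typedef struct { uint64_t params[PARAM_SLOTS]; uint64_t ret; } split_frame_t;

static void combined_init(combined_frame_t *f) { memset(f, 0, sizeof *f); f->slots[PARAM_SLOTS] = RET_MARKER; }
static void split_init(split_frame_t *f)       { memset(f, 0, sizeof *f); f->ret = RET_MARKER; }

/* A caller copies n values into the parameter area without checking n against
   PARAM_SLOTS (the "somebody screws up" case). Copies are clamped to the frame's
   own storage so the simulation stays well-defined C. */
static void combined_write_params(combined_frame_t *f, const uint64_t *v, size_t n) {
    if (n > FRAME_SLOTS) n = FRAME_SLOTS;   /* the extra values land in the return slot */
    memcpy(f->slots, v, n * sizeof *v);
}
static void split_write_params(split_frame_t *f, const uint64_t *v, size_t n) {
    if (n > PARAM_SLOTS) n = PARAM_SLOTS;   /* the parameter stack ends here; ret lives elsewhere */
    memcpy(f->params, v, n * sizeof *v);
}

/* Shadow-stack style check: compare the live return slot with the copy saved at
   call time. 1 means intact, 0 means a clobber was detected before returning. */
static int combined_ret_intact(const combined_frame_t *f, uint64_t shadow) { return f->slots[PARAM_SLOTS] == shadow; }
static int split_ret_intact(const split_frame_t *f, uint64_t shadow)       { return f->ret == shadow; }

/* Simulate one call that passes n constructed parameter values to both layouts.
   Bit 0 of the result: combined return slot intact; bit 1: split return slot intact. */
int simulate_call(size_t n) {
    uint64_t vals[FRAME_SLOTS + 2];
    for (size_t i = 0; i < FRAME_SLOTS + 2; i++) vals[i] = 0xA0 + i;  /* never equal to RET_MARKER */
    combined_frame_t c; split_frame_t s;
    combined_init(&c); split_init(&s);
    uint64_t shadow_c = c.slots[PARAM_SLOTS], shadow_s = s.ret;       /* saved "on the shadow stack" */
    combined_write_params(&c, vals, n);
    split_write_params(&s, vals, n);
    return combined_ret_intact(&c, shadow_c) | (split_ret_intact(&s, shadow_s) << 1);
}
```

With four parameter slots, `simulate_call(4)` returns 3 (both layouts intact) while `simulate_call(5)` returns 2: one value too many overwrites the combined layout's return slot, and the shadow comparison catches it, whereas the split layout's return stack is never reached.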

  • (Score: 0) by Anonymous Coward on Saturday January 16 2021, @10:00PM

    by Anonymous Coward on Saturday January 16 2021, @10:00PM (#1101266)

    And the two Windows exploits are in the font engine. More MDC posts in 2021 than people surprised to hear of font engine bugs.
