Microsoft Patches Three-Year-Old IE Bug

Microsoft has pushed September security updates that patch more than 94 security holes in its Internet Explorer browser. The updates also patch a nasty three-year-old critical vulnerability [CVE-2016-3351] that was being exploited by cyber criminals.

This bug was first reported in 2015, but Microsoft didn't patch it. It was reported again this year by two security firms, Proofpoint and TrendMicro, providing Microsoft with evidence that the bug is being used by criminals. This time Microsoft took it seriously.

Proofpoint wrote in a blog post that, "During our work with Trend Micro on the AdGholas campaign, we reported it again and it was assigned a CVE ID and patch."

Proofpoint explained that this vulnerability is a "MIME type check used to filter out systems that have certain shell extension associations, including .py, .pcap, and .saz. In some cases, certain extension associations, including .doc, .mkv, .torrent, and .skype are required to trigger the next exploitation step."

Proofpoint further wrote that this vulnerability shows that "software vendors need to maintain comprehensive patching regimens, organizations and users must rethink patching prioritizations, and researchers need to look for new avenues to detect malicious activity."

According to Proofpoint, there is a growing trend among criminals to exploit non-critical bugs, knowing that companies won't prioritize them and that they may remain exposed for a very long time.

Serious iOS Vulnerability Discovered

Apple has released a critical security patch for iOS with 9.3.5 updates. Users are advised to update their iOS devices immediately.

The security update patches a zero-day vulnerability in iOS that was reportedly used by the UAE government to attack award-winning human rights activist Ahmed Mansoor.

According to reports, the UAE government was using a spyware tool called Pegasus to attack Mansoor. Pegasus is developed and sold by Israel-based cyber-arms dealer NSO Group. NSO Group is owned by a US private equity firm, Francisco Partners Management, and sells spyware to governments.

Mansoor grew suspicious when he received a text message about detainees being tortured in UAE, according to a Citizen Labs blog. The text included a link that was said to divulge secrets about the detainees. Instead of opening the link, Mansoor sent it to researchers at Citizen Lab, who connected it to the NSO Group.

Citizen Lab collaborated with LookOut Security to investigate the case and found a series of zero-day exploits in iOS. They discovered that clicking on those links would remotely jailbreak Mansoor's iPhone and install spyware on it. "Once infected, Mansoor's phone would have become a digital spy in his pocket, capable of employing his iPhone's camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements," researchers wrote in the blog.

Citizen Labs and LookOut security worked with Apple to fix the vulnerability.

"iOS vulnerabilities are expensive and can sell for over $1M," wrote security expert Bruce Schneier in his blog. Finding such vulnerabilities and patching them renders them useless. According to Schneier, "The more we can do this, the less valuable these zero-days will be to both criminals and governments – and to criminal governments."

More Than 80% of Android Devices at Risk of Attack

More than 80% of Android devices, or approximately 1.4 billion mobile devices, are vulnerable to a Linux exploit that allows bad actors to spy on users by intercepting unencrypted web traffic.

The root cause of this flaw is a serious vulnerability in the TCP specification that "allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection."

The TCP specification was strictly implemented in Linux since version 3.6 released in 2016. Google uses version 3.6 of the kernel in Android 4.4 KitKat. As a result, any Android device that's running version 4.4 KitKat or above is affected by this flaw.

Other operating systems, including iOS, MacOS X, and Windows have not yet implemented the specification, which leaves those OSs unaffected by the flaw.

The TCP vulnerability was revealed at the 25th USENIX Security Symposium. The researchers said, "Through extensive experiments, we show that the attack is fast and reliable. On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%." The researchers suggested changes to both the TCP specification and its implementation to remove the "root cause" of the problem.