Skype bug allows hackers to execute arbitrary code on victim's machine

Skype flaw opened backdoor

According to Zacharis Alexandros, an independent researcher, a bug in Skype was discovered in January, but it has only recently been brought to light following Microsoft's successful patch of the problem. He dubbed the bug Spyke.

In a blog post (at time of publication, the article on LinkedIn (also owned by Microsoft) appears to have disappeared – here is a cached page), Alexandros said the problem mainly affected the Windows version of the VoIP application and that, to mount an attack, a hacker would need local access to the login screen of a running Skype instance.

He said that the vulnerability exploits the fact that a Skype instance contains an embedded Internet Explorer browser used for authentication purposes. An attacker can circumvent the normal authentication process and abuse the "login via Facebook" function to fingerprint the internal browser (IE), execute code in the context of the Skype process, phish credentials, and cover communication traces.

“More advanced attacks can use valid exploits of Internet Explorer running inside Skype, to crash Skype and cause code execution of malicious code on the underlying operating system in an attempt to perform local privilege escalation attacks,” said Alexandros.

He added that any system using Skype Client 7.31.0.104 and older versions that allow Facebook Login as an option are vulnerable. “Systems that use Skype and are publicly reachable like info kiosks or smart TV appliances, are particularly more attractive than local private systems (PCs) in order to be used for phishing attacks,” he warned.

The researcher also uploaded a video showing a proof of concept where code can be taken from Facebook’s developer site from inside Skype and crash the app. A hacker could also replace the login with a fake one to phish for a victim’s credentials.

After Alexandros alerted Microsoft to the problem, the company released a patch to fix it on 24 March.

Oliver Pinson-Roxburgh, EMEA director at AlertLogic, told SC Magazine UK that the issue was bad, “because it allows you to get access to malicious tools”.

“Phish users do all sorts through the Facebook developer tools. If the attacker has access to a restricted terminal they can use this flaw to extend access by browsing to exploit kits or download tools,” he said.

“In addition, you could steal local credentials through phishing using this to trick the user. The other key thing is that a lot of this would look like just normal Skype activity.”

Matan Hart, security researcher at CyberArk Labs, told SC Magazine UK that in many ways, the “Spyke” attack vector has limited power.

“It requires the attacker to have already gained access to the victim’s system, and the attack surface is restricted to the context of the Skype app. However, if Skype is running under administrative credentials this could lead to an effective local privilege escalation. This means attackers could move laterally through the target network to get to a business’s highest value assets and cause irreparable damage,” he said.

Google Safe Browsing cracks down on repeat offenders

Google has adjusted its Safe Browsing policy in order to stop repeat offender websites from burning users and their machines with malware and phishing scams.

Google on Tuesday announced that it has revised its Safe Browsing policy and will now designate certain websites as repeat offenders if they are caught multiple times engaging in malicious activity such as malware distribution and phishing.

If a website earns this dubious distinction, Google Safe Browsing will flag it as unsafe, issuing a warning to any user that attempts to access the site via a web search. Webmasters will have to wait 30 days before they can request a website review to remove the designation.

The Safe Browsing service helps prevent potentially dangerous searches conducted via Google, the Chrome browser and other browsers that employ the Safe Browsing API. Until this recent change, Google’s policy was simply to remove warnings that a site was unsafe once the company could verify that malicious activity had ceased.

However, according to a corporate blog post written by Google Safe Browsing Team strategist Brooke Heinichen, a “small number” of flagged websites would stop their dubious activity just long enough for Google to remove its warnings, only to resume their malicious operations once again. Google’s adjusted policy is meant to curb such shady practices.

Google noted that when a site is branded a repeat offender, the webmaster will be notified of the decision via an email to his registered Search Console email address. It is through the Search Console that webmasters would normally be able to request a review.

“Browsers are one of the top infection vectors via drive-by download attacks and social engineering. Security filters play a critical role in thwarting many compromises at this particular layer,” said Jerome Segura, lead malware intelligence analyst at Malwarebytes, in an interview with SC Media. “With this revised policy, Google wants to send a clear message that it is not going to play cat-and-mouse with rogue webmasters that want to game the Safe Browsing API.”

“Despite Google saying only a small number of sites are involved in this kind of behavior, we can infer that it is a big enough issue in that it affects Google Safe Browsing’s reputation,” Segura continued.

Google asserted in its blog that websites that are hacked to distribute malware or perform other malicious acts will not be penalized as a repeat offender.

SC Media has reached out to Google for additional comment.