Psst: Here’s Uber’s most vulnerable code just waiting to be hacked

Company’s just-unveiled bug bounty program aims to outdo industry norms.

Over the past decade, there's been an explosion of bug bounty programs that pay hackers big cash rewards for finding vulnerabilities in applications and Web services. On Tuesday, ride-hailing service Uber became the latest company to embrace the trend with the unveiling of its own program.

In most respects, the program is similar to those offered by Google, Facebook, and so many other companies. It pays as much as $10,000 for the most critical vulnerabilities and provides a public forum to acknowledge the smarts of researchers who privately report bugs that no one inside the company was able to identify. Still, there are a few features that its designers say make it stand out from what's been done so far.

For instance, the Uber bounty program comes with a technical treasure map of sorts that's intended to help researchers find high-severity bugs quickly. The treasure map included with Tuesday's announcement enumerates some of the company's most security-sensitive subdomains, along with a brief description of types of assets that are at stake and the types of vulnerabilities that might threaten them. A description of partners.uber.com, for instance, describes it as the place driver partners visit to access private driver documents, payment statements, tax information, and other highly sensitive data.

Crypto vulnerability lets attackers decrypt iMessage photo, article warns

Bug can be exploited when iCloud photo is sent over iMessage, Washington Post reports.

Apple's widely used iMessage communications platform contains a currently unpatched flaw that allowed attackers to decrypt a photo stored on the company's iCloud backup system, according to an article published by The Washington Post.

The vulnerability was discovered by a team of researchers from Johns Hopkins University. According to the Post, the researchers were able to exploit the bug by mimicking an Apple server and then painstakingly chipping away at the encryption protecting the photo, which was sent as a link over iMessage. They eventually were able to obtain the encryption key used to protect the photo by guessing each of its underlying 64 digits in what's known as a brute-force attack.

The vulnerability came to light as the FBI is trying to force Apple to write software that defeats security features built into an iPhone used by one of the San Bernardino shooters. Apple, joined by many security and privacy advocates, has bitterly opposed the move and warned such action can ultimately diminish the security of smartphones everywhere. This iMessage flaw is probably of little benefit to the FBI in pulling data from the iPhone of San Bernardino shooter Syed Rizwan Farook, who along with his wife took part in a shooting rampage that killed 14 people. Still, the bug underscores what security people have long known—cryptography is excruciatingly hard to get right, and common bugs often leave an opening for law enforcement agents and criminal hackers.

275 million Android phones imperiled by new code-execution exploit

Unpatched “Stagefright” vulnerability gives attackers a road map to hijack phones.

Almost 300 million phones running Google's Android operating system are vulnerable to a newly developed drive-by attack that can install malware and take control of key operations, a security firm has warned.

A proof-of-concept exploit dubbed Metaphor works against Android versions 2.2 through 4.0 and 5.0 and 5.1, which together are estimated to run 275 million phones, researchers from Israeli security firm NorthBit said. It attacks the same Stagefright media library that made an estimated 950 million Android phones susceptible to similar code-execution attacks last year. The following video demonstrates how a malicious attacker might use a Metaphor-style attack to take control of a phone after luring an unsuspecting end user to a booby-trapped website.

Metaphor - Stagefright Exploitation Breaking ASLR.

The NorthBit-developed attack exploits a Stagefright vulnerability discovered and disclosed last year by Zimperium, the security firm that first demonstrated the severe weaknesses in the code library. For reasons that aren't yet clear, Google didn't fix the vulnerability in some versions, even though the company eventually issued a patch for a different bug that had made the Zimperium exploits possible. While the newer attack is in many ways a rehash of the Zimperium work, it's able to exploit an information leak vulnerability in a novel way that makes code execution much more reliable in newer Android releases. Starting with version 4.1, Android was fortified with an anti-exploitation defense known as address space layout randomization, which loads downloaded code into unpredictable memory regions to make it harder for attackers to execute malicious payloads. The breakthrough of Metaphor is its improved ability to bypass it.

Once thought safe, DDR4 memory shown to be vulnerable to “Rowhammer”

New research finds “bitflipping” attacks may pose more risk than many admit.

Researchers were able to reproduce bit-flipping attacks on Crucial Ballistix DDR4 DIMMs like those shown here.

Physical weaknesses in memory chips that make computers and servers susceptible to hack attacks dubbed "Rowhammer" are more exploitable than previously thought and extend to DDR4 modules, not just DDR3, according to a recently published research paper.

The paper, titled How Rowhammer Could Be Used to Exploit Weaknesses in Computer Hardware, arrived at that conclusion by testing the integrity of dual in-line memory modules, or DIMMs, using diagnostic techniques that hadn't previously been applied to finding the vulnerability. The tests showed many of the DIMMs were vulnerable to a phenomenon known as "bitflipping," in which 0s were converted to 1s and vice versa. The report was published by Third I/O, an Austin, Texas-based provider of high-speed bandwidth and supercomputing technologies. The findings were presented over the weekend at the Semicon China conference.

"Based on the analysis by Third I/O, we believe that this problem is significantly worse than what is being reported," the paper warned. "And it is still visible on some DDR4 memory modules."

To bypass code-signing checks, malware gang steals lots of certificates

Legitimate code-signing certificates provide secret cover for attack groups.

By default, Mac OS X allows applications to run only if they are signed with a valid certificate.

There are lots of ways to ensure the success of an advanced hacking operation. For a gang called Suckfly, one of the keys is having plenty of stolen code-signing certificates on hand to give its custom malware the appearance of legitimacy.

Since 2014, the group has used no fewer than nine separate signing certificates from nine separate companies to digitally sign its hacking wares, according to a blog post published Tuesday by security firm Symantec. Company researchers first came upon the group last year when they identified a brute-force server message-block scanner that was signed with a certificate belonging to a South Korean mobile software developer. When the researchers searched for other executable files that used the same credential, they eventually uncovered three more custom tools from the same group of black-hat hackers.

After tracing the hacking group's traffic to IP addresses in Chengdu, China, Symantec researchers ultimately identified a much larger collection of custom-developed backdoors and hacking tools that were signed by nine different certificates from nine different companies. Curiously, all nine of the compromised companies are located within a few miles of each other in Seoul. While the physical proximity is suspicious, the researchers ultimately speculated it was coincidental, and that the certificate theft was most likely the result of the owners being infected with malware that had the ability to search for and extract signing certificates.

Big-name sites hit by rash of malicious ads spreading crypto ransomware [Updated]

New malvertising campaign may have exposed tens of thousands in the past 24 hours.

If you're a gamer (or anyone else), this is not a screen you want to see. (credit: Bromium Labs)

Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

According to a separate blog post from Trustwave's SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.

John Oliver explains why iPhone encryption debate is no joking matter

Comedian dissects FBI technical and legal fallacies without lionizing Apple.

The FBI's legal showdown with Apple over iPhone security has spilled into just about every facet of popular culture, from endless news coverage to Congressional hearings and even to comments from President Obama. On Sunday, it got treatment from comedian John Oliver, whose weekly HBO series Last Week Tonight does a better job than most news shows covering the important news stories of the day.

In an 18-minute segment, Oliver brought the stakes of the fight front and center and explained in some of the most concrete terms yet why—contrary to the repeated claims of the Obama administration—the outcome concerns the security of mobile data everywhere. Not only that, but Oliver kept the whole thing highly entertaining while steering clear of lionizing Apple.

Last Week Tonight with John Oliver: Encryption (HBO)

Think of the government as your dad

Putting to rest the FBI's highly flawed analysis that the debate is about the security of a single iPhone belonging to slain San Bernardino shooter Syed Rizwan Farook, Oliver reminded his audience that law enforcement officers have a whole battery of other seized iPhones they also want unlocked. Compelling Apple engineers to develop a special version of iOS that bypasses safety features built into Farook's phone, then, is only the beginning. Or as Oliver put it:

Botched Java patch leaves millions vulnerable to 30-month-old attack

Oracle said the flaw was fixed. Newly released exploit code shows otherwise.

A botched security fix released for the Java software framework 30 months ago has left millions of users vulnerable to attacks that Oracle had claimed were no longer possible, a security researcher said.

The bypass code, which was released Thursday by Polish security firm Security Explorations, contains only minor changes to the original proof-of-concept, according to an e-mail posted to the Full Disclosure security list. Security Explorations released the original exploit in October 2013 following the release of a patch from Oracle. Thursday's bypass changes only four characters from the 2013 code and uses a custom server to work. The bypass means that millions of Java users have remained vulnerable to the flaw, categorized as CVE-2013-5838, despite assurances from Oracle that the attacks were no longer possible.

"We implemented a Proof of Concept code that illustrates the impact of the broken fix described above," Security Explorations researchers wrote in a report. "It has been successfully tested in the environment of Java SE Update 97, Java SE 8 Update 74, and Java SE 9 Early Access Build 108. In all cases, a complete Java security sandbox escape could be achieved."

Adobe issues emergency patch for actively exploited code-execution bug

Critical bug was used to take control of vulnerable computers.

Adobe has issued an emergency update for its Flash media player that patches almost two dozen critical vulnerabilities, including one that's being maliciously exploited in the wild.

"These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe officials wrote in an advisory published Thursday. "Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks." The notice advises Flash users to install the update as soon as possible.

CVE-2016-1010 is the common vulnerabilities and exposures designation for an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers. Adobe credited Anton Ivanov of Kaspersky Lab with discovering the zero-day vulnerability but provided no additional details. In an e-mail, a Kaspersky representative wrote:

It’s 2016, so why is the world still falling for Office macro malware?

As hackers have long known, there’s no patch for human gullibility.

In the late 1990s, Microsoft Office macros were a favorite vehicle for surreptitiously installing malware on the computers of unsuspecting targets. Microsoft eventually disabled the automated scripts by default, a setting that forced attackers to look for new infection methods. Remotely exploiting security bugs in Internet Explorer, Adobe Flash, and other widely used software soon came into favor.

Over the past two years, Office macros have made a dramatic comeback that has reached almost a fever pitch in the past few months. Booby-trapped Excel macros, for instance, were one of the means by which Ukrainian power authorities were infected in the weeks or months leading up to December's hacker-caused outage that affected 225,000 people. "Locky," a particularly aggressive strain of crypto ransomware that appeared out of nowhere two weeks ago, also relies on Word macros. The return of macro-delivered malware seemed to begin in late 2014 with the advent of a then-new banking trojan called Dridex.

The return of the macro may have been a reaction to security improvements that Adobe, Microsoft, and Oracle have made to their software. Not only were the companies patching dangerous bugs more quickly, but in many cases, they fortified their code with defenses that caused exploits to simply crash the application rather than force it to execute malicious code. Streamlined update mechanisms and greater end user awareness about the importance of installing security patches right away may also have caused code-execution exploits to fall out of favor.