Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly


A security researcher today publicly disclosed details and proof-of-concept exploits for two ‘unpatched’ zero-day vulnerabilities in Microsoft’s web browsers after the company allegedly failed to respond to his responsible private disclosure.

Both unpatched vulnerabilities, one affecting the latest version of Microsoft Internet Explorer and the other the latest Edge browser, allow a remote attacker to bypass the same-origin policy in the victim’s web browser.

Same Origin Policy (SOP) is a security boundary implemented in every modern browser that restricts how a web page or script loaded from one origin can interact with resources from another origin, preventing unrelated sites from interfering with each other.

In other words, a script running on one website may read responses only from its own origin (scheme, host and port); it can still send requests elsewhere, but it cannot read what comes back, so it cannot pull your data from other sites you are logged in to.

However, the vulnerabilities discovered by 20-year-old security researcher James Lee, who shared the details with The Hacker News, could allow a malicious website to perform universal cross-site scripting (UXSS) attacks against any domain visited using the vulnerable Microsoft browsers.

To exploit either vulnerability, all an attacker needs to do is convince a victim to open a malicious website; the page can then read data belonging to other sites the victim has visited in the same browser, such as login sessions and cookies.

“The issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection,” Lee told The Hacker News in an email.
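The check a practitioner would run to see whether a given browser shows the behaviour Lee describes, written for this page as an added example (it is not Lee’s PoC and not code from the article). Per the Resource Timing specification, a PerformanceResourceTiming entry’s name is the URL the page requested and must not change when the fetch was redirected, and the redirect timestamps are zeroed for cross-origin redirects unless the server opts in with a Timing-Allow-Origin header. A browser that records the post-redirect URL instead hands the page a cross-origin URL it should never see, and that is where the damage lies: redirect targets routinely carry bearer secrets in query strings or fragments (OAuth authorization codes, one-time login links), so the leak is a same-origin information disclosure even without any script execution in the other origin. The hostnames, parameter names, policy list and entry objects below are constructed for the example.

```javascript
// Added example for this page: a browser-side check for the Resource Timing
// redirect leak described above. Not the researcher's PoC and not the
// article's code. Hostnames, parameters and entry objects are constructed.

// Query/fragment parameter names that commonly carry bearer secrets in
// redirect URLs. Illustrative list, not exhaustive (assumption).
const SENSITIVE_PARAMS = ['code', 'token', 'access_token', 'id_token', 'state', 'session'];

// Return the names of sensitive parameters present in a URL's query string
// or fragment (OAuth implicit flows put tokens in the fragment).
function extractSensitiveParams(url) {
  const u = new URL(url);
  const fragment = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  const fragmentParams = new URLSearchParams(fragment);
  return SENSITIVE_PARAMS.filter((p) => u.searchParams.has(p) || fragmentParams.has(p));
}

// Compare the Resource Timing entries produced by one probe request against
// the URL the page actually asked for. `entries` has the shape of
// performance.getEntriesByType('resource'): objects with a `name` URL.
// Per spec every entry's name must equal the requested URL even after a
// redirect, so any other name is a leaked URL.
function findRedirectLeaks(requestedUrl, entries) {
  const requested = new URL(requestedUrl);
  const leaks = [];
  for (const entry of entries) {
    let actual;
    try {
      actual = new URL(entry.name);
    } catch {
      continue; // not a URL; ignore malformed entries
    }
    if (actual.href === requested.href) continue; // compliant behaviour
    leaks.push({
      requestedUrl: requested.href,
      leakedUrl: actual.href,
      crossOrigin: actual.origin !== requested.origin,
      sensitiveParams: extractSensitiveParams(actual.href),
    });
  }
  return leaks;
}

// Browser-only driver: record which entries the probe adds, then evaluate
// them. mode 'no-cors' lets the browser follow the redirect without the page
// needing read access to the response; credentials 'include' models the
// victim being logged in to the target site.
async function probeBrowser(requestedUrl) {
  const before = performance.getEntriesByType('resource').length;
  await fetch(requestedUrl, { mode: 'no-cors', credentials: 'include' }).catch(() => {});
  const added = performance.getEntriesByType('resource').slice(before);
  return findRedirectLeaks(requestedUrl, added);
}

// Constructed sample: the page requests an identity-provider URL that 302s
// to a relying party's callback carrying an authorization code.
const PROBE_URL = 'https://idp.example/authorize?client_id=abc';

// What a spec-compliant browser records: the requested URL, timings zeroed.
const COMPLIANT_ENTRY = { entryType: 'resource', name: PROBE_URL, redirectStart: 0, redirectEnd: 0 };

// Model of the leaking behaviour: the entry exposes the post-redirect URL.
const LEAKY_ENTRY = {
  entryType: 'resource',
  name: 'https://app.example/cb?code=EXAMPLE_CODE&state=xyz',
  redirectStart: 0,
  redirectEnd: 0,
};

function demo() {
  return {
    compliant: findRedirectLeaks(PROBE_URL, [COMPLIANT_ENTRY]), // []
    leaky: findRedirectLeaks(PROBE_URL, [LEAKY_ENTRY]),         // one cross-origin leak carrying code and state
  };
}
```

In a browser, probeBrowser(url) snapshots performance.getEntriesByType('resource') before and after a no-cors fetch of a URL known to redirect cross-origin and passes only the new entries to findRedirectLeaks; a compliant browser yields an empty list. No response header can repair a browser that ignores the rule, so the only server-side mitigation is to keep secrets out of redirect URLs where the protocol allows it (short-lived single-use codes, POST-based response modes) and to bind them to the session that requested them.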

The researcher says he reported both findings to Microsoft privately ten months ago, but the company has not responded to the disclosure to date, and both flaws remain unpatched.

Lee has now released proof-of-concept (PoC) exploits for both issues.

The Hacker News has independently tested and confirmed both the zero-day vulnerabilities against the latest version of Internet Explorer and Edge running on a fully-patched Windows 10 operating system.

The newly-disclosed vulnerabilities are similar to the ones Microsoft patched last year in its Internet Explorer (CVE-2018-8351) and Edge browsers (CVE-2018-8545).

With the details and PoC exploits for both zero-days now public, attackers are unlikely to wait long before using them against Microsoft browser users.

Until Microsoft ships a fix there is no setting that mitigates the issue; the practical workaround is to browse with a browser that is not affected, such as Chrome or Firefox.

Hackers Steal $19 Million From Bithumb Cryptocurrency Exchange


Bithumb, the popular South Korea-based cryptocurrency exchange, admitted today that hackers stole nearly $19 million worth of cryptocurrency from it yesterday.

According to Primitive Ventures’ Dovey Wan, who first broke the news on social media, the attackers compromised several of Bithumb’s hot EOS and XRP wallets and transferred around 3 million EOS (~$13 million) and 20 million XRP (~$6 million) to newly created accounts under their control.

The attacker then spread the stolen assets across accounts on other cryptocurrency exchanges, including Huobi, HitBTC, WB and EXmo, routing them through ChangeNow, a non-custodial crypto swap platform that requires neither KYC nor an account.

Bithumb has been hacked multiple times before. It was previously breached in June 2018, when hackers stole $31 million, and in July 2017, when hackers stole $1 million worth of EOS from many wallets belonging to its users.

“And this is the second time Bithumb saw a MAJOR hack, last time it was hacked with a loss over $30m.. lol and after the first hack it was STILL able to get the fiat license from Korea and WTF??” Wan says on Twitter.


It has been reported that the private key for Bithumb’s EOS hot wallet account (g4ydomrxhege) was stolen, which allowed the attacker to sign transfers from it to the attacker’s own account, ifguz3chmamg.
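The control a practitioner would want in place for exactly this failure, written for this page as an added example (it is not Bithumb’s code and nothing here describes Bithumb’s actual systems). A stolen signing key lets the attacker sign any transfer the chain will accept, so the remaining defence is operational: keep most funds in cold storage, cap what a hot wallet may send per transfer and per time window, flag outflows to destinations outside an allowlist, and halt withdrawals automatically when a cap trips. The policy thresholds, the allowlisted cold-storage account and the ledger rows below are constructed; only the two EOS account names come from the article.

```javascript
// Added example for this page: hot-wallet outflow monitoring of the kind that
// limits losses when a hot wallet's private key is stolen. Not Bithumb's
// code. Thresholds, the allowlist and the ledger rows are constructed; the
// two EOS account names are the ones the article reports.

const HOT_WALLET = 'g4ydomrxhege'; // Bithumb's EOS hot wallet, per the article
const ATTACKER = 'ifguz3chmamg';   // destination account named in the article

// Constructed allowlist: the exchange's own cold-storage account. A hot
// wallet sending anywhere else is, by policy, unusual.
const KNOWN_DESTINATIONS = new Set(['coldstore111']);

// Constructed policy: per-transfer cap and a rolling-window cap, in EOS.
const POLICY = {
  perTransferMax: 100000,
  windowMs: 10 * 60 * 1000,
  windowMax: 500000,
};

// Evaluate a ledger of transfers {ts (ms), from, to, amount} sorted by ts.
// Returns one alert per hot-wallet transfer that violates policy, with the
// reasons, so the caller can decide how to react.
function evaluateTransfers(transfers, policy = POLICY) {
  const alerts = [];
  const recent = [];    // hot-wallet transfers inside the rolling window
  let windowTotal = 0;
  for (const t of transfers) {
    if (t.from !== HOT_WALLET) continue;
    // Slide the window: drop transfers older than windowMs relative to this one.
    while (recent.length && t.ts - recent[0].ts > policy.windowMs) {
      windowTotal -= recent.shift().amount;
    }
    recent.push(t);
    windowTotal += t.amount;

    const reasons = [];
    if (!KNOWN_DESTINATIONS.has(t.to)) reasons.push('unknown-destination');
    if (t.amount > policy.perTransferMax) reasons.push('per-transfer-cap');
    if (windowTotal > policy.windowMax) reasons.push('window-cap');
    if (reasons.length) alerts.push({ ts: t.ts, to: t.to, amount: t.amount, reasons });
  }
  return alerts;
}

// A cap violation halts withdrawals automatically; an unknown destination on
// its own is routed to a human for review (constructed policy choice).
function shouldHaltWithdrawals(alerts) {
  return alerts.some((a) => a.reasons.some((r) => r.endsWith('-cap')));
}

// Constructed ledger: a routine sweep to cold storage, then an attacker
// draining the hot wallet with the stolen key within a few minutes.
const SAMPLE_LEDGER = [
  { ts: 0,              from: HOT_WALLET, to: 'coldstore111', amount: 50000 },
  { ts: 60 * 1000,      from: HOT_WALLET, to: ATTACKER,       amount: 80000 },
  { ts: 120 * 1000,     from: HOT_WALLET, to: ATTACKER,       amount: 400000 },
  { ts: 20 * 60 * 1000, from: HOT_WALLET, to: 'coldstore111', amount: 50000 },
];

function demo(ledger = SAMPLE_LEDGER) {
  const alerts = evaluateTransfers(ledger);
  return { alerts, halt: shouldHaltWithdrawals(alerts) }; // two alerts, halt === true
}
```

The second attacker transfer trips all three rules at once, which is the point: by the time a single transfer exceeds the per-transfer cap, the window cap has already accumulated enough to justify freezing withdrawals without waiting for a human, whereas the first transfer to an unknown account only raises a review ticket. Tune the caps to the hot wallet’s real daily float; a cap set above what the wallet could ever legitimately send detects nothing.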

An image shared by Changpeng Zhao, CEO of the Binance cryptocurrency exchange, shows how the attacker distributed the funds after stealing them from Bithumb.

Here’s how the hacker distributed and transferred the stolen funds to his accounts on different exchanges:

  • EXMO: 662,600
  • Huobi: 263,605
  • Changelly: 143,511
  • KuCoin: 96,270
  • CoinSwitch: 38,725

According to a blog post published by the company today, Bithumb is still investigating the hack, which it believes was carried out with the help of an insider, and has reported the incident to the Korea Internet and Security Agency (KISA) and the cyber police.

“We deeply apologize to our members for delaying the cryptocurrency deposit and withdrawal service,” Bithumb said.

“As a result of the inspection, it is judged that the incident is an accident involving insiders because the external intrusion path has not been revealed until now. Based on the facts, we are conducting intensive investigations with KISA, Cyber Police Agency and security companies.”

Meanwhile, Bithumb said it is working with major cryptocurrency exchanges and foundations in the hope of recovering the equivalent of the lost cryptocurrency.

Last year when the exchange was hacked and lost $30 million in EOS, it managed to recover half of the stolen funds.

Would Bithumb be able to do the same this time?

Sushma Swaraj intervenes as Indian couple gets stabbed in Germany

New Delhi: External Affairs Minister Sushma Swaraj has extended help to the family of the couple that was stabbed in Munich.

Prashant and Smita Basarur were allegedly stabbed in Munich by an immigrant. Stating that Prashant was killed in the incident and Smita is stable, Swaraj tweeted that the Government of India is facilitating the travel of Prashant’s brother to Germany.


“Indian couple Prashant and Smita Basarur were stabbed by an immigrant near Munich. Unfortunately, Prashant has expired. Smita is stable. We are facilitating the travel of Prashant’s brother to Germany. My heartfelt condolences to the bereaved family. I appreciate the good work by @cgmunich.  I have asked our mission to take care of their two children,” Swaraj tweeted.


Pilot flying Emiliano Sala wasn’t qualified to fly at night: Report

London: The pilot of a small plane that plunged into the English Channel with newly-signed Premier League striker Emiliano Sala on board was not authorised to fly at night, the BBC reported on Saturday.

The report said the pilot, David Ibbotson, was colour blind, which would have automatically disqualified him from night flights.


Contacted by news agency AFP, Britain’s Civil Aviation Authority did not confirm the report, saying only that an investigation was still under way.

The Air Accident Investigations Branch (AAIB) said: “Licensing continues to be a focus of the AAIB’s safety investigation, but matters of legality are an issue for the regulator.”

The AAIB last month said the plane carrying Sala was not authorised to make commercial flights.

But the investigators pointed out that Ibbotson had in the past transported people on a cost-share basis, which the regulations allow for small planes.

Sala was on his way in the late evening from his old club Nantes in France to his new home at Cardiff City.

His body was recovered from the submerged wreckage of the plane. Ibbotson’s body has never been found.

Brexit: One last vote or it’s general polls

London: Theresa May hopes to bring her Brexit deal back to parliament again next week after it was rejected for a third time by MPs – and appears poised to trigger a general election if parliament fails to agree a way forward.

Despite the embattled prime minister’s dramatic promise on Wednesday that she would hand over the keys to 10 Downing Street if her Tory colleagues backed the withdrawal agreement, parliament voted against it on Friday, by 344 to 286.


The Commons vote was held on the day when Britain was meant to be leaving the EU, as Parliament Square outside overflowed with raucous pro-Brexit protesters.

A string of leave-supporting Conservative backbenchers who had twice rejected the deal, including Boris Johnson, Jacob Rees-Mogg and former Brexit secretary Dominic Raab, switched sides to support the agreement. But with Labour unwilling to shift its position, and the Democratic Unionist party’s 10 MPs implacably opposed, it was not enough to secure a majority for May.

The result was a sense of stunned disbelief in Westminster. Asked what could happen next, one government source said: “Last one out, turn off the lights.” Immediately after the defeat was announced, May told MPs: “The implications of the house’s decision are grave. The legal default now is that the UK is due to leave the EU on 12 April. In just 14 days’ time.”

Under the deal agreed with the EU in Brussels, if May had passed her withdrawal agreement this week, Brexit would have been delayed until 22 May. Now, she will have to return to Brussels for an emergency European council summit on 10 April.

The EU27 expect her to ask for a longer delay – requiring Britain to participate in European elections in May – or accept a no-deal Brexit two days later. However, her aides hope the 22 May date could still be in play if her deal is accepted next week.

May did not spell out explicitly what she planned to do next, saying only that she would press ahead with an “orderly Brexit”. However, it became increasingly clear after the vote that Downing Street does not believe the deal is dead.

The prime minister pointed to MPs’ plans to hold a second round of indicative votes on Monday, “to see if there is a stable majority for a particular alternative version of our future relationship with the EU”.

But she told MPs: “I fear we are reaching the limits of this process in this house.” Many regarded that as a warning that if they supported an option she was not prepared to implement, or failed to reach agreement on an alternative, she was ready to call a general election.

United States is ‘tracking A-SAT debris’

Washington: The US is tracking 250-270 pieces of debris in space generated by India’s anti-satellite (ASAT) missile test in low earth orbit, but the International Space Station (ISS) is not at risk, the Pentagon said on Friday.

US Strategic Command’s Joint Force Space Component Command (JFSCC) said 250 pieces of debris associated with an Indian ASAT launch that occurred on Wednesday are being actively tracked.


“Debris from the event is being actively monitored by the JFSCC, and conjunction notifications are being issued to satellite owners/operators in accordance with standard notification processes through the Department of Defense’s public space situational awareness sharing website www.space-track.org,” it said.

The JFSCC said it will continue to actively track debris associated with the event and issue close approach notifications as required until the debris enters the earth’s atmosphere.

US Air Force Space Command Commander Lt Gen David D. Thompson told lawmakers during a Congressional hearing on Thursday that the JFSCC and the Air Force’s 18th Space Control Squadron are currently “tracking about 270 different objects in the debris” field.

Responding to questions from members of the Senate Armed Services Subcommittee on Strategic Forces, he said the number is going to grow as the debris field spreads out and the US collects more sensor information.

6 years imprisonment to Indian priest for child sex abuse in US

New York: An Indian former Roman Catholic priest has been sentenced to six years in prison for sexually abusing a teenage girl in the US, according to a media report.

John Praveen, 38, pleaded guilty in February to sexually touching a 13-year-old girl over her clothes last year in a church in Rapid City, South Dakota, the Rapid City Journal newspaper reported.


Judge Steven Mandel handed down the sentence on Friday after prosecutors asked for the maximum of one year in prison. Mandel said that was “not adequate” for Praveen’s crime, the report said.

He sentenced Praveen to six years in prison, minus 178 days of time served, and said he would be eligible for parole after three years.

The sentencing came after Praveen pleaded guilty to one count of having sexual contact with a child under the age of 16, a crime that carries a maximum 15-year punishment, the report said.

Mandel said if Praveen is granted parole, the parole board could ask Homeland Security to immediately deport him to Hyderabad or have him first serve parole in any state, the report added.

Praveen had joined the Rapid City Diocese for a 10-year assignment in December 2017. He apologised and told the court he wishes he could take back what he did. “I send my sincere apologies to the family and the victim about what I have done,” Praveen said through tears in court on Friday.

He said he knows saying sorry isn’t enough, and promised never to hurt anyone again.

In an emailed statement, Rapid City Bishop Robert Gruss apologised to the victim and her family on behalf of the Diocese of Rapid City, calling Praveen’s actions “sinful,” traumatic and a betrayal.

“I am deeply sorry that they had to experience these sinful actions at the hands of a priest,” Gruss said. “The pain and suffering of this family have been great. Only those who have been victims of abuse of any kind can understand the trauma. The experience of betrayal is great. Crimes of sexual abuse can never be tolerated, most especially among priests.”

Joe Biden accused of inappropriately kissing former US lawmaker

Washington: Joe Biden, who is leading polls for the Democratic presidential nomination, on Friday faced a misconduct accusation by a Nevada ex-lawmaker claiming the then-vice president inappropriately kissed her before a campaign event.

Lucy Flores, the state’s Democratic nominee for lieutenant governor in 2014, said she was beside the stage awaiting her turn to address a rally when Biden put his hands on her shoulders from behind, then leaned in and smelled her hair.


“I was mortified,” Flores, 39, recounted in New York magazine.

“He proceeded to plant a big slow kiss on the back of my head,” she added.

“My brain couldn’t process what was happening. I was embarrassed. I was shocked. I was confused,” and “I wanted nothing more than to get Biden away from me.”

It was unclear just how the accusation might impact Biden’s decision to officially enter the race. Those close to the Democrat have reportedly said Biden, 76, could announce his plans in April.

Biden’s spokesman Bill Russo said on Friday that Biden was “pleased” to support Flores’s candidacy, but does not recall the incident.

“Neither then, nor in the years since, did he or the staff with him at the time have an inkling that Ms Flores had been at any time uncomfortable, nor do they recall what she describes,” Russo said in a statement.

He added that Biden “believes that Ms Flores has every right to share her own recollections and reflections, and that it is a change for better in our society that she has the opportunity to do so.”

Biden’s overly familiar approach with women has been a subject of discussion for years.

He has had a reputation for awkwardly touching the wives, mothers or daughters of senators during swearing-in ceremonies, and he came under criticism for massaging the shoulders of new defense secretary Ash Carter’s wife in 2015.

Biden’s behavior is receiving renewed attention in the #MeToo era, when the movement against sexual assault has led to the downfall of dozens of politicians, entertainment figures and businessmen.

At a Democratic Party dinner in Delaware this month, he acknowledged how his physical style has raised questions.

“I’m a tactile politician, always have been. That’s what gets me in trouble as well,” Biden said.

Flores wrote that the celebrated Democrat ignores the “power imbalance” that exists between Biden and the women he touches.

“Even if his behavior wasn’t violent or sexual, it was demeaning and disrespectful,” she added.

Facebook to monitor who can make live videos, after NZ attack

Silicon Valley: Facebook Inc Chief Operating Officer Sheryl Sandberg said on Friday the company was looking to place restrictions on who can go live on its platform based on certain criteria in the aftermath of the Christchurch massacre.

The company will monitor who can go “Live” on Facebook depending on factors such as prior community standard violations, Sandberg said in a blog post.


A lone gunman killed 50 people at two mosques in New Zealand on March 15, while livestreaming the massacre.

Facebook has identified more than 900 different videos showing portions of the 17 minutes of carnage and has used its existing artificial intelligence tools to identify and remove hate groups in Australia and New Zealand, the blog said.

Last week, the social networking giant said it removed 1.5 million videos globally that had footage of the New Zealand mosque attack in the first 24 hours after the attack.

Earlier this week, one of the main groups representing Muslims in France said it was suing Facebook and YouTube, accusing them of inciting violence by allowing the streaming of the video.

Facebook, the world’s largest social network with 2.7 billion users, has faced growing discontent over its approach to privacy and user data amid increasing concerns over its advertising practices.