D-Link is in the process of developing a patch for a serious security vulnerability in some of its older routers that essentially functions as a backdoor. The bug, discovered by a security researcher and publicized over the weekend, enables a remote user to log into an affected router as an administrator and take whatever actions he pleases.
The vulnerability is about as serious as they come, especially considering that the routers affected by it are consumer-grade devices that likely are plugged in and then left alone for years at a time. The security researcher who discovered the flaw, Craig Heffner, was reverse engineering a version of the D-Link firmware and came across an interesting string in the code. After looking at the code for a while and researching what it could possibly be doing, he discovered that if an attacker had his user agent set to a certain string, he could log into the router’s admin panel and make any number of changes.
“In other words, if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings,” Heffner wrote in a blog post about the bug.
Why the backdoor is present in the routers is a major question. Hardware manufacturers in the past, when confronted with similar questions, have said that they sometimes include such functionality for remote support or as a debugging mechanism during the development process and then mistakenly forgot to remove it. Heffner said that another researcher, Travis Goodspeed, suggested a possible reason for the presence of the D-Link backdoor.
“The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner said.
The affected D-Link routers are:
The company reportedly is working on a firmware patch for the vulnerability that will be available by the end of the month. D-Link manufactures a wide variety of wireless routers for home and small office environments. Until a new version of the firmware is available, security experts recommend that users with affected models ensure that their wireless networks have WPA2 enabled and use random passwords.
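As an added defender-side example, not from Heffner’s post or D-Link’s firmware: a small scanner that flags HTTP requests carrying the backdoor user-agent string quoted above. It assumes combined-format access logs from a proxy or IDS placed in front of the router; the log lines, addresses and paths below are constructed samples.

```python
import re
from typing import Dict, Iterable, List, Optional

# Backdoor user agent quoted in Heffner's post. (The part after "xmlset_" is
# "edit by 04882 joel backdoor" written backwards.)
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_backdoor_request(entry: Dict[str, str]) -> bool:
    """Flag the exact backdoor string, and also a case-insensitive substring
    match so that log normalisation or a padded UA does not hide it."""
    ua = entry.get("ua", "")
    return BACKDOOR_UA in ua.lower()


def find_backdoor_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed entries whose user agent carries the backdoor string."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry and is_backdoor_request(entry):
            hits.append(entry)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source IP for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Oct/2013:09:12:01 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/24.0"',
    '198.51.100.7 - - [13/Oct/2013:09:12:05 +0000] "GET /admin.htm HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.5 - - [13/Oct/2013:09:12:09 +0000] "GET /login.htm HTTP/1.1" 401 128 "-" "curl/7.32.0"',
    '198.51.100.7 - - [13/Oct/2013:09:12:11 +0000] "POST /admin.htm HTTP/1.1" 200 64 "-" "xmlset_roodkcableoj28840ybtide"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = find_backdoor_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> backdoor UA')
    print(summarize(hits))
```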
Faced with the untenable decision of becoming what he called a “listening post” for the FBI, Lavabit founder Ladar Levison said he had an ethical obligation to his customers and the community to shut down the secure email service used by NSA whistleblower Edward Snowden.
Levison, who this week filed an appeal of the court order demanding the SSL keys that would unlock all the traffic coming in and out of his company’s network, gave a wide-ranging interview with CBC Radio’s The Current program. He told the Canadian show that his company’s fate was sealed the day the FBI showed up on his doorstep looking for help because if he had turned over the keys in secret to the federal authorities and was found out, Lavabit’s customers would have fled.
Levison said he believes there are three things that should be held sacred and above all else remain confidential: system passwords, encryption keys and source code.
“They were demanding those encryption keys. They were demanding the password to my business’ identity and once they had it, they could masquerade as my business and intercept everything coming in and out of my network: passwords, credit card numbers, user names, email content, instant messages, all of that was secured by this set of encryption keys,” Levison said.
Levison said the FBI wanted to monitor all of his customers’ movements, not just Snowden’s, whose name has been redacted from court documents as the FBI’s target. The comment merits note because this week during a Cato Institute daylong program on NSA surveillance, ACLU principal technologist Chris Soghoian said companies such as Lavabit, secure messaging provider Silent Circle and secure backup specialists SpiderOak, are differentiated by the privacy and security features in their products.
“The U.S. is a leader in small businesses providing secure communications services,” Soghoian said during a panel discussion. “When the U.S. government compels a Lavabit to comply, it’s a death sentence. Comply, and your reputation is destroyed. Secure communication services are under threat. We should want this part of the economy to grow.”
Levison reiterated during the CBC interview that he did not want to subvert the trust his company had built with its users by turning over the keys in secret and being forced by law to keep quiet about it, even though he believed the FBI was exceeding its statutory authority in demanding Lavabit’s SSL keys.
“I’ve had people tell me that the government describes it as a gap in their surveillance network,” he said of secure messaging providers such as Lavabit. The government even described its frustration with the Tor anonymity network in Snowden documents, in particular an NSA presentation called “Tor Stinks,” released by the Guardian last week. “You’re one of the few services left in the U.S. they are not actively monitoring,” Levison said he was told. “They wanted to close that gap in their surveillance network. But because of the way it was designed, the only way to close that gap was to put a monitoring device on my network and demand my encryption keys. Couple that with the ferocity with which they wanted it kept secret made it even more bothersome.”
Levison said this saga began in May when an FBI agent left a business card on his door along with a note asking him for a meeting. Levison and the agent exchanged emails, and Levison said the FBI wanted to ask questions about his service, streamlining the process of serving subpoenas and getting him enrolled in Infragard.
Lavabit was a POP or IMAP email service provider offering free service along with a paid version that also offered secure storage that included encryption of email messages. He said the FBI wanted to conduct surveillance on the unnamed customer—Levison said he did not know who Snowden was at the time—and wanted the ability to intercept not only his password but content, record it and send it back to their servers.
“When the FBI first approached me with a court order on June 28, they told me they were going after content, passwords and metadata,” Levison told CBC. “Only when I got a lawyer did I realize they had a right only to the metadata. In fact, I was going to add code that would log metadata daily and turn that over to them. The FBI declined the offer and continued to pursue my SSL keys.”
Levison said the FBI wanted to collect metadata and more information on its own from his company’s network, and refused to give him the assurance he requested that it was collecting data only on this one specific customer.
“They said ‘Give us your private information and trust us,’” Levison said. “And that’s not a tenable position for me.”
Wired reported today on Levison’s appeal to the 4th U.S. Circuit Court of Appeals and also has the full 42-page document available on its website.
A pro-Palestine hacker collective went old-school in its takedown of the Metasploit and Rapid7 websites today.
Metasploit creator HD Moore confirmed via Twitter that Metasploit.com was hacked via a spoofed DNS change request sent via fax to its registrar, Register.com.
“Hacking like it’s 1964,” Moore tweeted a short time ago.
The hacking group known as KDMS hijacked DNS records and replaced the two sites’ respective homepages with a note claiming responsibility for this attack and similar hacks against other security companies.
“You are one of our targets,” the group wrote. “Therefore, we are here.” The group also left a politically charged statement regarding Palestine liberation.
The DNS hijacking attack was resolved within an hour, Moore said.
“We have taken action to address the issue and both sites are now locked down,” Rapid7 said in a statement. “We apologize for the service disruption, and do not anticipate any further implications for our users and customers at this time. We will keep everyone posted as we learn more, and let the community know if any action is needed.”
Moore cautioned in another set of Twitter messages that this group has the ability to change any domain registered with Register.com. He also confirmed the Metasploit and Rapid7 DNS settings temporarily pointed to 74[.]53[.]46[.]114.
Earlier this week, KDMS claimed responsibility for a similar attack on another registrar, Network Solutions. The group was able to change the DNS records managed by Network Solutions for a number of security companies and redirect traffic to a hacker-controlled domain.
Leaseweb, a large hosting provider, disclosed on Monday that it had detected malicious activity on its network and that hackers managed to redirect traffic from leaseweb.com to another domain after its DNS records were changed.
“No internal systems were compromised,” Leaseweb wrote on its blog on Monday. “One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack.”
Initially, it was believed the Leaseweb hack was related to an exploit of a WHMCS vulnerability, but Leaseweb said that was not the case.
“Right now, it appears the hijackers obtained the domain administrator password and used that information to access the registrar,” Leaseweb said.
This article was updated at 11 a.m. ET with a statement from Rapid7.
Late last year the world’s largest social network announced that it would begin removing a popular privacy feature that let users regulate whether other users could search for and locate their profiles with the Facebook search function.
At the time of its initial announcement, the social networking giant removed the feature – called “Who can look up my Timeline by name?” – for everyone that wasn’t already using it. Yesterday, Facebook said they will begin removing it for all other users as well, completely eliminating the functionality within the next couple of weeks.
The feature lives on the Facebook privacy settings page, offering users three varying levels of privacy regarding the way that user-profiles are indexed by the site’s search engine. Users could choose who was allowed to search for their profiles by name: friends only, friends of friends, or everyone (the default option).
“Whether you’ve been using the setting or not, the best way to control what people can find about you on Facebook is to choose who can see the individual things you share,” wrote Michael Richter, Facebook chief privacy officer.
In other words, Facebook users can control the visibility of each individual post when they publish it, but they cannot control whether their profile is indexed by Facebook’s search function.
“The setting also made Facebook’s search feature feel broken at times,” Richter said. “For example, people told us that they found it confusing when they tried looking for someone who they knew personally and couldn’t find them in search results, or when two people were in a Facebook Group and then couldn’t find each other through search.”
The Google domain for Malaysia was hijacked on Thursday night, redirecting visitors to a page that said a group called Madleets from Pakistan had performed the attack. The domain has been restored now, but the name servers for the domain had been changed to a pair controlled by the attackers.
MYNIC, the company that administers the country TLD for Malaysia, confirmed the attack in a statement issued Friday morning, saying that its internal incident response team had resolved the problem within a short time of learning of the attack.
“We can confirm there was unauthorised redirection of www.google.com.my and www.google.my to another IP address by a group which called themselves TeaM MADLEETS,” the statement says.
“The problem was alerted in the early morning and MYNIC Computer Security Incident Response Team (CSIRT) immediately started to resolve the issue. The domain name www.google.com.my has been restored to their correct information at 7.10 am today and www.google.my is still resolving.”
The attack appears to have been a DNS cache poisoning attack, so rather than finding the normal Google home page in Malaysia, visitors were redirected to a site hosted in Canada. Both google.com.my and google.my were hijacked during the attack. Integricity, the company that manages the Google domains in Malaysia, said that the attack lasted a few hours, beginning after midnight local time.
“We immediately tried to log into the MYNIC reseller system to check on the status, but were unable to do so. The DNS servers for this domain have been modified and this has caused the URL to be pointed to a page that shows the site has been hacked.”
WhatsApp, a popular mobile messaging application, suffers from a crypto implementation vulnerability that leaves messages exposed.
Thijs Alkemade, a computer science student at Utrecht University in The Netherlands who works on the open source Adium instant messaging project, disclosed a serious issue this week with the encryption used to secure WhatsApp messages, namely that the same key is used for incoming and outgoing messages.
“You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort,” he wrote on Tuesday. “You should consider all your previous WhatsApp conversations compromised.”
Alkemade said a user’s only recourse is to stop using WhatsApp until developers produce a patch.
A hacker sniffing a WhatsApp conversation could recover most of the plaintext bytes sent, Alkemade said. WhatsApp uses RC4 as a pseudo-random keystream generator and XORs the keystream with the message bytes; because the same RC4 key is used in both directions, the same keystream encrypts both the client’s outgoing messages and the server’s incoming ones, he said.
“That does not directly reveal all bytes, but in many cases it will work,” Alkemade said, adding that messages follow the same structure and are easy to predict from the portion of plaintext that is revealed.
Alkemade said WhatsApp also uses the same HMAC key in both directions, another implementation error that puts messages at risk, but one that is more difficult to exploit. He added that TLS avoids both mistakes by deriving separate RC4 and HMAC keys for each direction, server-to-client and client-to-server.
“There are many pitfalls when developing a streaming encryption protocol. Considering they don’t know how to use a xor correctly, maybe the WhatsApp developers should stop trying to do this themselves and accept the solution that has been reviewed, updated and fixed for more than 15 years, like TLS,” Alkemade said.
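An added example, not from Alkemade’s post or WhatsApp’s code, of the flaw described above: textbook RC4 used with one key for both directions, the resulting plaintext leak from XORing the two ciphertexts, and the TLS-style remedy of a separate key per direction. The key names and messages are constructed for the demonstration.

```python
"""Why one RC4 key shared by both directions of a conversation leaks plaintext.

RC4 is a keystream generator; encryption is plaintext XOR keystream, and
decryption is the same operation. When two messages are encrypted under the
same keystream, XORing the two ciphertexts cancels the keystream and leaves
plaintext XOR plaintext, so every byte an eavesdropper can guess in one
message (fixed protocol framing, say) reveals the byte at the same position
in the other. Keys and messages below are constructed for the demo.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption/decryption: data XOR keystream from position 0.
    Restarting at position 0 under one key for every message, in both
    directions, is the reuse mistake being demonstrated."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def ciphertexts_leak_plaintext_xor(key: bytes, p1: bytes, p2: bytes) -> bool:
    """Core observation: C1 XOR C2 == P1 XOR P2 whenever the keystream is shared."""
    c1, c2 = rc4_encrypt(key, p1), rc4_encrypt(key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def recover_with_known_plaintext(c_target: bytes, c_known: bytes,
                                 p_known_prefix: bytes) -> bytes:
    """Eavesdropper's view: no key, only both ciphertexts and a guess at the
    first bytes of one message. C_known XOR P_known yields keystream bytes,
    which then strip the same positions of the other direction's ciphertext."""
    n = len(p_known_prefix)
    keystream_prefix = xor_bytes(c_known[:n], p_known_prefix)
    return xor_bytes(c_target[:n], keystream_prefix)


def demo() -> bytes:
    """Two directions, one key: guessing the server's predictable framing
    exposes the start of the client's message, including its recipient."""
    key = b"constructed-demo-key"
    client_to_server = b"<message to='bob'>meet at 9pm</message>"
    server_to_client = b"<message to='alice'>ok see you</message>"
    c_out = rc4_encrypt(key, client_to_server)
    c_in = rc4_encrypt(key, server_to_client)
    guessed_framing = b"<message to='alice'>"  # predictable inbound prefix
    return recover_with_known_plaintext(c_out, c_in, guessed_framing)


def separate_keys_leak(p1: bytes, p2: bytes) -> bool:
    """The TLS-style remedy: a distinct key, hence keystream, per direction.
    With that in place C1 XOR C2 no longer equals P1 XOR P2. (The two keys
    are constructed here; a real protocol derives them from its handshake.)"""
    c1 = rc4_encrypt(b"client-write-key", p1)
    c2 = rc4_encrypt(b"server-write-key", p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    print(demo())  # b"<message to='bob'>me"
```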
Cisco pushed out patches for two products this week, addressing a handful of vulnerabilities in its Firewall Services Module (FWSM) software and Adaptive Security Appliance (ASA) software.
According to security updates posted on the company’s Advisory page yesterday, at least nine separate vulnerabilities exist in ASA:
- IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability
- SQL*Net Inspection Engine Denial of Service Vulnerability
- Digital Certificate Authentication Bypass Vulnerability
- Remote Access VPN Authentication Bypass Vulnerability
- Digital Certificate HTTP Authentication Bypass Vulnerability
- HTTP Deep Packet Inspection Denial of Service Vulnerability
- DNS Inspection Denial of Service Vulnerability
- AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability
- Clientless SSL VPN Denial of Service Vulnerability
Five of the nine can either reload an affected device or lead to a denial of service (DoS) condition.
Three of the nine can result in an authentication bypass and give an attacker access to a network via remote access VPN or management access via Cisco’s Adaptive Security Device Management (ASDM) tool.
The last ASA vulnerability deals with Cisco’s AnyConnect SSL VPN and could also lead to a denial of service. If executed, an attacker could exhaust memory, making the system unstable, unresponsive and ultimately stop forwarding traffic.
ASA is a suite of security solutions that users use to deploy antivirus, antispam, antiphishing, and web filtering services, among other capabilities.
Two vulnerabilities exist in Cisco’s FWSM software, a firewall module that serves a range of Cisco routers and switches.
The first one is a big one, however. If an attacker successfully exploits the Command Authorization vulnerability, it can “result in a complete compromise of the confidentiality, integrity and availability of the affected system.” The second vulnerability in FWSM is also present in ASA and deals with the SQL*Net Inspection functionality. Like some of the ASA vulnerabilities it can also lead to a denial of service condition if exploited.
While Cisco’s Product Security Incident Response Team (PSIRT) isn’t currently aware of any attacks targeting the vulnerabilities and workarounds exist for a few of them, patches for all vulnerabilities are available through its regular update channels.
Give James Forshaw a good logic bug over a memory-corruption vulnerability any day of the week.
The British researcher says he would rather manipulate weaknesses in code to climb out of an application sandbox than turn a fuzzer against a piece of software and spot a memory leak. But incentivized by Microsoft’s recent announcement that it was offering serious money for novel mitigation-bypass techniques, the temptation was too great for Forshaw to pass up.
The payoff came on Tuesday when, after six weeks of research and tweaking exploit code, Forshaw was awarded $100,000 for an as-yet-unnamed bypass of Windows memory protections. The majority of the money, along with a separate $9,400 Internet Explorer bounty paid out on Monday, will go to Forshaw’s employer, Context Information Security of London, to fund the security research team there.
“[Microsoft] has pretty much banned me from specifying any detail,” Forshaw said. “What I can share is that it’s a bypass for a number of platform mitigations that allows you to get code execution without troubling DEP or ASLR.”
Data Execution Prevention and Address Space Layout Randomization are exploit mitigations native to Windows, and other operating systems, that are supposed to prevent code from executing in areas of memory where it should not. Numerous exploits, including a recent Internet Explorer zero day, have been able to defeat or sidestep both mitigations, but that doesn’t mean it’s not a challenge to researchers and hackers alike.
“So I have written exploits that go after these sorts of technologies in the past; there are different ways of defeating ASLR and DEP to get information leaks or get DLLs to work that are not ASLR-enabled (such as the IE zero day managed),” Forshaw said. “But I’m more of a logic bug finder than memory corruption.”
Earlier this year at Pwn2Own, Forshaw cashed in with a Java exploit for a vulnerability in a trusted class in the Java framework that allowed him to bypass the sandbox and execute code remotely. That Java bug was patched in April with the release of Java 7u21, and the researcher explained in a blog post shortly thereafter that his code allowed him to disable the security manager in Java and run malicious code as trusted.
Microsoft engineer Thomas Garnier also found an attack similar to the one submitted by Forshaw, but Microsoft senior security strategist Katie Moussouris said Forshaw’s entry was worthy of a full payout, the first since the bounty was announced.
“Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” Moussouris said.
Forshaw said he spent three weeks doing research related to his bypass.
“Once I came up with something I felt was viable, I submitted it and learned two weeks ago Microsoft had accepted the entry,” Forshaw said. “I think I was sort of about 50 percent it was going to be accepted. There were a few things which it wasn’t clear from the rules whether it would meet their bar. There are seven criteria to meet, and I felt it met them all, but it was a bit of a tense time.”
According to Microsoft, bypass submissions must demonstrate a novel way of exploiting a remote code execution vulnerability in Windows and must be capable of exploiting an application that makes use of stack- and heap-corruption mitigations as well as code-execution mitigations. The bypass must also meet seven criteria: it must be generic in that it’s applicable to more than one memory corruption vulnerability; the exploit must be reliable and have reasonable requirements; it must be applicable to a high-risk application such as a browser or document reader; it must be applicable to user mode applications; it must also target the latest version of a Microsoft product; and it must be novel, Microsoft said.
“It was the aspect of novelty I was worried about,” Forshaw said. “I couldn’t say for certain no one had ever used it before. I did my due diligence on my technique to see whether it had been published or used in anger before. I couldn’t find anything.”
While winning more than $100,000 this week may keep the accountants at Context smiling, Forshaw also took satisfaction in knowing he was on a similar track as a Microsoft engineer intimate with Windows code.
“There are quite clever people at Microsoft actively looking at these things. Beating them is quite a challenge,” Forshaw said, adding he much prefers these types of defensive-oriented competitions. “I think it’s certainly an interesting approach to take, focusing more on the defensive than offensive side. Only Microsoft is in position to do that; Google might be able to as well with the Chrome OS. Microsoft is wise to choose this approach versus an all-out free-for-all to find bugs.”
Google, one of the first companies to offer a significant bug bounty program, is extending its rewards to researchers and developers who contribute patches to a variety of open source projects and have an effect on the security of the project.
The new rewards will range from $500 to $3,133.70, and are the result of the company looking for new ways to improve the security of its core offerings, such as Chrome OS and the Chrome browser. Google has had a vulnerability reward program for those offerings for several years now, and they have attracted a large volume of submissions. The release notes for new versions of Chrome, for example, often credit a litany of external researchers for submitting bugs. The rewards often are in the $1,000 to $3,000 range, but can skyrocket into the tens of thousands for especially serious vulnerabilities.
But the extension of the program is an indication of how difficult it can be to secure applications, especially open source projects that rely on code from a variety of sources. So Google will now pay developers rewards for security related improvements to things such as OpenSSL, OpenSSH and BIND.
“Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help!” Michal Zalewski of the Google security team said in a blog post.
“We intend to roll out the program gradually, based on the quality of the received submissions and the feedback from the developer community.”
The components that are part of the program during the initial phase include:
- Core infrastructure network services: OpenSSH, BIND, ISC DHCP
- Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
- Open-source foundations of Google Chrome: Chromium, Blink
- Other high-impact libraries: OpenSSL, zlib
- Security-critical, commonly used components of the Linux kernel (including KVM)
In order to qualify for a reward from Google, the patch submission from the developer has to have a “demonstrable, significant, and proactive impact on the security” of a given component. The program extends to developers who work on the projects as well as external developers who just see a problem they want to help fix. To qualify for a reward, the submitted patch has to actually ship.
In addition to the reward of up to $3,133.70, Google may pay out higher rewards for really clever submissions.
“We may choose higher rewards for unusually clever or complex submissions; we may also split the reward between the submitter and the maintainers of the project in cases where the patch required a substantial additional effort on behalf of the development team,” the rules of the program say.
Developers submit their patches directly to the maintainers of a given project, and once the patch actually ships as part of the project, they simply send an email to Google with the details.
If you’re looking for silver linings among the Snowden leaks and the breadth of the NSA’s surveillance activities, they could be found in two things: 1) the math upholding encryption technology is, as far as we know, solid; and 2) Tor apparently drives the U.S. spy agency batty.
“I’m surprised,” said Matt Blaze, cryptographer and professor at the University of Pennsylvania, “at how few of the NSA’s secrets relate to how to break cryptography.”
Aside from that—and recent revelations that the NSA has had relatively little success monitoring individuals who communicate and move online using the Tor network, going so far as to create a top-secret internal presentation called “Tor Stinks”—there doesn’t seem to be much making technologists smile these days.
Blaze was one of five experts on a technology panel Wednesday during a daylong Cato Institute program on NSA surveillance. The panel, which included Karen Reilly of the Tor Project, David Dahl of SpiderOak, Jim Burrows of Silent Circle, and Chris Soghoian of the ACLU, cast technical scrutiny on the NSA’s activities and its impact on trust in technology and the Internet’s ability to securely support communication and ecommerce.
Senator Ron Wyden, D-Oregon, beat the economic drum early in the day with a passionate keynote drumming up support for his bipartisan bill he hopes will end bulk collection of Americans’ phone records by the NSA as well as bring about surveillance reform. Wyden also pointed out that he’s had conversations with major business leaders concerned about the economic impact of the NSA’s alleged subversion of security technologies and the relationships it has with large telecommunications and Internet companies in terms of long-term access to customer data.
“Policy makers who sign off on overly broad surveillance programs should be thinking about the impact on American jobs and trust,” Wyden said. “Trust is so important for American companies to have around the world. They don’t have this trust by osmosis, but it was earned over the years through solid business practices.”
Soghoian pointed out that companies such as SpiderOak, which provides a secure backup service, and Silent Circle, which provides a secure phone service, are in a unique position because they are differentiated by the security and privacy features in their products. Silent Circle recently shuttered its email service rather than someday be compelled to hand over customer data to the government; its decision came on the heels of Lavabit’s decision to close its doors. Lavabit was a secure email provider as well; it was used by Edward Snowden, and rather than turn over private keys to decrypt the whistleblower’s emails, it decided to close its doors permanently.
“The U.S. is a leader in small businesses providing secure communications services,” Soghoian said. “When the U.S. government compels a Lavabit to comply, it’s a death sentence. Comply, and your reputation is destroyed. Secure communication services are under threat. We should want this part of the economy to grow.”
The NSA is accused of subverting encryption standards, inserting itself into the development of such standards by participating in and contributing to the National Institute of Standards and Technology (NIST) and then deliberately weakening standards, or going so far as to insert backdoors in order to access communications later on. It has also been accused of similar activity with security software and hardware, planting backdoors in code and hardware in order to maintain perpetual access to and surveillance of those products.
Soghoian implored journalists with access to the Snowden documents to reveal secrets that have so far been redacted, likely done in cooperation with the government.
“The things we need to see are the sources journalists need to keep secret—the names of the algorithms that have been subverted. The names of the companies the NSA has subverted and sabotaged products,” Soghoian said. “We need to know this to protect the public.”
Soghoian said top secret slide presentations released to the public by the Guardian redacted the names of two VPN chip manufacturers that had been backdoored by the NSA and GCHQ.
“We want to know which are backdoored in order to protect people,” Soghoian said. “Those are things journalists feel they must protect.”
Tor, meanwhile, is standing up as a reliable medium. Being open source, Reilly said, forces users to trust the code rather than the people behind it. She stressed that the premise behind how Tor operates remains sound despite the modest success the NSA revealed it had in tracking a small number of users.
“We will add more cryptography between relays soon, but I’m confident the distributed trust model will continue to work and be adopted by more technologies,” Reilly said.
Burrows, meanwhile, said he took great joy in the NSA’s struggles with Tor.
“Yes they have methods for getting at certain people occasionally, but even they say Tor works and it’s held up,” Burrows said. “And that it’s held up to them pleased me more than anything else.”
This was a two-for-one deal that Windows administrators could have done without.
Already expecting one patch for an Internet Explorer zero-day being actively exploited, admins got fixes for two zero days instead yesterday as part of Microsoft’s October 2013 Patch Tuesday security updates.
The second caught everyone by surprise, especially organizations already swaying in the wind without a patch for one IE bug being used in active attacks, and for which a Metasploit exploit was available. The bonus fix was for an unrelated bug in the wild for close to a month and also targeting organizations in Japan and Korea, similar to the first zero day.
Researchers at the National Cyber Security Centre of the Netherlands, IOprotect GmbH and Trustwave’s SpiderLabs were credited in the advisory by Microsoft for reporting the vulnerability. SpiderLabs’ Director of Security Research Ziv Mador told Threatpost the company’s researchers were monitoring an attack server that had up until two weeks ago been serving exploits for patched vulnerabilities only. That changed on Sept. 12, Mador said, when an IE 8 exploit bubbled to the surface that his researchers hadn’t seen before.
“It is being used to distribute general malware,” Mador said. “Unlike the previous zero day in IE, this one distributes malware to steal credentials from online gamers, or disrupt access to banking sites. It’s general malware, not targeted attacks.”
The previously reported IE zero day had been used in very targeted attacks against Japanese media companies. The media sites were compromised as part of a watering hole attack and were serving exploits, according to researchers at FireEye, targeting government, high-tech and manufacturing organizations in Japan. FireEye called it a large-scale intelligence gathering operation.
Microsoft had released a Fix-It tool as a temporary mitigation upon disclosing that attacks were in the wild. Last Friday, a Metasploit exploit module was added to the toolkit, ramping up the possibility that more widespread attacks could be imminent.
The second zero day targeted users in Japan and Korea via drive-by downloads. One feature was its ability to identify the language the infected machine was configured for. If the language was neither Japanese nor Korean, IE would be redirected to Google and the attack would be terminated, Trustwave said in a blog post.
However, if the language check passes and the browser is IE 8, the attack uses ROP chains to bypass memory protections native to Windows such as DEP and ASLR.
The attack payload includes no fewer than 10 drivers, executables and DLLs dropped onto the victim’s machine, Trustwave said. It will try to disable a number of security products on the computer, redirect banking sites to an attacker-controlled domain and also has components that try to steal gaming credentials.
“The exploit is not trivial and these types of exploits are often not trivial. They require a number of quite creative combinations to work,” Mador said. “That was the case here.”
In addition to the ROP chains, the attack also uses the DOM Element Property Spray technique used in the other IE zero day patched yesterday.
“There are a million ways to develop HTML pages or Web applications, so many attributes, tags, scripts. People who develop browsers have to deal with a huge amount of possible scenarios,” Mador said, pointing to a number of natural places where vulnerable code could lurk in the parsing and rendering of any of these components.
“When we look at exploit code for browser vulnerabilities, quite often they use weird combinations from an HTML perspective that don’t make sense,” Mador said. “They don’t seem to show anything interesting, but the purpose of the combinations is to trigger some vulnerability in the code parsing or memory management.”
The patch was part of the cumulative update for IE addressed in MS13-080; IE has been patched nearly every month in 2013, including an out-of-band patch earlier this year.
Microsoft and Adobe weren’t the only companies releasing security updates yesterday. BlackBerry piled on the patch parade with an update for its BlackBerry Enterprise Service 10 mobile device management product, fixing a remote code execution vulnerability.
The problem lies in the Universal Device Service (UDS) that’s installed by default in BlackBerry Enterprise Service (BES) versions 10.0 to 10.1.2. If an attacker has access to the corporate network that’s hosting the UDS and can determine its address, they can execute code as the BES10 admin service account without authentication.
This is because JBoss, BES10’s open source hosting environment, is misconfigured. In its current incarnation, JBoss allows non-admin users to upload packages and make them available to clients. If successfully exploited, the vulnerability also lets attackers execute arbitrary code.
Exploiting it sounds easier said than done, though.
“In order to exploit this vulnerability, an attacker must use the Remote Method Invocation (RMI) interface to serve a malicious package to JBoss from a second server on the network that is not blocked by a firewall,” reads BlackBerry’s advisory.
If for some reason BlackBerry users can’t update their systems right away, there is a series of workarounds, which BlackBerry considers “temporary measures,” that users can follow. These mitigations involve tweaking the RMI interface, blocking certain ports and updating Java.
BlackBerry’s BES10 is a mobile device management solution that allows IT professionals to control their users’ BlackBerry devices, Android devices, and iOS devices. Administrators can install and revoke licenses, manage accounts and conduct day-to-day administrative tasks with the service.
While BlackBerry is not aware of any attacks exploiting the vulnerability, it is urging all Enterprise Service 10 administrators to apply the software update released yesterday on the company’s Knowledge Base site.
As expected, Microsoft began shipping its latest batch of Patch Tuesday patches earlier this afternoon. However, while it was heavily presumed the update would fix at least one Internet Explorer zero day, the update actually fixes two critical vulnerabilities in the browser.
Eight bulletins (four of them critical) and 28 vulnerabilities in total are addressed by the update, the 10th anniversary release of the company’s popular flaw remediation program.
Naturally, at the top of the list is MS13-080, which addresses the much-buzzed-about use-after-free bug (CVE-2013-3893) in IE’s HTML rendering engine. The zero day targeted all builds of IE over the course of the last month or so, and this patch, which also loops in nine other IE fixes, builds off of a FixIt tool Microsoft released for the issue in mid-September.
Among those nine IE vulnerabilities, CVE-2013-3897 is also getting the attention of researchers today. The issue, a memory corruption vulnerability that’s been spotted in targeted exploitation, was discovered in part by the National Cyber Security Centre of the Netherlands, according to Microsoft.
Trustwave’s SpiderLabs posted a brief synopsis of the vulnerability today and claims the zero day has been in the wild for more than a month and campaigns initially targeted Japanese and Korean users.
According to Wolfgang Kandek, the CTO of cloud security firm Qualys, the vulnerability was still shoehorned into Internet Explorer’s cumulative security update, despite only recently being discovered.
“In the last two weeks, attacks against the same vulnerability became public, again limited and targeted in scope, but since the fix was in the code already, it enabled Microsoft to address the vulnerability… in record time,” Kandek said Tuesday.
Much like the use-after-free bug, attacks against CVE-2013-3897 were spotted in the wild but weren’t widespread enough to force Microsoft to issue an out-of-band patch before this week’s update.
The rest of the month’s updates address remote code execution issues in Windows, Office, .NET, Server, SharePoint and an information disclosure issue in Silverlight.
While they’re not known to be actively exploited, three of those issues are marked critical, including vulnerabilities in both Windows’ kernel mode driver (MS13-081) and .NET Framework (MS13-082) that stem from problems with embedded OpenType fonts.
The last critical issue involves a remote, server-side vulnerability in ASP.NET that could let attackers send a specially crafted web request to an ASP.NET web app running on an affected system and in turn, run arbitrary code.
Rapid 7’s Ross Barrett, senior manager of security engineering, called the vulnerability a “real, honest to goodness, potentially ‘wormable’ condition” Tuesday, warning it could spread rapidly.
“If the ‘bad guys’ figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested,” Barrett said.
The rest of the patches address relatively minor issues, at least in comparison to the IE vulnerabilities, in SharePoint, Microsoft Word, Excel and the company’s application framework, Silverlight.
As usual, the updates will be deployed on most users’ machines automatically over the next day or so. Those who don’t have automatic updates enabled will want to check for and install the updates manually, especially those who run any version of Internet Explorer.
One day after announcing that it had paid researchers $28,000 for reporting a number of vulnerabilities in Internet Explorer 11, Microsoft revealed that it has written a much bigger check, this one for $100,000, to a researcher who has discovered a new attack technique that bypasses all of the exploit mitigations on the newest version of Windows.
James Forshaw, a researcher who also won a reward in the IE 11 bounty program this summer, submitted the technique to Microsoft, which validated it. The reward is part of the company’s bug bounty program that incentivizes researchers to look for novel attack techniques that can defeat the modern anti-exploit technologies such as DEP and ASLR implemented in Windows. The program was announced in June, but Forshaw’s technique is the first one to qualify for the $100,000 payout.
Microsoft officials said that one of the company’s security engineers had discovered a portion of the technique as well, but that didn’t prevent Forshaw from winning the bounty. Katie Moussouris, a senior security strategist at Microsoft, said that the company won’t disclose the details of Forshaw’s technique until engineers have had a chance to analyze it and implement defenses in Windows.
“Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” Moussouris said.
“While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.”
The $100,000 reward program is an ongoing one through which Microsoft aims to spur researchers to look for new offensive techniques that can get past the state-of-the-art exploit mitigations. It’s the first time that Microsoft has offered monetary rewards for vulnerability or attack information, following the company’s successful Blue Hat Prize contest, which paid large rewards for novel defensive techniques. Moussouris, who spearheaded the work on both the Blue Hat Prize and the bug bounty program, said that the company was motivated to help find and protect users against large classes of attacks rather than individual bugs.
“We’re thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James’ entry will help us improve our platform-wide defenses and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues,” she said.
Adobe, still reeling from the public disclosure of a massive breach of source code and customer information, released two security advisories today patching vulnerabilities unrelated to the recent break-in.
The first concerns a vulnerability in Adobe RoboHelp 10 for Windows that could allow an attacker to remotely run malicious code on the underlying system supporting the software. RoboHelp 10 is publishing software that enables users to collaboratively develop HTML 5 websites. Content can also be delivered in third-party formats such as PDF and mobile apps.
Adobe gives this vulnerability a relatively low priority rating of 3 and said it is not aware of any public exploits of this bug. The security update is available from Adobe.
Adobe, meanwhile, has not commented further on the breach which was made public last Thursday. The company was compromised sometime between July 31 and Aug. 15, and the attack was not discovered by Adobe until Sept. 17. The company disclosed that in addition to the hackers accessing source code for a number of products including Adobe’s ColdFusion Web application server, Acrobat, Publisher and possibly other products, close to three million customer records, including encrypted credit card numbers, were stolen.
On Friday, it was revealed that the gang behind the Adobe attacks had also infiltrated other large companies that were in the process of being notified. The attackers have been active for much of the year using ColdFusion exploits to hit a number of high-value targets. ColdFusion has been patched several times by Adobe this year, going as far back as Jan. 4 when the company reported that ColdFusion exploits were in the wild for unpatched vulnerabilities in the software.
“I would characterize the breach as one of the worst in U.S. history because the source code of an end user product such as Adobe Reader and Adobe Publisher was breached and leaked,” said Alex Holden of Hold Security LLC, who along with security reporter Brian Krebs discovered and investigated a 40 GB stash of Adobe data found online. “This allows additional attack vectors to be discovered and viruses to be written for which there are no defenses.”
“This gang is sophisticated and some new things may follow, I’m sure,” Holden said. “The source code leaks and attacks sourced from this situation may be devastating.”
A popular Android mobile ad library available on Google Play can be used to collect device data or execute malicious code, security researchers have discovered.
The most alarming aspect to the library is that close to 2 percent of Android apps with more than 1 million downloads on Google Play use this particular library, and those apps have been downloaded more than 200 million times, researchers at FireEye said yesterday.
The researchers won’t disclose the name of the library, but said they have informed Google and the library’s vendor, both of whom are reportedly addressing the situation.
Mobile ad libraries enable apps to host advertisements; they generally collect IMEI and IMSI device identifiers. But this particular library, nicknamed Vulna by FireEye, is far more intrusive and capable of collecting text messages, contacts and call details, as well as having the capability to execute code.
“Vulna [also] contains a number of diverse vulnerabilities,” FireEye researchers said. “These vulnerabilities when exploited allow an attacker to utilize Vulna’s risky and aggressive functionality to conduct malicious activity, such as turning on the camera and taking pictures without user’s knowledge, stealing two-factor authentication tokens sent via SMS, or turning the device into part of a botnet.”
One of the vulnerabilities discovered by FireEye is the practice of transferring users’ private information in plain text over HTTP, allowing an attacker to view it. The library also uses HTTP to receive orders from its command and control server. “An attacker can convert Vulna to a botnet by hijacking its HTTP traffic and serving malicious commands and code,” the researchers said.
The researchers said the library puts the user’s device at risk to a number of exploits, including man-in-the-middle attacks over public Wi-Fi hotspots or even DNS hijacking attacks, redirecting the device’s mobile browser to an attacker-controlled site.
Worse, the library’s activities are difficult to detect because the commands it receives from the C&C server use data encoded in the HTTP header fields rather than in the response body. Source code is obfuscated as well, the researchers said, adding that its behaviors are difficult to analyze.
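The cleartext-identifier problem described above is something an app security reviewer or network defender can check for directly. The following is an added example (not FireEye's code and not the library's own protocol) that audits captured HTTP requests for device identifiers sent without TLS: it parses a raw HTTP/1.x request, looks for parameters named like identifiers, and flags bare 15-digit numbers only when they pass the IMEI Luhn check, which keeps timestamps and other long numbers from producing noise. The request captures, host names and parameter names are constructed for the example.

```python
"""Audit captured HTTP requests for device identifiers sent in cleartext.

Added example. The two request captures below are constructed samples;
the host, paths and parameter names are assumptions, not values from the
library FireEye analysed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Bare 15-digit numbers are candidate IMEIs; Luhn filters the false positives.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
# Parameter names an ad SDK might use to ship identifiers (assumed names).
SENSITIVE_PARAMS = {"imei", "imsi", "phone", "msisdn"}


def luhn_ok(digits):
    """Luhn checksum as used by IMEI; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def audit_request(raw, scheme="http"):
    """Return a list of findings for one captured request.

    scheme is how the capture was observed on the wire: only plain "http"
    is audited, since identifiers inside TLS are not readable by a passive
    man-in-the-middle on a public hotspot.
    """
    findings = []
    if scheme != "http":
        return findings
    method, target, headers, body = parse_request(raw)
    host = headers.get("host", "?")

    # Named parameters in the query string and in a form-encoded body.
    params = parse_qs(urlsplit(target).query)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body))
    for name in sorted(params):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"param {name} sent in cleartext to {host}")

    # Any Luhn-valid 15-digit number anywhere in target, headers or body.
    blob = " ".join([target, *headers.values(), body])
    for candidate in sorted(set(IMEI_RE.findall(blob))):
        if luhn_ok(candidate):
            findings.append(f"IMEI {candidate} sent in cleartext to {host}")
    return findings


# Constructed capture: an ad request carrying an IMEI in the query string.
LEAKY_REQUEST = (
    "GET /ads/serve?imei=490154203237518&lang=ja HTTP/1.1\r\n"
    "Host: ads.example.invalid\r\n"
    "User-Agent: Dalvik/1.6.0\r\n"
    "\r\n"
)

# Constructed capture: a 15-digit timestamp that fails Luhn, so no finding.
CLEAN_REQUEST = (
    "POST /ads/serve HTTP/1.1\r\n"
    "Host: ads.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ts=138123456789012&lang=ja"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, audit_request(raw))
```

Running the block prints two findings for the first capture (the named `imei` parameter and the Luhn-valid number itself) and none for the second; pointing `audit_request` at the same request with `scheme="https"` returns nothing, which is the point: the leak the researchers describe exists because the channel is HTTP, not because an identifier is sent at all.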
“In one popular game, Vulna is executed only at certain points in the game, such as when a specific level is reached,” the researchers said, adding that any malicious behavior happens in the background away from the reach of the user.
FireEye cautions that malicious ad libraries such as Vulna are a growing threat, especially for enterprises that allow personal mobile devices to access network resources.
“[These] ad libraries are disturbingly aggressive at collecting users’ sensitive data and embedding capabilities to execute dangerous operations on demand, and they also contain different classes of vulnerabilities which allow attackers to utilize their aggressive behaviors to harm users,” FireEye said. “App developers using these third-party libraries are often not aware of the security issues in them.”
During the last few days, several high-profile domains have been defaced, including domains belonging to two prominent security companies. In addition to these, high-profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis, it does not seem that the actual web server has been compromised; the most likely attack vector was that the DNS had been hijacked.
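The distinction drawn above, a defaced page served because DNS was hijacked versus one served by a compromised web server, is the first question an incident responder has to settle, and it can be answered from DNS observations alone. The following is an added example (my own triage logic, not code from the post's author) that parses dig-style answer sections captured from several resolvers, compares them with a known-good baseline, and classifies the incident: disagreement between resolvers, a changed NS delegation, changed A records under an unchanged delegation, or a defacement with DNS fully consistent with the baseline, which points at the host itself. All domains, name servers and addresses are constructed placeholders, not the domains named in the post.

```python
"""Triage a defacement: DNS hijack or web server compromise?

Added example. The baseline and the dig-style captures are constructed;
the domain names, name servers and IP addresses are placeholders.
"""
import re

# One resource record per line, as dig prints them: name TTL IN TYPE rdata
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_answer_section(text):
    """Map record type -> set of rdata, ignoring dig comments and blank lines."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records.setdefault(m["type"], set()).add(m["rdata"].rstrip(".").lower())
    return records


def triage(baseline, observations, page_defaced):
    """Classify an incident from per-resolver DNS observations.

    baseline:     {"NS": set(...), "A": set(...)} recorded before the incident
    observations: {resolver_name: records dict from parse_answer_section}
    page_defaced: whether the content fetched from the resolved address is defaced
    Returns one of the codes in EXPLANATIONS.
    """
    if not observations:
        return "no-data"
    a_sets = [frozenset(o.get("A", ())) for o in observations.values()]
    ns_sets = [frozenset(o.get("NS", ())) for o in observations.values()]
    if len(set(a_sets)) > 1 or len(set(ns_sets)) > 1:
        return "resolver-disagreement"
    if ns_sets[0] != frozenset(baseline["NS"]):
        return "delegation-changed"
    if a_sets[0] != frozenset(baseline["A"]):
        return "zone-changed"
    if page_defaced:
        return "webserver-compromise"
    return "no-change"


EXPLANATIONS = {
    "no-data": "no resolver observations supplied",
    "resolver-disagreement": "resolvers return different answers: cache poisoning or a change still propagating",
    "delegation-changed": "NS delegation differs from baseline: registrar or DNS-provider account hijack",
    "zone-changed": "A records differ under the baseline delegation: zone tampering at the DNS provider",
    "webserver-compromise": "DNS matches baseline, yet the page is defaced: the real host serves it",
    "no-change": "DNS matches baseline and the page is intact",
}

# Constructed baseline for a placeholder domain.
BASELINE = {
    "NS": {"ns1.example.invalid", "ns2.example.invalid"},
    "A": {"203.0.113.10"},
}

# Constructed dig output: everything as expected.
NORMAL_DIG = """
;; ANSWER SECTION:
example.invalid.\t3600\tIN\tNS\tns1.example.invalid.
example.invalid.\t3600\tIN\tNS\tns2.example.invalid.
www.example.invalid.\t300\tIN\tA\t203.0.113.10
"""

# Constructed dig output: delegation moved to foreign name servers.
HIJACKED_DIG = """
;; ANSWER SECTION:
example.invalid.\t3600\tIN\tNS\tns1.attacker-dns.invalid.
example.invalid.\t3600\tIN\tNS\tns2.attacker-dns.invalid.
www.example.invalid.\t300\tIN\tA\t198.51.100.77
"""

# Constructed dig output: delegation intact, only the A record changed.
ZONE_ONLY_DIG = """
;; ANSWER SECTION:
example.invalid.\t3600\tIN\tNS\tns1.example.invalid.
example.invalid.\t3600\tIN\tNS\tns2.example.invalid.
www.example.invalid.\t300\tIN\tA\t198.51.100.77
"""

if __name__ == "__main__":
    obs = {"resolver-1": parse_answer_section(HIJACKED_DIG),
           "resolver-2": parse_answer_section(HIJACKED_DIG)}
    code = triage(BASELINE, obs, page_defaced=True)
    print(code, "-", EXPLANATIONS[code])
```

The ordering in `triage` matters: resolver disagreement is checked first because a single poisoned or stale resolver must not be mistaken for a zone change, and delegation is checked before A records because a registrar-level hijack replaces the whole zone, so the A record mismatch it also produces is a symptom rather than the root cause.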