Hacking & Security
ISC StormCast for Wednesday, December 11th 2013 http://isc.sans.edu/podcastdetail.html?id=3719, (Wed, Dec 11th)
A third-party advertising framework integrated in hundreds of Android apps contains a vulnerability that could allow hackers to steal sensitive information from users' phones, according to security researchers from antivirus firm Bitdefender.
The framework is called HomeBase SDK (software development kit) and is developed by Widdit, based in Ramat Gan, Israel. It allows Android developers to monetize their apps by displaying ads and custom content on the phone's lock screen.
Adobe also has published updates today for Flash Player, resolving CVE-2013-5331 and CVE-2013- ...(more)...
One zero-day down, one to go.
As expected, Microsoft did today patch a zero-day in its GDI+ graphics component (MS13-096) reported more than a month ago after exploits were spotted in the wild. The fix was one of 11 security bulletins—five critical—released as part of the December 2013 Patch Tuesday security updates.
Another zero-day, one affecting only Windows XP users, still remains unpatched despite active exploits targeting the vulnerability, which is found in the NDProxy driver that manages the Microsoft Telephony API. The attacks depend on a second vulnerability to deliver the exploit against an XP machine. Microsoft recommends turning off NDProxy as a mitigation until a patch is available.
While there were five critical bulletins released today, experts urge IT administrators to also prioritize an ASLR bypass vulnerability that was patched today and rated “important” by Microsoft.
MS13-106 takes care of an Office vulnerability that is being exploited in the wild, Microsoft said. Attackers hosting a malicious exploit online can trigger the vulnerability in the hxds.dll that enables a bypass of ASLR or Address Space Layout Randomization, a security feature in Windows that mitigates memory corruption exploits.
“The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer,” Microsoft said in its advisory. “The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.”
ASLR bypasses have been more frequent this year, and have been rolled into a number of exploit kits. Introduced in Windows Vista, ASLR hampers the reliability of exploits by negating an attacker’s ability to predict where machine instructions will exist in memory. ASLR is particularly effective against buffer overflow attacks.
“This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the ‘ms-help:’ protocol handler,” said Craig Young, security researcher at Tripwire. “Until today, the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).”
Admins will also have to contend with yet another cumulative update for Internet Explorer. MS13-097 patches a number of remote code execution vulnerabilities in the browser, all the way back to IE 6. IE has been patched almost monthly this year and has been front and center in numerous targeted attacks.
Microsoft also patched a critical bug in its Authenticode signing algorithm that is being exploited. MS13-098 allows remote code execution if a user is enticed to run an application that contains a malicious and signed portable execution file. The patch modifies how the WinVerifyTrust function handles Windows Authenticode signature verification for PE files, Microsoft said.
“Attackers have been abusing installers from legitimate software makers to install malware. These installers are configured in a way to dynamically download code extensions that are not checked for correct signatures, and attackers have found a way to piggyback on that mechanism,” said Qualys CTO Wolfgang Kandek, who added that the patch prepares the system for a more stringent integrity check that prevents such exploits. Microsoft also issued a separate security advisory regarding the Authenticode patch, stating that after June 10, 2014, Windows will no longer recognize non-compliant signed binaries.
The two remaining critical bulletins, MS13-099 and MS13-105, patch remote code execution vulnerabilities in Microsoft Scripting Runtime Object Library and Exchange Server respectively. Three of the four Exchange vulnerabilities addressed in the bulletin, it’s worth noting, are publicly disclosed. The most serious is in the WebReady Document Viewing and DLP features of Exchange Server, Microsoft said.
The remaining bulletins—rated “important”—address one remote code execution bug, three privilege escalation issues and an information disclosure vulnerability:
- MS13-100 patches a remote code execution vulnerability in Microsoft SharePoint Server; an attacker would have to be authenticated to the server to exploit the vulnerability. A successful exploit would enable an attacker to run code in the context of the W3WP service account on the SharePoint site.
- MS13-101 fixes a privilege elevation issue in Windows Kernel-Mode Drivers. An attacker would have to log onto a system and run a malicious application to exploit the bug.
- MS13-102 is a patch for a vulnerability in the LRPC Client that would allow an attacker to elevate their privileges on an LRPC server. Doing so would allow an attacker to install programs, manipulate data or create accounts. Valid credentials are needed to exploit this bug.
- MS13-104 is a fix for an information disclosure vulnerability in Microsoft Office. Successful exploits could give an attacker access tokens used to authenticate a user on a SharePoint or Office server site.
Microsoft also sent out an advisory that revokes the digital signatures for nine private, third-party UEFI modules for Windows 8 and Windows Server 2012 machines. These modules would be loaded during a UEFI Secure Boot, if it is enabled.
Researchers have recently uncovered two unrelated threats that have the potential to turn some Android devices into remotely controlled bugging and spying devices.
The first risk, according to researchers at antivirus provider Bitdefender, comes in the form of a software framework dubbed Widdit, which developers for more than 1,000 Android apps have used to build revenue-generating advertising capabilities into their wares. Widdit includes a bare-bones downloader that requests a host of Android permissions it doesn't need at the time of installation.
"These permissions are not necessarily used by the SDK [software development kit], but requesting them ensures that anything introduced later in the SDK will work out of the box," Bitdefender researchers Vlad Bordianu and Tiberius Axinte wrote in a blog post published Tuesday. "Among the weirdest permissions we saw are permissions to disable the lock screen, to record audio, or to read browsing history and bookmarks."
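The over-permissioning Bitdefender describes can be caught at review time by auditing an app's manifest. The script below is an added example (not Bitdefender's, Widdit's or the original article's code); the manifest is constructed, and the watch-list of permissions an ad SDK should not need is an assumption that follows the permissions named in the quote.

```python
"""Flag permissions in an AndroidManifest.xml that an advertising SDK has
no business requesting. Added example; the sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: a reviewer's policy list, not an Android standard. The first
# three are the permissions the article singles out; the rest are related
# data-access permissions. All values are real Android permission names.
SUSPICIOUS_FOR_AD_SDK = {
    "android.permission.DISABLE_KEYGUARD": "can disable the lock screen",
    "android.permission.RECORD_AUDIO": "can record audio",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        "reads browsing history and bookmarks",
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.READ_SMS": "reads SMS messages",
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name="..."> value, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)]


def audit(manifest_xml: str) -> dict[str, str]:
    """Map each suspicious permission found in the manifest to why it is flagged."""
    return {p: SUSPICIOUS_FOR_AD_SDK[p]
            for p in declared_permissions(manifest_xml)
            if p in SUSPICIOUS_FOR_AD_SDK}


# Constructed sample: a flashlight-style app bundling a lock-screen ad SDK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission
        android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
    <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE_MANIFEST).items():
        print(f"FLAG {perm}: {reason}")
```

Run it against a decoded APK's manifest (for example the output of apktool) to see which bundled SDKs are pulling in permissions the host app itself never uses.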
Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing at least two dozen flaws in Windows and other software.
Five of today’s 11 update bundles earned Microsoft’s “critical” rating, meaning that the vulnerabilities those patches fix can be exploited remotely by malware or miscreants without any help from users. At the top of the priority list for Windows users should be MS13-096, a patch that plugs a critical zero-day security hole in certain versions of Windows and Office. Microsoft first warned about this flaw on Nov. 5.
Microsoft also is urging customers and system administrators to prioritize two other critical fixes: MS13-097, a cumulative patch for Internet Explorer (all versions), and MS13-099, which fixes a dangerous scripting issue in Windows. All three of these patches fix bugs that Microsoft says are likely to be exploited by attackers in the near future.
Ross Barrett, senior manager of security engineering at Rapid7, points out a noteworthy patch (MS13-104) for users of Microsoft Office 2013’s “cloud” services, which apparently fixes another vulnerability that is actively being exploited. “This information disclosure issue affects the Office ‘client’ and could allow an attacker to hijack an authentication token and gain access to documents stored in cloud resources,” Barrett said.
ADOBE FLASH AND SHOCKWAVE UPDATES
Adobe has issued a patch for its Flash Player software that addresses at least two security holes, including a vulnerability that is already under active attack. Adobe said it is aware of reports of an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content. The company credits researcher Attila Suszter for reporting the flaw; more information about this bug is available at Suszter’s blog.
To find out whether your system has Flash installed and at what version, check this page. Updates are available for Windows, Mac and Linux versions of Flash. The latest version for Windows and Mac users is 11.9.900.170, and 220.127.116.112 for Linux.
Google Chrome auto-updates its own versions of Flash (although not always right away); the newest Flash for Chrome is 11.9.900.170. Internet Explorer 10 and 11 on Windows 8 include an embedded version of Flash that gets updates from Windows Update, rather than through Adobe’s installer. On Windows 7 and earlier, Flash is not embedded, and needs to be updated via Adobe’s updater or manually by downloading the appropriate version from this page.
In addition, Adobe AIR (required by some applications like Pandora Desktop, for example) was updated to v. 3.9.1380 for Windows, Mac and Android devices. Adobe AIR checks for and prompts you to install any available updates anytime you launch an application that uses AIR; in any case, the download link is here.
Adobe also issued an update for its Shockwave Player software that fixes at least two vulnerabilities, bringing Shockwave to v. 18.104.22.168 on Windows and Mac systems. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.
If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.
Telecommunications giant AT&T has come under fire from privacy advocates after it acknowledged that it will not publicly disclose any of its dealings with the National Security Agency.
In a letter to the U.S. Securities and Exchange Commission, the company claimed that protecting customer privacy is at the crux of its decision not to disclose government requests.
The letter, penned by the company’s legal counsel, asks that the issue not be brought up at AT&T’s annual shareholder meeting next spring.
Shareholders, along with representatives from the ACLU, have been rallying for the company to publish a transparency report, much like those recently produced by Facebook, Twitter and Google, to clear the air around exactly what – and how much – customer information it shares with the government.
AT&T’s letter, however, argues that such information isn’t anyone’s business, including its users’ or shareholders’, calling it “a core management function” and “an integral part of AT&T’s day-to-day business operations.”
It goes on to say that disclosing such information could jeopardize the company’s legal strategy, noting several pending lawsuits that require the company to “provide personal information to other entities, such as government agencies, credit bureaus and collection agencies.”
While the letter more or less wholly rejects the concept of a transparency report, AT&T notes that if it were to produce one, it would be limited to the company’s responses to law enforcement requests for information and not information regarding the government’s surveillance activities.
Verizon and AT&T shareholders issued letters (.PDF) in November asking the companies to “publish semi-annual reports, subject to existing laws and regulation, providing metrics and discussion regarding requests for customers’ information by U.S. and foreign governments.”
Those letters cited a controversial June Wall Street Journal article that claimed AT&T “provided millions of U.S. customers’ call records to the U.S. National Security Agency (NSA),” and encouraged the company to follow in the footsteps of major Internet companies that have begun publishing similar transparency reports.
Both companies scored poorly on the Electronic Frontier Foundation’s “Who Has Your Back?” report card, issued back in May. The annual report, which culls major communication and social media companies’ stances on data privacy, points out that both companies fail to tell their users about data requests, fail to publish law enforcement guidelines and will not fight for their users’ privacy rights in court.
Meanwhile, public opposition to AT&T has begun to pick up steam in the wake of its stance.
A petition started by the San Francisco ACLU office, urging both companies to be more transparent about what they do with user information, has gathered nearly 32,000 supporters in the few days since AT&T’s statement.
“We’re working with our friends at SumOfUs to rally thousands of AT&T and Verizon customers and potential customers and prove to these giant telcos that their silence is putting their public image and bottom line at risk,” reads the petition.
AT&T is understandably absent from the list of eight companies (AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo) that yesterday formed a coalition, Reform Government Surveillance, calling for reform of the government’s surveillance activities in the wake of the NSA revelations.
Adobe published two security bulletins today, resolving a pair of vulnerabilities in both Shockwave and Flash Player.
The Shockwave security update applies to versions 22.214.171.124 and earlier on Windows and Mac OS X and addresses a pair of memory corruption vulnerabilities (CVE-2013-5333 and CVE-2013-5334) that could give an attacker the ability to execute code remotely. Adobe awarded this bug a priority rating of 1, meaning that attackers are likely targeting it – or soon will be targeting it – in the wild.
Adobe also pushed out security updates for versions 11.9.900.152 and earlier of its Flash Player on Windows and Mac OS X and for versions 126.96.36.1997 and earlier for Linux systems. The updates address a type confusion vulnerability (CVE-2013-5331) and a memory corruption vulnerability (CVE-2013-5332), each of which could enable remote code execution, causing crashes, and potentially giving an attacker control of affected machines.
“Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” Adobe says in the bulletin announcement. “Adobe Flash Player 11.6 and later provide a mitigation against this attack.”
Adobe’s recommendations are as follows:
- Users of Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.9.900.170.
- Users of Adobe Flash Player 188.8.131.527 and earlier versions for Linux should update to Adobe Flash Player 184.108.40.2062.
- Adobe Flash Player 11.9.900.152 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.9.900.170 for Windows, Macintosh and Linux.
- Adobe Flash Player 11.9.900.152 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.9.900.170 for Windows 8.0
- Adobe Flash Player 11.9.900.152 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 11.9.900.170 for Windows 8.1
- Users of Adobe AIR 220.127.116.110 and earlier versions for Windows and Macintosh should update to Adobe AIR 18.104.22.1680.
- Users of Adobe AIR 22.214.171.1240 and earlier versions for Android should update to Adobe AIR 126.96.36.1990.
- Users of the Adobe AIR 188.8.131.520 SDK and earlier versions should update to the Adobe AIR 184.108.40.2060 SDK.
- Users of the Adobe AIR 220.127.116.110 SDK & Compiler and earlier versions should update to the Adobe AIR 18.104.22.1680 SDK & Compiler.
Adobe considers the Flash bugs on Windows and Mac OS X the highest priority, while the Linux Flash bug and the Adobe AIR vulnerabilities receive only a priority rating of three, meaning that it is unlikely that attackers will target these bugs.
Adobe acknowledges Liangliang Song and Honggang Ren of Fortinet for finding the Shockwave bugs, and David D. Rude II of iDefense Labs and Attila Suszter of the Reversing on Windows blog for finding the Flash bugs.