Tag: exploits


Thanks to the recent string of zero-day vulnerabilities, Adobe has been busy reworking Flash's architecture and strengthening its defenses:

At the moment, the defenses are fully implemented only in the Flash version included in Google Chrome, having made their debut earlier this week. One of the two mitigations is available in other versions of Flash, and the remaining one is expected to be added to other browsers in August. Had they been widely available earlier, they likely would have blunted the effects of at least some of the three most recent zero-day vulnerabilities, which were leaked following the thorough hack of Hacking Team, the malware-as-a-service provider that catered to governments around the world. To block entire classes of new exploits, Adobe engineers, with the help of their counterparts at Google’s Project Zero team, have made two key changes, which were documented in a blog post published Thursday.

The first, which is currently available only in Chrome, is a new partition added to the heap, which is a large pool of computer memory. The partition isolates different types of memory contents, typically known as objects, from each other so one can’t be used to hijack or otherwise tamper with another. Heap partitioning has long been a mainstay in Chrome and other browsers. Now it’s a key defense in Flash.

Had heap partitioning been a part of Flash earlier, it would have significantly complicated some of the exploits that recently came to light in the Hacking Team breach. That’s because the exploits modified the “Vector.” object after a portion of heap where it had resided was freed. The tampering allowed the attackers to inject malicious code into computer memory and from there install their malicious software on the underlying computer. Similar Vector. tampering was also a part of separate, in-the-wild exploits from earlier this year.
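To make the mechanism concrete, here is a toy allocator (an added illustration, not Adobe's or Chrome's code) that models the two policies the quoted article contrasts. Objects are tagged with a type index; the "shared" heap keeps one free list for everything, so a freed slot of one type can be handed back to the next allocation of a different type, while the "partitioned" heap keeps a free list per type, so a slot only ever returns to the same type. The arena size, slot size and type numbers are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define ARENA_SIZE     4096   /* assumed toy arena, bytes */
#define SLOT_SIZE      32     /* every object in this toy heap is one slot */
#define MAX_PARTITIONS 4      /* one partition per object type */
#define MAX_FREE       64

typedef struct {
    unsigned char arena[ARENA_SIZE];
    size_t bump;                                /* next never-used offset */
    void  *free_list[MAX_PARTITIONS][MAX_FREE]; /* shared heap uses index 0 only */
    size_t free_count[MAX_PARTITIONS];
    bool   partitioned;
} toy_heap;

static void heap_init(toy_heap *h, bool partitioned) {
    memset(h, 0, sizeof *h);
    h->partitioned = partitioned;
}

/* Map an object type onto a free list: its own list when partitioned,
 * the single shared list otherwise. */
static int list_for(const toy_heap *h, int type) {
    if (type < 0 || type >= MAX_PARTITIONS) type = 0;
    return h->partitioned ? type : 0;
}

static void *heap_alloc(toy_heap *h, int type) {
    int p = list_for(h, type);
    if (h->free_count[p] > 0)
        return h->free_list[p][--h->free_count[p]];   /* reuse a freed slot */
    if (h->bump + SLOT_SIZE > ARENA_SIZE)
        return NULL;
    void *ptr = h->arena + h->bump;                    /* fresh slot */
    h->bump += SLOT_SIZE;
    return ptr;
}

static void heap_free(toy_heap *h, int type, void *ptr) {
    int p = list_for(h, type);
    if (h->free_count[p] < MAX_FREE)
        h->free_list[p][h->free_count[p]++] = ptr;
}

/* Free an object of type_a, then allocate an object of type_b.
 * Returns true when the new object lands on the freed address, i.e. when
 * a stale type_a pointer would now be looking at type_b contents. */
static bool cross_type_reuse(bool partitioned, int type_a, int type_b) {
    toy_heap h;
    heap_init(&h, partitioned);
    void *a = heap_alloc(&h, type_a);
    heap_free(&h, type_a, a);
    void *b = heap_alloc(&h, type_b);
    return a == b;
}

int main(void) {
    /* type 0 stands in for Vector buffers, type 1 for any other object */
    printf("shared heap,      Vector -> other: reused = %d\n", cross_type_reuse(false, 0, 1));
    printf("partitioned heap, Vector -> other: reused = %d\n", cross_type_reuse(true, 0, 1));
    printf("partitioned heap, Vector -> Vector: reused = %d\n", cross_type_reuse(true, 0, 0));
    return 0;
}
```

The third case shows the limit of the defense: partitioning does not stop reuse within a type, it only stops one type's freed memory from being recycled as another type, which is the cross-type confusion the quoted exploits depended on.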

Firefox has made the right move and now blocks Flash, the antiquated software equivalent of Swiss cheese, by default:

The Mozilla Firefox web browser now blocks Flash by default. And when I say “blocks,” I don’t mean it asks you nicely if you’d really like to use Flash. I don’t mean it automatically pauses Flash videos like Google Chrome. I mean Mozilla has decided that Flash is going down.

Why such a hard-on for Flash? Why now? Well, it could be that the world just rediscovered just how prone Flash is to nasty, nasty vulnerabilities. When the Hacking Team—an Italian security company that sold intrusive spy tools—got hacked, one of those tools got out into the wild. A nasty hole in Flash that Adobe has yet to patch.

And in fact, Mozilla’s Mark Schmidt says that once the “publicly known vulnerabilities” are fixed, Firefox will stop actively blocking Flash.

So what about the bigger picture? Why ask to get rid of Flash once and for all?

This only applies to older versions of Flash with known vulnerabilities. The most recently issued version of Flash appears not to be blocked... yet.

As more security researchers sift through the mountain of leaked data and the list of exploits the company leveraged, new critical discoveries are being made almost daily. Today we learn that Hacking Team used a UEFI BIOS rootkit to keep its RCS 9 agent on target systems:

The dissection of the data from the Hacking Team leak has yielded another critical discovery: Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.

They have written a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops). However, the code can very likely work on AMI BIOS as well.

A Hacking Team slideshow presentation claims that successful infection requires physical access to the target system; however, we can’t rule out the possibility of remote installation. An example attack scenario would be: The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, reflashes the BIOS, and then reboots the target system.

Ars Technica on a horribly thought-out support feature that now has Cisco warning of a default SSH key exploit on its appliances:

The common default key was apparently inserted into the software, Fisher reported, for “support reasons.”

The second vulnerability on the same set of virtual appliances is “a preinstalled set of SSH host keys that allow access to communication secured by those keys,” Cisco’s security team warned in the advisory. These keys are used to protect appliance-to-appliance communications. “Because all deployments of WSAv or ESAv use the same set of default SSH host keys, accessing any of the private keys on a single deployment could allow an attacker to decrypt communication on WSAv, ESAv, or SMAv,” the advisory stated. “An attacker with possession of compromised keys, who is able to intercept traffic between the WSAv or ESAv and a host it is communicating with, would be able to decrypt the communication with a man-in-the-middle attack.”
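The weakness described above is easy to spot from the outside: two hosts that present the same SSH host key are sharing a private key. The following is an added checking tool, not Cisco's code and not taken from the advisory. It reads lines in the format `ssh-keyscan` and `known_hosts` use (`host keytype base64-blob`), compares the base64 key blobs, and reports every host whose key is also presented by another host. The sample lines, host names and key blobs are constructed placeholders; in practice you would feed it the output of `ssh-keyscan` over your appliance fleet.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample in ssh-keyscan / known_hosts format. The blobs are
 * placeholders, not real keys; three hosts present the same blob. */
static const char *const SAMPLE[] = {
    "wsav-1.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsharedKEY",
    "esav-1.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsharedKEY",
    "mail.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDuniqueKEY1",
    "smav-1.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsharedKEY",
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Locate the n-th whitespace-separated field (0-based). Sets *start and
 * returns the field length, or 0 if the line has too few fields. */
static size_t field(const char *line, int n, const char **start) {
    const char *p = line;
    for (int i = 0; i < n; i++) {
        while (*p && !isspace((unsigned char)*p)) p++;   /* skip field */
        while (*p && isspace((unsigned char)*p)) p++;    /* skip separator */
    }
    const char *end = p;
    while (*end && !isspace((unsigned char)*end)) end++;
    *start = p;
    return (size_t)(end - p);
}

/* True when lines a and b carry byte-identical key blobs (field 2). */
static int same_host_key(const char *a, const char *b) {
    const char *ka, *kb;
    size_t la = field(a, 2, &ka);
    size_t lb = field(b, 2, &kb);
    return la > 0 && la == lb && memcmp(ka, kb, la) == 0;
}

/* Count hosts whose host key is also presented by at least one other host.
 * A result of 0 means every host has a unique key. */
static size_t count_hosts_with_shared_key(const char *const lines[], size_t n) {
    size_t shared = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            if (i != j && same_host_key(lines[i], lines[j])) {
                shared++;
                break;
            }
        }
    }
    return shared;
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        for (size_t j = 0; j < SAMPLE_LEN; j++) {
            if (i != j && same_host_key(SAMPLE[i], SAMPLE[j])) {
                const char *host;
                size_t len = field(SAMPLE[i], 0, &host);
                printf("shared host key: %.*s\n", (int)len, host);
                break;
            }
        }
    }
    printf("%zu of %zu hosts share a host key\n",
           count_hosts_with_shared_key(SAMPLE, SAMPLE_LEN), SAMPLE_LEN);
    return 0;
}
```

Comparing the raw blob is equivalent to comparing fingerprints, since `ssh-keygen -l` hashes exactly this blob; any host flagged here should have its host keys regenerated and the old keys removed from every peer's `known_hosts`.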

Security Affairs reports that OPM data from the recent breach of four million users is now being offered for sale on the dark web:

While security experts speculate on who might be responsible for the recent data breach at the US Office of Personnel Management (OPM), the alleged data has appeared on the dark web. I have personally found it on a popular black market, available for sale. The OPM DB sample is offered by a user that uses the pseudonym PING.

According to a number of colleagues that noticed the same OPM DB dump for sale, the information is being traded actively.

We are speaking of more than 4.1 million federal government employee records dating back to the 1980s.

Start monitoring your financial records *very* closely, because things are about to get very dirty, very quickly.

According to the EFF, the US Navy is soliciting proposals to purchase zero-day and other security exploits online:

The Navy put up a solicitation explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.”

Although this solicitation was posted on a publicly accessible site, it seems the Navy didn’t want the attention and pulled it down the day after Dave tweeted about it. (We’ve uploaded the cached copy from Google.) Even so, the fact that the United States government is looking for vendors to sell it software vulnerabilities isn’t news—we’ve known for some time that the government uses software vulnerabilities, sometimes known as zero-days, for offensive intelligence-gathering and espionage. The media has also reported on the government’s purchases of zero-days from outside vendors.

What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities. As we’ve explained before, the decision to use a vulnerability for “offensive” purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users.

The fact that the US Navy is looking to purchase zero-day and other security vulnerabilities should come as no surprise to anyone. What is surprising is that this solicitation was publicly accessible. Considering the sensitive nature of such a request, I would not have expected to see this acquisition request in such a blatantly obvious location.