Monthly Archives: June 2015

HP Publicly Discloses Unpatched Use-After-Free Flaws within (32 bit) Internet Explorer

On Friday of last week HP made available full details of research carried out by 3 security researchers who found new methods of bypassing defences added to Internet Explorer (IE). These are the same researchers that I mentioned in an earlier post. While Microsoft used this research to improve the security of Internet Explorer, they only did so for the 64 bit version of Internet Explorer. The 32 bit version remains vulnerable to the techniques outlined in this research.

In a blog post HP provided the reasons why Microsoft would not patch the 32 bit version of Internet Explorer. I have summarized these reasons below:

  • 64 bit versions of IE benefit the most from ASLR

While this fact is not in doubt, the 32 bit version of IE is still very widely used, as I mentioned in a previous blog post. There is a possibility that the amount of development and testing needed to resolve these flaws in the 32 bit version may be much larger than the benefit it would provide. Use-After-Free flaws are usually given Important or Critical severity ratings since such flaws generally require little to no user intervention for them to be exploited. If zero day exploits begin to appear, Microsoft may be forced to reverse this decision.

  • MemoryProtect has led to a significant decrease of IE case submissions

Presumably "case submissions" refers to the number of Use-After-Free and other memory corruption flaws being submitted to Microsoft for analysis. Again, while I acknowledge this is the case and that no mitigation/defence is perfect, when known security issues are presented to you and can impact a very large number of users you should still try to either reduce the risk further or (if possible) eliminate these issues completely (in this instance, by patching them).

Aside: What is a Use-After-Free vulnerability?
As a web browser downloads and processes the web page that you have requested to view, it stores the results in memory (the Random Access Memory (RAM) of your PC). When you close a tab of your browser, your browser will mark the memory in which that webpage was stored as free (for further use at a later time).

However, if the browser marks memory that it has finished using as free but later tries to use it again (either unintentionally, via a software bug resulting from human error, or because a piece of malware deliberately triggers the stale access), an attacker can place malicious code within that section of memory marked as free, and when the browser accesses that section again it can execute that code. Such exploits are discussed in more detail in this Cisco blog post.

Further alternative definitions of a use-after-free issue are also available:

Red Hat (in reference to a recent Linux kernel vulnerability)
Perception Point: exploiting a use-after-free on a Linux system
Microsoft (also details use-after-free mitigations built into Microsoft Edge and Internet Explorer).
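To make the aside concrete, here is an added example (not code from this post, from Microsoft or from IE) that models the dangling-pointer situation described above together with the idea behind the MemoryProtect mitigation mentioned earlier: a freed block is wiped and parked in a small quarantine instead of being handed straight back to the heap, so a stale reference reads a fill pattern rather than whatever a later allocation placed there. The tab structure, fill byte and ring size are constructed for the illustration.

```c
/* Added illustration, not Microsoft's implementation: a toy "delayed free"
 * quarantine. delayed_free() overwrites the block with a fill pattern and
 * parks it; only when the ring wraps is the oldest block really released.
 * A pointer used after the "free" therefore sees the pattern, not live data. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define QUARANTINE_SLOTS 4
#define FILL_BYTE 0xCD          /* constructed sentinel, not IE's real value */

typedef struct {
    void  *ptr;
    size_t len;
} quarantined_block;

static quarantined_block quarantine[QUARANTINE_SLOTS];
static size_t q_next;

/* Replacement for free(): wipe the block, park it, and give the oldest
 * parked block back to the heap only when the ring wraps around. */
void delayed_free(void *p, size_t len)
{
    if (p == NULL)
        return;
    memset(p, FILL_BYTE, len);
    quarantined_block *slot = &quarantine[q_next];
    if (slot->ptr != NULL)
        free(slot->ptr);        /* oldest entry finally returned to the heap */
    slot->ptr = p;
    slot->len = len;
    q_next = (q_next + 1) % QUARANTINE_SLOTS;
}

/* Returns 1 if every byte of the block still carries the fill pattern,
 * i.e. a stale read would see the sentinel and not usable data. */
int looks_quarantined(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] != FILL_BYTE)
            return 0;
    return 1;
}

/* A tab object of the kind the aside describes, holding page content. */
typedef struct {
    char title[32];
    char body[64];
} tab_page;

/* The bug pattern from the aside: the tab is closed (freed) but a reference
 * to it is kept and read again. Because the block is only parked, reading it
 * here is well defined and shows nothing but the fill pattern. Returns 1 when
 * the stale read sees only the pattern. */
int stale_read_sees_fill(void)
{
    tab_page *page = malloc(sizeof *page);
    if (page == NULL)
        return -1;
    strcpy(page->title, "example.invalid");   /* constructed content */
    strcpy(page->body, "page text");
    tab_page *dangling = page;                /* reference kept after close */
    delayed_free(page, sizeof *page);         /* "close the tab" */
    return looks_quarantined((const unsigned char *)dangling, sizeof *dangling);
}
```

The protection is only as deep as the quarantine: once the ring wraps, the block really is released and the dangling pointer becomes a genuine use-after-free again, which is why the post treats such mitigations as risk reduction rather than a substitute for patching.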

Some may feel that I have been unduly harsh on Microsoft in the above comments. I do believe that not all of the information as to why these issues are not going to be patched has been provided. I also believe that Microsoft should at least consider implementing the suggestions within pages 19 to 21 of this white paper to make exploitation of these issues more difficult.

One interesting point that is raised in the HP blog post is the following: “Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers).” That comment makes more sense (especially if such non-default configurations are not recommended), but no detail is provided as to what settings make IE vulnerable to these flaws (and thus you can’t make the necessary changes to your configuration to mitigate them). It will be interesting to see whether any more information can be obtained concerning this non-default configuration.

What Can I Do To Defend Myself From These Unpatched Issues?

  1. A suggestion that does not cost any funds and is easy to implement would be to use another web browser (Mozilla Firefox, Apple Safari, Opera and Google Chrome being the most popular choices).
  2. If you are using a 64 bit version of Windows (you can view this page to check which version you have), use the 64 bit version of IE instead of the 32 bit version. This post explains how, while this post also provides steps to enable all of IE’s processes to be 64 bit rather than 32 bit. If you find an add-on that you use frequently does not work with the 64 bit version of IE, simply reverse the steps in the above tutorials temporarily. Alternatively, navigate to the folder C:\Program Files (x86)\Internet Explorer and double click iexplore.exe to open the 32 bit version of IE.
  3. Install and enable the default settings of Microsoft EMET. On my personal PCs which use Windows 8.1 64 bit and Windows 7 64 bit I have all mitigations for IE 11 64 bit enabled (please note that I have ActiveX filtering enabled and thus no add-ons are running within IE on my PCs). The same settings should work for IE 32 bit. A list of known EMET application incompatibilities is available here. You can also ask questions within the EMET forum. The following are very useful tutorials on EMET 5 and EMET 4 (still relevant).
  4. When Windows 10 is released consider using Microsoft Edge since it incorporates additional defences against Use-After-Free flaws and will always be a 64 bit process on a 64 bit version of Windows 10.

The recommendation of using EMET will not only protect against these unpatched flaws but also make exploitation of known flaws much harder. Alternatives to EMET are Malwarebytes Anti-Exploit (free or paid for versions) and HitmanPro.Alert (paid for product).

I hope the above information is useful in defending against these unpatched flaws. When I first read the blog post from HP I initially thought that the 32 bit version of IE was being ignored, but the information stating that these issues only affect non-default configurations of 32 bit IE makes these issues much less serious. If any further information on these flaws becomes available, I will update this blog post.

Thank you.

Adobe Releases Out of Band Security Update For Flash Player

Yesterday evening, Adobe published a security bulletin to announce the availability of a security update for its widely used Flash Player web browser plugin. The term “out of band” refers to the fact that this update was not issued according to Adobe’s usual schedule of issuing updates on the second Tuesday of the month.

This update resolves 1 high severity CVE which is currently being exploited by an Advanced Persistent Threat (APT) group known as APT3. A flaw that is exploited before the vendor has patched it is known as a zero day vulnerability. The purpose of the malware being used in this attack is to gain as much access within a corporate network as possible and to install backdoors within the compromised systems (most likely for either further intelligence gathering or intellectual property theft).

The attack begins with the intended victims receiving phishing emails (interestingly these emails are more widespread in nature rather than targeted/customized spear phishing messages). The intended victims are based in large companies that work in varying industries, e.g. transport, construction and aerospace (among others). Upon clicking the intended link within the messages, the victim is re-directed to a malicious website where they are profiled (in order to determine which exploit/attack to use to compromise the device visiting the site). A malicious Adobe Flash Player SWF (Small Web Format, formerly Shockwave Flash) file and an FLV (Flash video) file are downloaded and are then used to deliver malware to the victim’s device (by exploiting the flaw Adobe has just patched). Full technical details, including:

  • How it bypasses operating system defences
  • How the malware un-packs/de-obfuscates itself
  • How it exploits a vulnerable version of Flash Player

are provided by FireEye in this blog post.

Other points of interest for this exploit are that its payload is XOR (Exclusive OR) encoded and packed using RC4 encryption. Since a custom encryption scheme was not used, it may imply this exploit was developed quickly or that the attackers were already confident of success/stealth and thus a more complex encryption scheme to disguise the malware was deemed unnecessary.

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome and Internet Explorer 10 and 11 (installed on Windows 8.0 and 8.1) should receive updates very soon. Google may issue a component update simply to update Flash Player since it has just updated Chrome for security reasons earlier this week. Microsoft has announced the availability of their Flash update by updating this security advisory.

Update: 29th June 2015: According to the well-known malware researcher Kafeine, the Magnitude Exploit kit is now exploiting the flaw that Adobe patched just 4 days ago to install Cryptowall ransomware on the Windows devices that it compromises.

I would recommend that everyone who uses Adobe Flash Player apply the appropriate updates as soon as possible in order to avoid this exploit affecting your devices.

Thank you.

Google Releases Security Update for Chrome 43

Yesterday Google made available Chrome version 43.0.2357.130 for Linux, Mac OS X and Windows. This is a small update which contains fixes for 4 CVEs (2x High severity, 2x Medium severity).

For an explanation of the term CVE, please see the first short aside within this blog post.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Alternatively Chrome can be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu.

Full details of the update are available in this Google blog post.

While Google Chrome updates generally install without issues, as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

SAP HANA Database Uses Static Encryption Key By Default

Earlier this month leading ERP (Enterprise Resource Planning) vendor SAP released an updated version of their HANA database. HANA is an in-memory database: it is held in RAM (computer memory) for very fast performance, although it is periodically written to a hard disk to create recovery checkpoints. However it has been revealed that in the vast majority of installations of this product the data encryption key is left at the default value. Thus if an attacker obtains access to the database, they can potentially obtain access to all of the data, since the encryption key is static (unchanged) across a very large number of database installations. In addition, the databases have been known to have SQL injection flaws (however one such flaw has recently been resolved).

Please note that I don’t consider the fact that a default encryption key is used by SAP HANA a failing on SAP’s part. It is up to the individuals who manage the HANA database to understand that important default settings should be changed. However I do acknowledge that such important default settings should be set (and that such steps cannot be bypassed) during the installation/setup of the HANA database and that the installer/setup routine should enforce very strong criteria in relation to the complexity of the encryption key since all of the information within the database will be protected by this key.

How Can I Protect Myself From These Issues?
It is recommended to have the most recent version of SAP HANA installed and to ensure that it has all of the necessary security updates installed (recent updates are detailed in this blog post). In addition, please follow the advice within the SAP security handbook as well as the administration guide, specifically the following pages:

SAP HANA Security Handbook:

Page 115 to 120: Encryption keys and admin encryption tasks
Page 121 to 126: Protecting user credential stores and SAP HANA Studio Workspaces

SAP HANA Administration Guide:

Pages 479 to 485: Managing data volume encryption (ignore section 3.3.4 Disable Data Volume Encryption)
Pages 486 to 492: Managing/Changing Encryption Keys

Finally I would also recommend following the advice in the Cross-site Scripting (XSS) flaw blog post (part 2 of that blog post should be published at a later date). The main blog index may also contain posts that you may find useful for your environment. If you are in any doubt or would like further advice, please contact SAP Support for more information.

Please note that the links to the blog posts written by ERPScan were not functioning when the post was added to this blog but were operational when I originally referred to them. The availability of links provided within my blog is a factor outside of my control. I will update this post when these links become functional again. Apologies for the inconvenience.

Update: 5th July 2015: I’ve verified that the blog posts written by ERPScan linked to above are now functional again.

Thank you.

Drupal Releases Security Updates

The very popular website Content Management System Drupal has released security updates to resolve 4 CVEs within versions 6 and 7 of their product. The pervasiveness of Drupal, and thus the huge scale of the risks posed by these issues, is detailed in this blog post.

For a definition of the term CVE, please see the first short aside within this blog post.

The first security flaw relating to the impersonation of legitimate users (of the Content Management System) is the only flaw to be rated critical by Drupal and should be patched/updated immediately. This flaw could allow a malicious user to log in as an authenticated user (i.e. users who are legitimately accessing the Content Management System) and could be especially severe if that authorized user has high privileges.

A further 2 less critical flaws could cause authenticated users to be re-directed to 3rd party websites of the attacker’s choice without the user’s consent/permission and could place your users in danger of being exploited by other unpatched vulnerabilities on their devices. The final flaw is an information disclosure issue that could allow malicious users to view the content that was previously cached (when they legitimately viewed it) by authenticated users.

Drupal users should upgrade to version 6.36 or 7.38 to resolve these issues. Further information and steps to install the updates are available in the Drupal Security Advisory.

Thank you.

Apple App Store Apps Vulnerable to Elevation of Privilege Vulnerabilities

A group of 6 researchers from Indiana University have made available a report that details 4 sets of flaws within apps available in the Apple App Store. The researchers named these collections of flaws unauthorized cross-app resource access, or XARA.

What Are These Flaws and What Data Can They Steal From Me?
The first flaw lies within Apple’s KeyChain, which is one mechanism used to share information between separate apps (such separation is called “sandboxing”, where each app resides in a separate defined area/sandbox). Apps can store information in a private cookie on the computer, but this flaw allows a malicious app (which must have been approved by Apple to be available in the App Store) to delete the existing relationship the genuine app has with KeyChain (and thus with its private login cookie) and then re-create the relationship, this time with additional permissions given to the malicious app (in the item’s ACL) that allow the malicious app to access data that it otherwise couldn’t. As an alternative to deleting the existing relationship, it is also possible to create a relationship with KeyChain for the legitimate app (and including the malicious app) before the legitimate app creates such a relationship in the first instance. This is the elevation of privilege flaw, since the malicious app now has more access than it should. The researchers used this flaw to obtain Apple iCloud and Facebook passwords.

What is an ACL?
An Access Control List (ACL) is a list that is present with an object and this list controls who has access to that object and what kind of access they can have (e.g. read only, write, delete etc.). An object is something (e.g. a computer, a folder, a file etc.) that you wish to protect by controlling who has access to it.

The second flaw, Container Cracking, is where one app’s private data store (e.g. the contents of your Evernote folder) can be accessed by another, malicious app simply by that malicious app masquerading as the genuine app by assuming the genuine app’s BID (Bundle ID). If the malicious app can be launched first with the genuine app’s BID, then the operating system will add that malicious app to the ACL that allows access to the private data store, in this case your Evernote folder.

The third flaw, IPC Interception, would allow a malicious app to impersonate a legitimate app. The security researchers gave the example of a malicious app impersonating the 1Password browser extension, which could thus intercept data travelling on an internet port (assigned to the browser extension) to capture the login data for a specific website where a user is attempting to log in. 1Password has offered advice in this blog post on preventing this attack and discusses approaches that it is currently considering in order to mitigate this issue in the long-term.

For the fourth and final flaw, Scheme Hijacking, the researchers found that a URL scheme used to share information between apps could be hijacked by the first app registering that specific scheme (in Apple iOS, it is the most recent app to register for that URL scheme that is allowed to make use of it). For OS X the researchers were able to hijack the access token of Wunderlist (a To Do list app). For iOS the researchers were able to hijack the URL scheme for communicating between the Facebook and Pinterest apps, allowing the Pinterest app to access data within the Facebook app.

To see the extent to which apps are vulnerable to such flaws (within the 4 categories mentioned above), please see Table 1 located on page 9 of the researchers’ report. In addition, for a detailed list of the types of data that can be exposed during these attacks, please refer to Table 2 on page 10 of their report.
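The KeyChain flaw above hinges on the item’s ACL ending up with an entry for a second app, whether by delete-and-recreate or by pre-creating the item before the genuine app runs. The following is an added example, not code from the report, from 1Password or from Apple’s Security framework: a toy model of a keychain item and the app-side check of “does this item’s ACL name anyone but me?” that a legitimate app can run before trusting or writing a credential into it. The item layout, app identifiers and secrets are constructed.

```c
/* Added illustration: a constructed keychain item with an ACL of app
 * identifiers, and the trust check an app can apply before reusing it.
 * Real keychain items live behind Apple's Security framework; this model
 * does not call it. */
#include <string.h>

#define MAX_ACL 4

typedef struct {
    const char *service;        /* what the secret is for, e.g. "icloud" */
    const char *secret;         /* stored credential */
    const char *acl[MAX_ACL];   /* app identifiers allowed to read it */
    int         acl_count;
} keychain_item;

/* Returns 1 only if the ACL lists exactly one app and that app is us.
 * Any extra entry means the item was tampered with or pre-created by
 * someone else (the two scenarios the report describes). */
int item_owned_solely_by(const keychain_item *item, const char *my_bid)
{
    return item->acl_count == 1 && strcmp(item->acl[0], my_bid) == 0;
}

/* App-side policy: reuse the item only if the check passes; otherwise do
 * not store the credential in it but reset the ACL to ourselves and write a
 * fresh secret. Returns 1 if the existing item was reused, 0 if it was
 * rejected and recreated. */
int open_or_recreate(keychain_item *item, const char *my_bid,
                     const char *new_secret)
{
    if (item_owned_solely_by(item, my_bid))
        return 1;
    item->acl[0] = my_bid;
    item->acl_count = 1;
    item->secret = new_secret;
    return 0;
}

/* Scenario 1: the item exactly as the legitimate app created it. */
int scenario_clean(void)
{
    keychain_item item = { "icloud", "s3cret", { "com.example.legit" }, 1 };
    return item_owned_solely_by(&item, "com.example.legit");
}

/* Scenario 2: the item was deleted and re-created (or pre-created) with a
 * second, rogue app on the ACL, as the report describes. */
int scenario_tampered(void)
{
    keychain_item item = { "icloud", "s3cret",
                           { "com.example.legit", "com.example.rogue" }, 2 };
    return item_owned_solely_by(&item, "com.example.legit");
}

/* Scenario 3: the policy applied to the tampered item. Returns 1 when the
 * item was rejected, the rogue entry dropped and a fresh secret stored. */
int scenario_recreate(void)
{
    keychain_item item = { "icloud", "old-secret",
                           { "com.example.legit", "com.example.rogue" }, 2 };
    int reused = open_or_recreate(&item, "com.example.legit", "fresh-secret");
    return reused == 0 && item.acl_count == 1
        && strcmp(item.acl[0], "com.example.legit") == 0
        && strcmp(item.secret, "fresh-secret") == 0;
}
```

This check only stops a legitimate app from handing its credential to an already hijacked item; a malicious app on the same machine can repeat the manipulation, which is why the post treats the underlying fix as Apple’s to make.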

How To Defend Against These Attacks
Since the researchers reported these flaws to Apple in October last year it is reasonable to assume that Apple is working to resolve them and would have stricter checks in place to prevent further apps containing these flaws becoming certified within their Store.
These flaws are not trivial for Apple to resolve since the apps are working as intended and these flaws stem from design decisions that have been abused in novel ways. Thus to resolve them will mean either re-designing these apps’ intercommunication mechanisms to prevent these flaws having a malicious effect or adding stricter checks to prevent apps being placed in the Store that inadvertently use these mechanisms in ways that were not intended by Apple. Thus to defend against the exploitation of these flaws I would simply recommend only downloading apps that you know and trust from the Apple App Store.

Further resources discussing these flaws are this post and this post.

Thank you.

Important Security Updates Available for Adobe, VMware and Wireshark Products

Earlier this week Adobe made available security updates for Adobe Photoshop CC (resolves 4 CVEs) and Adobe Bridge CC (3 CVEs resolved, shares the same CVE identifiers fixed in the Photoshop update). These updates are installed simply by checking for updates within the affected applications (please see the above linked Security Bulletins for more details).

VMware released security updates for VMware Fusion, VMware Horizon clients, VMware Player, and VMware Workstation last week resolving 7 CVEs. This week further updates for VMware Fusion, VMware Player and VMware Workstation were also made available. The second set of Fusion and Workstation updates each resolve 8 CVEs, the Player update does not mention CVEs but likely includes fixes too (since Player and Workstation mostly share the same code base). The Fusion and Workstation updates include updated versions of the OpenSSL library (updating to version 1.0.1m to resolve all 8 CVEs previously mentioned). Please follow the steps mentioned within the in-product update messages or download the updates using the appropriate links within the release notes linked to above. The updates for Fusion, Player and Workstation from this week also include the fixes that were issued last week.

In addition, yesterday Wireshark released updates (version 1.12.6) that include fixes for software bugs and security issues (2 CVEs resolved). For Linux distributions updates can be obtained using the operating system’s standard package manager (if the latest version is not installed automatically you can instead compile the source code). For Mac OS X and Windows, the updates are available within the downloads section of the Wireshark website.

Update: 12th July 2015: VMware have released a further security advisory for VMware Player, Workstation and Horizon View Clients. Older versions of these applications were mainly affected while some newer versions already received the appropriate updates as previously detailed above. Please check this new advisory and apply any updates that you may not yet have installed.

If you have not encountered the term CVEs before, please see the first short aside within this blog post for an explanation.

If you use any of the above mentioned products, please install the appropriate updates when you can. If these products are installed on critical production systems or systems that contain your critical data, please back up your data before installing these updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.