Daily Archives: June 24, 2015

HP Publically Discloses Unpatched Use-After-Free Flaws within (32 bit) Internet Explorer

On Friday of last week HP made available full details of research carried out by 3 security researchers who found new methods of bypassing defences added to Internet Explorer (IE). These are the same researchers that I mentioned in an earlier post. While Microsoft used this research to improve the security of Internet Explorer they only did so for the 64 bit version Internet Explorer. The 32 bit version remains vulnerable to the techniques outlined in this research.

In a blog post HP provided the reasons why Microsoft would not patch the 32 bit version of Internet Explorer. I have summarized these reasons below:

  • 64 bit versions of IE benefit the most from ASLR

While this fact is not in doubt, the 32 bit version of IE is still very widely used as I mentioned in a previous blog post. There is a possibility that the amount of development and testing needed to resolve these flaws in the 32 bit version may be much larger than the benefit they would provide. Use-After-Free flaws are usually given Important or Critical severity ratings since such flaws generally require little to no user intervention for them to take place. If zero day exploits begin to appear, Microsoft may be forced to reverse this decision.

    • MemoryProtect has led to a significant decrease of IE case submissions

Presumably case submissions refers to the number of Use-After-Free and other memory corruption flaws being submitted to Microsoft for analysis. Again while I acknowledge this is the case and that no mitigation/defence is perfect; when known security issues are presented to you and can impact a very large number of users you should still try to either reduce the risk further or (if possible) eliminate these issues completely (by in this instance, patching them).

Aside: What is a Use-After-Free vulnerability?
As a web browser downloads and processes the web page that you have requested to view, it stores the results in memory (the Random Access Memory (RAM) of your PC). When you close a tab of your browser, your browser will mark the memory in which that webpage was stored as free (for further use at a later time).

However where the browser marks memory that it has finished using as free but then tries to use it again (either unintentionally via a software bug resulting from human error or maliciously via a piece of malware), malicious code can be placed by an attacker within that section of memory marked as free and when the browser accesses that section again, it can execute that code. Such exploits are discussed in more detail in this Cisco blog post.

Further alternative definitions of a use-after-free issue are also available:

Red Hat (in reference to a recent Linux kernel vulnerability)
Perception Point: exploiting a use-after-free on a Linux system
Microsoft (also details use-after-free mitigations built into Microsoft Edge and Internet Explorer).

Some may feel that I have been unduly harsh on Microsoft in the above comments. I do believe that not all of the information as to why these issues are not going to be patched has been provided. I also believe that Microsoft should at least consider implementing the suggestions within pages 19 to 21 of this white paper to make exploitation of these issues more difficult.

One interesting point that is raised in the HP blog post is the following “Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers).” That comment makes more sense (especially if such non-default configurations are not recommended) but no detail is provided as to what settings make IE vulnerable to these flaws (and thus you can’t make the necessary changes to your configuration to mitigate these flaws). It will be interesting if any more information can be obtained concerning this non-default configuration.

What Can I Do To Defend Myself From These Unpatched Issues?

  1. A suggestion that does not cost any funds and is easy to implement would be to use another web browser (Mozilla Firefox, Apple Safari, Opera and Google Chrome being the most popular choices).
  2. If you are using a 64 bit version of Windows (you can view this page to check which version you have), use the 64 bit version of IE instead of the 32 bit version. This post explains how while this post also provides steps to enable all IE’s processes to be 64 bit rather 32 bit. If you find an add-on that you use frequently does not work with the 64 bit version of IE, simply reverse the steps in the above tutorials temporarily. Alternatively navigate to the folder: C:\Program Files (x86)\Internet Explorer and double click iexplore.exe to open the 32 bit version of IE.
  3. Install and enable the default settings of Microsoft EMET. On my personal PCs which use Windows 8.1 64 bit and Windows 7 64 bit I have all mitigations for IE 11 64 bit enabled (please note that I have ActiveX filtering enabled and thus no add-ons are running within IE on my PCs). The same settings should work for IE 32 bit. A list of known EMET application incompatibilities is available here. You can also ask questions within the EMET forum. The following are very useful tutorials on EMET 5 and EMET 4 (still relevant).
  4. When Windows 10 is released consider using Microsoft Edge since it incorporates additional defences against Use-After-Free flaws and will always be a 64 bit process on a 64 bit version of Windows 10.

The recommendation of using EMET will not only protect against these unpatched flaws but also make exploitation of known flaws much harder. Alternatives to EMET are Malwarebytes Anti-Exploit (free or paid for versions) and HitmanPro.Alert (paid for product).

I hope the above information is useful in defending against these unpatched flaws. When I first read the blog post from HP I initially thought that the 32 bit version of IE was being ignored but the information stating that these issues only affect non-default configurations of 32 bit IE makes these issues much less serious. If any further information on these flaws become available, I will update this blog post.

Thank you.

Adobe Releases Out of Band Security Update For Flash Player

Yesterday evening, Adobe published a security bulletin to announce the availability of a security update for it’s widely used Flash Player web browser plugin. The term “out of band” refers to the fact that this update was not issued according to Adobe’s usual schedule of issuing updates on the second Tuesday of the month.

This update resolves 1 high severity CVE which is currently being exploited by an Advanced Persistent Threat (APT) Group known as APT3. Such an exploit for a flaw that is exploited before it was patched by the vendor is known as a zero day vulnerability. The purpose of the malware being used in this attack is to gain as much access with a corporate network as possible and to install backdoors within those compromised systems (most likely for either further intelligence gathering or intellectual property theft).

The attack begins by the intended victims receiving phishing emails (interestingly these emails are more widespread in nature rather than targeted/customized spear phishing messages). The intended victims are based in large companies that work in varying industries e.g. transport, construction and aerospace (among others). Upon clicking the intended link within the messages, the victim is re-directed to a malicious website where they are profiled (in order to determine which exploit/attack to use to compromise the device visiting the site). A malicious Adobe Flash Player SWF (Small Web Format, formally Shockwave Flash) file and an FLV (Flash video) file are downloaded and are then used to deliver malware to the victim’s device (by exploiting the flaw Adobe has just patched). Full technical details including:

  • How it bypasses operating system defences
  • How the malware un-packs/de-obfuscates itself
  • How it exploits a vulnerable version of Flash Player are provided by FireEye in this blog post.

Other points of interest for this exploit are that its payload is xor (Exclusive OR) encoded and packed using and packed using RC4 encryption. Since a custom encryption scheme was not used it may imply this exploit was developed quickly or the attackers were already confident of success/stealth and thus a more complex encryption scheme to disguise the malware was deemed unnecessary.

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome and Internet Explorer 10 and 11 (installed on Windows 8.0 and 8.1) should receive updates very soon. Google may issue a component update simply to update Flash Player since it has just updated Chrome for security reasons earlier this week. Microsoft has announced the availability of their Flash update by updating this security advisory.

Update: 29th June 2015: According to the well-known malware researcher Kafeine, the Magnitude Exploit kit is now exploiting the flaw that Adobe patched just 4 days ago to install Cryptowall ransomware on the Windows devices that it compromises.

I would recommend that everyone who uses Adobe Flash Player to apply the appropriate updates as soon as possible in order to avoid this exploit affecting your devices.

Thank you.