Tag Archives: Use-After-Free

Ubuntu Issues Security Updates for April 2016

In the first week of April Ubuntu issued security updates to address vulnerabilities responsibly disclosed (defined) in the Ubuntu kernel (defined). Each vulnerability addressed was assigned a separate CVE identifier (defined).

Why Should These Issues Be Considered Important?
While Ubuntu did not assign severities to these issues, any issue within the kernel can be considered high to critical severity (particularly if it is remotely exploitable), since an attacker who gains control of the kernel can use that control to carry out any action of their choice on the system. Ubuntu does mention that the most severe of these issues could potentially lead to remote code execution (the ability for an attacker to remotely carry out any action of their choice on your Ubuntu device), while the remainder can lead to denial of service conditions (defined).

The types of vulnerabilities addressed are varied and range from use-after-free (defined) vulnerabilities to a timing side channel attack (defined; in this case exploiting a timing difference within the Linux Extended Verification Module (EVM)) to a buffer overflow (defined) and incorrect file descriptor handling (defined).

How Can I Protect Myself From These Issues?
Within Ubuntu’s security advisory they provide the steps to download the appropriate updates for the version of Ubuntu that you are using. In addition, a system reboot is required for these updates to take effect.

In addition, the 3 recent security advisories listed below were also made available by Ubuntu. Please ensure that you have followed the steps within each to ensure that you are protected from these vulnerabilities:

USN-2917-3: Firefox regressions: Addresses 34 CVEs
USN-2951-1: OptiPNG vulnerabilities: Addresses 5 CVEs
USN-2950-1: Samba vulnerabilities: Addresses 8 CVEs (among them the Badlock issue)

Thank you.

Linux Kernel Vulnerability Patched

On the 14th of January the security firm Perception Point responsibly disclosed (defined) a Linux kernel use-after-free (defined) security vulnerability to Red Hat’s security team.

Why Should This Issue Be Considered Important?
Since this issue has existed since 2012 but was only recently discovered, the number of affected systems is very high: most likely millions of Linux servers and workstations, as well as Android devices running version 4.4 (KitKat) and later. A more comprehensive list of affected devices is available within this blog post by Liquid Web.

The vulnerability exists in the keyrings feature of the kernel, which is used to manage encryption keys, authentication keys etc. within Linux. The root cause is a reference counter that can be made to overflow (an integer overflow (defined)); once the counter wraps, the kernel frees a keyring object that is still in use, which is the use-after-free. In their detailed blog post on this issue, Perception Point describe it as relatively easy to exploit. In addition, Red Hat mentions that there is no workaround available for this issue.

How Can I Protect Myself From This Issue?
Details of how to check if your Linux device is vulnerable to this issue are provided in the previously mentioned blog post by Liquid Web. They also provide steps on how to update your Red Hat and CentOS devices.

Perception Point mentions that security mitigations such as SMEP (Supervisor Mode Execution Protection, also discussed here) and SMAP (Supervisor Mode Access Prevention) will make exploitation of this issue more difficult, since these features stop the kernel from executing code in, or reading data from, user-space memory that an exploit would otherwise point the kernel at.

If your Linux device is found to be vulnerable, continue to check for updates until one becomes available that resolves this issue. You can check for updates for your Linux device by using the package manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu), which should assist you in using the package manager for your distribution of Linux).

Specific information for some of the affected versions of Linux is provided below:

A very useful tutorial for updating your Linux system against this specific issue (covering a larger number of distributions) is located here. Once the update is installed you will need to restart/reboot the Linux device for the update to take effect, since the running kernel is only replaced at boot.

Thank you.

Zero Day Initiative (ZDI) Publicly Discloses 4 New Internet Explorer Vulnerabilities

Update: 6th August 2015:
Sorry for not updating this post sooner. According to two separate news articles here and here, only one of these zero day flaws affected the desktop version of IE (installed on workstations, laptops and servers). This flaw, ZDI-15-359, has now been patched by Microsoft. The remaining three flaws affect the version of IE bundled with Windows Phone. A smaller number of Windows Phone users are affected than the number of devices that run the desktop version of IE; however, Windows Phone users should monitor for an update to their phone's software that resolves these remaining security issues.

In addition, while these issues were publicly disclosed in July, exact details of the issues were not provided in the ZDI advisories linked below. Public disclosure usually means that all details are released, but in this case the decision not to publish exact details was the right one and should help reduce the risk to users until the remaining issues are patched.

Thank you.
=======================
Original Post:
=======================
Between late 2014 and early 2015 HP's Zero Day Initiative (ZDI) responsibly disclosed (defined) 4 security vulnerabilities within Internet Explorer (IE) to Microsoft. In all 4 cases Microsoft investigated and provided information regarding an expected build/version of IE that would resolve the issue, but in no case was an expected date for this updated build provided. ZDI notified Microsoft of their intention to disclose details of these flaws publicly following the end of its 120-day deadline.

Each of these 4 vulnerabilities requires the user to visit either a compromised legitimate website (as seen in watering hole attacks) or a website specifically designed to exploit these flaws.

What Can I Do To Defend Myself From These Unpatched Issues?

  1. A suggestion that does not cost any funds and is easy to implement would be to use another web browser until these issues are patched e.g. Mozilla Firefox, Apple Safari, Opera and Google Chrome being the most popular choices.
  2. Use caution when clicking on any links in emails, instant messages or social networking posts when the links were received unexpectedly or the wording of such messages is suspicious. For shortened links, consider using a preview service to check the destination of the full link before visiting it. Links to preview services are available within the “Protecting Your PC” page of this blog.
  3. Install and enable the default settings of Microsoft EMET. On my personal PCs which use Windows 8.1 64 bit and Windows 7 64 bit I have all mitigations for IE 11 64 bit enabled. A list of known EMET application incompatibilities is available here. You can also ask questions within the EMET forum. The following are very useful tutorials on EMET 5 and EMET 4 (still relevant).
  4. When Windows 10 is released next week, consider using Microsoft Edge since it incorporates additional defences against Use-After-Free flaws (3 of these 4 flaws are use-after-free flaws (defined)) and would not be vulnerable to these issues since Edge is based on a separate codebase from IE (Edge is a development fork of IE). For more background information regarding Microsoft Edge, please see a previous blog post of mine.
  5. Each of the ZDI advisories (linked below) recommends disabling Active Scripting within IE as a mitigation. While this is effective, it may affect the reliable display of the websites that you visit.

The recommendation of using EMET will not only protect against these unpatched flaws but also make exploitation of known flaws much harder. Alternatives to EMET are Malwarebytes Anti-Exploit (free or paid for versions) and HitmanPro.Alert (paid for product).

I will update this post should more information on mitigations for these issues become available or any further information is shared regarding when these issues may be patched.

Links to the 4 advisories published by ZDI are shown below:

ZDI-15-359: Microsoft Internet Explorer CTableLayout::AddRow Out-Of-Bounds Memory Access Vulnerability

ZDI-15-360: Microsoft Internet Explorer CAttrArray Use-After-Free Remote Code Execution Vulnerability

ZDI-15-361: Microsoft Internet Explorer CCurrentStyle Use-After-Free Remote Code Execution Vulnerability

ZDI-15-362: Microsoft Internet Explorer CTreePos Use-After-Free Remote Code Execution Vulnerability

Thank you.

HP Publicly Discloses Unpatched Use-After-Free Flaws within (32 bit) Internet Explorer

On Friday of last week HP made available full details of research carried out by 3 security researchers who found new methods of bypassing defences added to Internet Explorer (IE). These are the same researchers that I mentioned in an earlier post. While Microsoft used this research to improve the security of Internet Explorer they only did so for the 64 bit version Internet Explorer. The 32 bit version remains vulnerable to the techniques outlined in this research.

In a blog post HP provided the reasons why Microsoft would not patch the 32 bit version of Internet Explorer. I have summarized these reasons below:

  • 64 bit versions of IE benefit the most from ASLR

While this fact is not in doubt, the 32 bit version of IE is still very widely used, as I mentioned in a previous blog post. There is a possibility that the amount of development and testing needed to resolve these flaws in the 32 bit version may be much larger than the benefit it would provide. Use-After-Free flaws are usually given Important or Critical severity ratings since exploiting them generally requires little to no user interaction beyond viewing a malicious web page. If zero day exploits begin to appear, Microsoft may be forced to reverse this decision.

  • MemoryProtect has led to a significant decrease of IE case submissions

Presumably case submissions refers to the number of Use-After-Free and other memory corruption flaws being submitted to Microsoft for analysis. Again, while I acknowledge this is the case and that no mitigation/defence is perfect, when known security issues are presented to you and can impact a very large number of users you should still try to either reduce the risk further or (if possible) eliminate these issues completely (in this instance, by patching them).

=======================
Aside: What is a Use-After-Free vulnerability?
As a web browser downloads and processes the web page that you have requested to view, it stores the results in memory (the Random Access Memory (RAM) of your PC). When you close a tab of your browser (or when a script on the page removes an element from it), the browser marks the memory in which those objects were stored as free, so that it can be reused later.

A use-after-free occurs when the browser has a bug that causes it to keep using a block of memory after marking it free (a stale, or dangling, pointer). An attacker who knows of such a bug can trigger it deliberately from a malicious web page: once the block is free, the attacker arranges for the browser to allocate new, attacker-controlled data (for example via script on the page) so that it lands in the same block. When the browser then uses the stale pointer, it reads the attacker's data as if it were the original object, for example as a pointer to code to run, which is how these flaws lead to the execution of attacker-chosen code. Such exploits are discussed in more detail in this Cisco blog post.

Further alternative definitions of a use-after-free issue are also available:

Red Hat (in reference to a recent Linux kernel vulnerability)
Perception Point: exploiting a use-after-free on a Linux system
Microsoft (also details use-after-free mitigations built into Microsoft Edge and Internet Explorer).
=======================
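To make the aside above concrete, here is an added example of my own; it is not code from HP, Microsoft, Red Hat or Perception Point. It uses a deliberately simple toy allocator and a reference-counted object to show the stale-pointer use-after-free described in the aside, and also the reference-counter overflow route to a use-after-free described in the Linux kernel keyring post earlier on this page, together with a checked counter that refuses to wrap. The toy heap, the 8-bit counter, the handler addresses and the 0x41 payload bytes are all constructed assumptions; real heaps and browsers are far more complex, but the ordering of events (free, attacker-controlled reallocation, stale use) is the same.

```c
/* Added example, not code from the page or from the vendors it discusses.
 * A deterministic toy heap and a reference-counted "element" show (1) the
 * stale-pointer use-after-free the aside describes, (2) the reference-counter
 * overflow route to the same bug described in the keyring post above, and
 * (3) a checked counter that closes route (2). Slot size, counter width,
 * handler values and payload bytes are all constructed for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define SLOT_SIZE  32
#define SLOT_COUNT 4

/* Toy heap: one size class with a LIFO free list. The most recently freed slot
 * is the next one handed out, so a same-sized allocation lands where the freed
 * object lived. Real allocators behave this way often enough to exploit. */
static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int free_list[SLOT_COUNT];
static int free_top;

static void heap_reset(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--) free_list[free_top++] = i;  /* slot 0 first */
}
static void *heap_alloc(void) { return free_top > 0 ? pool[free_list[--free_top]] : NULL; }
static void heap_free(void *p) {
    free_list[free_top++] = (int)(((unsigned char *)p - (unsigned char *)pool) / SLOT_SIZE);
}

/* Stand-in for a DOM node or a kernel key object. `handler` plays the vtable
 * or function pointer that code later dispatches through. The 8-bit refcount
 * is deliberately tiny: wrapping it takes 255 leaked references, not 2^32. */
struct element {
    uintptr_t handler;
    uint8_t   refcount;
    char      pad[SLOT_SIZE - sizeof(uintptr_t) - sizeof(uint8_t)];
};
_Static_assert(sizeof(struct element) <= SLOT_SIZE, "element must fit one slot");
#define GOOD_HANDLER ((uintptr_t)0x1000)   /* hypothetical legitimate method address */

static struct element *element_new(void) {
    struct element *e = heap_alloc();
    e->handler  = GOOD_HANDLER;
    e->refcount = 1;                       /* the creator holds the first reference */
    return e;
}
static void element_get(struct element *e) { e->refcount++; }   /* 255 + 1 wraps to 0 */
static void element_put(struct element *e) { if (--e->refcount == 0) heap_free(e); }
/* Hardened take: refuse a new reference rather than wrap (a saturating counter). */
static bool element_get_checked(struct element *e) {
    if (e->refcount == UINT8_MAX) return false;
    e->refcount++;
    return true;
}

/* The attacker's move after the free: allocate a same-sized chunk and fill it. */
static void attacker_reclaims_slot(void) {
    unsigned char *spray = heap_alloc();
    if (spray) memset(spray, 0x41, SLOT_SIZE);   /* constructed payload: 'A' bytes */
}
/* A handler value made entirely of the attacker's 0x41 bytes, for comparison. */
uintptr_t attacker_handler(void) { uintptr_t v; memset(&v, 0x41, sizeof v); return v; }

/* (1) Browser-style UAF: a second raw pointer is kept without taking a reference;
 * the owner releases the object; the attacker reclaims the slot; the later
 * dispatch reads the attacker's bytes as the handler. */
uintptr_t stale_pointer_uaf(void) {
    heap_reset();
    struct element *owner = element_new();
    struct element *stale = owner;         /* raw copy, no element_get() */
    element_put(owner);                    /* "tab closed": 1 -> 0, slot freed */
    attacker_reclaims_slot();
    return stale->handler;                 /* use after free: equals attacker_handler() */
}

/* (2) Keyring-style UAF: the owner keeps its reference, but a leaky operation
 * takes references it never drops. After 255 leaks the counter wraps to 0, so the
 * next component that briefly takes and drops a reference frees the object under
 * the owner, whose next dispatch reads attacker bytes. */
uintptr_t refcount_overflow_uaf(void) {
    heap_reset();
    struct element *owner = element_new(); /* refcount = 1 */
    for (int i = 0; i < 255; i++) element_get(owner);   /* leaked: 1 + 255 wraps to 0 */
    element_get(owner);                    /* innocent user takes a reference: 0 -> 1 */
    element_put(owner);                    /* ... and drops it: 1 -> 0, object freed */
    attacker_reclaims_slot();
    return owner->handler;                 /* owner still believes it holds a reference */
}

/* (3) The same leak against the checked counter: the 255th extra take is
 * refused, the counter never wraps, and the owner's object survives. */
uintptr_t checked_refcount_survives(void) {
    heap_reset();
    struct element *owner = element_new();
    int refused = 0;
    for (int i = 0; i < 255; i++) if (!element_get_checked(owner)) refused++;
    element_put(owner);                    /* 255 -> 254, not freed */
    attacker_reclaims_slot();              /* lands in a different slot */
    return refused == 1 ? owner->handler : 0;   /* GOOD_HANDLER */
}
```

The checked counter only closes the overflow route in (2). The raw stale pointer in (1) is an ownership bug that reference counting cannot catch unless every holder actually takes a reference, which is why browser vendors added the separate use-after-free mitigations discussed elsewhere on this page rather than relying on counting alone.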

Some may feel that I have been unduly harsh on Microsoft in the above comments. I do believe that not all of the information as to why these issues are not going to be patched has been provided. I also believe that Microsoft should at least consider implementing the suggestions within pages 19 to 21 of this white paper to make exploitation of these issues more difficult.

One interesting point that is raised in the HP blog post is the following “Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers).” That comment makes more sense (especially if such non-default configurations are not recommended), but no detail is provided as to what settings make IE vulnerable to these flaws (and thus you can’t make the necessary changes to your configuration to mitigate them). It will be interesting to see if any more information can be obtained concerning this non-default configuration.

What Can I Do To Defend Myself From These Unpatched Issues?

  1. A suggestion that does not cost any funds and is easy to implement would be to use another web browser (Mozilla Firefox, Apple Safari, Opera and Google Chrome being the most popular choices).
  2. If you are using a 64 bit version of Windows (you can view this page to check which version you have), use the 64 bit version of IE instead of the 32 bit version. This post explains how, while this post also provides steps to enable all of IE’s processes to be 64 bit rather than 32 bit. If you find an add-on that you use frequently does not work with the 64 bit version of IE, simply reverse the steps in the above tutorials temporarily. Alternatively navigate to the folder: C:\Program Files (x86)\Internet Explorer and double click iexplore.exe to open the 32 bit version of IE.
  3. Install and enable the default settings of Microsoft EMET. On my personal PCs which use Windows 8.1 64 bit and Windows 7 64 bit I have all mitigations for IE 11 64 bit enabled (please note that I have ActiveX filtering enabled and thus no add-ons are running within IE on my PCs). The same settings should work for IE 32 bit. A list of known EMET application incompatibilities is available here. You can also ask questions within the EMET forum. The following are very useful tutorials on EMET 5 and EMET 4 (still relevant).
  4. When Windows 10 is released consider using Microsoft Edge since it incorporates additional defences against Use-After-Free flaws and will always be a 64 bit process on a 64 bit version of Windows 10.

The recommendation of using EMET will not only protect against these unpatched flaws but also make exploitation of known flaws much harder. Alternatives to EMET are Malwarebytes Anti-Exploit (free or paid for versions) and HitmanPro.Alert (paid for product).

I hope the above information is useful in defending against these unpatched flaws. When I first read the blog post from HP I initially thought that the 32 bit version of IE was being ignored but the information stating that these issues only affect non-default configurations of 32 bit IE makes these issues much less serious. If any further information on these flaws become available, I will update this blog post.

Thank you.