Downclimb: Summit Route's Weekly Infosec News Recap
2014.11.07 – 2014.11.14: https://SummitRoute.com
"If I didn't love hilarious bugs so much, I think I'd be worried how thoroughly f***ed literally everything is :-)" - halvarflake
Patch Tuesday happened this week and a new version of EMET was released. EMET 5.1 improves compatibility with some common applications, improves resiliency against some attacks against EMET itself, and adds Local Telemetry[1,2].
Kaspersky reports on a threat actor that targets business professionals using hotel wifi. The group may be targeting only specific people when they log on to hotel wifi. The malware is signed with certificates that appear to have come from legitimate vendors. Those vendors were not compromised; rather, their certificates are cryptographically weak, allowing the attackers to duplicate them, so a valid signature on this malware does not prove it came from the vendor named in the certificate.
Microsoft open-sourcing .NET, new version of Visual Studio
Microsoft had previously open-sourced a big chunk of .NET, but it will now be open-sourcing the compiler, runtime, and all libraries. Microsoft released a tech preview of Visual Studio 2015 which supports compiling for Android via clang and LLVM, and will also support iOS. They are also phasing out the Visual Studio Express editions (the free version of Visual Studio) in favor of what they are calling Community Edition (also free), with the main improvement being that it allows plugins (something the free Express editions didn't).
- .NET open-sourced: http://arstechnica.com/information-technology/2014/11/microsoft-open-sources-net-takes-it-to-linux-and-os-x/
Explanation of American Fuzzy Lop
lcamtuf explains his AFL project by having it transform a file that simply says "hello" into a valid JPEG. AFL fuzzes executables by monitoring which branches the (instrumented) executable takes on each input, and automatically mutating the input in order to explore as many branches as possible: a mutated input that reaches a branch not seen before is kept and mutated further.
One of the problems new bug hunters run into is that they don't think through their exploit scenarios very well. The "flaws" they find might require full access to the user's computer first, which means the attacker can already do anything, including whatever it is the bug hunter found. This also affects a lot of attention-grabbing news you see about things like car hacking, where the attacker first needs physical access to the vehicle and then can turn on the turn signal or something, when they could have just as easily planted a bomb. This is discussed well in the following articles.
HP ZDI's mobile pwn2own competition took place in Tokyo this week[1,2], where the following were successfully exploited:
- Apple iPhone 5S via the Safari browser
- Samsung Galaxy S5 via NFC via two different techniques
- LG Nexus 5 via forced Bluetooth pairing
- Amazon Fire Phone via its browser
- Windows Phone Lumia 1520 via the browser (exfiltrated cookies but did not escape the sandbox for full system control)
- Nexus 5 running Android via wifi (however, did not elevate privileges)
It's safe to say at this point that phones and other mobile devices are just as exploitable as "normal" computers.
Software is not written, it is composed
Discussion involving HP's Security Research on how many vulnerabilities are not in software written by the developers of a product, but rather in third-party components used in that product.
- Bootkit: past, present, and future: PDF and video on bootkits (TDL4, Rovnix, Gapz, and others) affecting BIOS and UEFI.
- Simple guest to host VM escape for Parallels Desktop
- In-depth article on an Internet Explorer use-after-free vuln.
- Germany's federal intelligence agency is seeking 4.5M euros ($5.6M USD) to buy bugs in HTTPS: These are not to fix but to exploit.
- Exploitation of CVE-2014-6332: Vuln that affects Internet Explorer via its VBScript capability
- Original stuxnet victims disclosed
- Discussion of the USB propagation of Sednit: Also known as APT28 and Pawn Storm.
- HACK ETF: An ETF was created with the ticker symbol HACK that holds stocks focused on fighting hackers.