Downclimb: Summit Route’s Weekly Infosec News Recap
2016.05.08 – 2016.05.15: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

“That awkward moment you realize Docker is an IFrame.” Dan Kaminsky

 

“TIL: http://myfonts.com deletes credit card data when you reset your lost password. That’s a thoughtful and easy-to-implement measure.” nibbler

 

“If you’re in a security-based startup company, then you’ll know that making money requires making excitement, even if the excitement is somebody else’s public humiliation.” Dan Geer in 1998

 

“Mitigations increase exploit prices which attracts more researchers which increases supply. We always win.” Chaouki Bekrar, an exploit broker, on Microsoft mitigations

 

“I wonder what the real cost is of a BugBounty Program when you have so many False Positive submissions that you have to verify” Include Security

 

“Them: ‘I changed it, but I NEVER reuse passwords’
Me: ‘Ok, prove it by posting your email address and old password on pastebin’
Them: ‘No.’” Ryan Huber

 

Top stories

Patch Tuesday ——— Patch Tuesday was relatively uneventful with the usual IE & Edge vulns, some Office vulns, and Escalation of Privs (EoP) in Windows, along with dozens of Adobe vulns patched. One of the EoPs was being actively exploited in the wild according to FireEye in their report on PUNCHBUGGY. In FireEye’s report, they discuss a newly discovered point of sale (POS) malware that used the common technique of sending Office docs with macros to get code execution, and then the EoP 0-day, in order to install a point of sale memory scraper.

Third party incidents

Both Google and Yahoo had incidents this week involving third party vendors. Google’s vendor accidentally sent employee data to the wrong company, and Yahoo’s vendor somehow got access to Tumblr usernames and salted passwords. Third party vendors are like the BYOD problem, except instead of your employees accessing data on devices you don’t control, it’s people you don’t know, with systems you don’t control, handling your data.

Exceptions in Exceptions - Abusing Special Cases in System Exception Handling to Achieve Unbelievable Vulnerability Exploitation

This post by @tombkeeper from Tencent describes a handful of creative and unbelievable tricks for IE exploitation, including getting non-executable code to execute because Microsoft apparently will execute it in certain situations if “it looks like a ATL thunk”.

Business

• AVG Technologies acquires Norman Safeground: The Norwegian antivirus company Norman split up at the start of 2013 into a conservative pure-play antivirus company (Norman Safeground) and a riskier R&D focused company (Norman Shark). Norman Shark was acquired by Blue Coat in late 2013, and this week the other half of the company has been acquired by the Czech antivirus company AVG.

Conference materials and publications

• Windows 10 Security Auditing and Monitoring Reference: This is a 700+ reference for what different Event IDs on Windows mean to help you understand what happened or attempt to create alerting.

Tools

• Authenticode Lint: Blog post and tool to look for extra data, or oddness, in Windows code signed file signatures.

Other reads

• ThreatButt DZIR: If you’re worn out from reading reports like the Verizon DBIR, the satirical fake company ThreatButt brings thier own comedy with this report. For example, “The majority of attacks come from and target population centers or places with a lot of computers.”
• Hobbyists R Us: Quick post on how some of the infosec research we do, while fun and flashy, is not what attackers are actually doing, and specifically how ransomware caught many of us off-guard at it’s effectiveness.
• Multiple 7-zip vulnerabilities discovered by Talos: The popular Windows application for compressing and decompressing zip files and other compressed formats has some vulnerabilities. Unfortunately, this application still requires downloading new versions via HTTP for an unsigned installer, and still lacks compiler security protections.
• Hardening the media stack: Post from Google on how they improved the security against libstagefright vulns by both trying to prevent the vulns and sandboxing the relevant components. Preventing the vulns was done by using the UndefinedBehaviorSanitizer (UBSan), which is part of the LLVM/Clang compiler toolchain, to identify integer overflows.
• CVE-2016-4117: Flash zero-day exploited in the wild: Ignore the title of this post, as Flash 0-days aren’t that interesting, as they are so common. The important part is that the exploit gets execution to run shell-code, which then downloads a second set of shell-code from the server. The second shell-code then downloads and executes malware. What’s important is once you’re capable of simply downloading and executing shellcode as needed, you’re able to move past needing some type of PE file that you write to disk and execute. Instead, you can simply maintain infection in memory. Current EDR solutions, and end-point security products in general, do not focus much on this threat. Also, it’s important to note that the Flash exploit was used for Microsoft Office files, not for browsers. Some security teams disable Flash in the browser, but forget to disable it in Office, where it is even less needed.