Weekly infosec news summary for 2016.10.23 – 2016.10.30

Quotes

“To the giant shitlords attacking my domain. I’ve pointed it to 147.237.0.71 - you are now hitting Israeli Intelligence (Mossad). Good luck.” @th3j35t3r

Top stories

drammer

A project called drammer was released that uses Rowhammer bitflips to root Android phones. They released an app to the Google Play store to do this, which was taken down. They were able to successfully use this technique on a number of phones including Nexus, G4 from LG, Motorola phones, Galaxy phones from Samsung, and the One from OnePlus (link). Google awarded them a $4K bounty for this, and will be releasing an update to mitigate it, but the only real fix is to use ECC (error-correcting code) RAM, meaning a hardware change.

New MacBook with touch bar

Apple announced a new MacBook this week with a touch bar above the keyboard that runs on watchOS and has TouchID, meaning the laptop has two separate computers running on it (link). This opens up opportunities to allow the main computer, running macOS, to remain as a general purpose computer, while the touch bar could do more restricted and high security tasks. As an example, 1password is working to integrate that into their product (link).

Conference materials and publications

• Phrack: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622: Phrack has released a new article.
• CanSecWest slides: Conference in Vancouver, Canada in March.
• BruCON videos: Conference in Belgium this week.
• Black Hat Asia slides and papers: Conference in Singapore in March.
• PacSec slides: Conference in Tokyo in mid-October(Many not in English).
• SECtor slides: Conference in Toronto, Canada this past week.

Tools

• Microsoft/krabsetw: C++ wrapper around the low-level ETW (Event Tracing for Windows).
• Windbg JavaScript Extensibility: The Windows debugger, windbg, now has support for javascript.

Other reads

• ARMv8.3-A adds ROP protection: Arm’s AArch64 is adding Pointer Authentication Code (PAC) to protect against ROP.
• task_t considered harmful: Discussion of a design issue in macOS and iOS from Google’s Project Zero. This allows for sandbox escapes and privilege escalation. Also of interest from this is the vulnerability disclosure timeline (link), wherein Apple repeatedly requests more time and Project Zero declines the request, until finally Apple invokes sudo and “Apple’s senior leadership contacts Google’s senior leadership to request that Project Zero delay disclosure of the task_t issue.” This results in a 5 week extension.
• Test New macOS Versions Early to Protect Your Users: IT administration post from Duo on how to get access to Apple’s macOS beta releases in order to test them before your organization updates to them, potentially breaking things.
• How to Enable MFA Protection on Your AWS API Calls: Shows example policies for Amazon AWS permissions to enforce Multi-factor auth.
• Bulletproof TLS Newsletter #21: Periodic newsletter focused on TLS related news.
• Freeing my tablet (Android hacking, SW and HW): Walkthrough on how someone figured out how to root their Android tablet.
• AtomBombing: New technique for injecting code from one process to another on Windows. This is just lateral movement across processes on the same system. An attacker has already won by the time they can use something like this and as such there hasn’t been a lot of focus on protecting against attacks like this, so there are likely many other ways of accomplishing this.

To receive a weekly email notification of this newsletter, email scott@summitroute.com