Downclimb

2017.10.22


Weekly infosec news summary for 2017.10.15 – 2017.10.22

Top stories

ROCA: Vulnerable RSA generation

Last week, I mentioned in Downclimb how some Google Chromebooks were affected by an issue with their TPM (link). That issue affects a lot more things. The issue, called ROCA, is with an implementation of RSA used in many security devices (link). This attack makes it feasible to recover the private key of an RSA key pair once the public key is known. 2048-bit keys are breakable for as little as $20K. This impacts some YubiKeys (link).

Another macOS supply chain attack

Despite there being less malware targeting macOS, supply chain attacks are the vector of choice against that platform. OSX/Proton infected the Elmedia Player software that was available for download from the official website for the software (link). Once a system is infected, the malware exfiltrates the browser history, login data, and cookies (which would allow the attackers to compromise a user's accounts), 1Password data, .ssh keys, GPG keys, and more.

I also want to congratulate Airbnb's BinaryAlert team, who, despite having a somewhat limited signature database in comparison to most antivirus products, were flagging this malware although commercial AV had only 1/57 detection for it (link).

Too many features in Microsoft Office causing problems

Kaspersky found an APT group including Flash exploits in Microsoft Word files (link), and DDE has become a popular alternative to Word macros for getting code execution (link). Microsoft Office has replaced Adobe Reader as the non-browser exploit target of choice in recent years. Microsoft's recommendations involve all sorts of kill bits, when all anyone wants is for Word to only display documents.

Browser security beyond sandboxing

Microsoft describes a vuln they discovered in Google Chrome (link). This post highlights a number of important points:

  1. Shows how they were able to find a new bug by fuzzing Chrome with the fuzzer they use against their own browser, despite Chrome being fuzzed regularly by every public fuzzer, which shows the code coverage of these fuzzers is not complete.
  2. Shows how a crash that looked like a null pointer dereference, which most people would dismiss as not exploitable, turned out to be exploitable.
  3. Shows the power of their Time Travel Debugging for understanding the crash.
  4. Shows in a very educational way how they are able to turn this crash into exploit primitives using some test cases and analysis of the results rather than the reversing path many tutorials take.
  5. Points out how Google is publishing fixes and test cases publicly before updating users, which meant Chrome users were vulnerable to this issue for a month despite the problem being public in their git repo.
  6. Describes the benefits of Microsoft's focus on stronger mitigations and the weaknesses of Google's focus on sandboxing (see sections "Achieving Arbitrary Code Execution" and "The dangers of RCE").

That final point is important. Some people commented that Microsoft didn't escape the sandbox and therefore this wasn't a "full" exploit. Microsoft does a good job of explaining how, while inside Google's sandbox, you can access everything important the browser stores (the user's email, banking info, etc.), so escaping the sandbox has become less important. If all the toys you want to play with are already in the sandbox, there isn't much point in leaving it.

Tools

  • Atlassian/SPACECRAB: Project for deploying AWS key honey tokens at scale, allowing you to include honeytokens in all your AWS EC2 instances and detect when they are used.
  • logstash-filter-goaudit: A Logstash filter to parse go-audit JSON logs.
  • Assemblyline: The CSE (Canada's version of the NSA) released a project that enables people to build a pipeline for analyzing files. Given that they don't provide any of the actual analysis tools, I personally think you're better off just building this pipeline yourself as they aren't providing much here. Correction 2017.10.23: They have a lot of decoders (link).

Conference materials and publications

Other reads

  • Improving YARA Rules from TA17–293A: Excellent tutorial from Florian Roth on evaluating IOCs and improving the YARA signatures originally published by US-CERT.
  • Google Play Security Reward Program: Google will pay for vulns found in apps on Google Play. This is limited to RCE vulns only.
  • Microsoft hack in 2013 targeted bug database: A hack of Microsoft in 2013 by Wild Neutron infected Macs that were in use by Microsoft and targeted their bug repo. Such access would allow the attackers to learn about unpatched vulnerabilities.
  • AWS ElasticSearch cluster can now be put behind VPCs: One way of judging the maturity of AWS services is whether they work with VPCs, so AWS hosted ElasticSearch is now doing better.
  • You need more than one AWS account: AWS bastions and assume-role: Coinbase describes how to use an Identity account and multiple other AWS accounts. There are still some unanswered questions when you use an Identity account, such as how to easily onboard people and how to use SSO with AWS in this setup, that I'll need to blog about one day.
  • An Infrastructure Guide for Founders: Ryan McGeehan walks through important security considerations when using AWS.
  • KRACK: KRACK is an attack against WPA2-protected Wi-Fi allowing decryption and TCP hijacking. Matthew Green does a good job explaining that this bug was missed for so long because the specs aren't public, and also, interestingly, that the place where this exists was formally verified (link). Two pieces involved with this were formally verified independently, but not their integration, which allowed for this issue. You should already be assuming your networks can't be trusted, especially Wi-Fi, because if you're using Wi-Fi in your controlled enterprise, you also probably use it at coffee shops, airports, and hotels. This is fixable client-side, and Windows, macOS, and iPhones have already been patched for this.
