June 14, 2021

Google backpedals on its arbitrary vulnerability disclosure policy

google logo(LiveHacking.Com) – Google has been under fire in the last few weeks for arbitrarily disclosing zero-day vulnerabilities which give hackers the information they need to attack susceptible systems. When Google makes these disclosures it knows full well that it is risking the security and privacy of potentially millions of people.

The positive side of these disclosures is that Google guarantees that vendors, like Microsoft, Apple and Adobe, are informed of zero-day flaws and given enough time to patch those flaws before a disclosure is made. By informing the vendor and yet by giving them a period of time to fix the issue, Google is trying to ensure that both “the need of the public to be informed of security vulnerabilities” and the “vendors’ need for time to respond effectively” are balanced.

However until now Google’s 90 day deadline has been completely arbitrary without any consideration of real-world circumstances. The arbitrary nature of the 90 day rule was highlighted recently when Google published the details of a bug in Windows which Microsoft was scheduled to patch on January 13th, but the 90 days passed on January 11th, so Google just published the details anyway. In this way Google was sticking to the letter of the law rather than the spirit of it.

But now it seems that Google has seen the error of its ways and updated its disclosure policy. From now on:

  • Weekends and holidays. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
  • Grace period. Google now has a 14-day grace period. If a 90-day deadline will expire but a vendor lets Google know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
  • Assignment of CVEs. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, Google will ensure that a CVE has been pre-assigned.

While Microsoft welcomes the changes, it would much rather see Google work more closely with software vendors to apply patches. “When finders release proof-of-concept exploit code, or other information publicly before a solution is in place, the risk of attacks against customers goes up,” Microsoft’s Chris Betz told The Register in an emailed statement. “While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies.”

Microsoft releases details of zero-day vulnerability in Word

Microsoft has published information about a new zero-day vulnerability in its Word product. There is a real-world exploit for the vulnerability and it is currently being exploited in the wild. Microsoft says it is “aware of limited, targeted attacks directed at Microsoft Word 2010.”

According to Microsoft’s Dustin Childs, the vulnerability can be exploited by an attacker and allow “remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.”

Microsoft-Word-LogoMicrosoft’s immediate response has been to publish a one-click Fix it  which basically disables support for RTF in Microsoft Word. Although Microsoft wants to “encourage all customers using Microsoft Word” to apply the Fix it, disabling RTF support could be troublesome for those who rely on this document format.

The vulnerability, which was reported to Microsoft by members of the Google Security Team, can be exploited via email or via the web. In the email scenario, the attacker sends a specially crafted RTF document as the contents of the message. The vulnerability is exploited when the message is previewed or opened in Outlook where Microsoft Word is the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF document as an attachment. In the web scenario, the attacker would need to trick the user into downloading the document and then opening it.

This remote code execution vulnerability exists because of bugs in the way that Word parses maliciously crafted RTF documents. The bugs cause a memory corruption and give the attacker a way to execute arbitrary code. The vulnerability can also be exploited through Microsoft Outlook if Word is used as the email viewer, which it is by default in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

Microsoft is working on a full fix but it isn’t known if the Redmond company will be able to develop and test the fix by April 8th, the date of the company’s next Patch Tuesday. Patch Tuesday is the name given to Microsoft’s monthly security updates which patch Microsoft’s products to fix security issues.

Interestingly, support for Office 2003 ends April 8th and Microsoft has included Word 2003 Service Pack 3 in its list of affected products. If Microsoft doesn’t manage to release a full patch by April 8th then Office 2003 could remain vulnerable without any hope of a solution. Even if Microsoft does release a patch now, this incident highlights the dangers of using Microsoft products which have reached their end-of-life.

Zero-day vulnerability in Windows XP being exploited via a malicious PDF file

microsoft logoMicrosoft has issued a warning to all users of its aging Windows XP operating system about a zero-day vulnerability that allows attackers to gain elevated privileges. Once the attackers have system level privileges they can install programs; view, change, or delete data; or create new accounts with full administrative rights.

The vulnerability is in the Windows kernel and affects Windows Server 2003 as well as XP. Once exploited an attacker can run arbitrary code in kernel mode which automatically gives them full administrative rights.

According to CVE-2013-5065 NDProxy.sys in the kernel of Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application. The vulnerability is being exploited in the wild.

Microsoft has issued a workaround for the vulnerability however by implementing it services that rely on the Windows Telephony Application Programming Interfaces (TAPI) to not function, this includes Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN). Full details of the workaround, which disables NDProxy.sys and reroute all calls to Null.sys, can be found in Microsoft’s security advisory.

According to Symantec there have been a “small number” of in-the-wild attacks happening since early November. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were targeted.

This is the second zero-day vulnerability to be recently exposed in Windows. At the beginning of November Microsoft released  a security advisory about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

Microsoft issues “Fix it” for zero-day exploit attack against IE

internetexplorer_logo(LiveHacking.Com) – Microsoft has issued an emergency “Fix it” to help fend off a zero-day vulnerability attack which is being exploited in the wild. Currently there are reports of targeted attacks specifically directed at Internet Explorer 8 and 9 however the vulnerability is present in all versions of IE from 6 and up to IE 11 – which is to be released to the public with Windows 8.1. The vulnerability is exploited when users visit a web page with malicious content and can allow remote code execution.

The vulnerability is exists because of a use-after-free coding error in the JavaScript SetMouseCapture implementation in Internet Explorer. Further details of the exploit have been posted on pastebin. Microsoft says it is actively working to develop a security update to address the vulnerability and in the mean time users should apply the “Fix it” and also set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. Microsoft also recommends that users configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

“We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our customers,” said Dustin Childs, Group Manager of Trustworthy Computing at Microsoft.

Microsoft hasn’t ruled out issuing an out-of-cycle security update to fix this bug, but it says it wants first to complete its investigation and may just provide a solution through its normal monthly Patch Tuesday bulletins, depending on customer needs and the extent of the attack.

In Brief: Remote zero-day vulnerability found in Linksys WRT54GL router

linksys(LiveHacking.Com) –  A zero-day remote root access vulnerability has been found the Linksys WRT54GL routers with the possibility that other routers in the range are also affected. The vulnerability was found by DefenseCode who published a proof-of-concept video on YouTube.

According to DefenseCode, Cisco was contacted about the remote preauth (root access) vulnerability several months ago. The company also passed-on a detailed vulnerability description along with the PoC exploit for the vulnerability.

It seems that Cisco thought that the vulnerability was already fixed in the latest firmware, but according to DefenseCode it isn’t.

“Although we can confirm contact with DefenseCode, we have no new vulnerability information related to our WRT54GL or other home routers to share with customers at this time. We will continue to review new information that comes to light and will provide customer updates as appropriate,” said a Cisco spokeswoman told SC Magazine Australia.

However Cicso, who owns the Linksys brand, did finally admit to the problem: “Following our assessment of information recently released by DefenseCode, we have confirmed a vulnerability in the Linksys WRT54GL home router,” the company said in a e-mail to The Register. “At this point, no other Linksys products appear to be impacted.”

DefenseCode says that it will make a full disclosure of the vulnerability in the next two weeks.

Another zero-day Java exploit for sale on Internet

Java(LiveHacking.Com) –  Less than a day after Oracle patched the zero-day vulnerability in Java 7, security journalist Brian Krebs has discovered that a new Java zero-day exploit is now available to purchase, in a crimeware and malware Internet forum, for US$5,000 per sale.

At the beginning of this week, an administrator of an exclusive cybercrime forum revealed that he is offering exploit code for a new zero-day vulnerability in Java, but he is only willing to sell it twice.

The seller was offering source files to the exploit plus an encrypted, weaponized version, ready for use. Since spotting the forum post, Krebs has noticed that the thread has since been deleted from the forum. This most likely means that buyers were found.

“To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program,” wrote Krebs.

The current frequency of Java exploit has led many to declare Java unsafe. Even after the latest update for Java 7, Adam Gowdiak, the founder and CEO of Security Explorations – who has found several critical vulnerabilities in Java, said that “We don’t dare to tell users that it’s safe to enable Java again.”

This was a sentiment echoed by HD Moore, chief security officer with Rapid7 – the custodians of Metasploit, “The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop.”

It looks like Gowdiak and Moore are right!

After latest vulnerability gets patched in Java, is it now seen as just too dangerous?

java-square(LiveHacking.Com) –  Oracle has released an update to Java 7 to address two Critical vulnerabilities. A few days ago, reports emerged about another new vulnerability in Java that was being exploited in the wild. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. An exploit for the vulnerability was quickly added to exploit toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).

These vulnerabilities, known as CVE-2013-0422 and CVE-2012-3174, do not affect Java on servers, Java desktop applications, or embedded Java, however Java running in a web browser is affected.

To exploit the vulnerability, an unsuspecting user is tricked into visiting a website which has been designed specifically to infect their PC with malware. Once at the website the vulnerability allows for the execution of a malicious applet within the browser which then results in the execution arbitrary code (to install malware).

As part of Java 7 update 11, Oracle is switching the Java security settings to “high” by default. This means that users need to expressly allow the execution of any applets, which are either unsigned or are self-signed, in the browser. The idea is that any unsuspecting users visiting malicious web sites will be told before an applet is run.

Since update 10 of  Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).

However questions are now being raised about the long-term viability of Java support in web browsers. Adam Gowdiak, the founder and CEO of Security Explorations – who has found several critical vulnerabilities in Java, told Reuters that “”We don’t dare to tell users that it’s safe to enable Java again.”

“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” said HD Moore, chief security officer with Rapid7  – the custodians of Metasploit.

Microsoft to fix IE8 zero-day vulnerability today with out-of-band fix

security news at livehacking.com(LiveHacking.Com) –  Microsoft will release an update to Internet Explorer today to fix the zero-day vulnerability which was found at the end of last year. An exploit was found, in the wild, for a previously unknown (zero-day) vulnerability during the clean up of the Council on Foreign Relations (CFR) website, which had been compromised by hackers, probably from China. The exploit found used a heap spray attack against the zero-day vulnerability.

Microsoft issued  Security Advisory 2794220 which confirmed that the issue impacts Internet Explorer 6, 7, and 8. Internet Explorer 9 and 10 are not affected by this issue, so upgrading mitigates the problem, however neither IE 9 or IE 10 is available for Windows XP users.

A few days later, Microsoft published a Fix It as a temporary measure until the full patch is available. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. However once the Fix It was out, security information company Exodus Intelligence published details on how it had managed to bypass the shim and make IE vulnerable again. This placed greater pressure on Microsoft to issue an out-of-band fix, which it will now do today.

“While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future.  The bulletin has a severity rating of Critical, and it addresses CVE-2012-4792,” said Dustin Childs, Group Manager of Microsoft’s Trustworthy Computing unit.

The patch will be made available for Windows XP, Vista and Windows 7 along with Windows Server 2003 and 2008. Microsoft will release the out-of-band security update at 10 a.m. PST on Monday, January 14, 2013.

New zero-day Java 7 vulnerability being exploited in the wild

Java(LiveHacking.Com) – US-CERT has issued a security advisory about an unspecified vulnerability in the most up to date version of Java ( Java 7 Update 10) that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. According to TrendLabs the zero-day exploit is being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). Brain Krebs has noted that the author of the Blackhole exploit kit is calling the new exploit a ‘New Year’s Gift,’ to customers who use Blackhole.

Initial analysis of the exploit shows that it is probably bypassing certain security checks  tricking the permissions of certain Java classes like  in CVE-2012-4681 . According to US-CERT, the exploit works by leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing.

The only good bits of news are that Java 6 doesn’t seem to affected and that since update 10 of  Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).

US-CERT (and others) where alerted to the existance of the zero-day vulnerability by a blogger named Kafeine at the site Malware don’t need Coffee.

“We can confirm that this is a new vulnerability,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, in an email to Computerworld. “We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we’re currently analyzing whether other older updates are vulnerable.”

Someone has bypassed Microsoft’s Fix It for the IE 8 zero-day vulnerability already

security news at livehacking.com(LiveHacking.Com) – Security information company Exodus Intelligence has published a blog post claiming to have bypassed Microsoft’s Fix It for the current zero-day vulnerability in Internet Explorer 8. The official Fix It was released by Microsoft as a temporary workaround to the zero-day vulnerability found in Internet Explorer 6,7 and 8. The bug in IE can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. To exploit it, users are tricked into visiting a specially crafted website which uses either Flash or Javascript to generate a heap spray attack against IE. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution.

According to Exodus Intelligence it is now possible to bypass the shim and compromise a fully-patched system. Due to the nature of its business, Exodus Intelligence has passed on the details about the bypass to its customers. Thankfully it has also notified Microsoft. The company promises to fully disclose the details of the bypass once Microsoft has fully addresses the issue.

“After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” said Exodus Intelligence on its blog.

Microsoft will release seven security bulletins today to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework. However a fix for the Internet Explorer vulnerability will not be among the patches.

Internet Explorer 9 and 10 are immune to the attack and upgrading to the later versions of IE will protect users (as will using a different browser like Firefox or Chrome), the problem is that XP users can’t upgrade IE beyond 8. Also Enterprise users may still be stuck on older versions of IE due to legacy application support. In combination this means that pressure is now mounting on Microsoft to make an out-of-band release for IE to fix the vulnerability.