June 14, 2021

Google backpedals on its arbitrary vulnerability disclosure policy

(LiveHacking.Com) – Google has been under fire in the last few weeks for arbitrarily disclosing zero-day vulnerabilities which give hackers the information they need to attack susceptible systems. When Google makes these disclosures it knows full well that it is risking the security and privacy of potentially millions of people.

The positive side of these disclosures is that Google guarantees that vendors, like Microsoft, Apple and Adobe, are informed of zero-day flaws and given enough time to patch those flaws before a disclosure is made. By informing the vendor and giving it a period of time to fix the issue, Google is trying to ensure that both “the need of the public to be informed of security vulnerabilities” and the “vendors’ need for time to respond effectively” are balanced.

However, until now Google’s 90-day deadline has been completely arbitrary, without any consideration of real-world circumstances. The arbitrary nature of the 90-day rule was highlighted recently when Google published the details of a bug in Windows which Microsoft was scheduled to patch on January 13th, but the 90 days passed on January 11th, so Google just published the details anyway. In this way Google was sticking to the letter of the law rather than the spirit of it.

But now it seems that Google has seen the error of its ways and updated its disclosure policy. From now on:

  • Weekends and holidays. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
  • Grace period. Google now has a 14-day grace period. If a 90-day deadline will expire but a vendor lets Google know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
  • Assignment of CVEs. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, Google will ensure that a CVE has been pre-assigned.
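As an added illustration (not part of the original article), the three rules above written out as a deadline calculator. The dates are constructed, the 2015 calendar is assumed for the Microsoft case, and the holiday set is a placeholder rather than the full US federal list.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

DEADLINE_DAYS = 90   # standard Project Zero deadline, as stated in the policy
GRACE_DAYS = 14      # grace period added by the revised policy

# Constructed placeholder; a real implementation would load the full
# US federal holiday calendar for the years concerned.
US_HOLIDAYS = {
    date(2014, 12, 25),  # Christmas Day
    date(2015, 1, 1),    # New Year's Day
}


def next_work_day(d: date, holidays=US_HOLIDAYS) -> date:
    """Rule 1: a deadline on a weekend or US public holiday moves to the next work day."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def disclosure_date(reported: date,
                    patch_scheduled: Optional[date] = None,
                    vendor_notified: Optional[date] = None,
                    holidays=US_HOLIDAYS) -> Tuple[date, str]:
    """Return the public-disclosure date and the rule that produced it.

    reported        - day the vendor received the report
    patch_scheduled - day the vendor says the fix will ship (None if no date was given)
    vendor_notified - day the vendor told Google that date; it only counts if it is
                      on or before the (adjusted) deadline
    """
    deadline = next_work_day(reported + timedelta(days=DEADLINE_DAYS), holidays)

    if patch_scheduled is not None and vendor_notified is not None:
        told_in_time = vendor_notified <= deadline
        within_grace = deadline < patch_scheduled <= deadline + timedelta(days=GRACE_DAYS)
        if told_in_time and within_grace:
            # Rule 2: wait for the patch instead of publishing an unpatched issue.
            return patch_scheduled, "grace period"

    # Publishing past the deadline; Rule 3 requires a CVE to be pre-assigned by now.
    return deadline, "deadline"


def disclosure_date_iso(reported: str, patch_scheduled: Optional[str] = None,
                        vendor_notified: Optional[str] = None) -> Tuple[str, str]:
    """Same as disclosure_date, but taking and returning ISO-8601 date strings."""
    conv = lambda s: date.fromisoformat(s) if s else None
    d, why = disclosure_date(conv(reported), conv(patch_scheduled), conv(vendor_notified))
    return d.isoformat(), why


if __name__ == "__main__":
    # Constructed case modelled on the Windows bug above, assuming the 2015 calendar:
    # a report received on 13 Oct 2014 reaches day 90 on Sunday 11 Jan 2015.
    print(disclosure_date_iso("2014-10-13"))                                # Sunday -> Monday 12 Jan
    print(disclosure_date_iso("2014-10-13", "2015-01-13", "2015-01-09"))    # patch within grace -> 13 Jan
    print(disclosure_date_iso("2014-10-13", "2015-02-10", "2015-01-09"))    # patch too late -> 12 Jan
```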

While Microsoft welcomes the changes, it would much rather see Google work more closely with software vendors to apply patches. “When finders release proof-of-concept exploit code, or other information publicly before a solution is in place, the risk of attacks against customers goes up,” Microsoft’s Chris Betz told The Register in an emailed statement. “While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies.”

Google discloses three more zero-day vulnerabilities, this time for OS X

(LiveHacking.Com) – Google recently came under some heavy criticism when it disclosed a zero-day vulnerability in Windows just days before Microsoft was scheduled to release a fix. Now the search giant has done it again. But this time Google shows that it is truly non-partisan because the disclosures aren’t for Windows, but for OS X.

The first vulnerability allows an attacker to pass arbitrary commands to the networkd OS X system daemon in XPC messages. XPC provides a lightweight mechanism for basic interprocess communication. The problem is that the daemon uses the values from xpc_dictionary_get_value and xpc_array_get_value without subsequent checking of the type of the returned value. Google posted proof-of-concept (POC) code that allows a shell command to be executed as networkd on OS X 10.9.5. The POC uses a specially crafted XPC message which results in “touch /tmp/hello_networkd” being executed. That is a benign command, but it can be replaced with something more malicious.

The second vulnerability, in IOKit IOService, allows an attacker to execute code on an OS X machine with root privileges through a null pointer dereference. The third flaw also relates to IOKit, this time in the Bluetooth subsystem. To exploit it the machine needs to have a Bluetooth device attached, for example an Apple Bluetooth keyboard. Once exploited it allows an attacker to write into kernel memory, potentially allowing them to create a denial of service situation or to access private data.

The security flaws were reported to Apple in October 2014. All three advisories were subsequently published by Google after the expiration of the 90-day grace period given under Project Zero.

Microsoft releases details of zero-day vulnerability in Word

Microsoft has published information about a new zero-day vulnerability in its Word product. There is a real-world exploit for the vulnerability and it is currently being exploited in the wild. Microsoft says it is “aware of limited, targeted attacks directed at Microsoft Word 2010.”

According to Microsoft’s Dustin Childs, the vulnerability can be exploited by an attacker and allow “remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.”

Microsoft’s immediate response has been to publish a one-click Fix it which basically disables support for RTF in Microsoft Word. Although Microsoft wants to “encourage all customers using Microsoft Word” to apply the Fix it, disabling RTF support could be troublesome for those who rely on this document format.

The vulnerability, which was reported to Microsoft by members of the Google Security Team, can be exploited via email or via the web. In the email scenario, the attacker sends a specially crafted RTF document as the contents of the message. The vulnerability is exploited when the message is previewed or opened in Outlook where Microsoft Word is the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF document as an attachment. In the web scenario, the attacker would need to trick the user into downloading the document and then opening it.

This remote code execution vulnerability exists because of bugs in the way that Word parses maliciously crafted RTF documents. The bugs cause a memory corruption and give the attacker a way to execute arbitrary code. The vulnerability can also be exploited through Microsoft Outlook if Word is used as the email viewer, which it is by default in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

Microsoft is working on a full fix but it isn’t known if the Redmond company will be able to develop and test the fix by April 8th, the date of the company’s next Patch Tuesday. Patch Tuesday is the name given to Microsoft’s monthly security updates which patch Microsoft’s products to fix security issues.

Interestingly, support for Office 2003 ends April 8th and Microsoft has included Word 2003 Service Pack 3 in its list of affected products. If Microsoft doesn’t manage to release a full patch by April 8th then Office 2003 could remain vulnerable without any hope of a solution. Even if Microsoft does release a patch now, this incident highlights the dangers of using Microsoft products which have reached their end-of-life.

Microsoft issues “Fix it” for zero-day exploit attack against IE

(LiveHacking.Com) – Microsoft has issued an emergency “Fix it” to help fend off a zero-day vulnerability attack which is being exploited in the wild. Currently there are reports of targeted attacks specifically directed at Internet Explorer 8 and 9; however, the vulnerability is present in all versions of IE from 6 up to IE 11 – which is to be released to the public with Windows 8.1. The vulnerability is exploited when users visit a web page with malicious content and can allow remote code execution.

The vulnerability exists because of a use-after-free coding error in the JavaScript SetMouseCapture implementation in Internet Explorer. Further details of the exploit have been posted on pastebin. Microsoft says it is actively working to develop a security update to address the vulnerability and in the meantime users should apply the “Fix it” and also set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. Microsoft also recommends that users configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

“We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our customers,” said Dustin Childs, Group Manager of Trustworthy Computing at Microsoft.

Microsoft hasn’t ruled out issuing an out-of-cycle security update to fix this bug, but it says it wants first to complete its investigation and may just provide a solution through its normal monthly Patch Tuesday bulletins, depending on customer needs and the extent of the attack.

More zero-day vulnerabilities found in Java

(LiveHacking.Com) – Java was last updated only a few days ago when Oracle released an updated patch for Java SE to include five additional fixes that did not make it into the original patches delivered on February 1st. Now Adam Gowdiak, from Security Explorations, has posted to the full disclosure mailing list revealing details of two more zero-day vulnerabilities in the latest Java version.

According to Gowdiak, his company started to analyze the February 19th update and found two new security issues which when combined together can be successfully used to gain a complete Java security sandbox bypass. The company immediately reported the vulnerabilities to Oracle along with working Proof of Concept code.

Oracle did some investigation and has confirmed that the two issues when combined result in a full sandbox bypass for Java SE 7 Update 15. However, Oracle did note that one of the issues was actually the intended behavior, something that the team at Security Explorations rejects. According to Gowdiak, there is a mirror case corresponding to the issue that leads to an access denied condition and a security exception.

“That alone seems to be enough to contradict the ‘allowed behavior’ claim,” said Adam Gowdiak. “Is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?”

It seems that Gowdiak is going to release details of the issue which he claims is a security vulnerability, but which Oracle claims is ‘allowed behavior’, if Oracle doesn’t change its stance.

Both the issues are specific to Java SE 7 only as they abuse the Reflection API in a particularly interesting way.

New zero-day Java exploit on sale for a five digit sum

(LiveHacking.Com) – A new zero-day Java exploit has been offered for sale on an underground black market cyber criminal Internet forum. The new threat is advertised as working on Java JRE 7 Update 9, the most recent version of Java, but doesn’t affect Java 6 or earlier versions.

According to Brian Krebs, the exploit is serious enough that an attacker could use it to remotely seize control over any systems running the program. This typically means it would be used to spread malware. If a cyber criminal did buy this exploit it would most likely be used to spread a banking Trojan so that the buyer could recoup the money spent. In the end it is all about money (illegally and immorally gained of course).

The exploit has been offered for sale on an invite-only Underweb forum for an undisclosed sum but the seller suggested that it needs to be five digits (meaning $100,000 or more). There are not many details, but the vulnerability is said to be in ‘MidiDevice.Info,’ a Java class which handles MIDI devices. The seller has tested the exploit on Firefox and Internet Explorer running on Windows 7.

“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly,” the exploit seller is reported to have written.

Many security experts, including us here at Live Hacking, have lots of concerns about the number of possible vulnerabilities in Java. If you don’t need Java it is best to remove it completely from your system.

As an alternative you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has published a detailed description of these settings.

Adobe Reader PDF zero-day exploit selling for $50,000 on black market

(LiveHacking.Com) – Although Adobe added sandboxing to Adobe Reader X it still seems that malicious hackers are finding ways of compromising the security of computers via specially formed PDF files. Russian security firm Group-IB has announced that there is a new zero-day exploit for the popular PDF file reader which is being sold in the underground for up to $50,000. The exploit, which targets Windows-based installations of Adobe X and IX, has also been included in a modified version of the notorious BlackHole exploit toolkit.

At the moment the exploit is only being distributed in small circles of underground hackers but, of course, there is every possibility that its use will become widespread. The new unpatched zero-day threat gives malware writers and bot authors further opportunities to create new attack vectors by which malware can be loaded onto a victim’s computer.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document. Either way, the vulnerability has a very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” said Andrey Komarov, the Head of International Projects Department of Group-IB.

A video showing a proof of concept can be seen here: http://www.youtube.com/watch?v=uGF8VDBkK0M&feature=youtu.be. As the video shows, for the payload to run the web browser needs to be restarted. This means that the malware might not infect the PC at the moment the PDF file is opened, but it will most likely succeed at a future time whenever the web browser is closed.

“We saw the announcement from Group IB, but we haven’t seen or received any details,” Adobe spokeswoman Wiebke Lips told SCMagazine.com in an email. “Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Brian Krebs has pointed out that Blackhole is by far the most prevalent exploit kit in use today. At any rate, consumers should realize that there are several PDF reader options apart from Adobe’s, including Foxit, PDF-XChange Viewer, Nitro PDF and Sumatra PDF.

Microsoft to release out-of-band fix for Internet Explorer

(LiveHacking.Com) – Microsoft has announced that it will release an out-of-band update to Internet Explorer to fix the recently found zero-day vulnerability that affects IE 6, 7, 8 and 9. The flaw was discovered by Eric Romang, a security researcher, who was monitoring some servers suspected of serving malware. On one of the servers he found four files which upon analysis turned out to be a zero-day vulnerability exploit for Internet Explorer.

Microsoft subsequently published Security Advisory 2757760 which confirms that the flaw exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Then it published the “Prevent Memory Corruption via ExecCommand in Internet Explorer” Fix it solution, designed to be an easy-to-use, one-click workaround for the vulnerability.

“A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Now, Microsoft has released details of an out-of-band update to Internet Explorer to fully address the issue as well as four other Critical-class remote code execution issues. Microsoft will release the cumulative update for IE today at 10 a.m. PDT. The update applies to IE 6, 7, 8 and 9 on all supported versions of Windows (XP, Vista, 7, Windows Server). It will be made available through Windows Update and it is recommended that you install it as soon as it is available. If you have automatic updates enabled you won’t need to take any action. Microsoft has previously reported that there are targeted attacks that attempt to exploit this vulnerability happening in the wild.

Microsoft to release “Fix it” as workaround for IE zero-day vulnerability

(LiveHacking.Com) – In the next few days Microsoft will release a “Fix it” as a workaround for the recently discovered IE zero-day vulnerability. Previously Microsoft had urged users to install the Enhanced Mitigation Experience Toolkit (EMET) to help prevent a malicious website from exploiting the vulnerability. However, many commentators have pointed out that EMET needs to be installed and configured manually, a task which could be beyond some users.

“The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer,” said Microsoft in a statement.

The German government is taking this vulnerability very seriously, so much so that its Federal Office for Information Security (BSI) has published an advisory telling Internet Explorer users to switch to alternative browsers until a patch is released for IE. Microsoft is saying that it has only seen a “few attempts to exploit the issue” and that it has impacted “an extremely limited number of people,” however it is still working to fix the issue.

Microsoft will release the “Fix it” for everyone to download and install within the next few days.

Microsoft releases security advisory about zero day vulnerability in IE

(LiveHacking.Com) – I wrote yesterday about a new zero-day vulnerability in Internet Explorer that was discovered by security researcher Eric Romang while he was monitoring some servers suspected of serving malware. He discovered four files which upon analysis turned out to be a zero-day vulnerability in Internet Explorer. As a response to these reports, Microsoft has published Security Advisory 2757760 which confirms that the flaw exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft also reports that there are targeted attacks that attempt to exploit this vulnerability happening in the wild.

The vulnerability leads to corrupt memory which can then allow an attacker to execute arbitrary code. It exists because of the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer need,” wrote Microsoft in a statement.

As this is a zero-day vulnerability there is currently no fix, but Microsoft is recommending that users deploy the Enhanced Mitigation Experience Toolkit (EMET) to help prevent a malicious website from successfully exploiting the vulnerability.

The advisory also details a full set of workarounds, as alternatives to deploying EMET, which include:

  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
    This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
    This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.