Pikes in the lake: new bugs to keep us awake

Vulnerabilities vary. Some are considered critical, some – less problematic; their severity is determined by a few well-known factors such as ease of exploitability and popularity of software. But no matter their differences, they all require serious attention at a constant level, so that when the next Shellshock-like incident occurs, it won’t take the cybersecurity world by surprise.

A handful of new critical bugs, and attacks exploiting them, were revealed this week. All of them are rather serious, although none is as concerning as Shellshock or Heartbleed. The cybersecurity world is still on its toes from Shellshock, so almost any bug draws a lot of attention. There’s also a new trend that formed this year: all of a sudden, not only malware and APT campaigns started acquiring their own names, but the bugs too. As if they were worthy of it.

So what are we dealing with this week?

Three bugs squashed by Microsoft

First of all, the security consultancy iSIGHT Partners broke the news two days ago, announcing a cyber-espionage campaign dubbed “Sandworm” that used a zero-day vulnerability present in all versions of Windows from Vista onward. Windows XP, ironically, wasn’t affected. The zero-day was registered as CVE-2014-4114; it leverages tainted PowerPoint documents to deliver the already well-known Black Energy malware (or rather Black Energy 2, which Kaspersky Lab has been looking at for a while already). The exploit has largely been delivered by spearphishing emails since at least August.

It was patched on Tuesday along with two other, less publicized bugs – CVE-2014-4148, which was exploited through a malicious TTF embedded in a Microsoft Office file to deliver a remote access tool to the targeted system, and CVE-2014-4113, an issue that was used by an APT actor known as Hurricane Panda – for spying needs as well. Since February at least, this campaign has targeted infrastructure companies. The vulnerability was used to elevate privileges to those of the SYSTEM user.

Microsoft patched this with the MS14-058 bulletin; the appropriate updates were distributed to end users via automatic update.

And, by the way, “Sandworm” has nothing to do with malicious worms, so the name itself may look misleading, unless you’ve read Frank Herbert’s “Dune”.

Java Molten Core

The problematic Java Reflection API has drawn attention again, as Oracle released a new Critical Patch Update patching a number of critical vulnerabilities in Java, revealed the same day.

These bugs allowed for remote code execution, but also privilege escalation that could allow a hacker to gain the database administrator role for the Oracle Database. The proof-of-concept exploits, developed by the researchers who disclosed the vulnerabilities, worked against Oracle Database 11g and 12c running on Windows 64-bit systems, Linux x86/x86 64-bit and Solaris x86.

Technical details of the issues are available here.

As a matter of fact, it has long been known that Java always ranks high on the “culprit software” list, along with Adobe Flash and Reader. Issues in this software are revealed quite often, and exploited often. For instance, the latest Oracle Critical Patch Update covers 25 Java bugs, 22 of them allowing remote code execution.

The latest problems require serious and immediate attention – i.e. patches should be installed ASAP. But with Java it is actually an almost nominal situation.

POODLE

Researchers at Google revealed a new attack on the SSLv3 protocol that takes advantage of an issue with the protocol that enables a network attacker to recover the plaintext communications of a victim. The technique takes advantage of the fact that when a secure connection attempt fails, servers will fall back to older protocols, such as SSLv3, in an attempt to communicate securely with the remote client. An attacker who can trigger a connection failure can then force the use of SSLv3 and attempt the new attack.

This is a fundamental sort of problem: the “downgrade dance” is used by many TLS clients in order to work with legacy servers that are still operational.

In order to execute the attack, an adversary would need to have control of the victim’s Internet connection and have the ability to run some JavaScript inside the victim’s browser.

Technical details are available here. The problem, despite its “fundamentability”, is somewhat easy to mitigate. The easiest way is to disable SSLv3, although that will lead to compatibility issues for browsers, especially older ones, and to problems for site operators. Researchers suggest using the TLS_FALLBACK_SCSV mechanism, which solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
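The two mitigations above can be seen side by side in the server's handling of a ClientHello. The following is an added example, not code from the researchers or from any TLS library: it parses a ClientHello body and applies the fallback check described in RFC 7507. The function names, the sample cipher-suite offers and the server version range are assumptions made for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value (RFC 7507)
ALERT_PROTOCOL_VERSION = 70        # fatal alert: offered version not supported
ALERT_INAPPROPRIATE_FALLBACK = 86  # fatal alert defined by RFC 7507
SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)

def build_hello(version, suites):
    """Construct a minimal ClientHello body (sample input, no extensions)."""
    return (bytes(version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + struct.pack("!%dH" % len(suites), *suites)
            + b"\x01\x00")  # one compression method: null

def parse_client_hello(body):
    """Return (client_version, cipher_suites) from a ClientHello body."""
    if len(body) < 37:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return version, list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos))

def server_decision(body, server_min=SSL3, server_max=TLS12):
    """Decide how a server answers, given its supported version range."""
    version, suites = parse_client_hello(body)
    if version < server_min:
        return ("alert", ALERT_PROTOCOL_VERSION)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        # The client says it is retrying at a lower version, yet the server
        # supports something higher: the earlier failure was not legitimate.
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max))

SUITES = [0x002F, 0x0035]  # constructed sample offer
first_try = build_hello(TLS12, SUITES)
forced_retry = build_hello(SSL3, SUITES + [TLS_FALLBACK_SCSV])
legacy_client = build_hello(SSL3, SUITES)  # old client, never sends the SCSV
```

The `legacy_client` case is the one the SCSV cannot help with: a client that only speaks SSLv3 is still negotiated at SSLv3 unless the server raises `server_min`, which is the compatibility trade-off of disabling the protocol outright.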

Conclusion

The danger posed by a vulnerability is determined by several factors, such as the popularity of the affected software, ease of exploitation and complexity of fixing. “Standard” vulnerabilities are those in common software, such as Java, Flash, Office, etc.; those are fixed by the developers themselves. The only thing the end-users should do here is install the released patches ASAP, not months later. The Microsoft and Java vulnerabilities described above are rather “common”, although they are still critical.

So was Shellshock. It drew a lot of attention largely due to the fact that “nobody expected” anything like that from open source software, considered to be safer than proprietary software. Although when you use a piece of code that obsolete, it’s reasonable to expect it may be imperfect, to say the least.

There are many more unpleasant things, such as flaws in the common/fundamental communication and/or encryption protocols, and occasionally they bring a truly global scare. The POODLE attack exploits the inherent weakness of the TLS/SSL architecture, and it’s rather fortunate that it’s been easy to manipulate.

However, as said in the beginning, all vulnerabilities considered to be critical require close and immediate attention, whether common or not. And this is the kind of work that’s better done systematically. Again, it’s actually a good thing that, after Heartbleed and Shellshock, software vulnerabilities are being publicized more and more. A pike lives in the lake to keep all fish awake.
