Stacks of patches: attackers walk around the updates to keep exploiting

Today’s software packages have become so huge and complex that stacks of patches issued one after the other are increasingly common. This has consequences for system administrators.

So far, 2014 has been a spectacular year in terms of IT security. Everyone has heard about the terrifying vulnerabilities called Heartbleed and Shellshock. They have largely overshadowed the year's other serious vulnerabilities, none of which caused a comparable scare. A number of long-running APT campaigns have also been discovered, both by Kaspersky Lab and by other researchers. At least one of the "new" APTs, Sandworm, wasn't exactly new, though.

Still, Sandworm had some interesting consequences. The 0-day vulnerability in Windows OLE (CVE-2014-4114, present in all supported versions later than XP) was promptly patched by Microsoft in MS14-060, but Microsoft soon had to issue yet another advisory for the same code: attackers had found a way around the previously released update (tracked as CVE-2014-6352), and Microsoft released a temporary Fix It to mitigate the problem until a proper update was ready. For technical details, refer to Threatpost's article on the OLE vulnerabilities exploited by the Sandworm APT group. We also recommend the long-announced, brand new research by Kaspersky Lab's experts covering BlackEnergy, the crimeware tool that Sandworm APT is using (also see Threatpost's publication on the matter).

We saw something similar with Shellshock quite recently: what looked like a single vulnerability (CVE-2014-6271) spawned several follow-up CVEs, and the first patch itself needed patching because it left part of the parser bug in place (CVE-2014-7169). A related thing happened in August, when a Microsoft update caused BSODs and had to be pulled and reissued. Patches breaking the very software they were meant to fix is not a Microsoft-specific problem, but it is a different problem: a faulty patch. With Shellshock and Sandworm the patches were incomplete or could be circumvented, and attackers simply kept exploiting the flaws.

Software packages have become so huge and complex that any given vulnerability may be only the tip of an iceberg. Most of the time it is not, but system administrators should keep in mind that installing a patch for an important, frequently targeted package is not a reason to relax. Extra work may be required right away: checking that the fix actually closes the hole rather than trusting the package version, and watching for follow-up advisories and bypasses in the days after the first update.
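As an added example of the "verify the fix, don't just trust the patch" point (this script is not part of the original post), the following shell function tests the installed bash against both the original Shellshock function-import bug and the follow-up bug that the first patch left open, instead of relying on a package version string. The TARGET_BASH variable is an assumption introduced here so another binary can be tested; the probe strings are the well-known public tests for the two CVEs.

```shell
#!/bin/sh
# Added example, not code from the original post. Probes a bash binary for
# Shellshock and for the incomplete-patch follow-up, by behaviour rather than
# by version. TARGET_BASH is an assumed variable; defaults to bash on PATH.
TARGET_BASH="${TARGET_BASH:-bash}"

# CVE-2014-6271: a vulnerable bash imports the exported variable as a function
# and executes the trailing command when the child shell starts.
check_original() {
    out=$(env x='() { :;}; echo VULNERABLE' "$TARGET_BASH" -c 'echo done' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;   # trailing command ran: still exploitable
        *) return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left parser state behind, so a crafted
# definition turns the next command into a redirection, creating a file named
# "echo" in the working directory on a still-vulnerable bash.
check_followup() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env X='() { (a)=>\' "$TARGET_BASH" -c 'echo VULNERABLE' >/dev/null 2>&1 )
    if [ -f "$dir/echo" ]; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}

# Prints one of: missing, vulnerable-original, vulnerable-followup, patched.
shellshock_status() {
    if ! command -v "$TARGET_BASH" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    if ! check_original; then
        echo vulnerable-original
    elif ! check_followup; then
        echo vulnerable-followup
    else
        echo patched
    fi
}

echo "$TARGET_BASH: $(shellshock_status)"
```

Run it after applying a bash update: a result of vulnerable-followup on a host whose package manager reports the first Shellshock fix as installed is exactly the "patch needs patching" situation described above, and the same behavioural approach applies to any other fix that a vendor has had to reissue.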