Security Week 34: Nobody Patches Colonel

This week in the world of information security was a sad one. After a fun party of various bugs, Zero-deev and other research yummy, the hangover of the introduction of freshly discovered vulnerable software began. And this is such a very important topic, but utterly boring. When the editors of our site Threatpost sends a selection of important news in which three key ones are about patching holes, I start feeling sad and longing.

No, the topic is really important! Finding a vulnerability is difficult, but even harder to close it without breaking anything. There are always a dozen reasons why the release of the patch is not possible right now, in the current quarter or in general, is impossible in principle. And the problem must be solved. In today's collection of security news, there are three different topics about how vulnerabilities are left unclosed. I remind the rules: each week the editors of the news site Threatpost selects the three most significant news, to which I add an extended and merciless comment. All episodes of the series can be found here .

Another vulnerability in Android, this time in Google Admin
News MWR research .

What did you find?
Have you already noticed that news about vulnerabilities are falling in bundles? Hacked a car? Let's find a dozen more holes in the cars. Around the same pattern is built news background around Android. First Stagefright , then a couple of smaller holes, now here’s another Google Admin (com.google.android.apps.enterprise.cpanel) and escape from the sandbox box. Google Admin - one of the Android system applications - can receive URLs from other applications and, as it turned out, almost any addresses are accepted, including those beginning with "file: //". As a result, the purely network activity of loading web pages into Android WebView begins to take on the features of a file manager. But after all, all Android applications are isolated from each other? No, Google Admin has a higher priority, and by forcing it to read the “wrong” URL, the application can bypass the sandbox and get access to other people's data.
')
How to close
First of all, it is worth telling how independent researchers disclosed information. The hole was discovered in March, and then the information about it was transferred to Google. Five months later, for the third time, researchers asked the vendor how things were going, and found out that the vulnerability was not closed. On August 13, the information was published, and on August 17, Google released the patch.

By the way, Google has its own team of researchers, which finds vulnerabilities not only in its own software. The Zero project pauses 90 days before disclosing information, and in theory for the same three months, Google should patch itself. But in the case of Google Admin, firstly, something went wrong, and secondly, we all know that the release of the patch for Android does not solve the problem on all vulnerable devices. Say monthly security updates? A half a year to develop a patch if you add? Exactly.



Open security vulnerability in Schneider Electric SCADA
News ICS-CERT Advisory .

Welcome to the world of critical infrastructure! Pass, sit down, do not touch the big red switch and do not tear off the sticking out wires. Yes, they stick out here. This is normal. It always has been. But if you tear it, everything will be bad. SCADA systems (or, in our opinion, process control systems) are a special infrastructure that often controls critical critical systems, from a boiler house in a house to a nuclear power plant. Such things usually can not be turned off, change some parameters there, and in general it is better not to touch them. I recommend reading our program article on the topic. In the meantime, let us dwell on the fact that, despite its uniqueness, ordinary computers with normal Windows are sometimes used to manage the infrastructure. Unlike a typical office, where all computers and servers change about once every five years, some robot at a car factory or a centrifuge separating one extremely dangerous chemical from another can work for decades.

What did you find?
And now, in a similar system manufactured by Schneider Electric with the romantic name Modicon M340 PLC Station P34, the CPU found a number of vulnerabilities, including those allowing remote control over (whatever this system would control). Among them was an example of a chronic disease of similar devices, as well as a variety of routers and things from the Internet of things: hard-coded credentials. What specifically was hard-coded in the SCADA-system, for obvious reasons, is not disclosed, but usually it is the default login-password pair, which the vendor leaves for ease of maintenance. Or forgets to remove the test login from the code. Or something like that happens.

How closed?
No way yet. Since the presentation of the researcher Aditya Suda on DEF CON, more than two weeks have passed, but there is no patch from the vendor yet. The manufacturer of such devices can also be understood: and so the difficult task of updating vulnerable software is complicated by the fact that, as a rule, any simple technology controlled by an automated process control system causes huge losses to the owner, and sometimes it is simply impossible to do. And for how long you need to stop the process to roll a patch? And then it just earned? Were all possible features of the application of susceptible devices taken into account? In general, an extremely difficult topic that does not negate the need to patch holes. More than once it has been shown that disconnecting critical infrastructure from the Internet or closing it with a firewall does not save anything.


Developers listen to kinout with information about vulnerabilities in their code.

Open vulnerability in Mac OS X
News

Again raise the topic of responsible disclosure. In the case of a Google vulnerability, researchers waited almost five months before publishing information, although Google itself waits a maximum of 90 days. And how much do you need to wait? How much time to give the developer to close the vulnerability? Is it possible that the vendor will infinitely ask to postpone the publication, and only the publication motivates him enough to release the patch? In general, there is no standard waiting period, but they all more or less agree that it’s completely wrong to disclose the details of the vulnerability without first notifying the software developer.

What did you find?
And here's just an example, when the vendor either notified, or not. He was notified for a short time, so he did not have time to react. 18-year-old Italian researcher Luca Todesko laid out information about a serious vulnerability in Mac OS X Yosemite and Mavericks (10.9.5 - 10.10.5), which allows you to get root privileges on the attacked machine. Not remotely - the user needs to be persuaded to download and launch the exploit, but as practice shows, to persuade is usually obtained . Attached and proof of concept - in general, take it and use it.

How closed?
No way yet. According to the researcher, nobody responded to repeated requests at Apple. The researcher himself compared his publication with the disclosure of information about the new jailbreak method - they say, nothing terrible.



A rather controversial comparison, because jailbreaking is such a thing that people usually go to who know exactly what they are doing. It is impossible to force the owner of the iPhone to jailbreak if he does not want to. With the vulnerability of Todesko - options are possible. It is not surprising that the researchers criticized :



While it is known that the vulnerability does not affect the new version of Mac OS X El Capitan. We are waiting for patches.

What else happened:
Microsoft closed the hole in Internet Explorer (well, at least someone closed something). Urgent out-of-band patch, already the second in the last month.

Data users from the dating site Ashley Madison, who had previously stolen , now finally leaked to the network.

Kaspersky Lab uncovered a large cyber spy campaign, Blue Termite, with numerous victims in Japan. It is noteworthy that the cyber spies, working for at least a couple of years, significantly intensified this summer, when they were able to get to the exploit stolen from the Hacking Team.

Antiquities:
"Justice"

Very dangerous, it infects COM files when it is accessed by DOS 43h, 4Bh, 3Dh, 56h functions. It is written to the end of files and changes 5 bytes of their beginning (NOP; NOP; JMP Loc_Virus). COMMAND.COM is infected by the "Lehigh" virus algorithm. Periodically sends information recorded on the disk to a sector with a different number. It contains the text: "AND JUSTICE FOR ALL". Intercepts int 13h and int 21h.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 72.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.