
Security Week 40: a non-vulnerability in WinRAR, a veteran bug in Firefox, a Microsoft update oops

I wonder what will happen when all problems with information security are resolved? Will our threatpost.ru news site be repurposed as a digest of cat photos? Will such a bright future ever come at all? Yes, if we assume that the IT industry is growing too fast and is still suffering from "childhood" diseases, and that once it has outgrown them, grace will descend. I believe that at some point in the future the approach to digital security will change qualitatively. But we should not forget that the Internet is a model of the real world, which has everything in it: lone geniuses building the next Google in a garage, large companies with their own interests, ordinary people, and finally those who are ready to profit at someone else's expense. Cybercriminals can make life much harder, but is it possible to get rid of them altogether?

What brought me to these reflections was an unusual event: one of the most-read news items of the past week (about a bug in Firefox) has nothing to do with security. Well, almost nothing. Nevertheless, the Threatpost audience's interest in it was the highest of the week (the editors should definitely try cats!). The second news item is about a vulnerability that, in fact, is not one. The third is about a Microsoft update that did nothing and then disappeared. In short, nothing happened this week. If so, let's talk about the difference between real and theoretical threats. The usual rules: every week the editors of the Threatpost news site select the three most significant news items, to which I add an extended and merciless commentary. All episodes of the series can be found here.

(Pseudo) zero-day vulnerability in WinRAR self-extracting archives
News. Research. RARLAB's reaction.

Iranian researcher Mohammed Reza Espargham discovered a vulnerability in WinRAR: not in the program itself, but in the self-extracting archives it can create. At first glance everything is serious. Using a feature of the archiver, you can arrange for arbitrary HTML code to be executed when someone tries to unpack the archive, which allows anything at all to be downloaded from the network and run. The contents of the archive itself can be entirely harmless. The vulnerable feature allows text to be displayed on screen during unpacking, and, as it turned out, it accepts and processes HTML.

The creators of WinRAR disagree, and to understand their position it is enough to reduce the description of the vulnerability to: "something bad can happen to a user who downloads some shady file from the Internet and launches it". Did I miss anything? This is the fundamental and unfixable vulnerability of computers: they execute ALL the code that is run on them. As evidence, WinRAR cites the proof of concept for another "zero-day": a self-extracting archive can be configured to launch its contents automatically without asking the user. Fatality!


And here are the cats!

Both sides are right in their own way. It is precisely the non-standard use of standard tools that can open up a serious security hole. An encryption program can be used to encrypt data for safety, or to demand ransom from the victims of ransomware. Overall, the danger level is pear-colored with a tint of chartreuse.

But there is one more thing. WinRAR really is a very common program and, unlike the rest of the software in the "standard set", it does not require constant updates. This, you know, is not a browser, where something new arrives every month. It just works and keeps working. Two years ago we published a study showing how users update vulnerable software. Let's say they update not very quickly: for example, back then it took 7 weeks for at least 30% of users to switch to the new version of Java. A critical vulnerability in WinRAR 3.71 and earlier was also included in that study. We did not investigate its prevalence in detail, since nobody was exploiting it much, but we did look at the update data and were horrified: five years after the hole was found, a vulnerable version of WinRAR sat on tens of thousands of computers, and nobody was going to update it. Well, why would they? What's more, the archiver has no auto-update mechanism. As long as there are Java, Flash and browsers, cybercriminals can't be bothered to spend time breaking such programs. But what if the habitual targets become harder to break?

The incredible adventures of a blank Windows update
News. Discussion on the Microsoft forum with details.

On September 30, without any declaration of war, the Windows update system started speaking to users in gibberish.

Literally. "Hello, this is an important update from the language-pack category, after installing which your computer will need # # ^% @ # $ R @% @% @ # $ pysch # @% # @% # ^ @ ^ $ @ ^ press". The few users who actually watch what arrives through Windows Update raised the alarm: some kind of garbage appeared, tried to install, failed, and then instantly disappeared! Later it turned out that a similar (well, at least similar-looking) mishap had also occurred on August 20.


Screenshot from the discussion on the Microsoft website.

Later, a company representative confirmed that the update was a test and had been sent to users by mistake. You can, so to speak, relax and calm down. Was there any reason for alarm? In fact there was: a compromise of the Windows update system could create an apocalypse on the net beyond anything Hollywood has dreamed of. Take arbitrary code, send it to millions of users and install it without their knowledge... Fortunately, this is unlikely: encryption, digital signatures. In one of the previous episodes I discussed a specific example of an unlikely WSUS hack, which shows well that it is thoroughly impossible to smash this system into small pieces.

More precisely, we all very much hope that this is so.

Firefox closes a 14-year-old memory bug
News. A post by the developer of Adblock Plus, the main victim of the bug. The bug itself. News about the really important fixes in the Firefox 41 release.

Briefly, the main thing: the Firefox browser eats a lot of memory. With the release of Firefox 41 it has curbed its appetite, provided you have the AdBlock Plus extension installed. The problem was that the ad-blocking extension and the browser itself did not interact correctly: because of the way ads are hidden using CSS styles, the browser reserved large amounts of memory, in some cases up to 2 gigabytes.

The original bug was filed on April 27, 2001, and had been discovered in prerelease version 0.9.3. Around that time, the first Mac OS X, Windows XP and the very first iPod player were released, and the SATA and USB 2.0 interfaces appeared. And most importantly, the V.92 modem protocol appeared, and Microsoft killed off the paper clip (pictured on the right). What an eventful year it was!

In general, a bug that is unpleasant but harmless. I suspect that for ten of those fourteen years the Firefox and Adblock developers were figuring out whose side the problem was on. And really serious vulnerabilities in software are fixed quickly. Right? Wrong. While searching for ancient bugs I stumbled upon this one: in Red Hat distributions (and not only there), the authenticity of the installed software is not checked during installation or upgrade, which in theory lets an attacker gain control of the system if it was installed or updated from an infected mirror. The bug was opened on January 30, 1999! Back then it was not about mirrors at all, but about malicious floppy disks. Closed (and not everyone thinks completely) in August 2014.

Well, okay, this bug, like the WinRAR SFX "vulnerability" described above, is not really a bug at all, but an observation of the "if we put the laptop in the fire, it will burn" kind. And it was not so much fixed as used as an opportunity, through the bug tracker, to hold a leisurely 15-year discussion of certain aspects of security in (any variety of) Linux. Is this bug proof that Linux cannot be protected? Of course not.

Let me go a step further and suggest that the rapid closure of all vulnerabilities does not, by itself, increase security. Here, for example, they write that software developers spend on average 100-120 days developing patches. I would like it to be faster, but does this mean that every unpatched hole will necessarily be exploited? Also no. There are so many types of attacks and potential vulnerabilities that an attempt to analyze everything at once turns into white noise.

Once upon a time there was a threat indicator on the Lab's website; with its help you could assess how things stood with security for everyone at once. Over time it turned into an analogue of the Doomsday Clock: that is, it made an impression but no longer reflected the objective picture, and it was removed. The danger level is now each person's and each company's own: it depends on how easy you are to hack, on the value of the data that can be obtained, and on how seriously you approach protecting that data.

What else happened:
There is actually a lot of news, although it is all fairly routine.
Another vulnerability has been found in Android's Stagefright library. Whereas the previous one was exploited via MMS, the new one allows arbitrary code execution after a specially crafted page is opened in the browser. This time the problem is in the library's processing of media metadata (audio or video).

101 bugs were fixed in Mac OS X with the release of the new version, El Capitan. In addition, iOS 9.0.2 closed yet another way to bypass the lock screen, this time using Siri (Hey Siri, DROP TABLE).

TrueCrypt was searched for backdoors for a very long time (I wrote more about this in the 2014 year-end results), but none were found; instead a vulnerability was found which, incidentally, also does not allow decrypting the encrypted data. Instead, an installed TrueCrypt can be used for remote privilege escalation. Fixed in the TrueCrypt spin-off called VeraCrypt.

Mobile phones can be used for DDoS. In this particular case, it is suspected that a banner with JavaScript that "knocked" on the victim's website was pushed out through an advertising network. Interestingly, such an attack can cost literally pennies. And although DDoS protection will repel it, sites without it are now much more likely to come under fire.

Antiquities:
"Bebe"

A non-resident dangerous virus. It infects the .COM files of the current directory. It increases the file size to a multiple of a paragraph, copies itself to the end of the file and modifies the first 14 bytes (PUSH AX; ...; JMP FAR Loc_Virus). Non-resident, but it creates a resident program: to do this it copies part of its body into the interrupt vector table at address 0000:01CE and points interrupt 1Ch (timer) at it. After a while, a message appears on the screen:

VIRUS!
Skagi "bebe">

After you type "bebe" on the keyboard, the virus replies "Fig tebe!". From the virus's vocabulary one can determine its origin quite accurately. It contains an error: it does not restore the DTA, which may cause the computer to hang. Another error: it does not take into account the instruction pipeline of Intel 80x86 processors and modifies the instruction following the current one, as a result of which it works only on older IBM PC models. Besides the text listed above, it contains the string "*.COM".

Quoted from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 60.

Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/268067/
