
Security Week 04: missing botnet, Webex vulnerability, Apple patches

The major technical news of the week in information security was a study ( news ) by Google Project Zero researcher Tavis Ormandy of a vulnerability in the Cisco Webex plugin for the Chrome browser. Tavis specializes in out-of-the-ordinary vulnerabilities (several patches for Kaspersky Lab products, incidentally, were released thanks to him), and the problem in the plugin for the popular video conferencing service is very non-standard indeed.

A Webex conference is essentially a separate program that runs on your computer once you have joined a meeting from the browser. To launch that native code, the Cisco Webex plugin uses Chrome's Native Messaging interface. The essence of the bug: if a page passes the plugin a URL containing a certain "magic string", the plugin will run arbitrary code, with no checks at all. Perhaps it should be called a feature: it was clearly done to simplify launching the desired application without any special ceremony. As a result, a user can pick up a Trojan by visiting a prepared web page (any page at all) and clicking OK once on the offer to start a web conference.

The vulnerability was fixed quickly but, according to a number of researchers (Tavis among them), not completely. The new version of the Chrome plugin only honours the magic string if the URL starts with https://*.webex.com/. Obviously this greatly narrows the scope for exploitation, but any XSS vulnerability on webex.com can still be chained with the magic string to mount the attack.
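To make the shape of the fix concrete, here is an added example (not Cisco's or Project Zero's code; the message names, the allowlist and the sample URLs are assumptions) of the control the text describes: an extension background handler that forwards a page's launch request to a native host only after checking the sender's origin. The weak string-prefix check is a hypothetical implementation included for contrast; nothing on this page says Cisco's patch looked like it.

```javascript
// Added example, not Cisco's or Project Zero's code. It models the control the
// text describes: an extension that forwards "launch" requests from web pages
// to a native host via Native Messaging, and gates them on the sender's origin.
// chrome.* APIs do not exist in Node, so the native bridge is passed in.

// Assumed allowlist of hostnames allowed to trigger the native helper.
const ALLOWED_HOSTS = ["webex.com"];

// A hypothetical weak implementation of "URL starts with https://*.webex.com/"
// written as plain string tests. Shown only to contrast with proper parsing;
// it is not a claim about the real patch.
function naiveCheck(url) {
  return typeof url === "string" &&
    url.startsWith("https://") &&
    url.includes(".webex.com/");
}

// Parse the sender URL and compare the hostname exactly or by dot-suffix.
function isAllowedSender(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // malformed or missing URL: reject
  }
  if (parsed.protocol !== "https:") return false;
  const host = parsed.hostname.toLowerCase();
  return ALLOWED_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Build an onMessageExternal-style handler. sendNative stands in for
// chrome.runtime.sendNativeMessage; check decides whether the sender may
// reach it. Returns a decision object instead of printing.
function makeHandler(sendNative, check) {
  return function onMessage(msg, sender) {
    if (!msg || msg.type !== "launch" || typeof msg.meeting !== "string") {
      return { ok: false, reason: "bad-message" };
    }
    if (!check(sender && sender.url)) {
      return { ok: false, reason: "origin-rejected" };
    }
    // Only a meeting id crosses into native code; the page never supplies a
    // command line. A page on an allowed origin can still send anything it
    // likes, which is exactly why an XSS on that origin is enough.
    sendNative({ cmd: "launch", meeting: msg.meeting });
    return { ok: true };
  };
}

// Constructed sender URLs for the demo (not real sites).
const SAMPLE_SENDERS = [
  "https://meet.webex.com/join",
  "http://meet.webex.com/join",
  "https://evil.example/?next=https://meet.webex.com/",
  "not a url",
];

// Run both checks over the samples; returns { url: { naive, strict } }.
function compareChecks(urls = SAMPLE_SENDERS) {
  const out = {};
  for (const u of urls) {
    out[u] = { naive: naiveCheck(u), strict: isAllowedSender(u) };
  }
  return out;
}

console.table(compareChecks());
```

Run the file under Node to print the comparison table. The point the text makes survives even the parsed check: an allowed origin is trusted completely, so an XSS on webex.com would reach sendNative with whatever the injected script chose.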


In short, one could comment on this news in the "oh, the horror" style, and in general, yes, but the interesting point, it seems to me, is Cisco's reaction time. In theory, vendors must respond to vulnerabilities quickly, and the fact that Cisco closed the hole in just a couple of days can be assessed positively. Yes, it was not closed completely, but judging by the two further plugin updates released after the fix, the work is underway. In this case, the researcher could have delayed publication until the problem was finally solved, especially since there is no information about in-the-wild exploitation. But the parties did not agree on that. To negotiate better, vendors and researchers need to understand that they are by no means rivals; rather, they work for a common cause. Despite the abundance of caustic comments on Twitter.

Apple patches iOS and Mac OS X vulnerabilities
News

Earlier this week, Apple released a pack of updates for its operating systems and proprietary software, including patches for two major kernel vulnerabilities (in iOS and Mac OS X respectively). There is little detail: on both the mobile OS and on desktops, a use-after-free vulnerability allowed privilege escalation. Another vulnerability was discovered and closed in the libarchive component; it allowed arbitrary code execution when opening a crafted archive. Several serious vulnerabilities were also closed in the WebKit component, so, taken together, it makes sense to upgrade as quickly as possible.

Researchers have discovered on Twitter 350,000 bots - Star Wars fans who do nothing
News

It seems time to add a "From life" or "Curiosities" rubric to the digest, although at some point in the future this news may suddenly cease to be funny. Two researchers from University College London discovered a botnet... ok, not a botnet, but a collection of bots on Twitter numbering more than 350 thousand. They claim this is the largest group of bots that could be grouped together by common features.

The study itself has not yet been published, but there are a couple of interesting details. The bots went to some trouble to pretend to be real people: each had a designed profile, at some point they published quotes from Star Wars, and they even used geotags, and if you plot those on a world map you get neat squares. All tweets are marked as published from Windows Phone, and this, of course, looks suspicious.



All the bots were created during two months of 2013, each published no more than 11 tweets, and none of the accounts has been active since. Whether someone was testing the technology or preparing an army for the future is unclear. Interestingly, machine learning helped identify the bots: based on an analysis of 14 million accounts, the botnet was picked out easily by its most frequently used words, which differed sharply from those of living people and of other bots (picture above, from an article on Mashable ).

May the force be with us.

What else happened:

Following last week's discussion of the Guardian article about a backdoor in WhatsApp (covered in more detail in the previous digest ), the cryptographic community is collecting signatures on a demand to retract the publication, apologize and stop printing amateurish security articles . The Guardian is holding out so far, although the article was updated to acknowledge, with restraint, that there was no backdoor.

An interesting initiative from the cryptographers: they reasonably hint that you shouldn't talk about things you don't understand, much less do so publicly in the popular media. A good attempt, but no: returning the information security discourse to researchers alone will no longer work. It seems to me that complex things need to be explained in simple words (naturally, since I am constantly doing exactly that myself). It is desirable not to stray from the facts; whether to stick to them or distort them for the sake of a beautiful story turns out to be a personal decision of everyone involved in the process.

Antiquities


"Prudents-1205"

A non-resident, very dangerous virus; it infects .EXE files in the standard way. If an error occurs during infection of a file (for example, a resident anti-virus monitor reacting to a write to the EXE file), the file is deleted. It contains the text: "# Prudents virus. Barcelona 20/8/89 #".

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 80.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.

Source: https://habr.com/ru/post/320654/
