Security Week 41: Good News

This is enough in the information security industry for drama. The latest means of hacking, grandiose failures in the protection systems of programs and hardware - or the complete absence of these same systems. The daily routine of spam with malicious appendages and phishing, cryptographers and stuff is not as interesting as the most complex cyber attacks, but they have to be dealt with the most.

Finding out that the password does not fit your router - it's about how to detect a broken lock in the front door. And yet, although cyber threats should be taken seriously, the real work on security begins at the moment when everyone ceases to wave their hands and speak unprintable words and get down to business. They updated the router, conducted a training on phishing with employees, installed protection from cryptographers. Even at the moment when everything is bad with information security, it makes sense to imagine how it should be good, and not rushing to move towards a beautiful future. Today is a digest of good news: Google fixed Android security, Cisco fixed Webex, Wordpress fixed Wordpress.

Let's start with the simple news : as reported by The Verge , Google has supplemented the contractual obligations of smartphone manufacturers based on the Android operating system with a separate item about security. Starting from January 31, 2019, all new phones, sold in more than one hundred thousand copies, must regularly receive security patches within two years of their release. Accordingly, manufacturers of more or less popular phones will be required to prepare and distribute these patches.


The practice of delivering patches that close security issues was introduced in 2015 — first for Google’s own phones, and later other manufacturers pulled up. Three years ago, Google began to move away from the traditional scheme of preparing updates for smartphones, when priority was given to new features, and security holes were tackled “as lucky”. In the version of Android 8.0, Oreo was introduced by Project Treble, designed to improve the situation with the fragmentation of the code base. If before this vendors were in no hurry to roll patches, fearing conflicts with their own code, now functionality and security have been completely (or something) separated. Closing vulnerabilities made easy.
')

Not everyone took advantage of these benefits. First, active devices based on the eighth (or higher) version of Android are still in the minority. Secondly, not all vendors regularly send out monthly security patches, as Security Research Labs found out in April. It is time for organizational measures. Of course, the ideal way to improve security is to develop technology so that it works more or less by itself. But this is not always the case, so now vendors will be required to support devices for at least two years. Another good news about Android: the fight against malicious applications on Google Play continues. Nearly three dozen applications with relatively useful functionality and an addition in the form of SMS interception have been removed from the official Google store.

More good news. Cisco fixed a dangerous bug in the Webex newsgroup system. Webex usually requires the installation of client software, which intercepts requests from the browser and ensures that the video stream, the contents of the desktop speaker and other things are transmitted to the user's computer. The client is constantly working, even when you are not using a conference call, and it has often become clear that he can add a couple of extra attack vectors to the system. Back in September, a vulnerability was discovered and closed, in which the WebExService.exe process was used to elevate privileges (if you already had access to the system at the rank of a regular user). And last week, a researcher, known as SkullSecurity, found a similar bug. He studied how WebExService launches the client update process, and was able to redirect this functionality to launch any process with system privileges, and even with the theoretical possibility of remote operation. I recommend reading the original research , there is described in detail the process of picking the study code with IDA Pro, full of tears and disappointments, but with the successful launch of the calculator in the end.


Finally, the good news about Wordpress: 96% of the sites on this engine use a modern version of the software. Just last week, we looked at Wordpress version statistics and came up with similar conclusions. Or did not come. 96% of the sites on Wordpress really use version 4.x, but the most current version 4.9 is used by a little more than 70%, and this release, for a minute, is already a year. At the DerbyCon conference, Wordpress developers decided, apparently, to also focus on the positive and told how they achieved (in any case) a very good indicator. The automatic update system of the engine also helped (far from all implementations work normally - it depends on the admin user), and the security notifications in the Google Search Console, and the Tide rating.


Tide is an automated test suite that evaluates plug-in security. It is assumed that the Tide rating will eventually be displayed alongside the user rating of the plugin (as in the screenshot), which will motivate developers to code more reliably . So far, the rating has not been demonstrated, the system is in development, and, judging by the notes on the project website, release 1.0 is coming. Automated tests by definition can not find all the vulnerabilities, but their task is not in this. Quickly assessing the code for well-known security problems is a good start. Moreover, the real cases of hacking sites on Wordpress most often occur through vulnerable extensions. In addition, Wordpress will now warn users if their site uses a no longer supported version of PHP 5.6. Useful feature for customers of companies that provide "Wordpress out of the box." And topical: according to the W3Techs website , at the time of publication, the fifth version of PHP was used by more than 60% of the sites.


All good!

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.