
Posts by Will Dormann

Life Beyond Microsoft EMET

• Blog
Will Dormann

Approximately eight years ago (September 2010), Microsoft released EMET (Enhanced Mitigation Experience Toolkit) 2.0. In the world of software defenders, there was much rejoicing. EMET allows users to opt in to vulnerability exploit mitigations without being at the mercy of their software vendors. Fast-forward to November 2016: Microsoft released a blog post called Moving Beyond EMET, which announced the end-of-life (EOL) date of EMET and explained why Windows 10...

When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults

• Blog
Will Dormann

As a vulnerability analyst at the CERT Coordination Center, I am interested not only in software vulnerabilities themselves, but also exploits and exploit mitigations. Working in this field, it doesn't take too long to realize that there will never be an end to software vulnerabilities. That is to say, software defects are not going away. For this reason, software exploit mitigations are usually much more valuable than individual software fixes. Being able to mitigate entire...

Announcing CERT Tapioca 2.0 for Network Traffic Analysis

• Blog
Will Dormann

A few years ago, I announced the release of CERT Tapioca for MITM Analysis. This virtual machine was created for the purpose of analyzing Android applications to find apps that don't validate SSL certificates. Since the original release of Tapioca, we have received a request to make it easier to use and add some additional features. The new version of CERT Tapioca improves on the original in multiple ways in that it offers the following:...

Automatically Stealing Password Hashes with Microsoft Outlook and OLE

• Blog
Will Dormann

Back in 2016, a coworker of mine was using CERT BFF, and he asked how he could turn a seemingly exploitable crash in Microsoft Office into a proof-of-concept exploit that runs calc.exe. Given Address Space Layout Randomization (ASLR) on modern Windows platforms, this isn't as easy as it used to be. One strategy to bypass ASLR that is possible in some cases is to leverage a memory leak to disclose memory addresses. Another strategy that...

The Curious Case of the Bouncy Castle BKS Passwords

• Blog
Will Dormann

While investigating BKS files, the path I went down led me to an interesting discovery: BKS-V1 files will accept any number of passwords to reveal information about potentially sensitive contents! In preparation for my BSidesSF talk, I've been looking at a lot of key files. One file type that caught my interest is the Bouncy Castle BKS (version 1) file format. Like password-protected PKCS12 and JKS keystore files, BKS keystore files protect their contents from...

The Consequences of Insecure Software Updates

• Blog
Will Dormann

In this blog post, I discuss the impact of insecure software updates as well as several related topics, including mistakes made by software vendors in their update mechanisms, how to verify the security of a software update, and how vendors can implement secure software updating mechanisms....

The Twisty Maze of Getting Microsoft Office Updates

• Blog
Will Dormann

While investigating the fixes for the recent Microsoft Office OLE vulnerability, I encountered a situation that led me to believe that Office 2016 was not properly patched. However, after further investigation, I realized that the update process of Microsoft Update has changed. If you are not aware of these changes, you may end up with a Microsoft Office installation that is missing security updates. With the goal of preventing others from making similar mistakes as...

Windows 10 Cannot Protect Insecure Applications Like EMET Can

• Blog
Will Dormann

Recently, Microsoft published a blog post called Moving Beyond EMET that appears to make two main points: (1) Microsoft will no longer support EMET after July 31, 2018, and (2) Windows 10 provides protections that make EMET unnecessary. In this blog post, I explain why Windows 10 does not provide the additional protections that EMET does and why EMET is still an important tool to help prevent exploitation of vulnerabilities....

The Risks of Google Sign-In on iOS Devices

• Blog
Will Dormann

The Google Identity Platform is a system that allows you to sign in to applications and other services by using your Google account. Google Sign-In is one such method for providing your identity to the Google Identity Platform. Google Sign-In is available for Android applications and iOS applications, as well as for websites and other devices. Users of Google Sign-In find that it integrates well with the Android platform, but iOS users (iPhone, iPad, etc.)...

Bypassing Application Whitelisting

• Blog
Will Dormann

Application whitelisting is a useful defense against users running unapproved applications. Whether you're dealing with a malicious executable file that slips through email defenses, or you have a user that is attempting to run an application that your organization has not approved for use, application whitelisting can help prevent those activities from succeeding. Some enterprises may deploy application whitelisting with the idea that it prevents malicious code from executing. But not all malicious code arrives...

Who Needs to Exploit Vulnerabilities When You Have Macros?

• Blog
Will Dormann

Recently, there has been a resurgence of malware that is spread via Microsoft Word macro capabilities. In 1999, CERT actually published an advisory about the Melissa virus, which leveraged macros to spread. We even published an FAQ about the Melissa virus that suggests to disable macros in Microsoft Office products. Why is everything old new again? Reliability of the exploit is one reason, but the user interface of Microsoft Office is also to blame....

Visualizing CERT BFF String Minimization

• Blog
Will Dormann

I've been working on a presentation called CERT BFF - From Start to PoC. In the process of preparing my material, I realized that a visualization could help people understand what happens during the BFF string minimization process....

Supporting the Android Ecosystem

• Blog
Will Dormann

A few months ago, a widely-publicized set of vulnerabilities called StageFright hit the Android ecosystem. While Google fixed the vulnerabilities in what appears to be a reasonable amount of time, the deployment of those fixes to end-user devices is another story. Many Android devices have a lengthy supply chain, which can make the process of deploying OS updates a slow and uncertain process. In this blog post, I investigate the supply chain of the Android...

Instant KARMA Might Still Get You

• Blog
Will Dormann

About a year ago, I started looking into Android applications that aren't validating SSL certificates. Users of these applications could be at risk if they fall victim to a man-in-the-middle (MITM) attack. Earlier this year, I also wrote about the risks of MITM attacks on environments that use SSL inspection. Lately I've been checking whether iOS applications are consistently checking SSL certificates, and they appear to be pretty similar to Android applications in that regard....

The Risks of Disabling the Windows UAC

• Blog
Will Dormann

While investigating a few of the exploits associated with the recent HackingTeam compromise, I realized an aspect of the Windows User Account Control (UAC) that might not be widely known. Microsoft has published documents that indicate that the UAC is not a security boundary. For these or other reasons, some folks may have disabled the UAC on their Windows systems. I will explain in this blog post why disabling the UAC is a bad idea....

The Risks of SSL Inspection

• Blog
Will Dormann

Recently, SuperFish and PrivDog have received some attention because of the risks that they both introduced to customers because of implementation flaws. Looking closer into these types of applications with my trusty CERT Tapioca VM at hand, I've come to realize a few things. In this blog post, I will explain the following: the capabilities of SSL and TLS are not well understood by many; SSL inspection is much more widespread than I suspected; many applications that...

Vulnerabilities and Attack Vectors

• Blog
Will Dormann

Occasionally this blog will highlight different posts from the SEI blogosphere. Today we are highlighting a recent post by Will Dormann, a senior member of the technical staff in the SEI's CERT Division, from the CERT/CC Blog. This post describes a few of the more interesting cases that Dormann has encountered in his work investigating attack vectors for potential vulnerabilities. An attack vector is the method that malicious code uses to propagate itself or infect...

Announcing CERT Tapioca for MITM Analysis

• Blog
Will Dormann

Hi folks, it's Will. Recently I have been investigating man-in-the-middle (MITM) techniques for analyzing network traffic generated by an application. In particular, I'm looking at web (HTTP and HTTPS) traffic. There are plenty of MITM proxies, such as ZAP, Burp, Fiddler, mitmproxy, and others. But what I wanted was a transparent network-layer proxy, rather than an application-layer one. After a bit of trial-and-error investigation, I found a software combination that works well for this purpose....

Bundled Software and Attack Surface

• Blog
Will Dormann

Hi, it's Will. We are all probably annoyed by software that bundles other applications that we didn't ask for. You want a specific application, but depending on what the application is, where you downloaded it from, and how carefully you paid attention to the installation process, you could have some extra goodies that came along for the ride. You might have components referred to as adware, foistware, scareware, potentially unwanted programs (PUPs), or worse. Sure,...

Heartbleed: Q&A

• Blog
Will Dormann

The Heartbleed bug, a serious vulnerability in the OpenSSL cryptographic software library, enables attackers to steal information that, under normal conditions, is protected by the Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption used to secure the internet. Heartbleed and its aftermath left many questions in its wake: Would the vulnerability have been detected by static analysis tools? If the vulnerability has been in the wild for two years, why did it take so long to...

Taking Control of Linux Exploit Mitigations

• Blog
Will Dormann

Hey, it's Will. In my last two blog entries, I looked at aspects of two exploit mitigations (NX and ASLR) on the Linux platform. With both cases, Linux left a bit to be desired. In this post, I will explain how to add further exploit protections to Linux....

Differences Between ASLR on Windows and Linux

• Blog
Will Dormann

Hi folks, it's Will again. In my last blog entry, I discussed a behavior of NX on the Linux platform. Given that NX (or DEP as it's known on the Windows platform) and Address Space Layout Randomization (ASLR) work hand-in-hand, it's worth looking into how ASLR works on Linux. As it turns out, the implementation of ASLR on Linux has some significant differences from ASLR on Windows....

Feeling Insecure? Blame Your Parent!

• Blog
Will Dormann

Hey, it's Will. I was recently working on a proof of concept (PoC) exploit using nothing but the CERT BFF on Linux. Most of my experience with writing a PoC has been on Windows, so I figured it would be wise to expand to different platforms. However, once I got to the point of controlling the instruction pointer, I was surprised to discover that there was really nothing standing in the way of achieving code...

Hacking the CERT FOE

• Blog
Will Dormann

Occasionally this blog will highlight different posts from the SEI blogosphere. Today we are highlighting a recent post by Will Dormann, a senior member of the technical staff in the SEI's CERT Division, from the CERT/CC Blog. In this post, Dormann describes how he modifies the CERT Failure Observation Engine (FOE) when he encounters apps that "don't play well" with the FOE. The FOE is a software testing tool that finds defects in applications running on...

Hacking the CERT FOE

• Blog
Will Dormann

Hey folks, it's Will. Every now and then I encounter an app that doesn't play well with FOE. You don't have to throw your hands up in defeat, though. Because FOE (and BFF) are written in Python, it's pretty easy to modify them to do what you like....

BFF 2.7 on OS X Mavericks

• Blog
Will Dormann

Hi folks, it's Will. Apple has released OS X Mavericks. Because BFF 2.7 was released before Mavericks, BFF doesn't work right out of the box. But it's actually quite simple to get it working....

Vulnerabilities and Attack Vectors

• Blog
Will Dormann

Hi, this is Will Dormann of the CERT Vulnerability Analysis team. One of the responsibilities of a vulnerability analyst is to investigate the attack vectors for potential vulnerabilities. If there isn't an attack vector, then a bug is just a bug, right? In this post, I will describe a few interesting cases that I've been involved with....

Signed Java Applet Security Improvements

• Blog
Will Dormann

Hi folks, it's Will Dormann. A few months ago I published a blog entry called Don't Sign that Applet! that outlined some concerns with Oracle's guidance that all Java applets should be signed. The problem is that with Java versions prior to 7u25, there is nothing that prevents a signed applet from being repurposed by an attacker to execute with full privileges. As it turns out, Java 7u25 introduced features to prevent a Java applet...

One Weird Trick for Finding More Crashes

• Blog
Will Dormann

Hi folks. It's Will Dormann from the CERT Vulnerability Analysis team. Today we're announcing the release of updates to both of our fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.7 and the CERT Failure Observation Engine (FOE) version 2.1. In this blog entry I will describe some of the major changes with these tools....

The Risks of Microsoft Exchange Features that Use Oracle Outside In

• Blog
Will Dormann

The WebReady and Data Loss Prevention (DLP) features in Microsoft Exchange greatly increase the attack surface of an Exchange server. Specifically, Exchange running on Windows Server 2003 is particularly easy to exploit. It's public knowledge that Microsoft Exchange uses Oracle Outside In. WebReady, which was introduced with Exchange 2007, provides document previews through the use of the Oracle Outside In library. Outside In can decode over 500 different file formats and has a history of...

Don't Sign that Applet!

• Blog
Will Dormann

Occasionally this blog will highlight different posts from the SEI blogosphere. Today's post by Will Dormann, a senior member of the technical staff in the SEI's CERT Program, is from the CERT/CC (Coordination Center) blog. This post explores Dormann's investigation into the state of signed Java applet security....

Don't Sign that Applet!

• Blog
Will Dormann

Hi, it's Will. I've recently been looking into the state of signed Java applet security. This investigation was triggered by the Oracle blog post IMP: Your Java Applets and Web Start Applications Should Be Signed, which as the title implies, suggests that all Java developers sign their applets, regardless of the privileges required. In this blog entry, I explain why this practice is a bad idea....

Signed Java and Cisco AnyConnect

• Blog
Will Dormann

A few years ago, I published a blog entry called Signed Java Applet Security: Worse than ActiveX? In that entry, I explained the problems that arise when a vulnerability is discovered in a signed Java applet. Let's see how the Cisco AnyConnect vulnerability is affected. US-CERT Vulnerability Note VU#490097 describes a vulnerability in the Cisco AnyConnect ActiveX and Java clients that allows an attacker to download and execute arbitrary code. The vulnerability note indicates that...

Effectiveness of Microsoft Office File Validation

• Blog
Will Dormann

Microsoft recently released a component for Office called Office File Validation that is supposed to help protect against attacks using malformed files. Because I recently performed file fuzzing tests on Microsoft Office, I decided to test the effectiveness of Office File Validation....

A Security Comparison: Microsoft Office vs. Oracle Openoffice

• Blog
Will Dormann

Recently, Dan Kaminsky published a blog entry that compared the fuzzing resiliency of Microsoft Office and Oracle OpenOffice. This blog entry contains the results from a similar test that I performed in November 2010. Also included are some other aspects of the Office suites that can affect the software's security....

CERT Basic Fuzzing Framework

• Blog
Will Dormann

Hi folks. I've been involved in a fuzzing effort at CERT. One of the ways that I've been able to discover vulnerabilities is through "dumb" or mutational fuzzing. We have developed a framework for performing automated dumb fuzzing. Today we are releasing a simplified version of automated dumb fuzzing, called the Basic Fuzzing Framework (BFF)....

Plain Text Email in Outlook Express

• Blog
Will Dormann

Reading email messages in plain text seems like a reasonable thing to do to improve the security of your email client. Plain text takes less processing than HTML, which should help minimize your attack surface, right? As it turns out, Outlook Express (and its derivatives) is doing more than you think when it is configured with the "Read all messages in plain text" option enabled....

Internet Explorer Kill-Bits

• Blog
Will Dormann

The Kill-Bit (or "killbit") is a Microsoft Windows registry value that prevents an ActiveX control from being used by Internet Explorer. More information is available in Microsoft KB article 240797. If a vulnerability is discovered in an ActiveX control or COM object, a common mitigation is to set the killbit for the control, which will cause Internet Explorer to block use of the control. Or will it?...

Vulnerabilities and Attack Surface

• Blog
Will Dormann

Two recent US-CERT Vulnerability Notes describe similar issues in the Adobe Reader and Foxit Reader PDF viewing applications. The vulnerabilities, in which both applications failed to properly handle JPEG2000 (JPX) data streams, were discovered as part of our Vulnerability Discovery initiative. The two vulnerability notes are quite similar, except for one aspect: attack surface....

Release of Dranzer ActiveX Fuzzing Tool

• Blog
Will Dormann

Hi, it's Will. As previously mentioned, we have been investigating and discovering ActiveX vulnerabilities over the past few years. Today we released the Dranzer tool that we have developed to test ActiveX controls. We've been using the Dranzer ActiveX fuzz testing tool for over three years, and we've found a large number of vulnerabilities with it. I've tagged a few of the US-CERT Vulnerability notes with the "Dranzer" keyword to show the sort of vulnerabilities...

Windows Installer Application Resiliency

• Blog
Will Dormann

Hi, it's Will again. Recently, I was investigating the effectiveness of the workarounds for the Adobe Reader JBIG2 vulnerability, and I encountered an unexpected situation. In certain situations, the application resiliency feature of Windows Installer can actually undo some of the steps taken to mitigate a vulnerability....

Internet Explorer Vulnerability Attack Vectors

• Blog
Will Dormann

Hey, it's Will. I noticed that several blogs, including Trend Micro and McAfee, have been talking about the recent attacks on the Internet Explorer 7 vulnerability that was fixed in MS09-002. An interesting thing about these exploits is the attack vector. The technique used in these attacks has several security impacts that may not be immediately obvious....

Reference Implementations for Securing Your Web Browser Guidelines

• Blog
Will Dormann

It's Will again, with the first blog entry of 2009. Our Securing Your Web Browser document describes how to make your web browser more secure, but applying all of the necessary changes can be a bit tedious. To make the process easier, we developed reference implementations of the guidelines for both Microsoft Internet Explorer and Mozilla Firefox....

Reported Vulnerability in CERT Secure Coding Standards Website

• Blog
Will Dormann

Hi, it's Will. Recently, a blog author reported that the CERT® Secure Coding Standards website, which runs on Atlassian Confluence, contained a SQL injection vulnerability. After analyzing the report and discussing it with the Confluence vendor, we have concluded that the behavior described is not a vulnerability....

Carpet Bombing and Directory Poisoning

• Blog
Will Dormann

Hey, it's Will. Earlier this year, details about "carpet bombing" attacks were released. Apple addressed the issue by prompting users before downloading files, but recent news indicates that Google Chrome, which is based on Apple's WebKit code, is also vulnerable to the same type of attack. However, some people seem to be missing an aspect of the attack that affects all web browsers....

ActiveX Vulnerability Discovery at the CERT/CC

• Blog
Will Dormann

Hi, it's Will. Anybody who has been keeping an eye on the US-CERT Vulnerability Notes has probably noticed that I've published a lot of ActiveX vulnerabilities. So it should be no surprise to learn that we have been testing ActiveX controls and discovering vulnerabilities in the process....

Signed Java Applet Security: Worse than ActiveX?

• Blog
Will Dormann

Hi, it's Will again. ActiveX vulnerabilities seem to be getting a lot of attention lately. However, Java applets are also a concern. The classic understanding of a Java applet is that it runs in a sandbox in your web browser. This model prevents a Java applet from accessing sensitive resources, such as your file system or registry. So, barring vulnerabilities in the Java Virtual Machine (JVM), Java applets should not have the ability to do...

Is Your Adobe Flash Player Updated?

• Blog
Will Dormann

Hey, it's Will. As you may already be aware, there is active exploitation of a vulnerability in Adobe Flash. So, it's a good idea to make sure that you have the latest version of Flash Player, which, at the time of this writing, is 9.0.124.0. Even if you think that you are up to date, can you be sure?...

The Dangers of Windows AutoRun

• Blog
Will Dormann

Hi, this is Will Dormann of the CERT/CC Vulnerability Analysis team. A few months ago, reports of infected digital picture frames hit the media. I was curious about how the malicious code was being executed, so I began investigating the Microsoft AutoRun and AutoPlay features....
