search menu icon-carat-right cmu-wordmark

Subject: Best Practices

When

When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults

• CERT/CC Blog
Will Dormann

As a vulnerability analyst at the CERT Coordination Center, I am interested not only in software vulnerabilities themselves, but also exploits and exploit mitigations. Working in this field, it doesn't take too long to realize that there will never be an end to software vulnerabilities. That is to say, software defects are not going away. For this reason, software exploit mitigations are usually much more valuable than individual software fixes. Being able to mitigate entire...

Read More
Automatically Stealing Password Hashes with Microsoft Outlook and OLE

Automatically Stealing Password Hashes with Microsoft Outlook and OLE

• CERT/CC Blog
Will Dormann

Back in 2016, a coworker of mine was using CERT BFF, and he asked how he could turn a seemingly exploitable crash in Microsoft Office into a proof-of-concept exploit that runs calc.exe. Given Address Space Layout Randomization (ASLR) on modern Windows platforms, this isn't as easy as it used to be. One strategy to bypass ASLR that is possible in some cases is to leverage a memory leak to disclose memory addresses. Another strategy that...

Read More
The CERT Guide to Coordinated Vulnerability Disclosure

The CERT Guide to Coordinated Vulnerability Disclosure

• CERT/CC Blog
Allen Householder

We are happy to announce the release of the CERT® Guide to Coordinated Vulnerability Disclosure (CVD). The guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into how CVD can go awry and how to respond when it does so....

Read More
The Consequences of Insecure Software Updates

The Consequences of Insecure Software Updates

• CERT/CC Blog
Will Dormann

In this blog post, I discuss the impact of insecure software updates as well as several related topics, including mistakes made by software vendors in their update mechanisms, how to verify the security of a software update, and how vendors can implement secure software updating mechanisms....

Read More
The Twisty Maze of Getting Microsoft Office Updates

The Twisty Maze of Getting Microsoft Office Updates

• CERT/CC Blog
Will Dormann

While investigating the fixes for the recent Microsoft Office OLE vulnerability, I encountered a situation that led me to believe that Office 2016 was not properly patched. However, after further investigation, I realized that the update process of Microsoft Update has changed. If you are not aware of these changes, you may end up with a Microsoft Office installation that is missing security updates. With the goal of preventing others from making similar mistakes as...

Read More
The Risks of Google Sign-In on iOS Devices

The Risks of Google Sign-In on iOS Devices

• CERT/CC Blog
Will Dormann

The Google Identity Platform is a system that allows you to sign in to applications and other services by using your Google account. Google Sign-In is one such method for providing your identity to the Google Identity Platform. Google Sign-In is available for Android applications and iOS applications, as well as for websites and other devices. Users of Google Sign-In find that it integrates well with the Android platform, but iOS users (iPhone, iPad, etc.)...

Read More
Bypassing Application Whitelisting

Bypassing Application Whitelisting

• CERT/CC Blog
Will Dormann

Application whitelisting is a useful defense against users running unapproved applications. Whether you're dealing with a malicious executable file that slips through email defenses, or you have a user that is attempting to run an application that your organization has not approved for use, application whitelisting can help prevent those activities from succeeding. Some enterprises may deploy application whitelisting with the idea that it prevents malicious code from executing. But not all malicious code arrives...

Read More
Who Needs to Exploit Vulnerabilities When You Have Macros?

Who Needs to Exploit Vulnerabilities When You Have Macros?

• CERT/CC Blog
Will Dormann

Recently, there has been a resurgence of malware that is spread via Microsoft Word macro capabilities. In 1999, CERT actually published an advisory about the Melissa virus, which leveraged macros to spread. We even published an FAQ about the Melissa virus that suggests to disable macros in Microsoft Office products. Why is everything old new again? Reliability of the exploit is one reason, but the user interface of Microsoft Office is also to blame....

Read More
Supporting the Android Ecosystem

Supporting the Android Ecosystem

• CERT/CC Blog
Will Dormann

A few months ago, a widely-publicized set of vulnerabilities called StageFright hit the Android ecosystem. While Google fixed the vulnerabilities in what appears to be a reasonable amount of time, the deployment of those fixes to end-user devices is another story. Many Android devices have a lengthy supply chain, which can make the process of deploying OS updates a slow and uncertain process. In this blog post, I investigate the supply chain of the Android...

Read More