Subject: Vulnerability Mitigation
The Dangers of VHD and VHDX Files
• CERT/CC Blog
Will Dormann
Recently, I gave a presentation at BSidesPGH 2019 called Death By Thumb Drive: File System Fuzzing with CERT BFF. (The slides from my presentation are available in the SEI Digital Library.) Although my primary goal was to find bugs in kernel file-system-parsing code, a notable part of my research was investigating attack vectors. In particular, I focused on VHD and VHDX files on Windows systems. In this post, I describe some of the risks associated...
Read More
Life Beyond Microsoft EMET
• CERT/CC Blog
Will Dormann
Approximately eight years ago (September 2010), Microsoft released EMET (Enhanced Mitigation Experience Toolkit) 2.0. In the world of software defenders, there was much rejoicing. EMET allows users to not be at the mercy of their software vendors when it comes to opting in to vulnerability exploit mitigations. As we fast-forward to November 2016, Microsoft released a blog post called Moving Beyond EMET, which announced the end-of-life (EOL) date of EMET and explained why Windows 10...
Read More
When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults
• CERT/CC Blog
Will Dormann
As a vulnerability analyst at the CERT Coordination Center, I am interested not only in software vulnerabilities themselves, but also exploits and exploit mitigations. Working in this field, it doesn't take too long to realize that there will never be an end to software vulnerabilities. That is to say, software defects are not going away. For this reason, software exploit mitigations are usually much more valuable than individual software fixes. Being able to mitigate entire...
Read More
The CERT Guide to Coordinated Vulnerability Disclosure
• CERT/CC Blog
Allen Householder
We are happy to announce the release of the CERT® Guide to Coordinated Vulnerability Disclosure (CVD). The guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into how CVD can go awry and how to respond when it does so....
Read More
The Consequences of Insecure Software Updates
• CERT/CC Blog
Will Dormann
In this blog post, I discuss the impact of insecure software updates as well as several related topics, including mistakes made by software vendors in their update mechanisms, how to verify the security of a software update, and how vendors can implement secure software updating mechanisms....
Read More
The Twisty Maze of Getting Microsoft Office Updates
• CERT/CC Blog
Will Dormann
While investigating the fixes for the recent Microsoft Office OLE vulnerability, I encountered a situation that led me to believe that Office 2016 was not properly patched. However, after further investigation, I realized that the update process of Microsoft Update has changed. If you are not aware of these changes, you may end up with a Microsoft Office installation that is missing security updates. With the goal of preventing others from making similar mistakes as...
Read More
Windows 10 Cannot Protect Insecure Applications Like EMET Can
• CERT/CC Blog
Will Dormann
Recently, Microsoft published a blog post called Moving Beyond EMET that appears to make two main points: (1) Microsoft EMET will no longer support EMET after July 31, 2018, and (2) Windows 10 provides protections that make EMET unnecessary. In this blog post, I explain why Windows 10 does not provide the additional protections that EMET does and why EMET is still an important tool to help prevent exploitation of vulnerabilities....
Read More
The Risks of Google Sign-In on iOS Devices
• CERT/CC Blog
Will Dormann
The Google Identity Platform is a system that allows you to sign in to applications and other services by using your Google account. Google Sign-In is one such method for providing your identity to the Google Identity Platform. Google Sign-In is available for Android applications and iOS applications, as well as for websites and other devices. Users of Google Sign-In find that it integrates well with the Android platform, but iOS users (iPhone, iPad, etc.)...
Read More
Bypassing Application Whitelisting
• CERT/CC Blog
Will Dormann
Application whitelisting is a useful defense against users running unapproved applications. Whether you're dealing with a malicious executable file that slips through email defenses, or you have a user that is attempting to run an application that your organization has not approved for use, application whitelisting can help prevent those activities from succeeding. Some enterprises may deploy application whitelisting with the idea that it prevents malicious code from executing. But not all malicious code arrives...
Read More
Who Needs to Exploit Vulnerabilities When You Have Macros?
• CERT/CC Blog
Will Dormann
Recently, there has been a resurgence of malware that is spread via Microsoft Word macro capabilities. In 1999, CERT actually published an advisory about the Melissa virus, which leveraged macros to spread. We even published an FAQ about the Melissa virus that suggests to disable macros in Microsoft Office products. Why is everything old new again? Reliability of the exploit is one reason, but the user interface of Microsoft Office is also to blame....
Read More
Supporting the Android Ecosystem
• CERT/CC Blog
Will Dormann
A few months ago, a widely-publicized set of vulnerabilities called StageFright hit the Android ecosystem. While Google fixed the vulnerabilities in what appears to be a reasonable amount of time, the deployment of those fixes to end-user devices is another story. Many Android devices have a lengthy supply chain, which can make the process of deploying OS updates a slow and uncertain process. In this blog post, I investigate the supply chain of the Android...
Read More
Instant KARMA Might Still Get You
• CERT/CC Blog
Will Dormann
About a year ago, I started looking into Android applications that aren't validating SSL certificates. Users of these applications could be at risk if they fall victim to a man-in-the-middle (MITM) attack. Earlier this year, I also wrote about the risks of MITM attacks on environments that use SSL inspection. Lately I've been checking whether IOS applications are consistently checking SSL certificates, and they appear to be pretty similar to Android applications in that regard....
Read More
Comments on BIS Wassenaar Proposed Rule
• CERT/CC Blog
Allen Householder
Art Manion and I recently submitted comments to the Department of Commerce Bureau of Industry and Security on their proposed rule regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. While our detailed comments are lengthy, we summarize our contributions here....
Read More
The Risks of Disabling the Windows UAC
• CERT/CC Blog
Will Dormann
While investigating a few of the exploits associated with the recent HackingTeam compromise, I realized an aspect of the Windows User Account Control (UAC) that might not be widely known. Microsoft has published documents that indicate that the UAC is not a security boundary. For these or other reasons, some folks may have disabled the UAC on their Windows systems. I will explain in this blog post why disabling the UAC is a bad idea....
Read More
The Risks of SSL Inspection
• CERT/CC Blog
Will Dormann
Recently, SuperFish and PrivDog have received some attention because of the risks that they both introduced to customers because of implementation flaws. Looking closer into these types of applications with my trusty CERT Tapioca VM at hand, I've come to realize a few things. In this blog post, I will explain The capabilities of SSL and TLS are not well understood by many. SSL inspection is much more widespread than I suspected. Many applications that...
Read More
Vulnerability Coordination and Concurrency Modeling
• CERT/CC Blog
Allen Householder
Hi, it's Allen. In addition to building fuzzers to find vulnerabilities (and thinking about adding some concurrency features to BFF in the process), I've been doing some work in the area of cybersecurity information sharing and the ways it can succeed or fail. In both my vulnerability discovery and cybersecurity information sharing work, I've found that I often learn the most by examining the failures -- in part because the successes are often just cases...
Read More
Bundled Software and Attack Surface
• CERT/CC Blog
Will Dormann
Hi, it's Will. We are all probably annoyed by software that bundles other applications that we didn't ask for. You want a specific application, but depending on what the application is, where you downloaded it from, and how carefully you paid attention to the installation process, you could have some extra goodies that came along for the ride. You might have components referred to as adware, foistware, scareware, potentially unwanted programs (PUPs), or worse. Sure,...
Read More
Taking Control of Linux Exploit Mitigations
• CERT/CC Blog
Will Dormann
Hey, it's Will. In my last two blog entries, I looked at aspects of two exploit mitigations (NX and ASLR) on the Linux platform. With both cases, Linux left a bit to be desired. In this post, I will explain how to add further exploit protections to Linux....
Read More
Differences Between ASLR on Windows and Linux
• CERT/CC Blog
Will Dormann
Hi folks, it's Will again. In my last blog entry, I discussed a behavior of NX on the Linux platform. Given that NX (or DEP as it's known on the Windows platform) and Address Space Layout Randomization (ASLR) work hand-in-hand, it's worth looking into how ASLR works on Linux. As it turns out, the implementation of ASLR on Linux has some significant differences from ASLR on Windows....
Read More
Feeling Insecure? Blame Your Parent!
• CERT/CC Blog
Will Dormann
Hey, it's Will. I was recently working on a proof of concept (PoC) exploit using nothing but the CERT BFF on Linux. Most of my experience with writing a PoC has been on Windows, so I figured it would be wise to expand to different platforms. However, once I got to the point of controlling the instruction pointer, I was surprised to discover that there was really nothing standing in the way of achieving code...
Read More
Forensics Software and Oracle Outside In
• CERT/CC Blog
Will Dormann
Hi, it's Will. In this post I will discuss the risks of using forensics software to process untrusted data, as well as what can be done to mitigate those risks....
Read More
The Risks of Microsoft Exchange Features that Use Oracle Outside In
• CERT/CC Blog
Will Dormann
The WebReady and Data Loss Prevention (DLP) features in Microsoft Exchange greatly increase the attack surface of an Exchange server. Specifically, Exchange running on Windows Server 2003 is particularly easy to exploit. It's public knowledge that Microsoft Exchange uses Oracle Outside In. WebReady, which was introduced with Exchange 2007, provides document previews through the use of the Oracle Outside In library. Outside In can decode over 500 different file formats and has a history of...
Read More
Java in Web Browser: Disable Now!
• CERT/CC Blog
Art Manion
Hi, it's Will and Art here. We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers. However, after investigating the Java 7 vulnerability from August, I realized that completely disabling Java in web browsers is not as simple as it should be....
Read More
AMD Video Drivers Prevent the Use of the Most Secure Setting for Microsoft's Exploit Mitigation Experience Toolkit (EMET)
• CERT/CC Blog
Will Dormann
Microsoft EMET is an effective way of preventing many vulnerabilities from being exploited; however, systems that use AMD or ATI video drivers do not support the feature that provides the highest amount of protection....
Read More
Mitigating Slowloris
• CERT/CC Blog
Ryan Giobbi
Slowloris is a denial-of-service (DoS) tool that targets web servers. We have some suggestions about mitigation techniques and workarounds to protect your server. However, use caution if you implement any of these suggestions because they will likely have some unintended side effects....
Read More