Security Week 21: a hole in Whatsapp, a new vulnerability in Intel processors, Zero-Day in Windows

Three notable events in information security took place last week: the actively exploited vulnerability in WhatsApp was closed, patches were released for critical vulnerabilities in Windows, even for unsupported versions of the OS, and Intel disclosed another Spectre-like problem. Let's start with the vulnerability in a component of Remote Desktop Services (news, post on the Microsoft blog). The technical details have not been disclosed, but it is known that the bug allows an attacker to take control of a system over the RDP protocol without authorization.

The vulnerability affects Windows 7 and Windows Server 2008, as well as the unsupported Windows XP and Windows Server 2003. Brian Krebs points out the similarity to the EternalBlue bug in the SMB protocol, which in 2017 led to the large-scale WannaCry ransomware epidemic. In this case, the attacker can gain access to any unpatched system that is reachable over RDP and use it to spread the attack to other computers on the local network. Despite the prompt release of the patch, we will most likely still hear about the consequences of this bug.

To reduce the likelihood of a large-scale attack, Microsoft released patches for Windows XP and Windows Server 2003, which the company no longer officially supports. On May 14, Microsoft closed several more vulnerabilities, including the critical bug CVE-2019-0863 in the Windows Error Reporting system. Unlike the RDP problem, this vulnerability affects modern versions of the OS up to and including Windows 10 and can be used for privilege escalation. It is being actively exploited by cybercriminals.

The most discussed incident of the past week was the report of a serious vulnerability in the WhatsApp messenger (news). Vulnerability CVE-2019-3568 was closed by the WhatsApp update for Android and iOS on May 13. Interestingly, the headline change in the announcement of the new Android version was not the patch at all, but “full-screen display of stickers”.

In the discussion, it was noted that ordinary users are more likely to update the client because of the stickers; few people think about security yet. Check Point Software analyzed the patch and found a couple of new checks on the packet size of the SRTCP protocol used for Internet telephony. Apparently, the absence of these checks caused a buffer overflow. What happened after the overflow nobody knows; one can only assume that the attacker gained control over the application and exfiltrated data. Far more was said about the source of the exploit.
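The fix Check Point describes, new checks on packet size, targets a classic defect: a length read from the packet is used to copy data before anyone asks whether the receive buffer actually holds that many bytes, or whether the destination can hold them. The following C example is added here to illustrate that pattern and is not WhatsApp's code; it uses a simplified RTCP-style header (the RFC 3550 layout: a version/padding/count byte, a packet-type byte, and a 16-bit length counted in 32-bit words minus one) and constructed packets, placing the unchecked parser beside the validated one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: simplified RTCP-style header (RFC 3550 layout).
 * Illustrative code only, not the WhatsApp client's parser. */
#define RTCP_HDR_LEN 4
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t version;
    uint8_t packet_type;
    size_t payload_len;              /* bytes following the 4-byte header */
    uint8_t payload[MAX_PAYLOAD];
} parsed_packet_t;

/* Reads the 16-bit length field (32-bit words minus one) and converts it to
 * the number of payload bytes the header claims follow it. */
size_t declared_payload_len(const uint8_t *pkt)
{
    uint16_t words_minus_one = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return ((size_t)words_minus_one + 1) * 4 - RTCP_HDR_LEN;
}

/* The defect class: the declared length is trusted blindly. A length field
 * larger than the bytes received makes memcpy read past the end of `pkt`,
 * and a declared length beyond MAX_PAYLOAD overwrites past `out->payload`. */
int parse_packet_unchecked(const uint8_t *pkt, size_t pkt_len, parsed_packet_t *out)
{
    (void)pkt_len;                   /* never consulted: this is the bug */
    out->version = pkt[0] >> 6;
    out->packet_type = pkt[1];
    out->payload_len = declared_payload_len(pkt);
    memcpy(out->payload, pkt + RTCP_HDR_LEN, out->payload_len);
    return 0;
}

/* Hardened form: every length is validated before it is used. Returns 0 on
 * success and -1 for a malformed packet (no complete header, wrong version,
 * length field exceeding the bytes received, or payload exceeding the
 * destination buffer). Nothing is written to `out` on failure. */
int parse_packet_checked(const uint8_t *pkt, size_t pkt_len, parsed_packet_t *out)
{
    if (pkt == NULL || out == NULL || pkt_len < RTCP_HDR_LEN)
        return -1;                   /* not even a complete header */
    if ((pkt[0] >> 6) != 2)
        return -1;                   /* only RTP/RTCP version 2 is valid */

    size_t payload_len = declared_payload_len(pkt);
    if (payload_len > pkt_len - RTCP_HDR_LEN)
        return -1;                   /* header claims more than was received */
    if (payload_len > MAX_PAYLOAD)
        return -1;                   /* would overflow out->payload */

    out->version = pkt[0] >> 6;
    out->packet_type = pkt[1];
    out->payload_len = payload_len;
    memcpy(out->payload, pkt + RTCP_HDR_LEN, payload_len);
    return 0;
}

int main(void)
{
    /* Constructed packets: a well-formed one and one whose length field
     * (0xFFFF -> 262140 payload bytes) far exceeds the 4 bytes received. */
    const uint8_t good[8] = {0x80, 0xC8, 0x00, 0x01, 0xDE, 0xAD, 0xBE, 0xEF};
    const uint8_t oversized[4] = {0x80, 0xC8, 0xFF, 0xFF};
    parsed_packet_t p;

    printf("good packet:      %s\n",
           parse_packet_checked(good, sizeof good, &p) == 0 ? "accepted" : "rejected");
    printf("oversized length: %s\n",
           parse_packet_checked(oversized, sizeof oversized, &p) == 0 ? "accepted" : "rejected");
    /* parse_packet_unchecked(oversized, ...) is deliberately not called:
     * it would read 262140 bytes past a 4-byte buffer. */
    return 0;
}
```

The checked parser compares the declared length against two independent bounds, the bytes actually received and the size of the destination, because either one alone leaves an overflow path open. Rejecting the packet before touching `out` also keeps a half-parsed structure from being used downstream.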

According to the Financial Times, active exploitation of the vulnerability was noticed simultaneously by Facebook (the current owner of the messenger) and by the human rights organization Citizen Lab. The latter was contacted by a British lawyer who had received several video calls from unknown numbers on an Apple phone with the messenger installed. To exploit the vulnerability, a specially crafted data packet is sent to the target, which the WhatsApp client treats as a video call; the call does not need to be answered. According to the Financial Times, the vulnerability was found by the NSO Group, which specializes in selling exploits to government agencies and intelligence services. The developer could be identified from metadata.

An interesting twist was the post by Telegram founder Pavel Durov (original, translation on Habr) entitled "Why WhatsApp will never be safe." How secure Telegram itself is remains a subject for discussion, both technical and emotional. But that is not the point: Durov's post is an example of how security is becoming an advertising tool, an advantage (real or imagined) that a significant part of the target audience considers important. This is good news: if market players have to advertise their services as protected from hacking, sooner or later they will really need to do something in that direction.

We will complete the news review with four new side-channel attacks (news). The corresponding vulnerabilities were found in Intel processors; they were discovered both during internal checks at the company itself (a detailed article on the Intel website) and by researchers at the Graz University of Technology in Austria (a minisite with a “talking” URL).

The independent researchers identified four attack vectors, and for each they outlined a realistic scenario for obtaining data of interest to an attacker. In the case of the ZombieLoad attack, this is the history of pages visited in the browser. The RIDL attack allows secrets to be pulled from applications running on the system or from virtual machines. The Fallout attack can only amplify other attacks, yielding information about data previously written to memory by the operating system. Finally, the Store-to-Leak Forwarding method can theoretically be used to bypass ASLR.

Intel prefers not to adopt the creative (and slightly scary) names of the attacks and calls the whole set Microarchitectural Data Sampling (MDS). The MDS technique allows a local process to read data from memory it has no access to, using the same side-channel approach as the previously discovered Spectre family. Intel promises to fix the vulnerabilities in future processor revisions, and 8th- and 9th-generation CPUs are already partially unaffected. A microcode update will be released for the remaining processors, and as usual the added protection against the (so far theoretical) threat comes at the price of a drop in performance.

According to Intel, the drop is a few percent, but what is interesting here is the very fact that security now has a price, and one we all have to pay.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.
