January 27, 2017 at 21:11Security Week 04: Missing Botnet, Webex Vulnerability, Apple Patches
An important technical news of the week in the field of information security was the study ( news ) of a security specialist in the Google Project Zero project, Tavis Ormandi, about the vulnerability in the Cisco Webex plug-in for the Chrome browser. Tavis specializes in extraordinary vulnerabilities (several patches for Lab products, by the way, were released thanks to it), but the problem in the plugin for the popular video conferencing service is completely non-standard.The Webex conference is essentially a separate program that runs on your computer after the participation has been initiated in the browser. Accordingly, to run native code, the Cisco Webex plugin uses the Native Messaging interface. The essence of the bug is that if you pass the plugin a URL with a certain “magic string”, then it will run any code without any checks. Perhaps this should be called a feature: it was obviously done to simplify the process of launching the desired application without special ceremonies. As a result, the user can catch the trojan by visiting the prepared web page (any), and once clicking OK on the offer to start a web conference.
The vulnerability was fixed quickly, but, according to several researchers (including Tavis himself), not completely. The new version of the plugin for Chrome restricts the ability to run code if there is a miracle line, only if the URL starts with https: //*.webex.com/. Obviously, this greatly limits the possibility of exploitation, but any XSS vulnerability on webex.com can be used in conjunction with a magic string for attack.
In short, it would be possible to comment on the news in the style of “ah-ah, horror-horror”, and in general, yes, but it seems to me that the reaction time of Cisco is here. The idea is that you need to respond quickly to vulnerabilities, and the fact that Cisco closed the hole in just a couple of days can be assessed positively. Yes, I didn’t close it completely, but judging by the fact that two more plug-in updates were released after the fix , the work is underway. In this case, the researcher could wait for the publication of the data until the final solution of the problem - all the more so since there is no information about the operation of the in-the-wild problem. But did not agree. To better negotiate, vendors and researchers need to understand that they are by no means rivals; rather, they work for a common cause. Despite the abundance of caustic comments on Twitter.
Apple patches vulnerabilities in iOS and Mac OS X
News
Earlier this week, Apple released a pack of updates for the OS and proprietary software, including patches for two serious vulnerabilities in the kernel (respectively, in iOS and Mac OS X). Little data, both on the mobile OS and on computers, a vulnerability like use after free provided escalation of privileges. Another vulnerability was discovered and closed in the libarchive module; it also allowed arbitrary code to be executed when opening a prepared archive. Several serious vulnerabilities were also closed in the WebKit component, so, taken together, it makes sense to update as quickly as possible.
Researchers find on Twitter 350,000 bots Star Wars fans do nothing
News
It seems time to add the heading “From Life” or “Curiosities” to the digest, although this news at some point in the future may suddenly cease to be funny. Two researchers from University College London discovered a botnet ... ok, not a botnet, but a collection of bots on Twitter, numbering over 350 thousand. They claim that this is the largest group of bots that have been able to combine by common features.
The study itself has not yet been published, but there are a couple of interesting details. Bots pretend to be real people with all their might: a profile is drawn up, at some point they published quotes from Star Wars, and even used geotags, and if you put them on a world map, you get even squares. All tweets are marked as published using Windows Phone - but this, of course, looks suspicious.
All bots were created within two months of 2013, each posted no more than 11 tweets, and since then none of the accounts have been active. Either someone tested the technology, or prepared the army for the future - is unclear. Interestingly, machine learning helped identify the bots: based on an analysis of 14 million accounts, the botnet was easily calculated using the most frequently used words, which were very different from those of living people and other bots (the picture above, from the article on Mashable ).
May the force be with us.
What else happened:
Following the discussion of the Guardian article last week about the alleged backdoor in Whatsapp (more in the previous digest ), the cryptographic community collects signatures fordemanding to remove the publication, apologize
An interesting initiative of cryptographers: they reasonably hint that it’s not worth talking about things that you don’t understand, much less do it publicly in the popular media. A good attempt, but no, to return the information-safe discourse back to researchers is no longer possible. It seems to me that it is necessary to explain complex things in simple words (it would be, because I myself am constantly doing this). It is advisable not to move away from the facts, but stick to them or distort them for the sake of a beautiful story - it turns out that this is a personal decision of everyone involved in the process.
Antiquities
"Prudents-1205" A
non-resident very dangerous virus that infects .EXE files by default. If an error occurs during file infection (for example, the reaction of a resident anti-virus monitor when writing to an EXE file), the file is destroyed. Contains the text: "# Prudents virus. Barcelona 20/8/89 #".
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky. 1992 year. Page 80.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.