Security Week 44: zero-day in Windows, a vulnerability in the Mirai botnet, serious MySQL holes

    We have another week of patches with nuances. Let's start with more news about the Mirai botnet, which was used for at least two large-scale DDoS attacks. Thanks to the source leak, this seemingly one-off story has turned into a large-scale series with sequels and prequels. This week there was also a spin-off: researchers from Invincea Labs dug up three vulnerabilities in Mirai's attack code (details in this news item or in the original study).

    The most serious vulnerability leads to a buffer overflow in the Mirai code. The problem is incorrect processing of the HTTP Location header, which may be present in the response of the attacked server. The code is responsible for removing the http:// prefix from the received string. This is done very simply: take the length of the string and subtract the number of prefix characters (seven of them) from it. If you slip a very short Location header (five characters) into the response, the result is a negative number (5 - 7 = -2), which leads to a buffer overflow and a crash.
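    The length arithmetic described above, as an added illustration of the bug class rather than Mirai's actual code: the unchecked subtraction goes negative on a short header, while the checked version verifies the prefix and the destination size before copying (function names and sample headers are assumed).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not Mirai's source: the "length minus
 * prefix" arithmetic the column describes, and a checked version. */
#define HTTP_PREFIX "http://"
#define HTTP_PREFIX_LEN 7

/* Unchecked: assumes the prefix is present and subtracts blindly.
 * For a 5-byte header the result is 5 - 7 = -2; a copy routine that
 * receives it as a size_t sees a huge length, hence the overflow. */
int location_payload_len_unsafe(const char *location)
{
    return (int)strlen(location) - HTTP_PREFIX_LEN;
}

/* Checked: strip the prefix only when it is actually there, and refuse
 * anything that would not fit in the destination buffer. */
bool strip_http_prefix_safe(const char *location, char *out, size_t out_cap)
{
    size_t len = strlen(location);
    const char *start = location;

    if (len >= HTTP_PREFIX_LEN &&
        strncmp(location, HTTP_PREFIX, HTTP_PREFIX_LEN) == 0) {
        start = location + HTTP_PREFIX_LEN;
        len -= HTTP_PREFIX_LEN;
    }
    if (len >= out_cap)            /* leave room for the terminator */
        return false;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}
```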

    An important point: the crash occurs in the process performing the attack. That is, you can stop the attack coming from an infected device this way, but not remove the device from the botnet. This is a very familiar situation, only inverted. If we were talking about a legitimate program, we would speak of a "critical vulnerability that can easily be exploited by an attacker using a specially crafted response to an HTTP request" or something like that. Patch urgently! And here? In theory, on the contrary, it becomes possible to suppress attacks effectively. But a moral and ethical question arises: isn't this procedure a "hack in response to a hack"?

    Hacking back, or, literally, attempting to attack the attackers, really does lead to ethical and legal difficulties. There are many reasons not to hack cybercriminals' servers, even if you really want to and all the names, passwords and addresses are known. Firstly, it is often simply illegal. Secondly, you will most likely break not the resident evil but an unsuspecting user with a trojan on their computer. Thirdly, such a practice creates a natural desire to keep purpose-built attack tools "just in case", and those migrate to the dark side remarkably easily. Your crusade against cyber-scum eventually turns into the spread of malware.



    Okay, in the context of this vulnerability, the Mirai case seems harmless: there is no exploit as such, you just tweak your web server's configuration a bit. But as I showed in the paragraph above, conceptually such an action is no different from exploiting a vulnerability in bona fide software. What do the experts advise? The authors of the report advise nothing: decide for yourself. Even the analysis of the Mirai vulnerability itself, with examples from the source, is hard to interpret: either we are informing the public, or we are helping the botnet herders fix their bots.

    What have we come to.

    Researchers from Google released information on a zero-day vulnerability in Windows before the patch was released. Microsoft is unhappy.


    The news. Post on the Google threat research team blog.

    On October 31, a group of Google security researchers published a brief description of a Windows zero-day vulnerability. The vulnerability allows a local user to escalate privileges and can be used as part of a sandbox escape. The researchers passed the information to Microsoft on October 21, giving only seven days to develop a patch. Here is where it gets interesting: the generally accepted "waiting period" (while the vendor prepares and distributes the patch) is several weeks, and in this case the time frame was much shorter. Microsoft was unable to close the vulnerability in time, so Google ended up publishing data about a serious problem for which no fix exists. Although, for example, a "crutch" was added to Chrome that makes the "escape" impossible to use in that browser.

    Why is that? Google has a public document that details waiting periods for vulnerabilities that are being actively exploited. According to the company's researchers, for in-the-wild exploits it is better to disseminate the information so that users know about the problem and can try to do something on their own, if the vendor has not yet managed a patch or at least an announcement. By the way, on October 21 Google also sent Adobe information about a vulnerability in Flash, and there everyone made it in time.

    The problem is that there are no generally accepted norms of etiquette in the relationship between vendors and researchers. Obviously, Google's arguments are valid, but Microsoft's counter-arguments are also valid. In their opinion (detailed analysis in this news item), this behavior by Google puts Microsoft customers at risk, because disclosing even a minimal amount of information about a vulnerability can lead to the exploit being used much more widely. The vulnerability is promised to be closed on November 9. But the discussion around the ethics of research work in information security will continue for a long time, until everyone finally agrees.

    Critical vulnerabilities detected in MySQL and compatible DBMS


    The news. The Legal Hackers study.

    For a change: standard vulnerabilities without nuances or flame wars. In September, I mentioned a critical vulnerability in MySQL, which has since been closed. Its discoverer, Dawid Golunski of the Legal Hackers group, decided not to stop there and reported two new serious vulnerabilities affecting both MySQL and the MariaDB and Percona Server forks based on its code.

    Notably, the vulnerabilities can be chained, giving the attacker full access to the affected system. The first vulnerability (CVE-2016-6663) allows a local DBMS user to escalate privileges. Using this problem as a foothold, it is possible to apply the second vulnerability and obtain root rights. The second vulnerability (CVE-2016-6664) stems from MySQL's unsafe handling of the error.log file. Incidentally, the September vulnerability, if it was not patched, can also be used to develop the attack.

    The vulnerabilities have already been closed in all the mentioned products. An interesting decision came from the MariaDB developers: they quickly closed the first hole (6663) and left the patch for the second for later. The argument is simple: without the "springboard", obtaining superuser rights is not possible.

    What else happened


    Patches for iTunes and the iCloud control panel for the Windows platform.

    Kaspersky Lab experts published a report on DDoS attacks for the third quarter of the year. Of note is the continued increase in the share of DDoS attacks using Linux machines (78.9%).

    Antiquities


    "Goodbye-839"

    A resident, harmless virus; it infects .COM, .EXE and OVL files in the standard way when they are loaded into memory. On Sundays it plays the tune "Goodbye America" by the rock band Nautilus Pompilius. It hooks int 1Ch, 21h.

    Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 68.



    Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on your luck.
