Security Week 40: a non-vulnerability in WinRAR, a veteran bug in Firefox, a Microsoft update
I wonder what will happen once all information security problems are solved. Will our news site Threatpost.ru be repurposed as a digest of kitten photos? Will such a bright future ever arrive? It will, if you assume that the IT industry is simply growing too fast and is still getting over its "childhood" diseases, and that once they are cured, all will be well. I believe that sometime in the future, the approach to digital security will change dramatically. But do not forget that the Internet is a model of the real world, and it has everything: lone geniuses building the next Google in a garage, large companies with their own interests, ordinary people, and, finally, those who are ready to profit at their expense. Life can be made significantly harder for cybercriminals, but can they be eliminated altogether?
An unusual event led me to these thoughts: one of the most-read news items of the past week (about a bug in Firefox) has nothing to do with security at all. Well, almost nothing. Nevertheless, the Threatpost audience's interest in it was at its highest (the editors should definitely give kittens a try!). The second news item is about a vulnerability that is not actually there. The third is about a Microsoft update that did nothing and disappeared. In short, nothing happened this week. If so, let's talk about the difference between real threats and theoretical ones. The usual rules: every week the editors of the Threatpost news site select the three most significant news items, to which I add an extended and merciless commentary. All episodes of the series can be found here.
(Pseudo) Zero Day Vulnerability in WinRAR Self-Extracting Archives
News. Research. RARLAB's reaction.
Mohammed Reza Espargham, an Iranian researcher, discovered a vulnerability in WinRAR: not in the program itself, but in the self-extracting archives that can be created with it. At first glance it looks serious. Using a "feature" of the archiver, you can arrange for arbitrary HTML code to be executed when the user tries to unpack the archive, which makes it possible to download anything from the network and do whatever you want. The contents of the archive itself can be harmless. The vulnerable function displays text on the screen during unpacking and, as it turned out, accepts and processes HTML.
The creators of WinRAR disagree, and to understand their position it is enough to simplify the description of the vulnerability to: "something bad can happen to a user who downloads some shady executable from the Internet and runs it." Did I miss anything? It is the fundamental and incurable vulnerability of computers: they execute ALL the code that is run on them. As proof, WinRAR cites another proof of concept: a self-extracting archive can be configured to launch its contents automatically, without asking the user. Fatality!
And here are the cats!
Both sides are right in their own way. It is precisely the non-standard use of standard tools that can punch a serious hole in a defense. An encryption program can be used to encrypt data for security, or to demand a ransom from the victims of a cryptolocker. All in all, the danger level is pear with shades of chartreuse.
But there is one more point. WinRAR is indeed a very common program and, unlike other software from the "standard set", it does not require constant updates. This is not a browser, you know, where there is something new every month. It just works. Two years ago we published a study showing how users update vulnerable software. They update, let's say, not very quickly: for example, at that time it took 7 weeks for at least 30% of users to switch to the new version of Java. A critical vulnerability in WinRAR 3.71 and earlier was also included in the study. We did not investigate its prevalence in detail, since nobody was really exploiting it, but we looked at the update data and were horrified: five years after the hole was discovered, the vulnerable version of WinRAR was still installed on tens of thousands of computers, and nobody even intended to update it. Well, and why would they? Besides, the archiver has no auto-update mechanism. As long as there are Java, Flash and browsers, cybercriminals cannot be bothered to spend time hacking such programs. But what if the usual targets become harder to break?
Incredible Adventures of an Empty Windows Update
News update. Discussion on the Microsoft forum, with details.
On September 30, without declaring war, the Windows update system began speaking to users in gibberish.
Well, that is, literally. "Hello, this is an important update from the language pack category, after installing which your computer will need to # # ^ ^% @ # $ R @% @% @ # $ pysch # @% # @% # ^ @ ^ $ @ ^ press." The few users who actually look at what arrives through Windows Update sounded the alarm: some garbage appeared, tried to install, failed, and then immediately disappeared! It was later discovered that a similar (well, at least similar-looking) failure had also occurred on August 20.
Screenshot from the discussion on the Microsoft website.
Later, a company representative confirmed that the update was a test and had been sent to users by mistake. So you can, so to speak, relax and calm down. Was there cause for alarm? In fact, there was: a compromise of the Windows update system could bring about an apocalypse on the network that Hollywood never dreamed of. Take arbitrary code, send it to millions of users and install it without their knowledge... Fortunately, this is unlikely: encryption, digital signatures. In one of the previous installments, I discussed a particular example of an unlikely WSUS hack, which shows well that it is almost impossible to smash this system completely to pieces.
More precisely, we all very much hope that this is so.
Firefox closes a 14-year-old memory-eating bug
News. The post by the developer of Adblock Plus, the main victim of the bug. The bug itself. News about the really important fixes in the Firefox 41 release.
The main point in brief: the Firefox browser eats a lot of memory. With the release of Firefox 41, it has curbed its appetite if you have the Adblock Plus extension installed. The problem is that the ad-blocking extension and the browser itself did not interact correctly: when handling the method of hiding ads with CSS styles, the browser reserved large amounts of memory, in some cases up to 2 gigabytes.
The original bug was opened on April 27, 2001, and was found in prerelease version 0.9.3. Around the same time, the first Mac OS X, Windows XP and the very first iPod were released, and the SATA and USB 2.0 interfaces were introduced. And most importantly, the V.92 modem protocol appeared, and Microsoft killed Clippy (pictured right). An eventful year it was!
All in all, the bug is unpleasant but harmless. I suspect that for ten of those fourteen years, the Firefox and Adblock developers were figuring out whose side the problem was on. But really serious vulnerabilities in software get fixed quickly, right? No. While looking for ancient bugs, I came across this one: in Red Hat distributions (and not only in them), the authenticity of the software being installed is not checked during an upgrade or installation, which theoretically makes it possible to gain control over the system if it was installed or updated from an infected mirror. The bug was opened on January 30, 1999! Back then, in fact, it was not about mirrors but about malicious floppy disks. It was closed (and not everyone believes it is closed for good) in August 2014.
Well, okay, this bug, like the WinRAR SFX "vulnerability" described above, is not really a bug at all but an observation of the "if you put a laptop in a fire, it will burn" kind. And it is not so much that it was fixed; rather, the bug tracker was used to hold a leisurely 15-year discussion about certain aspects of security in (any version of) Linux. Is this bug proof of a failure of Linux security? Of course not.
Let me go even further and suggest that quickly closing all vulnerabilities does not, by itself, increase security. Here, for example, they write that software developers spend on average 100-120 days developing patches. One would like it to be faster, but does this mean that every unpatched hole will necessarily be exploited? Again, no. There are so many types of attacks and potential vulnerabilities that an attempt to analyze everything at once produces white noise.
Once upon a time there was a threat indicator on the Lab's website: it let you assess how things stood with security for everyone at once. Over time, it turned into an analogue of the "Doomsday Clock": it made an impression but no longer reflected the objective picture, and it was removed. The danger level is now different for each person and company: it depends on how easy it is to hack you, on the value of the data that can be obtained, and on how seriously you take the protection of that data.
What else happened:
Actually, there is a lot of news, although all of it is fairly routine.
Another vulnerability was discovered in the Stagefright library in Android. While the previous one was exploited via MMS, the new one allows arbitrary code to be executed after a prepared page is opened in the browser; this time the problem lies in the library's processing of media file (audio or video) metadata.
101 bugs were fixed in Mac OS X with the release of the new version, El Capitan. In addition, iOS 9.0.2 closed yet another way to bypass the lock screen, this time using Siri (Hey Siri, DROP TABLE).
TrueCrypt was searched for backdoors for a very long time (I wrote about this in more detail in the results of 2014), and none were found; what was found instead is a vulnerability, which likewise does not allow the encrypted data to be decrypted. Instead, an installed TrueCrypt can be used to remotely elevate privileges. Fixed in the TrueCrypt spin-off called VeraCrypt.
Mobile phones can be used for DDoS. In one particular case, it is suspected that a banner with JavaScript that "knocked" on the victim's website was pushed through an advertising network. Interestingly, such an attack can cost literally three pennies. And although DDoS protection will fend it off, sites without it are now much more likely to get hit.
Antiquities:
"Bebe"
A non-resident dangerous virus. It infects .COM files in the current directory. It increases the file size to a multiple of a paragraph, copies itself to the end of the file and changes the first 14 bytes (PUSH AX; ...; JMP FAR Loc_Virus). It is non-resident but creates a resident program: it copies part of its body into the interrupt vector table at address 0000:01CE and points interrupt 1Ch (timer) at it. After a while, the following message appears:
VIRUS!
Skagi "bebe">
After "bebe" is typed on the keyboard, the virus replies "Fig Tebe!". The virus's vocabulary lets one determine its origin quite accurately. It contains an error: it does not restore the DTA, which may cause the computer to freeze. Another error: it does not take into account the instruction pipeline of Intel 80x86 processors and modifies the instruction immediately following the current one, as a result of which it works only on older IBM PC models. In addition to the text listed above, it contains the string "*.COM".
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 60.
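The traits listed in the excerpt can be turned into a triage heuristic for .COM files, shown here as an added example that is not code from the book or from the column's author. The position of the JMP FAR opcode inside the 14-byte stub, the function names and the byte samples are assumptions constructed for illustration.

```python
"""Triage heuristic for the "Bebe" .COM infector, derived from the excerpt above.

Added example. Offsets marked ASSUMPTION are not stated in the excerpt.
"""

PUSH_AX = 0x50         # 8086 opcode: PUSH AX (first instruction of the stub)
JMP_FAR = 0xEA         # 8086 opcode: JMP FAR ptr16:16, 5 bytes in total
STUB_LEN = 14          # the excerpt: the first 14 bytes of the host are changed
# ASSUMPTION: JMP FAR is the last instruction of the stub, which puts its
# opcode at offset 14 - 5 = 9. The excerpt elides the bytes in between.
JMP_FAR_OFFSET = STUB_LEN - 5
MAX_COM_SIZE = 0xFF00  # a .COM image must fit in one 64 KiB segment after the PSP
# Strings the excerpt says the body contains (matched case-insensitively).
MARKERS = (b"VIRUS!", b"FIG TEBE!", b"*.COM")


def stub_matches(data):
    """True if the file starts with PUSH AX and has JMP FAR where assumed."""
    return (len(data) > STUB_LEN
            and data[0] == PUSH_AX
            and data[JMP_FAR_OFFSET] == JMP_FAR)


def marker_hits(data):
    """Return the marker strings present anywhere in the file."""
    upper = data.upper()
    return [m.decode("ascii") for m in MARKERS if m in upper]


def triage(data):
    """Combine both signals; strings alone are not enough (a text file that
    quotes the virus messages would match them)."""
    hits = marker_hits(data)
    stub = stub_matches(data)
    return {
        "plausible_com": 0 < len(data) <= MAX_COM_SIZE,
        "stub": stub,
        "markers": hits,
        "suspicious": stub and len(hits) >= 2,
    }


def constructed_samples():
    """Inert byte strings built for this example; none is real virus code."""
    nop = b"\x90"
    clean = bytes([0xB4, 0x4C, 0xCD, 0x21]) + nop * 28      # MOV AH,4Ch / INT 21h
    stub = bytes([PUSH_AX]) + nop * 8 + bytes([JMP_FAR, 0, 0, 0, 0])
    host = stub + nop * 18                                  # 32 bytes, paragraph-aligned
    marked = host + b"\x00" * 16 + b"VIRUS!\r\nFig Tebe!\x00*.COM\x00"
    text_only = b"The virus prints VIRUS! and searches for *.COM files."
    return {"clean": clean, "marked": marked, "text_only": text_only}


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage(blob))
```

A hit is only a reason to look closer: the stub check rests on the assumed opcode offset, and an infected file's real layout may differ.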
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It's a matter of luck.