Microsoft patches Windows ALPC flaw exploited in the wild

A Windows ALPC vulnerability that has been exploited in the wild for two weeks was finally patched by Microsoft as part of the September 2018 Patch Tuesday release.

The Windows Advanced Local Procedure Call (ALPC) flaw was disclosed with proof-of-concept exploit code on Aug. 27, 2018, by Twitter user SandboxEscaper. The vulnerability affects the Windows Task Scheduler and can allow an attacker to obtain elevated system privileges.

Microsoft noted the issue would require an attacker to log on to the target system. The vendor labeled the Windows ALPC flaw (CVE-2018-8440) as “important,” but not “critical,” in its Patch Tuesday advisory, despite the vulnerability being actively exploited in the wild.

On Sept. 5, Matthieu Faou, malware researcher for ESET, based in Bratislava, Slovakia, first reported seeing a group called PowerPool exploiting the Windows ALPC vulnerability in the wild over the previous week. Faou noted the group did not reuse the proof of concept released by SandboxEscaper and instead modified it slightly.

Allan Liska, threat intelligence analyst at Recorded Future in Somerville, Mass., said this meant PowerPool added the exploit to their arsenal of tools within 48 hours of the exploit being published on Twitter. But it is still unclear how widespread the attacks have been.

“The challenge is that PowerPool is a relatively new group, and they don’t have a large footprint in terms of exploitation — at least as far as we can tell. So, there isn’t a good way to gauge the extent of the damage,” Liska said via email. “As far as Microsoft’s decision, even though the vulnerability was being exploited in the wild, because it is not a remote access vulnerability, nor a critical one, Microsoft probably made the correct decision not releasing an out-of-band patch.”

Although Microsoft chose not to release an out-of-band patch for the Windows ALPC flaw, a third-party patch from micropatching vendor 0patch was released on Aug. 30. Mitja Kolsek, co-founder of 0patch, noted in a blog post that the patch they released was “functionally identical” to the patch released by Microsoft.

Chris Goettl, director of security product management at Ivanti, based in South Jordan, Utah, said consistency is key with update cycles to help plan maintenance. But “on the flip side, security researchers and threat actors do not have set schedules.”

“An exploit can be developed and be released at any time and cannot be planned for. If a researcher finds a threat and the threat is considerable, there should be some urgency put around getting a resolution in place,” Goettl said via email. “In this case, it seems it should have been reasonable to keep this update in the normal update cycle. If it would have been remotely exploitable without authentication and in a protocol like SMB — think Eternal family of exploits — or something of a similar more dire nature, it would have warranted an out-of-band release.”

Intel disclosed Spectre-like L1TF vulnerabilities

A new set of Spectre-like flaws that can, theoretically, be exploited to steal sensitive information was discovered in Intel products.

Two separate teams of researchers discovered the new vulnerabilities within a few weeks of each other in January and reported them to Intel. Intel was then able to identify two closely related variants and disclosed them publicly this week, calling them L1 Terminal Fault (L1TF) vulnerabilities.

The three varieties of the L1TF vulnerabilities include CVE-2018-3615, which affects Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which affects operating systems and System Management Mode memory; and CVE-2018-3646, which affects hypervisors and virtual machines.

The flaw affecting Intel SGX — the Foreshadow vulnerability — has caused more of an uproar than the others. Since the discovery of the Meltdown and Spectre vulnerabilities in January, Intel SGX had mostly remained untouched. While Meltdown and Spectre targeted program instructions, Foreshadow targets program data.

As a speculative execution side-channel vulnerability, Foreshadow can enable an attacker to “steal sensitive information stored inside personal computers and third-party clouds,” according to the researchers who discovered the flaws.

In a blog post about the L1TF vulnerabilities, Google explained that in order to exploit Foreshadow, an attacker would need “control of hardware resources that are accessible only with operating system level control of the underlying physical or virtual processors.” The vendor noted that unpatched operating systems could also allow for exploitation.

“Defending against this method of attack is particularly challenging for virtualized environments, as a virtual machine exposes the state necessary to construct an attack,” Google explained. “Specifically, an attacker could intentionally configure their own page tables to direct these faults and probe the cache of the core on which they are currently executing.”

Intel has already released mitigations for the L1TF vulnerabilities and said the new patches work best in conjunction with the microcode updates the company released earlier this year in response to the Meltdown and Spectre vulnerabilities.

“When coupled with corresponding updates to operating system and hypervisor software released starting today by our industry partners and the open source community, these updates help ensure that consumers, IT professionals and cloud service providers have access to the protections they need,” Intel’s executive vice president and general manager of product assurance and security, Leslie Culbertson, said. “Once systems are updated, we expect the risk to consumer and enterprise users running non-virtualized operating systems will be low.”

In other news:

  • President Donald Trump has reversed an Obama-era memorandum on how and when the U.S. government can use cyberattacks against adversaries, according to The Wall Street Journal. Trump signed an order to undo Presidential Policy Directive 20, which outlined a complex interagency process that had to be followed before the government could target a cyberattack at foreign adversaries. Presidential Policy Directive 20 was signed by then-President Barack Obama in 2012. Trump has yet to issue a replacement for the memorandum, though The Wall Street Journal reported “a number of current U.S. officials confirmed the directive had been replaced, but declined to comment further,” because it’s classified.
  • August’s Patch Tuesday brought five Flash patches from Adobe and 17 updates from Microsoft to fix at least 60 vulnerabilities — including two actively exploited zero-day vulnerabilities. The first zero-day flaw Microsoft patched was a critical vulnerability in Internet Explorer that was used to target users with malware. The other zero-day was a vulnerability in the Windows 10 shell that would enable an attacker to run code remotely. Microsoft also patched the Foreshadow vulnerability. Another 23 patches were for critical flaws in Internet Explorer, Edge and Chakra scripting. Adobe addressed the Flash vulnerabilities with a new version of Flash Player for macOS, Chrome and Linux.
  • The NIST Small Business Cybersecurity Act — formerly called the MAIN STREET Cybersecurity Act — became law this week. The law requires the National Institute of Standards and Technology to provide informational resources to small businesses to help them with cybersecurity. The law is the result of a bipartisan effort from U.S. Sens. Brian Schatz (D-Hawaii) and James Risch (R-Idaho), co-sponsored by Sens. John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.). The resources NIST provides must be applicable to a wide variety of small businesses, vary based on the size of the company and the sensitivity of the data it handles, include basic ways to promote a cybersecurity-aware environment, include case studies, be technology- and vendor-neutral, and be based on international standards as much as possible.

Adobe zero-day fix precedes June Patch Tuesday

An Adobe zero-day vulnerability in Flash Player that was actively exploited stirred up excitement for admins in the week leading up to June Patch Tuesday.

Adobe released a fix for the zero-day (CVE-2018-5002) and three other vulnerabilities for the Windows client operating system on June 7.

The zero-day exploit was delivered through Excel documents sent via email. Opening one of these malicious Excel attachments on an unpatched system could allow arbitrary code execution in the context of the affected user account.

After the Adobe zero-day issue, the patching workload for administrators is lighter than usual for June Patch Tuesday, with about 50 unique vulnerabilities to correct — including 11 rated critical.

“Our recommendation is the Flash patch — if it already hasn’t been pushed out, [give that] high priority,” said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.

June Patch Tuesday closes about 50 vulnerabilities

Microsoft released an update for the only publicly disclosed vulnerability (CVE-2018-8267) for June Patch Tuesday, which affects the Microsoft scripting engine on all supported versions of Internet Explorer. Attackers can exploit this flaw through a compromised website, or through user-contributed ads or content, to take control of the target machine.

On an unpatched system, attackers could execute arbitrary code with the privileges of the compromised user. Organizations that follow least-privilege rules, restricting day-to-day accounts from running with full administrative permissions, will reduce the damage from a breach.

Microsoft’s June Patch Tuesday fixes also closed a remote code execution vulnerability (CVE-2018-8225) that affects all supported versions of Windows. This vulnerability could allow an attacker to compromise systems through a domain name system (DNS) server.

“That would be higher risk for mobile workstations, where it’s likely the system will be accessing an untrusted DNS server through public Wi-Fi,” said Jimmy Graham, director of product management at Qualys, based in Redwood City, Calif.

A memory corruption vulnerability (CVE-2018-8229) in the Edge browser’s Chakra scripting engine would let an attacker exploit an unpatched system through specially crafted websites or user-provided content. The effects depend on the level of privilege on the system.

Spectre vulnerabilities continue

Just when it seemed the Meltdown and Spectre vulnerabilities were winding down, security researchers uncovered another CPU bug. The vulnerability, called Spectre variant 4, is similar to the other speculative execution side-channel vulnerabilities disclosed in January, but it is rated moderate severity.

Jann Horn, a security researcher at Google’s Project Zero, and Ken Johnson, of the Microsoft Security Response Center, discovered Spectre variant 4 (CVE-2018-3639). The vulnerability enables malicious actors to read privileged data across trust boundaries.

Microsoft released its ADV180012 advisory in January to assist administrators with mitigating the speculative execution side-channel vulnerabilities. The company continues to update the advisory, and it added further mitigation instructions to address Spectre variant 4. There are still no known active attacks exploiting Meltdown or Spectre, but administrators should install the patches and microcode updates when the CPU manufacturers release them.
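The step that follows "install the patches and microcode updates" is verifying that the mitigations are actually active, since an OS patch without the matching microcode, or a hypervisor host with SMT still enabled, can leave L1TF partially exposed. The script below is an added example, not code from the article or from Intel or Microsoft. It assumes the Linux kernel's `/sys/devices/system/cpu/vulnerabilities/` interface, where each file (`l1tf`, `spec_store_bypass`, `meltdown`, `spectre_v1`, `spectre_v2`) holds one line reading "Not affected", "Vulnerable ..." or "Mitigation: ..."; the sample values in `SAMPLE` are constructed for the demonstration, not captured from a real host.

```python
"""Summarize speculative-execution mitigation status from Linux sysfs.

Added example (not from the article). Assumes the kernel sysfs interface
under /sys/devices/system/cpu/vulnerabilities/, one status line per file.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Kernel file names for the issues discussed in the article.
WATCH = {
    "l1tf": "L1 Terminal Fault / Foreshadow (CVE-2018-3615, -3620, -3646)",
    "spec_store_bypass": "Spectre variant 4 (CVE-2018-3639)",
    "meltdown": "Meltdown",
    "spectre_v1": "Spectre variant 1",
    "spectre_v2": "Spectre variant 2",
}

# Constructed sample values (the shapes follow the kernel's documented
# wording; this is not output captured from a real machine).
SAMPLE = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
    "spec_store_bypass": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional\n",
}


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse class."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read every watched file that exists; missing files are skipped."""
    statuses = {}
    for name in WATCH:
        path = directory / name
        if path.is_file():
            statuses[name] = path.read_text()
    return statuses


def summarize(statuses: dict) -> dict:
    """Classify each entry and attach notes for partial L1TF mitigation."""
    report = {}
    for name, status in statuses.items():
        cls = classify(status)
        notes = []
        # The kernel's L1TF line says "SMT vulnerable" when the host mitigates
        # the OS variant but sibling hyperthreads can still leak guest data.
        if name == "l1tf" and cls == "mitigated" and "SMT vulnerable" in status:
            notes.append("VM host: SMT still exposed; review hypervisor guidance")
        report[name] = {"class": cls, "raw": status.strip(), "notes": notes}
    return report


def needs_action(report: dict) -> list:
    """Entries an administrator should follow up on, sorted by name."""
    return sorted(
        name for name, entry in report.items()
        if entry["class"] in ("vulnerable", "unknown") or entry["notes"]
    )


if __name__ == "__main__":
    live = read_sysfs()
    data = live if live else SAMPLE  # fall back to the constructed sample
    rep = summarize(data)
    for name, entry in rep.items():
        print(f"{name:18} {entry['class']:13} {entry['raw']}")
        for note in entry["notes"]:
            print(f"{'':18} note: {note}")
    print("needs action:", ", ".join(needs_action(rep)) or "none")
```

Run as-is it reports on the constructed sample; on a Linux host it reads the live sysfs files instead. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which reports whether the OS and hardware support for each mitigation are present and enabled.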

For more information about the remaining security bulletins for June Patch Tuesday, visit Microsoft’s Security Update Guide.