Huge number of sites imperiled by critical image-processing vulnerability [Updated]

By | Ars Technica

Attack code exploiting critical ImageMagick vulnerability expected within hours.

A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.

The vulnerability resides in ImageMagick, a widely used image-processing library that’s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker’s choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.

“The exploit is trivial, so we expect it to be available within hours of this post,” Huber wrote in a blog post published Tuesday. He went on to say: “We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.”

Update, May 4, 2016, 3:55: Almost 24 hours after this post went live, researchers from website security firm Sucuri published an independent analysis that concurs with Huber’s assessment. It also sheds new light on how the exploit works. They said that recent versions of ImageMagick don’t properly filter uploaded file names before passing them to server processes such as HTTPS. The omission allows attackers to execute commands of their choosing, leading to full remote command execution.

“The vulnerability is very simple to exploit,” Sucuri founder and CTO wrote in Wednesday’s post. “An attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.”

As Huber predicted, it didn’t take long for people to develop proof-of-concept exploits. At least one of them is publicly available.

ImageMagick maintainers have also acknowledged the possibility of critical vulnerabilities allowing remote code execution. They haven’t issued any patches, but they did suggest website administrators add several lines of code to configuration files to block at least some of the possible exploits. Huber has made the same recommendation and put the lines in this downloadable file. He went a step further by advising sites that use ImageMagick to also verify that all uploaded image files begin with the expected “magic bytes” corresponding to the image file types before allowing the files to be processed. Admins should consider temporarily suspending image uploading in cases where these mitigations can’t immediately be put in place.

The code-execution bug was discovered by security researcher Nikolay Ermishkin, who is expected to release an advisory in the coming hours. Huber went public in an attempt to prevent malicious attacks after learning the vulnerability details were already being widely disseminated ahead of Ermishkin’s planned disclosure. The code-execution vulnerability came to light after it was used in recent bug bounty submissions.

One attack scenario would involve a social media site, blogging service, or news site that accepts image uploads from untrusted end users. An attacker could upload a file ending with png, jpg, or another supported extension, even though the contents are in a different format. Once ImageMagick detects the mismatched format, it will attempt to transform the image into an intermediate format that in some cases results in an insecure decoding path. That condition, in turn, can lead to code execution on the server.
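As an added example (not code from the article, from Huber, or from the ImageMagick project), the magic-bytes check recommended above, applied to the mismatched-extension scenario: the upload’s extension must be on an allow-list and the file’s first bytes must carry that same format’s signature, so a file named photo.png whose contents are really PostScript, or any other of ImageMagick’s 200-plus formats, is refused before ImageMagick is ever invoked. The signature table, the allow-list and the sample uploads are constructed for the example.

```python
# Added example, not from the article or from ImageMagick itself: refuse an
# upload unless its file extension is on an allow-list AND the file starts
# with the magic bytes of that same format. This is the "verify the magic
# bytes" mitigation only; it does not replace the policy.xml coder restrictions.
from pathlib import PurePosixPath

# Constructed allow-list: extension -> accepted leading signatures.
# .jpeg is folded into .jpg so the two spellings compare equal.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {".jpeg": ".jpg"}
HEADER_LEN = max(len(sig) for sigs in MAGIC.values() for sig in sigs)


class UploadRejected(ValueError):
    """Raised when an upload fails the name/content consistency check."""


def detect_format(data: bytes):
    """Return the allow-listed extension whose signature opens `data`, else None."""
    head = data[:HEADER_LEN]
    for ext, sigs in MAGIC.items():
        if any(head.startswith(sig) for sig in sigs):
            return ext
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension if name and content agree; raise otherwise.

    Both directions are checked: an unknown extension is rejected even if the
    bytes look like a PNG, and a known extension is rejected if the bytes
    belong to a different format or to no allow-listed format at all.
    """
    ext = PurePosixPath(filename).suffix.lower()
    ext = ALIASES.get(ext, ext)
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    found = detect_format(data)
    if found is None:
        raise UploadRejected("content does not start with an allowed image signature")
    if found != ext:
        raise UploadRejected(f"name says {ext} but content is {found}")
    return ext


def is_acceptable(filename: str, data: bytes) -> bool:
    """Boolean gate for callers that decide whether to hand the file to ImageMagick."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample uploads: only the leading bytes matter for this check.
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # genuine PNG header
        "scan.JPEG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,      # JPEG/JFIF header
        "anim.gif": b"GIF89a" + b"\x00" * 16,
        "evil.png": b"%!PS-Adobe-3.0\n" + b"\x00" * 16,       # PostScript named as PNG
        "doc.ps": b"%!PS-Adobe-3.0\n" + b"\x00" * 16,         # honest name, not allowed
        "empty.jpg": b"",
    }
    for name, blob in samples.items():
        print(f"{name:10s} -> {'accept' if is_acceptable(name, blob) else 'reject'}")
```

Run on the constructed samples, only photo.png, scan.JPEG and anim.gif are accepted; the mislabelled PostScript file, the honestly named .ps file and the empty file are all refused.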

Huber said that the mitigations he recommended are effective against all of the exploit samples he has seen, but he went on to say there’s no guarantee the measures will eliminate all types of attack. Until the full scope of the vulnerability is disclosed, people using ImageMagick should assume that the mitigations are incomplete. That means admins should monitor this vulnerability closely and be ready to put additional defenses in place. Another option is either to sanitize images before they’re processed by ImageMagick or disable all formats except the ones needed.

The threat at least in part stems from ImageMagick supporting more than 200 different formats, including nroff (man pages) and PostScript. In the longer term, admins should consider switching to GraphicsMagick, an ImageMagick fork that supports a much smaller number of file types. Update: About 40 minutes after this post went live, security researcher Dan Tentler said he has developed a working proof-of-concept exploit.

Critical WPS vulnerability discovered in Bell Canada Home Hub routers

By | Neowin

In recent years, Wi-Fi has gained attention mainly due to the increased speeds afforded by the 802.11n and 802.11ac specifications. This has seen a flurry of new hardware hit the market enticing owners of older 802.11a/b/g hardware to upgrade to the latest and greatest kit.

However, Wi-Fi has seen numerous security setbacks throughout its lifetime. WEP encryption, deployed as part of the earlier Wi-Fi standards, was later found to be less secure than thought. This prompted the development of WPA with TKIP encryption as an interim measure until a more robust solution could be ratified. Ultimately, WEP ended up being easily cracked in under sixty seconds with the right tools. TKIP was deprecated from the 2012 revision of the 802.11 standard as it was no longer considered to be secure.

As such, the standing recommendation for any new Wi-Fi network has been to use WPA2+AES to ensure maximum security against attacks of any nature.

Unfortunately, it seems as though owners of the Bell Canada Home Hub 1000 and 2000 series routers may be in for a rude surprise. According to an anonymous user on DSL Reports and SergeantAlPowell on Reddit, a vulnerability in WPS (Wi-Fi Protected Setup) has been discovered that can compromise networks that have been secured with WPA2+AES.

Despite WPS being disabled, it seems that these Home Hub routers continued to respond to WPS requests. Furthermore, a default PIN of “12345670” coaxed these routers into supplying the passphrase that could be used to connect to the corresponding Wi-Fi network.

It seems that Bell has released a patch for the vulnerability in the form of a silent update for these affected devices. However, Bell Canada has not officially acknowledged the existence of the security issue or its rectification in the firmware version history.

Source: Reddit | DSL Reports

Microsoft rolls out emergency fix for critical flaw affecting all versions of Internet Explorer

Microsoft has issued an emergency update to patch a critical vulnerability that affects all supported versions of Internet Explorer. If you haven’t already installed the fix, it’s recommended that you do so ASAP as hackers are said to be actively exploiting it. Here’s everything you need to know.

Security bulletin MS15-093 pertains to a remote code execution flaw found in all supported versions of Internet Explorer (IE7 and newer; Microsoft’s Edge browser for Windows 10 isn’t at risk), including 32- and 64-bit variants.

Specifically, the vulnerability deals with improperly accessing objects in memory which could subsequently corrupt memory in a manner that allows an attacker to run code remotely. Said hacker could also gain the same user rights as the current user. As such, those with full admin rights are at a greater risk than users with restricted access.

Microsoft says an Internet Explorer user visiting a specially crafted website designed to exploit the flaw could become victimized. What’s more, attackers don’t need their own site as the bug can be exploited over ad networks used on legitimate sites. Getting users to a compromised or crafted page is actually easier than it sounds as a phishing attempt via e-mail would certainly do the trick.

Again, Microsoft notes that the vulnerability is being actively exploited although it didn’t provide any further details on the matter. Users can grab the patch via Windows Update or obtain the standalone fix via the Microsoft Download Center.

via Microsoft rolls out emergency fix for critical flaw affecting all versions of Internet Explorer – TechSpot.

Attackers actively exploit Windows bug that uses USB sticks to infect PCs

Attackers are actively exploiting a vulnerability in all supported versions of Windows that allows them to execute malicious code when targets mount a booby-trapped USB on their computers, Microsoft warned Tuesday in a regularly scheduled bulletin that patches the flaw.

In Tuesday’s bulletin, Microsoft officials wrote:

An elevation of privilege vulnerability exists when the Mount Manager component improperly processes symbolic links. An attacker who successfully exploited this vulnerability could write a malicious binary to disk and execute it.

To exploit the vulnerability, an attacker would have to insert a malicious USB device into a target system. The security update addresses this vulnerability by removing the vulnerable code from the component.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had reason to believe that this vulnerability had been used in targeted attacks against customers.

The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time a user interacted with a malicious drive.

When Microsoft patched the .LNK vulnerability in 2010 with MS10-046, company officials classified the vulnerability as “critical,” the company’s highest severity rating. The classification seemed appropriate, considering the success of the .LNK exploits in infecting large numbers of air-gapped computers. For reasons that aren’t clear, Tuesday’s vulnerability has been rated “important,” Microsoft’s second-highest severity rating. Update: As Virus Bulletin researcher Martijn Grooten pointed out, the .LNK vulnerability was remotely exploitable, allowing it to infect millions of people. By contrast, the bug patched Tuesday appears to require a USB stick, a requirement that would greatly limit the scale of attacks. That’s the likely reason for the lower severity rating.

In addition to fixing the bug, Microsoft is also releasing software that allows patched computers to log attempts to exploit the bug. That will make it easier for people to know if they were targeted by attackers.

Separately, a word of caution: the installation of Windows language packs will require Tuesday’s patch to be reinstalled. Accordingly, before running the update, users should make sure they install any language packs they expect to need in the future.

The fix for the USB vulnerability was one of 14 patch bulletins Microsoft published on Tuesday as part of its monthly update cycle. Microsoft typically identifies by name the person or group reporting the vulnerabilities that get fixed. In this case, however, the company didn’t elaborate beyond saying notification came “through coordinated vulnerability disclosure.”

via Attackers actively exploit Windows bug that uses USB sticks to infect PCs | Ars Technica.

Adobe patches zero-day Flash Player flaw used in targeted attacks

Adobe Systems released an emergency security update for Flash Player Tuesday to fix a critical vulnerability that has been exploited by a China-based cyberespionage group.

Over the past several weeks, a hacker group identified as APT3 by security firm FireEye has used the vulnerability to attack organizations from the aerospace, defense, construction, engineering, technology, telecommunications and transportation industries.

The hacking group targeted the companies with generic phishing emails that contained a link to a compromised server, researchers from FireEye said in a blog post Tuesday. The server used JavaScript code to profile potential victims and then served the Flash exploit to the ones meeting attackers’ criteria, the company said.

The attackers use the exploit to install a backdoor known as SHOTPUT or CookieCutter and then move through the organization’s network, using other techniques and exploits to compromise additional systems.

In order to be protected against this vulnerability, which is tracked as CVE-2015-3113, Adobe advises users to update to the newly released Flash Player versions: 18.0.0.194 for Windows and Mac, 11.2.202.468 for Linux, and 13.0.0.296 for the extended support release.

The Flash Player plug-in that’s installed by default with Google Chrome and Internet Explorer on Windows 8.x will be automatically updated. Flash Player users on Windows or Mac who have selected “allow Adobe to install updates” will also get the update automatically.

APT3 is a sophisticated group known for using other zero-day browser-based exploits in the past for Internet Explorer, Firefox and Flash Player, according to FireEye. The group also uses custom backdoors and often changes command-and-control infrastructure, making it hard for researchers to track its activity.

via Adobe patches zero-day Flash Player flaw used in targeted attacks | PCWorld.

Venom vulnerability more dangerous than Heartbleed, targets most virtual machines

Researchers have uncovered a new bug that’s much more dangerous than last year’s Heartbleed vulnerability. Venom, short for Virtualized Environment Neglected Operations Manipulation, could allow an attacker to infiltrate a datacenter and take over its entire network.

As ZDNet notes, most datacenters use virtual machines to segregate customers, allowing the admins to run multiple instances on a single server. The virtual machines all share resources but operate as separate entities in the host hypervisor, which is responsible for powering the virtual machines.

Venom allows a bad actor to escape their own virtual machine and access others on the network.

Discovered by Jason Geffner from security firm CrowdStrike, the zero-day vulnerability dates back to 2004 and is caused by a legacy floppy disk controller that, when sent a specific string of code, can crash the hypervisor.

A number of modern virtualization platforms such as KVM, VirtualBox and Xen are all vulnerable. Datacenters running Bochs hypervisors, Microsoft Hyper-V and VMware are safe. Geffner told the publication in a phone interview that millions of virtual machines are using one of the vulnerable platforms.

How bad is it compared to Heartbleed?

The security researcher said Heartbleed lets a hacker look through a window of a house and gather information based on what they see. Continuing the analogy, he added that Venom allows a bad actor to break into a house then subsequently do the same to every other house in the neighborhood.

Dan Kaminsky, a well-known security researcher, said the bug went unnoticed for so long simply because hardly anyone bothered to look at the legacy disk drive system.

The good news is that because the flaw was found in-house at CrowdStrike, there’s no publicly known code to exploit it, which will give companies some lead time in resolving the bug and issuing patches.

via Venom vulnerability more dangerous than Heartbleed, targets most virtual machines – TechSpot.

Just-released WordPress 0day makes it easy to hijack millions of websites [Updated]

Our blog was not affected…NCCT

Update: About two hours after this post went live, WordPress released a critical security update that fixes the 0day vulnerability described below.

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.

Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appears by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The more serious of the two vulnerabilities is in WordPress version 4.2, because as of press time there is no patch.

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy, wrote in a blog post published Sunday evening. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

The exploit works by posting some simple JavaScript code as a comment and then adding a massive amount of text—about 66,000 characters, or more than 64 kilobytes’ worth. Once the comment is processed by someone logged in with WordPress administrator rights to the site, the malicious code will be executed with no outward indication that an attack is under way. By default, WordPress doesn’t automatically publish comments to a post unless the user has already been approved by an administrator. Attackers can work around this limitation by posting a benign comment that gets approved. By default, subsequent comments from that person will be automatically approved and published to the same post.

Here’s a video of the proof-of-concept attack in progress:

The attack is similar to one disclosed last week by researcher Cedric Van Bockhaven. That attack also embedded malicious code into comments that was executed when viewed by admins. The underlying vulnerability was fixed with last week’s release of WordPress 4.2. A swarm of WordPress plugins were also recently updated to kill XSS vulnerabilities. At the moment, there’s no fix for the most recently disclosed bug. Once a patch is available, WordPress admins should install it right away. In the meantime, they should consider disabling comments or installing a comment plugin such as Akismet to mitigate exploits.

via Just-released WordPress 0day makes it easy to hijack millions of websites [Updated] | Ars Technica.

Drupal users: Assume your site was hacked if you didn’t apply Oct. 15 patch immediately

Users of Drupal, one of the most popular content management systems, should consider their sites compromised if they didn’t immediately apply a security patch released on Oct. 15.

The unusually alarming statement was part of a “public service announcement” issued by the Drupal project’s security team Wednesday.

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection,” the Drupal security team said. “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”

The SA-CORE-2014-005 advisory, published Oct. 15, warned users about a highly critical SQL injection vulnerability that affects Drupal versions older than 7.32. Exploiting the vulnerability does not require authentication and can lead to a complete website compromise.

The reason why Drupal’s security team came out with a stronger warning and additional guidance Wednesday was because of the speed with which attackers began targeting this vulnerability and because a potential compromise can be very hard to detect.

“Attackers may have copied all data out of your site and could use it maliciously,” the Drupal security team said. “There may be no trace of the attack.”

The vulnerability also allows the installation of multiple backdoors in the site’s database, code, file directories and other locations and it’s impossible for an administrator to say with complete confidence that all of them were found. Attackers may use such backdoors to attack and compromise other services on the underlying Web server, allowing them to expand their access beyond the website itself, the Drupal security team said.

Users should try to determine whether their websites were patched by their hosting providers before the attacks began or if those providers successfully blocked all attack attempts. If that cannot be guaranteed, the best course of action, according to the Drupal team, is to take the sites offline, delete all their files and databases, restore them from backups made before Oct. 15 and then patch the sites before bringing them back online.

Users should also notify their server administrators that attackers might have compromised other sites and applications hosted on the same servers. If possible, the server should be changed completely before restoring a site. If restoring from a backup is not possible, rebuilding the site from scratch is a better alternative than attempting to clean it up, because backdoors can be extremely difficult to find, the Drupal security team said.

What can make this incident worse is that Drupal, unlike other content management systems like Joomla and WordPress, is heavily used by large organizations, said Daniel Cid, the chief technology officer of Web security firm Sucuri, in a blog post.

Unlike consumers and small businesses, large organizations have certain processes they have to follow when deploying patches and those can take time, he said.

“This is a recipe for disaster, if it’s true and those websites are in fact compromised, they could be leveraged and daisy chained for a massive malware distribution campaign,” Cid said. “Take that into consideration with the size and audience of brands and the impact grows exponentially.”

via Drupal users: Assume your site was hacked if you didn’t apply Oct. 15 patch immediately | PCWorld.

Hackers target Yahoo, compromise multiple servers using Shellshock bug

Shellshock has claimed another victim as Yahoo recently revealed that three of its servers were compromised over the weekend by hackers that managed to exploit the vulnerability.

In a statement issued to Bloomberg via e-mail, Yahoo spokesperson Elisa Shyu said the company began patching its systems as soon as it became aware of the issue and has been closely monitoring its network. Yahoo isolated a handful of servers that were impacted and at this time, Shyu added, there is no evidence of a compromise of user data.

Security researcher Jonathan Hall was the first to report the breach, the details of which can be found in this lengthy post over at Future South Technologies. To summarize, Hall claims Romanian hackers trying to build a large botnet are responsible for the attack. In addition to Yahoo, he also found evidence of an attack on utility software developer WinZip.

The security flaw, first disclosed publicly on September 24, poses an even bigger threat than the Heartbleed bug from earlier in the year, as it allows a bad actor to potentially gain complete control over a target system.

Security firm Incapsula estimates that there were nearly a billion attempts to use the bug and its own web application firewall dealt with more than 217,000 exploit attempts in the week following the bug’s disclosure.

There are likely thousands of Shellshock victims at this point although Yahoo is by far the biggest (that we know about).

via Hackers target Yahoo, compromise multiple servers using Shellshock bug – TechSpot.

Researchers uncover fundamental USB security flaw, no fix in sight

A pair of security researchers from SR Labs have uncovered a fundamental flaw in the way USB devices work. It affects every single USB device out there and worse yet, there’s no line of defense short of prohibiting USB stick sharing or filling your USB ports with superglue.

The flaw that security researchers Karsten Nohl and Jakob Lell plan to present next week at the Black Hat security conference in Las Vegas runs deeper than simply loading a USB drive with malware. Instead, it’s built into the core of how the technology works.

After spending several months reverse engineering the firmware that handles the basic communications functions of USB devices, they were able to reprogram the firmware to hide malicious code. This firmware is present on every USB device within the controller chip – the component that facilitates communication between the USB device and the computer it’s plugged in to.

By loading malicious code on the firmware, it’s essentially hidden from sight. Anti-virus scanners can’t pick it up and formatting won’t help, either.

To prove their point, the team created a piece of malware called BadUSB that can be used to completely take over a PC, alter files invisibly and even redirect a user’s Internet traffic.

And just to be clear, we aren’t talking about just USB flash drives but any device that connects via USB: keyboards, mice, smartphones, tablets, you name it. Worst yet, it’s nearly impossible to determine if a device has been tampered with. The researchers say there isn’t even any trusted USB firmware to compare code against.

Matt Blaze, a computer science professor at the University of Pennsylvania, speculates the attack may already be common practice for the NSA. He points to a spying device called Cottonmouth that was mentioned in one of Edward Snowden’s many leaks. Exact details of the device weren’t mentioned but the leak claimed the tool hid in a USB peripheral plug.

via Researchers uncover fundamental USB security flaw, no fix in sight – TechSpot.