ACROS Security Blog
Author: Mitja Kolsek
Feed last updated: 2024-02-06

Bridging the "Security Update Gap" With 0patch
Vulnerability Patches Can be Really Small and Easy to Apply
Published 2016-01-20, updated 2016-02-26

Yesterday we tweeted a proof-of-concept actual micropatch for the "Winshock" vulnerability (CVE-2014-6321, MS14-066) in Windows schannel.dll. The patch fixes a buffer overflow vulnerability that allowed attackers to execute arbitrary code on any SSL-enabled IIS server. (Thanks to Mike Czumak, BeyondTrust and Malware Tech for their ...

0patch
Fixing The Fixing
Published 2016-01-12, updated 2016-02-26

Those of you following our work have noticed the near-silence in our public department during the last two years. The blog was static, there was no news on the web site to speak of, and googling us gave no recent hits. Sure, our customers know we were as busy as ever under the blanket of serial NDAs, but what was going on in our "free" time?

One word: 0patch. We were building ...

Winning An Online Lottery In Just 6 Tries
A Case Study of Logical Error in Online Gambling
Published 2013-06-06

Gambling is one of the most profitable business models in the online world. There is no shortage of online betting houses, and many state lotteries are setting up their own online equivalents to compete with commercial alternatives (if they fail to regulate them off the market, that is, but that's not today's topic). Let's take a look at a ...

User-in-the-Middle
Published 2012-05-03

Just a quick description of what we think may (or may not) become an important attack technique in the future:

User-in-the-Middle (UITM) - A technique where an attacker hides behind a legitimate user of an online service in order to avoid being traced once his/her malicious activities are detected. Applicable where user registration - providing access to said online service and its ...

Anatomy Of An Online Bank Robbery
Published 2012-05-03

This article is partly a summary of, and partly an update to, my presentation titled "How To Rob An Online Bank And Get Away With It," presented at SOURCE Boston last month and previously at DeepSec Vienna.

The subject of our dissection is an online bank robbery. Not the all-too-common attack against an online banking user, his computer and his identity, but an attack against the bank ...

Adobe Reader X (10.1.2) msiexec.exe Planting
Outside The Sandbox, But Not Terribly Critical
Published 2012-04-10, updated 2012-04-11

Adobe today issued an update for Adobe Reader X (new version is 10.1.3), which, among other issues, fixes the outside-the-sandbox msiexec.exe EXE planting vulnerability (CVE-2012-0776) I roughly demonstrated during my RSA Conference US talk last month titled "Advanced (Persistent) Binary Planting."

This article explains the ...

Downloads Folder: A Binary Planting Minefield
Browser-Aided Remote Binary Planting, Part Deux
Published 2012-02-17

This article reveals a bit of our research and provides an advance notification of a largely unknown remote exploit technique on Windows. More importantly, it provides instructions for protecting your computers from this technique while waiting for the affected software to correct its behavior.

Two weeks from now I'll be holding a presentation at ...

Should We Be Focusing On Vulnerabilities Or Exploits?
Or Maybe Both?
Published 2012-02-13

This post was inspired by a recent ZDNET article "Offensive security research community helping bad guys" and this ThreatPost interview after the Kaspersky security analyst summit, in which Adobe security chief Brad Arkin explains his (Adobe's) philosophy on addressing software vulnerabilities. The crux of this philosophy can be summarized ...

Is Your Online Bank Vulnerable To Currency Rounding Attacks?
A Hefty Discount Your Bank Never Intended To Give You
Published 2012-01-09, updated 2012-01-13

In the 12+ years of doing penetration tests against various critical environments, we've seen numerous online banking servers and found all sorts of vulnerabilities in them, including bugs that allowed users to take money from other users' accounts, make unlimited overdrafts on their own accounts, transfer negative amounts to other accounts ( ...

Google Chrome HTTPS Address Bar Spoofing
The Fixed Bounty Bug Revealed
Published 2012-01-04

Last month Google awarded our security analyst Luka Treiber a Chromium Security Reward for a high-severity vulnerability fixed in version 16 of the Chrome web browser. Due to Chrome's automatic update mechanism we expect most browsers to be updated by now, which seems to be supported by StatCounter's Global Stats for January 2012, where Chrome 16 is the only ...

Google Chrome pkcs11.txt File Planting
A Vuln, Or Not A Vuln, That Is The Question
Published 2011-10-20, updated 2011-10-27

[Update 10/27/2011: Chrome 15, released two days ago, makes this bug even harder to exploit as its phishing and malware protection (enabled by default in Chrome's Under the Hood options) now sends an HTTPS request to one of its servers immediately upon startup. Therefore, in addition to not having Google as the search engine and not having visited ...

More Misconceptions About Binary Planting
Published 2011-09-26

Last year, soon after revealing our binary planting research project, we published a blog post clearing up five frequently-appearing misconceptions at that time. Over a year (and about a hundred publicly fixed binary planting bugs in all sorts of software products) later, we're noticing a different set of misconceptions in public forums and on mailing lists. While we made our best effort to ...

Microsoft's Binary Planting Clean-Up Mission
Slow, But Moving In The Right Direction
Published 2011-09-15

Since our presentation of COM server-based binary planting exploits at the Hack in the Box conference in May this year, Microsoft has introduced a number of relevant changes to Windows and Internet Explorer. To refresh our memory: in Windows, so-called "special folders" (e.g., Control Panel or My Computer) are implemented as in-process COM servers ...

Binary Planting Goes "Any File Type"
File Planting: A Sample From Our Security Research
Published 2011-07-08

It's been almost a year since we revealed our Binary Planting research project, which identified 520+ remote execution vulnerabilities in almost all Windows applications. During this period, hundreds of binary planting vulnerabilities have been publicly reported and some have actually been fixed.

While some in the security community still seem ...

COM Server-Based Binary Planting Proof Of Concept
Published 2011-06-02, updated 2011-09-19

[Update September 19, 2011: Windows update MS11-071 breaks this proof of concept by removing the deskpan.dll registry reference. It thus no longer works but can still be used as a learning reference.]

For educational purposes we decided to publish a proof of concept (PoC) for the COM Server-Based Binary Planting attacks described in our previous post. We prepared both online and offline ...

The Anatomy of COM Server-Based Binary Planting Exploits
Published 2011-05-24, updated 2011-06-02

[May 6, 2011 update: we published a proof of concept for this vulnerability.]

Last week at the Hack In The Box conference in Amsterdam we presented some techniques for advanced exploitation of binary planting bugs. The stage was set by our previous blog post, where we described how unsafely registered COM server DLLs, as well as safely registered COM server DLLs that make unsafe binary ...

"Binary Planting" vs. "DLL Hijacking" vs. "Insecure Library Loading"
Binary Planting's Multiple Identities
Published 2011-05-10, updated 2011-09-16

When a new thing occurs or is invented, or when a previously obscure thing becomes popular, a need emerges to give it a name so we can talk and write about it. It was no different with binary planting, DLL hijacking, DLL preloading, insecure library loading, DLL load hijacking and DLL spoofing. Except that, unfortunately, these different ...

Silently Pwning Protected-Mode IE9 and Innocent Windows Applications
Binary Planting Through COM Servers
Published 2011-05-06, updated 2011-05-24

This blog post sets the stage for our Hack in the Box presentation in Amsterdam on May 19.

[Update: Find the continuation of this blog post here.]

Those familiar with Windows COM servers know that they come in two types, in-process and out-of-process. For this post, the former type is of interest: an in-process COM server is a dynamic link library (DLL) ...

Microsoft Patches Binary Planting Issues In Various Vendors' Products
That is, after making them vulnerable in the first place
Published 2011-04-13

Last October our company reported that Microsoft Visual Studio 2010 and 2008 (we didn't test 2005) injected an easily exploitable binary planting vulnerability into every MFC (Microsoft Foundation Class) application built with these development environments - and also into any other application using the Visual C++ redistributable ...

How To Secure a Security Product
And Whose Bug Is It, Anyway?
Published 2011-01-11, updated 2011-01-12

Our company issued a security advisory today about a binary planting vulnerability in multiple F-Secure products, including F-Secure Internet Security 2011. F-Secure issued automatically deployed fixes for this vulnerability last month, and all affected users can at this moment safely be presumed safe, so to speak. Before going any further, it has to be ...

Updated Online Binary Planting Exposure Test
Published 2010-12-15

Yesterday Microsoft issued a security update for the Windows Address Book binary planting vulnerability, which was used in our Online Binary Planting Exposure Test. Since the launch of this online test, thousands of Windows users worldwide have used it to check their exposure to Internet-based binary planting attacks, and we're happy to see people using it for testing their countermeasures.

Obviously ...

The Unbearable Lightness Of Non-Fixing
A Short Study on Security Reactiveness And Proactiveness
Published 2010-11-23, updated 2010-11-24

Exactly 97 days after a new old vulnerability type called Binary Planting, DLL Hijacking, DLL Preloading and Insecure Library Loading gained public attention, it is clear that:

These bugs are ubiquitous and can be found in many widely-used as well as less known applications;
Not just DLL loading, but also EXE loading is affected;
...

Analysis Of The Microsoft Office 2010 Binary Planting Bugs
Keeping binary planting bugs out of 120 million lines of code
Published 2010-11-10, updated 2010-11-12

In the course of the ongoing binary planting research, our company has discovered five binary planting bugs in Microsoft Office 2010: two in Word 2010, one in PowerPoint 2010 and one in Excel 2010. We notified Microsoft about the PowerPoint bug on July 20th (about 110 days ago), but subsequently this bug was also found and ...

Breaking The SetDllDirectory Protection Against Binary Planting
The curious case of Windows environment variables or how to re-hack fixed iTunes and Safari
Published 2010-10-27, updated 2010-10-28

If you're a Windows developer trying to protect your applications from binary planting attacks, you have probably heard of the SetDllDirectory function. This function removes the current working directory from the search path when loading DLLs and allows you to replace it with a (hopefully safe ...

How Visual Studio Makes Your Applications Vulnerable to Binary Planting
Creating a Binary Planting-Positive Application Without Writing a Single Line of Code
Published 2010-10-18, updated 2011-04-13

As attendees of the Hack In The Box conference learned last week, Microsoft Visual Studio makes it possible to develop a binary planting-positive (i.e., vulnerable) application, without you having to write a single line of code, in just 34 seconds. Let's look at the video first.

The video shows the ...