<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5795426782030567570</id><updated>2012-01-24T09:02:12.410-08:00</updated><category term='online banking security'/><category term='currency rounding attack'/><category term='exe planting'/><category term='dll planting'/><category term='file planting'/><category term='banking security'/><category term='binary planting'/><title type='text'>ACROS Security Blog</title><subtitle type='html'>ACROS Security Blog</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.acrossecurity.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>27</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-6347906247239442644</id><published>2012-01-09T08:14:00.000-08:00</published><updated>2012-01-13T05:49:23.943-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='online banking security'/><category scheme='http://www.blogger.com/atom/ns#' term='banking 
security'/><category scheme='http://www.blogger.com/atom/ns#' term='currency rounding attack'/><title type='text'>Is Your Online Bank Vulnerable To Currency Rounding Attacks?</title><summary type='text'>A Hefty Discount Your Bank Never Intended To Give You

In the 12+ years of doing penetration tests against various critical environments, we've seen numerous online banking servers and found all sorts of vulnerabilities in them, including bugs that allowed users to take money from other users' accounts, make unlimited overdrafts on their own accounts, transfer negative amounts to other accounts (</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/6347906247239442644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/6347906247239442644'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2012/01/is-your-online-bank-vulnerable-to.html' title='Is Your Online Bank Vulnerable To Currency Rounding Attacks?'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-4539232080298144350</id><published>2012-01-04T06:04:00.000-08:00</published><updated>2012-01-04T06:04:57.590-08:00</updated><title type='text'>Google Chrome HTTPS Address Bar Spoofing</title><summary type='text'>The Fixed Bounty Bug Revealed

Last month Google awarded our security analyst Luka Treiber a Chromium Security Reward for a high-severity vulnerability fixed in version 16 of the Chrome web browser. Due to Chrome's automatic update mechanism we expect most browsers to be updated by now, which seems to be supported by StatCounter's Global Stats for January 2012, where Chrome 16 is the only Chrome </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/4539232080298144350'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/4539232080298144350'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2012/01/google-chrome-https-address-bar.html' title='Google Chrome HTTPS Address Bar Spoofing'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-8652662722897155596</id><published>2011-10-20T10:30:00.000-07:00</published><updated>2011-10-27T07:26:18.484-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='file planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><title type='text'>Google Chrome pkcs11.txt File Planting</title><summary type='text'>A Vuln, Or Not A Vuln, That Is The Question

[Update 10/27/2011: Chrome 15, released two days ago, makes this bug even harder to exploit as its phishing and malware protection (enabled by default in Chrome's Under the Hood options) now sends an HTTPS request to one of its servers immediately upon startup. Therefore, in addition to not having Google as the search engine and not having visited any </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/8652662722897155596'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/8652662722897155596'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html' title='Google Chrome pkcs11.txt File Planting'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-4191692456923343641</id><published>2011-09-26T08:56:00.000-07:00</published><updated>2011-09-26T15:03:55.729-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>More Misconceptions About Binary Planting</title><summary type='text'>Last year, soon after revealing our binary planting research project, we published a blog post clearing up five frequently-appearing misconceptions at that time. Over a year (and about a hundred publicly fixed binary planting bugs in all sorts of software products) later, we're noticing a different set of misconceptions in public forums and on mailing lists. 
While we made our best effort to </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/4191692456923343641'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/4191692456923343641'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/09/more-misconceptions-about-binary.html' title='More Misconceptions About Binary Planting'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-SezdsQLq-Jc/ToCPOJfifyI/AAAAAAAAABw/bpEiPboWItU/s72-c/open_file_security_warning.png' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-5863943892759827366</id><published>2011-09-15T02:52:00.000-07:00</published><updated>2011-09-15T02:52:04.684-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Microsoft's Binary Planting Clean-Up Mission</title><summary type='text'>Slow, But Moving In The Right Direction

Since our presentation of COM server-based binary planting exploits at the Hack in the Box conference in May this year, Microsoft has introduced a number of relevant changes to Windows and Internet Explorer. To refresh our memory: in Windows, so-called "special folders" (e.g., Control Panel or My Computer) are implemented as in-process COM servers </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5863943892759827366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5863943892759827366'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/09/microsofts-binary-planting-clean-up.html' title='Microsoft&apos;s Binary Planting Clean-Up Mission'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-8371096624210556731</id><published>2011-07-08T10:28:00.000-07:00</published><updated>2011-07-08T10:28:48.486-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Binary Planting Goes "Any File Type"</title><summary type='text'>File Planting: A Sample From Our Security Research


It's been almost a year since we revealed our Binary Planting research project which identified 520+ remote execution vulnerabilities in almost all Windows applications. During this period, hundreds of binary planting vulnerabilities have been publicly reported and some have actually been fixed.

While some in the security community still seem </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/8371096624210556731'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/8371096624210556731'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/07/binary-planting-goes-any-file-type.html' title='Binary Planting Goes &quot;Any File Type&quot;'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-3247506310061482055</id><published>2011-06-02T07:29:00.000-07:00</published><updated>2011-09-19T03:47:08.749-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>COM Server-Based Binary Planting Proof Of Concept</title><summary type='text'>[Update September 19, 2011: Windows update MS11-071 breaks this proof of concept by removing the deskpan.dll registry reference. It thus no longer works but can still be used as a learning reference.]

For educational purposes we decided to publish a proof of concept (PoC) for the COM Server-Based Binary Planting attacks described in our previous post. We prepared both online and offline versions</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3247506310061482055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3247506310061482055'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/06/com-server-based-binary-planting-proof.html' title='COM Server-Based Binary Planting Proof Of Concept'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-7626752772910707307</id><published>2011-05-24T11:30:00.000-07:00</published><updated>2011-06-02T07:31:55.652-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>The Anatomy of COM Server-Based Binary Planting Exploits</title><summary type='text'>[May 6, 2011 update: we published a proof of concept for this vulnerability.]

Last week at the Hack In The Box conference in Amsterdam we presented some techniques for advanced exploitation of binary planting bugs. The stage was set by our previous blog post where we described how unsafely registered COM server DLLs, as well as safely registered COM server DLLs that make unsafe binary loading </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/7626752772910707307'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/7626752772910707307'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html' title='The Anatomy of COM Server-Based Binary Planting Exploits'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-j0QarmDn-W8/TdvSTmmCC7I/AAAAAAAAABo/0rLE5Ex2bq0/s72-c/XP_IE8_binary_planting.png' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-7653782079873388189</id><published>2011-05-10T10:28:00.000-07:00</published><updated>2011-09-16T05:32:23.098-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>"Binary Planting" vs. "DLL Hijacking" vs. "Insecure Library Loading"</title><summary type='text'>Binary Planting's Multiple Identities

When a new thing occurs or is invented, or when a previously obscure thing becomes popular, a need emerges to give it a name so we can talk and write about it. It was no different with binary planting, DLL hijacking, DLL preloading, insecure library loading, DLL load hijacking and DLL spoofing. Except that, unfortunately, these different names all describe </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/7653782079873388189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/7653782079873388189'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/05/binary-planting-vs-dll-hijacking-vs.html' title='&quot;Binary Planting&quot; vs. &quot;DLL Hijacking&quot; vs. &quot;Insecure Library Loading&quot;'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-6319989162433393485</id><published>2011-05-06T05:56:00.000-07:00</published><updated>2011-05-24T11:32:08.986-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Silently Pwning Protected-Mode IE9 and Innocent Windows Applications</title><summary type='text'>Binary Planting Through COM Servers

This blog post sets the stage for our Hack In The Box presentation in Amsterdam on May 19.

[Update: Find the continuation of this blog post here.]

Those familiar with Windows COM servers know that they come in two types, in-process and out-of-process. For this post, the former type is of interest: an in-process COM server is a dynamic link library (DLL) </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/6319989162433393485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/6319989162433393485'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html' title='Silently Pwning Protected-Mode IE9 and Innocent Windows Applications'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-3858932525996379263</id><published>2011-04-13T08:28:00.000-07:00</published><updated>2011-04-13T08:28:56.501-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Microsoft Patches Binary Planting Issues In Various Vendors' Products</title><summary type='text'>That is, after making them vulnerable in the first place

Last October our company reported that Microsoft Visual Studio 2010 and 2008 (we didn't test 2005) injected an easily exploitable binary planting vulnerability into every MFC (Microsoft Foundation Class) application built with these development environments - and also into any other application using the Visual C++ redistributable </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3858932525996379263'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3858932525996379263'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/04/microsoft-patches-binary-planting_13.html' title='Microsoft Patches Binary Planting Issues In Various Vendors&apos; Products'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-5771201812319745543</id><published>2011-01-11T11:00:00.000-08:00</published><updated>2011-01-12T16:00:54.154-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>How To Secure a Security Product</title><summary type='text'>And Whose Bug Is It, Anyway?

Our company issued a security advisory today about a binary planting vulnerability in multiple F-Secure products, including F-Secure Internet Security 2011. F-Secure has issued automatically deployed fixes for this vulnerability last month, and all affected users can at this moment safely be presumed safe, so to speak. Before going any further, it has to be said that</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5771201812319745543'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5771201812319745543'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2011/01/how-to-secure-security-product.html' title='How To Secure a Security Product'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-5572306392059497737</id><published>2010-12-15T09:26:00.000-08:00</published><updated>2010-12-15T09:27:15.285-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Updated Online Binary Planting Exposure Test</title><summary type='text'>Yesterday Microsoft issued a security update for the Windows Address Book binary planting vulnerability, which was used in our Online Binary Planting Exposure Test. Since the launch of this online test, thousands of Windows users worldwide used it to check their exposure to Internet-based binary planting attacks, and we're happy to see people using it for testing their countermeasures.

Obviously</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5572306392059497737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5572306392059497737'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/12/updated-online-binary-planting-exposure.html' title='Updated Online Binary Planting Exposure Test'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-7476027614889481485</id><published>2010-11-23T16:38:00.000-08:00</published><updated>2010-11-24T15:39:54.919-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>The Unbearable Lightness Of Non-Fixing</title><summary type='text'>A Short Study on Security Reactiveness And Proactiveness

Exactly 97 days after a new old vulnerability type called Binary Planting, DLL Hijacking, DLL Preloading and Insecure Library Loading gained public attention, it is clear that:

These bugs are ubiquitous and can be found in many widely-used as well as less known applications;
Not just DLL loading, but also EXE loading is affected;
</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/7476027614889481485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/7476027614889481485'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/11/unbearable-lightness-of-non-fixing.html' title='The Unbearable Lightness Of Non-Fixing'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-5561435641062311306</id><published>2010-11-10T05:03:00.000-08:00</published><updated>2010-11-12T03:54:24.765-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Analysis Of The Microsoft Office 2010 Binary Planting Bugs</title><summary type='text'>Keeping binary planting bugs out of 120 million lines of code

In the course of the ongoing binary planting research, our company has discovered five binary planting bugs in Microsoft Office 2010: two in Word 2010, one in PowerPoint 2010 and one in Excel 2010. We notified Microsoft about the PowerPoint bug on July 20th (about 110 days ago), but subsequently this bug was also found and published </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5561435641062311306'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5561435641062311306'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/11/analysis-of-microsoft-office-2010.html' title='Analysis Of The Microsoft Office 2010 Binary Planting Bugs'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-8455747343919045057</id><published>2010-10-27T07:06:00.000-07:00</published><updated>2010-10-28T16:49:56.551-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Breaking The SetDllDirectory Protection Against Binary Planting</title><summary type='text'>The curious case of Windows environment variables or how to re-hack fixed iTunes and Safari

If you're a Windows developer trying to protect your applications from binary planting attacks, you have probably heard of the SetDllDirectory function. This function removes the current working directory from the search path when  loading DLLs and allows you to replace it with a (hopefully safe) location</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/8455747343919045057'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/8455747343919045057'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/10/breaking-setdlldirectory-protection.html' title='Breaking The SetDllDirectory Protection Against Binary Planting'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-6059963810725738576</id><published>2010-10-18T09:34:00.000-07:00</published><updated>2011-04-13T08:31:43.274-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>How Visual Studio Makes Your Applications Vulnerable to Binary Planting</title><summary type='text'>Creating a Binary Planting-Positive Application Without Writing a Single Line of Code

As attendees of the Hack In The Box conference learned last week, Microsoft Visual Studio makes it possible to develop a binary planting-positive (i.e., vulnerable) application without you having to write a single line of code in just 34 seconds. Let's look at the video first.



The video shows the process of </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/6059963810725738576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/6059963810725738576'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/10/how-visual-studio-makes-your.html' title='How Visual Studio Makes Your Applications Vulnerable to Binary Planting'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-4370117060916158408</id><published>2010-10-08T09:37:00.000-07:00</published><updated>2010-10-27T07:39:57.336-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>HITB Preview: More Binary Planting Material Revealed</title><summary type='text'>Re-Hacking Fixed iTunes and Creating a Binary Planting-Positive Application Without Writing a Single Line of Code

As the Hack In The Box conference in Kuala Lumpur is just around the corner, we'd like to announce a couple of previously undisclosed candies the attendees of our Remote Binary Planting – An Overlooked Vulnerability Affair session will receive.

Re-Hacking Fixed iTunes

As you may </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/4370117060916158408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/4370117060916158408'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/10/hitb-preview-more-binary-planting.html' title='HITB Preview: More Binary Planting Material Revealed'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-3609505705274138761</id><published>2010-10-07T09:32:00.000-07:00</published><updated>2010-10-07T09:32:35.888-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Binary Planting Protection Guidelines for Developers</title><summary type='text'>The Binary Planting web site is now providing guidelines for software developers who want to avoid introducing binary planting vulnerabilities in their products. These guidelines supplement Microsoft's guidelines. 

Guidelines: http://www.binaryplanting.com/guidelinesDevelopers.htm</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3609505705274138761'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3609505705274138761'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/10/binary-planting-protection-guidelines.html' title='Binary Planting Protection Guidelines for Developers'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-26386541499206721</id><published>2010-09-27T11:08:00.000-07:00</published><updated>2010-10-01T09:54:58.234-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Opening a Can of Binary Planting Worms</title><summary type='text'>Binary Planting as Worm Propagation Method 

Unsurprisingly, worm authors find binary planting a great method for their digital monsters to propagate from infected systems to new ones. Symantec's analysis of Stuxnet provides a good insight into one of this worm's methods for propagating among users of a particular software product, in this case Siemens SIMATIC STEP 7. Like many other </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/26386541499206721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/26386541499206721'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/09/opening-can-of-binary-planting-worms.html' title='Opening a Can of Binary Planting Worms'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-9208425581230209832</id><published>2010-09-20T08:16:00.000-07:00</published><updated>2010-10-01T09:56:07.560-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Binary Planting Attack Vectors</title><summary type='text'>There's more than one way to skin a cat... or plant a binary, for that matter.

There seem to be differing views among IT professionals on how easy or difficult it is to actually mount a binary planting attack. Microsoft's Jerry Bryant, for instance, was quoted saying: "Due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/9208425581230209832'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/9208425581230209832'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/09/binary-planting-attack-vectors.html' title='Binary Planting Attack Vectors'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-5136270075782916190</id><published>2010-09-08T16:24:00.000-07:00</published><updated>2010-10-05T08:23:14.725-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Binary Planting Goes "EXE"</title><summary type='text'>Yesterday, Apple issued new versions of the Safari browser that fix a binary planting vulnerability our company reported to them in March this year under our then-effective disclosure policy. 
(See Apple's and our own advisory.) In the last 20 days since the binary planting monster escaped to the wilderness, eager bug-hunters were focused on unsafe loading of libraries, and understandably so: </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5136270075782916190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/5136270075782916190'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html' title='Binary Planting Goes &quot;EXE&quot;'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-3568399480508452108</id><published>2010-08-31T09:03:00.000-07:00</published><updated>2010-10-01T09:58:30.736-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Online Binary Planting Exposure Test</title><summary type='text'>ACROS Security has prepared a free public Online Binary Planting Exposure Test for all corporate and home Windows users who wish to test their exposure to binary planting attacks originating from the Internet. 
We'll try to keep a working demo of at least one unpatched, publicly disclosed vulnerability here for as long as there are any available. This test is not an attack demonstration but </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3568399480508452108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3568399480508452108'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/08/online-binary-planting-exposure-test.html' title='Online Binary Planting Exposure Test'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-3769071804495273299</id><published>2010-08-30T08:45:00.000-07:00</published><updated>2011-09-26T07:27:36.327-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Clearing up Some Misconceptions About Binary Planting</title><summary type='text'>As much is being asked, reported and experimented about the binary planting bugs in all corners of the Net, we're noticing some misconceptions and misunderstandings flying around. In the hope of setting some of these straight, here are some explanations:

Misconception #1: CWD-Addiction Implies Vulnerability
If an application exhibits problems because of Microsoft's CWDIllegalInDllSearch hotfix, it </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3769071804495273299'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3769071804495273299'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/08/clearing-up-some-misconceptions-about.html' title='Clearing up Some Misconceptions About Binary Planting'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-79695222932329265</id><published>2010-08-26T14:26:00.000-07:00</published><updated>2010-09-14T06:42:39.535-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Releasing SHA-256 Hashes of Binary Planting Vulnerabilities</title><summary type='text'>We're releasing SHA-256 hashes of 396 DLL planting and 127 EXE planting vulnerabilities we found during our extensive binary planting research. 
After a long internal discussion we decided that - considering the public availability of detection tools and instructions that make it possible for everyone to search for (a subset of) binary planting issues - it would not be appropriate to publish such</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/79695222932329265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/79695222932329265'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/08/releasing-sha-256-hashes-of-binary.html' title='Releasing SHA-256 Hashes of Binary Planting Vulnerabilities'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-1501227899878722813</id><published>2010-08-24T05:52:00.000-07:00</published><updated>2010-09-14T06:42:19.969-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Binary Planting Update, Day 7</title><summary type='text'>Yesterday, Microsoft officially responded to the Binary Planting issues discussed all over the web in the past few days. 
They published a number of documents (Advisory, SRD blog, MSRC blog and MSDN article on Dynamic-Link Library Security) and issued an update which introduces new functionality to Windows for mitigating Binary Planting attacks. Now that these are out, let me present our story of </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/1501227899878722813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/1501227899878722813'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/08/binary-planting-update-day-7.html' title='Binary Planting Update, Day 7'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-5795426782030567570.post-3313163736729117061</id><published>2010-08-23T05:57:00.001-07:00</published><updated>2010-09-14T06:41:37.983-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exe planting'/><category scheme='http://www.blogger.com/atom/ns#' term='binary planting'/><category scheme='http://www.blogger.com/atom/ns#' term='dll planting'/><title type='text'>Binary Planting Update, Day 6</title><summary type='text'>As some of you may have noticed, the world of Windows applications is looking at some bumpy times. Six days ago, our company ACROS Security published an iTunes security advisory, describing what we called a remote "Binary Planting" vulnerability. 
This vulnerability allows a remote attacker to place a (preferably hidden) malicious DLL on a network shared folder alongside a media file, and when</summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3313163736729117061'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5795426782030567570/posts/default/3313163736729117061'/><link rel='alternate' type='text/html' href='http://blog.acrossecurity.com/2010/08/binary-planting-update-day-6.html' title='Binary Planting Update, Day 6'/><author><name>Mitja Kolsek</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
