Security Bits – 16 May 2019

Security Medium 1 — The WhatsApp Vulnerability 🧯

The Financial Times were first to report that a vulnerability existed in the WhatsApp app for iOS & Android, and that it was being actively but very selectively exploited against high-value targets, probably by governments. Facebook confirmed that the vulnerability existed, and that it is patched in the latest version of the app. Facebook also recommended all users update ASAP.

The facts in this story are hard to come by, so we don’t know as much about the vulnerability as I’d like.

What we do know is that the vulnerability was being exploited by customers of NSO Group, an Israeli grey-hat security company that sells weaponised malware to governments. The vulnerability was being used to install NSO Group’s Pegasus spyware. This spyware product apparently jailbreaks phones, giving it full system/root access, and allowing it access to all data.

A spyware tool like Pegasus can’t be installed onto a phone without exploiting one or more vulnerabilities in the OS and/or apps running on the device. Given how many layers of security iOS & Android put in place, we’re almost certainly talking about some kind of exploit chain. The chain would need to start with a vulnerability in an app with some kind of exposed attack surface — perhaps an app that processes files of a given type, which could be triggered by emailing an attachment, or an app that somehow interacts with the internet. That would give the attacker the ability to hijack the affected app, but they would still be stuck in that app’s sandbox. They would then need to use some other OS-level vulnerability to break out of that. Even then they may find other protections like Address Space Layout Randomisation (ASLR) blocking their attempts to jailbreak the device, so they may well need to add even more exploits into their attack.

We don’t know exactly what was going on here, but it seems that there was a bug in the VoIP component of WhatsApp that allowed remote code execution simply by initiating a WhatsApp voice call to the target device. The call did not have to be answered, and if the attack succeeded, call logs could be cleared afterwards, making the attack much harder to notice. This WhatsApp vulnerability alone would not be enough to get Pegasus installed, but it would be the starting point of an exploit chain. What we don’t know is what came after WhatsApp in the chain. Did the attackers rely on users not keeping their version of iOS or Android up to date? Maybe this would only work if you were not quite fully patched? I haven’t been able to find enough information to answer that question.

There is no need for regular folks to panic about this. For attacks like this to be valuable to governments they need to be kept secret for as long as possible, so the incentive is to use them extremely sparingly, and only to attack high-value targets that are worth the risk of having the bug discovered and fixed. This is why reports that the number of victims of this vulnerability is tiny make sense to me. I think it’s very unlikely any NosillaCastaways have had their phones hacked via this vulnerability.

What should we do? Patch WhatsApp ASAP!


Security Medium 2 — Microarchitectural Data Sampling, AKA ZombieLoad (More Speculative Execution Problems for Intel)

Problems around the Speculative Execution feature in modern Intel chips first came to light early last year with the release of the Spectre & Meltdown bugs. At the time we strongly suspected there would be many more similar problems found, and that has very much proven to be the case!

This week we’ve learned about yet another new grouping of very closely related speculative execution flaws. Because these flaws were discovered by a number of different groups, they go by a number of different names, specifically RIDL, Fallout, ZombieLoad, and Microarchitectural Data Sampling. That last really boring-sounding one is Intel’s official name for these flaws. Unsurprisingly, that’s not the name that has caught the public imagination! The one I’m seeing and hearing most often used online and in podcasts is ZombieLoad.

Note that unlike some of the other speculative execution problems, these new issues only affect Intel chips, not AMD or ARM chips.

As with all the other related bugs, the problem here is data leaking between processes running on the same computer. To be specific, data can leak between threads executing on the same core at the same time (hyperthreading). On a home computer that’s not good, but it’s not catastrophic. It means one process running on your PC can see into other processes running on your PC. If one of those processes is malware, you have much bigger problems than this kind of data leakage! This is why there has not been any need for any of us to set our hair on fire over most of these bugs. (The notable exception was Spectre, which could be exploited via JavaScript running in a web page, but that was addressed with browser patches.)

Where bugs like this really matter is on servers shared between multiple customers. In that case, if one of the customers you share hardware with is hacked, or worse still, is an attacker, then the ability to see into other users’ processes is a very big deal indeed. This is why the only people who have really needed to lose sleep over these bugs have been people sysadmining cloud environments. Thankfully, the same is true here, so again, no need to set your hair on fire! 🧯

As with previous speculative execution bugs, the simplest and most effective defence is to disable hyperthreading. This is the approach some versions of BSD have taken, as indeed have some cloud providers. This obviously has a massive performance hit, but it is a very effective mitigation, and it mitigates against both the vulnerabilities we already know about and all similar vulnerabilities not yet discovered!

But in this case there’s even less need to set your hair on fire because there are already patches available. Intel have released microcode updates for all the affected CPUs, and they say the expected performance hit is only about 3%.

As with previous microcode updates, the easiest way to get them loaded into the CPU is to have the OS load them at boot time, so it’s important that both Microsoft and Apple have included these microcode updates in the latest security updates for Windows 10 and macOS. The reason this was possible is that the bug was responsibly disclosed to Intel last year. Intel then worked on a fix and coordinated with the OS vendors to get the patches out before the security researchers shared the details of what they’d found with the world.

For those who want to really nip all these problems in the bud, and who are happy to accept the performance hit, Apple released instructions for disabling hyperthreading on Macs (How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities —…).

There is an even more fundamental reason not to panic though. Previous vulnerabilities involved reading data from caches; these vulnerabilities involve reading data from internal CPU buffers. While it may not be easy, attackers do have some control over what gets cached, but they have no control over what gets buffered. This means that hypothetical attacks against these vulnerabilities would be purely opportunistic — keep reading the buffers over and over again until you happen to stumble across something sensitive/valuable! Intel’s updated microcode addresses the problem by purging those buffers more aggressively.
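The two mitigations described above (microcode that lets the OS purge the buffers, and turning hyperthreading off) leave a machine in one of a few states, and on Linux the kernel reports which one applies. The following is an added example, not code from the Security Bits post or from any vendor: it reads the two sysfs files the Linux kernel exposes for MDS (assumed to be present on kernels carrying the May 2019 fixes) and turns them into a verdict a sysadmin could feed into a fleet inventory.

```python
"""Assess MDS (ZombieLoad/RIDL/Fallout) mitigation state on a Linux host.

Added example, not from the Security Bits post. The sysfs paths below are
what the Linux kernel exposes for this bug class (assumed present on
kernels that carry the May 2019 MDS fixes; older kernels lack them).
"""
from pathlib import Path

MDS_STATUS = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")


def assess_mds(mds_status: str, smt_control: str) -> dict:
    """Classify the kernel's MDS status line plus the SMT control state.

    Example kernel status strings:
      'Not affected'
      'Vulnerable: Clear CPU buffers attempted, no microcode'
      'Mitigation: Clear CPU buffers; SMT vulnerable'
      'Mitigation: Clear CPU buffers; SMT disabled'
    """
    mds = mds_status.strip()
    smt = smt_control.strip()
    affected = mds != "Not affected"
    # "Mitigation:" means the kernel found microcode support for clearing
    # the buffers and is purging them when switching between processes.
    microcode_ok = mds.startswith("Mitigation:")
    # Leakage between sibling hyperthreads is only closed when SMT is off.
    smt_off = mds.endswith("SMT disabled") or smt in (
        "off", "forceoff", "notsupported", "notimplemented")
    if not affected:
        verdict = "not affected"
    elif microcode_ok and smt_off:
        verdict = "fully mitigated (microcode + SMT off)"
    elif microcode_ok:
        verdict = "partially mitigated (microcode only; SMT still on)"
    else:
        verdict = "vulnerable (no microcode / old kernel)"
    return {"affected": affected, "microcode_mitigation": microcode_ok,
            "smt_disabled": smt_off, "verdict": verdict}


def assess_this_host() -> dict:
    """Read live sysfs; missing files mean a kernel predating the fixes."""
    try:
        return assess_mds(MDS_STATUS.read_text(), SMT_CONTROL.read_text())
    except (FileNotFoundError, PermissionError):
        return {"verdict": "unknown: kernel does not report MDS status"}


if __name__ == "__main__":
    print(assess_this_host()["verdict"])
```

The "partially mitigated" verdict is the interesting one for shared hosts: the microcode is in, but sibling hyperthreads of untrusted tenants can still sample each other's buffers until SMT is switched off.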


Security Medium 3 — Android Q Security Enhancements

At last week’s Google Build developers conference more details were released about security improvements coming to Android with Android Q.

The TL;DR version is that Google are continuing to work to harden Android, and to make more of the OS updatable directly from Google, bypassing the device manufacturers and carriers.

Some of the highlights include:

  • Mandatory disk encryption — all devices running Android Q will use disk encryption, regardless of whether they are phones, tablets, wearables, or automobiles!
  • Improved biometric support at the OS level so developers can leverage facial recognition, fingerprints etc. in more robust ways from within their apps.
  • More parts of the OS have been modularised so they can be updated via Google Play Services. This has two advantages — firstly, these modules can be updated directly from Google, and secondly, they can be updated without needing to reboot the device. They’ll behave more like app updates than OS updates.
  • Lots of very nerdy low-level OS-hardening to spot and stomp on common classes of vulnerabilities.

These are all good improvements, and they are to be applauded.

However, none of this changes Google’s fundamental business model — they remain FreePI. Google’s CEO Sundar Pichai may have used the word privacy over and over again during his presentation, but that doesn’t change the fundamentals any more than Mark Zuckerberg’s constant use of the word in his keynote the week before. In his remarks Pichai took a swipe at companies like Apple for making privacy a ‘luxury’, but that only works if you place zero value on personal information. Neither Google nor its competitors are charities; they all make money from their products and services, and the user always pays in some way. Apple & Microsoft prefer to get paid in money, while Google and Facebook prefer to get paid in personal information, but they all get paid! There are no free phones, and you only get free services from charitable foundations like the WikiMedia Foundation and the Let’s Encrypt consortium!


Notable Security Updates

  • Google have released their May 2019 Android security update —…
  • Apple have patched just about everything: iOS 12.3, macOS 10.14.5 (and Security Update 2019-003 for High Sierra & Sierra), watchOS 5.2.1, tvOS 12.3 & Safari 12.1.1 —…,… &…
  • This Tuesday was Patch Tuesday, and Microsoft and Adobe released the usual array of patches
    • One of the Microsoft patches fixes a ‘potentially wormable’ vulnerability in older versions of Windows, and most unusually, the update has been released for Windows XP, Windows 7 & Windows Server 2003 —… &…
  • A remote code execution bug has been patched in an optional part of the Linux kernel. If the bug can be exploited it gives a remote attacker arbitrary code execution with root privileges, which is about as bad as it gets! Thankfully the bug is very difficult to exploit, so the real-world danger is quite low, at least for now. Also, not all versions of Linux include the affected code. For example, none of the currently supported versions of RHEL are affected. If you run Linux, best to apply whatever patches your distro has because exploits only get better with time! —… &…

Notable News

  • 🧯 Evil Clippy is a new technique security researchers have discovered that currently succeeds in sneaking malicious Office macros past AV products. Now that the technique is known the AVs can be updated to close down this bypass, but by far the simplest defence is never to allow macros to run on documents you download or are not 100% sure are trustworthy —…
  • A lawsuit filed by Facebook shows that Rankwave are the next Cambridge Analytica. Facebook are suing the company for not complying with its terms of use and abusing the large amount of data it has collected through its apps (at least 30 of them) between 2010 and 2018 to micro-target people so as to be able to influence them effectively on behalf of their customers —… &…
  • Microsoft have achieved FIDO2 certification for Windows Hello, paving the way for using hardware security tokens instead of passwords on Windows 10 computers —…
  • Microsoft, Google, Amazon, Twitter & Facebook have teamed up to fight online extremism. The grouping has dubbed itself Christchurch Call in honour of the victims of the terrorist attacks in Christchurch NZ a month ago. As well as announcing their formation, the group also revealed a nine-point plan —…

Suggested Reading

Palate Cleansers

  • 🔈 A short but interesting look at the history of Spreadsheets, and an analysis of what they tell us about the complex relationship between humans and robots from the wonderful 50 things that made the modern economy podcast from the BBC World Service —…
  • 🔈 The BBC World Service have just launched a new 12-part podcast series named “13 Minutes to the Moon” telling the story of the people behind the Apollo Moon landings in a new and original way. The fact that they got Hans Zimmer to do the soundtrack gives you some idea of just how professional a production this is! —…

Note: When the textual description of a link is part of the link, it is the title of the page being linked to. When the text describing a link is not part of the link, it is a description written by Bart.