Juan C. Perez

Intel Makes Spectre Patch Progress, while Adobe Grapples with Latest Flash Bug

It’s been a busy week in InfoSec land, as Intel released a new Spectre patch, iOS source code was leaked online, and a zero-day Flash bug got exploited in the wild.

Also making noise these past few days: A major security hole in the Grammarly web app, WordPress updates tripping over each other, and a data breach at a Swiss telecom company.

As has been the case these past few weeks, we’ll lead off with the latest on Meltdown and Spectre, the hardware vulnerabilities whose disclosure on Jan. 3 sent shockwaves through the IT industry due to their scope and severity, and which are expected to remain an issue for years.

Intel mitigates Spectre vulnerability with Skylake update

For a change, the latest Meltdown / Spectre development is encouraging: On Wednesday, Intel announced some progress in its ongoing and often erratic attempts to update the firmware of a variety of its CPUs impacted by the vulnerabilities.

Specifically, Intel delivered to its OEM customers and industry partners production microcode updates that mitigate Spectre’s Variant 2 (CVE-2017-5715) on several Skylake-based platforms, and promised “to do the same for more platforms in the coming days.”

“We also continue to release beta microcode updates so that customers and partners have the opportunity to conduct extensive testing before we move them into production,” Navin Shenoy, executive VP and GM of Intel’s Data Center Group, said in a blog post.

Those beta releases follow the glitchy Broadwell and Haswell microcode updates for the same variant, branch target injection, which Intel had to pull after they caused frequent, random system reboots and, in some cases, data loss and corruption.

Noting that fixes for its current and future CPUs will in most cases reach end customers through OEM firmware updates, Shenoy stressed that system owners should always keep their firmware up to date.

Shenoy also acknowledged that Intel has a lot of work ahead, as he provided a link to a document listing impacted Intel platforms and the status of their fixes.

Qualys has been on top of the Meltdown / Spectre issue from the very start, dispensing advice and insight publicly in blog posts, news articles and webcasts, as the industry scrambles to deal with these vulnerabilities, which affect most Intel CPUs released in the past 20 years, as well as a smaller number of ARM and AMD CPUs.

Meltdown (CVE-2017-5754) provides access to all physical memory, including kernel memory, via a user mode, ring 3 process, so that “any process running in the system can access all the contents of physical memory,” Qualys Product Management Director Jimmy Graham said recently during a webcast.

Attackers could steal passwords, grab private keys and do whatever necessary to escalate their system privileges to administrator levels. “Anything that can be stored in memory can be accessed through Meltdown,” Graham said.

Meanwhile, Spectre (CVE-2017-5753, bounds check bypass, and CVE-2017-5715, branch target injection) affects Intel, AMD and ARM CPUs by abusing branch prediction and speculative execution, so that data belonging to other, otherwise isolated processes leaks through side channels such as the CPU cache.

Another Flash crash

Adobe warned late last week about a critical vulnerability in its Flash Player that can allow an attacker to take control of the affected system.

In a security advisory, Adobe said that the vulnerability (CVE-2018-4878) affects Flash Player 28.0.0.137 and earlier versions, and that it was aware of an exploit in the wild “being used in limited, targeted attacks against Windows users.”

“These attacks leverage Office documents with embedded malicious Flash content distributed via email,” the advisory reads.

On Wednesday, Adobe released patches for the affected Flash Player versions on Windows, Macintosh, Linux and Chrome OS, ahead of its next scheduled patch release on Tuesday, Feb. 13.

“This is surely yet another reason for Adobe Flash’s still large number of users to consider whether it’s time to call an end to what can charitably be called a rocky relationship,” independent security analyst Graham Cluley wrote on his blog.

He recommends either removing Flash from computers altogether, or at least enabling the “click to play” option as an extra protection layer.

“It doesn’t take Nostradamus to predict that this isn’t going to be the last discovery of a remotely exploitable vulnerability in Flash. Chances are that there is another zero-day vulnerability in Adobe Flash just around the corner,” he wrote.

Over at Sophos’ Naked Security blog, Paul Ducklin reminded readers that “turning off Flash in your browser isn’t enough.” That prevents Flash files embedded in web pages from rendering inside browsers, “but doesn’t remove the Flash playing software from your computer as a whole.”

“We’re assuming that the crooks chose to embed their booby-trapped Flash file inside an Office document to bypass your browser, where many users have already blocked Flash from playing, or only activate it for specific websites,” Ducklin wrote.
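The delivery vector Adobe and Ducklin describe, a Flash file embedded in an Office document, can be checked for at the mail gateway before the document reaches a user. What follows is an added example, not code from Adobe, Sophos or Qualys: a Python scanner that opens an OOXML document as the zip it is and inspects every member for an SWF header (FWS, CWS or ZWS) or the Flash ActiveX class id, and falls back to a flat scan for non-zip inputs such as legacy .doc files. The member layout, the plausibility thresholds and the sample document it builds are assumptions made for the example.

```python
"""Added example (not Adobe's, Sophos's or Qualys's code): scan an Office
document for embedded Flash content.

Assumptions, labelled as such: the document is an OOXML zip (.docx/.xlsx/.pptx)
whose embedded objects live in members such as word/embeddings/oleObject1.bin;
anything that is not a zip (legacy .doc/.xls) is scanned as one flat blob.
An SWF starts with a 3-byte signature (FWS uncompressed, CWS zlib, ZWS LZMA),
a 1-byte version and a 4-byte little-endian uncompressed length; the Flash
ActiveX class id is D27CDB6E-AE6D-11CF-96B8-444553540000.
"""
import io
import re
import struct
import zipfile

SWF_SIG = re.compile(rb"[FCZ]WS")
FLASH_CLSID_TEXT = b"d27cdb6e-ae6d-11cf-96b8-444553540000"           # as written in activeX*.xml
FLASH_CLSID_BIN = bytes.fromhex("6edb7cd26daecf1196b8444553540000")  # GUID byte layout in OLE streams


def find_swf_headers(blob):
    """Return (offset, signature, version, length) for each plausible SWF header in blob."""
    hits = []
    for m in SWF_SIG.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        length = struct.unpack_from("<I", blob, off + 4)[0]
        # Plausibility filters (assumed bounds): SWF versions were 1..~40 by 2018
        # and the length field must at least cover the header. This prunes
        # accidental 'FWS' byte runs inside unrelated binary data.
        if 1 <= version <= 50 and 8 <= length <= 256 * 1024 * 1024:
            hits.append((off, m.group().decode("ascii"), version, length))
    return hits


def scan_blob(name, blob):
    """Findings for one member (or one flat file): SWF headers and the Flash CLSID."""
    findings = []
    for off, sig, ver, length in find_swf_headers(blob):
        findings.append({"member": name, "kind": "swf_header", "offset": off,
                         "signature": sig, "version": ver, "length": length})
    if FLASH_CLSID_TEXT in blob.lower() or FLASH_CLSID_BIN in blob:
        findings.append({"member": name, "kind": "flash_clsid"})
    return findings


def scan_office_document(data):
    """Return a list of findings; an empty list means no Flash indicators were seen."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_blob("(raw)", data)  # legacy OLE2 document or unknown format
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):
                continue
            findings.extend(scan_blob(info.filename, zf.read(info)))
    return findings


def build_sample_docx(with_flash):
    """Constructed stand-in for a .docx, not a real document: just enough zip
    structure to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>quarterly report</w:document>")
        if with_flash:
            # Fake OLE blob: 64 bytes of padding, then a compressed-SWF header
            # (CWS, version 10, claimed length 0x1234) and a few junk body bytes.
            swf = b"CWS" + bytes([10]) + struct.pack("<I", 0x1234) + b"\x78\x9c" + b"\x00" * 32
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, scan_office_document(doc))
```

Run as a script it prints the findings for the constructed clean and Flash-bearing samples. The check is a fast indicator, not a substitute for detonation: a CWS or ZWS body is compressed, so the scanner never looks at the ActionScript inside, and a document that merely references the Flash CLSID without carrying an SWF will also be flagged, which is the right bias for a mail gateway.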

iOS source code leaked

Apple also blipped on the cybersecurity news radar when Motherboard reported on Wednesday that a key portion of iOS source code had been posted anonymously on GitHub. The code in question was for iBoot, the secure bootloader and one of the most critical iOS components, and came from iOS 9.

Apple scrambled to file a DMCA takedown notice and the code was removed, but it is safe to assume it was available long enough to have been copied multiple times.

Apple downplayed the importance of the leak, saying that it came from an old iOS version and that multiple security safeguards exist to protect users.

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code,” Apple said in a statement, as reported by Macworld.

“There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” the statement reads.

Still, Motherboard pointed out that portions of the leaked code likely still exist in the current version of iOS, and that Apple has security reasons for keeping this software confidential.

“Apple has traditionally been very reluctant to release code to the public, though it has made certain parts of iOS and MacOS open source in recent years. But it has taken particular care to keep iBoot secure and its code private,” the Motherboard article reads, noting that boot process bugs carry the highest value when reported through Apple’s bounty program: reportedly up to $200,000.

Jonathan Levin, author of books on iOS and Mac OS X internals, told Motherboard that access to the iBoot source code gives iOS security researchers a better chance to find vulnerabilities that could lead to compromising or jailbreaking the device.

It could also make it easier for hackers to find flaws that could allow them to crack or decrypt an iPhone, Levin said, adding that the leak could allow advanced programmers to emulate iOS on non-Apple platforms.

In other security news …

Update that WordPress update, chop chop

On Monday, WordPress released a run-of-the-mill maintenance update (4.9.3) that fixed 34 bugs but that also inadvertently broke the blog publishing platform’s automatic update functionality.

As a result, the next day WordPress issued another update (4.9.4) that fixes the “severe bug” introduced on Monday, which causes “sites that support automatic background updates to fail to update automatically.”

The catch? WordPress admins have to install the latest update manually, of course.

If you’re interested in the technical details of what went wrong with Monday’s update, read this WordPress post.

Massive security hole found in Grammarly grammar checker

Google security researcher Tavis Ormandy found a major security flaw in the Grammarly browser extension that exposed its auth tokens to all websites, making it possible for unauthorized parties to access users’ documents.

The researcher gave props to Grammarly for fixing the issue and releasing an update to the Chrome Web Store within hours, calling the turnaround “a really impressive response time.” The bug was fixed in Grammarly’s extensions for both Firefox and Chrome. The Chrome extension is used by about 22 million people, according to Ormandy.

On its Twitter account, Grammarly said it has no evidence that any user information was compromised, and specified that the bug potentially affected text saved in the Grammarly Editor, but not the Grammarly Keyboard, the Grammarly Microsoft Office add-in, “or any text typed on websites while using the browser extension.”

Swisscom customer data stolen using partner’s credentials

Switzerland’s Swisscom telecom disclosed on Wednesday that in last year’s fourth quarter, the “non-sensitive” contact details of about 800,000 of its customers, representing about 10% of the country’s population, were accessed without authorization, including names, addresses, telephone numbers and dates of birth.

The interesting twist to this story is that the unknown attackers obtained the data using legitimate login credentials that Swisscom had granted to a trusted sales partner, a classic case of third-party, or vendor, risk.

Swisscom said it immediately blocked the unnamed partner’s system access, and also took steps to “better protect access to such non-sensitive personal data by third-party companies.”

The changes include “tighter controls” for partner access and an automatic alarm whenever unusual activity is detected. Partners will also no longer be able to run high-volume queries across all customer records, and two-factor authentication will be introduced this year for all data access by sales partners.
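Two of those controls, a cap on query volume and an alarm on unusual access, translate directly into code. What follows is an added example and not Swisscom’s system: a Python sketch that rejects over-sized partner queries up front and raises one alert per partner account that touches more distinct customer records inside a sliding window than a human sales rep plausibly would. The log format, field names, window length and thresholds are assumptions made for the example, and the log it runs on is constructed.

```python
"""Added example, not Swisscom's code: a preventive cap on partner query size
plus a detective alarm for customer-record enumeration by a partner account.

Assumed log format, one access per line (constructed for this example):
    2017-11-20T09:00:00Z partner=acme user=rep1 action=customer.lookup customer_id=10001
Thresholds and window length are assumptions, not Swisscom's settings.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

MAX_IDS_PER_QUERY = 5           # assumed policy: partners cannot bulk-fetch records
WINDOW = timedelta(minutes=10)  # assumed sliding window for the alarm
MAX_DISTINCT_CUSTOMERS = 25     # assumed: more than this per window looks like enumeration

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) partner=(?P<partner>\S+) user=(?P<user>\S+) "
    r"action=customer\.lookup customer_id=(?P<cid>\d+)$"
)


def allowed_query(customer_ids):
    """Preventive control: refuse any single query over the cap, so a
    'give me everything' request fails instead of merely being logged."""
    return 0 < len(customer_ids) <= MAX_IDS_PER_QUERY


def parse_line(line):
    """Parse one access log line; returns None for other actions or malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["partner"], m["user"], m["cid"]


def detect_enumeration(lines):
    """Detective control: one alert per (partner, user) the first time the number of
    distinct customer_ids it touched inside WINDOW exceeds MAX_DISTINCT_CUSTOMERS."""
    events = sorted(filter(None, (parse_line(l) for l in lines)))  # logs may interleave
    recent = defaultdict(deque)  # (partner, user) -> deque of (ts, cid) still inside the window
    alerted, alerts = set(), []
    for ts, partner, user, cid in events:
        key = (partner, user)
        dq = recent[key]
        dq.append((ts, cid))
        while ts - dq[0][0] > WINDOW:
            dq.popleft()
        distinct = len({c for _, c in dq})
        if distinct > MAX_DISTINCT_CUSTOMERS and key not in alerted:
            alerted.add(key)
            alerts.append({"partner": partner, "user": user,
                           "distinct_customers": distinct,
                           "window_end": ts.isoformat()})
    return alerts


def build_sample_log():
    """Constructed log: a sales rep checking two accounts, and a partner account
    walking through 30 customers in two and a half minutes."""
    base = datetime(2017, 11, 20, 9, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(5):
        t = (base + timedelta(minutes=2 * i)).strftime(fmt)
        lines.append(f"{t} partner=acme user=rep1 action=customer.lookup customer_id={10001 + i % 2}")
    for i in range(30):
        t = (base + timedelta(seconds=5 * i)).strftime(fmt)
        lines.append(f"{t} partner=acme user=bulk action=customer.lookup customer_id={20000 + i}")
    return lines


if __name__ == "__main__":
    print("query of 3 allowed:", allowed_query(range(3)), "| query of 50 allowed:", allowed_query(range(50)))
    for alert in detect_enumeration(build_sample_log()):
        print(alert)
```

Alerting on distinct customers rather than on raw request count is deliberate: a rep refreshing the same account ten times is not enumeration, while a script stepping through sequential customer IDs is. Events are sorted before the window is applied, so interleaved logs from several front ends still evaluate correctly, and the alert fires once per account rather than on every subsequent lookup.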

“Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident,” reads the company’s statement.

Ilia Kolochenko, CEO of High-Tech Bridge, told Infosecurity Magazine that vendor risk remains widely unacknowledged. “Cyber-criminals won’t assault the castle, but will instead find a weak supplier with legitimate access to the crown jewels,” he said.
