Security Bits – 5 Jan 2018
Security Medium 1 — Password Managers as Trackers
Security researchers have found that less-reputable tracking firms have deployed JavaScript which uses invisible forms to trick password managers into entering information which can then be used as a kind of super-cookie that users cannot delete, and hence, track them around the web.
This problem affects every feature that auto-fills usernames and passwords, whether it is native to the browser or provided by a third-party plugin, so it affects everyone who saves passwords in their browser in any way.
The only thing users can do for now to block this kind of tracking is to use a plugin like NoScript or uBlock Origin to block trackers, or to stop using any saved-password feature of any kind. The latter is utterly impractical if you follow best practice and avoid password re-use.
Remember, this is about tracking, not hacking, so my personal opinion is that the danger from password re-use massively out-weighs the danger from being tracked. I’m going to keep using my password manager!
In the medium term it will be up to browser and password manager manufacturers to deal with this by simply getting a little cleverer. A very simple change that could make a huge difference would be to only auto-fill information into form fields that are actually visible to the user. Note that the tracker only needs the username to identify you, so a fix that protects password fields alone is not enough; the visibility check has to cover username fields too.
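To make the "only fill visible fields" idea concrete, here is an added example of the check a password manager could run before auto-filling. It is not code from the article or from any browser or password manager; it works on plain descriptions of form fields (the information a real extension would take from getComputedStyle and getBoundingClientRect) so that it runs in Node without a DOM, and the two sample forms, including the tracker-style invisible one, are constructed for the demo. The viewport size is an assumption.

```javascript
// Added example (not code from the article, nor from any browser or password
// manager): the "only fill fields the user can see" check, written against
// plain field descriptors so it runs in Node without a DOM.
// In a real extension the descriptor would be built from the live element:
//   const cs = getComputedStyle(el), r = el.getBoundingClientRect();
//   { name: el.name, type: el.type,
//     style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
//     rect: { x: r.x, y: r.y, width: r.width, height: r.height } }
// The viewport size is assumed; an extension would read window.innerWidth/innerHeight.

const VIEWPORT = { width: 1280, height: 800 };

// Returns a string saying why the field is hidden, or null if it is visible.
function hiddenReason(field, viewport = VIEWPORT) {
  const s = field.style || {};
  const r = field.rect || { x: 0, y: 0, width: 0, height: 0 };
  if (field.type === 'hidden') return 'input type=hidden';
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden' || s.visibility === 'collapse') return 'visibility:hidden';
  if (parseFloat(s.opacity) === 0) return 'opacity:0';
  // display:none on an ancestor shows up as an element with no box at all
  if (r.width < 1 || r.height < 1) return 'zero-size box';
  const offScreen = r.x + r.width <= 0 || r.y + r.height <= 0 ||
                    r.x >= viewport.width || r.y >= viewport.height;
  if (offScreen) return 'positioned off-screen';
  return null;
}

function isAutofillSafe(field) {
  return hiddenReason(field) === null;
}

// Names of the fields in a form that a password manager should be willing to fill.
function fieldsToFill(form) {
  return form.fields.filter(isAutofillSafe).map(f => f.name);
}

// Constructed sample 1: the kind of invisible login form a tracking script
// injects. The username (email) is what it is really after.
const trackerForm = {
  fields: [
    { name: 'email', type: 'text',
      style: { display: 'none' }, rect: { x: 0, y: 0, width: 0, height: 0 } },
    { name: 'password', type: 'password',
      style: { display: 'block', opacity: '1' },
      rect: { x: -9999, y: 0, width: 200, height: 30 } },
    { name: 'login', type: 'text',
      style: { display: 'block', opacity: '0' },
      rect: { x: 100, y: 100, width: 200, height: 30 } },
  ],
};

// Constructed sample 2: a genuine, visible login form.
const loginForm = {
  fields: [
    { name: 'username', type: 'text',
      style: { display: 'block', visibility: 'visible', opacity: '1' },
      rect: { x: 400, y: 300, width: 240, height: 32 } },
    { name: 'password', type: 'password',
      style: { display: 'block', visibility: 'visible', opacity: '1' },
      rect: { x: 400, y: 350, width: 240, height: 32 } },
  ],
};

console.log('tracker form, fill:', fieldsToFill(trackerForm)); // []
console.log('login form, fill:', fieldsToFill(loginForm));     // [ 'username', 'password' ]
```

The check refuses all three tracker fields for different reasons (display:none, positioned off-screen, opacity:0) and accepts both genuine fields. It is deliberately conservative: a field a user cannot see gets nothing, even if that occasionally means a legitimate but oddly-styled login form has to be filled by hand.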
Links
- No boundaries for user identities: Web trackers exploit browser login managers — freedom-to-tinker.com/…
- Your web browser’s password manager is helping ad companies track you across the web — www.imore.com/…
- Ad scripts track users via browser password managers — nakedsecurity.sophos.com/…
Security Medium 2 — IOHIDeous, a macOS Privilege Escalation Zero-day Vulnerability
A security researcher poking around inside a part of the iOS and macOS kernels named IOHIDFamily (HID as in Human Interface Device) found a privilege escalation bug that has been lurking in there unnoticed since at least 2002.
What this bug does is allow any process running on macOS/Mac OS X to gain admin (root) privileges without a password. Since it only affects code already running on the Mac itself, the bug is not directly exploitable remotely.
The fact that only code running on your computer can make use of this vulnerability to gain admin privileges means there’s no need to set your hair on fire — the immediate danger is minimal.
However, it’s still important that Apple fix this bug quickly, because this kind of bug becomes extremely powerful when combined with another bug or with social engineering attacks.
Hypothetically, should another vulnerability be found in macOS that allows arbitrary code execution, this vulnerability upgrades that hypothetical second vulnerability into arbitrary code execution with admin powers! An attack that relies on multiple vulnerabilities is known as a chained attack, and they are becoming ever more common as OS security gets ever tighter and more effective.
Similarly, this kind of vulnerability makes social engineering attacks much more potent. Normally, if a social engineering attack needs admin privileges it has to trick you into running malicious code and entering your admin password, but with a vulnerability like this the attacker only needs to trick you into running their code; they can then use the vulnerability to silently gain admin rights.
Apple are aware of the vulnerability, and are working on a fix, so expect security updates in the near future.
Links
- The vulnerability’s home page — siguza.github.io/…
- macOS Zero Day Found That Was Present Since 2002 — www.macobserver.com/…
Security Medium 3 — Meltdown & Spectre – all CPUs have Dangerous Flaws
A pair of very similar and very much related vulnerabilities have been found in just about all modern CPUs, though Intel CPUs are particularly vulnerable.
The following summary from the homepage for the bugs explains the basics very well:
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
All of these bugs abuse optimisations added to modern CPUs and operating systems to speed up our computers. Of particular importance is something called speculative execution: rather than stall while a slow operation (a memory load, say, or a bounds check that depends on one) completes, modern CPUs guess at its outcome and go ahead with the following instructions on the assumption that the guess was correct. If it was, the results get committed; otherwise they get rolled back as if they never happened. The catch is that the rollback only covers the architectural state (registers and memory). Side effects such as which data got pulled into the CPU's cache survive the rollback, and an attacker can measure those afterwards with a timing test. The other major optimisation involved is at the OS level: it had been common practice to keep the kernel's memory mapped into every process's page tables (marked inaccessible to user code) so that a system call does not require switching address spaces. Meltdown makes those kernel mappings readable, so OS vendors are removing them from user-space page tables and switching to separate kernel and user page tables (the "dual page tables" referred to below), hence all the OS updates that have been released, and are about to be released.
The end result of both of these bugs is that regular processes can read memory they should not have access to. That's a major security breach. It's bad on regular computers, but even worse on cloud computing infrastructure where, depending on how the provider's infrastructure is set up, it can allow code in one virtual machine to read memory belonging to the host or to other customers' VMs!
With the generalities out of the way, let’s look at the specifics of the two vulnerabilities.
The Meltdown Bug — Primarily affects Intel Chips, Easy to Exploit, but also Easy to Mitigate
The first of the two vulnerabilities has been named Meltdown. This is the one that primarily affects Intel CPUs, but also some ARM CPUs.
Here’s a quick summary of the danger posed by this bug from the homepage for these bugs:
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
As best as I can tell from the most current reporting I’ve read, here’s how things stand:
- Intel CPUs are definitely affected, and exploitation is easy with well tested proof-of-concept code out there.
- There are no proof of concept attacks against ARM CPUs that I’ve seen reported, but, ARM say some of their chip designs are theoretically vulnerable, so their engineers have provided code updates to the Linux kernel to provide protection.
- AMD CPUs are probably not affected, the company say their architecture is different to Intel’s in this regard, so their chips can’t be attacked in this way, but I’m seeing some speculation from security researchers that variants of the attack that work against AMD CPUs might be found in the future.
Mitigating against this bug is straightforward (the OS simply stops mapping kernel memory into user processes), hence the flurry of OS updates coming out at the moment (Windows, Linux, macOS, iOS & tvOS).
The Spectre Bug — Affects all CPUs, Hard to Exploit, but also Difficult to Mitigate
The second of the two vulnerabilities has been named Spectre, and this one affects all CPUs.
Here’s a quick summary of the danger posed by Spectre from the homepage for the vulnerabilities:
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
The good news is that, generally speaking, successful exploitation of this vulnerability is currently very difficult. There is one notable caveat though: a technique has been found to exploit this bug via JavaScript, using the high-resolution timers available to web pages to detect which data is in the cache, so our browsers are going to need updates.
Apple are working on an updated version of Safari, and Firefox released an update today.
In general though, with the exception of the browser fixes that are being rolled out now, the real-world threat from this vulnerability is low.
The bad news is that there is no obvious, easy-to-implement general fix. Developers can make low-level changes to the security-critical sections of their own apps (inserting instructions that stop the CPU speculating past a security check, so-called speculation barriers such as Intel's LFENCE), but that is a brittle solution that has to be applied by hand, check by check, and a single missed check leaves the app exposed. Ideally there would be an OS-level fix like the one for Meltdown, but right now no one seems to have a clue as to how that might even be possible.
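The explanation above of speculative execution (results rolled back, cache footprint kept) and this paragraph's point about per-check barriers are easier to see in a worked model. The following is an added example written for this post; it is not code from the article, the Spectre paper, or any real exploit. Everything in it is simulated: memory is a Uint8Array, the cache is a set of line numbers, the timing measurement is replaced by set membership, and the branch predictor is a single bit. The memory layout, the secret string and the cache-line size are constructed for the demo.

```javascript
// Added example (not the article's code, nor any real exploit): a toy model of
// the Spectre "bounds check bypass" gadget, showing why a rollback that leaves
// the cache untouched is enough to leak data, and what a speculation barrier
// placed after the check does about it. Layout and secret are constructed.

const LINE = 64;                       // assumed cache-line size in bytes
const ARRAY1 = 0, ARRAY1_SIZE = 16;    // the victim's legitimately readable array
const SECRET = ARRAY1 + ARRAY1_SIZE;   // secret bytes sit just past array1
const PROBE = 4096;                    // 256 cache lines used as the side channel
const memory = new Uint8Array(PROBE + 256 * LINE);
const SECRET_TEXT = 'hunter2';         // constructed secret
for (let i = 0; i < ARRAY1_SIZE; i++) memory[ARRAY1 + i] = i;
for (let i = 0; i < SECRET_TEXT.length; i++) memory[SECRET + i] = SECRET_TEXT.charCodeAt(i);

const cache = new Set();               // cache lines currently loaded
const lineOf = addr => Math.floor(addr / LINE);
function load(addr) { cache.add(lineOf(addr)); return memory[addr]; }

let predictInBounds = true;            // 1-bit branch predictor: last outcome of the check

// The victim gadget: `if (x < size) y = probe[array1[x] * LINE]`.
// Without a barrier the CPU runs the body on the *predicted* outcome and only
// later squashes the result if the prediction was wrong; the cache keeps the
// footprint either way. With `barrier` (modelling an LFENCE-style speculation
// barrier right after the check) the loads wait for the real outcome.
function victim(x, barrier) {
  const inBounds = x < ARRAY1_SIZE;
  const speculateBody = barrier ? inBounds : predictInBounds;
  const body = () => { const v = load(ARRAY1 + x); load(PROBE + v * LINE); return v; };
  let value = speculateBody ? body() : undefined;   // may read past array1
  predictInBounds = inBounds;                       // predictor learns the real outcome
  if (!inBounds) return undefined;                  // mispredicted "in": result squashed
  return value === undefined ? body() : value;      // mispredicted "out": run it properly
}

// Attacker: train the predictor with in-bounds calls, flush the probe lines,
// make one out-of-bounds call, then "reload" to see which probe line is hot.
function leakByte(offset, barrier) {
  for (let i = 0; i < 8; i++) victim(i % ARRAY1_SIZE, barrier);
  cache.clear();                                    // models clflush of the probe array
  const result = victim(SECRET - ARRAY1 + offset, barrier);
  if (result !== undefined) throw new Error('gadget returned an out-of-bounds value');
  for (let v = 0; v < 256; v++) {
    if (cache.has(lineOf(PROBE + v * LINE))) return v;  // cache hit = fast reload
  }
  return -1;                                        // nothing leaked
}

function leakString(length, barrier) {
  let out = '';
  for (let i = 0; i < length; i++) {
    const b = leakByte(i, barrier);
    out += b < 0 ? '?' : String.fromCharCode(b);
  }
  return out;
}

console.log('no barrier  :', leakString(SECRET_TEXT.length, false)); // hunter2
console.log('with barrier:', leakString(SECRET_TEXT.length, true));  // ???????
```

Without the barrier the secret comes out byte by byte even though `victim` never returns an out-of-bounds value; the bounds check is honoured architecturally, and the leak rides entirely on the cache footprint. With the barrier the loads never happen, so nothing is left to measure. In a real attack the set lookup is a timing measurement (which is why the browser mitigations coarsen JavaScript's timers), and the barrier has to be inserted at every such check by hand, which is what makes the developer-side fix brittle.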
This is a problem the industry will have to wrestle with over the next few years, and the end result is likely to be changes in CPU design, and perhaps also in OS design.
OS & Browser Updates
- Apple have already patched macOS, iOS & tvOS, and say watchOS is not vulnerable. There are further updates on the way, specifically for Safari.
  - Note that only macOS High Sierra & iOS 11 have received these updates; they have not been back-ported to older OS versions
- Updated versions of the Linux kernel are out
- Google have released updates for Android & Chrome OS, and fixes for the Chrome browser are on the way (due out 23 Jan).
- Microsoft have released an updated version of Windows 10 with support for dual page tables, but with caveats:
  - Because there are known problems with some AV products, the update won't be offered to users with AV products installed unless the installed AV has set a special registry key to indicate it has been updated and is now compatible with dual page tables
  - The dual page tables feature will not be enabled by default on the server version of Windows, but will need to be explicitly activated by a sysadmin
- Edge and IE have been patched
- Firefox has been patched
- Google are working on a patch for their Chrome browser, but it’s not ready yet
I Hear Everything Will be Slowed Down?
Removing optimisations is obviously going to slow things down at least a little, but there are some very wild numbers doing the rounds.
The biggest hit will come from the OS updates that separate the kernel and user page tables, but the effect of that change depends very strongly on the kind of app you look at.
What matters is how often the app hands off to the OS kernel, because it's that handoff (the system call, which now has to switch page tables and throw away cached address translations) that has been slowed down by these OS changes. Apps that interact with the kernel more, such as those doing lots of small disk or network operations, will be slowed down more.
You'll see frightening numbers like 30% slowdowns, but those numbers are being reported without their critical context: they come from artificial tests designed to establish a worst-case baseline, using a program that did nothing but make system calls. That is utterly unrealistic for real workloads!
Apple say their benchmarks show the changes they made to macOS, iOS & Safari are resulting in negligible performance hits of just a few percent at most.
Links
- The homepage for the bugs (surprisingly human-friendly) — meltdownattack.com/…
- The single best overview of this very confusing topic I’ve found to date — arstechnica.com/…
- Apple’s statement on the bugs — support.apple.com/…
- Google’s release notes for the Android update — source.android.com/…
- Google’s status page showing the current state of play for all their products — support.google.com/…
- The Firefox update to address Spectre — www.mozilla.org/…
- A great summary of the responses by all the major companies involved – the chip makers, the OS vendors, and the cloud providers — arstechnica.com/…
Notable Security Updates
- Mozilla Released a critical security update for Thunderbird — www.us-cert.gov/…
- Mozilla released an unscheduled Firefox update to patch a bug in the crash reporter that may have leaked data. They have also decided to delete all submitted crash report data because they can't tell which crash reports were uploaded with user consent and which were not (due to this bug) — nakedsecurity.sophos.com/…
Notable News
- As well as impressive computing power and a nice black case, the new iMac Pro also contains some novel security features that may hint at where Apple plans on taking the rest of the Mac lineup in the future — www.macobserver.com/… & www.imore.com/…
- Security researchers find that Windows Hello can be spoofed with a still photo on many Windows devices. Only some devices are capable of enhanced anti-spoofing, and many devices that are capable of it have it turned off by default (editorial by Bart: it should not be possible to have the enhanced feature turned off on any device that supports it!) — nakedsecurity.sophos.com/…
- A number of games have been found to be using smartphone mics to monitor what people are watching on TV. Most of the affected games are in the Google Play store, but a few have been found in the iOS App Store. The only silver lining is that apps have to ask for, and be granted, access to the mic to engage in this kind of spying — www.nytimes.com/…
- Spotify users are warned that they need to set a long and secure password on their accounts because there is a brute-force attack tool in the wild, and because of poor system design by Spotify, that tool is free to keep guessing passwords unhindered by such basic protections as rate-limiting, CAPTCHAs and 2FA — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- News
- Propeller Beanie Territory
- Researchers demonstrate that Android apps can use data from sensors considered non-critical from a security point of view (motion sensors such as the accelerometer and gyroscope) to guess PINs with very impressive accuracy (83.7% of all possible 4-digit PINs within 20 tries). Previous research has shown that JavaScript could be used for these kinds of attacks, but in response Firefox and Safari limited JavaScript's access to smartphone sensors to tabs that are in front and being displayed to the user. Google will need to update their OS to stop apps reading sensors while the lock screen is active — nakedsecurity.sophos.com/…
Palate Cleansers
- XKCD meets Meltdown & Spectre — xkcd.com/…
It seems important to note that as of late afternoon Friday, January 5, 2018 Apple has provided a “Meltdown” patch ONLY for “High Sierra.”
Quoting from “About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan”
Not putting in the link because Allison's blog seems to have issues with them.
Searching for CVE-2017-5754 (Meltdown) in “About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan” at https://support.apple.com/en-us/HT208331 yields only one reference to a patch for CVE-2017-5754 (Meltdown), and it is specific to High Sierra ONLY:
Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read kernel memory
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology
Entry updated January 5, 2018
There is no reference that CVE-2017-5754 (Meltdown) is patched in Sierra or El Capitan.
Now that’s a surprise. The link embedded in text was accepted.
I personally am not worried about the password manager as a tracker. I've never used the built-in version and have set LastPass to never autofill. The girls are only ever filled in when I explicitly click on the LP plugin and tell it to fill in. This should be an option in all password managers.
Bloody autocorrect!
The fields are only ever filled in when I explicitly click on the LP plugin.
Well, Apple.com is trusted because it's apple.com, so it makes sense. HTML, however, is not, and I found that out when I tried to suggest a sort of markdown in the comments. Here's some HTML:
testing
I just typed testing in bold and it should block it.
Oh wait, did Allison add it or did I fool it?