Wednesday, November 19, 2014

Project Zero Patch Tuesday roundup, November 2014

Posted by Chris Evans, Registrar of Bugs

It’s been about a week since Patch Tuesday, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Project Zero reports mentioned in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 various advisories are now public. We won’t always be writing a Patch Tuesday roundup, but we often will when we believe cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is a sufficiently varied and interesting array of bugs to study. This month is such a month. Separately to this summary, we expect to write more in-depth posts for some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most interesting individual vulnerabilities.

Internet Explorer sandbox escapes
Project Zero member James Forshaw has been busy looking for sandbox escapes on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Windows platform, resulting in a mention in two Microsoft bulletins. Sandbox escapes remain a focus of Project Zero because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are a more tractable attack surface to lock down than cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 typically large applications that run inside cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.

This bug is worth highlighting. It’s a permissions issue leading to an interesting attack: gain writeable access to some important settings and use that to turn off Protected Mode (aka. cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sandbox)! Finding and fixing permissions issues is important because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y can be very quickly, easily and reliably exploited.

This permissions issue is also of note. It permits read-only access to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 memory of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 medium integrity (unsandboxed) process. At first glance, this doesn’t sound like a sandbox escape. However, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re’s a trick that leverages this to leak a secret which leads to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ability to take over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 process. This will be fully covered in an upcoming blog post.

Microsoft Office memory corruption vulnerabilities
Project Zero member Ben Hawkes found three vulnerabilities in Microsoft Office, leading to this bulletin. We’ve seen cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 occasional 0-day triggerable by opening Office files, which is one factor we balance when considering where to help.

These three bugs are now public in our tracker. You can see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PoC files and see how in some cases, we were able to minimize cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PoC down to just a single bit flip from an original input document. You can also see how triaging exploitability of crashes -- particularly where you only have binaries -- can be surprisingly involved! It’s easy to see why simple automated approaches like !exploitable have a lot of false negatives.

Flash Player bytecode verification logic errors
Project Zero member Ian Beer focused in on an interesting area of research: logic errors in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bytecode verifier. The Flash bytecode security model is to verify certain properties of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bytecode once, up front, leading to various simplifications and optimization opportunities later. Any errors in verification can lead to serious runtime errors later. To pick a specific example, this bug tells cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 story of an incorrect assumption leading to a type confusion at runtime and a nice PoC which faults at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 attacker-specified address 0x414243 while attempting to load a function pointer.

Flash Player memory corruption vulnerabilities
Project Zero members Tavis Ormandy and Chris Evans and Project Zero affiliate Natalie Silvanovich reported miscellaneous memory corruption vulnerabilities. To briefly highlight a couple of issues, this bug is a type confusion that triggers in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 legacy ActionScript 2 APIs and cannot be readily reached unless you use an old-style .as compiler. As always, putting in effort to test legacy code often bears fruit. And this bug raises eyebrows because even though it is a wild memcpy() of approximate length -1, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re are signs of exploitability. Sometimes during testing, it isn’t cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 memcpy() thread that crashes, but anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r thread that happened to be doing some busy work in parallel.

OS X sandbox escape
All of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bugs mentioned so far were fixed well within Project Zero’s 90-day disclosure deadline, representing a solid security response by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Adobe Flash, Microsoft Office, Internet Explorer and Microsoft Windows product teams. In addition to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se bugs, this OS X sandbox escape is also now publicly viewable on account of exceeding cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 deadline. We calibrate our deadline to balance two important factors: cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 right of end users to know about a risk versus giving vendors a fair chance to cleanly fix a bug under a reasonable embargo. Given cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ratio of deadline hits to misses, we think we’ve calibrated correctly for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 current state of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 industry but we do hope to tighten cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 deadline in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 future.

This sandbox escape doesn’t give direct access to a highly privileged context (such as ring0) but it does provide an avenue to escape a sandbox policy, which is a useful escalation. For example, this bug could be chained with ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r bugs such as kernel NULL pointer dereferences.

No comments:

Post a Comment