Source: SecurityWeek
Identifier: 547357
Publication date: 2018-03-28 11:03:05 (seen: 2018-03-28 14:00:45)
Title: Microsoft Patches for Meltdown Introduced Severe Flaw: Researcher (Recycled)
Text:
Some of the Windows updates released by Microsoft to mitigate the Meltdown vulnerability introduce an even more severe security hole, a researcher has warned.
Microsoft has released patches for the Meltdown and Spectre vulnerabilities every month since their disclosure in January. While at this point the updates should prevent these attacks, a researcher claims some of the fixes create a bigger problem.
According to Ulf Frisk, the updates released by Microsoft in January and February for Windows 7 and Windows Server 2008 R2 patch Meltdown, but they allow an attacker to easily read from and write to memory.
He noted that while Meltdown allows an attacker to read megabytes of data per second, the new vulnerability can be exploited to read gigabytes of data per second – in one of the tests he conducted, the expert managed to access the memory at speeds of over 4 Gbps. Moreover, the flaw also makes it possible to write to memory.
Frisk says exploitation does not require any sophisticated exploits – standard read and write instructions will get the job done – as Windows 7 has already mapped the memory for each active process.
“In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” the researcher explained. “The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.”
“Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory,” he said.
The researcher says anyone can reproduce the vulnerability using a direct memory access (DMA) attack tool he developed a few years ago. The attack works against devices running Windows 7 x64 or Windows Server 2008 R2 with the Microsoft patches from January or February installed. The issue did not exist before January and it appears to have been addressed by Microsoft with the March updates. Windows 10 and Windows 8.1 are not affected, Frisk said.
SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.
Frisk previously discovered a macOS vulnerability that could have been exploited to obtain FileVault passwords, and demonstr
Notes:
Sent: Yes
Source: SecurityWeek
Identifier: 516127
Publication date: 2018-03-15 13:22:01 (seen: 2018-03-15 13:22:01)
Title: Hackers Can Abuse Text Editors for Privilege Escalation
Text:
Several popular text editors can be leveraged for privilege escalation and their developers do not plan on taking any action to prevent abuse, according to SafeBreach, a company that specializes in simulating attacks and breaches.
Some text editors allow users to run third-party code and extend the application's functionality through extensions. While this provides some benefits, an expert determined that it can also introduce security risks.
SafeBreach researcher Dor Azouri has analyzed the Sublime, Vim, Emacs, Gedit, pico and nano text editors, and found that only pico and its clone, nano, are not prone to abuse, mainly due to the fact that they offer only limited extensibility.
One part of the problem is that users - particularly on Linux servers - may often need to execute text editors with elevated privileges. If an attacker can plant malicious extensions in locations specific to the targeted text editor, their code will get executed with elevated privileges when the application is launched or when certain operations are performed.
For an attack to work, the attacker needs to somehow hijack a legitimate user account that has regular privileges, which can be achieved through phishing, social engineering and other methods. In the case of a malicious insider, the vulnerability found by SafeBreach can be useful for executing code with elevated privileges if their permissions have been restricted by the system administrator to certain files and commands.
Depending on the targeted editor, the attacker needs to create specially crafted scripts or package files, and place them in specific plugin directories. In some cases, the hacker may need to create additional files and enable extensions in order for the attack to work, but this should not be difficult if they have access to a less-privileged account.
In the case of Emacs, for example, attackers simply need to add one line of code to the “init.el” file in order to get their code executed on startup. Azouri noted that editing the init file does not require root permissions. A report published on Thursday by SafeBreach details how privilege escalation can be achieved through each of the tested editors.
While there are no reports of malicious attacks abusing text editors for privilege escalation, incidents involving abuse of extensibility are not unheard of. For instance, Kite, which offers Python code enhancements and suggestions for several popular editors via extensions, drew criticism last year after integrating promotional links into its users' coding apps.
SafeBreach also pointed to a couple of incidents related to npm packages that resulted in malicious code getting loaded and applications breaking. Azouri has described several possible scenarios involving post-exploitation techniques that
Notes:
Sent: Yes