Recap from the October 1st, 2019 CISO/Security Vendor Relationship Podcast
by Lydia Pert
A lot of organizations have weaknesses that can be exploited — but what about those weaknesses that extend back for decades? It’s not comforting to think that trusted companies and products have had breachable weaknesses for years, but it is a reality that must be faced as more and more long-term vulnerabilities are brought to light. Some of these long-term vulnerabilities have recently been exposed in two major IT ecosystems: Microsoft and firmware.
Google’s Project Zero has found exploitable security flaws affecting all versions of Windows, going all the way back to Windows XP – which was released in 2001. As you can probably imagine, this revelation presents a logistical nightmare for administrators all around the world.
Tavis Ormandy is the security researcher who discovered the issue with CTF — a little-known Microsoft protocol used by all Windows operating system versions. Ormandy ultimately found that communications between CTF clients and the CTF servers aren't properly authenticated or secured. He explained, “hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole.”
Ormandy further explained that there is no access control in CTF. Any application or user can connect to any CTF session. Clients are expected to report their thread ID, process ID, and HWND — but there is no authentication involved and bad actors can simply lie. This means bad actors can connect to another user's active session and take over. Attackers can use this loophole to steal data or issue commands, and in some cases the bad actor can even take full control over someone else’s computer.
And according to Ormandy, any application or Windows process is vulnerable.
Firmware is also facing struggles of its own. A recent study examined firmware from 18 vendors (including NEATGEARm ASUS, D-link, Linksys, and others). Over 6,000 firmware versions were analyzed, covering millions of binaries created from 2003 to 2018. The study found that overall, device firmware security is extremely poor — and has not improved in any measurable way over the last decade, despite the ever increasing attacks on connected devices all around the world.
Sarah Zatko, Chief Scientist at the Cyber Independent Testing Lab, spoke recently at Red Hat and DEFCON about deficiencies in the security of firmware. “We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products,” she said.
In Zatko’s words, in the software and firmware security process — nobody is trying.
As Steve Prentice explained in the Cloud Security Tip, there appears to be a major disconnect between the finders of these flaws, and companies that manufacture the software and firmware that contain them. Disconnects include long delays before reviewing discovered flaws, systemic failures in the manufacturing process, and the direct application of one set of design rules to a brand new product line such as Internet of Things.
A lot of companies out there have shown they simply don’t care about security — and there isn’t a whole lot anyone can do to make them care. But we can all learn from this, and understand that cybersecurity is ultimately up to the users. So be proactive, and make sure you are doing everything you can on your end to make sure you are safe.