
    ZeroDay exploit

    https://www.fireeye.com/blog/threat-...te-finspy.html
    From Slashdot
    An anonymous reader quotes a report from Motherboard:
    Government hackers were using a previously-unknown vulnerability in Microsoft's .NET Framework, a development platform for building apps, to hack targets and infect them with spyware, according to security firm FireEye. The firm revealed the espionage campaign on Tuesday, on the same day Microsoft patched the vulnerability. According to FireEye, the bug, which until today was a zero-day, was being used by a customer of FinFisher, a company that sells surveillance and hacking technologies to governments around the world. The hackers sent a malicious Word RTF document to a "Russian speaker," according to Ben Read, FireEye's manager of cyber espionage research. The document was programmed to take advantage of the recently-patched vulnerability to install FinSpy, spyware designed by FinFisher. The spyware masqueraded as an image file called "left.jpg," according to FireEye.
    Interestingly:
    The document was programmed to take advantage of the recently-patched vulnerability to install FinSpy, spyware designed by FinFisher.
    So, hackers are using security holes introduced in patched vulnerabilities to further infect Windows systems. Code by the lowest paid programmer?

    In times past Linux developers were/are famous for finding a virus, analyzing it, and releasing a patch for it ON THE SAME DAY. This was the initial meaning of a "ZeroDay patch". There were zero days between the discovery, announcement and posting of a patch.

    Microsoft, on the other hand, began threatening developers, who found and released notices to the public of security holes or virus attacks in Microsoft software, with legal action if they told anyone but Microsoft about the security hole. So, in typical fashion, Microsoft would hold the knowledge of the virus attack vector secret until such time as it suited their economic or political interest to notify the public and then release the patch, all on the same day, and then claim zero days had passed since the announcement of the bug and its patch. Very disingenuous and unethical, if not outright dishonest. Why? Because it became known that while they kept knowledge of the security holes secret from Joe and Sally Sixpack, they did inform their Fortune 500 companies of such holes ASAP, to avoid obvious lawsuits from companies with armies of lawyers. Joe and Sally were left hanging in the wind, twisting in the breezes of adversity as IP packets rolled through their computer.

    From FireEye
    FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.
    FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance, which can be found here.
    Now, ZeroDay is standard practice, but most people do not see between the lines: "coordinating public disclosure timed with the release of a patch". How long has Microsoft known about this vulnerability without telling its not so rich customers? Why keep the general public in the dark? The bad guys already knew about the vulnerability, they discovered it and were using it. The "timing" is to forestall any public outcry or questions as to HOW LONG the public was kept in the dark. How long was Joe and Sally's system exposed to this vulnerability? And, why weren't they informed along with the Fortune 500 so that Joe and Sally could take protective action themselves? Actions like not running a particular piece of software from Microsoft, or using similar software from other vendors? Because it would affect Microsoft's revenue stream. That's why.

    I switched to Linux in May of 1998. Viruses and vulnerabilities weren't a big thing at the time in the Windows world of which I was a part as a software developer. I made the switch to Linux because my brand new Sony VAIO desktop, purchased on Dec 27th, 1997, could not run Win95 more than 30 minutes at a time without crashing. I was clicking the save button on my source code every minute or so. When I installed RH5, looking for some relief from the crashing, the Sony VAIO never crashed again and RH5 was rock solid stable.

    Having used Win3.11WFW I was familiar with the DrDobbs Journal article that uncovered Microsoft's attempt to block the installation of Win3.11 on systems that were running Dr-DOS. But it wasn't until RH5 showed that the Sony was stable as a rock, as was RH5, that I began focusing on Microsoft's software as the cause of the problem. Trying to learn all I could about my newly adopted OS, I visited Linux forums and was pointed to articles like ESR's "The Cathedral and the Bazaar", and the "Halloween Documents". I found the German "F***Microsoft.com" website and was stunned to see how Microsoft sat on security holes for years at a time, never fixing some, and how they created secret folders into which they stored all your browsing and computer use activity, uploading it regularly to their servers, clearing out the secret folders and starting over. When that website showed how to block Microsoft from doing that, Microsoft moved the secret folders into their recovery partition and stored the purloined data there until it was uploaded.

    Now, except for articles like this, which correctly describe the collusion between Microsoft and security firms to conceal Microsoft's vulnerabilities for economic reasons, I ignore Microsoft. I have long since deleted my XP VM, and I currently use WINE to run one graphical PCL dev tool, IQUAN written for XP, in case I am called upon by a client and good friend of 33 years to use it. But, I doubt I ever will.

    I do get concerned, however, when I observe some "Open Source" companies concealing security holes in their software, for economic reasons as well, by keeping knowledge of their software's vulnerability as secret as they can until they "zeroday" the patch.
    Last edited by GreyGeek; Sep 13, 2017, 11:59 AM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.