Microsoft Also Provides Update for Failed 2010 Stuxnet Patch
By Mathew J. Schwartz, March 12, 2015.
Apple, Microsoft Issue Freak Flaw Fixes
Both Microsoft and Apple this week released patches to address the so-called "Freak" flaw that affects Windows as well as Apple's Mac OS X and mobile iOS operating systems. Microsoft also released a fix that addresses a failed patch for a vulnerability that was exploited by the Stuxnet malware.
See Also: Automate and Standardize your IAM to Radically Reduce Risk
The Freak - for "Factoring RSA-EXPORT Keys" - flaw could be abused by attackers to subvert secure Web connections by forcing crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher, which they could then crack and use to eavesdrop on SSL/TLS communications. "Once the attacker has the key she can eavesdrop on your communication and even modify it and redirect you to impostor sites," says Wolfgang Kandek, CTO of security firm Qualys, in a blog post.
The Freak flaw was discovered in January, but kept quiet by researchers until March 3 as they alerted vendors and organizations, working with Johns Hopkins cryptographer Matthew Green.
Numerous organizations have been shipping related patches. Notably, OpenSSL released a Freak-free update - OpenSSL 1.0.2 - on Jan. 22 to patch its related flaw, designated CVE-2015-0204.
This week, Apple patched its form of Freak - designated CVE-2015-1067 - via its Security Update 2015-002, which removes support "for ephemeral RSA keys." The update is for just the three latest versions of OS X: Yosemite (10.10.2), Mavericks (10.9.5), and Mountain Lion (10.8.5). Users of Lion (10.7) and older Mac OS X operating systems remain vulnerable to Freak attacks, although security experts say none have yet been seen in the wild.
Meanwhile, Microsoft this week also patched the Freak flaw by fixing a Secure Channel vulnerability in Windows, designated CVE-2015-1637.
Freak Fixes: What's Missing?
But according to the University of Michigan researchers who are running the Tracking the Freak Attack website, 9.5 percent of the 1 million most popular websites - as ranked by Amazon.com's Alexa subsidiary - are still vulnerable to the Freak flaw, although that's an improvement from the 12.2 percent of sites that were at risk as of March 3. Even so, the researchers warn that 26 percent of all HTTPS servers remain at risk from the Freak flaw. And they say that the flaw may also be present in mobile apps, embedded systems - such as industrial control applications - and any other software that uses TLS.
Until those get fixed, users are at risk, warn the researchers from French computer science lab INRIA, Spanish computer lab IMDEA and Microsoft Research who discovered the Freak vulnerability. "You are vulnerable if you use a buggy Web browser [detailed below] to connect, over an insecure network, to an HTTPS website that allows export ciphersuite," they say on their Smack TLS website. "If you use Chrome 41 or Firefox to connect to a site that only offers strong ciphers, you are probably not affected."
From a browser standpoint, the researchers have released this Freak-related guidance:
Chrome: All versions before 41, on various platforms, are vulnerable - upgrade;
Internet Explorer: All OS versions before March 9 are vulnerable - upgrade;
Safari: All OS versions before March 9 are vulnerable - upgrade;
Opera: All versions before 28 are vulnerable - upgrade;
Android Browser: Vulnerable, so the researchers recommend switching to Chrome 41;
Blackberry Browser: Vulnerable, no fix yet available.
The University of Michigan researchers have created a client-check tool that scans for Freak flaws. "Even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser," they say. "If you are using a safe browser but our client test says you're vulnerable, this is a likely cause."
Windows Gets Numerous Fixes
In addition to patching the Freak flaw in Windows, Microsoft this week released 14 security bulletins for its operating systems, of which five are critical. Related patches address everything from RTF parser flaws in Microsoft Office, to font-based vulnerabilities in Microsoft Office that could be exploited via malicious Office or PDF documents, to a Windows Text Services flaw that could be exploited to run code on a target's PC.
But Kandek at Qualys says the highest-priority fix involves Internet Explorer - all versions from IE6 to IE11 - which gets a patch that fixes 12 vulnerabilities, of which 10 are rated as being "critical" in severity because they can be exploited to remotely run arbitrary code. "In a typical scenario an attacker would plant malicious HTML code on a website that is under her control and lure the target to the site, or hack a site that the target habitually browses to, and simply wait for the target to come to the site," he says.
2010 Stuxnet Fix: Take Two
One of those Microsoft patches was for an unexpected problem: a lingering zero-day vulnerability that had been exploited by Stuxnet, which was discovered in June 2010. The malware was allegedly built by a U.S.-Israeli cyberweapons program, code-named "Olympic Games," to cripple nuclear enrichment centrifuges in Iran.
But according to researchers at HP's Zero Day Initiative, which rewards security researchers for disclosing vulnerabilities, the vulnerability persisted. They say they were approached in early January 2015 by researcher Michael Heerklotz, who detailed the familiar Windows vulnerability, which allows an attacker to create malware that uses custom icons from .CPL, or Windows control panel files, to run arbitrary executable files. Such malware could be hidden on a USB key, so that when it was plugged into a Windows system, it could automatically exploit it.
"To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010," ZDI says in a blog post. "Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links."
But the patch failed. "For more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment," ZDI says.
Kurt Baumgartner, a principal security researcher at Moscow-based anti-virus vendor Kaspersky Lab, says that information security researchers have now found that this flaw was exploited as early as 2008 by what it's dubbed the Equation Group, which some researchers suspect is the U.S. National Security Agency.
But it's not clear if information security researchers - at intelligence agencies or otherwise - knew that Microsoft's initial, 2010 fix for the flaw failed to block all such attacks. "We have not observed a different implementation of this newly [reported] LNK exploit in the wild - yet," Baumgartner says.
Numerous researchers are warning that this flaw could still be targeted in unpatched versions of Windows, for example by crimeware toolkits. "To exploit the vulnerability, an actor would either need to convince a user to visit a malicious website, which is not an uncommon tactic, or have physical access to a vulnerable system to insert a USB device containing a specially crafted shortcut," threat-intelligence firm iSight Partners says in a research note.
