The February 2015 patch overview highlights a significant increase in updates for Adobe Flash due to multiple critical vulnerabilities, including 0-day exploits detected in January and February. Microsoft also released nine bulletins addressing vulnerabilities in Internet Explorer, Windows, and Office, prioritizing critical patches for remote code execution risks. The document discusses a critical vulnerability known as 'Ghost' in glibc, with potential exploits affecting various Linux distributions and other systems.

1. Patch Overview
February 2015
Wolfgang Kandek, Qualys, Inc
February 12, 2014

2. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities

3. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities

4. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit

5. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit
• January 22 – APSB14-02 for CVE-2015-0310 (no typo)
• Under attack in the wild (0-day)
• Mentions CVE-2015-0311 (sort of)
• Credits 3 Researchers, including @Kafeine

6. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit
• January 22 – APSB14-02 for CVE-2015-0310 (no typo)
• Under attack in the wild (0-day)
• Mentions CVE-2015-0311 (sort of)
• Credits 3 Researchers, including @Kafeine
• January 27 – APSB14-03 for CVE-2015-0311/12
• Credits 3 different Researchers, including @Kafeine

7. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313

8. February Patches - 3
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313

9. February Patches - 3
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313

10. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313

11. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313
• All versions of Windows attacked under IE and Firefox

12. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313
• All versions of Windows attacked under IE and Firefox
• Flash under Google Chrome not attacked
• Malwarebytes Anti Exploit neutralizes CVE-2014-310
• EMET prevents CVE-2015-0311
• Trend Micro Browser Exploit Prevention: CVE-2015-0313

13. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP

14. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit

15. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)

16. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)
• Priority 3: MS15-010 – Windows
• 1 publicly disclosed - Google Project Zero 90 day limit

17. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)
• Priority 3: MS15-010 – Windows
• 1 publicly disclosed - Google Project Zero 90 day limit
• Interesting: MS15-011 - GPO

18. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit

19. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
• GHOST = GetHOSTbyname (vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
• Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2-2.17 vulnerable in use in many distros
• RedHat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04

20. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
• GHOST = GetHOSTbyname (vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
• Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2-2.17 vulnerable in use in many distros
• RedHat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04
• Verification program, source in the advisory
• Vulnerability scanner

21. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB

22. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB
• Mitigations
• Hostname can only be 255 characters long (RFC1123)
• Gethostname deprecated

23. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB
• Mitigations
• Hostname can only be 255 characters long (RFC1123)
• Gethostname deprecated
• Examples:
• ping, arping, mtr, mount.nfs – not vulnerable
• clockdiff, procmail, pppd, exim – vulnerable
• exim – (remote!) exploit POC exists

24. GHOST - Reality
• How exploitable is it really?

25. GHOST - Reality
• How exploitable is it really?
• Opinions vary

26. GHOST - Reality
• How exploitable is it really?
• Opinions vary

27. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add

28. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add

29. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…

30. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt

31. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt

32. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt
• Sucuri – there is a problem in Wordpress/PHP - pingback

33. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt
• Sucuri – there is a problem in Wordpress/PHP – pingback
• Now a Metasploit check
• Veracode – there are problems in many enterprise apps
• 202 enterprise apps – 25% use gethostbyname
• 72% C/C++, 28% Java, .NET, PHP
• 64/32 bit are vulnerable – our exploit works against both 64
and 32 bit exim for example

34. GHOST – beyond Linux
• Juniper

35. GHOST – beyond Linux
• Juniper

36. GHOST – beyond Linux
• Juniper
• Cisco

37. GHOST – beyond Linux
• Juniper
• Cisco

38. GHOST – beyond Linux
• Juniper
• Cisco

39. GHOST – beyond Linux
• Juniper
• Cisco
• NetApp
• McAfee
• F-Secure
• BlueCoat
• RiverBed
• …..

40. Resources
• Microsoft - https://technet.microsoft.com/library/security/ms15-feb
• Adobe - http://blogs.adobe.com/psirt
• GHOST - http://www.openwall.com/lists/oss-security/2015/01/27/9
• Sucuri - http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-
released.html
• VERACODE - https://www.sans.org/webcasts/99642?ref=174212
• Metasploit - https://github.com/rapid7/metasploit-
framework/blob/master/modules/auxiliary/scanner/http/wordpress_gh
ost_scanner.rb
• Juniper -
http://kb.juniper.net/InfoCenter/indexid=JSA10671&page=content

41. Resources 2
• Cisco –
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci
sco-sa-20150128-ghost
• McAfee-
https://kc.mcafee.com/corporate/index?page=content&id=SB10100
• NetApp -
https://kb.netapp.com/support/index?page=content&id=9010027
• F-Secure - https://www.f-secure.com/en/web/labs_global/fsc-2015-1
• Blue Coat - https://bto.bluecoat.com/security-advisory/sa90
• Riverbed -
https://supportkb.riverbed.com/support/index?page=content&id=S258
33

42. Thank You
Wolfgang Kandek
wkandek@qualys.com
http://laws.qualys.com