2. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
3. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
4. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit
5. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit
• January 22 – APSB14-02 for CVE-2015-0310 (no typo)
• Under attack in the wild (0-day)
• Mentions CVE-2015-0311 (sort of)
• Credits 3 Researchers, including @Kafeine
6. February Patches
• Adobe Flash under direct Attack in January/February
• Normal = 1 update per month. Current = 4
• January 13 – APSB14-01 – 9 critical vulnerabilities
• January 21 - @Kafeine detects 0-day CVE-2015-0311
• Angler Exploit Kit
• January 22 – APSB14-02 for CVE-2015-0310 (no typo)
• Under attack in the wild (0-day)
• Mentions CVE-2015-0311 (sort of)
• Credits 3 Researchers, including @Kafeine
• January 27 – APSB14-03 for CVE-2015-0311/12
• Credits 3 different Researchers, including @Kafeine
7. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313
8. February Patches - 3
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313
9. February Patches - 3
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day – CVE-2015-0313
10. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313
11. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313
• All versions of Windows attacked under IE and Firefox
12. February Patches - 2
• Flash Attack continues in February
• February 2 - Trend Micro detects 0-day
• February 5 – APSB14-04 – 18 critical vulnerabilities
• Including 0-day CVE-2015-0313
• All versions of Windows attacked under IE and Firefox
• Flash under Google Chrome not attacked
• Malwarebytes Anti Exploit neutralizes CVE-2014-310
• EMET prevents CVE-2015-0311
• Trend Micro Browser Exploit Prevention: CVE-2015-0313
13. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
14. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
15. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)
16. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)
• Priority 3: MS15-010 – Windows
• 1 publicly disclosed - Google Project Zero 90 day limit
17. February Patches - 3
• Microsoft February, 10: 9 bulletins – MS15-009-MS15-017
• IE, Windows, Office – 4 x Remote Code Execution
• 5 x Important, Privilege Escalation, DoS, SFP
• Priority 1: MS15-009 – Internet Explorer
• 41 vulnerabilities – January Rollup
• 1 publicly disclosed – ZDI 120 day limit
• Priority 2: MS15-012 – Office (Excel/Word)
• Priority 3: MS15-010 – Windows
• 1 publicly disclosed - Google Project Zero 90 day limit
• Interesting: MS15-011 - GPO
18. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit
19. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
• GHOST = GetHOSTbyname (vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
• Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2-2.17 vulnerable in use in many distros
• RedHat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04
20. GHOST
• January 27 - Qualys disclosed CVE-2015-0235 in Linux/glibc
• January 13 (first contact), January 18 (CVE)
• Critical vulnerability, about 2 months to find and exploit
• GHOST similar to Heartbleed and Shellshock
• GHOST = GetHOSTbyname (vulnerable function)
• Newest glibc (2.18) not vulnerable, but not very common
• Ubuntu 14.04, Fedora 20/21, SUSE 12/13, Gentoo
• glibc 2.2-2.17 vulnerable in use in many distros
• RedHat 6/7 (CentOS 6/7), SUSE Enterprise, Ubuntu 12.04
• Verification program, source in the advisory
• Vulnerability scanner
21. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB
22. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB
• Mitigations
• Hostname can only be 255 characters long (RFC1123)
• Gethostname deprecated
23. GHOST - Exploitablity
• Buffer Overflow in gethostbyname()
• Hostname
• Needs to be digits and dots
• Longer than 1 KB
• Mitigations
• Hostname can only be 255 characters long (RFC1123)
• Gethostname deprecated
• Examples:
• ping, arping, mtr, mount.nfs – not vulnerable
• clockdiff, procmail, pppd, exim – vulnerable
• exim – (remote!) exploit POC exists
27. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
28. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
29. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
30. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt
31. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt
32. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt
• Sucuri – there is a problem in Wordpress/PHP - pingback
33. GHOST - Reality
• How exploitable is it really?
• Opinions vary
• Michael Zalewski – Yup, that is the real thing, nothing to add
• Robert Graham – Yes, but…
• Many – PR Stunt
• Sucuri – there is a problem in Wordpress/PHP – pingback
• Now a Metasploit check
• Veracode – there are problems in many enterprise apps
• 202 enterprise apps – 25% use gethostbyname
• 72% C/C++, 28% Java, .NET, PHP
• 64/32 bit are vulnerable – our exploit works against both 64
and 32 bit exim for example