Thunderbolts go wild in Vegas

The DefCon and BlackHat conferences are running in Las Vegas this week – so plenty of freshly announced vulnerabilities and hacking news to go around.

First, let’s do a quick follow-up on the Android ‘StageFright’ bug that we wrote about last week. Whilst we’ve not yet seen any evidence of malicious MMS being sent in the wild, Google, Samsung and LG have, this week, set up a joint acting school for petrified mobiles everywhere. OK, so in reality they’ve made an equally surprising but somewhat more welcome commitment to issue not just a one-off patch for StageFright, but also ongoing monthly security updates, similar to Microsoft’s Patch Tuesday, but for Android. Good news, notwithstanding that it means enduring pointless cat video MMS messages again.

So, on to this week’s threats. Whilst we’d never stoop to calling Apple the new Microsoft, they’ve had a bit of a hard time of late, with two quite nasty security holes making the news.

First is an OS X 0-day, being actively exploited, that gives attackers the ability to quietly run with root privileges (i.e. without the normal password prompt) on OS X 10.10 if they can trick a user into running a seemingly benign file. Whilst not remotely exploitable, the ‘DYLD_PRINT_TO_FILE vulnerability’ is notable not because it’s being used in a sophisticated attack, but because it’s being used to push various types of persistent adware and junkware onto poor, unsuspecting Mac users. There’s no patch as yet, so be extra vigilant about what you download and skip anything that looks dodgy. The guy with the Dell laptop to your left will be able to offer advice here if you’re unsure what to look for.

The second Apple vulnerability is really just a proof-of-concept piece of research, but it’s worth a mention as it highlights an emerging threat vector that we can see causing enterprises some pain in the months and years to come. Called ‘Thunderstrike 2’, this exploit is, we think, the first to coin the name ‘firmworm’ – a piece of software which can silently overwrite the lowest-level software component there is on a modern machine – the UEFI BIOS – and then go on to infect other machines using Thunderbolt peripherals as the infection vector. Basically it can own your machine and persist even if you wipe the OS or replace the hard drive. Ouch.

Don’t lose any sleep over this right now, but it is the third time this year we’ve seen this kind of BIOS-level exploit go public (the Equation Group’s and Hacking Team’s tools being the other two). If you don’t already consider endpoint BIOS patching in your vulnerability management strategy, we’d strongly recommend you start considering it now, before it’s too late and this stuff gets packaged up into the ‘next-next-finish’ script kiddie malware exploit kit.

If you find keeping track of what needs to be patched harder than keeping track of the time in a Las Vegas casino, you’re not alone. Vulnerability management is just one of the many areas where ITC have considerable experience and expertise. If it’s something you want to talk to us about some more, then do get in touch via [email protected] or 02075173900.