This Week In Security: Microsoft Patches, Typosquatting Continues, And Code Signing For All

The pair of Outlook vulnerabilities we’ve been tracking have finally been patched, along with another handful of fixes this Patch Tuesday, a total of six being 0-day exploits. The third vulnerability was also a 0-day, discovered by the Google Threat Analysis Group. This one resulted in arbitrary code execution when a Windows client connected to a malicious server.

A pair of escalation of privilege flaws were fixed, one being yet another print spooler issue, and the other part of a key handling service. The final zero-day fixed was a mark-of-the-web bypass, that being the tag that gets added to file metadata to indicate it’s a download from the internet. If you deliver malware inside an ISO or marked read-only in a zip file, it doesn’t show the warning when executing.

Will Typosquat For Bitcoin

A trend that doesn’t show signs of slowing down is Typosquatting, the simple malware distribution strategy of uploading tainted packages using misspelled variations of legitimate package names. The latest such scheme, discovered by researchers at Phylum, delivered a crypto-stealer in Python packages. These packages were hosted on PyPi, under names like baeutifulsoup4 and cryptograpyh. The packages install a JavaScript file that runs in the background of the browser, and monitors for a cryptocurrency address on the clipboard. When detected, the intended address is swapped for an attacker-controlled address.

Old Flaws

Speaking of clipboards, Google’s Project Zero let us in on a story from 2020, where Samsung devices were getting exploited by an exploit chain that starts on the clipboard. Samsung built a custom clipboard service that supported image files on the clipboard. An oversight allowed any app on the device to request a handle to any file. This was used to drop a stage 2 binary. A second app, Samsung’s Text to Speech system, is hijacked by overwriting a settings file, causing the malicious binary to be launched instead of a valid speech engine. This step escalates privilege because the speech engine gets launched as a system_app SELinux context.

The second vulnerability was an information leak, where the kernel log is copied to a file readable by the system_app context. Triggering a warning in the GPU driver led to address information getting logged to this file. Leak that a few times, and you have cracked Kernel Address Space Layout Randomization, not to mention a pointer value used in the third vulnerability.

This last one is a use-after-free in the DECON driver, Display and Enhancement Controller, part of the graphics stack. DECON opens a file descriptor and shares it with userspace. Userspace can free the descriptor, and the driver continues to treat it as valid. In between freeing and access, many malicious copies of the file descriptor are sprayed into memory, with the hope that one such copy will occupy the freed address. This bogus descriptor allows the malware to make the jump into kernel space, and elevate its userspace component to run as the vold context, AKA Volume Daemon. Malware that makes it to this level is king of the Android castle.

This exploit chain was found in the wild, and fixed in March of 2021, but it’s still a nifty look into how exploitation is done. In this case, it’s believed to be from a commercial vendor — NSO Group or a similar outfit.

Code Signing

Let’s Encrypt is great. You control a domain, you can generate a free SSL certificate for encrypting and verification of that domain for HTTPS traffic. You may have asked yourself at some point, could you use Let’s Encrypt to sign binaries? That would be useful, but sadly not an option. So very welcome this week is the news that Sigstore is now generally available, and Trail Of Bits has the story.

The key here is that you can get your code signed by a short-lived certificate, attested to an OpenID identity. Examples of useful OpenID services are Github, Google, and Microsoft accounts. So you can get a signature, tied to your public identity, and not have to worry about certificate management at all. Keep an eye on Sigstore, as it looks to have a bright future, as the Let’s Encrypt of code signing.

Pixel Lock Bypass

There was a simple-yet-critical bug in Android’s lock screen, discovered by [David Schütz] in June, and weirdly sat on by Google for months before finally getting fixed in the November security update. The discovery happened by accident, due to a forgotten SIM PIN. Did you know your SIM card has a PIN that you can use to lock the card? And if you do forget it, the documentation with the SIM contains a PUK, a Personal Unblocking Key.

Boot your phone with PIN-protected SIM, fail three times to unlock the card, and it goes into locked mode, requiring the PUK to unlock it. That process is handled by an Android security screen, and successfully unlocking the SIM via a PUK triggered a .dismiss() function call. The problem is that multiple security screens can be active at once, including your lock screen, and the .dismiss() call gets processed by the top of the stack. The SIM card gets unlocked, which changes the stack of screens, and the unlock screen often lands at the top of that stack, popping the phone open.

Now do note, that this exploit does not decrypt a phone. It does not work from a cold boot. But a booted phone that has been authenticated once, and merely locked could be unlocked in this way. It’s likely that the Google engineer that triaged the bug couldn’t quite replicate the problem, so it didn’t get handled as quickly as it should have. After demonstrating the issue in person, the wheels of change began to move, and the fix finally shipped out, and [David] earned a very nice $70,000 bounty. This is an AOSP problem as well, so downstream projects like LineageOS are pulling the patch and working on shipping the fix as well.

Bits and Bytes

Twenty-five different Lenovo laptops unintentionally shipped with development drivers that allowed manipulation of NVRAM variables from within the OS. Or put more simply, you could turn off secure boot from within Windows. Updates for the affected models fixed the firmware to disable the manipulation of such settings after boot.

A collection of malicious apps on the Google Play store has managed a million downloads. These apps delay any malicious activity for a few days after install, but eventually start loading phishing sites in new Chrome tabs. The really worrying part is that these apps made it onto the Play Store, and didn’t get flagged in any of Google’s app scanning. It makes one wonder what else might be lurking.

And some positive news, Open Bug Bounty has passed the milestone of fixing a million vulnerabilities. This alternative bug bounty system is designed for smaller sites and organizations to attract security talent to find problems with their infrastructure. And it seems to be working, congrats on the milestone!