Saturday, June 07, 2014

New significant issues - IE and OpenSSL

One Extremely Important Patch Tuesday!
This coming Patch Tuesday we'll have a patch (hopefully) for an IE bug that's been in the wild for about 6 months, depending on the source. It is a CDATA use-after-free flaw that can apparently be exploited via JavaScript, and it affects a broad swath of Windows systems. For once the details have been withheld, as near as I can tell, which is saying something. Usually someone leaks the info and you have a bunch of bad actors using the code. If it hasn't been leaked, it would be a super-human triumph over our natural instinct to put ourselves above the security of others. Kudos to the researcher who apparently hung on for a very long time to a massive exploit that could otherwise have been running Godzilla-like through the computer world. Even though Microsoft was slow to put out a patch, the researcher held out and did the right thing, in my opinion.

OpenSSL was cracked wide open again
If you believe that only poorly made products are vulnerable to security issues, or if you're one of those who believe that only open software is exploit-free, then you might want to rethink your position.

OpenSSL has been made much more "open" by a new CCS (ChangeCipherSpec) Injection bug (here). This allows an attacker to force an OpenSSL implementation of SSL/TLS to use weak key material, thereby potentially allowing a man-in-the-middle attacker to decrypt a session. But this is not the only issue... consider the DTLS recursion flaw, the DTLS invalid fragment vulnerability, the SSL_MODE_RELEASE_BUFFERS NULL pointer dereference, the SSL_MODE_RELEASE_BUFFERS session injection, and the anonymous ECDH denial of service. Basically you have a recipe for disaster if you're an APT soldier for hire.
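The CCS Injection bug works because a vulnerable OpenSSL accepts a ChangeCipherSpec record before the handshake has reached the key-exchange step, so the session keys get derived from weak material. That ordering is also the thing a defender can watch for. The following is an added example, not code from the original post or from the OpenSSL project: a small monitor that parses a merged, in-order stream of TLS records and flags any ChangeCipherSpec that arrives before a ClientKeyExchange. The record and handshake layouts follow RFC 5246; the two sample handshakes are constructed for this example, and the real-world caveat that records after CCS are encrypted is noted in the code.

```python
"""
Added example (not part of the original post): a minimal TLS record-order
monitor that flags the signature of the OpenSSL CCS Injection flaw, namely a
ChangeCipherSpec record that shows up before the handshake has reached
ClientKeyExchange. In a correct handshake each side sends CCS only after the
key exchange, so an early CCS is the ordering that lets weak keys be used.
Byte layouts follow the TLS 1.2 record format (RFC 5246); the sample records
below are constructed for this example.
"""
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
CONTENT_APPLICATION_DATA = 23

# Handshake message types (RFC 5246, section 7.4)
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_SERVER_HELLO_DONE = 14
HS_CLIENT_KEY_EXCHANGE = 16
HS_FINISHED = 20


def parse_records(data: bytes):
    """Split a byte stream into (content_type, version, payload) tuples."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        records.append((ctype, (major, minor), payload))
        pos += 5 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def handshake_types(payload: bytes):
    """Yield the handshake message types packed into one handshake record."""
    pos = 0
    while pos + 4 <= len(payload):
        msg_type = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        yield msg_type
        pos += 4 + length


def early_ccs_alerts(data: bytes):
    """Return alert strings for every CCS record seen before ClientKeyExchange.

    The stream is expected to hold both directions merged in wire order. In
    real traffic, handshake records after a CCS are encrypted and their types
    are not meaningful, but by then the only check that matters (CCS before
    ClientKeyExchange) has already been decided for that CCS.
    """
    alerts = []
    key_exchange_seen = False
    for idx, (ctype, _version, payload) in enumerate(parse_records(data)):
        if ctype == CONTENT_HANDSHAKE:
            if HS_CLIENT_KEY_EXCHANGE in handshake_types(payload):
                key_exchange_seen = True
        elif ctype == CONTENT_CHANGE_CIPHER_SPEC and not key_exchange_seen:
            alerts.append(f"record {idx}: ChangeCipherSpec before ClientKeyExchange")
    return alerts


# --- constructed sample traffic (not captured from a real session) -----------

def record(ctype: int, payload: bytes, version=(3, 3)) -> bytes:
    """Build one TLS record: type, version, 2-byte length, payload."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


def handshake(msg_type: int, body: bytes = b"") -> bytes:
    """Build one handshake message: type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Sample 1: a normal TLS 1.2 handshake, both directions merged in wire order.
NORMAL_HANDSHAKE = (
    record(CONTENT_HANDSHAKE, handshake(HS_CLIENT_HELLO, b"\x00" * 4))
    + record(CONTENT_HANDSHAKE, handshake(HS_SERVER_HELLO, b"\x00" * 4)
             + handshake(HS_CERTIFICATE, b"\x01")
             + handshake(HS_SERVER_HELLO_DONE))
    + record(CONTENT_HANDSHAKE, handshake(HS_CLIENT_KEY_EXCHANGE, b"\x02" * 8))
    + record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + record(CONTENT_HANDSHAKE, handshake(HS_FINISHED, b"\x03" * 12))
    + record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + record(CONTENT_HANDSHAKE, handshake(HS_FINISHED, b"\x03" * 12))
)

# Sample 2: a ChangeCipherSpec slipped in right after ServerHello, before any
# key exchange has taken place. This is the ordering the monitor should flag.
EARLY_CCS_HANDSHAKE = (
    record(CONTENT_HANDSHAKE, handshake(HS_CLIENT_HELLO, b"\x00" * 4))
    + record(CONTENT_HANDSHAKE, handshake(HS_SERVER_HELLO, b"\x00" * 4))
    + record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + record(CONTENT_HANDSHAKE, handshake(HS_CLIENT_KEY_EXCHANGE, b"\x02" * 8))
    + record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
)

if __name__ == "__main__":
    print("normal:", early_ccs_alerts(NORMAL_HANDSHAKE))
    print("early CCS:", early_ccs_alerts(EARLY_CCS_HANDSHAKE))
```

The check is deliberately narrow: it says nothing about whether a peer would accept the early CCS, only that the ordering on the wire is one a compliant handshake never produces, which is the right property for a network-side alert. Patching OpenSSL on both ends remains the fix; the monitor is for spotting the attempt.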

I believe that two forces are at work behind the sudden explosion of exploits against the underpinnings of our online world.
A) the Snowden revelations 
I know it may seem far-fetched, but the reasoning is thus: if you know that there is an organization with the ability to deconstruct and observe much of what we do online, you must also assume they have the means to do so. If you believe they have the means to do so, you begin to open your mind to the possibility that the encryption systems we rely on are more vulnerable than we originally thought. From there, it's logical to take a second look at these encryption systems. When we begin to find that there are significant flaws, we prove the supposition. Once we prove the supposition true, the cycle begins once more: we look deeper, find more issues, and so the cycle goes.

B) the Eye of Mordor principle
When the curiosity of the hacking world is focused on a fad or the exploit-du-jour, we see a phenomenon which I call the "Eye of Mordor". Essentially, the collective focus of the hacking world is the "Eye of Mordor". Once the Eye focuses on a single product or company, the bugs start to be ferreted out. A case in point was the focus of the Eye on Microsoft's operating system. Now that Linux is represented on more desktops, it begins to draw the Eye, just like when Frodo put the ring on.

What does that mean for the future?
I predict we'll see a lot more ground-breaking attacks on crypto and against the underpinnings of the systems that employ it. We'll see the world begin to get more serious about staying secure from everyone and everything else. No product will take off without strong encryption and bold marketing promises to keep data out of the hands of virtually everyone. Lastly, governments that like to skim data, in an effort to satisfy themselves that everyone is playing ball, will find other means of getting it... probably through new regulation.