Category Archives: News

‘Zombie’ Windows win32k bug reanimated by researcher

In a rare find, a researcher has unveiled dozens of related bugs in a core Windows API that could enable attackers to elevate their privileges in the operating system.

A year ago, Gil Dabah promised that he would find over 15 bugs related to the Windows win32k component:

This week, he released a report detailing 25 of them:

The bugs take advantage of a long-understood problem with win32k, which is the user interface kernel component in Windows. This software originally ran in user mode, which is where regular Windows applications run. User mode is a less privileged part of the system that can’t access system hardware directly. Instead, it has to send that request to the kernel, which is part of the core OS that handles low-level operating system functions.

Microsoft eventually moved win32k to the kernel, but because thousands of pieces of software rely on it, it must often reach back into user mode to do its job. That bridge between kernel and user mode is potentially dangerous if something operating in user mode figures out a way to compromise the kernel mode component. They could gain low-level access to the system.

A common mistake among developers in the past was to forget to lock a kernel-mode object in memory before win32k called back into user mode on that object’s behalf. The attacker could then destroy the calling object from user mode, so that when control returned to the kernel, the object was no longer there. This created a use-after-free (UAF) error in which the attacker could exploit the freed memory.

Microsoft fixed a lot of bugs in that class, but Dabah discovered a new and related class of bug. An attacker can link a kernel object (like a window) to a child object that it creates (say, a child window). The attacker, working in user mode, asks Windows to destroy the parent window that’s running in kernel mode. Windows can’t do that until the parent window has finished everything it was doing in kernel mode, so instead it marks the parent for destruction when it’s ready. This turns it into what Windows programmers sometimes call a zombie object.

The bug uses a concept called zombie reloading to make changes to the zombie object before Windows removes it. This causes a UAF error on the child window that it created.

Dabah found numerous bugs in this class, he explained in the report, adding that he exploited 11 of them with proof of concept code (now up to 13 on his GitHub site). He had kind words for Microsoft, though, which has already begun fixing some of the bugs:

He added that the company is working on a wide mitigation to cover all bugs in this class which is currently in the Windows Insider Preview. Microsoft has also been busy patching these bugs on a one-off basis, and you can see it acknowledge Dabah and link to several CVEs in its February 2020 acknowledgements section.

Let’s not underestimate what’s involved in fixing decades-old code on which thousands of programs rely. This kind of technical debt is daunting. Who’d want to be a Microsoft developer handling this code change?


Latest Naked Security podcast

Watch out for the new wave of COVID-19 scams, warns IRS

Fellow US taxpayers, are you eager to get your hands on the $1,200 bailout money you’ve been hearing about? … so eager you’re open to offers to help get it faster?

If you answered ‘Yes’, then please, take heed. Any offer to help you get your COVID-19 economic impact payment is coming from a scammer trying to get their hands on your personally identifying information (PII). That’s just one of a rash of coronavirus-themed tax fraud attacks the Internal Revenue Service (IRS) is seeing, it warned on Tuesday.

It’s tax season in the US: always prime time for criminals to get busy, be it phishing via email or robocalls or by grabbing checks out of unlocked mailboxes from people who aren’t getting refunds via direct deposit.

This year, the IRS is seeing the familiar, seasonal rise in tax-related attacks, but like every other genre of e-crime we’ve seen in recent weeks, it’s now coming with a COVID-19 twist.

These things scream “SCAM!”, the IRS warns:

  • When somebody’s emphasizing the words “Stimulus Check” or “Stimulus Payment.” The official term is economic impact payment.
  • When somebody asks you to sign over your economic impact payment check to them.
  • When somebody asks – be it by phone, email, text or social media – for verification of personal and/or banking information, saying that the information is needed to receive or speed up their economic impact payment.
  • When somebody says they can get a tax refund or economic impact payment faster by working on the taxpayer’s behalf. The IRS says that scam could be conducted by social media or even in person.
  • When a scammer sends a bogus check, perhaps in an odd amount, then tells the taxpayer to call a number or verify information online in order to cash it.

That’s not how the IRS rolls

Bona fide IRS agents wouldn’t do any of those things, IRS Commissioner Chuck Rettig said: that’s not how the agency communicates with taxpayers. So please, be wary of such attempts to rip off your tax refund or economic impact payment, he said:

We urge people to take extra care during this period. The IRS isn’t going to call you asking to verify or provide your financial information so you can get an economic impact payment or your refund faster.

That also applies to surprise emails that appear to be coming from the IRS. Remember, don’t open them or click on attachments or links. Go to IRS.gov for the most up-to-date information.

IRS Criminal Investigation Chief Don Fort said that it’s no surprise that criminals are exploiting the current state of uncertainty. The IRS Criminal Investigation Division is working hard to find these scammers and shut them down, he said, but in the meantime, we all have to remain vigilant:

While you are waiting to hear about your economic impact payment, criminals are working hard to trick you into getting their hands on it.

History has shown that criminals take every opportunity to perpetrate a fraud on unsuspecting victims, especially when a group of people is vulnerable or in a state of need.

Heads-up for those without direct deposit

Taxpayers who don’t have their refunds direct-deposited should beware of what the IRS and its Criminal Investigation Division say is a wave of new and evolving phishing schemes that target them in particular. The IRS is setting up a newly designed, secure portal on IRS.gov in mid-April so that people can provide their direct deposit information. If the IRS doesn’t have your direct deposit information, it will send a check to the address it has on file.

Don’t fall for it if somebody you don’t know offers to input your direct deposit or other banking information into the secure portal on your behalf. They’re likely trying to commit financial fraud.

Note: Retirees to get checks automatically

Not only are the elderly at higher risk of death if they get COVID-19. They’re also favorite targets of tax shysters, just as they are with tech-support scammers or other types of e-crooks.

Retirees, keep this in mind: you don’t have to do a thing to get your $1,200 economic impact payment. Nobody from the IRS will be reaching out to retirees – including recipients of Forms SSA-1099 and RRB-1099 – by phone, email, mail or in person asking for any kind of information to complete their economic impact payment, which is also sometimes referred to as rebates or stimulus payments.

The IRS is sending those $1,200 payments automatically to retirees. You don’t have to lift a finger to receive yours.

Report these tax-swindling carpetbaggers

Too often, we’re too embarrassed to speak up when we get swindled. Please don’t be: it’s not your fault. These crooks are experts at milking money out of us.

The IRS is asking those who receive unsolicited emails, text messages or social media attempts that appear to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), to please forward any information they have to phishing@irs.gov.

It’s also encouraging taxpayers not to egg on potential scammers, be they coming at you online or on the phone. Just get off the phone or the email and report the attempt. You can find out more about reporting suspected scams at the Report Phishing and Online Scams page on IRS.gov.

The agency is also asking us all to go to the original source to get the latest news on tax and economic impact payments. Namely, for official IRS information about the COVID-19 pandemic and economic impact payments, head to the Coronavirus Tax Relief page on IRS.gov. The IRS promises that the page is updated quickly as new information becomes available.

Finally, please check out our report about how to stay on top of coronavirus scams – on top of all the others, too. Stay safe, be well, and get your news from reliable sources instead of scammers!



Don’t get locked out of your own website – update this WordPress plugin now!

Researchers at Wordfence, a company that provides cybersecurity services for WordPress users, have warned of two security problems in a popular WordPress plugin called Rank Math.

That’s “math” as in “calculations relating to” and “rank” as in “search engine rating”, not “rank math” as in a real stinker of a calculus problem.

The creators of Rank Math, it seems, had neglected to put security checks on some of the remote commands that the plugin supports.

As a result, someone who hadn’t logged in could have triggered two related bugs.

In the first bug, a regular user could have promoted themselves to an administrator without logging in first.

That’s a sneaky sort of bug for a discontented user to have at their disposal because it means they could acquire admin privileges without leaving anything in the logs that tied the modification directly to them.

That might give them plausible deniability for how they “accidentally” found themselves in the Captain’s chair.

Also, this bug allows a privilege change in general, not just a privilege elevation in particular.

So an attacker without an existing account to promote could demote the site’s real administrator instead, potentially locking them out of their own website altogether.

The second bug was caused by the same programming omission, and related not to user privileges but to URL redirections.

Redirections are where a web server diverts you from one link to another, for example to send visitors from an old article to an updated one; to let you access a regular link via a shortened or easy-to-type link instead; or to move some content off one server onto another while keeping old links alive.

In other words, redirections are both usual and useful, and many web properties make use of them. (As far as we know, this feature is not activated by default in Rank Math, but we suspect that at least some users will have turned it on.)

Because of the redirect bug, an unauthenticated user, such as an attacker on the other side of the world, might be able to access and reconfigure Rank Math’s redirect database, thus causing existing web pages to divert visitors elsewhere, apparently even to a completely different website.

Simply put, a crook could as good as hack your site with bogus pages without actually modifying any of your content: your site could end up looking completely different to visitors, while the WordPress content management system still showed your stored articles untouched.

Alternatively, a crook could redirect some, many or all of your existing pages to URLs that don’t exist, thus presenting a very dishevelled look to your customers.

(One small silver lining, as Wordfence mentions in its analysis, is that crooks can’t redirect your home page, so even in the event of a determined attack, the main page on your site would stay live.)

Of course, you can imagine how attackers could combine these bugs: first mess up your content so that your site doesn’t obviously seem to have been hacked yet presents as unreliable, with key services inaccessible; then lock you out so you have big trouble repairing the damage.

How did the bugs arise?

When adding a remotely accessible feature to a WordPress plugin, the usual approach is to use a feature called REST, which is a lot easier to say and remember than what it stands for: representational state transfer.

Simply put, REST programming means you use a URL such as example.com/plugin/configure to access the functions you want, with the parameters you want to pass to the functions in the web requests you send.

The server uses the URL to identify the service you want, and the content of the request to tell it what you want to do.

Because the URL is typically accessible to anyone, even just by using a browser and working by hand, it’s important to make sure that REST functions – or endpoints, as they are known in the jargon – are protected by access controls to stop unauthenticated access to functions that reveal private data or permit changes to be made to the server.

In WordPress’s REST system, you can do this in your plugin code by adding what’s called a permission_callback to your REST endpoints that double-checks that only the right people are doing the right things.

Rank Math didn’t previously have permission checks on the affected REST endpoints, but they added them quickly, reacting very promptly to the WordFence report and putting out a patch within three days.
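To show what the missing check looks like in WordPress plugin code, here is an added illustration (not Rank Math’s own code, and not its patch): a hypothetical redirect endpoint registered once without a permission_callback and once with one. The example_plugin_* names, the example-plugin/v1 namespace and the option key are assumptions made for this example.

```php
<?php
// Added illustration, not Rank Math's code: a hypothetical plugin that exposes a
// redirect table over the WordPress REST API. The example_plugin_* names, the
// 'example-plugin/v1' namespace and the option key are made up for this example.

// BEFORE: the endpoint is registered with no permission_callback at all, so anyone
// who can reach /wp-json/example-plugin/v1/redirects, logged in or not, may call it.
// (Shown for comparison only; it is not hooked up below.)
function example_plugin_register_routes_unprotected() {
    register_rest_route( 'example-plugin/v1', '/redirects', array(
        'methods'  => WP_REST_Server::CREATABLE, // POST
        'callback' => 'example_plugin_update_redirects',
    ) );
}

// AFTER: the same endpoint with a permission_callback that runs before the handler
// and refuses every caller who cannot manage site options (i.e. non-administrators).
function example_plugin_register_routes() {
    register_rest_route( 'example-plugin/v1', '/redirects', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_plugin_update_redirects',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                // 401 for anonymous callers, 403 for logged-in users without the capability.
                return new WP_Error(
                    'rest_forbidden',
                    'Administrator privileges are required to change redirects.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        // Declare and sanitise the inputs so the handler only ever sees clean values.
        'args' => array(
            'source' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
            'target' => array( 'required' => true, 'sanitize_callback' => 'esc_url_raw' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_plugin_register_routes' );

// Handler: stores one redirect mapping in a plugin option. With the unprotected
// registration above, this code would run for unauthenticated requests too.
function example_plugin_update_redirects( WP_REST_Request $request ) {
    $redirects = get_option( 'example_plugin_redirects', array() );
    $redirects[ $request->get_param( 'source' ) ] = $request->get_param( 'target' );
    update_option( 'example_plugin_redirects', $redirects );
    return rest_ensure_response( array( 'count' => count( $redirects ) ) );
}
```

WordPress evaluates permission_callback before the handler runs, and since WordPress 5.5 it emits a _doing_it_wrong notice for any route registered without one, which makes omissions of this kind easier to catch during development.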

If you are a PHP coder and you want to see how Rank Math responded, you can download and compare the old and revised versions – it’s an interesting and informative thing to do.

The product ships as PHP source code, meaning that the crooks can look and learn from the patch itself, so you might as well do the same.

Below you can see some of the changes, highlighted automatically using a “diff” tool that detects and highlights changes between two versions of a file. (We used tkdiff; the colour green denotes lines added since last time.)

Example of code line added to enforce access control for the redirection feature.
The callback code added to enforce permission checks.

What to do?

If you use Rank Math, make sure you are patched – simple as that.

The version you want to fix these bugs is 1.0.41.0. (At the time of writing the version number is already 1.0.41.2 [2020-04-02T15:00Z], but anything before 1.0.41.0 still has these particular vulnerabilities.)



S2 Ep33: Ransomware on sale, dark web disaster, dead drops and pillow forts – Naked Security Podcast

This week we bring you the podcast from our makeshift home studios (pillow forts). We discuss Dharma ransomware, the tour guide who turned out to be a Chinese spy, and why thousands of dark web sites suddenly vanished.

Host Anna Brading is joined by Sophos experts Mark Stockley, Greg Iddon, Peter Mackenzie and me.

Listen now!


Phone carriers must authenticate calls to fight robocalls, says FCC

The US Federal Communications Commission (FCC) on Tuesday unanimously passed new rules that require wireless carriers to implement a technology framework – by June 2021 – to filter out robocalls.

This one’s been kicking around for years: it’s called STIR/SHAKEN.

Short for Secure Telephone Identity Revisited and Signature-Based Handling of Asserted Information Using ToKENs, STIR/SHAKEN is a pair of network protocols that use digital certificates to verify that the number on caller ID is the number that actually placed the call, as opposed to one of the many flavors of robocalling scammers who’ve been pestering us like growing swarms of gnats.

What it doesn’t do: block spoofed numbers. The protocols don’t identify bad actors. Rather, they enable carriers to authenticate calls, after which consumers will be able to tell if a number is likely to be a robocall.

The FCC says STIR/SHAKEN should help to protect consumers against malicious caller ID spoofing, often used in robocall scams to trick us into answering our phones so telemarketers and/or scammers can bleat at us. You know their spiels: home improvement and remodeling services, robots rattling off messages in fast Chinese, or “apply for coronavirus testing here” scams, among so, so many more.

According to the FCC, spam robocalls cost $3 billion in wasted time and money each year. That doesn’t even take into account the fraud part: the Commission estimates that scammers use robocalls to milk an annual $10 billion from Americans. We’re drowning in these calls, receiving up to 200 million every day.

In November 2018, FCC Chairman Ajit Pai demanded that the phone carriers adopt SHAKEN/STIR to help solve the problem.

In a SHAKEN/STIR interaction, the originating caller’s phone sends an authentication request along with their phone number to a STIR authentication service (which would typically be operated by their carrier). The authentication server checks that the caller has the right to use that number, and signs a digital token that’s sent to the recipient’s STIR verification service. That service checks the authentication service’s repository of digital certificates to ensure that the invitation is legit. If the certificate matches, the call goes through to the recipient. If not, the carrier can drop it.

The industry didn’t exactly embrace Pai’s request. In November 2018, Pai slammed carriers for dragging their feet on implementing SHAKEN/STIR.

The carriers had reservations about the protocols. Sprint, for one, told the FCC in October 2018 that the protocols will be helpful in fighting illegal robocalls, but it’s not a “complete solution.” Nor is it cheap.

Carriers have also complained that SHAKEN doesn’t tell them anything about the content of a call or whether it’s legal. Instead, all it does is authenticate the origination of the call path and the Caller ID information of individual calls.

Nor will it be useful without universal adoption, Sprint said, without which call authentication can’t be passed to the terminating carrier.

T-Mobile concurred, among other carriers.

Notwithstanding, in February 2019, Pai warned that if carriers didn’t step up, he’d introduce regulations to force them to block robocalls: regulations that he proposed last month (March 2020).

… Which brings us to Tuesday’s order

The order issued by the FCC on Tuesday requires all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by 30 June, 2021, a deadline that’s consistent with Congress’s direction in the recently enacted TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act. The TRACED Act was signed into law by the president in December 2019, just before the new year.

Also on Tuesday, the FCC said it was looking for more public comment on expanding STIR/SHAKEN to cover the intermediate voice service providers between the originating and terminating ones, and it extended the implementation deadline by one year for the small providers that will have a tough time paying for their implementations. It’s also looking for input on requirements that would promote caller ID authentication on voice networks that don’t rely on IP technology.


