Rubbish software security patches responsible for a quarter of zero-days last year • The Register
ENIGMA To limit the impact of zero-day vulnerabilities, Google security researcher Maddie Stone would like those developing software fixes to stop delivering shoddy patches.
In a presentation at USENIX's Enigma 2021 virtual conference on Tuesday, Stone offered an overview of the zero-day exploits detected in 2020. A zero-day, she explained for attendees outside the infosec community, refers to an exploit targeting a previously unidentified vulnerability.
Zero-day flaws are a problem because they may be exploited for long periods of time before they're detected and dealt with. There were 24 of them in 2020, four more than in 2019, Stone said.
"Looking at them all together as a group, the number that stuck out the most to me was that six out of the 24 zero-days exploited in 2020 are variants of previously disclosed vulnerabilities," she said. "On top of that, three out of the 24 vulnerabilities were incompletely patched, meaning that with just a few tweaks, you could have an exploit that still works even after the patch was applied."
Stone argues that pushing partial patches makes life too easy for attackers.
"We're not requiring attackers to come up with all new bug classes, to develop brand new exploitation, to look at code that has never been researched before," she said. "We're allowing the reuse of lots of different vulnerabilities that we previously knew about."
To illustrate her point, Stone reviewed several zero-day exploits from 2020, including repeated attacks on Microsoft's legacy JScript engine in Internet Explorer.
In January 2018, she explained, a security researcher reported multiple Internet Explorer vulnerabilities to Microsoft. By December 2018, after exploitation of one of these was spotted in the wild, she said, Microsoft issued a fix for CVE-2018-8653. Another zero-day followed in September 2019, requiring further repairs to address CVE-2019-1367.
Illustration of a phone with a comedy bomb inside
Apple emits emergency iOS security updates while warning holes may have been exploited in wild by hackers
READ MORE
There was another zero-day in November 2019, resulting in CVE-2019-1429. And then another one in January 2020, with CVE-2020-0674. Finally, the bug appears to have been dealt with in April 2020, with the patch for CVE-2020-0968.
Stone said the same attacker, according to Google's threat analysis research, exploited all four of these vulnerabilities. "That attacker had four different chances to use these security vulnerabilities to exploit users," she said.
Looking in detail at the vulnerable code, Stone showed how closely related the vulnerabilities were. The common issue for these bugs, she explained, is that a JScript object is not tracked by the garbage collector and that failing to properly dispose of those objects leads to a use after free vulnerability. And that could be achieved by various similar bits of code.
Stone recounted another zero-day that exploited a type confusion bug in Google's V8 JavaScript engine. The exploit was possible because Google's code failed to handle a NaN (not a number) result from the addition of JavaScript values Negative Infinity and Positive Infinity when iterating over a list of integers.
In this instance, a report by security researchers led to CVE-2019-13764 and a patch. In February 2020, Sergei Glazunov, a Project Zero researcher, found that there was a zero-day exploiting CVE-2019-13764 despite the patch. So he analyzed the patch and found it was incomplete – it addressed one way of exploiting the bug but not another. So that led to CVE-2020-6883 and another patch. But that patch caused other problems, so an updated patch was issued.
Stone argues we need to make zero-days harder by not allowing attackers to use prior disclosures to craft their malware.
"We need correct and comprehensive patches for all vulnerabilities from our vendors," she said. "We can't be leaving things open once they're known about."
Stone also challenged security researchers to help by analyzing bugs and performing variant analysis so vulnerabilities can be reported thoroughly and comprehensively. And she urged end users to demand better patches from vendors.
"If we adopt this behavior for every single vulnerability that is found or reported to us, then we can definitely make it harder for attackers to use zero-day exploits," she said
In a presentation at USENIX's Enigma 2021 virtual conference on Tuesday, Stone offered an overview of the zero-day exploits detected in 2020. A zero-day, she explained for attendees outside the infosec community, refers to an exploit targeting a previously unidentified vulnerability.
Zero-day flaws are a problem because they may be exploited for long periods of time before they're detected and dealt with. There were 24 of them in 2020, four more than in 2019, Stone said.
"Looking at them all together as a group, the number that stuck out the most to me was that six out of the 24 zero-days exploited in 2020 are variants of previously disclosed vulnerabilities," she said. "On top of that, three out of the 24 vulnerabilities were incompletely patched, meaning that with just a few tweaks, you could have an exploit that still works even after the patch was applied."
Stone argues that pushing partial patches makes life too easy for attackers.
"We're not requiring attackers to come up with all new bug classes, to develop brand new exploitation, to look at code that has never been researched before," she said. "We're allowing the reuse of lots of different vulnerabilities that we previously knew about."
To illustrate her point, Stone reviewed several zero-day exploits from 2020, including repeated attacks on Microsoft's legacy JScript engine in Internet Explorer.
In January 2018, she explained, a security researcher reported multiple Internet Explorer vulnerabilities to Microsoft. By December 2018, after exploitation of one of these was spotted in the wild, she said, Microsoft issued a fix for CVE-2018-8653. Another zero-day followed in September 2019, requiring further repairs to address CVE-2019-1367.
Illustration of a phone with a comedy bomb inside
Apple emits emergency iOS security updates while warning holes may have been exploited in wild by hackers
READ MORE
There was another zero-day in November 2019, resulting in CVE-2019-1429. And then another one in January 2020, with CVE-2020-0674. Finally, the bug appears to have been dealt with in April 2020, with the patch for CVE-2020-0968.
Stone said the same attacker, according to Google's threat analysis research, exploited all four of these vulnerabilities. "That attacker had four different chances to use these security vulnerabilities to exploit users," she said.
Looking in detail at the vulnerable code, Stone showed how closely related the vulnerabilities were. The common issue for these bugs, she explained, is that a JScript object is not tracked by the garbage collector and that failing to properly dispose of those objects leads to a use after free vulnerability. And that could be achieved by various similar bits of code.
Stone recounted another zero-day that exploited a type confusion bug in Google's V8 JavaScript engine. The exploit was possible because Google's code failed to handle a NaN (not a number) result from the addition of JavaScript values Negative Infinity and Positive Infinity when iterating over a list of integers.
In this instance, a report by security researchers led to CVE-2019-13764 and a patch. In February 2020, Sergei Glazunov, a Project Zero researcher, found that there was a zero-day exploiting CVE-2019-13764 despite the patch. So he analyzed the patch and found it was incomplete – it addressed one way of exploiting the bug but not another. So that led to CVE-2020-6883 and another patch. But that patch caused other problems, so an updated patch was issued.
Stone argues we need to make zero-days harder by not allowing attackers to use prior disclosures to craft their malware.
"We need correct and comprehensive patches for all vulnerabilities from our vendors," she said. "We can't be leaving things open once they're known about."
Stone also challenged security researchers to help by analyzing bugs and performing variant analysis so vulnerabilities can be reported thoroughly and comprehensively. And she urged end users to demand better patches from vendors.
"If we adopt this behavior for every single vulnerability that is found or reported to us, then we can definitely make it harder for attackers to use zero-day exploits," she said