Category Archives: Survival tips

The most important questions to ask in a firewall rule assessment

25 June 2020

Regular firewall rule assessments are basic IT/OT security housekeeping. Security staff check every rule against well-known industry best practice: ANY-source or ANY-destination rules, ANY-port rules, bidirectional rules, use of insecure protocols such as FTP, Telnet or SMB, rules that are never hit, and so on.


Picture 1: Nervennahrung (comfort food) for firewall rule assessments

Compliance with industry best practice can be checked with a plain checklist, so this part of the assessment can be automated to a large extent. The nerve-racking work starts afterwards, when each finding is discussed with the users.
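As an added example, not part of the original post, here is the automatable part of such an assessment in Python. A constructed rule-base export in CSV form is parsed, and every rule is checked against the best-practice list above: ANY source or destination, ANY port, insecure protocols, bidirectional rules, and rules without hits. The export format, the column names and the 90-day hit counter are assumptions for the example; real firewall exports differ per vendor.

```python
import csv
import io
from dataclasses import dataclass

# Constructed rule-base export for the example. Real exports differ per vendor;
# the column names and the 90-day hit counter are assumptions.
RULE_EXPORT = """\
name,src,dst,proto,ports,direction,hits_90d
allow-web-out,10.0.0.0/8,ANY,tcp,80;443,out,128733
legacy-ftp,10.1.2.0/24,192.168.50.10,tcp,21,both,0
mgmt-any,ANY,10.9.9.9,tcp,ANY,in,4512
file-share,10.1.0.0/16,10.2.0.5,tcp,445,in,33291
old-telnet,10.1.2.7,10.2.0.9,tcp,23,in,0
"""

# Cleartext or legacy services that should not cross a firewall boundary.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 139: "NetBIOS", 445: "SMB"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    proto: str
    ports: tuple      # ("ANY",) or a tuple of port numbers
    direction: str    # "in", "out" or "both"
    hits_90d: int     # hit counter from the firewall logs (assumed field)


def parse_rules(export_text):
    """Parse the CSV export into Rule objects."""
    rules = []
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = row["ports"].strip()
        ports = ("ANY",) if raw.upper() == "ANY" else tuple(int(p) for p in raw.split(";"))
        rules.append(Rule(row["name"], row["src"], row["dst"], row["proto"],
                          ports, row["direction"], int(row["hits_90d"])))
    return rules


def check_rule(rule):
    """Return the best-practice findings for one rule; an empty list means it passes."""
    findings = []
    if "ANY" in (rule.src.upper(), rule.dst.upper()):
        findings.append("ANY source or destination")
    if rule.ports == ("ANY",):
        findings.append("ANY port")
    else:
        for port in rule.ports:
            if port in INSECURE_PORTS:
                findings.append(f"insecure protocol {INSECURE_PORTS[port]} ({rule.proto}/{port})")
    if rule.direction == "both":
        findings.append("bidirectional")
    if rule.hits_90d == 0:
        findings.append("no hits in 90 days (candidate for removal)")
    return findings


def audit(export_text):
    """Map every rule name to its findings, ready for the discussion with the rule owners."""
    return {rule.name: check_rule(rule) for rule in parse_rules(export_text)}


if __name__ == "__main__":
    for name, findings in audit(RULE_EXPORT).items():
        print(f"{name:14} {'OK' if not findings else '; '.join(findings)}")
```

The output is the list of findings per rule; the questions the post raises next (is the rule needed at all, is the direction right, are the ports right) start where this script stops.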

But, in general, security staff do not challenge the rule itself. Or its direction. Or the ports used.

These questions are asked after the rule has passed the best-practice checks. No automation is possible here: they require in-depth knowledge of the services accessed through the firewall, and they belong to the nerve-racking category. But it is worth asking them, because

The best firewall rule is the one that does not exist.

A rule that does not exist needs no attention during a security incident, no regular review and no discussion with users. Business owners should be interested in cleaning up the rule base because it saves costs and increases security.

More about this in the next post.


Picture credits

Picture 1: Vienna 2020. Own work

Australia Fights Sophisticated State-Backed Copy-Paste Attack with The Essential Eight!

20 June 2020

Reports on a wave of sophisticated state-sponsored cyber-attacks against Australian government agencies and critical infrastructure operators spread like wildfire through international media the day before yesterday.

From an IT security point of view, the initial access vector is really interesting. In Advisory 2020-008 (1), the Australian Cyber Security Centre (ACSC) states that the actor mainly leverages a remote code execution vulnerability in unpatched versions of Telerik UI, a deserialization vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability, and the 2019 Citrix vulnerability.

The name Copy-Paste for the attacks comes from the actor’s “capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.” (1)

The Essential Eight


In the advisory the ACSC recommends some really basic preventive measures like patching and multi-factor authentication. These are two controls of "The Essential Eight" (2). I like the name "The Essential Eight". It reminds me of the 1960 Western "The Magnificent Seven", reinforced by Chuck Norris 😉

The Essential Eight focus on very basic strategies to reduce the likelihood and the impact of an attack. Without them, UEBA, SIEM, threat intelligence, deep packet inspection, PAM, etc. make little sense.

Apart from multi-factor authentication, the controls of the Essential Eight are either part of the feature-rich Windows and Linux operating systems or already in place (the backup solution). So only some internal effort and leadership are required to dramatically increase resilience against cyber-attacks.

The Essential Eight are perfect weekend reading. Have fun.


References

  1. Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks | Cyber.gov.au [Internet]. [cited 2020 Jun 19]. Available from: https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
  2. Australian Cyber Security Center. Essential Eight Explained | Cyber.gov.au [Internet]. Australian Signals Directorate. 2020 [cited 2020 Jun 19]. Available from: https://www.cyber.gov.au/publications/essential-eight-explained

An endless stream of SMB vulnerabilities …

11 June 2020

SMBleed, SMBLost and SMBGhost/CoronaBlue are the vulnerabilities disclosed in Microsoft's SMB implementation this year.


Critical SMB Protocol Vulnerabilities

SMBleed/SMBGhost can be used to compromise a company network by attacking a system in the DMZ with TCP port 445 open to the internet. Fortunately, SMBleed and SMBGhost impact only the latest Windows 10 versions, and the number of Windows 10 systems directly accessible from the internet is still small.


Vulnerable Windows 10 1909 Pro Systems

Like EternalBlue, SMBLost impacts all Windows versions, but it is less critical because authentication (CVSS PR:L, low privileges required) is needed.

The good news is that patches were available at the time the vulnerabilities were published. But it takes some weeks to roll them out, and during this time companies remain vulnerable to attack.

Vulnerability management and priority patching are the standard approach to this kind of vulnerability. IT staff are kept busy and IT security solution and service providers do good business, but the company's resilience against cyber-attacks stays low. Companies can only hope that the next SMB vulnerability, too, is disclosed only after a patch is available.

From an entrepreneurial point of view the obvious solution is to remove such systems from the internet. A risk assessment is imperative to weigh the potential loss of sales against the cost of recovering from a cyber-attack. If the recovery costs exceed the potential loss of sales, the system should be removed. This slightly reduces IT costs and increases resilience against this kind of cyber-attack.

It is high time to evaluate IT and IT security solutions from an entrepreneurial point of view, in terms of loss of sales and loss of EBIT.

Have a great weekend.

New study shows: Vulnerabilities in popular open source projects doubled in 2019. No need to panic!

9 June 2020

Catalin Cimpanu's (1) post on the RiskSense study "The Dark Reality of Open Source" is well worth reading. Open source software is used everywhere. A critical vulnerability in an application that is based on open source software can lead to a data breach. But the same holds for commercial software, and we can expect the number of flaws in open source and commercial software to be roughly the same.

The main difference is that open source software is reviewed far more often than commercial software. So the results of the study are not really surprising.

In the case of Tomcat, 7 of the 72 published vulnerabilities were weaponized. A quick check against the latest Coverity scan results for Apache Tomcat (2) shows that the software has 987 defects, 290 of them not yet fixed.

High-impact defects are very valuable for attackers because their exploitation can result in a full loss of integrity. The number of high-impact defects in Tomcat not yet fixed is 171. So we can expect the number of vulnerabilities that can be weaponized to be high.

In the case of Puppet, none of the 72 published vulnerabilities were weaponized. The latest Coverity scan for Puppet (3) shows no high-impact defects. So this result is not surprising either.

What is the difference between Puppet and Tomcat? Puppet is written in PHP/Python/Ruby with a defect density of 0.20; the defect density is the number of defects per 1,000 lines of code. Tomcat is written in Java with a defect density of 1.19. Software reviews are therefore likely to detect more vulnerabilities in Tomcat than in Puppet.

This has a direct impact on your security strategy. If you use Tomcat as middleware in the DMZ, you should design your application to allow frequent patching, i.e. to be robust against changes in the middleware. In addition, automated testing is required to ensure operability when a patch must be installed. Finally, your operations team must be prepared to install patches within a few hours of release by the vendor.

Have you ever seen such details for commercial software? Like IIS?

Have a great week.


References

1. Cimpanu C. Vulnerabilities in popular open source projects doubled in 2019 [Internet]. ZDNet. 2020 [cited 2020 Jun 8]. Available from: https://www.zdnet.com/article/vulnerabilities-in-popular-open-source-projects-doubled-in-2019/

2. Synopsys. Coverity Scan – Static Analysis for Apache TomCat [Internet]. 2020 [cited 2020 Jun 9]. Available from: https://scan.coverity.com/projects/apache-tomcat

3. Synopsys. Coverity Scan – Static Analysis for Puppet [Internet]. [cited 2020 Jun 9]. Available from: https://scan.coverity.com/projects/puppetlabs-puppet

ComRAT V4 got an upgrade: On the value of Threat Intelligence

30 May 2020

Popular IT security media and threat intelligence services reported this week that the ComRAT v4 malware used by the Turla APT group got an upgrade (1)(2)(3).

The big question for all businesses is: Do we face an increased risk as a result of this upgrade? Do the existing security controls still mitigate the risk stemming from the ComRAT upgrade? Or do we have to upgrade our security controls as well?

Businesses in the focus of the Turla APT should answer this question as soon as possible. Detailed information about the feature upgrade as well as about the existing security controls is required to answer it. This is nothing new. "If you know the enemy and know yourself, you need not fear the result of a hundred battles," says Sun Tzu in "The Art of War", written around 500 BC.

Are you prepared to answer this question? Your investment in threat intelligence is uneconomic if you cannot evaluate the threat details in the context of your own environment.

What about ComRAT? The way command and control is performed changed. But the primary installation method has not changed: “ComRAT is typically installed via PowerStallion, a lightweight PowerShell backdoor used by Turla to install other backdoors.”(1)


PowerShell 5.0 Icon. Picture Credits (5)

So, if you have already implemented security controls that deal with malware using PowerShell, your risk does not change. Otherwise, the publication "Securing PowerShell in the Enterprise" (4) of the Australian Cyber Security Centre is a good starting point for a systematic approach to PowerShell security.

My advice: Disable PowerShell on all standard user computers. For administrative purposes, use hardened systems without email and internet access and implement constrained PowerShell endpoints.

Have a great Weekend.


References

  1. Lakshmanan R. New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data [Internet]. The Hacker News. 2020 [cited 2020 May 28]. Available from: https://thehackernews.com/2020/05/gmail-malware-hacker.html

  2. Robinson T. Turla’s ComRAT v4 uses Gmail web UI to receive commands, steal data [Internet]. SC Media. 2020 [cited 2020 May 30]. Available from: https://www.scmagazine.com/home/security-news/malware/turlas-comrat-v4-uses-gmail-web-ui-to-receive-commands-steal-data/

  3. Gatlan S. Russian cyberspies use Gmail to control updated ComRAT malware [Internet]. BleepingComputer. 2020 [cited 2020 May 30]. Available from: https://www.bleepingcomputer.com/news/security/russian-cyberspies-use-gmail-to-control-updated-comrat-malware/

  4. Australian Cyber Security Centre. Securing PowerShell in the Enterprise | Cyber.gov.au [Internet]. Australian Signals Directorate. 2019 [cited 2020 Mar 6]. Available from: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise

Picture credits

  1. PowerShell 5.0 Icon. Microsoft / Public domain. https://commons.wikimedia.org/wiki/File:PowerShell_5.0_icon.png

Windows malware Sarwent got an upgrade. Thou shalt not work with permanent administrative privileges!

23 May 2020

Catalin Cimpanu (1) reports in his post "Windows malware opens RDP ports on PCs for future remote access", published on ZDNet, that the Windows malware Sarwent got an upgrade: it is now capable of using the Windows command line and PowerShell, adding users, and opening ports in the Windows firewall for remote RDP access. Since the latter features require administrative privileges on the victim's machine, it is very likely that the victims were working with permanent administrative privileges.

To mitigate the risk, the best approach is to revoke all administrative privileges from standard users. This will not reduce the likelihood of an infection with Sarwent, but it will reduce the severity of its impact. Furthermore, since the attacker is then forced to download additional tools to fully compromise the victim's computer, the likelihood of detection increases.
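As an added example, not part of the original post or of the ZDNet article, here is detection logic in Python that runs over constructed process-creation events and flags the behaviours described above: creating a local user, granting it RDP access, opening the Windows firewall for RDP, and hidden PowerShell. The event layout (host, user, an "elevated" flag as a Sysmon or 4688 pipeline might derive it from the integrity level, and the command line) and the command-line patterns are assumptions for the example; they are the standard Windows tools for those actions, not indicators published for Sarwent. The point the post makes shows up in the result: on a host where the user has no administrative privileges the same commands fail, and the attempt is still a detection signal.

```python
import re

# Constructed process-creation events. The field layout (host, user, an
# 'elevated' flag derived from the process integrity level, command line)
# is an assumption for the example, not a real log format.
EVENTS = [
    {"host": "PC-0142", "user": r"CORP\j.doe", "elevated": True,
     "cmd": r"net user svc_rdp P@ss123! /add"},
    {"host": "PC-0142", "user": r"CORP\j.doe", "elevated": True,
     "cmd": r'net localgroup "Remote Desktop Users" svc_rdp /add'},
    {"host": "PC-0142", "user": r"CORP\j.doe", "elevated": True,
     "cmd": r'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "PC-0142", "user": r"CORP\j.doe", "elevated": True,
     "cmd": r"powershell.exe -WindowStyle Hidden -NoProfile -File C:\Users\Public\update.ps1"},
    {"host": "PC-0317", "user": r"CORP\a.smith", "elevated": False,
     "cmd": r'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "PC-0317", "user": r"CORP\a.smith", "elevated": False,
     "cmd": r"notepad.exe C:\Users\a.smith\notes.txt"},
]

# Command-line patterns for the behaviours described in the post. These are the
# standard Windows tools for those actions (assumed), not published Sarwent indicators.
RULES = [
    ("user-account-created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    ("rdp-group-membership",
     re.compile(r'\bnet1?(?:\.exe)?\s+localgroup\s+"?Remote Desktop Users"?\s+\S+\s+/add\b', re.I)),
    ("firewall-opened-for-rdp",
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b.*\blocalport=3389\b", re.I)),
    ("hidden-powershell",
     re.compile(r"\bpowershell(?:\.exe)?\b.*-w(?:indowstyle)?\s+hidden\b", re.I)),
]


def classify(event):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmd"])]


def analyse(events):
    """Correlate matches per host. Returns {host: {"severity", "tags", "users", "elevated"}}."""
    per_host = {}
    for event in events:
        tags = classify(event)
        if not tags:
            continue
        rec = per_host.setdefault(event["host"], {"tags": set(), "users": set(), "elevated": False})
        rec["tags"].update(tags)
        rec["users"].add(event["user"])
        rec["elevated"] = rec["elevated"] or event["elevated"]

    for rec in per_host.values():
        backdoor = {"user-account-created", "firewall-opened-for-rdp"} <= rec["tags"]
        if rec["elevated"] and backdoor:
            # Both steps ran from an elevated context: persistent RDP access is likely in place.
            rec["severity"] = "high"
        elif rec["elevated"]:
            rec["severity"] = "medium"
        else:
            # Without administrative privileges these commands fail, but the
            # attempt itself shows that something on the host is trying.
            rec["severity"] = "low"
    return per_host


if __name__ == "__main__":
    for host, rec in analyse(EVENTS).items():
        print(f"{host}: {rec['severity']:6} {sorted(rec['tags'])} by {sorted(rec['users'])}")
```

The correlation step is what makes the difference: a single `net user /add` from a help desk account is noise, while account creation plus a new inbound rule for port 3389 from an elevated context on the same host is the pattern the article describes.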

Revoking administrative privileges from standard users is a low-cost, high-impact measure to enhance resilience against cyber-attacks, and should therefore be part of every security strategy.

But it is hard to implement. Managers will face lots of discussions when users have to give up beloved habits. It is very important to keep the number of exceptions as small as possible, because every exception lowers the overall security level of the company.

Have a great weekend.


  1. Cimpanu C. Windows malware opens RDP ports on PCs for future remote access [Internet]. ZDNet. 2020 [cited 2020 May 22]. Available from: https://www.zdnet.com/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/

Thunderspy – Don‘t panic!

19 May 2020

Björn Ruytenberg's (1) publication on seven vulnerabilities in Intel's Thunderbolt interface justifiably attracts a lot of media attention. Ruytenberg writes in the summary:

“Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.”

In Nazmus Sakib's (2) post in the Microsoft Security Blog this sounds more dramatic:

“An attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.”

For the record: full disk encryption (FDE) like BitLocker or LUKS only protects against theft if the computer is shut down or hibernated. In these states the system asks for the passphrase to decrypt the device at the next start. Once the computer is booted or in sleep mode, the encryption key is held in memory, and full disk encryption no longer protects the data.

This also holds for Thunderspy. The facts in brief: Thunderspy is a classic "evil maid" DMA attack. The attacker needs physical access to flash the Thunderbolt controller firmware with malicious code, and then waits for the victim to boot the computer. Once the running computer is left unattended, the attacker plugs in a specially crafted Thunderbolt device and copies data from the disk.

This is nothing new. The bad news is that all Thunderbolt-equipped computers built between 2011 and 2020 are affected, and that the vulnerabilities cannot be fixed in software; a hardware redesign is required.

So, everyone with a Thunderbolt-equipped computer should be concerned? No, absolutely not.

Risk for Consumers
The risk for consumers is unchanged because, in general, these devices are not secured, neither with a BIOS password nor with FDE, and are therefore easy to compromise, e.g. with a Linux live system, if left unattended.

Risk for Business people
The risk for business people is slightly increased. Business computers are generally secured with FDE, so the attacker must wait until the booted computer is left unattended to plug in the malicious device. Mitigation in this case requires a change of habits: put the computer into hibernation instead of sleep mode when you leave your workplace. The other important rule, "Don't attach unknown devices to your computer", is already followed in the business domain.

Risk for Executives
The risk for business executives, military, government officials, etc. is unchanged. This group is always under attack, thus hopefully well protected.


Picture credit: Setreset (1)

Dan Goodin (3) sums it up:

“Readers who are left wondering how big a threat Thunderspy poses should remember that the high bar of this attack makes it highly unlikely it will ever be actively used in real-world settings, except, perhaps, for the highest-value targets coveted by secretive spy agencies. Whichever camp has a better case, nothing will change that reality.”

Don’t panic!


References

  1. Ruytenberg B. Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security [Internet]. Thunderspy. 2020 [cited 2020 May 18]. Available from: https://thunderspy.io/
  2. Sakib N. Secured-core PCs help customers stay ahead of advanced data theft [Internet]. Microsoft Security Blog. 2020 [cited 2020 May 18]. Available from: https://www.microsoft.com/security/blog/2020/05/13/secured-core-pcs-help-customers-stay-ahead-of-advanced-data-theft/
  3. Goodin D. Thunderspy: What it is, why it’s not scary, and what to do about it [Internet]. Ars Technica. 2020 [cited 2020 May 13]. Available from: https://arstechnica.com/information-technology/2020/05/thunderspy-what-is-is-why-its-not-scary-and-what-to-do-about-it/

Picture credit

  1. Setreset / CC BY-SA (https://creativecommons.org/licenses/by-sa/3.0), https://commons.wikimedia.org/wiki/File:Spy_silhouette.svg

Have you patched these top 10 routinely exploited vulnerabilities?

16 May 2020

On Tuesday, CISA published alert AA20-133A, "Top 10 Routinely Exploited Vulnerabilities" (1). A day later, Zeljka Zorz raised the absolutely legitimate question "Have you patched these top 10 routinely exploited vulnerabilities?" (2) on Help Net Security.

A query against the NIST NVD and the Exploit-DB shows a gloomy picture:


Top 10 Exploited Vulnerabilities

For the vulnerabilities highlighted in red, the exploit was available on the day the CVE was published in the NVD. For the vulnerabilities highlighted in green, the exploit was published shortly after the CVE. So, the question should be:

How fast did you patch these top 10 routinely exploited vulnerabilities?

These are telling examples and they are not isolated:


Exploit Publication Date relative to CVE Publication Date

The data from 2013 – 2019 for critical vulnerabilities show:

  • 41% of exploits were published before or on the same day the CVE was published, and
  • 43% of exploits were published between 10 days before and 10 days after the CVE.
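As an added example that is not part of the original post, here is the computation behind such a chart in Python. The records are constructed (identifiers V01 to V10 with invented dates), not the NVD and Exploit-DB data behind the figures above. The functions bucket the exploit publication date relative to the CVE publication date, compute the share inside a window such as the ±10 days used above, and, for a given patch date, compute how many days a system stayed exposed after the exploit was public.

```python
from datetime import date

# Constructed records: (identifier, CVE publication date, exploit publication date).
# Identifiers and dates are invented for the example; they are not NVD or Exploit-DB data.
SAMPLE = [
    ("V01", date(2019, 1, 8), date(2019, 1, 5)),    # exploit 3 days before the CVE
    ("V02", date(2019, 2, 12), date(2019, 2, 12)),  # same day
    ("V03", date(2019, 3, 5), date(2019, 3, 9)),
    ("V04", date(2019, 4, 9), date(2019, 3, 30)),   # exploit 10 days before the CVE
    ("V05", date(2019, 5, 14), date(2019, 6, 20)),
    ("V06", date(2019, 6, 11), date(2019, 6, 20)),
    ("V07", date(2019, 7, 9), date(2019, 7, 29)),
    ("V08", date(2019, 8, 13), date(2019, 8, 13)),  # same day
    ("V09", date(2019, 9, 10), date(2019, 9, 25)),
    ("V10", date(2019, 10, 8), date(2019, 10, 1)),  # exploit 7 days before the CVE
]

# Constructed patch dates for three of the records, as an operations team might record them.
PATCHED_ON = {"V01": date(2019, 1, 20), "V03": date(2019, 3, 6), "V05": date(2019, 7, 1)}

BUCKETS = ("before or same day", "1-10 days after", "11-30 days after", "more than 30 days after")


def delta_days(cve_published, exploit_published):
    """Exploit publication relative to CVE publication; negative means the exploit came first."""
    return (exploit_published - cve_published).days


def bucket(delta):
    """Assign a day delta to one of the chart's bins."""
    if delta <= 0:
        return BUCKETS[0]
    if delta <= 10:
        return BUCKETS[1]
    if delta <= 30:
        return BUCKETS[2]
    return BUCKETS[3]


def distribution(records):
    """Percentage of records per bucket (every bucket present, 0.0 where empty)."""
    counts = dict.fromkeys(BUCKETS, 0)
    for _, cve_pub, exploit_pub in records:
        counts[bucket(delta_days(cve_pub, exploit_pub))] += 1
    return {name: round(100 * n / len(records), 1) for name, n in counts.items()}


def share_within(records, days_before=10, days_after=10):
    """Percentage of exploits published within [-days_before, +days_after] of the CVE."""
    hits = sum(1 for _, c, e in records if -days_before <= delta_days(c, e) <= days_after)
    return round(100 * hits / len(records), 1)


def exposure_report(records, patched_on):
    """Days each patched system stayed exposed after the exploit was public (0 if patched first)."""
    report = {}
    for ident, _, exploit_pub in records:
        if ident in patched_on:
            report[ident] = max(0, (patched_on[ident] - exploit_pub).days)
    return report


if __name__ == "__main__":
    for name, pct in distribution(SAMPLE).items():
        print(f"{name:24} {pct:5.1f}%")
    print(f"within +/-10 days: {share_within(SAMPLE)}%")
    print("exposure after exploit release:", exposure_report(SAMPLE, PATCHED_ON))
```

The exposure report is the number the question "How fast did you patch?" is really asking for: for V03 the patch landed before the exploit was public, for V05 the system was exposed for 11 days after a working exploit was available.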

Time is crucial in cyber-space operations. In high-risk domains, critical vulnerabilities should be patched no later than 24 hours after the patch is available. If a vendor cannot provide a patch in time, mitigating measures must be applied; in the worst case, systems must be removed from the internet.

Remember the Equifax case (CVE-2017-5638) from 2017.

Have a good weekend.


References

  1. CISA. Top 10 Routinely Exploited Vulnerabilities [Internet]. National Cyber Awareness System. 2020 [cited 2020 May 16]. Available from: https://www.us-cert.gov/ncas/alerts/aa20-133a

  2. Zorz Z. Have you patched these top 10 routinely exploited vulnerabilities? [Internet]. Help Net Security. 2020 [cited 2020 May 14]. Available from: https://www.helpnetsecurity.com/2020/05/13/routinely-exploited-vulnerabilities/

ZDF: Authority sounds the alarm – security vulnerabilities in Apple's Mail app. Reason to panic?

26 April 2020

Vulnerabilities in apps must be serious when ZDF (1) and DLF (2) report on them. Such reports are usually based on warnings from the BSI (the German Federal Office for Information Security) and are to be taken seriously accordingly. That is the case here too. In a press release (3) of 23 April 2020 the BSI warned against using the iOS app "Mail".

The BSI bases its warning on research by the cyber-security start-up ZecOps, published on 20 April 2020 under the title "You've Got (0-click) Mail!" on the ZecOps blog (4).

The BSI rates the vulnerabilities as "particularly critical" and recommends "deleting the 'Mail' app or switching off synchronisation" (3) as long as no patch is available.

The NIST NVD vulnerability database does not yet contain details on the two vulnerabilities published by ZecOps. The ZecOps report is therefore the only source for assessing the BSI warning.

What type of vulnerabilities are these?

ZecOps discovered an "out-of-bounds write" and a "remote heap overflow" vulnerability in the iOS Mail app. Buffer overflow vulnerabilities of this kind are the basis of so-called remote code execution vulnerabilities, which are usually rated "critical" because they make it easier to inject foreign code into a program. The program then no longer executes the intended instructions but those the attacker dictates. So far, the BSI's assessment is correct.

Who is in the attackers' focus?

ZecOps makes a very interesting statement at the beginning of the report:

“Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).”

ZecOps surmises with high confidence that the vulnerabilities are being exploited on a large scale in targeted attacks, namely by state or state-funded cyber actors. Oddly, the reference to the "advanced threat operator(s)" (APTs) is not set in bold; that way the re-blogs and re-tweets are guaranteed.

APTs focus on board members of large corporations and operators of critical infrastructures, senior members of government organisations, critical journalists, and so on. The ordinary iPhone or iPad user is rather not in focus, and if at all, then as collateral damage.

What is the impact of a successful attack?

ZecOps writes in the Q&A section:

“Q: What does the vulnerability allow?

A: The vulnerability allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails.”

After a successful attack the attacker can therefore read, delete, copy and modify emails; sending emails in the user's name is not described. Confidentiality and integrity of the information are thus at least partially lost.

Is the attack easy to carry out?

In the Q&A section ZecOps makes a very remarkable statement:

“Q: Does the vulnerability require additional information to succeed?

A: Yes, an attacker would need to leak an address from the memory in order to bypass ASLR. We did not focus on this vulnerability in our research.”

For the attacker's code to land at the right place in the address space, an additional vulnerability (an information leak) is needed. ASLR (Address Space Layout Randomization) is a protection built into all modern operating systems that places a program's code and data at randomised addresses, to make injecting and running malicious code harder. If the malicious code is injected at the wrong place in memory, the program protected by ASLR crashes. More on this from Paul Ducklin in the Sophos blog (6).

As a rule, only APTs have the financial means to prepare and execute such attacks in a way that prevents the early discovery of the attacker and of the vulnerability.

Can the device be taken over completely?

In the Q&A section ZecOps says the following:

“Q: Why are you disclosing these bugs before a full patch is available?

Answer: It’s important to understand the following:

These bugs alone cannot cause harm to iOS users – since the attackers would require an additional infoleak bug & a kernel bug afterwards for full control over the targeted device.”

A complete takeover of the device therefore requires a further vulnerability in the operating system kernel. This can only be a vulnerability that has not yet been published (a zero-day), since the known ones are patched.

A cyber weapon that relies on an unpublished vulnerability can effectively be used only until it is discovered. After that the vulnerability is known and is patched within a short time; the weapon becomes ineffective. This raises the question of which APT would sacrifice a valuable cyber weapon to spy on ordinary iPad or iPhone users. More on this in Thomas Reed's analysis (5) in the Malwarebytes Labs blog.

Conclusion: No reason to panic!

In my view the BSI warning and the media attention are out of all proportion to the danger posed by the vulnerability. Or, with Shakespeare: Much Ado About Nothing.

People in the focus of state or state-funded cyber actors should deactivate email synchronisation until the vulnerability is patched. Where deactivating synchronisation is not possible for organisational reasons, the mail gateway operators can strip attachments or block oversized emails for these user groups.

For all other users: install the patches as soon as they are available.


References

  1. zdf heute. Behörde schlägt Alarm: Sicherheitslücken in Mail-App [Internet]. zdf heute. 2020 [cited 2020 Apr 24]. Available from: https://www.zdf.de/uri/cdb2ab06-ab06-4416-8a38-2a417e176cc1

  2. Römermann S. BSI warnt vor iOS – Schwachstellen bei Apple Mail-Programm [Internet]. Deutschlandfunk. 2020 [cited 2020 Apr 25]. Available from: https://www.deutschlandfunk.de/bsi-warnt-vor-ios-schwachstellen-bei-apple-mail-programm.766.de.html?dram:article_id=475410

  3. Bundesamt für Sicherheit in der Informationstechnik. BSI – Presseinformationen des BSI – BSI warnt vor Einsatz von iOS-App „Mail“ [Internet]. BSI Presse. 2020 [cited 2020 Apr 25]. Available from: https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/Warnung_iOS-Mail_230420.html

  4. zecOps. You’ve Got (0-click) Mail! [Internet]. ZecOps Blog. 2020 [cited 2020 Apr 24]. Available from: https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/

  5. Reed T. iOS Mail bug allows remote zero-click attacks [Internet]. Malwarebytes Labs. 2020 [cited 2020 Apr 24]. Available from: https://blog.malwarebytes.com/mac/2020/04/ios-mail-bug-allows-remote-zero-click-attacks/

  6. Ducklin P. iPhone zero day – don’t panic! Here’s what you need to know – Naked Security [Internet]. naked security by Sophos. 2020 [cited 2020 Apr 24]. Available from: https://nakedsecurity.sophos.com/2020/04/23/iphone-zero-day-dont-panic-heres-what-you-need-to-know/

Two unpatched remote code execution flaws in Adobe Type Manager Library affect all Windows Versions. Keep the mitigations forever!

29 March 2020

Mohit Kumar's post (1), published last Monday on The Hacker News, should alarm all users who have not yet migrated to Windows 10.

The good news is that this vulnerability requires user interaction. Microsoft states in security advisory ADV200006 (2) that “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.” As always, user awareness training is crucial.

In addition, the impact on Windows 10 users is limited because the malicious code runs in an AppContainer sandbox with limited privileges and capabilities, which is destroyed once the preview is closed.

The bad news is that Microsoft is aware of attacks that leverage this vulnerability (it is exploited in the wild), and a patch is not yet available.

In the meantime, Microsoft provides important mitigations in ADV200006. These mitigations must stay in place permanently on all pre-Windows 10 systems without Extended Security Update (ESU) support, because those systems will never receive the patch.

The most interesting mitigation is to “Disable the Preview Pane and Details Pane in Windows Explorer”. I always disable preview features in Explorer and Outlook. Simply put, a preview requires that the document is parsed and rendered by the same code that opens it, so the preview can also trigger embedded malicious code without the user ever clicking on the file.

My advice for all critical infrastructure operators is:

  • Deactivate all preview features in the Windows OS and in all applications.
  • Deactivate any kind of macros and scripting without notification.
  • Deactivate all trusted locations in all applications.
  • And, of course, users must not be able to reverse these settings.

With this, the security baseline is raised at moderate effort.

Have a great week.


1. Kumar M. Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions [Internet]. The Hacker News. 2020 [cited 2020 Mar 29]. Available from: https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html

2. MSRC. ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability [Internet]. Microsoft Security Response Center. 2020 [cited 2020 Mar 29]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006