Group Problemcy | TechSNAP 201

A 20 year old design flaw in Windows has just been patched & it requires some major re-working of the software. Attackers compromise a news site with IE and Flash zero-days, & why Facebook’s new ThreatExchange platform could be a great idea.

Plus a great batch of feedback, our answers & much much more!

— Show Notes: —

Critical Microsoft Vulnerabilities

  • “In this month’s Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software.”
  • The two higher priority fixes are MS15-011 (dubbed JASBUG) and MS15-014
  • What makes these vulnerabilities special is that they are not the usual problem with the “implementation” of a protocol or feature. They are actually a design flaw in Windows that required Microsoft to invent entirely new features to solve. These new features needed to be tested against all supported versions and configurations of Windows, and a process had to be developed and documented for deploying the new feature
  • Most corporate network security features in Windows are deployed via “Group Policies”
  • One of those group policies is SMB signing, which makes a client verify the identity of a remote server before trusting it
  • The MS15-014 bug allows an attacker to interfere with the application of the group policy, leaving the SMB signing feature off
  • Then when a user tries to run a trusted program from a network server, they instead connect to the malactor’s server and run a malicious program
  • MS15-011 is related, and is actually a catch-22
  • During the process where the windows client downloads the group policy from the domain controller, authentication is not enforced (as this is set via the group policy, which needs to be downloaded first)
  • As part of the group policy download, the client also runs a series of scripts from the domain controller (login.cmd, login.bat, etc)
  • This means a malactor could use a man-in-the-middle position to replace the group policy with one that reduces the security of the machine, and cause the user’s system to run any commands they want
  • To solve this issue, Microsoft has introduced a new feature to require “Mutual Authentication”
  • This feature is enabled by… you guessed it, Group Policy
  • So clients must make one last insecure connection to the domain controller, at which point they will verify the identity of the domain controller before accepting any future group policy from anyone
  • It is unclear if fresh installs of Windows will be vulnerable the first time they connect to the domain
  • Microsoft is not patching Windows XP, Windows 2000, or Windows Server 2000 and 2003
  • MS15-011 was found by JAS Global Advisors which “found the bug while working on a project for ICANN looking into security issues surrounding the release of new generic Top Level Domains and Top Level Domains. The Group Policy issue was discovered during the research phase of this project, but is unrelated to new gTLDs or TLDs”
  • “It certainly doesn’t work universally and it depends on some funky misconfigurations and happenstance. But it works frequently enough to be of concern,” the JAS advisory said. “We will release the specifics of the other attack scenarios we’re aware of at some future point, but for now it’s important that folks patch and not become complacent because of a perceived on-LAN requirement. It’s not a strict requirement. Go patch.”
  • “Not only are Windows clients too trusting of the responses they get back from DNS, they can also be fairly easily tricked into downgrading to unauthenticated and unencrypted transit protocols (like WebDav over http)”
  • Microsoft rolled out a new feature to address the vulnerabilities called UNC Hardened Access, which ensures the right authentication and in-transit encryption is carried out.
  • “Instead of being subject to the OS “trying too hard” to make communication work, the UNC infrastructure within Windows now allows the higher layer resource requestor to specify whether Mutual Authentication, Integrity, and/or Privacy are required for the communication,” Schmidt said. “This is the right, general-purpose solution to this problem.”
  • “Schmidt said there is an outstanding issue that Microsoft has not addressed wherein Active Directory clients could leak DNS requests to the open Internet. The Internet’s DNS infrastructure, he said, will try to resolve those queries as it would any other and provide pointers to the right sources, rather than a result from the local AD controller for an enterprise domain, for example. He said during JAS’ research, more than 200,000 AD reached out to JAS via a series of customized DNS registrations”
  • Additional Coverage: Krebs on Security
  • Additional Coverage: Threat Post
  • Additional Coverage: Naked Security
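The UNC Hardened Access feature described above is switched on per UNC path, so a defender’s first check after deploying the MS15-011 update is whether the SYSVOL and NETLOGON shares (where group policy files and logon scripts come from) actually require mutual authentication and integrity on each client. The script below is an added example written for these notes, not code from the show or from Microsoft. It assumes, from my recollection of Microsoft’s MS15-011 guidance, that the setting lives under the HardenedPaths registry key named in the script and that each value is a comma-separated list such as `RequireMutualAuthentication=1, RequireIntegrity=1`; confirm both against the bulletin for your Windows version before relying on the result.

```powershell
# Audit UNC Hardened Access on a Windows domain client (added example, not from the show).
# Assumption: the registry key and value format below follow Microsoft's MS15-011 guidance;
# verify against the bulletin before treating a "weak" result as authoritative.
$hardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Paths that feed group policy and logon scripts, so they are the ones a
# man-in-the-middle would target; both should require mutual auth and integrity.
$requiredPaths = @('\\*\SYSVOL', '\\*\NETLOGON')

function Test-UncHardenedAccess {
    param(
        [string]   $Key   = $hardenedPathsKey,
        [string[]] $Paths = $requiredPaths
    )

    # Read the whole key once; the value names contain '*' so we avoid
    # passing them through -Name, which would treat them as wildcards.
    $props = $null
    if (Test-Path -Path $Key) {
        $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    }

    foreach ($path in $Paths) {
        $raw = $null
        if ($props) { $raw = $props.PSObject.Properties[$path].Value }

        # Parse "RequireMutualAuthentication=1, RequireIntegrity=1" into a hashtable.
        $settings = @{}
        if ($raw) {
            foreach ($pair in ($raw -split ',')) {
                $name, $flag = ($pair.Trim() -split '=', 2)
                if ($name) { $settings[$name.Trim()] = $flag.Trim() }
            }
        }

        [pscustomobject]@{
            Path                 = $path
            Configured           = [bool]$raw
            MutualAuthentication = ($settings['RequireMutualAuthentication'] -eq '1')
            Integrity            = ($settings['RequireIntegrity'] -eq '1')
            Privacy              = ($settings['RequirePrivacy'] -eq '1')
        }
    }
}

$report = Test-UncHardenedAccess
$report | Format-Table -AutoSize

# A client that still accepts policy from an unauthenticated server is exposed to
# exactly the policy-replacement scenario described in the show notes.
$weak = $report | Where-Object { -not ($_.MutualAuthentication -and $_.Integrity) }
if ($weak) {
    Write-Warning ("UNC Hardened Access does not require mutual authentication and integrity for: " +
                   ($weak.Path -join ', '))
} else {
    Write-Output "UNC Hardened Access is enforced for all audited paths."
}
```

Run it in an elevated PowerShell session on a domain-joined client; a host where the key is missing entirely reports every path as not configured, which is the pre-patch state the bulletin describes rather than an error.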

Attackers compromise a news site using IE and Flash zero days

  • “A Chinese APT group was able to chain together two zero day vulnerabilities, one against Adobe’s Flash Player and one against Microsoft’s Internet Explorer 9, to compromise a popular news site late last year”
  • “The group’s aim was to gain access to computers at several U.S. defense and financial firms by setting up a watering hole attack on the site that would go on to drop a malicious .DLL”
  • It is not clear how the site was actually compromised
  • The Flash-powered “thought of the day” widget was changed to redirect to a malicious .swf Flash file, which would exploit an Adobe Flash 0-day to take control of the visitor’s system
  • The flaw also optionally used an IE9+ ASLR bypass to ensure it could infect the machine even if it had additional attack mitigation features enabled
  • “While the Adobe bug, a buffer overflow (CVE-2014-9163) was patched back on Dec. 9, the ASLR mitigation bypass (CVE-2015-0071) was one of many patched yesterday in Microsoft’s monthly Patch Tuesday round of patches, an update that was especially heavy on Internet Explorer fixes.”
  • The release of the details was timed to coincide with Microsoft’s release of a patch for the IE9 ASLR bypass
  • Researcher Post – Invincea
  • Researcher Post – iSightPartners

Facebook launches ThreatExchange

  • Facebook has launched a new information sharing platform to allow IT companies to share details and signatures of the evolving attacks they see against their networks and users
  • Some early members of the platform include: Pinterest, Yahoo, Tumblr, Twitter, Bitly and Dropbox
  • “The cost is free, and most of the heavy lifting is done by Facebook’s infrastructure. The platform developers were also cognizant of some of the concerns enterprises have about sharing threat data, from both a competitive and risk management standpoint. Privacy controls are built in to ThreatExchange that not only sanitize information provided by members, but also allows contributors to share data with all of the exchange’s members, or only particular subsets. In addition to threat information shared by contributors, open source threat intelligence feeds are pulled into the platform”
  • “Facebook hopes the initial partner list grows to include other technology companies with a large Internet footprint. Microsoft, for example, has developed its own information sharing platform called Interflow, while the FBI announced last winter that it was releasing an unclassified version of its malware repository in the hopes of spurring public-private sharing of threat data”
  • “If some reasonably large Internet properties cooperate on attacks they’ve seen and responded to, the vast majority of the Internet will be safer,” Hammell said. “We want to bring in more companies like that and eventually broaden it beyond big companies to smaller web properties and researchers. We want to create a forum where we can share attack and threat information in an easy way and share it with as many who want to receive it”
  • “The classic example is an attack you’re investigating where only you and a few companies are targeted,” Hammell explained. “They can collaborate together on that particular attack and share data, but perhaps they don’t feel it’s appropriate to go wider because it may tip their hand and alert the attacker, or it would not be beneficial to the investigation if others started poking at the infrastructure and possibly disrupt the work they’re doing. It’s an important scenario to get right.”
