Tag Archives: Zero-Day

Why Hoarding Zero Days Is Bad Public Policy

This week Microsoft patched a zero day bug that affected Microsoft Word users.  Microsoft was alerted to the bug by the FireEye security firm several months ago.

What we did not know until today is that this bug was being exploited for at least several months.  WHO was exploiting it is less clear because hackers don’t always sign their names to the work, but it appears that both hackers and governments may have been exploiting the bug.

FireEye is saying that perhaps the hacker who discovered the flaw sold it to both other hackers and government actors.  Rarely is there any agreement from hackers to only sell a hack to one party, so if they did that, it is not really surprising.

It is also possible that two different people independently discovered the bug at around the same time.  That doesn’t seem as likely to me.

Hackers used different Word documents to entice folks to open the email attachments.  One was a military manual written in Russian, another was a document referencing the Russian Ministry of Defense and the third was a document that promised to reveal “top 7 hacker chicks”.  Seriously.

If people fell for it and opened the document they would get infected with the malware FinSpy made by the hacking firm FinFisher.  It is certainly possible that FinFisher, who makes spy tools and sells them to governments (and likely “others” for the right price) also bought the zero day.

As a testament to the international flavor of hacking, some of the servers hosting this delicious treat were in Italy while others were in Romania.

What is less clear is when our government became aware of this zero day.  Assuming they became aware of it, say, a year ago and decided to keep it secret, that is within the operating parameters of DoJ rules.

IF – and we don’t know if this is true – the government – our government – was keeping this zero day secret and hackers were, at the same time, using this hack against our businesses, that seems like a problem.

But that is a challenge the intelligence community and law enforcement face every day.

Do we tell?  Do we keep it secret?  Do we even know what is happening?  Do we want to watch the bad guys because we do know what is happening?  Do we not want to let the bad guys know we are watching them?  Life is not simple.  It would be nice if it were a little more simple, but it is not.

What does seem clear is that we can’t COUNT on the government to spill the beans, even if American businesses are being compromised by hackers.   Just warning you.

Information for this post came from Motherboard.

U.S. Discloses Zero-Day Exploitation Practices

The U.S. government acknowledged that it uses zero-day bugs not only for espionage and intelligence gathering, but also for law enforcement.  What else it uses them for is still unknown.

Last November, the government released a document titled Vulnerabilities Equities Process.  This policy describes the policy, dating back to 2010, that allows agencies to decide whether to tell vendors about bugs they know about or use them as they see fit.

The document was redacted as the government claimed that confirming what everyone already knows – that they don’t always report bugs that they know about – would damage national security.  Not sure how that could possibly be, but that is what they claimed.

The government has removed some of those redactions and thereby confirmed what everyone already knew – that the government uses zero-day exploits so that the FBI and other agencies can hack into U.S. citizen’s computers, hopefully with appropriate oversight – although the oversight process, if it exists, is still unknown.

The document says that there is a group within the government that reviews zero-days and decides how they will be handled and to whom they will be distributed.  The NSA, not surprisingly, is in charge of this group.

Before we beat up the U.S. government too much, likely every other government on the planet does the same thing – likely with similar rules of engagement.

Still, this release of information does eliminate the question about whether “We’re from the government, we’re here to help you.”

Not always.

Adobe Releases Emergency Patch For Flash

Yet again Flash is the means of attack by a Chinese hacking group that Fireeye has labelled APT3.

The attack IS in the wild, although limited in use.

The attack looks like a phishing email offering discounts on Apple computers.

You can find out what version of flash you are running at http://www.adobe.com/software/flash/about/ and download the newest update at https://get.adobe.com/flashplayer/ .

Even though I have updates enabled on this computer, the version of Flash that I was running was 34 versions old.  Of course, Adobe may not have released any or all of those intermediate versions.

You may remember that Steve Jobs was not a big fan of Flash – to be very polite.  This is just one of the reasons why.

Yet Another Adobe Flash Bug

Trend Micro is reporting (see here) yet another Adobe Flash zero-day attack in the wild.  Yes, this is a new one.  No, this is not one I reported about last week.  I had to read the article three times to convince myself this was not the exploit I wrote about last week.  And,  Trend Micro has already caught about 3,300 instances of this attack among their user base.  Given their user base is huge, 3,300 is a small number, but there is not a fix for this yet.  Adobe is promising one this week.

To say that 2015 has not started out well for Adobe would be kind.  They released their normal Flash update in January that fixed 9 critical flaws.  Then 9 days later, they released an out-of-band patch to fix a critical flaw that was being exploited.  Last Saturday, they released another patch to fix a critical flaw and now they are saying they are going to release another patch this week.  That would be 5 patch releases in the first 5 weeks of the year.  Out-of-band patches are a huge pain for both developers and users, so software vendors like Adobe reserve them for critical problems.

This flaw is particularly nasty because, Trend Micro says, it is showing up in ads appearing on web pages and IT DOES NOT REQUIRE THE USER TO CLICK ON THE AD TO WORK.

Some people are suggesting you disable Flash, but that would make many web sites look like a blank page.  I would suggest, at a minimum, that you make sure that you are using a highly rated anti virus product (apparently Trend Micro does catch this and it is pretty cheap – I saw a version of Trend the other day on Amazon for $25/year for 3 PCs or $8 a PC a year).

And, yes, watch for yet another Flash update this week on a computer near you.