Microsoft Internet Explorer Zero Day Bug: key events

May 3, 2014 by Leave a Comment

Here is the timeline of the now fixed Microsoft Zero Day Bug:

ie bug

Copyright: bubblenews

April 9, 2014: Microsoft stops supporting Windows XP.

 April 26, 2014: Microsoft announces the bug, originally discovered by FireEye

 April 28, 2014: The U.S. government issued an advisory warning people not to use Microsoft’s browser.

April 30: 2014: Microsoft offers advisory to deal with the zero day bug.

May 02, 2014: Microsoft fixes the bug: It is believed that the CEO of Microsoft was involved in the decision making. This makes this bug extremely high profile and propels the importance of security to another level.

What was the bug about: A zero-day bug or attack takes advantage of a security vulnerability on the same day that the vulnerability becomes publicly known. There are “zero days” between the time the vulnerability is discovered and the first attack. This is one of the biggest zero day bug ever. According to Microsoft, the bug “may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.” Simply put, if the user is using particular versions of Windows XP and IE (versions 6 to 11) , attackers could lure the user to a malicious websites then run any code on the system, possibly taking complete control. The impact was huge as about a fourth of Windows users use the versions involved.

What it now means to XP and IE users: Most users need to do nothing as the fix will be downloaded automatically, next time they connect to the internet. But those who have disabled automatic updates need to apply the update manually.

Broader impact:  Earlier, Mashable’s Lance Ulanoff called on Microsoft CEO Satya Nadella to reverse course with “One Last Patch” for Windows XP. Such a move would make Nadella “the temporary hero of millions of hapless Windows XP users,” and if presented in the right way, would underscore the security risks associated with remaining on Windows XP, Ulanoff said. By those standards Nadella has rescued 25% of the world! However this goes on to show that a critical security issue can put a major corporation under pressure to work on patches an products which it had decided not to support.

 

References:
1. Time: Microsoft Fixes Internet Explorer Security Bug

2. venturebeat.com: U.S. government urges caution after Microsoft reveals dangerous Internet Explorer bug

Beginners guide to terms used:
Zero Day Attack

 

Twitt
Filed Under: Security News, Web Security

Heartbleed explained

April 21, 2014 by 3 Comments

 

heartbleed

heartbleed

OpenSSL is the most popular open source cryptographic library and SSL/TLS implementation used for encryption including for the traffic on the internet. OpenSSL has a module called heartbeat, which is responsible for the synchronization between two entities, say two servers on the internet. Heartbeat is the way for a computer to be sure the other is still up and running so that if there is no heartbeat, it does not communicate further with the dead/unavailable computer.
Since the vulnerability is found in the heartbeat module it got its name “Heartbleed”.  The problem is caused due to a very small piece of code:

memcpy(bp, pl, payload); //copy data of size payload from p1 to pb

bp is a place on the server computer, pl is where the actual data the client sent as a heartbeat is, and payload is a number that says how big pl is. It works unless payload value is maliciously lower than actual. If payload value is passed as 128 KB when it is really supposed to be 0 KB,  memcpy earmarks a 128 KB-sized memory at bp that contains some data, supposed to be overwritten and hence erased. But in this case none of the old data at bp gets overwritten, because there is nothing to replace it since pl is actually empty.  The  data was sitting in bp prior to the heartbeat, gets passed back to the client. This data could contain private keys, passwords or other sensitive information.

This is not the first such problem or breach, but the potential impact is huge, perhaps bigger and more widespread than any other similar vulnerability.  The heartbleed has exposed many private keys, the secrecy of which forms the very foundation of Asymmetric encryption used by SSL/TLS.

What it means to internet users – Google and Facebook have announced that their users and services were not impacted. Yet users were advised to change passwords as a precaution. Such vulnerabilities remind us that in security nothing can be taken for granted and any assumptions of fool proof security can be dangerous. What is secure today can and will be broken tomorrow.

References:
1. Heartbleed.com
2. Existentialize.com

Beginners guide to terms used:
OpenSSL
SSL/TLS

Twitt
Filed Under: Bugs and Attacks, Web Security