
Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday!

Just a short note to let you know that we were wrong about Firefox and Pwn2Own in our latest podcast…

…but we were right about how Mozilla would react in our latest podcast promotional video:

In the video, we said (our own emphasis below):

In the podcast, we speculated, “Was this [recent Firefox fix] pushed out just in time for Pwn2Own, in the hope that it would prevent the attack working?” If that was the reason, it didn’t work. […] But we do know that Mozilla will be rushing to fix this one as soon as they get the details out of the Pwn2Own competition.

To explain.

In an article last weekend, after our Linux distro had received an apparently-hurried out-of-band Firefox patch but the update still hadn’t shown up on Firefox’s website, we found ourselves wondering, “Is there some kind of cybersecurity scramble on here?”

This update added a sandbox security feature known as Win32k Lockdown that had been months, if not years, in the making, but had just missed scheduled release 100.0.

Accordingly, we speculated that Firefox 100.0.1, a mere point-release in which a brand new Windows security feature had suddenly been activated, was wrangled out specially, just in time for this year’s Pwn2Own hacking competition in Vancouver, Canada.

Why not wait?

We were surprised that Mozilla didn’t simply wait until the next scheduled release, 101.0, to turn the new feature on and announce it as a feature, rather than as a “security fix”, given that it wasn’t there to stop a clear and specific attack that was already known.

Usually, point releases come out to deal with urgent issues that genuinely can’t wait, such as new features that flop, or zero-day bugs that suddenly show up in the wild and need dealing with before the next four-weekly major update deadline rolls around.

But with Pwn2Own taking place this very week, and with Firefox in the firing line from experienced and successful bug hunter Manfred Paul, maybe Mozilla figured that it was worth squeezing out 100.0.1 in time for the contest?

Just in case the new sandbox feature might throw an unexpected spanner into Paul’s otherwise-certain-to-succeed hacking session, and save the day?

On Wednesday, Paul’s session started with 30’00” on the clock, counting downwards (a hard upper bound of 30 minutes is imposed for each entrant).

After a brief pause, the adjudicator reached out and clicked a button to initiate the hacking attempt by visiting a URL that was ready to unleash Paul’s double-exploit remotely. (The server was remote in network terms; physically it was on the same table as the client under attack.)

Loosely speaking, Paul planned to break into Firefox, earning $50,000 in bug bounty for remote code execution, and then to break back out of it, earning another $50,000 for a full sandbox escape.

About seven elapsed seconds later, with a fist pump of acknowledgment from the adjudicator (Pwn2Own is exciting for everyone, not just the hackers), and with an unsurprisingly happy smile from Manfred Paul, now $100,000 better off, the clock stopped, having just flipped over to show 29’52”.

If Win32k Lockdown was supposed to stop the Pwn2Own attack, it didn’t, although we don’t doubt that the new sandbox protection will make plenty of future exploits harder to find and less reliable to use.

To claim a Pwn2Own prize, the deal is that you have to “show your working”, in complete explanatory detail, to the maker of the system you just cracked, and give them first dibs at fixing it.

All proper bug bounties work this way, of course, but Pwn2Own isn’t just about spotting possible bugs and calling them in with a crash log, it’s about researching and writing up the bug and its dangers with careful and repeatable details, up to and including a working exploit.

Well done to everyone involved

Well, that seven-second spectacular pwnage happened on Wednesday 2022-05-18.

And on Friday 2022-05-20, about an hour before midnight UK time, Firefox popped up to tell us, “An update is available to 100.0.2”.

Here are the associated security notes, from Mozilla Security Advisory 2022-19:

  • CVE-2022-1802: Prototype pollution in Top-Level Await implementation.
    Reporter: Manfred Paul via Trend Micro's Zero Day Initiative
    Impact: Critical
    Description: If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.

  • CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution.
    Reporter: Manfred Paul via Trend Micro's Zero Day Initiative
    Impact: Critical
    Description: An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.
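For readers wondering what “double-index into a JavaScript object” and “prototype pollution” actually mean in the advisory text above, here is an added illustration. It is not Mozilla’s code and not the Firefox bug itself: it shows the generic pattern in which an untrusted key such as `__proto__` used as the first index reaches `Object.prototype`, so that a property written through it appears on every object in the process, alongside the two routine defences (reject reserved keys, and keep containers prototype-less so lookups never walk the chain). The message object, key names and function names are constructed for the example.

```javascript
// Added example, not Mozilla's code: prototype pollution via double indexing,
// and how to index safely. All names and the sample message are constructed.

// Vulnerable pattern: store[key1][key2] = value with both keys untrusted.
// For a plain object, store["__proto__"] IS Object.prototype, so the write
// lands on the shared prototype rather than on the store.
function unsafeDoubleIndex(store, key1, key2, value) {
  if (store[key1] === undefined) store[key1] = {};
  store[key1][key2] = value;
  return store;
}

// Hardened pattern: refuse keys that address the prototype chain, only treat
// own properties as existing entries, and use prototype-less containers.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDoubleIndex(store, key1, key2, value) {
  if (FORBIDDEN_KEYS.has(key1) || FORBIDDEN_KEYS.has(key2)) {
    throw new Error(`refusing to index with reserved key: ${key1}/${key2}`);
  }
  if (!Object.prototype.hasOwnProperty.call(store, key1)) {
    store[key1] = Object.create(null); // no prototype, so no chain to walk
  }
  store[key1][key2] = value;
  return store;
}

// Detection helper: has Object.prototype acquired an unexpected own property?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Walk-through on a constructed "message" shaped like untrusted input.
function demo() {
  const msg = { key1: "__proto__", key2: "isAdmin", value: true };
  const result = {};

  // Unsafe path: the write pollutes Object.prototype ...
  unsafeDoubleIndex({}, msg.key1, msg.key2, msg.value);
  result.unsafePolluted = isPrototypePolluted("isAdmin");
  // ... so a brand-new, unrelated object now reports isAdmin === true.
  result.freshObjectSeesIt = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution before the safe run

  // Safe path: the reserved key is rejected and nothing reaches the prototype.
  let threw = false;
  try {
    safeDoubleIndex({}, msg.key1, msg.key2, msg.value);
  } catch (e) {
    threw = true;
  }
  result.safeRejected = threw;
  result.safePolluted = isPrototypePolluted("isAdmin");
  return result;
}
```

The `isPrototypePolluted` check is the kind of assertion worth running in a test suite after feeding a parser or message handler adversarial keys: if `Object.prototype` ever gains an own property you did not define, something in the code path is indexing with untrusted names.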

What to do?

We’ve patched already – how about you?

For the fourth time in the past week, we’re going to say: Patch early, patch often.

With a response time like this, it would be rude not to!

Oh, and a very big “well done and thanks” to everyone at every stage of this bug finding-and-fixing process.

US Government says: Patch VMware right now, or get off our network

On Wednesday this week, virtualisation behemoth VMware published a security advisory describing two just-patched security holes in its products.

Virtualisation in general, and VMware’s product set in particular, is widely used to turn individual physical computers into several “virtual computers” that share the same physical hardware.

These virtual computers, known in the jargon as VMs (short for virtual machines), realistically pretend to be independent computers in their own right, each one booting and running an operating system of its own, as a physical computer would.

This means that one physical server, located in an on-site server room or in a cloud data centre, can flexibly be divvied up amongst multiple different users, who could come from separate departments in one organisation, or even from different companies.

Each user gets access to what looks like, feels like, and runs like a computer of all their own, with an operating system and application stack of their own choice.

Each VM, known in the jargon as a guest, has its own virtual hard disks, stored as regular files on the physical server, known as the host.

This means you can not only divide up one physical disk array into a variety of differently-sized guest disks, to suit the varying needs of the various guest users, but also easily snapshot and archive entire VMs by copying their virtual disk files.

You can even clone an existing VM, and migrate the files that store its content to another physical server, in order to adapt quickly to rising demand for service or to recover from regional outages.

Risks and challenges

As you can imagine, however, this flexibility comes with some significant risks and challenges.

Firstly, the virtualisation software needs to stop guest VMs on the same physical computer from interfering with each other (or, worse, from interfering with the host operating system itself), given that they all share and compete for the same physical RAM and peripherals.

Secondly, given that some networks may have tens of thousands of VMs or more running in data centres across the world at any moment, the control software that manages this ocean of VMs needs to be especially resilient against attack by unauthorised users.

Ransomware crooks, in particular, love to get access to VM control panels, not least because:

  • If they can inject their malware into thousands of VMs in one go, they can scramble all your VMs “from inside” at the same time, possibly with one button-click from a central console.
  • If they can simultaneously halt all the VMs on a physical server, then the VM virtual disk files in the host operating system will no longer be locked for use by the virtualisation software, so any ransomware launched on the host will simply scramble the virtual disks along with everything else.

Indeed, when the infamous REvil ransomware crime gang put up $1,000,000 in Bitcoin in 2020 as an enticement to attract new network hacking “affiliates” to its underworld business, knowledge of Hyper-V (Microsoft’s virtualisation software) was explicitly listed amongst the necessary “experience and skills”.

Other necessary skills for a “job” with REvil, in case you’re wondering, included experience with backup devices such as NAS and tape, representing another part of your network infrastructure that ransomware criminals like to attack before they launch their file-scrambling denouement. With your VMs disrupted along with all your regular computers, the attackers aim to increase the extent to which they derail your business. With your backups disrupted, ransomware attackers aim to decrease your ability to recover on your own, so that they can squeeze you harder with their blackmail demands for decrypting your scrambled files.

The latest bugs

The latest VMware updates close off two security vulnerabilities in the VM control and management tools that the company provides:

  • CVE-2022-22972. Authentication bypass. Products affected: VMware Workspace ONE Access, Identity Manager and vRealize Automation.

    A cybercriminal who already had a foothold on your network, even if they were only a regular user with limited security entitlements, could launch and access the above management tools as an administrative user. Although this wouldn’t give the attacker sysadmin equivalence on the physical network, it could put them instantly in charge of your entire fleet of virtual servers.

  • CVE-2022-22973. Elevation of Privilege (EoP). Products affected: VMware Workspace ONE Access and Identity Manager.

    While the first bug means that an invader could level up to your own sysadmins inside the VM management tools, this bug means that the invader could abuse the VM tools to level up to your sysadmins on the computer where they have their foothold.

Ironically, therefore, these VMware security holes could be combined to give an intruder a leg-up to both physical and virtual root-level powers at the same time.

What the government says

Note that neither of these bugs can be abused from outside your network for what’s known as RCE, short for remote code execution.

As the name suggests, RCE bugs are especially dangerous because they often provide a way for criminals to inject malware into your network in the first place, as the launching point for an intrusion.

Nevertheless, the US government thinks that CVE-2022-22972 and CVE-2022-22973 are sufficiently serious, given their potential for abuse by attackers, that it has issued Emergency Directive 22-03: Mitigate VMware Vulnerabilities.

This document doesn’t just talk about the risks, as we have above, or advise government agencies to get busy with their patching.

If you strip out the officialese and the bureaucratic boilerplate from this Directive, you are left with these very simple but uncompromising instructions:

  • FIND all unpatched copies of all affected products on your network;
  • PATCH them if you can, without delay, or
  • REMOVE them from the network at once if you can’t patch, and do it
  • NOW (deadline 2022-05-23T20:59Z, i.e. before 5pm EDT/2pm PDT next Monday).

And then:

  • REPORT what you did to comply with the first 3 steps (deadline 2022-05-24T15:59Z, i.e. before noon EDT/9am PDT next Tuesday).

In three words: discover, remediate, report.

Or, as we like to say on Naked Security: Don’t delay – do it today!


S3 Ep83: Cracking passwords, patching Firefox, and Apple vulns [Podcast]

  • [00’22”] Fun Fact. What does the word “non-commensurate” mean?
  • [01’41”] When is cracking passwords legal?
  • [11’08”] Why did Firefox get patched?
  • [15’20”] This Week in Tech. Which computer needed dropping onto the desk?
  • [17’56”] Why wasn’t this 0-day listed in every Apple update?
  • [23’50”] Oh! No! Did Duck get spammed, or was it actually a troll?

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

Listen on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
Or simply drop the URL of our RSS feed into your podcatcher.

Pwn2Own hacking schedule released – Windows and Linux are top targets

The 2022 edition of the famous (or infamous, depending on your viewpoint) Pwn2Own competition kicks off later today in Vancouver, British Columbia.

(Actually, it’s a so-called “hybrid” event this year, so that entrants who can’t or don’t want to travel, whether for coronavirus or environmental reasons, can participate remotely.)

Numerous vendors have put forward monetary prizes for hacking various of their products, with this year’s potential targets being:

  • Virtualisation: Oracle VirtualBox, VMware Workstation, VMware ESXi, Microsoft Hyper-V Client.
  • Browsers: Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox.
  • Enterprise Apps: Adobe Reader, Office 365 ProPlus.
  • Servers: Microsoft RDP/RDS, Exchange, SharePoint, Samba.
  • Endpoint OSes: Ubuntu Desktop, Windows 11. (Elevation of Privilege only)
  • Enterprise Communications: Zoom, Microsoft Teams.
  • Automotive: a range of categories based on Tesla 3 vehicles.

Intriguingly, the Servers and Enterprise Apps categories attracted exactly zero hackers each this year.

Browsers and Virtualisation were considered similarly uninteresting, it seems, with just one entrant each taking on Firefox and Safari, and a solitary hacker having a go at VirtualBox.

Windows 11 and Ubuntu Linux attracted seven and five entries respectively; four contestants will take a pop at Teams; and two will have a go at various aspects of the Tesla 3.

A hacking lottery

The rules of Pwn2Own are somewhat strange, given that some entrants may end up not actually competing at all.

The Tesla hackers (two different categories), plus the browser and virtualisation entrants, will all definitely get a turn, because they’re the only competitors in their categories.

Either they’ll succeed in their designated half-hour slot, and claim their prizes, or they’ll fail and go home empty handed.

Everyone else’s participation depends on what’s already happened.

Pwn2Own isn’t like, say, a time-trial sporting event (think downhill skiing), where even if the first entrant beats the current world record and seems to have set an invincible time, they still have to wait until the very last competitor finishes to find out if their early time was good enough.

In Pwn2Own, in contrast, the first entrant to complete the course wins the prize and closes the category for everyone else – if it were downhill skiing, the first skier wouldn’t have to break a record to win right away, they’d just need to get to the bottom without falling over or exceeding a pre-specified time limit.

Speed is not entirely unimportant in Pwn2Own. You have a maximum of three attempts to show that your hack actually works, each lasting a maximum of five minutes, and you’ve got 30 minutes in total to complete your three tries.

In other words, you need to come fully prepared, with your research properly written up. Pwn2Own is very definitely not a movie-style “hack-it-live-and-see-what-happens” event. You don’t just need to break in, you need to know the intimate details of how and why your attack works, so that it can reliably be fixed.

Ironically, the most dramatic entries aren’t those where the competitor finally and frenziedly hacks the system with seconds to spare, which is how it might typically happen in Hollywood. The hacks that get the biggest gasps typically involve spectacularly well-prepared entrants simply walking up to the system, launching their scrupulously well-researched attack with a single click or command, and succeeding right away, with no apparent drama at all.

The downside of popularity

The lottery that determines the order of competition makes a big difference to the competitors.

The seventh entrant drawn in the Windows 11 category, for example, can’t win simply by being the best, or the fastest, or by some other superlative achievement – they can only win if all the previous six entrants fail completely, and then their hack works.

Anyway, watch this space for the results, which will all be known by 14:00 Vancouver time (currently UTC-7) at the latest on Friday 2022-05-20.

The last day could, in fact, be a total washout, because only Teams, Windows and Linux are scheduled for hacking on Friday, and all those prizes may already be done and dusted by the end of today!

The order of hacks in Pwn2Own 2022 is as follows:

  • Later today: Teams, VBox, Teams, Firefox, Windows, Linux, Teams, Safari, Linux, Windows
  • Tomorrow: Tesla (infotainment), Windows, Linux, Tesla (diagnostics), Windows, Linux
  • Friday: Teams, Windows, Linux, Windows, Windows

What do you think?

As for this “winner takes it all and everyone else takes their exploits home” approach, what do you think?

Do hacking spectaculars of this sort improve the state of cybersecurity by promoting the discipline needed for complete and well-documented research, so that underlying problems are properly exposed, not merely papered over with patches?

Or do they work against cybersecurity in real life by potentially delaying the early disclosure of partial results that could have been fixed months earlier if only they hadn’t been kept back for competitive purposes?

Have your say in the comments below…

Apple patches zero-day kernel hole and much more – update now!

Apple’s latest security updates have arrived.

All still-supported flavours of macOS (Monterey, Big Sur and Catalina), as well as all current mobile devices (iPhones, iPads, Apple TVs and Apple Watches), get patches.

Additionally, programmers using Apple’s Xcode development system get an update too.

The details are below.

All the details and bulletin numbers

The bug fixes for iPhones and iPads include remote code execution flaws (RCEs) in components from the kernel itself to Apple’s image rendering library, graphics drivers, video processing modules and more. Several of these bugs warn that “a malicious application may be able to execute arbitrary code with kernel privileges”. That’s the sort of security hole that could lead to a complete device takeover – what’s known in the jargon as a “jailbreak”, because it escapes from Apple’s strict lockdown and app restrictions.

Kernel-level code execution holes could grant an attacker control over the entire system, including the parts that manage the security of the rest of the system.

Other notable bugs include: a flaw that could allow rogue apps to evade their sandbox restrictions (such as accessing files they’re not supposed to see, or using resources such as your camera or microphone that they shouldn’t have access to); a Safari bug that could allow you to be tracked even in Private Mode; and a hole in the Security subsystem that provides a way for sneakily modified apps to bypass the digital signature check by which the operating system is supposed to verify that they haven’t been tampered with.

Lastly, there’s a lock screen bug, whereby someone who picks up your iPhone while you’re not looking (or who steals it, of course) could access your photos without knowing the unlock code.

Macs get patches for many of the same bugs listed above in the iPhone and iPad section. There are several “bonus bugs” that apply only to macOS, notably in laptop/desktop components such as AppleScript, a powerful system automation tool that allows you to launch and control apps, including entering keystrokes, clicking the mouse, configuring devices such as your microphone and webcam, and snapping screenshots.

There’s also a patch for CVE-2022-0778, a cryptographic bug in OpenSSL that was patched by the OpenSSL team nearly two months ago. You may remember that bug – it was what’s known in the jargon as a code smell, a poorly laid out and badly-programmed loop that didn’t check carefully enough whether it had exceeded the maximum time it was supposed to spend verifying a digital certificate.
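The loop the paragraph above describes lived in OpenSSL’s BN_mod_sqrt() routine, which computes a modular square root (the Tonelli-Shanks algorithm) and is reached when parsing elliptic-curve points. The general lesson is that a search loop whose termination relies on the input obeying a mathematical assumption (here, that the modulus is prime and the value really is a square) needs an explicit iteration bound. As an added example that is not OpenSSL’s or LibreSSL’s code and does not reproduce their actual fix, here is a textbook Tonelli-Shanks in JavaScript BigInt with that bound spelled out, so a bad modulus or a non-square returns an error instead of spinning. Function names are ours.

```javascript
// Added example, not OpenSSL/LibreSSL code: modular square root with an
// explicitly bounded inner search loop. Function names are constructed.

// base^exp mod m by square-and-multiply (all BigInt).
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Returns r with r*r ≡ n (mod p) for an odd prime p, or null when no root is
// found. The null paths are the point of the example: every loop that depends
// on p being prime is bounded, so a composite p cannot make it run forever.
function modSqrt(n, p) {
  n = ((n % p) + p) % p;
  if (n === 0n) return 0n;
  if (p === 2n) return n;

  // Write p - 1 = q * 2^s with q odd.
  let q = p - 1n;
  let s = 0n;
  while ((q & 1n) === 0n) { q >>= 1n; s++; }

  // Find a quadratic non-residue z. The Euler test only means something for
  // prime p, so the search is capped at p rather than trusted to terminate.
  let z = 2n;
  while (z < p && modPow(z, (p - 1n) / 2n, p) === 1n) z++;
  if (z >= p) return null;

  let m = s;
  let c = modPow(z, q, p);
  let t = modPow(n, q, p);
  let r = modPow(n, (q + 1n) / 2n, p);

  while (t !== 1n) {
    // Find the least i with 0 < i < m such that t^(2^i) == 1. The bound i < m
    // is the guard: reaching it means n has no root mod p (or p is not prime),
    // and the correct response is an error, not another lap round the loop.
    let i = 0n;
    let tt = t;
    while (tt !== 1n) {
      tt = (tt * tt) % p;
      i++;
      if (i >= m) return null; // bound hit: bail out instead of spinning
    }
    const b = modPow(c, 1n << (m - i - 1n), p);
    m = i;
    c = (b * b) % p;
    t = (t * c) % p;
    r = (r * b) % p;
  }
  return r;
}

// Convenience check used by the walk-through below: did we get a valid root?
function isSquareRootMod(r, n, p) {
  if (r === null) return false;
  return (r * r) % p === ((n % p) + p) % p;
}
```

Worth noting in review: without the `i >= m` guard the exponent `m - i - 1n` goes negative, and code that "just keeps squaring until it sees 1" has no reason to stop when the modulus is composite. A caller that hands this routine a hostile modulus (say, from an attacker-supplied certificate) is exactly the situation where the guard earns its keep.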

Intriguingly, OpenBSD’s LibreSSL, a “security enhanced” replacement for OpenSSL that was introduced after the infamous Heartbleed flaw in the OpenSSL code, is listed as having been patched against exactly the same bug. This is a timely reminder not only that software projects with common origins may share latent bugs for years after development diverges, but also that operating systems often have many different code libraries with similar or overlapping functionality.

Apple macOS, for example, includes at least LibreSSL, OpenSSL and Apple’s own proprietary cryptographic library known as Secure Transport.

Apple’s still-supported but previous version of macOS, Big Sur, includes patches for many of the same bugs as Monterey, with the notable addition of a video decoding bug that gives remote attackers a way to acquire kernel-level powers, presumably via booby-trapped files.

In this case, we say “gives attackers”, not “might or could give attackers”, because this bug, CVE-2022-22675, is what’s known as a zero-day. Cybercriminals found it first and are already exploiting it in the wild.

As we mentioned above, kernel-level remote code execution exploits are often enough for a complete system compromise, making them highly sought after amongst jailbreakers, cybercriminals and the creators of spyware and other surveillance tools.

Whatever you do, don’t miss this update!

Like Big Sur (but unlike iOS, even though tvOS has the same version number as iOS), the latest tvOS update fixes CVE-2022-22675, the in-the-wild kernel-level RCE bug described above.

Despite the significantly different version number from tvOS (8.6 instead of 15.5), Apple Watch users also get a patch for the zero-day video decoding bug CVE-2022-22675.

Catalina, the pre-previous version of macOS, and its oldest currently supported flavour, gets many of the same patches as Big Sur.

However, CVE-2022-22675, the zero-day hole that was fixed in Big Sur, tvOS and watchOS, doesn’t seem to be present here. We’re assuming that the bug was introduced after Catalina was released, thus leaving it immune.

This update fixes two RCE flaws that could be triggered simply by viewing booby-trapped content. Apple isn’t saying what sort of content, but given that the bug is in WebKit, the web rendering engine, rather than one of Apple’s multimedia libraries, we’re guessing the bug relates to the handling of web-specific data such as HTML, CSS or JavaScript.

Note that this update won’t be offered to you unless you have macOS Big Sur or macOS Catalina. In macOS Monterey and all of Apple’s mobile device platforms, these patches are included in the main system update.

Don’t forget, therefore, that if you are a Big Sur or a Catalina user, you will be installing two updates, not just one, with Safari updated separately from the rest of the operating system.

Programmers should get this update, especially if they use the popular source code management system Git.

According to the brief report on CVE-2022-24765, “on multi-user machines Git users might find themselves unexpectedly in a Git worktree.” This sounds like an authentication bypass of sorts, as though while logged in as user X you might suddenly get access to source code belonging to user Y or to project Z that you’re not working on.

What to do?

Most Apple users have automatic updating turned on these days, and therefore expect to get the latest security fixes pushed to them anyway, without needing to keep track of when updates get published.

Nevertheless, we strongly recommend that you check for updates manually whenever you know that there are fixes on offer, especially if there are kernel-level flaws or zero-day bugs. (Or, as happened here, both at the same time!)

Why risk being behind when you could be ahead?

As the zero trust school of cybersecurity suggests: never assume; always verify, so:

  • On your iPhone or iPad: Settings > General > Software Update
  • On your Mac: Apple menu > About this Mac > Software Update…

Take care out there!
