Saturday, 16 January 2016

2015 Vulnerabilities - Android VS IOS (iPhone OS)

This is the second post, following on from http://security.morganstorey.com/2016/01/2015-vulnerabilities-windows7-vs-macosx.html

I was sent this interesting article; http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/

So I hate Apple, but in the last analysis I did I found that OSX wasn't actually that bad compared to Microsoft's most popular OS at the moment, Windows 7; I would have to say they were on par. Go to the link at the top to read that one. This time I am similarly analysing Google's Android and Apple's iPhone OS (iOS).
Now to preface this, I am almost an Android fanboi: I have Android tablets (4 at last count, 3 from dx.com that all died), and although my first smartphone was Symbian, all since have been Android. My kids do have iPads and my wife does have an iPhone, but this is more for the apps available. There are things on both platforms that I wish the other would do, but Android is far and away more flexible. Like last time... don't get me started on my Apple-hate.

Now onto the Android/iOS analysis. As I started with MS last time, I'll start with Android this time.

Google's Android (as opposed to the Motorola version that is listed at CVEDetails) had 130 vulnerabilities in 2015, with an average CVSS score across those vulnerabilities of 8.37 (seems a bit high); the standard deviation was 2.23. If we then round all the scores (down if they are .4 and below, up if they are .5 and above) we get the below:




This shows there are an awful lot of vulnerabilities ranked at the ominous CVSS score of 10. Not many of these are going to be from third-party vendors, as mobile OSes don't really allow third-party code to hook into the OS the way desktop OSes do.
But I did find the almost obligatory Adobe Flash vulnerabilities in there. 21 of the 61 CVSS 10's were Flash; good thing Google dropped it from their 4.1 (KitKat) release of the OS... an OS released 4 and a half years ago. So I don't think these should be included. That still leaves an awful lot of CVSS 10's, so let's look at some.

In case you didn't know, this is the decade where security researchers learned some marketing and started to brand their discoveries with cool names and logos, like Heartbleed. Well, Stagefright was a bug of this ilk that was actually a big deal on Android. Patched no less than 38 times, of these 49

Entries mentioning libstagefright (where the bug got its name), MPEG4Extractor, Skia, Sonivox and mediaserver are all related to Stagefright; in fact, of the CVSS 10 bugs remaining after Adobe and Stagefright are removed, there seems to be only one: CVE-2015-1474.
Here are two examples of obscurely described but Stagefright-related bugs:

CVE-2015-6609
libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted audio file, aka internal bug 22953624.

CVE-2015-3836
The Parse_wave function in arm-wt-22k/lib_src/eas_mdls.c in the Sonivox DLS-to-EAS converter in Android before 5.1.1 LMY48I does not reject a negative value for a certain size field, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted XMF data, aka internal bug 21132860.

Interestingly, three CVE-2014 entries (7915, 7916 and 7917) exist on this list, all related to Stagefright. I believe these CVE IDs were allocated prior to the bugs' disclosure.

So the only non-Adobe, non-Stagefright bug was:
CVE-2015-1474
Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values.
A pretty nasty one: it allows a malicious app to escalate its privileges via the graphics buffer, though it is not remote exploitation. Essentially, if a user installs a dodgy app they could give a bad guy access to more than they should.

To be fair, I'm pretty sure all those Adobe bugs shouldn't be in there. And Google probably should have fixed the Stagefright bug in one go, but I guess it was a pervasive library, hence all the issues found and fixed.
Stagefright was pretty bad. It essentially meant that with the right media file (audio on a webpage, for example, or the proof-of-concept MMS attachment) it could get your phone to run a command. So it is remote code execution, the ultimate vulnerability for any OS. But it was specific: you needed to know which app the user was opening your media file in, to be sure it used the library. I think it does deserve the CVSS score of 10; not sure about the Adobe ones though, seeing as most Android devices don't run Flash anymore.

******************************************
On to iPhone OS (iOS)

iOS had a whopping 375 vulnerabilities last year, with a much lower average than Android's at 6.13 (versus Android's 8.37). Its standard deviation was also smaller, at 1.82. This is probably due to the 61 CVSS 10's that Android had. Let's have a look at the graph:



Interestingly there are a tonne of CVSS 7's there; a lot of those were a vulnerability in WebKit (Apple Safari) that allowed a remote attacker to crash the app with a specially crafted website. I am sure this probably allows the attacker to run code too, so it should probably be higher... Most denial-of-service bugs, if done right, end in compromise, but anyway.

I'll have a look at some of the more interesting CVSS 10 rated vulnerabilities.

CVE-2015-6988
The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not initialize an unspecified data structure, which allows remote attackers to execute arbitrary code via vectors involving an unknown network-connectivity requirement.
This one looks particularly nasty, and also affected OSX; I mentioned it in the other post. Definitely worthy of its 10 score. On a mobile this could be very bad if the "unknown network-connectivity requirement" included something sent over, say, the GSM cellular network.

CVE-2014-4495
The kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not enforce the read-only attribute of a shared memory segment during use of a custom cache mode, which allows attackers to bypass intended access restrictions via a crafted app.

This one I didn't mention in the other post, but it isn't that bad. It essentially allows an application already on the phone or Mac to read memory it shouldn't be able to; this could allow the app to escalate permissions or disable some other security measure. I'd give this a solid 9, but 10 seems high.

CVE-2014-4480
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.
This one seems to be iOS/Apple TV only, which is interesting. Accessing locations just by creating a symlink is pretty cool. Not remotely exploitable, but could help out a bad guy already on a system. Again I don't think it is a 9; perhaps marked too harshly.

Conclusion
As with the other post, even though iOS has more bugs than Android, it isn't the number of bugs that matters so much; it is the type and quality. Android has a higher average and a lot more rated 10's; taking all this into account it is a pretty even match.
Yes, Safari is insecure, Stagefright was a big stuff-up, Flash and Reader are terrible, but the OSes themselves seem to be pretty much on par.

Thanks to CVEdetails for their site and access to the list of vulnerabilities. The compiled spreadsheet is here, under fair use.

Friday, 15 January 2016

2015 Vulnerabilities - Windows7 VS MacOSX

I was sent this interesting article; http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/

Yes, it does appeal to an existing bias I have: APPLE BAD, everything else (except Adobe) good. I really hate Apple, but don't get me started.


I had a look at this article and liked it at the outset, but thinking about it I don't agree with it for a few reasons. There is likely a lot of crossover between OSX and iPhone OS, and between the AIR SDK and AIR itself (it is odd that they list the AIR SDK & Compiler separately).
There is also the issue of simply counting vulnerabilities as a measure of badness. One vulnerability doesn't equal another: if one of those vulnerabilities allows a bad guy to remotely take control of your computer and the other simply allows them to crash your browser, then the first is much worse.

So I thought I would do a more detailed analysis to see what is up and maybe confirm my hatred that Apple is terrible.

The CVEdetails site gives each vulnerability a score (CVSS), from 0 being a minor/non-existent issue to 10 being a critical issue. I decided to show a different side of that article: one that weights the scores rather than the raw counts, and thus gives us the OS with the worse security score. I will focus on OSX and Windows 7 to narrow the field. I'll do Android and iPhone OS in the next blog post.

Microsoft had 147 vulnerabilities last year all up for Windows 7, with an average CVSS score across those vulnerabilities of 6.84. If we then round all the scores (down if they are .4 and below, up if they are .5 and above) we get the below:



Let's look at these vulnerabilities that scored 10.

CVE-2015-0014

Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows Telnet Service Buffer Overflow Vulnerability."
An interesting vulnerability, but not many people should be running Telnet on their Windows 7 PC, let alone exposing it to the internet.

CVE-2015-1635
Was a bad one that allowed you to crash a web server, though the IIS on Windows 7 doesn't run as a service and is connection-limited, as Windows XP's IIS and Windows Vista's IIS were.

CVE-2015-2373
Essentially allows an attacker to execute code on your machine via a vulnerability in Remote Desktop. It is not likely that this is enabled through your router, but it is an issue for a malicious insider, as it is enabled by default to some extent in corporate environments.

I don't think these vulnerabilities should all be 10 (say 9.x?). Yes, they allow a remote attacker to take control, but they require a kind of perfect storm. They require the Windows 7 machine to have these services enabled (Telnet and IIS are not installed by default; RDP is installed but disabled), and if the attacker is on the internet these also need to be open on the victim's router/firewall, or the attack needs to be chained with an attack on the UPnP NAT mapping that some home routers do.

****************************************

Now lets look at Apple's MACOSX.

OSX had 384 vulnerabilities in 2015, with a lower average than Microsoft at 6.76. This is likely due to there being more vulnerabilities reported. It could also be that Microsoft seemingly score and report their own vulnerabilities and are thus harsher on themselves. There is also the issue that a lot of the OSX vulnerabilities are due to included open source software, and thus these libraries etc. get reported by their maintainers (e.g. Apache, PHP). Some of the higher rated vulns I noticed were Apple-only, and only reported on their support pages or lists.
If we do the same breakdown as before we get the below;


Looking at that we can see there are simply so many more 7, 4 and 5 rated vulnerabilities, which is what brought the average down. I had a look at the standard deviations using the Excel STDEV (sample) and the full-population STDEVP functions, and they are pretty close: MS at 2.43 and OSX at 2.04.
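To make the scoring method used in these two posts reproducible, here is an added Python example. It is my code, not the author's spreadsheet, and the CVE ids, scores and component names in it are constructed for illustration rather than taken from CVEdetails. It applies the rounding rule the posts describe (.4 and below down, .5 and above up), builds the per-score histogram, reports the mean with both the sample (Excel STDEV) and population (Excel STDEVP) standard deviations, and shows how the figures shift once third-party Adobe entries are excluded, which is the adjustment the posts argue for.

```python
"""Rounded-CVSS breakdown of a vulnerability list (added example, constructed data)."""
from collections import Counter
from math import floor
from statistics import mean, pstdev, stdev

# Constructed sample records: (CVE id, CVSS base score, affected component).
# Illustrative only; these are not the real 2015 entries from CVEdetails.
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", 10.0, "libstagefright"),
    ("CVE-EXAMPLE-0002", 10.0, "Adobe Flash Player"),
    ("CVE-EXAMPLE-0003", 9.3, "mediaserver"),
    ("CVE-EXAMPLE-0004", 7.5, "Adobe Flash Player"),
    ("CVE-EXAMPLE-0005", 7.2, "GraphicBuffer"),
    ("CVE-EXAMPLE-0006", 6.8, "Skia"),
    ("CVE-EXAMPLE-0007", 5.0, "WebKit"),
    ("CVE-EXAMPLE-0008", 4.3, "WebKit"),
    ("CVE-EXAMPLE-0009", 2.6, "Sonivox"),
    ("CVE-EXAMPLE-0010", 10.0, "Adobe Flash Player"),
]

# Components whose bugs the posts argue should not count against the OS vendor.
THIRD_PARTY_PREFIXES = ("Adobe ",)


def round_half_up(score):
    """Round as the posts describe: .4 and below goes down, .5 and above goes up.

    Python's built-in round() uses banker's rounding (round(8.5) == 8), so it
    would put some x.5 scores in the lower bucket; floor(x + 0.5) does not.
    """
    return int(floor(score + 0.5))


def histogram(records):
    """Number of vulnerabilities in each rounded CVSS bucket (the bar chart in the posts)."""
    return Counter(round_half_up(score) for _, score, _ in records)


def summarise(records):
    """Count, mean and both standard deviations the posts compare (STDEV vs STDEVP)."""
    scores = [score for _, score, _ in records]
    return {
        "count": len(scores),
        "mean": round(mean(scores), 2),
        "stdev_sample": round(stdev(scores), 2),       # Excel STDEV  (divides by n - 1)
        "stdev_population": round(pstdev(scores), 2),  # Excel STDEVP (divides by n)
    }


def exclude_third_party(records, prefixes=THIRD_PARTY_PREFIXES):
    """Drop entries whose component belongs to a third-party vendor."""
    return [rec for rec in records if not rec[2].startswith(prefixes)]


def in_bucket(records, bucket=10):
    """CVE ids whose rounded score lands in the given bucket (default: the 10s)."""
    return [cve for cve, score, _ in records if round_half_up(score) == bucket]


if __name__ == "__main__":
    for label, recs in (("all entries", SAMPLE_CVES),
                        ("excluding third party", exclude_third_party(SAMPLE_CVES))):
        print(label, summarise(recs))
        for bucket, count in sorted(histogram(recs).items(), reverse=True):
            print(f"  CVSS {bucket:>2}: {'#' * count} ({count})")
        print("  rated 10:", in_bucket(recs))
```

Running it prints the histogram twice, once with and once without the Adobe entries, so the effect of the third-party exclusion on the mean and on the count of 10s is visible side by side. Swapping in a CSV export of a real CVE list only requires replacing SAMPLE_CVES.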

Having a look at a sample of the CVSS 10's, there is a bit of a difference.


CVE-2015-7071
"The File Bookmark component in Apple OS X before 10.11.2 allows attackers to bypass a sandbox protection mechanism for app scoped bookmarks via a crafted pathname."
This one sounds worse than any of the vulnerabilities that scored 10 on Windows, essentially allowing an attacker to bypass protections via a bookmark. Bookmarks can be created by running some JavaScript on a site that the user visits; pretty bad.


CVE-2015-6988
The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not initialize an unspecified data structure, which allows remote attackers to execute arbitrary code via vectors involving an unknown network-connectivity requirement.
OK, this one is pretty bad too, allowing an attacker to execute code remotely.

CVE-2015-5887
This one is a TLS/SSL bug, probably a flow-on from SSL bugs found in 2015 in open source libraries and in closed source ones, such as the Windows bugs CVE-2015-6112 and CVE-2015-1637. Though I note both these Windows bugs had much lower CVSS scores of 5.8 and 4.3 respectively.


CVE-2015-1131
A bug in an Apple font library, essentially allowing remote code execution if the font is called in a specific way, say from a webpage. Similar to the much lower rated CVE-2015-0059 Windows 7 bug.

Then there are a few bugs in drivers for Apple hardware: Bluetooth, IOAccelerator (seems to be a RAM disk card not likely found in most Macs), a couple of pretty bad kernel bugs and some HID driver bugs.

But then, looking at the rest of the 10 rated bugs, a pattern emerges. 27 of the CVSS 10's are actually ADOBE bugs in Acrobat/PDF Reader... yikes. See the below example:

CVE-2015-3074
Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, and CVE-2015-3073.

I don't think it is fair that these Adobe bugs are rated 10 for Apple when they aren't even listed on the Windows 7 list, as they are a third-party bug.
Some of the other 10 rated bugs also reference OSX's App Store. Apps that install from the App Store install into a permissions-based jail, essentially protecting the rest of the system from the app. The bugs that were found allowed these apps to break out of this jail... But Windows 7 doesn't have this feature for its store apps, so an app installs in whatever context the user is running as (run everything as admin and the app you install can get admin privileges). So really, although this is a bug, it is not as bad as simply not even having that protection.

MS has an app store in Windows 8 and above... and for a time it was so horrible that I would advise against using it for the foreseeable future.

Conclusion


As much as I hate to admit it, MacOSX having more bugs doesn't mean anything; it isn't the number but the quality. MacOS had more, yes, but other than that one bookmark bug a lot of them were actually third-party code or code that was not likely to be exploited. The Windows 7 CVSS 10 bugs weren't that bad either: not too many will have these exposed to the internet, and inside networks all bar the RDP bug will likely not be installed on 99% of machines. I think we would find that if Apple ditched support for natively updating Adobe and other third-party software then their number of bugs would drop dramatically; account for the fact that they directly support all their own hardware and you can account for the disparity in numbers of bugs.
There is more analysis that could be done here too (I will post the spreadsheet I used in the next post). Perhaps MacOSX had more bugs because more were reported, more were actioned, and more were reported publicly to open source software library mailing lists, where they would make their way to the media and Apple would be red-faced if they didn't jump on patching them. Perhaps MS was scoring their bugs harsher than they needed to be, and submitters of the open source software bugs in MacOSX were scoring their bugs softer due to their bias to support their own code.

Security-wise I would say they are actually neck and neck, which is I suppose a good place to be for security at large. Not good for Apple-bashers like me, but I will admit when Apple does good things.

On to the CVSS scores: I don't think they are doing it right. They shouldn't be giving an optional, disabled-by-default service like Telnet, or an obscure and I assume non-loaded driver like the IOAccelerator on Apple, a score of 10. Sure, it allowed remote exploitation, but how likely is it? They should probably put these at <9.5; then they are still critical, but this score doesn't black-eye the vendor so much. Next, they really shouldn't include third-party software in one listing and not in the other; you can't compare the two this way, it is an (ahem) Apples versus oranges issue.

Wednesday, 20 May 2015

Disrupting the paradigm

Not sure if I am quoting here, but be careful when someone says they are disrupting the paradigm; often when you look beneath the veil you will find an issue. The paradigm is usually there for a reason: because it works.

I have discussed factorisation of authentication before here; this one will be a little more in depth.


To reiterate, authentication currently works under a model of factors. Factors are simply classifications of things, counted in a cumulative manner. Things could be something you know (and preferably keep private), something you have, something you are, or somewhere you are. This is 4 factors.

Something you know: PIN, password, passcode, passphrase, pictures in a certain order, last 4 digits of a credit card (even though this is something you have, it is a known, never-changing string).

Something you have: a key, a key-card, USB fob, certificate, smart card, RFID chip, SMS/phone-call receiving phone, Bluetooth paired phone or other device, laptop, tablet, the phone itself.

Something you are: fingerprint, iris scan, voiceprint, DNA sequence.
I will rant on biometrics later, but you can't re-issue a fingerprint, so if it gets compromised and copied by someone you are out of luck.

Somewhere you are: GPS location, IP geolocation (though as this would be checked in-band, on the very connection you may be using to access the service, the security doesn't increase much), a landline or mobile phone could also be somewhere you are, e.g. you log in to an app and it calls you on a separate phone at that same location to ensure you meant to.

Let's look at some examples.
  • You login to your computer with a username and password, this is 1 factor of authentication, just a password.
  • You login to your computer with a username and password, then onto a super-secret corporate system with a different username and password, this is still 1 factor of authentication. You only used a username and password.
  • You login to your PC using a swipe card only, this is still 1 factor of authentication. Yes, you used something you have, but it was not cumulative on something you know.
  • You login to your PC using your username, password and Secure USB key, this is now 2 factors of authentication, something you know and something you have.
  • You login to your PC using your username, password, thumbprint and Secure USB key, this is now 3 factors of authentication; something you know, something you have and something you are.
  • You login to your netbanking via their app with username, password, fob token code, and your thumbprint on the home button. The app has rights to your phone's GPS and disallows transfers over $1000 from anywhere but inside your own home or registered place of work; if you go to transfer $1001 to another account and it then allows you due to the registered GPS location, this could be considered 4 factors of authentication: something you know, have, are, and somewhere you are, all checked to ensure valid authorization.
Now comes the paradigm shifting. I wish it was me that thought of these.

Device profiling
This makes the device a factor, specifically a second factor.
It will do things like take the IP you are logging in from, weighted with things like browser headers, and put them in a database; if it sees these dramatically change it can deny you access.
A good example showing the power of this hidden data that you send can be seen at the EFF's Panopticlick here: https://panopticlick.eff.org/
There are certain banking and social media apps that do this already, alerting you via email when you have logged in from a new device.


Risk based authentication
Awesome idea; basically the application has some smarts. Similar to the above, it does some device profiling and then if you fail it, it either challenges you for more authentication or simply denies you access. It has risk scores that it assigns to things: risk +1 if you are logging in at a different time, risk +9000 if you are logging in from a country with a bad reputation that you have never logged in from before. This still works in the factorising model, but doesn't force a user to enter every factor every time; it is an extension of the paradigm.
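Here is an added Python example (my code, not from the post and not any vendor's product) that puts the two ideas above together: the cumulative factor counting from the examples list earlier in the post, and a simple device-profiling / risk-scoring decision that asks for another factor only when the risk justifies it. The factor classification table, the risk weights (+1 for an unusual hour, a prohibitive penalty for a first login from a badly reputed country), the step-up thresholds, the placeholder country list and the login history are all constructed assumptions for illustration, not anyone's production policy.

```python
"""Factor counting plus device-profiling risk score with step-up (added example)."""
from dataclasses import dataclass
from enum import Enum
from hashlib import sha256


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    WHERE = "somewhere you are"


# Assumed classification of credential types, following the lists in the post
# (the last-4-digits case is filed under KNOW, as the post argues).
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "card_last4": Factor.KNOW,
    "swipe_card": Factor.HAVE,
    "usb_key": Factor.HAVE,
    "fob_code": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "gps_registered_location": Factor.WHERE,
}


def factors_used(credentials):
    """Distinct factor categories covered by the presented credentials.
    Two credentials of the same category (two username/password pairs) still
    count as one factor; only a different category adds a factor."""
    unknown = [c for c in credentials if c not in CREDENTIAL_FACTOR]
    if unknown:
        raise ValueError(f"unclassified credential(s): {unknown}")
    return {CREDENTIAL_FACTOR[c] for c in credentials}


@dataclass(frozen=True)
class LoginContext:
    ip: str
    user_agent: str
    accept_language: str
    country: str  # assumed to be derived from the IP upstream
    hour: int     # local hour of day, 0-23


def device_fingerprint(ctx):
    """Device profiling: hash the IP's /24 together with the browser headers."""
    prefix = ".".join(ctx.ip.split(".")[:3])
    material = f"{prefix}|{ctx.user_agent}|{ctx.accept_language}".encode()
    return sha256(material).hexdigest()[:16]


# Constructed placeholder; a real deployment would take this from a reputation feed.
BAD_REPUTATION_COUNTRIES = {"XX"}


def risk_score(ctx, history):
    """Add up risk points in the spirit of the post: small for an odd hour, more for
    an unseen device or country, prohibitive for a first login from a bad country."""
    seen_devices = {device_fingerprint(h) for h in history}
    seen_countries = {h.country for h in history}
    usual_hours = {h.hour for h in history}
    score = 0
    if ctx.hour not in usual_hours:
        score += 1
    if device_fingerprint(ctx) not in seen_devices:
        score += 5
    if ctx.country not in seen_countries:
        score += 3
        if ctx.country in BAD_REPUTATION_COUNTRIES:
            score += 9000
    return score


def decide(ctx, history, credentials):
    """Map the risk to the number of distinct factors demanded; deny past a ceiling.
    Returns "ALLOW", "STEP_UP" (challenge for another factor) or "DENY"."""
    score = risk_score(ctx, history)
    if score >= 9000:
        return "DENY"
    needed = 1 if score < 5 else 2 if score < 9 else 3
    return "ALLOW" if len(factors_used(credentials)) >= needed else "STEP_UP"


# Constructed login history for one user: same laptop, home ISP range, two usual hours.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"
HISTORY = [
    LoginContext("203.0.113.10", UA, "en-AU", "AU", 9),
    LoginContext("203.0.113.12", UA, "en-AU", "AU", 19),
]

if __name__ == "__main__":
    usual = LoginContext("203.0.113.50", UA, "en-AU", "AU", 9)
    new_device = LoginContext("198.51.100.7", "Mozilla/5.0 (Android 5.1) Chrome/46", "en-AU", "AU", 9)
    abroad = LoginContext("192.0.2.33", "Mozilla/5.0 (Android 5.1) Chrome/46", "en-NZ", "NZ", 3)
    print(decide(usual, HISTORY, ["password"]))                   # ALLOW
    print(decide(new_device, HISTORY, ["password"]))              # STEP_UP
    print(decide(new_device, HISTORY, ["password", "fob_code"]))  # ALLOW
    print(decide(abroad, HISTORY, ["password", "fob_code"]))      # STEP_UP
```

The point the code makes is the one the post makes: the risk engine never invents a new factor, it only decides how many of the existing ones to ask for on this login, and the device fingerprint it keys on is just another "something you have" that the user never types.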

Pingrid and their ilk
As I mentioned last time, these aren't two factor. They are a challenge, with a user response based on something they know. Interestingly I think they do increase security, but still not as much as a second factor. This really doesn't fit the factorised model. See their demo here: https://www.winfrasoftbank.com/MyAccounts/Default.aspx
You can see how, due to the randomness of the numbers, it does reduce the likelihood that the user's "password" will ever be compromised by an over-the-shoulder or man-in-the-middle attack, but again, repeat enough views of the user's login through a screen scraper and you have them. It still doesn't stop man-in-the-browser attacks (where malicious code waits for you to authenticate to your bank, then distracts you and gives control of that tab to the remote bad guys to transfer out your cash).

That being said, I think they are probably making the authentication process more complicated than it needs to be and not more secure. Hard tokens that are transparent to the user, like a YubiKey or smart cards, are much, much more secure.

So uhh, disrupting the paradigm. I thought I could make a case that the above three did disrupt the paradigm, but they don't. I started this article all gung-ho to prove to myself they did, but they simply extend what we already have.
Device profiling and risk-based authentication either work with existing factors of authentication, or make a string of numbers unique to you and your device part of auth (just like a certificate or token, and thus are a second factor), and Pingrid is simply an extension of single-factor authentication.

Seeing as I mentioned Schneier last time I posted about auth, I had a look to see if he has discussed Pingrid or others; he hasn't. But I did find the below, which is awesome:
http://www.schneierfacts.com/fact/vote/631