[BreachExchange] How much are vendor security assurances worth after the CIA leaks?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 13 19:21:41 EDT 2017


http://www.pcworld.com/article/3180055/security/how-much-are-vendor-security-assurances-worth-after-the-cia-leaks.html

Following the recent revelations about the U.S. Central Intelligence
Agency's cyberespionage arsenal, software vendors reiterated their
commitments to fix vulnerabilities in a timely manner and told users that
many of the flaws described in the agency's leaked documents have been
fixed.

While these assurances are understandable from a public relations
perspective, they don't really change anything, especially for companies
and users that are the target of state-sponsored hackers. The software they
use is not less safe, nor better protected, than it was before WikiLeaks
published the 8,700-plus CIA documents last Tuesday.

The leaked files describe malware tools and exploits used by the CIA's
cyber divisions to hack into all major desktop and mobile operating
systems, as well as into networking gear and embedded devices like smart
TVs. The documents don't contain the actual code of those tools and some of
the supposedly more telling descriptions have been redacted.

WikiLeaks founder Julian Assange said that his organization will share
unpublished details with software vendors so that the vulnerabilities can
be patched. But even if WikiLeaks does that, it's important to realize that
the information only represents a snapshot in time.

The most recent date string in the documents is from early March 2016,
potentially indicating when the files were copied from the CIA's systems.
Some of the exploit listings suggest the same.

For example, the page describing exploits for Apple's iOS contains a table
that has them arranged by iOS version. That table stops at iOS 9.2, which
was released in December 2015. The next significant update, iOS 9.3, was
released in late March 2016.

One kernel exploit, codenamed Nandao, which was obtained from the U.K.'s
GCHQ, is listed as working for iOS versions 8.0 to 9.2. Does that mean that
it doesn't work on iOS 9.3 or even more recent versions of the operating
system? Not necessarily. It's more likely that the table stops at 9.2
because that was the latest version of iOS when the CIA files were copied.

Moreover, it's highly unlikely that Apple can tell whether this and other
exploits have been patched without additional details. The only
description for "Nandao" is that it's a heap overflow memory corruption
vulnerability, with no indication of which kernel component the flaw is
actually in.

"Unless Apple obtained full details and/or the exploits as well as
performed a thorough root cause analysis, Apple can't be sure that newer
versions aren't affected," Carsten Eiram, chief research officer at
vulnerability intelligence firm Risk Based Security, said via email.

That's also the case for flaws affecting other software. Eiram's company
was able to confirm that some have been patched, but some still work in the
latest versions of the programs they affect, like a DLL hijacking flaw in
the Prezi Desktop presentation software.

"Users shouldn't just presume newer versions aren't affected simply because
they're not mentioned in the dumps," Eiram said.

And even if all these flaws are eventually disclosed to vendors and
patched, it doesn't mean that the CIA doesn't have newer zero-day exploits.
Its exploit acquisition efforts didn't stop in March 2016.

The agency had exploits for unpatched vulnerabilities when its internal
documents were leaked and it's very likely that it has similar exploits for
the latest versions of popular programs and operating systems at this
moment.

It's important to realize that there are always zero-day exploits out
there, and not just in the hands of intelligence agencies. A similar leak
in 2015 from Hacking Team, an Italian company that makes surveillance
software for law enforcement, revealed that the firm was regularly buying
zero-day exploits from hackers.

Numerous hacker groups have used zero-day exploits in their attacks over
the years, some so frequently that they probably have large stockpiles of
unpatched flaws. There are also private brokers that pay huge sums of money
to acquire such exploits and then resell them to their customers, which
include law enforcement and intelligence agencies.

"This leak is mostly just confirming suspicions about the capabilities of
such agencies more than surprising us," Eiram said.

According to Eiram, the software industry can better prevent developers
from introducing vulnerabilities in their code and can build features to
make exploitation harder and reduce risks. But there's no magic wand for
getting rid of all vulnerabilities in the foreseeable future. If anything,
annual statistics show that the number of software vulnerabilities is
actually on the rise.

"For that reason, it is always good for users to keep in mind -- without
developing full-blown paranoia -- that when navigating the digital world
there is always someone out there who can compromise your system if they
really wanted to," Eiram said. "A bit of logic, skepticism, and security
awareness goes a long way, both in the physical and the digital world."

Users and companies who are likely to be the target of cyberespionage
attacks should take a multilayered approach to defense that goes well
beyond applying vendor patches and takes the existence of zero-day exploits
into consideration.