Safer Already

thaddeus t. grugq on 2016-11-01

Disclosure is a religion where everyone is in Hell

A Russian joke, (h/t Alex Gantman)

The various sects in the disclosure religious wars are having a bit of a squabble right now. Google’s security team captured a couple of 0day exploits being actively used in the wild. On October 21st they informed the vendors; one of them (Adobe) was able to release a patch within days, the other (Microsoft) planned to ship its fix on November 8th (Patch Tuesday). On Halloween, Google publicly released details about the exploits, or as we say in the biz, “dropped 0day.”

After a couple days, sufficient details have emerged that we can piece together what was actually going on behind all those “exploits being actively exploited in the wild” and other opaque statements.

Dropping The 0day

The Google post on October 31st was vague on the targeting and threat posed by the attackers, but detailed on the specifics of the exploit vector and mechanism.

we are today disclosing the existence of a …critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.


Here are the details on the exploit:

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.

That should be enough to get it reengineered and into Metasploit before the patch is officially released. Everyone in infosec knows and loves/hates win32k.sys, the Microsoft kernel module which provides an unending stream of exploitable bugs.


Actively Exploited In The Wild

It sounds terrifying: an exploit that is being actively used in the wild, for which there is no patch and no real remediation (win32k.sys is required for Windows to function, though a sandboxed process that has opted into the Win32k system-call filter, as Chrome’s renderer does on Windows 10, cannot reach the vulnerable call at all). But it matters a great deal who is doing the exploiting and whom they are targeting.

My Guess At What Happened

The GRU was conducting a spearphishing campaign (which means, essentially, sending exploits as email attachments to targeted individuals). The exploit bundle was probably an Office document with an embedded Flash object to get code execution in the user’s session, the win32k.sys local privilege escalation to get from that low-privilege or sandboxed process into the kernel, and then some malware payload for persistence. I suspect that some of the targeted users were using GMail accounts, and Google’s scanning and analysis of email attachments discovered the malicious documents. The attribution to GRU was possibly done via the post-exploitation malware payload.
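The guessed delivery vector above (an Office document carrying an embedded Flash object) is the one link in that chain a defender can actually check for at the mail gateway without knowing anything about the kernel bug. The following is an added example, not code from the original post nor from Google or Microsoft. It assumes the document is OOXML (a zip container; a legacy binary .doc would need an OLE2 parser instead), identifies an embedded SWF by its header signature (FWS uncompressed, CWS zlib, ZWS LZMA) regardless of the member’s file name, and identifies a Flash ActiveX control by the Shockwave Flash CLSID D27CDB6E-AE6D-11cf-96B8-444553540000. The sample documents are constructed inline.

```python
"""Triage check for OOXML documents that carry embedded Flash content.

Added example, not code from the original post or from Google/Microsoft.
Assumptions (not stated on the page): OOXML files are zip containers; an
embedded SWF starts with FWS/CWS/ZWS; a Flash ActiveX control references the
Shockwave Flash CLSID. All sample documents below are constructed test data.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.IGNORECASE)


def _is_swf(data: bytes) -> bool:
    # SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length.
    return len(data) >= 8 and data[:3] in SWF_MAGIC


def find_flash_in_ooxml(doc: bytes) -> List[Tuple[str, str]]:
    """Return (zip member, reason) for each member that looks like Flash.

    Every member is inspected by content, not by extension: the attacker
    controls the name (e.g. 'oleObject1.bin'), the parser only cares about
    the bytes. A non-zip input yields no findings rather than an exception.
    """
    findings: List[Tuple[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if _is_swf(data):
                findings.append((info.filename, "SWF magic %s" % data[:3].decode("ascii")))
            elif FLASH_CLSID.search(data):
                findings.append((info.filename, "Shockwave Flash CLSID"))
    return findings


def build_sample_docx(members: Dict[str, object]) -> bytes:
    """Build a minimal OOXML-like zip (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a clean document, one with a zlib-compressed SWF hidden
# behind an OLE-object file name, and one referencing the Flash ActiveX control.
CLEAN_DOC = build_sample_docx({})
SWF_DOC = build_sample_docx({
    "word/embeddings/oleObject1.bin": b"CWS\x0a" + (100).to_bytes(4, "little") + b"\x00" * 92,
})
ACTIVEX_DOC = build_sample_docx({
    "word/activeX/activeX1.xml":
        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>',
})


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("swf", SWF_DOC), ("activex", ACTIVEX_DOC)):
        print(label, find_flash_in_ooxml(doc))
```

Scanning by magic rather than by extension matters here because the attachment the author describes is an Office file, not a .swf; the Flash object only surfaces as an opaque embedded part. A gateway rule that quarantines any document with a finding from this check would have blocked the (guessed) delivery stage whether or not the win32k.sys stage was patched.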

Google’s security team did their in-depth analysis and informed the vendors on the 21st. Adobe had an easy time rolling out a patch via its automated update channel. Microsoft had a scheduled patch release less than three weeks away and, given the limited nature of the threat (a local privilege escalation, used in targeted attacks by the GRU via email), decided not to ship an “out of band” patch. Microsoft’s great fear is “wormable” vulnerabilities: remote code execution that needs no user interaction and so can spread on its own. This vulnerability is a local privilege escalation, not RCE, so it is not “wormable” and would not be a CODE RED!!! level issue.

And then Google dropped the 0day.

Real Talk: Exploits, Risks, and You

The threat actor using the 0day bundle (Flash + win32k.sys) was a nation state intelligence service targeting nation state targets. Known variously as STRONTIUM, Sofacy, APT28, and ${Something} Bear, the group is (probably) the Russian military intelligence agency GRU (now known as GU, as if there weren’t enough confusing names already!).

Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign — Source

Were you at risk of this attack from Russian military intelligence?

STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes [Emphasis added]— Source

NO.

Unless you are in one of the above categories, the answer is, almost certainly, “no.” If you are in one of them, you should be aware and vigilant, because intelligence agencies are not going to stop doing their job simply because some of their exploits were disclosed.

However, the problem now is that this vulnerability is no longer restricted to Russian military intelligence: it is available to every threat actor. That radically changes the threat assessment calculus. It is no longer a risk only for GRU targets, but for everyone who could be targeted by any threat actor (cyber criminals, other nation states, etc.), and for the week between disclosure and Patch Tuesday there is no fix to apply. From a small pool of at-risk individuals (GRU targets), the at-risk population has expanded to everyone.

Was Disclosure The Right Decision?

The answer depends on your religious convictions about disclosure.

Some might suggest that this assessment overestimates the likelihood of reengineering and reusing the exploit in time, and underestimates the positive longterm aspects of this type of disclosure.

Personally, I think waiting an additional few days to allow Microsoft to roll out their scheduled patch wouldn’t have increased the potential risk significantly, not compared to the increased risk of having an 0day on the loose for a week. I don’t subscribe to the “tell other people what to do with their information” school of thought, so Google was absolutely within their rights to drop 0day.


UPDATE [2016–11–08]: I got the prediction about a Metasploit module before Patch Tuesday wrong, probably because there was no compelling reason to rush Yet Another WiN32.Sys (YAWNS) exploit into a public framework. However, I believe my main point is still valid.

More interesting is a data point that surfaced after the disclosure:

The buggy code was present in the leaked Windows 2000 source. That code has been in the wild for years, and I guess the win32k.sys vulnerability was exploitable even on win2k. That is a decade or so of a vulnerability sitting in source code that anyone could review, without the bug being found. The only logical conclusion is that source code access does not, by itself, mean bugs are found and fixed any sooner.