While the world cheered at the prospect of Linux running on Windows, security experts were less sure and fear that it might have brought a new way to hack a Windows machine.
Alex Ionescu, chief architect at Crowdstrike, told the assorted throngs at the Black Hat USA security conference that some problems he reported to Microsoft during the beta period have already been fixed. The larger problem, though, is that there is now a new potential attack surface that organisations need to know about and risks that need to be mitigated.
“In some cases, the Linux environment running in Windows is less secure because of compatibility issues. There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows.”
The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated.
He said that Windows was now a “two-headed beast” that can do a little Linux and can also be used to attack the Windows side of the system.
Linux on Windows does not run inside of a Hyper-V hypervisor, which potentially could isolate the Linux processes. Instead Linux is running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface, he said.
The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories.
The updating mechanism inside of Linux for Windows is also an area Ionescu looked at. There is a scheduled task that can be set in Windows to run the apt-get Linux command to update packages for the user mode that is enabled by Ubuntu. That said, Ionescu noted that Microsoft isn’t actually using an Ubuntu Linux kernel, just user-land tools and applications.
AppLocker, which is Microsoft’s whitelisting service for Windows applications, doesn’t work for Linux applications. As such, if an enterprise has enabled Linux on systems, Linux apps can potentially run without first checking with AppLocker.
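The gap described above can be audited per host. The following PowerShell is an added example, not part of the original report or of Ionescu's talk: it reports whether the Windows Subsystem for Linux optional feature is enabled on a machine where AppLocker rules are being enforced. The function name `Get-WslAppLockerGap` and the output field names are made up for this illustration; the script needs an elevated prompt.

```powershell
# Added example: flag hosts where AppLocker is enforced but the Linux subsystem is on.
# Get-WslAppLockerGap is a hypothetical helper name, not a built-in cmdlet.
function Get-WslAppLockerGap {
    # 1. Is the Windows Subsystem for Linux optional feature enabled?
    $wslEnabled = $false
    try {
        $feature = Get-WindowsOptionalFeature -Online `
            -FeatureName 'Microsoft-Windows-Subsystem-Linux' -ErrorAction Stop
        $wslEnabled = ($feature.State -eq 'Enabled')
    } catch {
        # Feature unknown on this Windows build, or the prompt is not elevated.
        Write-Warning "Could not query the WSL feature: $_"
    }

    # 2. Which AppLocker rule collections are enforced in the effective
    #    (local + Group Policy) policy? AuditOnly and NotConfigured do not block.
    $enforced = @()
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $enforced = @($policy.RuleCollections |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            ForEach-Object { $_.RuleCollectionType })
    } catch {
        Write-Warning "Could not read the effective AppLocker policy: $_"
    }

    # 3. The gap: allow-listing is enforced for Windows binaries while
    #    Linux binaries on the same host are outside its checks.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WslFeatureEnabled  = $wslEnabled
        EnforcedRuleTypes  = ($enforced -join ',')
        CoverageGap        = ($wslEnabled -and ($enforced.Count -gt 0))
    }
}

Get-WslAppLockerGap
```

A host that reports `CoverageGap = True` is one where application allow-listing is relied on but Linux binaries fall outside it, so the feature should either be disabled there or covered by another control.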
Adobe, the hacker’s favourite attack vector of choice, has announced that it will issue an emergency patch the week of August 16 to fix a critical flaw in its Reader and Acrobat software.
The flaw was spotted by insecurity expert Charlie Miller and shown off at last month’s Black Hat security conference.
Miller was using the open-source BitBlaze toolkit as a method to boost bug-hunting and has made a bit of a name for himself finding holes in Adobe’s PDF viewer.
According to a paper Miller published after the Black Hat conference, the bug is in Reader’s and Acrobat’s font parsing. It can be used to corrupt memory via a PDF file containing a specially-crafted TrueType font.
Today, Adobe announced it would release a rush security update during the week of August 16-20 instead of October 12.
Normally Adobe issues its quarterly security updates for Reader and Acrobat on Tuesdays, so we are expecting to see the out-of-band patch on August 17.
It is looking like Adobe will include fixes for vulnerabilities other than the one Miller uncovered. The company also said it would still ship its next regularly-scheduled quarterly update on October 12.
It has been a bad year for Adobe. It has had to issue several out-of-band updates this year for Reader. There was one in June for a bug which hackers were already exploiting, and it also rushed a Reader fix to customers in February.
It appears to have learnt its lesson. The next version of Adobe Reader 10, which should ship for Windows before the end of the year, is to include “sandboxing” technology to isolate malicious PDF documents.
The Black Hat Security Conference in Las Vegas majored on mobile apps security – or the virtual lack of it. Whatever mobile camp you belong to does not seem to matter. John Hering and Kevin Mahaffey of Lookout, a mobile phone security firm, introduced their App Genome Project which will highlight any security threats in smartphone apps.
On the face of it, it would seem that unmoderated Google Android apps would be riskier than those for Apple iPhones, which are vetted before appearing on iTunes. According to the data from Lookout, it looks like a close-run thing.
It appears that 29 percent of the free Android apps can access a user’s location, compared with 33 percent on the iPhone. Only eight percent of these Android apps can access user contacts but this almost doubles to 14 percent in Apple’s case.
The balance tips the other way when studying integrated third-party code in these programs. Almost half of the free Android apps include such code while the number is 23 percent on iPhones. There was also the horror story of Jackeey Wallpaper’s Chinese exploit. His One-Piece Wallpapers app allows the Android phone’s backdrop to be changed to My Little Pony or Star Wars (whatever floats your boat).
Meanwhile the app is busy collecting your phone number, subscriber identity and voicemail password ready for packing off to a server in Shenzhen, China. The only example of an iPhone exploit was one with its roots deep in the foundations of hackerdom and the phone phreakers of yore who believed that phone calls should be free.
A 15-year-old app programmer managed to get rogue code past the iTunes scrutineers. In an innocuously boring app which turned the iPhone into a poor version of a torch (imaginatively called Handy Light), the programmer hid code that allowed the iPhone to be used as a 3G modem which could be linked to a computer to allow free internet access.
One day there will be an exploit that makes users sit up and maybe we’ll see a cheap data encryption app integrated in mobile phone operating systems.