![WONTFIX! The MS Office cryptofail that “isn’t a security flaw” [Audio + Text] – Naked Security](https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2022/10/pic-1200.png?w=775 "WONTFIX! The MS Office cryptofail that “isn’t a security flaw” [Audio + Text] – Naked Security")
DOUG. Breathtaking breaches, decryptable encryption, and patches galore.
All that extra on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, all people.
I’m Doug Aamoth; he’s Paul Ducklin.
Paul, how do you do at this time, Sir?
DUCK. Doug…I do know, since you informed me upfront, what’s coming in This Week in Tech History, and it’s GREAT!
DOUG. OK!
This week, on 18 October 1958, an oscilloscope and a pc constructed to simulate wind resistance have been paired with customized aluminum controllers, and the sport Tennis for Two was born.
Shown off at a three-day exhibition on the Brookhaven National Laboratory, Tennis for Two proved to be extraordinarily well-liked, particularly with highschool college students.
If you’re listening to this, you will need to go to Wikipedia and search for “Tennis for Two”.
There’s a video there for one thing that was in-built 1958…
…I believe you’ll agree with me, Paul, it was fairly unbelievable.
DUCK. I’d *love* to play it at this time!
And, like Asteroids and Battle Zone, and people specifically remembered video games of the Nineteen Eighties…
…as a result of it’s an oscilloscope: vector graphics!
No pixellation, no variations relying on whether or not a line is at 90 levels, or 30 levels, or 45 levels.
And the sound suggestions from the relays within the controllers… it’s nice!
It’s unbelievable that this was 1958.
Harking again to a earlier This Week in Tech History, it was on the cusp of the transistor revolution.
Apparently, the computational half was a mix of thermionic valves (vacuum tubes) and relays.
And the show circuitry was all transistor-based, Doug
So it was proper on the mixture of all applied sciences: relays, valves and transistors, multi functional groundbreaking online game.
DOUG. Very cool.
Check it out on Wikipedia: Tennis for Two.
Now let’s transfer on to our first story.
Paul, I do know you to be very adept at writing a fantastic poem…
…I’ve written a really brief poem to introduce this primary story, in the event you’ll indulge me.
DUCK. So that’ll be two strains then, will it? [LAUGHS]
DOUG. It goes a bit one thing like this.
Zoom for Mac/Don’t get hijacked.
[VERY LONG SILENCE]
End poem.
DUCK. Oh, sorry!
I assumed that was the title, and that you simply have been going to do the poem now.
DOUG. So, that’s the poem.
DUCK. OK.
[WITHOUT EMOTION] Lovely, Doug.
DOUG. [IRONIC] Thank you.
DUCK. The rhyme was spectacular!
But not all poems must rhyme….
DOUG. That’s true.
DUCK. We’ll simply name it free verse, lets?
DOUG. OK, please.
DUCK. Unfortunately, this was a free backdoor into Zoom for Mac.
[FEELING GUILTY] Sorry, that wasn’t an excellent segue, Doug.
[LAUGHS] You tread on another person’s turf, you usually come up brief…
DOUG. No, it’s good!
I used to be attempting out poems this week; you’re attempting out segues.
We’ve acquired to get out of our consolation zones each occasionally.
DUCK. I assume that this was code that was meant to be compiled out when the ultimate construct was achieved, however by accident acquired left in.
It’s just for the Zoom for Mac model, and it has been patched, so be sure to are updated.
Basically, below some circumstances, when a video stream would begin or the digital camera was activated by the app itself, it could inadvertently suppose that you simply may need to debug this system.
Because, hey, perhaps you have been a developer! [LAUGHS]
That’s not purported to occur in launch builds, clearly.
And that meant there was a TCP debugging port left open on the native community interface.
That meant that anyone who might move packets into that port, which may very well be presumably some other locally-connected consumer, so it wouldn’t have to be an administrator and even you… even a visitor consumer, that might be sufficient.
So, an attacker who had some form of proxy malware in your laptop that might obtain packets from outdoors and inject them into the native interface might principally concern instructions to the center of this system.
And the everyday issues that debugging interfaces enable embrace: dump some reminiscence; extract secrets and techniques; change the behaviour of this system; modify configuration settings with out going by way of the same old interface so the consumer can’t see it; seize all of the audio with out telling anyone, with out popping up the recording warning; all of that type of stuff.
The excellent news is Zoom discovered it by themselves, and so they patched it fairly rapidly.
But it’s a nice reminder that as we are saying so usually, [LAUGHS] “There’s many a slip ‘twixt the cup and the lip.”
DOUG. All proper, superb.
Let us keep aboard the patch prepare, and pull into the subsequent station.
And this story… maybe essentially the most attention-grabbing a part of this story of the latest Patch Tuesday was what Microsoft *didn’t* embrace?
DUCK. Unfortunately, the patches that everyone was most likely anticipating – and we speculated in a current podcast, “Well, it looks as though Microsoft’s going to make us wait yet another week until Patch Tuesday, and not do an out-of-band “early release” are these two Exchange zero-days of current reminiscence.
What turned referred to as E00F, or Exchange Double Zero-day Flaw in my terminology, or ProxyNotShell because it’s maybe considerably confusingly identified within the Twittersphere.
So that was the large story on this month’s Patch Tuesday: these two bugs spectacularly didn’t get fastened.
And so we don’t know when that’s going to occur.
You have to just remember to have utilized any mitigations.
As I believe we’ve mentioned earlier than, Microsoft stored discovering that the earlier mitigations they advised… effectively, perhaps they weren’t fairly adequate, and so they stored altering their tune and adapting the story.
So, in the event you’re doubtful, you possibly can return to nakedsecurity.sophos.com, seek for the phrase ProxyNotShell (all one phrase), after which go and skim up on what we’ve acquired to say.
And you can too hyperlink to the newest model of Microsoft’s remediation…
…as a result of, of all of the issues in Patch Tuesday, that was essentially the most attention-grabbing, as you say: as a result of it was not there.
DOUG. OK, let’s now shift gears to a very irritating story.
This is a slap on the wrist for an enormous firm whose cybersecurity is so unhealthy that they didn’t even discover they’d been breached!
DUCK. Yes, it is a model that most individuals will most likely know as SHEIN (“she-in”), written as one phrase, all in capitals. (At the time of the breach, the corporate was referred to as Zoetop.)
And they’re what’s known as “fast fashion”.
You know, they pile it excessive and promote it low-cost, and never with out controversy about the place they get their designs from.
And, as a web-based retailer, you’ll maybe anticipate they’d the web retailing cybersecurity particulars down pat.
But, as you say, they didn’t!
And the workplace of the Attorney General of the State of New York within the USA determined that it was not proud of the way in which that New York residents had been handled who have been among the many victims of this breach.
So they took authorized motion in opposition to this firm… and it was an absolute litany of blunders, errors and finally coverups – in a phrase, Douglas, dishonesty.
They had this breach that they didn’t discover.
This, at the least up to now, was once disappointingly frequent: corporations wouldn’t realise they’d been breached till a bank card handler or a financial institution would contact them and say, “You know what, we’ve had an awful lot of complaints about fraud from customers this month.”
“And when we looked back at what they call the CPP, the common point of purchase, the one and only one merchant that every single victim seems to have bought something from is you. We reckon the leak came from you.”
And on this case, it was even worse.
Apparently one other cost processor got here alongside and mentioned, “Oh, by the way, we found a whole tranche of credit card numbers for sale, offered as stolen from you guys.”
So they’d clear proof that there had been both a breach in bulk, or a breach bit-by-bit.
DOUG. So certainly, when this firm was made conscious of this, they moved rapidly to rectify the state of affairs, proper?
DUCK. Well, that is determined by the way you… [LAUGHING] I shouldn’t chortle, Doug, as all the time.
That is determined by what you imply by “rectify”.
DOUG. [LAUGHING] Oh, god!
DUCK. So evidently they *did* take care of the issue… certainly, there have been elements of it that they lined up very well.
Apparently.
It appears that they abruptly determined, “Whoops, we’d better become PCI DSS compliant”.
Clearly they weren’t, as a result of they’d apparently been holding debug logs that had bank card particulars of failed transactions… all the pieces that you’re not supposed to write down to disk, they have been writing.
And then they realised that had occurred, however they couldn’t discover the place they left that information in their very own community!
So, clearly they knew they weren’t PCI DSS compliant.
They set about making themselves PCI DSS compliant, apparently, one thing that they achieved by 2019. (The breach occurred in 2018.)
But after they have been informed they needed to undergo an audit, a forensic investigation…
…in line with the New York Attorney General, they fairly intentionally acquired in the way in which of the investigator.
They principally allowed the investigators to see the system because it was *after* they fastened it, and welded it, and polished it, and so they mentioned, “Oh no, you can’t see the backups,”which sounds fairly naughty to me.
DOUG. Uh-huh.
DUCK. And additionally the way in which they disclosed the breach to their prospects drew vital ire from the State of New York.
In specific, evidently it was fairly apparent that 39,000,000 customers’ particulars in a roundabout way had been made off with, together with very weakly hashed passwords: a two-digit salt, and one spherical of MD5.
Not adequate in 1998, not to mention 2018!
So they knew that there was an issue for this massive variety of customers, however apparently they solely set about contacting the 6,000,000 of these customers who had really used their accounts and positioned orders.
And then they mentioned, “Well, we’ve at least contacted all of those people.”
And *then* it turned out that they hadn’t really actually contacted all 6,000,000 million customers!
They had simply contacted these of the six million who occurred to reside in Canada, the United States, or Europe.
So, in the event you’re from anyplace else on the planet, unhealthy luck!
As you possibly can think about, that didn’t go down effectively with the authorities, with the regulator.
And, I have to admit… to my shock, Doug, they have been fined $1.9 million.
Which, for a corporation that large…
DOUG. Yes!
DUCK. …and making errors that egregious, after which not being solely respectable and sincere about what had occurred, and being upbraided for mendacity in regards to the breach, in these phrases, by the Attorney General of New York?
I used to be form of imagining they may have suffered a extra severe destiny.
Perhaps even together with one thing that couldn’t simply be paid off by arising with some cash.
Oh, and the opposite factor they did is that when it was apparent that there have been customers whose passwords have been in danger… as a result of they have been deeply crackable on account of the truth that it was a two-digit salt, which implies you could possibly construct 100 precomputed dictionaries…
DOUG. Is that frequent?
Just a two-digit salt appears actually low!
DUCK. No, you’ll usually need 128 bits (16 bytes), and even 32 bytes.
Loosely talking, it doesn’t make a big distinction to the cracking pace anyway, as a result of (relying on the block measurement of the hash) you’re solely including two further digits into the combo.
So it’s not even as if the precise computing of the hashes takes any longer.
As far again as 2016, folks utilizing computer systems of eight GPUs operating the “hashcat” program, I believe, might do 200 billion MD5s a second.
Back then! (That quantity is one thing like 5 or ten instances larger now.)
So very, very eminently crackable.
But fairly than really contacting folks and saying, “Your password is at risk because we leaked the hash, and it wasn’t a very good one, you should change it”, [LAUGHTER] they simply mentioned…
…they have been very weaselly phrases, weren’t they?
DOUG. “Your password has a low security level and maybe at risk. Please change your login password.”
And then they modified it to, “Your password has not been updated for more than 365 days. For your protection, please update it now.”
DUCK. Yes, “Your password has a low security level…”
DOUG. “BECAUSE OF US!”
DUCK. That’s not simply patronising, is it?
That’s at or over the border into sufferer blaming, in my eyes.
Anyway, this didn’t appear to me to be a really sturdy incentive to corporations that don’t need to do the suitable factor.
DOUG. All proper, hold forth within the feedback, we’d like to listen to what you suppose!
That article is known as: Fashion model SHEIN fined $1.9 Million for mendacity about information breach.
And on to a different irritating story…
..,one other day, one other cautionary story about processing untrusted enter!
DUCK. Aaargh, I do know what that’s going to be, Doug.
That’s the Apache Commons Text bug, isn’t it?
DOUG. It is!
DUCK. Just to be clear, that’s not the Apache Web Server.
Apache is a software program basis that has a complete raft of merchandise and free instruments… and so they’re very helpful certainly, and they’re open supply, and so they’re nice.
But we now have had, within the Java a part of their ecosystem (the Apache Web Server httpd shouldn’t be written in Java, so let’s ignore that for now – don’t combine up Apache with Apache Web Server)…
…within the final yr, we’ve had three related issues in Apache’s Java libraries.
We had the notorious Log4Shell bug within the so-called Log4J (Logging for Java) library.
Then we had the same bug in, what was it?… Apache Commons Configuration, which is a toolkit for managing all types of configuration information, say INI information and XML information, all in a standardised manner.
And now in an excellent lower-level library known as Apache Commons Text.
The bug in within the factor that in Java is generally called “string interpolation”.
Programmers in different languages… in the event you use issues like PowerShell or Bash, you’ll realize it as “string substitution”.
It’s the place you possibly can magically make a sentence filled with characters flip right into a form of mini-program.
If you’ve ever used the Bash shell, you’ll know that in the event you sort the command echo USER, it’ll echo, or print out, the string USER and also you’ll see, on the display screen U-S-E-R.
But in the event you run the command echo $USER, then that doesn’t imply echo a greenback signal adopted by U-S-E-R.
What it means is, “Replace that magic string with the name of the currently logged in user, and print that instead.”
So on my laptop, in the event you echo USER, you get USER, however in the event you echo $USER, you get the phrase duck as an alternative.
And among the Java string substitutions go a lot, a lot, a lot additional than that… as anybody who suffered the enjoyment of fixing Log4Shell over Christmas 2021 will keep in mind!
There are all types of intelligent little mini-programs you could embed inside strings that you simply then course of with this string processing library.
So there’s the apparent one: to learn the username, you set ${env: (for “read the environment”) consumer}… you employ squiggly brackets.
It’s dollar-sign; squiggly bracket; some magic command; squiggly bracket that’s the magic half.
And sadly, on this library, there was uncontrolled default availability of magic instructions like: ${url:...}, which lets you trick the string processing library into reaching out on the web, downloading one thing, and printing out what it will get again from that net server as an alternative of the string ${url:...}.
So though that’s not fairly code injection, as a result of it’s simply uncooked HTML, it nonetheless means you possibly can put all types of rubbish and bizarre untrusted stuff into folks’s log information or their net pages.
There’s ${dns:...}, which implies you possibly can trick somebody’s server, which is perhaps a enterprise logic server contained in the community…
…you possibly can trick it into doing a DNS search for for a named server.
And in the event you personal that area, as a criminal, then you definitely additionally personal and function the DNS server that pertains to that area.
So, when the DNS search for occurs, guess what?
That search for terminates *at your server*, and may show you how to map out the innards of somebody’s enterprise community… not simply their net server, however stuff deeper within the community.
And lastly, and most worryingly, at the least with older variations of Java, there was… [LAUGHS] you realize what’s coming right here, Doug!
The command ${script:...}.
“Hey, let me provide you with some JavaScript and kindly run that for me.”
And you’re most likely pondering, “What?! Hang on, this is a bug in Java. What has JavaScript got to do with it?”
Well, till comparatively just lately… and keep in mind, many companies nonetheless use older, still-supported variations of the Java Development Kit.
Until just lately, Java… [LAUGHS] (once more, I shouldn’t chortle)… the Java Development Kit contained, inside itself, a full, working JavaScript engine, written in Java.
Now, there’s no relationship between Java and JavaScript besides the 4 letters “Java”, however you could possibly put ${script:javascript:...}and run code of your selection.
And, annoyingly, one of many issues that you are able to do within the JavaScript engine contained in the Java runtime is inform the JavaScript engine, “Hey, I want to run this thing via Java.”
So you may get Java to name *into* JavaScript, and JavaScript primarily to name *out* into Java.
And then, from Java, you possibly can go, “Hey, run this system command.”
And in the event you go to the Naked Security article, you will note me utilizing a suspect command to [COUGHS APOLOGETICALLY] pop a calc, Doug!
An HP RPN calculator, in fact, as a result of it’s I doing the calculator popping…
DOUG. It’s acquired to be, sure!
DUCK. …this one is an HP-10.
So though the chance shouldn’t be as nice as Log4Shell, you possibly can’t actually rule it out in the event you use this library.
We have some directions within the Naked Security article on learn how to discover out whether or not you could have the Commons Text library… and also you might need it, like many individuals did with Log4J, with out realising it, as a result of it could have come together with an app.
And we even have some pattern code there that you should utilize to check whether or not any mitigations that you simply’ve put in place have labored.
DOUG. All proper, head over to Naked Security.
That article is known as: Dangerous gap in Apache Commons Text – like Log4Shell another time.
And we wrap up with a query: “What happens when encrypted messages are only kinda-sorta encrypted?”
DUCK. Ah, you’re referring to what was, I suppose, an official bug report filed by cybersecurity researchers on the Finnish firm WithSecure just lately…
…in regards to the built-in encryption that’s supplied in Microsoft Office, or extra exactly, a characteristic known as Office 365 Message Encryption or OME.
It’s fairly useful to have a bit characteristic like that constructed into the app.
DOUG. Yes, it sounds easy and handy!
DUCK. Yes, besides… oh, expensive!
It appears that the rationale for that is all all the way down to backwards compatibility, Doug…
…that Microsoft need this characteristic to work all the way in which again to people who find themselves nonetheless utilizing Office 2010, which has fairly old-school decryption talents constructed into it.
Basically, evidently this OME technique of encrypting the file makes use of AES, which is the newest and best NIST-standardised encryption algorithm.
But it makes use of AES within the flawed so-called encryption mode.
It makes use of what’s referred to as ECB, or digital codebook mode.
And that’s merely the way in which that you simply discuss with uncooked AES.
AES encrypts 16 bytes at a time… by the way in which, it encrypts 16 bytes whether or not you employ AES-128, AES-192, or AES-256.
Don’t combine up the block measurement and the important thing measurement – the block measurement, the variety of bytes that get churned up and encrypted every time you flip the crank deal with on the cryptographic engine, is all the time 128 bis, or 16 bytes.
Anyway, in digital codebook mode, you merely take 16 bytes of enter, flip the crank deal with round as soon as below a given encryption key, and take the output, uncooked and unreprocessed.
And the issue with that’s that each time you get the identical enter in a doc aligned on the identical 16-byte boundary…
…you get precisely the identical information within the output.
So, patterns within the enter are revealed within the output, similar to they’re in a Caesar cipher or a Vigenère cipher:
Now, it doesn’t imply you possibly can crack the cipher, since you’re nonetheless coping with chunks which can be 128 bits vast at a time.
The drawback with digital code e-book mode arises exactly as a result of it leaks patterns from the plaintext into the ciphertext.
Known-plaintext assaults are attainable when you realize {that a} specific enter string encrypts in a sure manner, and for repeated textual content in a doc (like a header or an organization title), these patterns are mirrored.
And though this was reported as a bug to Microsoft, apparently the corporate has determined it’s not going to repair it as a result of it “doesn’t meet the bar” for a safety repair.
And evidently the reason being, “Well, we would be doing a disservice to people who are still using Office 2010.”
DOUG. Oof!
DUCK. Yes!
DOUG. And on that notice, we now have a reader remark for this week on this story.
Naked Security Reader Bill feedback, partially:
This jogs my memory of the ‘cribs’ that the Bletchley Park codebreakers used in the course of the Second World War. The Nazis usually ended messages with the identical closing phrase, and thus the codebreakers might work again from this closing set of encrypted characters, realizing what they seemingly represented. It is disappointing that 80 years later, we appear to be repeating the identical errors.
DUCK. 80 years!
Yes, it’s disappointing certainly.
My understanding is that different cribs that Allied code breakers might use, significantly for Nazi-enciphered texts, additionally handled the *starting* of the doc.
I consider this was a factor for German climate studies… there was a non secular format that they adopted to ensure they gave the climate studies precisely.
And climate studies, as you possibly can think about, throughout a struggle that entails aerial bombing at night time, have been actually essential issues!
It appears that these adopted a really, very strict sample that might, occasionally, be used as what you may name a bit little bit of a cryptographic “loosener”, or a wedge that you could possibly use to interrupt in within the first place.
And that, as Bill factors out… that’s precisely why AES, or any cipher, in digital codebook mode shouldn’t be passable for encrypting total paperwork!
DOUG. All proper, thanks for sending that in, Bill.
If you could have an attention-grabbing story, remark or query you’d wish to submit, we’d like to learn it on the podcast.
You can electronic mail suggestions@sophos.com, you possibly can touch upon any one in every of our articles, or you possibly can hit us up on social: @nakedsecurity.
That’s our present for at this time; thanks very a lot for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you till subsequent time to…
BOTH. Stay safe!