{"id":9637,"date":"2015-08-24T10:00:31","date_gmt":"2015-08-24T14:00:31","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=9637"},"modified":"2019-11-15T22:57:42","modified_gmt":"2019-11-15T11:57:42","slug":"security-week-34","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/security-week-34\/9637\/","title":{"rendered":"Security Week 34: One cannot simply patch\u2026"},"content":{"rendered":"

What a dreadful week this one has been for the infosec industry, my friends. Following an amusing week of discovering bugs<\/a>, zero-days and other researcher-coveted curios<\/a>, here comes the painful hangover of seeing all of this infiltrate into the vulnerable software. This is important, but often boredom inducing. Every time our news blog, Threatpost<\/a>, feeds me the freshly baked digest of infosec news with three headlining articles telling stuff about patching, this digest is pretty hard to digest.<\/p>\n

Well \u2013 anyway, this stuff is important! One cannot simply find a vulnerability, they say, but what is more difficult is patching it without wrecking it all. One can find a number of reasons why this very bug cannot be patched right now, or this quarter, or, like, ever. Yet, the problem has to be solved.<\/p>\n

Today\u2019s hit parade features three stories covering bugs which remain woefully unpatched. Once, again, the rules of the road: every week Threatpost\u2019s team hand-picks three important news which I would restlessly comment. All previous editions can be found here<\/a>.<\/p>\n

Another Android bug, now in Google Admin<\/h3>\n

The Threatpost story<\/a>. Research<\/a> by MWR.<\/p>\n

What was found?<\/em><\/p>\n

Have you ever noticed those love letters from bugs are delivered in piles lately? Gee, a car got hacked<\/a>? Let\u2019s find a dozen more holes in cars<\/a>! The same pattern is easily noticeable with regard to the latest news around Android. First Stagefright, then a couple of smaller bugs, now this Google Admin and Shawshank redemption<\/del> an escape from sandbox.<\/p>\n

\"Security<\/a><\/p>\n

Google Admin, one of Android\u2019s system-level apps, may accept URLs from other apps and, as it turned to be, any URLs would be fine, even those starting with \u2018file:\/\/\u2019. As a result, a simple networking stuff like downloading web pages starts to evolve into a whole file manager kind of thing. Aren\u2019t all Android apps isolated from each other? Heck no, Google Admin enjoys higher privileges, and by luring it into reading some rogue URL, an app can escape sandbox and access private data.<\/p>\n

How was that patched?<\/em><\/p>\n

First, allow me to brief you on the way independent researched disclosed the vulnerability. It was discovered as far back as March, with a corresponding report submitted to Goggle. Five months later, the researchers once again checked out what was going on only to find the bug remained unpatched. On the 13th of August the information on the bug was publicly disclosed, prompting Google to finally issue the patch.<\/p>\n

By the way, Google does have an in-house research team that devotes time and effort to hunting bugs everywhere, not limited to its own software. Google Project Zero<\/a> usually allows for 90 days before going public with the bug, which makes one wonder whether Google is able to patch itself in 90-days\u2019 time, after all.<\/p>\n

But with Google Admin, something went terribly wrong: first, something, indeed, was definitely wrong; second, we all know that patching would not necessarily solve the issue on all vulnerable Android devices. Monthly security updates<\/a>, you say? How about working on a patch for half-year, heh? Hear, hear.<\/p>\n

\"Security<\/a><\/p>\n

Open vulnerability in Schneider Electric\u2019s SCADA<\/h3>\n

The Threatpost story<\/a>. ICS-CERT Advisory<\/a>.<\/p>\n

Welcome to the fascinating world of critical infrastructure! Please be seated, make yourself comfortable, don\u2019t touch that scary red switch and hands off those wires weirdly sticking out of that thing. Yes, they are meant to stick out. That\u2019s fine. Yep. They\u2019ve been like that for ages. Once you touch them, we are all screwed.<\/p>\n

SCADA systems are a part of critical infrastructures that are responsible for handling important stuff like boilers in your apartment building or even nuclear plants. Such systems are not meant to be tampered with, switched off, or reset. Don\u2019t horse around with any parameters, simply, don\u2019t you touch anything!<\/p>\n

#Security Week 34: new unpatched #vulnerabilities in #Android, Mac #OSX, Schneider Electric #SCADA and more<\/p>Tweet<\/a><\/blockquote>\n

Should you have questions, God forbid to try it on your own, better read our article on this topic<\/a>. Meanwhile, let us just admit that, despite of those systems being uber-critical, quite frequently are they deployed on regular PCs running good old Windows. Unlike typical enterprises, which update or replace their hardware and software at least once in five years or so, some industrial facility robot or centrifuge that serves to keep some deadly chemicals apart, might operate 24\/7 for decades on the same hardware.<\/p>\n

What was found?<\/em><\/p>\n

Well, a pile of bugs was found in one of such systems \u2014 Schneider Electric\u2019s Modicon M340<\/a> (ah, so romantic!) PLC Station P34 CPU. In a nutshell, this series of vulnerabilities would allow an outsider to gain control over\u2026 well, basically, anything the system would be governing. A quite mainstream flaw was found there (by the way, it is frequently found in a number of routers and IoT stuff), which we call hard-coder credentials.<\/p>\n

\n

Risky Schneider Electric SCADA Vulnerabilities Remain Unpatched https:\/\/t.co\/2oGDTbr7qE<\/a> via @threatpost<\/a> pic.twitter.com\/eyPAY6Aikn<\/a><\/p>\n

\u2014 Kaspersky (@kaspersky) August 17, 2015<\/a><\/p><\/blockquote>\n