Security Now Episode 858 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show. 

Leo Laporte (00:00:00):
It's time for Security Now. This week, a new zero-day in Chrome and Apple's OSes, and a recommendation from the federal government to fix it fast. Why it was a bad day on Super Bowl Sunday for security experts who are still using an Adobe product. And a new program from Steve that puts you in control of Windows 10. It's all coming up next on Security Now. Podcasts you love

VO (00:00:31):
From people you trust.

VO (00:00:34):
This is TWiT.

Leo Laporte (00:00:38):
This is Security Now with Steve Gibson, episode 858, recorded Tuesday, February 15th, 2022: InControl. Security Now listeners, our annual survey is on and going strong. It helps us understand you better, helps us find advertisers who fit your interests. It's optional, of course, but it sure helps us a lot. twit.tv/survey22 is the address. Take it now before it closes in March. It'll only take a couple of minutes and I really appreciate it. twit.tv/survey22. Thank you. Security Now is brought to you by Thinkst Canary. Detect attackers on your network while avoiding irritating false alarms. Get the alerts that matter, for 10% off and a 60-day money back guarantee. Go to canary.tools/twit and enter the code TWiT in the "How did you hear about us?" box. And by New Relic. That next 3:00 AM call is just waiting to happen. Get New Relic before it does, and you can get access to the whole New Relic platform and 100 gigabytes of data free forever. No credit card required. Sign up at newrelic.com/securitynow. And by Barracuda. Barracuda has identified 13 types of email threats and how cyber criminals use 'em every day: phishing, conversation hacking, ransomware, plus 10 more tricks cyber criminals use to steal money from your company or personal information from your employees and customers. Get your free ebook at barracuda.com/securitynow. It's time for Security Now, the show where we cover your security and privacy online with this guy right here, Steve Gibson from grc.com. Hello, Steve.

Steve Gibson (00:02:30):
Hey, Leo. Great to be with you once again for episode 858. Wow. This middle of February, the short month of the year, a bunch of stuff is happening, but there was no single huge event. So I ended up somewhat self-consciously naming the podcast after my most recent piece of freeware.

Leo Laporte (00:02:58):
I saw your tweet

Steve Gibson (00:03:00):
Called InControl. Yeah.

Leo Laporte (00:03:01):
And a big announcement.

Steve Gibson (00:03:02):
Yeah. So we'll just sort of, I'll, I'll, I'll end, I'll announce it formally at the end of the podcast, explain what it is. But we're gonna first take a look at a couple of new zero-days in Chrome and in Apple's various products. I mean, again, common code base. It's good for the developers. It does mean that when you've got a problem, it's everywhere. And as is the case here, we also look at what the U.S. CISA, you know, the CISA, thinks of not only those zero-days, one of which it's saying thou must patch, but of 15 other problems that our federal agencies seem to be in no big hurry to fix. We're gonna revisit last summer's SeriousSAM vulnerability in Windows, which has remained serious and under attack.

Steve Gibson (00:04:00):
This being the third Tuesday of the month, we'll look back at last week's second Tuesday to see how that went. Also, strangely, Sunday saw a true emergency patch issued by Adobe that probably canceled some Super Bowl plans, because, I mean, it was really an emergency. Hmm. Yeah. And we have an amazingly bad idea for a WordPress add-on. Google has published their 2021 bounty report. And, you know, boy, if you're looking for some spare change. And their Project Zero has published stats on how things are going over there. We have Microsoft removing a popular and highly abused feature of Windows. And, you know, they never take stuff out. They put a lot in, but it's rare that anything leaves. Anyway, it's gonna happen. And then, because, as I said, nothing else in the past week commanded the podcast's title.

Steve Gibson (00:05:04):
Although I think I know what I'm gonna talk about next week, because I just ran across something. It was like, ooh, it's too late to get it in. But there was a very effective, deliberate BGP hijack, which was leveraged into, like, it made money for the hijackers. And, you know, normally we talk about Border Gateway Protocol mistakes. The threat is when they're not a mistake, and one happened. So I think we'll talk about that next week. Anyway, as I said, I'll wind up by formally introducing GRC's latest piece of freeware, which puts its users firmly in control. Hmm.

Leo Laporte (00:05:41):
Good name. And I like it that you made it more than just Windows 11. I mean, you've got other things too you can do, right? Yeah. It's more than just blocking that annoying piece.

Steve Gibson (00:05:51):
Yeah. Well, in fact, you know, I'll explain. My first name was Stay Put, which is

Leo Laporte (00:05:59):
Also a good name. Although it sounds like it's involved with pets in some form or fashion.

Steve Gibson (00:06:04):
But, okay. Windows, now you just stay put, you just stay there. But what happened was the concept evolved, and a couple of users said, well, what if I don't wanna just stay put? I want to do this. I thought, yeah, that's a good point. So you wanna be in control.

Leo Laporte (00:06:20):
Personal agency. Exactly. Right. Because

Steve Gibson (00:06:22):
As we know, it's out of control otherwise. So

Leo Laporte (00:06:26):
Windows has a mind of its own. Hey, I wanna talk a little bit about our sponsor before we get to the picture of the week and, of course, all of the security news. And we've talked about 'em so many times before. I'm talking about my Thinkst Canary. Yeah. It's just this little black box, but boy, this little black box just does a whole lot. It's a honeypot. That's, I mean, that describes it in a nutshell. If there's anything that we know from all of the security news you get listening to Security Now, the bad guys these days don't just break into your system and mess with it. They break into your system and they hang out. They hang out. In fact, our own beloved San Francisco 49ers got hit by a ransomware attack. But before they did, the group that attacked them said, well, we got a lot of financial data.

Leo Laporte (00:07:17):
We've downloaded from the website. See, that's the problem. On average, it takes 191 days before a company realizes there's somebody in the network, there's been a data breach. And this is the way to know if there's somebody browsing around your network. It is a honeypot, a device that doesn't look like a thing called Canary. It looks like something else: a SCADA device, network attached storage, a Windows server, a Linux server. It can be lit up like a Christmas tree, or just have a few select services opened. But man, when somebody accesses this, whether they try to log in or open a document attached to it, when they browse Active Directory for file servers and explore file shares, they'll be looking for documents. Maybe they'll be trying to open something called perhaps "salary info," that kind of thing, contracts with your players, that kind of thing.

Leo Laporte (00:08:18):
Instead of that actually being a real document, it's a token that phones home. Instead of being a real network attached storage, in this case it's my Synology NAS. It's not, though. It looks just like it. It has a MAC address associated with Synology. In every respect, undetectable, it's indistinguishable from a Synology NAS or a SCADA device or a Windows server. But as soon as they try to log in, or even just touch it, it gives me an actionable alert. And I know there's somebody else in the network. I think this is brilliant. You can enroll it in Active Directory. You can put fake files on it. You can make it a router, a switch, a server. I just think this is a brilliant idea. And with every Canary hardware device you can do as many Canary tokens as you want, tiny little tripwire files you can put all over the place that will also be useful.

Leo Laporte (00:09:13):
Now, what's nice is you get to configure how you get the alerts. You can have it via email, by a text message. You get a console with every Canary, so you can have it there. They support, of course, webhooks. It supports syslog. It even has an API. So you can have it Slack you. You know, I have a Slack channel for our canaries. They can let you know. Data breaches are the number one threat right now, and the worst thing that can happen to you is an advanced persistent threat, somebody wandering your network, looking at your stuff, exfiltrating information. Canary was created by people who've trained companies, militaries, and governments on how to be that bad guy, how to break into networks. They took the knowledge they've gained from that over the last couple of decades and built Canary. Canaries are deployed all over the world, on all the continents.

Leo Laporte (00:10:05):
One of the best tools against data breaches. Here's the deal: canary.tools/twit. That's the place to go. canary.tools/twit. Some might have hundreds of them; a casino operation, backend, hundreds of them. A small business might have a few. But I'll give you an example. Now, this is just an example. You get as many as you need, but let's say you wanted five canaries, which would be good for a kind of small to medium sized business: $7,500 a year. You get, as I mentioned, that hosted console, get upgrades, support, and maintenance. You sit on the Canary, it's just a little device, somebody steps on it, they'll send you a new one. It's part of the deal, right away. I want you to do one thing for me and Steve, though: use the offer code TWiT when you sign up. Okay. TWiT, T-W-I-T. Put that in the "How did you hear about us?"

Leo Laporte (00:10:55):
box. You'll get 10% off the price of this and every Canary you buy for the rest of your life. That's a good deal. Offer code TWiT, 10% off the price for life. And incidentally, they have a very generous two-month money back guarantee for a full refund. So if it doesn't do what you think you need it to do. I think you're gonna be very happy. I think the reason they can offer this is cuz nobody ever does it. But, you know, it's always good to know. Two months, money back guarantee. Canary, C-A-N-A-R-Y, like a canary in a coal mine. Get it? Your early warning system. canary.tools/twit. Offer code is TWiT. Put that in the "How did you hear about us?" box for 10% off

Leo Laporte (00:11:38):
For life?

Steve Gibson (00:11:39):
So our picture of the week is not techy. Often they are, but it was in my pile of images for the podcast, and I just got a kick out of it. For those who are not seeing the video or the notes, we've got two guys, sort of scraggly looking, on an empty plain with a sun in the background and some hills, but, you know, like not a lot going on. There's no cars or anything, because it's a long time ago. And one says to the other, "I keep writing Stone Age instead of Bronze Age on all my checks."

Leo Laporte (00:12:22):
Don't you hate it? Don't you hate it when that happens?

Steve Gibson (00:12:25):
The age changes and you just keep thinking you're where you were. Of course.

Leo Laporte (00:12:30):
We're in the information age. You don't have checks anymore. But we remember those days. It's funny. I don't think I've written a check this year at all.

Steve Gibson (00:12:38):
I haven't. And although I, I have a, you know, Sue is my, my bookkeeper person. So she does all that.

Leo Laporte (00:12:45):
For it probably is printed and checks all the time. But, and

Steve Gibson (00:12:48):
I think what happened, clearly, was once upon a time we were, I mean, you had to, like, buy more checkbooks, right? You'd, like, run out of checks and you had to get more.

Leo Laporte (00:12:57):
Yeah, I

Steve Gibson (00:12:57):
Remember those days? More printed. Yeah. So you, like, you know, 1995, you were just, like, writing blah, blah, blah, 1995, 1995, like over and over and over and over, so that it just became muscle memory. And then New Year's happens and you still gotta write some checks, and your hand just automatically writes 1995 because, you know, you've done it 300 times. Honestly,

Leo Laporte (00:13:21):
You know, the problem these days is remembering how to handwrite. I just, I can't. Oh,

Steve Gibson (00:13:28):
I, I gave that up in high school. It's like, what, what,

Leo Laporte (00:13:31):
What's my signature again? I

Steve Gibson (00:13:33):
Just started printing because as I printing is safer,

Leo Laporte (00:13:36):
I asked my son to autograph. He gave me a knife for Christmas. I said, oh, autograph the box so I can auction it when you're famous, which he's getting very close to being. And he signed it. I said, that's your signature? I can't even, I don't know what that is. It's just, mm. Could you just write your name under there? So at least somebody will know this is. He said, yeah, I know, because he never learned that. His generation, what do they

Steve Gibson (00:13:58):
Need? That's really a good point. I mean, you know, it just isn't a skill that you have

Leo Laporte (00:14:05):
To have. I said, you gotta practice your autograph dude to get ready

Steve Gibson (00:14:08):
Actually is gonna get kinda lost, isn't

Leo Laporte (00:14:10):
It, over. And then he said, nobody does autographs anymore, Dad. They do selfies. And I went, oh, you're right. Yeah. Never mind.

Steve Gibson (00:14:17):
Oh, Leo.

Leo Laporte (00:14:19):
So I took a selfie with him.

Steve Gibson (00:14:22):
Okay. So we have a high severity zero-day in Chrome. Just yesterday, Google moved Chrome for the desktop up to 98.0.4758.102 to eliminate a high severity zero-day vulnerability that was spotted being used in attacks. And as usual, Google is closed-mouthed about details, saying only that they're aware of reports that an exploit for it exists. And it was assigned CVE-2022, wow, a low number, 0609. And not surprisingly, it's a use-after-free error, which is what the predominance of errors seem to be these days, in Google's Chrome support for animation. And yes, exploits exist in the wild. While they were at it, they also fixed seven other security problems, all but one of which were classified as being high severity. So apparently not zero-days, but yes, high. You know, and so it goes, since exploits for today's vulnerabilities are considered highly valuable by those who have them only until they're known.

Steve Gibson (00:15:48):
And since, you know, it's a marketplace, right, they may have paid a hefty price from the likes of Zerodium for it. So they're never used in widespread, indiscriminate attacks, only against targeted individuals or entities of some kind. So, you know, it's unlikely in the extreme that any of us will be a target specifically of any of these problems that get fixed. But keeping our browsers updated is, you know, so quick and easy and automatic for most of us. I, for whatever reason, they are generally rolling these things out, and I seem to always be at the end of the list, but when I looked, it said, oh, oh, oh yeah, we have an update for you. Just, you know, restart your browser and you'll be good. It's like, okay, fine. So here we are in mid-February, the 15th, with the first of the 2022 Chrome zero-days patched.

Steve Gibson (00:16:52):
And as we know, last year Google addressed 16 zero-day vulnerabilities. The first one was on February 4th and the second one was on March 2nd. So we're kind of, like, right in the middle of where the first two happened. So this year is starting out a little bit better than last, and we'll see how it goes. Apple also updated against another zero-day. This was last Thursday, and I did notice a couple of my iDevices that, oh, you're gonna, you know, log back in again manually. We don't trust your face. So that, you know, they had to restart. iOS, iPadOS, macOS, and Safari, so across the board, due to a flaw in WebKit that was believed also to be actively exploited in the wild. So far this year, Apple is having a bit of a rougher time of it than Google, you know, with Google and Chrome, since this will be Apple's third zero-day that it has patched so far.

Steve Gibson (00:18:00):
So, you know, the NSO Group sure has been giving Apple a run for their money. It does tell you that our software is incredibly complex. There are problems lurking in software, and when there is enough incentive, and we're gonna be talking a lot about patching incentives later on, cause we're gonna be talking about bug bounties and so forth, when there's enough incentive to get into people's devices, there's a way. Much like Chrome, and like so many of the flaws we've been encountering recently, the problem is, again, another use-after-free vulnerability, which grants its attacker arbitrary code execution. And much like Google, Apple is not saying much beyond "Apple is aware of a report that this issue may have been actively exploited." They credited an anonymous researcher for discovering and reporting the flaw. So anyway, updates are available for all Apple devices that are receiving them. And my phone wasn't up to speed. I went there, looked under Settings, you know, General and then Settings and then Updates, and it wanted to install. It wanted permission to install 15.3.1, which it was ready to do. So anyway, if you're worried about your devices, if by some chance you're a high target person, then yeah, you'll wanna update and close this latest problem.

Steve Gibson (00:19:37):
CISA, you know, CISA, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, which, boy, we have to live with that one for a long time, has added that Apple zero-day we were just talking about to its shortlist catalog of vulnerabilities being exploited in the wild. And for some reason, they lit a fire under this one. Or, as I was thinking about this, maybe it's just because it's just not a big deal to update it. You know, you could argue that, okay, if there is a vulnerability that is arduous for some reason to patch, well, okay, then you give people a little more time. But, you know, this is just say yes to Apple and, you know, let it restart your device. So don't wait. And apparently, you know, maybe they have some information about where these attacks are being aimed.

Steve Gibson (00:20:31):
They may notice something that Apple's not saying. According to the CISA binding operational directive, and of course everything is acronyms with these guys, so this is BOD 22-01, I guess, is the first binding operational directive of the year. Federal agencies are now required to patch their systems against this actively exploited vulnerability impacting, as I said, iOS, iPadOS, and macOS devices. CISA said that all federal civilian executive branch agencies, and yes, there's an acronym for that, have until February 25th, 2022. What's the 25th? That's a week from next, or yeah, a week from this coming Friday. So the 25th. So, you know, a week and a half to fully patch against this vulnerability. And again, it must be that they're saying do it now because it's just not difficult to restart your device. CISA said, quote, "These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise."

Steve Gibson (00:21:45):
And they added that, although BOD 22-01 only applies to FCEB, okay, so that's the federal civilian executive branch agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalogued, as they call it, we'll talk about that in a minute, catalogued vulnerabilities as part of their vulnerability management practice. And what's interesting is that this CISA catalog is a short list. It contains only 16 vulnerabilities, for which, like, of all the patches that are out there, they've chosen 16. And that's because they are known to still be actively exploited in the wild. Anyway, as I said, we'll get back to that in a second. But one of them, the SeriousSAM vulnerability, as it was called last summer when we first talked about it, last Thursday CISA also asked all federal civilian executive branch agencies to patch. Okay, this is CVE-2021, because, as I said, from last year, -36934, which is the Microsoft Windows Security Accounts Manager, that is the SAM, Security Account Manager, bug that allows privilege escalation and credential theft.

Steve Gibson (00:23:17):
And for this one, they gave a February 24th patch deadline. In other words, two weeks from last Thursday. You know, again, get this done. And in fact it was last Thursday that they made the announcement. So at announcement time, their deadline was two weeks from today. And the reason being that this thing's been around since last summer. We talked about SeriousSAM when the news of it broke. As its name suggests, it's serious. It's an elevation of privilege vulnerability which was introduced into all Windows client and server editions released since October of 2018 and then up until July of 2021. Okay. So I mean it started with Windows 10 1809 and the matching server version, which was 2019. And the vulnerability was irresponsibly disclosed via a tweet. So despite not being exploited at the time, you know, as we know, Microsoft designates things that surprise them as zero-days.

Steve Gibson (00:24:31):
So they called this a zero-day because it was an unwelcome surprise to them when they read about it, when they all have Twitter. What, it's hysterical. So, yeah, the problem arose due to an overly permissive access control list, you know, ACLs, which were present on multiple security-critical system files. So that was an oopsie which somehow crept into Windows, you know, like Windows 10, not the first Windows 10, but they'd had a few before that, and that included the Security Accounts Manager database. And you don't want anybody looking at that. That's not supposed to be, like, anyone other than the kernel. So an attacker who successfully exploits this vulnerability could have full run of the system, able to run arbitrary code with SYSTEM privileges, which of course allows such an attacker to install programs; view, change, delete data; and create new accounts with any rights they choose, typically all.

Steve Gibson (00:25:39):
Okay. Now, all that said, what might jog your memory, cuz it did mine, about this one in particular, is that simply correcting the overly permissive access control lists does not eliminate it fully. After installing the patch, it's necessary to then manually delete all volume shadow copies of system files, including the SAM database, since the trouble is with their default permissions, which would be restored along with the files, excuse me, if those backup files with their permissive permissions could be restored too. So we talked about this at the time, which is why I suggested it might jog people's memory, that yes, not only did you need to fix the permissions on the files that are now in use in your system, but Windows is actively maintaining backups as it makes changes, which is how it's able to roll mistakes back and, like, you know, fix things that it tries and then doesn't, and don't work.

Steve Gibson (00:26:54):
So it's definitely necessary to do that. Otherwise the bad guys could still access the archived files that have the weak permissions. So that has to all be done. Okay. So all of that happened when we talked about it last July. Believe it or not, here we are eight months later, and the U.S. CISA is finally having to lower a boom on federal civilian executive branch agencies now. And, you know, they did that with Log4j, right? Like a couple weeks before Christmas, trying to cancel Christmas. That didn't work either. So I'm not sure what it means for CISA to say, you know, thou shalt update by February 24th, because, you know, that may or may not happen. You know, it's a week from next Thursday to get this all resolved, you know, and you wonder how it can possibly be that a serious vulnerability which received an emergency patch,

Steve Gibson (00:28:08):
this was an out-of-cycle emergency, that hit on July 20th of last summer, how has that not yet been fixed? Every Windows update since then would've incorporated the fix for it. So could it possibly be that there are U.S. federal civilian executive branch agencies that have not applied any updates to Windows since last summer? You know, if so, I hesitate to say they deserve what they get, but really. At some point, okay, so this top 16 list. I think it's worth taking a look at that list of things that CISA says really must be fixed by those agencies over which it apparently exercises some jurisdiction, even if it's not able to cancel Christmas, as we can see in the table on the next page. And I'll explain what's there for those who can't see. We've got a mixture of old and new vulnerabilities, actually sort of a ladder of vulnerabilities through time.

Steve Gibson (00:29:19):
And they're recognizable to people who've been following along, some oldies but goodies, given their CVE dates, which start at 2014. We have one from then, 2014; 3 from 2015; 1 from 2016; 7, that was a busy year, from 2017; 1 from 2018; somehow 2019 sneaked past without any; then one from 2020; and of course the SeriousSAM vulnerability from last summer. Interestingly, you know, all of our old friends are there. We've got the oldest pair from 2014 and '15 are Apple OS X vulnerabilities. We've got that HTTP.sys remote code execution from 2015, as well as that D-Link DIR-645 router remote code execution. That's been around forever. And apparently, I mean, the point is these are things that are still being attacked. There are machines still out there expressing some vulnerability to them. 2017 had that SMBv1, you know, the Windows file and printer sharing version one remote code execution that we talked about, what, four or five years ago now. There's a remote code execution in Office.

Steve Gibson (00:30:49):
And then there was that raft of win32k privilege escalation vulnerabilities. Remember when we had a whole spate of those? That was from that polar bear hacker girl, remember her, SandboxEscaper. And she had that really cool one-person tent thing, kind of a kayak that you got into and zipped over yourself and hoped that there weren't any actual polar bears around. And, you know, she kept annoying Microsoft with, you know, her tweets of just, like, oh yeah, here's another one. Here's another one. I'm bored. Here's another one. And they ended up hiring her. So that was good. There was also, I remember you and I, Leo, talked about this in 2017, a Windows .LNK, a shortcut link file, remote code execution. And it was like, what, it's 2017?

Steve Gibson (00:31:49):
We're still having problems with, you know, shortcuts. Wow. Apache Struts had that improper input validation problem at the end of 2017. And then there was version three of the SMB, Server Message Block. As I said, when I talked last week about, like, how many problems there are in these legacy protocols? Well, yeah. You know, more of them in 2020. Anyway, all of our old friends are still there. And what's astonishing is that CISA selected them all out and listed them in this must-fix-by-a-deadline chart. Because, as I keep saying, these things are still being exploited. They're the most exploited vulnerabilities today. CISA says if these were to get patched, things would get much better. And in the far right column is the patch deadline. Aside from that one at the top, which is, you know, the next Thursday deadline, this is giving everybody until August 10th.

Steve Gibson (00:33:03):
And when I was looking at that, I was thinking, August 10th, that's a Wednesday. What, you know, what's that? The only thing I can think of is that it must have been some integer number of months from the date this commandment chart first dropped upon these federal agencies. Probably, what, nine months, I guess? Maybe. Who knows when. But in any event, everybody has to have all these fixed by Wednesday, August 10th, which, really, you know, patches are available for all of them. So especially Apple OS X, there can't be any machines that have not been, you know, rebooted and updated since then. But CISA says that's what people are looking for. So let's hope that happens. And speaking of patching, Patch Tuesday, which has really become an industrywide monthly patching extravaganza, and this month Microsoft did not disappoint.

Steve Gibson (00:34:12):
They fixed 51 vulnerabilities occurring in Windows, Office, Teams, Azure Data Explorer, Visual Studio Code, and various Windows kernel components. Among the 51 defects resolved, 50 of those are rated important and one is rated moderate. And if you're thinking to yourself, wait, 51, 50 are important and one is moderate, were none critical? No. No zero-days, nothing was critical. And of course you'd be correct to be surprised by that observation. Last week was a rare Patch Tuesday. Microsoft also fixed an additional 19 flaws in their Chromium-based Edge web browser. None of the security vulnerabilities are known to be actively exploited, though one of the flaws fixed is, again, what Microsoft calls a zero-day, inasmuch as it was publicly disclosed even though it wasn't yet exploited, you know? So yeah, someone just said, hey, this, and Microsoft said, oh, okay, we're gonna fix that.

Steve Gibson (00:35:27):
It's a privilege escalation bug in the Windows kernel. So it's potentially important. There were also a handful of remote code execution vulnerabilities. So always good to have those gone, and also good that nobody had discovered them before they were all being patched. One was in Microsoft's DNS server that earned itself a CVSS of 8.8. SharePoint Server also had an RCE of 8.8. Windows Hyper-V had an RCE that scored 5.3. And that HEVC Video Extensions had three of its own remote code execution vulnerabilities with CVSSes of 7.8. And again, we talked about how this happens in something like a codec. Those are difficult to secure. They are very complicated interpreters which are interpreting compressed, tokenized data. And the inherent assumption, you know, being made by the people who are writing the decompressors, is that what they're being given was written by an authentic compressor. Very hard to, you know, catch the flaw in that thinking. Azure Data Explorer contained a spoofing vulnerability, earning itself a CVSS of 8.1. Outlook contained a security bypass vulnerability, 5.3, as did OneDrive for Android, also with, actually it was a little easier to exploit.

Steve Gibson (00:37:10):
So that got a 5.9. .NET and Teams both had denial of service vulnerabilities, meaning, you know, you can crash them, with CVSSes of 7.5. And the world is not yet done with Microsoft's print spooler, which saw four elevation of privilege flaws fixed, as well as one in the win32k driver, which got a CVSS of 7.8. And that one, that win32k elevation of privilege, was tagged as being more likely to be exploited because last month a very similar vulnerability in the same place, the win32k driver, did come under attack shortly after it was patched. So again, you know, the bad guys, as we've said, they look at what gets fixed. They know there's a window between Microsoft's release of these and, you know, everything we were just talking about with CISA says that. So in some cases that window's open for a long time still. They know that there is an opportunity during which they're able to attack something just patched.

Steve Gibson (00:38:23):
So patches are analyzed, they are reverse engineered, the problem fixed is found, then an exploit is designed and somebody tries to take advantage of it. So Microsoft is suggesting that this one is likely to be exploited quickly, too. And again, though, you know, these are not affecting most of us. You know, these little high value vulnerabilities are gonna be exploited only in targeted attacks. I mentioned at the top that Patch Tuesday has evolved over the years to become an industrywide event. Besides Microsoft, security updates were also released last Tuesday by, in alphabetical order, Adobe. Although again, remember we're gonna get to the Super Bowl Sunday surprise that Adobe dropped after they released all of their patches on Patch Tuesday. Also Android, Cisco, Citrix, Intel, the various Linux distributions from Oracle, Red Hat and SUSE, Mozilla's Firefox, SAP, Schneider Electric, and Siemens all said, hey, let's put our patches out on the same day. And you gotta wonder how IT folks, you know, get anything done on these second Tuesdays and the days immediately following. I imagine they actually don't. They just probably, you know, and this is why we've sort of established this as an industrywide patch fest, is that they're able to say, you know, like cancel lunch and, you know, not have any like, you know, away meetings and things, and basically just do nothing but analyze and decide what's safe to do and get that done as quickly as possible. Because you know, these days we know that the bad guys are gonna jump on them immediately and try to take advantage of 'em.

Steve Gibson (00:40:24):
And Leo, I'm gonna jump on my water bottle.

Leo Laporte (00:40:28):
Don't jump too hard. You don't want I'm a little,

Steve Gibson (00:40:30):
I'm a little

Leo Laporte (00:40:30):
Scratchy. Okay. We'll take a little break. Come back with more of Security Now. Our sponsor for this hour is here to help you. If you are in charge of a network, if you're in charge of servers, if you are at a company where you get the call at 3:00 AM, for whatever reason, you need to know about New Relic. You've been there, right? 3:00 AM, tucked in nice and cozy, fast asleep, phone rings. The alert comes in, the Slack buzzes at you, something's broken, and then you go, what the heck was it? Was it that update I pushed last night? Is it the back end? Is it the front end? Is it the server? Is it global? Is it local? You know, there's a lot of questions. You gotta figure out what's going on so you can fix it. And now you got your whole team scrambling. They're moving from tool to tool, scratching their heads, messaging everybody saying, what's going on? It's the worst thing in the world at 3:00 AM. And we've all been through it

Steve Gibson (00:41:29):
Unless

Leo Laporte (00:41:31):
You've got network observability. Have you heard that term? New Relic did a report in which they found only half of all organizations are implementing observability for their networks and systems. That means half haven't. And by a large margin, those who are using or are looking into network observability are using New Relic. New Relic, you know, I know you know the name, but did you know New Relic now combines 16 different monitoring products under one umbrella, one install? Normally you'd buy 'em all separately. You'd try to figure out how each works. You'd be jumping back and forth. Now in one, you know, single install you get application monitoring, APM, which is unified application monitoring for your apps, but also for your microservices. This is so smart. It has the symbol table, right? It's integrated into what you're doing. So you'll get an alert that says line 43, get in.

Leo Laporte (00:42:31):
It's like a, you know, like a debugging command, like an error command while you're compiling. But this tells you exactly what's going on and you can fix it. If you use Kubernetes, you'll love Pixie. You must know about Pixie, instant Kubernetes observability. They've got distributed tracing, so you can see all your traces without management headaches. Find and fix issues fast. Complete network performance monitoring, so you don't have to guess where the, you know, hitch in your giddyup is. You can ditch those data silos. Now you've got a systemwide correlated view. You don't have to go onesie, twosie. And that's just four of the 16. I mean, these are tools you need. And you know, I usually leave this to the end of the ad. I'm not gonna leave it to the end of the ad. You can use it free, the whole New Relic platform, a hundred gigs of data free forever, no credit card needed or anything.

Leo Laporte (00:43:28):
Now, before the next 3:00 AM call, go to newrelic.com/securitynow. You'll be able to pinpoint issues down to the line of code, so you know exactly why the problem happened and fix it. DevOps teams at DoorDash, GitHub, Epic Games, developers, and network admins at more than 14,000 other companies all use New Relic to debug and improve their software. You gotta have this thing, whether you run a cloud native startup or a Fortune 500 company. It'll take you five minutes to set up New Relic. And because you don't need a credit card, you can just do it, do it right now before you get that next 3:00 AM call. New Relic, get the whole platform, a hundred gigs of data free forever, no credit card required. newrelic.com/securitynow. Why are they giving it away? Cuz they know, they know you're gonna love it. You're gonna need it. You're gonna want it. And you're gonna become a customer eventually. But even if you don't, it's free right now. newrelic.com/securitynow. I'd take advantage of it if I were you. N-E-W-R-E-L-I-C dot com/securitynow. Developers love New Relic, and now you know why. newrelic.com/securitynow. You need this thing. Oh, all right. Now, back to the fully hydrated Steve Gibson and more. Hey, I wanted to ask you one thing. You used the term release after free. That's a common, you know, after buffer overflows, right?

Steve Gibson (00:45:07):
Yeah. Use after

Leo Laporte (00:45:08):
Are use after free that's that's using a set of memory that is no longer in use. Basically. That's a pointer that's been released. It's kind of like buffer overflow

Steve Gibson (00:45:19):
It's yeah. So that in, in a, in a system that dynamically manages memory, you, you, the idea is that the system figures out when you're no, when no longer have any references to something right. And garbages

Leo Laporte (00:45:35):
Garbage collection, it's, it's garbage collect garbage

Steve Gibson (00:45:37):
Collection. Exactly. And, and so, so it re it, it releases that it should invalidate any pointers, right. To that memory. Yeah. But in some cases, if, if code holds on a pointer, the pointers no longer valid, but it's still

Leo Laporte (00:45:55):
Pointing some way. So that's my question, cuz it, the there's different ways of doing garbage collection of course count by reference is very common. Yep. How would you still have that pointer? It shouldn't be releasing the memory. If you still have the pointer, is that an error in the garbage collection? It must be right?

Steve Gibson (00:46:11):
Yes. Yes. A yeah, exactly. The, the, it it's the, you know, the, the so-called automatic language is too automatic. Yeah. So it has, it, it, it has worked in a fashion that has, has created the vulnerability. Got it. And so when, when it's getting fixed, that's what they're fixing is that, you know, they, they, they, they, they just said, okay we, we don't want to put memory management responsibility on the programmer, besides it's, it's dumb. Right. We can do a better job. Well, it's, you know, pro programs have branches and they've got iterations and they've got, you know, and nothing keeps a program from making a copy of a pointer that it, you know, for, or some purpose that the, that, that the code doesn't track it correctly. So I mean, it, the, the fact is it's very difficult to do a perfect job of automatically ma man managing memory. It's sort of the holy grail in, in some sense, it's

Leo Laporte (00:47:08):
Still better than using malloc and remembering to free it and all of that, I would imagine. Maybe not. You're an old school guy. You really, you use and release your own memory.

Steve Gibson (00:47:20):
I do. And the, and, and the, the thing to remember also is that when a process is running the OS tags, all the all allocations as belonging to that process, right? So when the process terminates all it, it's not that there's like memory leakage in a properly functioning system. The operating system will also release all the memory that that process had allocated. In fact, that's one of the advantages of, of the old school Unix approach is by, you know, they would launch a process like every time you, you, as a client connected to a server, you got, you spawned a copy of that server for your use. And it really didn't matter if there were memory leaks, you know, in some of the things the server did, cuz it's good. But as soon as you were disconnected, that process was terminated as were all of the allocations that it had made. So it was sort of a self cleaning system Microsoft, by comparison, in their model, for example, my IIS code running on, on windows server, I've got no memory leaks despite the fact that, that I'm doing a whole bunch of stuff all the time, but it's sort of a badge of honor to have a server running for five years. Yeah. And having it consuming,

Leo Laporte (00:48:40):
No memory, single

Steve Gibson (00:48:41):
Book, no memory more because what you would normally see is over time, it

Leo Laporte (00:48:46):
Would dwindle.

Steve Gibson (00:48:47):
No. What you exactly would slowly upwards. It's like, what's what did I forget? What am I not releasing? Right. Because the server is never restarting. It's just running without ever shutting down. So

Leo Laporte (00:49:00):
Right. And you know, C and C++ don't have built in garbage collection. Correct. What I did not know is that a lot of C++ tooling includes a third party garbage collection library. I bet you that's where the errors are. And then languages like Python, Perl, they all have built in garbage collection. That's part of their

Steve Gibson (00:49:19):
Yes. And it's those things that are being done for you. I mean, the programmers not even capable of being aware. Right. Because it's just like, oh, it's

Leo Laporte (00:49:27):
Built in, you don't have to care about it. Yeah. Yeah.

Steve Gibson (00:49:30):
But, and

Leo Laporte (00:49:30):
You, so you're an advocate for manual allocation and de allocation of memory, I guess. You know, if you wrote the program, problem is you get these big teams now it's easy for you. You wrote the program, you know, everything the program does. Yes. Cause you got a thousand people working on an operating system, you can't count on them. Yes.

Steve Gibson (00:49:47):
To know. And also the things I do are not massive. Right. You know, like probably the biggest thing I've done is the DNS Spoofability system, because it's got all kinds of stuff going on. I mean, it's sending out queries, you know, pseudo DNS queries. It's having to send queries to each of the DNS servers that responds to, to like, I mean, it's massively multitasking. Yeah. But you know, InControl that I wrote last week is like, eh,

Leo Laporte (00:50:22):
You know, it's, you know,

Steve Gibson (00:50:23):
80,

Leo Laporte (00:50:24):
You know, what's going on.

Steve Gibson (00:50:25):
Yeah. 82 K. And it's just like, you know, you can

Leo Laporte (00:50:28):
Actually browse the source code if you're worried and look for a malloc statement. Or you don't have malloc. Well,

Steve Gibson (00:50:33):
I can, how do

Leo Laporte (00:50:34):
You allocate memory in? Yeah. Yeah. It's all in your mind.

Steve Gibson (00:50:36):
It, yeah, I can. The entire thing is in my head.

Leo Laporte (00:50:39):
It's amazing. How do you, so memory allocation in the assembly, does it call a routine, or say I'm gonna use this area to this area, or

Steve Gibson (00:50:50):
So, so that's the other thing is that

Steve Gibson (00:50:53):
Coding a Windows app in assembler is basically scripting the Windows API. Right. You call the API. Exactly. And so there's alloc. And so, that's right, say, you know, I need a K, so alloc a K, and I get back a pointer to the beginning of the allocation. And yes, I have to be careful not to do something outside of the allocation. It's entirely my responsibility not to go further. But there is an arena around the allocation. And so when I attempt to free it, Windows will check to make sure that the end of it is still intact, that there was no overwrite at the end. And if so, it crashes spectacularly, and then I go figure out what it is that I

Leo Laporte (00:51:41):
Did wrong. At least your crashes are spectacular and they happen, oh, while you're around.

Steve Gibson (00:51:49):
And in fact, if you were ever, if you were, if there was like a, if you were a fly on the wall, you would sometimes hear me go,

Leo Laporte (00:51:55):
Boom,

Steve Gibson (00:51:58):
Make, you know,

Leo Laporte (00:52:00):
It's like an amateur chemist in his basement. There's never any question. If something crashes, it's like, wow,

Steve Gibson (00:52:07):
Okay.

Leo Laporte (00:52:09):
What

Steve Gibson (00:52:09):
Ha now

Leo Laporte (00:52:10):
That's, I'm ready to the screen buffer and it's not looking good. Yeah. Gobo boom. Yeah.

Steve Gibson (00:52:17):
Okay. So speaking of Kaboom,

Steve Gibson (00:52:21):
I would imagine that a bunch of people had their Super Bowl Sunday plans ruined, some because the buck stopped with them for the creation and release of an emergency five-alarm CVSS 9.8 patch of a zero day remote code execution bug in the Magni 2 / Adobe eCommerce platforms, which was being actively exploited in the wild. And on the receiving end of the patch news, the screaming need was to immediately apply this patch that Adobe's engineers had pushed out on Super Bowl Sunday, like within hours. All the warnings were because it was that crucial to e-commerce sites that would've otherwise been compromised, you know, before halftime. So to set the stage a bit, since we've never talked about the Magni O e-commerce platform: it's open source and written in PHP. It employs multiple other PHP frameworks, such as the Laminas framework and Symfony. The Magni O source code is distributed under the Open Software License, OSL version 3.0. And after bouncing around and changing hands a few times, Magni was most recently acquired four years ago by Adobe, back in May of 2018, for a cool 1.68 billion. Not a bad price for some volunteer developed open source software that can be freely downloaded.

Leo Laporte (00:54:20):
Wow.

Steve Gibson (00:54:21):
Yeah. And Magni's stats are impressive. As of 2019, that's the most recent numbers I could find, more than 100,000 online stores have been created using the Magni platform. The platform code has been downloaded more than two and a half million times. Unfortunately, many of those miscreants who are scouring the source code, looking for ways in

Leo Laporte (00:54:51):
Those miscreants. Miscreants. Misre-

Steve Gibson (00:54:57):
And 155 billion worth of goods have been sold through Magni based systems. Just the year 2019 alone. Magni accounts for approximately one third of all eCommerce happening on the web today. Sansec, a firm which focuses upon e-commerce security, titled yesterday's announcement, or well, titled the event on Sunday, when they blogged about it yesterday, they titled it Magni 2 critical vulnerability CVE-2022-24086. And they explained, this Sunday, February 13th, Adobe released an emergency patch for a critical vulnerability in Magni O 2. It allows unauthenticated remote code execution,

Leo Laporte (00:55:59):
Wait a minute, you've been writing magni, but I'm looking at this quote and this does make more sense. It's

Steve Gibson (00:56:05):
Megento,

Leo Laporte (00:56:05):
It's Magento. Oh, Magneto is a villain in the X-Men series.

Steve Gibson (00:56:12):
And you know, it's not the fir it's not the first time I've done that.

Leo Laporte (00:56:16):
You look at it, it looks like magni. I completely understand. And until I saw the quote in your notes, I didn't realize you're talking about Magento

Steve Gibson (00:56:24):
Magento. So if anyone for the last half hour has been scratching their head, what is Gibson talking about?

Leo Laporte (00:56:32):
Okay. It's Adobe Magento. Yeah, yeah, yeah, yeah, yeah.

Steve Gibson (00:56:36):
Okay. Now everybody knows what I've been trying to say. Wow. Get me down, get me in the wrong groove. And I stay there. Well,

Leo Laporte (00:56:45):
You wrote it magni in the show notes at first. So I believe I was just following along.

Steve Gibson (00:56:50):
Yeah.

Leo Laporte (00:56:51):
Until I saw the quote and I went, oh,

Steve Gibson (00:56:53):
Well, thank you very much. It's Magento. Yes, That's right. I did. I, it is Magna

Leo Laporte (00:57:00):
It's magni.

Steve Gibson (00:57:01):
So I wrote, I read it correctly. I just wrote it wrong. Yeah. And then I was faithful to my writing. Okay. Yeah. Thank you, mag Magento.

Leo Laporte (00:57:10):
Okay. It's easier to say magni, frankly, and much more

Steve Gibson (00:57:13):
Interesting. So Magento,

Leo Laporte (00:57:15):
Magento

Steve Gibson (00:57:16):
That's yeah. Seems much more electrifying. Anyway, it allows unauthenticated remote code execution. That is this flaw, which of course is bad. Or as the Sansec guys said, the worst possible type. They said actual abuse has already been reported. Adobe. Now here's the gotcha. I mean, I don't understand this. They wrote, Adobe has been aware of the issue since at least January 27th, two and a half weeks prior, but decided to issue a patch on Super Bowl Sunday. I said Super Bowl, they didn't. Which they said is highly unusual. Sansec, they wrote, expects that mass scanning and exploitation will happen within the next 72 hours. I saw elsewhere people saying within a couple hours. Under implications in their posting, they wrote, this vulnerability has a similar severity as the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit's publication.

Steve Gibson (00:58:40):
And remember, this is PHP. It's a few lines of PHP, so it's not gonna take a high end reverse engineering rocket scientist hacker to figure out what got patched. And since the cat's already out of the bag, Sansec saw no need not to show the full patch in their announcement, which they did. It's just, I looked at it, it's a regular expression in a loop, string replacement, presumably to sanitize some dangerous user controlled input to make it un-dangerous. The patching advice itself is sort of interesting. First of all, the trouble affects versions 2.3.7-p2 and earlier, and 2.4.3-p1 and earlier, of both the Magento and Adobe e-commerce platforms. They're the same thing. And essentially, apparently, Adobe paid 1.68 billion to put their name on it. And according to Sansec, who clearly understand what's going on, Sansec said sites running Magento 2.3 or 2.4 should install the custom patch from Adobe ASAP, ideally within the next few hours. Sites running, that's, that's

Leo Laporte (01:00:09):
ASAP. All

Steve Gibson (01:00:10):
Right. Yeah. Holy cow. During the game, you'd like, stop, you know, turn off the TV. You've got like no time to get this in. They said sites running a version of Magento 2 between 2.3.3 and 2.3.7 should be able to manually apply the patch, as it only concerns a few lines of PHP source. And they said sites running Magento 2.3.3 or below are not vulnerable. So this was introduced after 2.3, but between 2.3.3 and 2.3 point later. However, Sansec still recommends, they wrote, manually implementing the given patch, you know, and why not just do what Adobe wants you to. Although you could probably safely, oh, although, apparently I said this, you can probably safely watch the big game first. Okay. So

Leo Laporte (01:01:12):
On the measure now of how much of a crisis is it is yeah, you can watch it.

Steve Gibson (01:01:18):
Can I finish this episode, or do I have to just stop right now? Do I have to hit pause, or can I just wait? So online eCommerce sites and their vulnerabilities, of course, are particularly high value targets, with credit card skimming being the primary goal. That's what they're always doing. These guys are installing skimmers, which capture credit card credentials on the fly when people make their purchase. The most active nefarious group in this space is known as the Magecart, M-A-G-E-C-A-R-T, Magecart group, which specializes in targeting unpatched versions of Magento by any other name, in particular looking for a way to plant credit card skimmers on the checkout pages of eCommerce websites. The Magecart group, which is actually a consortium of many different card harvesting subgroups, consistently evolves its skimmers to be more effective and efficient at evasion. And this has been going on for years. I mean, as long as there's been e-commerce code, they've been at it. For example, in November, it added an extra browser process that uses the WebGL JavaScript API to check a user's machine to ensure it's not running on a virtual machine, which helps it to evade researcher detection.

Steve Gibson (01:02:51):
And last month, in January, an attack on Segway, actually I saw that it almost made the, the, but there wasn't anything like super standout about it. An attack on Segway, you know, the people who make the rolling things, planted a skimmer by using a favicon that traditional security systems wouldn't inspect. So these guys are sneaky. Now Adobe, who is working to downplay the apparent sudden severity of the issue after having sat on it for more than two weeks, because that's when the CVSS was, I mean, the CVE was issued.

Steve Gibson (01:03:37):
They initially characterized the attacks as very limited. Okay. Still 9.8, not good. And issued the update on a Sunday, so on Super Bowl Sunday. But card skimmer activity is on the rise, and we know how long websites often take to update. And for example, completely separate from this, last week Sansec reported a wave of skimming attacks targeting more than 500 sites, in particular those using outdated and unsupported Magento 1 implementations, which are old. And data from Source Defense found as many as a hundred thousand eCommerce sites that are still using past end of life Magento version 1. So, wow. A hundred thousand sites still using Magento 1. Okay. Now, while we're on the subject of things written in PHP, and I'm already on record about how I feel about that, yet, by the way, it has garbage collection. I just wanna point out.

Steve Gibson (01:04:53):
Yeah, yes it does. Yes, it does. You don't need to worry about that. We'll take care of that for you. Yet another WordPress add on, this one called PHP Everywhere, and Leo, a better name has never been coined. You know, and PHP Everywhere really doesn't sound like a good idea. It was responsible for placing more than 30,000 additional WordPress sites at risk of remote code execution, and trivial remote code execution. You know, and that's the worst. Now, the fact that Magento, which we were just talking about, which powers one third of the world's highly targeted e-commerce sites, was also written in PHP demonstrates that it is definitely possible for sufficiently skilled developers to author secure website code in PHP. I'm not saying it's not. That's not the issue. The issue is that PHP's deliberately and seductively easy to use design, which is what makes it so popular, encourages UNS developers to place their code online.

Steve Gibson (01:06:21):
You know, if you had to write it in C#, which has got lots of little pointy, sharp bits on it, you know, you probably wouldn't, right? So people don't. They use PHP cuz, oh look, I wrote a line and it worked, ship it. In fact, that pithy little slogan I coined a few weeks ago comes to mind: most developers stop working the moment their code starts working. We know that there's a big gap between code which works and code which is also secure against attack, and due to the online website environment where PHP typically finds itself, that often leads to trouble. You know, I now have a bunch of stuff at GRC written by other people in PHP. And the only way I was ever gonna allow any of that near GRC's network was by putting all of it on its own physical server, located behind a physical firewall.

Steve Gibson (01:07:26):
I mean, like with wires, that almost completely cuts it off from the rest of GRC's network. I mean, I'm happy to have that stuff. The forums are great. And my, you know, grc.sc, the little link shortener, is something called YOURLS, a nice little bit of PHP I picked up from someone, but it's all sequestered behind the firewall. So if something gets loose there, at least I have containment. Okay. So today we have PHP Everywhere. Get a load of this. It's like meta bad. The WordPress plugin, this PHP Everywhere, as it's named, has its name because it deli..., I could hardly even say this, it deliberately allows site owners to execute PHP code anywhere on their site. According to the add-on's description, quote, this plugin enables PHP code everywhere in your WordPress installation. Using this plugin, you can use PHP in pages and posts. Wait, posts? You could put PHP in posts? Oh Lord, that's terrible. What could possibly go wrong? And also in the sidebar? Oh yeah, it just embedded, what the hell? Yeah. Its description says everywhere, and it goes on to boast. It says the plugin also supports different user restrictions and multiple PHP instances. So feel free to just insert PHP in every part of your WordPress site.

Steve Gibson (01:09:24):
It's unbelievable. And then it says, examples of use: create custom contact forms and process any kind of data or upload, generate user optimized content, customize every little detail of your WordPress installation. And then we add, what could possibly go wrong? That's right. Create a handy dandy WordPress add on that encourages site operators who may barely be able to code to liberally litter PHP everywhere around their site, and you too can earn not just one, but three of those oh-so-rare CVSSs of 9.9, as this author did, accompanied by three of your very own CVEs, CVE-2022-24663, 24664 and 24665, each with a CVSS score of nine point... As it turned out, PHP Everywhere's functionality, not surprisingly, allowed the execution of PHP code snippets through WordPress shortcodes. Unfortunately, WordPress allows any authenticated users to execute shortcodes via the parse-media-shortcode AJAX action.

Steve Gibson (01:11:07):
And some plugins also allow unauthenticated shortcode execution. As such, it was possible for any logged in user, even a user with no permissions, such as a subscriber or a customer, to execute their own arbitrary PHP on a site that had PHP Everywhere, after all, everywhere, by sending a request with a shortcode parameter set to, they open a block, so left square bracket, PHP underscore everywhere, close bracket, that invokes that add on, then whatever PHP you want, and then you close the block with a backslash PHP underscore everywhere. And not surprisingly, executing arbitrary PHP on a site typically allows complete site takeover. Now we've been here before, right? Allowing users to execute their own code is reminiscent of all the persistent problems we used to have with SQL injection that inspired this classic XKCD cartoon, four frames.

Steve Gibson (01:12:29):
We've got the first frame. A mom is listening on the phone. She's picked up the phone and we hear, she hears over the phone, hi, this is your son's school. We're having some computer trouble. And mom says, oh dear, did he break something? And the school replies, in a way, and then asks mom, did you really name your son Robert Drop Table Students? And mom says, oh yes, little Bobby Tables we call him. And the school says, well, we've lost this year's student records. I hope you're happy. And mom replies, and I hope you've learned to sanitize your database inputs. Because of course drop table students is a command that SQL could execute, and somebody typed it in as the student name. And Leo, so this is a perfect case in point here. This PHP Everywhere should obviously never have been allowed to happen, but there's no oversight.

Steve Gibson (01:13:41):
And the deliberately created ecosystem surrounding WordPress encourages this sort of thing, right? It's like, oh, you know, create add-ons for WordPress. They're great. And you know, since none of my is likely to change WordPress' approach one iota, I understand my only hope, and my purpose here, is to adequately instill in our listeners a sober appreciation for the dangers inherent in using third party add-ons with WordPress. It's clear, as you've said, Leo, that the base WordPress system itself is mature, was professionally written and is being professionally maintained. Just like Magento, it's secure and bulletproof. But that security doesn't necessarily pertain in any way to anything that's added to it. And so it's super critical that our listeners keep that in mind. That is, you know, just because the base WordPress is solid doesn't mean some whacko can't create PHP Everywhere, and gee, isn't that convenient? People can put PHP in their posts. Yeah. Log4j, anyone? Wow. Okay.

Steve Gibson (01:15:08):
Google's vulnerability reward program for 2021. Last Thursday, Google shared the results of their vulnerability responsible reporting reward program for the previous year, 8.7 million handed out to people responsibly reporting problems to Google. There are a bunch of interesting facts and stats and dollar amounts and bug counts that I believe our listeners will be interested in. So I'm gonna share an edited down version of what Google wrote. They said, last year was another record for our vulnerability reward programs. Those are VRPs. They said throughout 2021, we partnered with the security researcher community to identify and fix thousands of vulnerabilities, helping keep our users and the internet safe. Thanks to these incredible researchers, vulnerability reward programs across Google continued to grow. And we're excited to report that in 2021 we awarded a record-breaking $8,700,000 in vulnerability rewards, with researchers donating over 300,000 of their rewards to charities of their choice.

Steve Gibson (01:16:32):
We also launched bughunters.google.com. And that's the URL I wanted to be sure to share with our listeners who might be interested. Last year, bughunters.google.com, a public researcher portal dedicated to keeping Google products and the internet safe and secure. This new platform brings all of our VRPs, Google, Android, Abuse, Chrome, and Google Play, closer together and provides a single intake form, making security bug submission easier than ever. We're excited about everything the new Bug Hunters portal has to offer. Then they talk about some specifics for Android. The Android VRP doubled its 2020 total payouts last year, 2021, with nearly $3 million in rewards, and awarded the highest payout in Android VRP history, an exploit chain discovered in Android receiving a reward of $157,000. Our industry leading prize of 1.5 million for a compromise of our Titan M security chip used in our Pixel devices remains unclaimed.

Steve Gibson (01:17:55):
Of course, that's good news. They don't wanna pay that out, but they wanna say, hey, if you find something wrong, how about one and a half million bucks? They said: For more information on this reward and Android exploit chain rewards, please visit our public rules page. They said: The program also launched the Android Chipset Security Reward Program, a vulnerability reward program offered by Google in collaboration with manufacturers of certain popular Android chipsets. This private, invite-only program provides reward and recognition for contributions of security researchers who invest their time and effort into helping make Android devices more secure. In 2021 the ACSRP paid out 296,000 for over 220 valid and unique security reports. So not a high payout individually, but probably easier to get, so some lower-hanging fruit. They said: We'd also like to give a special shoutout to some of our top researchers, whose continued hard work keeps Android safe and secure.

Steve Gibson (01:19:11):
Aman Pandey of the Bugsmirror team, they said, has skyrocketed to our top researcher last year, submitting 232 vulnerabilities in 2021. Since submitting their first report in 2021, Aman has reported over 280 valid vulnerabilities to the Android VRP. And again, just 232 last year. So he's really accelerated his pace and has been a crucial part of making our program so successful. He probably made himself some nice money too. Yu-Cheng Lin has been another phenomenal researcher for the Android VRP, submitting a whopping 128 valid reports to the program last year. And then we just have a wacky Gmail email: discovered a critical exploit chain in Android, receiving the highest payout in Android VRP history. Oh, he's the guy who got the $157,000 for an exploit chain for Chrome. They said: This year, the Chrome VRP also set some new records.

Steve Gibson (01:20:23):
115 VRP researchers were rewarded for 333 unique Chrome security bug reports submitted in 2021, totaling 3.3 million in VRP rewards. The contributions did not only help us to improve Chrome, but also the web at large, by bolstering the security of all browsers based on Chromium. And they call out some other leading researchers, and that's, you know, pretty much it. So a huge thanks and congratulations to all Chrome VRP researchers who help us make Chrome and Chrome OS more safe. So 8.7 million last year. You know, bug hunting, we've talked about it a lot, is not guaranteed income, but it might be an interesting way to spend some spare evenings when nothing else is going on. The more you look and poke around, the more you'll learn. As I've said before, and every time it's happened for me it's been the case, there is really no better way to extend one's own coding skills than by reading and comprehending someone else's code. You just, you look at it and it's just, it's, you know, it's almost like somebody else wrote it. You learn things, and you might have a well-earned payday.

Leo Laporte (01:21:56):
You also, you also learn a lot about coding by looking at other people's code. It's valuable, right? Well, everybody's got a different way to,

Steve Gibson (01:22:04):
And when you think about it, how do writers learn to write? By reading.

Leo Laporte (01:22:09):
Yeah. Yeah. It's challenging at first. Everybody has, it's a different way of coding.

Steve Gibson (01:22:14):
Yeah. Oh, and finally, before we wrap, we have Google's Project Zero stats, which I thought were also interesting. Okay. So this is, of course, their zero-day flaws, which were found across the industry. Their recently published data, the good news is, reveals that the average period software vendors used to repair and issue security updates reported by Project Zero last year was 52 days, which was a significant reduction, despite no reduction in bug levels, from 80 days three years ago. So three years ago, 80 days average to fix things. Now we're down to 52, and again, not like there were fewer problems. And now nearly all vendors are addressing their flaws within what has become an accepted industry deadline of 90 days. And then after that, just before lowering the boom, for some reason there's an agreed-upon grace period of two weeks.

Steve Gibson (01:23:28):
I don't quite understand that, but okay. The stats for the 2019 through 2021 period show a total of 376 zero-day reports from Project Zero, with 26 concerning Microsoft, 20, I'm sorry, 26% concerning Microsoft, 23% Apple and 16% Google. The sum of those three is 65%. So those three, Microsoft, Apple and Google, constitute essentially two thirds of all of the Project Zero reports. And it's not surprising that the largest commercial desktop OS and the vendors of the two biggest mobile OS vendors are, or the providers of the two biggest mobile OSes, would be those top three vendors. And whoever's interested in a complete breakdown, I've got a chart in the show notes which breaks the stats down by vendor. Oracle had the fewest Project Zero reports of zero days. I mean, really remarkably few at only seven, seven in 2021, although they also took the longest to fix those seven, with four of them exceeding both the 90-day fix-by deadline and the additional two-week grace period.

Steve Gibson (01:24:56):
So, you know, I guess that's one advantage of having lots of problems: you end up building a team that's like awake all the time. Whereas Google's or Oracle's few people probably, like, have to, you know, be brought back in from vacation in order to fix the problem. And as the chart above shows, the three overall best patching performers by average days to fix, and impressively, were Linux at just 25 days, that's the minimum average days to fix a problem, Google at 44 days and Mozilla at 46. At the other end, the worst performing was Oracle, as I said, at 109 days. But again, you know, they only had seven problems compared to Apple, who had 84 zero-days. So then we have Microsoft, who took an average of 83 days each, and Samsung, who was a bit quicker at 73. And notably, Microsoft also had the most fixes, 15 of them, which occurred within that final two-week grace period. So Microsoft was blowing through their 90 days, and just before Google was like saying, you know, we're gonna tell everybody what's wrong here.

Leo Laporte (01:26:16):
That's how I do my homework. I wait till the very end and then, yeah, yeah,

Steve Gibson (01:26:20):
Exactly. And comparing the mobile OS terrain, iOS and Android are about tied, with iOS having an average time to fix of 70 days and Android taking 72. And on the web browser side, not surprisingly, since we often observe Google's quick response with Chrome, they beat everyone with an average time to fix of 29.9 days average. So like 30. And on the other end is Apple's WebKit, the longest at 72.7 days on average. At the same time, that was 40 bugs for Chrome and only 27 for WebKit. So

Leo Laporte (01:27:04):
Look at Firefox, only eight.

Steve Gibson (01:27:06):
Yeah, yeah, yeah. Firefox did a really nice job last year. And again, as an industry overall, it seems clear that despite the appearance of an increasing rate of problems and, you know, it feels like an increase in problem severity, since, you know, we're dragging an ever-growing legacy behind us, still those tasked with fixing problems, much as we might wish they were even better, you know, they're managing to stay ahead, keeping things under control and reducing our overall exposure. And, you know, the one thing I was tempted to do was to multiply the number of days of an outstanding problem by the number of problems, because that would kind of give you the, I don't know what you'd call it. The, you know, not really the area under the curve, but that's also sort of an interesting metric. And like Apple, who took twice as long, had half as many problems. So the problem exposure area was sort of the same. So anyway

Leo Laporte (01:28:18):
Our show, by the way, is brought to you by Barracuda. This section, of course, brought to you by the company everybody knows and loves for keeping themselves safe. In a recent email trend survey, 43% of respondents said they'd been victims of a spear phishing attack, but only 23% said they have dedicated spear phishing protection. Now, look, I know your employees are smart, right? I know they're savvy. I know they're sophisticated, but spear phishing is difficult because it, you know, it looks like it came from the boss. It's an urgent message. They're gonna want to act on it. It seems safe. It seems real. It seems genuine. It also carries a hefty cost. Barracuda has identified 13 types of email threats and how cyber criminals use 'em every day. There's phishing, of course, but there's other techniques you may not even know about.

Leo Laporte (01:29:19):
And your staff may know about, like conversation hijacking, there's ransomware, there's 10 more tricks cyber criminals use to steal money from your company or personal information from your employees and customers, which they can then use to steal money from them. Are you protected against all 13 types of email threats? Email cyber crime is becoming more sophisticated, its attacks more difficult to prevent. They use all sorts of things, social engineering, and they often will get you going emotionally with urgency and fear. And that really works. It gets people jumping. Social engineering attacks, including spear phishing and business email compromise, cost businesses on average $130,000 an incident. Could you take that kind of a hit to your bottom line? As demands for COVID-19 tests increased at the start of this year, Barracuda researchers saw, of course, an increase in COVID-19 test-related phishing attacks.

Leo Laporte (01:30:17):
They went up by 521% between October and January of this year. As public interest rises, for instance, in cryptocurrency, the opportunity for attacks becomes ripe. The price of Bitcoin, very volatile, up and down 400% between October of 2020 and April 2021. I'm not gonna mention it cuz Steve would get upset, bar doesn't make me happy either. Oh, good news, down 50% in the last three months. Barracuda research found that impersonation attacks around cryptocurrency grew 192% in the same period. These guys are opportunists and they're not dumb. They're clever. Maybe they're not smart, but they're clever, right? In 2020, the Internet Crime Complaint Center, IC3, received 19,369 business email compromise, email account compromise complaints, adjusted losses 1.8 billion, with a B, billion dollars. I get emails all the time saying, hey, thank you for your payment of, usually it's around 300 bucks. If this is an error, call us. You know, I get that all the time.

Leo Laporte (01:31:30):
Would your accountant, your bookkeeper know that that's fake, or would they call and say, wait a minute, that's an error? I'm gonna be good. I'm gonna be a good bookkeeper. I'm gonna call, that's an error. Oh, I'm sorry, what's your credit card number? Let me verify this. Whoops. It's still important to leverage gateway security, of course, to prevent traditional attacks. We use that. Things like viruses and zero-day ransomware and spam and other threats. But your gateway is defenseless against these kinds of targeted email attacks. You have to have protection at the inbox level, and it's gotta be smarter than the clever bad guys. That means AI and machine learning is necessary to detect and stop the most sophisticated threats. Get a free copy of the Barracuda report, 13 Email Threat Types to Know About Right Now. Information is power, and it's free.

Leo Laporte (01:32:18):
You'll see how cyber criminals are getting more and more sophisticated every day, how you can build the best protection for your business data and people with Barracuda. Find out about the 13 email threat types you need to know about and how Barracuda can provide complete email protection for your teams, your customers, and your reputation. Get your free ebook. It's waiting for you at barracuda.com/Security Now. B-A-double-R-A-C-U-D-A. Yeah, like the fish with teeth. barracuda.com/Security Now. It's free, no cost, no obligation, just good information that you will need. I'm telling you, barracuda.com/Security Now. That's why you listen to the show, right? Barracuda, your journey secured.

Steve Gibson (01:33:03):
One last thing, bye-bye WMIC, and yes, K E Y M O USC. Last week we talked about the practice of living off the land, where malware or miscreants take advantage of commands and features available at the local system where they find themselves. One of the more often abused features of Windows, which we touched on last week, is the massively capable Windows Management Instrumentation, WMI, system, which is accessible through the command line executable WMIC, not .ky but .exe. The fact that this useful command line access tool is so often abused has not escaped Microsoft's attention. As a result, WMIC.exe is going away. And if you know anything about Microsoft, it's that they really, really, really, really, really, really strongly really dislike ever removing anything from Windows, especially something like WMIC, a system management tool that almost certainly figures actively into the management scripts being used by their enterprise users, who they care about most among others.

Steve Gibson (01:34:48):
And despite this extreme reluctance, Microsoft is in the process of removing WMIC.exe, starting with the latest Windows 11 preview builds in the Dev Channel. They did announce last year that this was their intention and that they were in the process of deprecating the use of WMIC.exe in Windows Server in favor of Windows PowerShell, which provides, you know, a full superset of WMI's capabilities, including the ability to query the Windows Management Instrumentation system directly. Microsoft wrote, quote: The WMIC tool is deprecated in Windows 10, version 21H1, and the 21H1 general availability channel release of Windows Server. This tool is superseded. Okay. But whenever Microsoft supersedes something, they leave the other one alone, right? Still there. They said: This tool is superseded by Windows PowerShell for WMI.

Steve Gibson (01:35:57):
This deprecation only applies to the command line management tool. WMI itself is not affected. Okay, so now Microsoft has been spotted removing WMIC from Windows clients, starting with Windows 11 preview builds in the Dev Channel. The guys at BleepingComputer did some sleuthing and confirmed that from at least build 22523, the WMIC command is no longer available in Dev Channel clients, although they noted that Microsoft may have removed it from earlier builds, which they didn't check. Microsoft may be testing the waters to see whether they're able to pull it from Windows, or to gauge how much fur will fly if they do. They clearly want to. And you'll note that the only possible reason for deliberately yanking something from Windows that's already there, and that many people are using, is that many bad people are using it too. One thing that might happen, which wouldn't surprise me, would be for them to make it available separately as an optional manual download. That's something they've done before.

Steve Gibson (01:37:17):
It's certainly the case that 99.999, and you can just keep on going with nines, percent of Windows client users have never typed the command WMIC and never will. So having it there only to ever be used by malware really makes sense, but leaving it as optionally available, though deprecated and not recommended, minimizes the damage from, you know, pulling it from existence entirely. So it won't be present, but power users will be able to get it, or enterprise users could selectively get it. And, you know, Leo, this makes me question Windows' future. Like, it is so loaded with that kind of thing that nobody who looks at the friendly candy-coated surface of Windows ever knows about, but it's there and it's being abused. You kind of wonder whether there might at some point be like a power tools package that you could easily install, but where just generic Windows won't have it, because all the bad guys are ever gonna use it.

Steve Gibson (01:38:35):
Never the person sitting in front of the keyboard. In any event, for maximum compatibility, everyone should take this as a heads-up: if you or your enterprise are currently dependent in any way upon WMIC.exe, you'd be well advised to move over to PowerShell. Back in 2016, everybody was upset over Microsoft pushing us to Windows 10. So I created Never10, you know, pithy little name. I liked it a lot. 3 million people have downloaded it. You kidding? Microsoft must hate you. Yeah. They're probably thinking, what's he gonna do now? Oh my God. Yeah. And really, they're upsetting people, right? By now, what they're doing is, you know, like upgrading your Windows without your, people are complaining about it constantly. Yeah. And so you look at Windows 11, well, you can't put the menu bar or the task bar on the side of the screen.

Steve Gibson (01:39:50):
You know, I've looked at it, Leo. I had to have a laptop running 11 in order to get this latest piece of freeware done. I mean, it is beautiful looking, I have to say. I mean, it's gorgeous, but I'm happy with Windows 10. And yes, somebody somewhere is saying, when pigs fly, Steve is happy with Windows 10, but it's true. Anyway, so first I thought, okay, it really isn't Never11, because people are also not wanting their versions or their feature releases of 10 to change. So people who are on 10 want, basically people wanna stay put. And so that was like, ah, I'll call it Stay Put. So then as I started talking in the newsgroup with the gang who helped me over the past week to get this thing all polished and honed and working just the way we wanted, someone said, well, that's good, but you know, it won't really work for me because I do wanna move Windows 10 from 21H1 to 21H2.

Steve Gibson (01:41:03):
So I'd like to do that. Well, as I looked deeper into Microsoft's support for group policies, I realized that the way they had implemented the controls targeted at enterprise users, but available to everyone, was literally with a targeted release version in the registry. So that allows a user of Windows to target Windows Update to a specific major version, like 10 or 11 or 12, and then the individual feature release within that major version, which of course is now what Microsoft is doing. And if you target the one you're on now, well, then you get the advantage. You get the equivalent of Stay Put; it will not go. And in fact, during my testing, I had a machine, how did I run across this? I can't remember. Now I had a machine with like 1504 or something, like from the dawn of Windows 10.

Steve Gibson (01:42:09):
And I put InControl on it. And boy, was Windows Update unhappy. I mean, it was like squirming around because it had gone out of support a long time ago, but it would not update it. And so this lock is powerful, but the advantage is it doesn't shut down Windows Update. All your security updates, your monthly, you know, standard roll-forward, continue. But it will keep you at where you are at, at the major version and the feature release, either where you are, if you just leave it set to its default, or if you wanted to say, yeah, I'm ready to go to Windows 11, you literally, you can click the button to release control. There's two fields in the lower left for a version and release. You could change the 10 to 11 and then hit Take Control.

Steve Gibson (01:43:09):
And it would lock it, telling it it wants Windows Update to take you to Windows 11 as soon as it would. So anyway, it went from Stay Put to Under Control to Take Control to InControl, which is where we are. And as I said before, 82K of assembly language, just one of my little cute, you know, you don't have to set it up or install it or anything, you just run it. And the only thing I have left to finish is the documentation. I have the, as I did for Never10, I want to fully document the six registry keys. There are six registry keys that it manages. And they don't, that's all it is. It's simple, but it's, you know, there are, as I said last week, there are sites that are telling people to disable Windows Update completely.

Leo Laporte (01:44:02):
No, no, yeah.

Steve Gibson (01:44:04):
I know. It's like no, bad, bad, bad, bad, bad, you know? So this gives people some control that they wouldn't otherwise have in a, you know, in a very friendly user interface. So, good. That's it. And that's our podcast.

Leo Laporte (01:44:19):
And that's the show, ladies and gentlemen. Every week, he comes up with something, not always a program, but that's cool. It just changes the registry. And I presume if it sees that key, it doesn't screw it or anything, like doesn't create a key.

Steve Gibson (01:44:35):
Correct. And in fact, some people have a few of the things already set, right? And so the other thing it can, it'll come up and say, well, you are partially in control, and it will say you're missing three of the six registry keys required to lock. So that's great. You know, does

Leo Laporte (01:44:53):
The whole thing very nicely done. Steve is at grc.com. There's lots of reasons to go there besides InControl, although that's a great reason. There's also, of course, ShieldsUP!, his test for your router to make sure that you are properly set, even more important these days than ever before. And his bread and butter, SpinRite, the world's best, best storage maintenance and recovery utility. Currently version six is out there. If you buy it, you'll get an automatic upgrade to the next version. You also get to participate in the development of that version. grc.com. You can leave feedback, form there at grc.com/feedback, but can also go to Twitter and leave him some feedback. He is @SGgrc, and DMs are open now, ready for your call. While you're at the website, you might wanna check out his version of the podcast. He has two unique versions. One's we don't have: a 16-kilobit version, which is a little scratchy, but it is the smallest audio version available. And so if you've got limits on your bandwidth or you're at close to your bandwidth caps, that's a good choice. There's also, even smaller and really useful, the transcripts, which are done by a human. Our transcripts are AI. He does it. He spends some money, gets somebody real to do it. And so they're very, very good. And I can't wait to see the transcript from this week.

Leo Laporte (01:46:19):
Thanks to Elaine Farris for doing those, and thanks to Steve for paying for it. That's a really nice service, all at grc.com. We have audio and video for the show at our website, which is twit.tv/sn, SN for Security Now. Obviously you can get it there. You can also go to YouTube. There's a channel dedicated to Security Now with all the videos there. That's an easy way to share it with somebody else. And of course you can subscribe in your favorite podcast player, get it the minute it's available. And if you would, leave us a review. Let the world know about Security Now. I think that everybody needs to know about Security Now. Steve, we'll be back here Tuesday, about 1:30 Pacific, 4:30 Eastern, 21:30 UTC for another gripping edition of Security

Steve Gibson (01:47:09):
For the final episode of February. Yes. As we, because we got a short month this time.

Leo Laporte (01:47:16):
As we mosey on through to 999.

Steve Gibson (01:47:21):
Yeah, my nine.

Leo Laporte (01:47:23):
Hey, thank you, sir. Have a great week. We'll see you next time on Security Now.

Steve Gibson (01:47:26):
Thanks buddy.

Jason Howell (01:47:28):
Don't miss All About Android every week. We talk about the latest news, hardware, apps, and now all the developer goodness happening in the Android ecosystem. I'm Jason Howell, also joined by Ron Richards, Florence Ion, and our newest co-host on the panel, Huyen Tue Dao, who brings her developer chops. Really great stuff. We also invite people from all over the Android ecosystem to talk about this mobile platform we love so much. Join us every Tuesday, All About Android, on twit.tv.

VO (01:47:58):
Security.
