Security Now Episode 866 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show. 

Leo Laporte (00:00:00):
It's time for Security Now, Patch Tuesday edition. Steve Gibson is here. We're gonna talk about Spring4Shell. We talked about it as a concept last week. Well, the concept, one week later, is now a reality. We'll also take a look at a problem, a zero day perhaps, in nginx, the most popular web server on the web, on the internet. And Microsoft's newly announced Autopatch system. It's all coming up next on Security Now. Podcasts you love, from

... (00:00:32):
People you trust

... (00:00:35):
This is TWiT.

Leo Laporte (00:00:38):
This is Security Now with Steve Gibson. Episode 866, recorded Tuesday, April 12th, 2022: Spring4Shell. This episode of Security Now is brought to you by ExpressVPN. Going online without ExpressVPN is like using the bathroom and not closing the door. Secure your online activity by using expressvpn.com/securitynow and get an extra three months free on a one-year package. And by PlexTrac, the proactive security management platform that helps you focus on winning the right security battles. With PlexTrac you'll streamline the full workflow from reporting to remediation. Visit plextrac.com/twit and claim your free month. And by ZipRecruiter. According to research, 90% of employers plan to enhance their employee experience this year. And if you need to add more employees, there's ZipRecruiter. ZipRecruiter's technology finds qualified candidates for your job, and you can invite your top choices to apply. Try ZipRecruiter today at ziprecruiter.com/security.

Leo Laporte / Steve Gibson (00:01:46):
Now it's time for Security Now. I know you've been waiting all week long. He's finally here, Steve Gibson of grc.com. He actually is in this TV all the time. Yeah, I'm in here all by myself. I've got blinky lights to keep me kind of entertained. I wait for something to happen every week; it turns on and I go, oh, hello. Hey, I'm on. No, not true. Steve is a very busy guy. In fact, we're very grateful that he takes the time to do this show every week. I hope I say that enough. Thank you. Yeah, it's a very good thing for my life, Leo. I do not regret it. For me too, for the moment. Me too, I feel the same. So we're at episode 866. I think I've got the number correct on the show notes this week.

Leo Laporte / Steve Gibson (00:02:35):
I didn't get it. I didn't advance it last week. And I always am re-editing the same doc file. So after I stripped everything out of this single doc file last night, I thought, oh, I could have changed the number and made another PDF, and the show notes would be correct forever. Now they will be wrong forever, but I guess I could get some Scotch tape or something. Anyway, this is April 12th. It is Patch Tuesday, which is apropos of the picture of the week, which we will show in a minute. We're actually gonna wrap up this week's podcast by revisiting the first topic of last week's podcast. That was when we mentioned what was at the time a somewhat questionable itch. Now, a week later, it's a full-blown outbreak, deserving of the podcast title. That is to say, Spring4Shell is no longer just theoretical. But before... I know, it's just, it's amazing.

Leo Laporte / Steve Gibson (00:03:49):
Before we roll up our sleeves for that, we're gonna examine credible reports of a new zero day in the Internet's most popular web server platform. And that's not where you wanna have a zero day. We're gonna take a look at Microsoft's newly announced Autopatch system, and like, what is that all about? And the rapidly approaching end of security life for some Windows 10 editions. We have another instance of an npm protest modification in a highly used library. And I'm gonna share a bit of miscellany and listener feedback before we plow into taking a look at what one week has wrought in this Spring4Shell vulnerability. So a lot of interesting stuff to share with our listeners. It's gonna be another thrilling, gripping edition, as the announcer says, of Security Now. Very excited, as always.

Leo Laporte / Steve Gibson (00:04:54):
Thank you, Steve. This show is brought to you this week by ExpressVPN. Really, it should be brought to you every week by ExpressVPN. And if you, like me, use ExpressVPN, you might actually be using ExpressVPN right now to protect yourself online. When you use the bathroom, you close the door, right? People often say, oh, I have nothing to hide, right? Oh, I don't need security, I have nothing to hide. If you have nothing to hide, why do you close the bathroom door? Right? It's not that we have something to hide. We just don't want random passers-by looking in on us. That's the reason you use ExpressVPN. Using the internet without ExpressVPN would be like going to the bathroom and not closing the door. Whether you have something to hide or not, privacy is a right, and you should be able to, you know, express that by getting ExpressVPN.

Leo Laporte / Steve Gibson (00:05:49):
For instance, I mean, there are many reasons to use a VPN. There's security, there's privacy, there's eliminating geographic restrictions. I do all three. You ever wanna watch Doctor Who on Netflix? You can go to Netflix UK if you're already a Netflix subscriber in the US. Press the button on your ExpressVPN. That's one of the things I like. They've got that app for everything: smart TVs, iOS, Android, Mac, Windows, Linux, everything, even for your router if you want. And on the apps they've got a nice big button. You press that. Now, normally that's gonna pick the VPN server nearest you, and ExpressVPN has many, many servers to choose from. They're in over 94 countries; there's 160 servers all over the world. But if you wanna be in England to watch Doctor Who, you press the one in London. I think it's the Docklands one or something like that.

Leo Laporte / Steve Gibson (00:06:35):
You press that, and now you're in England and you can watch all the Doctor Who you'd ever want on Netflix UK. So you get that. You get the security of using a VPN. And now that we're all out and about again, going to the coffee shops, traveling, in hotels using hotel internet, whether it's WiFi or ethernet, you're on the same network as everybody else in that hotel. I'll never forget the time that I fired up... this is back when you could use iTunes to share your music. I fired up iTunes, and on this list of everybody's music in the hotel I could see what music they had. I could listen to their music. That's when it hit me. You know, I probably should be using ExpressVPN. There is a great article on BleepingComputer

Leo Laporte / Steve Gibson (00:07:21):
that I highly recommend about how ExpressVPN's TrustedServer technology works. In short, they use a special version of Debian they created that spins up the server in RAM only. It's sandboxed; it can't write to the hard drive. That's what you're using when you're using ExpressVPN. So it can't track your visit in any way. And then when you're done, it's gone. And in fact, every day they refresh that server. It automatically wipes the entire drive, reinstalls Debian, reinstalls TrustedServer. There is no trace of you. So ExpressVPN truly is security, privacy. It is the best way to protect yourself online. And you want a good... I'll tell you, there are many choices in the VPN world, but you want somebody... you don't want a free one, 'cause they have to pay for their servers somehow, and that usually means selling your information.

Leo Laporte / Steve Gibson (00:08:14):
You want somebody who really is committed. Steve said this before: completely zero logging, right? You don't want any logging. ExpressVPN does that. In fact, even if they wanted to, if you had a malicious employee, there's no record of your visit, so there's no way anybody can intrude on your privacy. It's absolutely secure. So if you're online and believe your business is your business, it is. Even if you have nothing to hide, you wanna secure yourself. Visit expressvpn.com/securitynow today. It's the only VPN I use and recommend. Express, E-X-P-R-E-S-S, vpn.com/securitynow. You'll get an extra three months free when you sign up for a one-year package. That's only about seven bucks a month. It's a very reasonable fee. And by the way, for seven bucks a month, you can use it 24/7, put it on your router.

Leo Laporte / Steve Gibson (00:09:08):
Your whole household is protected. They invest in their bandwidth so you can watch HD video and everything; it's transparent, but you're protected. I think that's an incredible deal. expressvpn.com/securitynow. We thank them for their support of your security and Steve Gibson's, who also closes the bathroom door, I believe. I would guess. I do, even when I'm home. It's the habit. It's like putting the lid down when you're done. It's just a good... exactly. It's just a good thing to do. On we go. Your turn, Steve. Our picture of the week is... it looks like somebody actually made this shirt. It looks like a photograph of an actual t-shirt. It's a black t-shirt. It's got the well-recognizable Windows logo, you know, the four different colored squares. And all it says on it... it's got the Windows logo and it says Exploit Wednesday.

Leo Laporte / Steve Gibson (00:10:11):
It's the day after Patch Tuesday. It's the day that follows Patch Tuesday. So it's the answer to the question, what follows Patch Tuesday? Well, Exploit Wednesday. Nice, nice. And boy, you know, we just cover story after story, you know, concrete example after example of how that's exactly true. And we're gonna see a couple of those today. This first one scares me, 'cause this is what I use. It's what I use. Yeah. Yes. Everybody, practically. For those who don't know, nginx is spelled N-G-I-N-X. It's a web server and more that's been steadily growing in popularity. When I set up GRC's GitLab instance on a FreeBSD Unix box, nginx was and is providing that platform's web services. Apache, which for like forever, for like decades, was the leader, is no longer. So nginx is now the de facto web platform for new installations.

Leo Laporte / Steve Gibson (00:11:20):
And it's now the most commonly used web server on the internet. It's got a 33.2% share overall, and of the top 1000 sites it's just shy of half, a 45.2% share of the top thousand sites. And it can serve as a reverse proxy, a load balancer, a mail proxy, and an HTTP cache. So lots of different things it can do. And you know, over time, large projects tend to get pushed to do things they were not originally designed to do. New chunks get added onto them here and there, and what might have once started out as an elegant and straightforward architecture ends up becoming awkward, riddled with special-case exceptions, and it becomes increasingly difficult to maintain. And of course, as we know, where security is important, you know, simplicity is really key. So in other words, these big projects almost inevitably begin to show their age.

Leo Laporte / Steve Gibson (00:12:27):
And one such example is OpenSSL. As we've covered here, it's become so cumbersome and creaky that various lean and streamlined alternatives have been built. It remains an amazing toolkit. I use it at the command line from time to time to do stuff with certificates that there's, like, no other way to do conveniently. But if all one wanted now was a fast, clean, and simple way of getting secure TLS connections, OpenSSL may no longer be the best choice. So what are web servers? I thought it was interesting that the official apache.org site claims that... they said, quote, co-founder Brian Behlendorf first came up with the name Apache for the server. The name Apache was chosen out of reverence and appreciation for the people and tribes who refer to themselves as Apache. Okay, well, you know, I think that indigenous Native Americans are a great and noble people, but those of us who have been around for a while will recall that that's not the case.

Leo Laporte / Steve Gibson (00:13:41):
The Apache web server got its name because literally it was "a patchy" web server. And the Internet Archive doesn't lie. I tracked it down. Question number four on Apache's FAQ from July 9th, 1997 asks, why the name Apache? And it provides the answer. It said, a cute name which stuck. Apache is "a patchy" server. It was based on some existing code in a series of patch files. Okay. So my point is that, you know, it did get rewritten at one point when the world became aware of how important it was gonna be to have a strong, robust server, but it's getting a little bit long in the tooth. And we have a new kid in town. F5 Networks, which focuses upon web application security, needed a platform. So just over three years ago, in March of 2019, they purchased nginx for 670 million, which again, we've talked before about how interesting it is that you buy an open source thing for that much money.

Leo Laporte / Steve Gibson (00:15:05):
It's like, okay. Anyway, as a result, today it is they who are investigating a credible-appearing report of a zero day in nginx. And again, there are credible-appearing reports, which we'll talk about in a second, including breach reports of successful breaches using a zero day in what is now the Internet's most popular web server and in use by nearly half of the top 1000 internet sites. A spokesperson, asked by the press yesterday, on Monday, said, we are aware of reports of an issue within the web server. We have prioritized investigating the matter and will provide more information as quickly as we can. Okay, that's good. Now, the problem first surfaced on Saturday when a Twitter account connected to a US-based group known as BlueHornet tweeted about an experimental exploit for nginx version 1.18, which is the current release. The group tweeted, quote, as we've been testing it, a handful of companies and corporations have fallen under it.

Leo Laporte / Steve Gibson (00:16:32):
They didn't respond to requests for further comment, but a different researcher shared a conversation they had with the people behind BlueHornet about this issue. The group explained that the exploit has two stages and starts with an LDAP injection. LDAP stands for Lightweight Directory Access Protocol, and an LDAP injection is an attack used to exploit web-based applications that construct LDAP statements from whatever it is the user supplies. And so if there's some tricky way of supplying some information that can in some way abuse what LDAP is doing with that user-supplied information, that's your way in. BlueHornet said that they would share the issue with the nginx security team through HackerOne, presumably for a bounty, which in this case seems fair. They've got a zero day for nginx. Or through F5's internal platform.

Leo Laporte / Steve Gibson (00:17:40):
And BlueHornet later created a GitHub page where they explained in detail how they discovered the issue and how it works, for anyone who's interested. Sounds like an LDAP exploit, though, right? I mean, yes. Not necessarily a flaw in nginx. You have to exploit LDAP first. I think that's the case. Yeah. So they wrote, we had been given this exploit by our sister group BrazenEagle, who had been developing it. I know. Okay. That's not their real name, for sure. Okay, go ahead. That's as bad as Apache. Okay, go ahead. Yes. Nor is it an Indian name. No. So they said, at least since Spring4Shell came out, although this bears no relation to that. You know, Spring4Shell we'll get to later; that's a Java problem. They said, we're still in the early stages of usage and understanding it as we were working on another vendor vulnerability.

Leo Laporte / Steve Gibson (00:18:36):
So, you know, what are you gonna do? You've just got too many vulnerabilities to handle at once. They said, Getworm, and that's that other entity that shared some details, Getworm was allowed to share that information with permission from our DMs. We were initially confused as LDAP does not interact much with nginx. However, there is an LDAP auth daemon used alongside nginx, which allows for this to be used. It primarily, they wrote, is used to gain access to private GitHub, Bitbucket, Jenkins, and GitLab instances. They said, further testing is required in due time. So that was how they opened their GitHub posting. Then they posted update number one: as some further analysis is ongoing, the module related to the LDAP auth daemon with nginx is affected greatly, and there we have a smiley face.

Leo Laporte / Steve Gibson (00:19:43):
They said, anything that involves LDAP optional logins works as well. This includes Atlassian accounts. Just working out if we can bypass some common, they said, WAFs, so that's web application firewalls. They said, default nginx configs seem to be the vulnerable type, or common configs. We highly recommend disabling the LDAP daemon's enabled property. If you plan on setting it up, be sure to change the LDAP daemon's LDAP config properties flag with the correct information, and don't leave it on default. This can be changed until nginx responds to their email and DMs, which is a bit of a story. They were having a bad problem getting anyone to respond from F5, which, you know, I don't understand. Update two: been talking to some InfoSec people about this. Some mixed responses. Some are saying it's a problem with LDAP itself and not nginx, while the LDAP daemon isn't always used.

Leo Laporte / Steve Gibson (00:20:59):
The exact quote is, CI/CD pipeline hardens the instance. One of the steps is to completely strip out the LDAP module. And they said, this is partially correct. In fact, it's an option when compiling nginx. However, it could be a problem with LDAP itself. The issue with this is that it only works with nginx instances using LDAP, such as any login portal that supplies that authentication method. Further analysis and testing is required. They said, again, looks to only be affecting this version. If it affects updated versions of the LDAP protocol, then we'll see what comes of that. Update three, and then it says, as I'm still in ATW but I'm just the only one online, have forwarded our own questions, community concerns, further testing questions to BrazenEagle via email.

Leo Laporte / Steve Gibson (00:21:59):
They have yet to respond as they are US-based. Hopefully they can provide some further answers. They said, while I'm still skeptical on the legitimacy of this issue, it would explain the companies that were breached in under an hour during testing by BrazenEagle. They stated that they had passed this exploit to us as they were working on more lucrative exploits. What that means, I'm not sure. This person, some few individuals were clearly told about this being in the works some months ago via Telegram chats, which may be perhaps some Twitter InfoSec people were talking about it at ATW. Update four briefly says, regarding what people have been suggesting on Twitter and on the issues page about this only being an LDAP issue, the problem with this is during testing phases it's only working on nginx, not on Apache or other web servers.

Leo Laporte / Steve Gibson (00:22:58):
Also nginx... oh yeah, also nginx have still not replied. They really meant F5. Anyway, DMs or email. We've emailed some companies that are affected that we've not breached, since that's, they said, heavily against our ideals, for support on the matter regarding security around this exploit. The fifth update: so we've been followed by an employee of nginx on Twitter. Through them, DM asking about the situation; no response yet. We've been working on another exploit for MongoDB and another database management framework. Looking to have the proof of concept out in a week's time, video as well. We'll be working on it with this Getworm guy on Twitter. And then finally, update six: we got a DM from nginx on Twitter regarding the issue. And I grabbed a screenshot of this Twitter dialogue.

Leo Laporte / Steve Gibson (00:24:00):
They originally said, hello, does nginx have a vulnerability disclosure program or a bug bounty program? The reply back was, please report any security-related issues concerning nginx to, and then they have mailto:security-alert@nginx.org. And then the hackers replied to that DM, already have done. Did you get the email? Is there a template you wish us to follow? So, and then lastly, nginx tweeted, addressing security weaknesses in the nginx LDAP reference implementation, and their tweet included a Bitly link. And so the end of this GitHub stream is the eighth update, reading as: nginx have now released a blog post about the public releases of information. We've emailed them with a description, some familiarities of the issue that they highlighted, and assets affected. However, people are quick to jump on the "this is fake" or "this isn't anything" bandwagon as we got no answer to

Leo Laporte / Steve Gibson (00:25:22):
if there is any bounty offered by nginx for the findings. We've not shared any deeper information about this. If there's no bounty or even reward, we've looked at other options; that would be to sell the exploit on either breached.co, exploit.in, or other sites. See, that does make me suspicious. That's kind of blackmail, almost, right? Now they're saying... Yeah. Well, and I know, I said that apparently is not against their ethics. Yeah. Although they're saying that using it directly is. And then they said, we've been offered about 200K in XMR, which is Monero, for the exploit. And then they finish, if you are thinking that we're only interested in money, then they said, yes, what do you expect? We're a threat group, LOL. So, okay. Take that for what it's worth. As for their part, nginx is playing this as though they don't think that this is much of a threat. Their posting about this is titled, as I mentioned, Addressing Security Weaknesses in the NGINX LDAP Reference Implementation.

Leo Laporte / Steve Gibson (00:26:29):
And it starts out saying, on 9 April 2022, security vulnerabilities in the NGINX LDAP reference implementation were publicly shared. We have determined that only the reference implementation is affected. NGINX Open Source and NGINX Plus are not themselves affected, just as you suggested, Leo, and no corrective action is necessary if you do not use the reference implementation. What is the ref... do they mean the config file? What do they mean by reference? Well, but you know, I got a kick out of this, 'cause you know, in other words, you weren't dumb enough to actually use the sample code of the way this could be used. Who would do that? I mean, come on. And you know, we've seen this over and over, right? The classic example from early in this podcast was when Intel published a reference implementation for UPnP, which all router vendors naturally copied and pasted into their code.

Leo Laporte / Steve Gibson (00:27:42):
Then when it was later found to be horribly defective, Intel said, well, we didn't mean for you to actually use it. We just offered it as a reference. Right? Okay. So nginx said, the NGINX LDAP reference implementation uses LDAP to authenticate users of applications being proxied by NGINX. Okay. Right. It is published as a Python daemon and related NGINX configuration at, and then they have a link, and its purpose and configuration are described in detail on our, and another link. And the blog is NGINX Plus Authenticate Users. They said, deployments of the LDAP reference implementation are affected by the vulnerabilities if any of the following three conditions apply. Below, we further discuss the conditions and how to mitigate them. So the three conditions are: command-line parameters are used to configure the Python daemon, which is what they do in the reference implementation.

Leo Laporte / Steve Gibson (00:29:03):
Or there are unused optional configuration parameters, as there are in the reference implementation, or LDAP authentication depends on specific group membership. So then they finish: note, the LDAP reference implementation is published as a reference implementation and describes the mechanics of how the integration works and all of the components required to verify the integration. It is not a production-grade LDAP solution. For example, there is no encryption of the username and password used for the sample login page, and security notices call this out. So, okay. At this point, we'll have to see how this all plays out. NGINX has a corporate interest to some degree. I mean, they have to take responsibility, but they would like to downplay it, and they appear to be sliding the responsibility for this mess onto the shoulders of those who actually implemented their reference implementation.

Leo Laporte / Steve Gibson (00:30:21):
But for all of us here, you know, there's a larger takeaway lesson, I think, to be learned. It's sort of a variation on the tyranny of the default, right? And that is: never, for the sake of simplicity or clarity, offer an insecure example or reference implementation that you are not prepared to have pretty much everyone use for real, exactly as it is offered, without modification, in a real production environment. Right. Because that's exactly what's gonna happen. Everyone's in a hurry. No one's as much in love with your stuff as you are. No one else knows it as well as you do. They don't wanna make a career out of setting it up. They just wanna get it going and, you know, install it. Okay, fine, it works good. And then move on to the next thing. So it's necessary to assume that all of the default settings are gonna be left as is, including any code or examples that are provided as samples of "this is how you set it up", because that's what's gonna happen.

Leo Laporte / Steve Gibson (00:31:37):
Yeah. I mean, that's when I set it up, that's exactly what I did. Yes. I used their example config, I'm sure. Yes. Yeah. And I followed a recipe when I set up GitLab, you know, and Leo, this thing, I just shudder when I think of what's going on. It's got so many moving pieces. I'm just typing. It's like, you know, you're the sorcerer's apprentice and you're casting spells, no idea what you're doing, into the console. Yeah. Yeah. You know, and you don't even dare type them yourself. So you copy it out of the recipe and paste it over here and you hit enter, and then the screen scrolls. I'm glad to know that you feel that way too, 'cause it's like, I just assumed that I'm an idiot

Leo Laporte / Steve Gibson (00:32:23):
and that I just don't know what I'm doing. Oh, nobody knows. Yeah. No. And like when I compile stuff, you just see, like, the compiler is just called... oh, look at the makefiles. Who even knows what all those settings, all those parameters mean? I have no idea. This is why Windows doesn't really work anymore. That's how, you know, they just press build and they just stand back. It's like, okay. You know? And then, like, does Notepad run? Okay, thank God. So on Sunday, the hacking group claimed that they had tested the zero day on the Royal Bank of Canada, but didn't explain whether the bank had actually been breached. It later said it did breach the systems of the Chinese branch of UBS Securities. Neither of those institutions responded to requests for comment from the press.

Leo Laporte / Steve Gibson (00:33:22):
But none of us should be surprised if we learn in the coming weeks, or maybe it'll be the title for next week's podcast, right, you know, of sites breached by leveraging this newly uncovered zero day in nginx's reference implementation of LDAP-based authentication. Clearly some people have just used it the way nginx said: here it is, you know, don't use it. But well, if it's here, why should we not use it? So, you know, that's how the world got UPnP from the beginning. Remember back then in the beginning of the podcast, Leo, when it turned out that Intel, oh yeah, you know, posted something that you should not use. Don't use this. It was in every router. This is how you don't wanna do it, our reference implementation. Well, you don't wanna do it. Wow. Let's take a break. I'm gonna wet my throat, and then we're gonna talk about Microsoft's new Autopatch system and have some more fun with that.

Leo Laporte / Steve Gibson (00:34:34):
You know, no one can understand everything that they're doing, and, you know, there are some risky things that everybody does. What you don't wanna do, probably, is copy and paste a curl command from a website to install their software. But you know, with a lot of software you feel like, well, I know this site, I'm sure it's okay. It's executing a shell script with, often, admin privileges on your machine. We do that. I look at makefiles that are hundreds of lines long. You're supposed to, when you're updating in Linux, when you're updating from the user repositories, you're supposed to read the scripts ahead of time to make sure they're not doing anything malicious. Ain't nobody got time for that. Come on. So no, it's really true. And when you think about it, I mean, this podcast is getting to me, I have to say, because I'll be looking for some utility somewhere, something that does something.

Leo Laporte / Steve Gibson (00:35:37):
And I find it, and it looks good, but do you dare use it? Exactly. You know, I want it. I don't have time to write it myself. So, well, you know, that's why I like open source, 'cause then somebody else can be looking at it. I find that I am dragging and dropping more things on VirusTotal these days. Yeah. I'll get something, I'll just go... that's probably a good idea. I think at least do that. If it lights up like a Christmas tree, oops, maybe not. We do the best we can, but honestly, it's such a complex world. It's really escaped everyone's control. Yeah. Yeah. But you're right. This show does make you a little bit paranoid. That's the beauty of it. And that's why PlexTrac is here, sponsoring this segment of Security

Leo Laporte / Steve Gibson (00:36:29):
Now. They are the purple teaming platform, a proactive cybersecurity management platform. If you're on a red team or a blue team, you want PlexTrac, trust me. It'll just make your life easier. You know? Maybe you've heard the term purple teaming. Maybe you're interested in doing that, but you don't know how to get started. Or maybe you're working to mature your security posture, but you're having trouble getting the teams to collaborate. You want to improve the efficiency of your pen testing, that kind of thing. PlexTrac was made for you. It is a very powerful but easy to use, very simple security platform. Centralizes all your security assessments, all your pen test reports, all your audit findings, all your vulnerability tracking into one simple platform. Makes it very easy to do reports. You can drag and drop stuff from all of your various tools.

Leo Laporte / Steve Gibson (00:37:24):
You can generate visualizations, you can use templates. So if you find yourself, and who doesn't, you know, if you're on a red team typing the same assessment a hundred times over, you can have templates to do this. PlexTrac transforms the risk management cycle, lets security teams generate better reports, do it faster with less busy work. You can aggregate and visualize analytics. And I think really most importantly, you can collaborate on remediation with your blue team in real time. So there are a number of modules. I'll tell you about a few of them. There's the reports module. Risk reports are really, really important. This is a very easy, nice way. If this were just PlexTrac alone, you would want this. You could put in code samples, screenshots, videos into your findings and import them from all the major scanning tools.

Leo Laporte / Steve Gibson (00:38:17):
You can have custom templates, so you have a kind of a standardized look to all your reports. And the visualizations are fantastic. Actually, there's an analytics module that is really sweet. Lets you visualize your security posture so you can assess and prioritize, get a much more effective workflow. And it maps risks to frameworks like MITRE ATT&CK you're already using. So you can create a risk register. Do you do tabletop exercises? Do you do red team engagements, that kind of thing? You'll love the runbooks module. It's great. It facilitates those breach and attack simulations, teaming activities. It improves collaboration and cooperation between teams. It really upgrades your program's capabilities and makes the most of every team member and every tool. It is such a nice thing to have. And it generates reports that, you know, if you have to report to your boss, the CISO, the board, the other C-levels, it's really nice to have these very visual graphic reports so that they can completely understand what the issues are and what you've done to fix them.

Leo Laporte / Steve Gibson (00:39:27):
It'll streamline your pen tests, your security assessments, your incident response reports. It'll keep red and blue teams focused on getting the real job done instead of a lot of typing. With PlexTrac, you're gonna gain precious time back in your day, you're gonna improve employee morale. Just visit the site. Lots of testimonials there, like somebody who's at Jacobs Engineering, an enterprise customer. He said deploying PlexTrac allowed our team to cut the reporting cycle by 65%. That's phenomenal. Makes you so much more effective. Book a demo today. See how the PlexTrac platform can save your team. You can even try it free for a month. See how it can improve the efficiency of your security exercises. Go to PlexTrac, P-L-E-X-T-R-A-C, plextrac.com/twit to get that free month. plextrac.com/twit. We thank them so much for supporting Security Now.

Leo Laporte / Steve Gibson (00:40:25):
Now. Just use that address, plextrac.com/twit. I know it doesn't say Security Now. This is the only place they're advertising. They know it's from Security Now. It really helps Steve. plextrac.com/twit. It's gonna help you too. I really think you're gonna love it. Back to Mr. Gibson. Okay. Okay. All right. A bunch of the tech press covered the news of Microsoft's new Autopatch system, and some noted that it was gonna make Patch Tuesdays much less exciting, because, you know, it's excitement that you're hoping for whenever Microsoft updates your system, like, where did all my desktop icons go? Okay. No one ever said that using Windows was boring. That's not something you hear often. Lior Bela, a senior product marketing manager at Microsoft, explained. He said, this service will keep Windows and Office software on enrolled endpoints up to date automatically at no additional cost.

Leo Laporte / Steve Gibson (00:41:42):
The second, this is still him, the second Tuesday of every month will be just another Tuesday. Yeah. Right? Like the Pandora's box that it's been recently, or rather, unlike the Pandora's box that it's been recently. So, okay. What is this? It's gonna be interesting to see how this goes. Microsoft explained, 'cause I, you know, I thought we already had automatic updates, right? Autopatch. Okay. Microsoft explained that, quote, Windows Autopatch manages all aspects of deployment groups for Windows 10 and 11 quality and feature updates, drivers, firmware, and Microsoft 365 Apps for enterprise updates. It moves the update orchestration from organizations to Microsoft, with the burden of planning the update process, including rollout and sequencing, no longer on the organization's IT teams.

Leo Laporte / Steve Gibson (00:42:49):
Okay. But anyone who's been around in the industry knows that the whole point of giving control to IT teams was to allow them to carefully roll out Windows updates to enterprise machines only after first vetting those changes to make sure they didn't break anything mission critical. And yes, it's a big pain in the butt, but it's proven to be necessary over time, since Windows updates have established such a track record of breaking things. You know, like you roll out an update and now nobody in the organization can print anymore. That might be your problem. So, okay. What's Autopatch? How does it work? What does it do? Microsoft plans to automate the process that IT teams have been performing for themselves in house. The service automatically divides an organization's entire population of Windows machines into four groups known as testing rings.

Leo Laporte / Steve Gibson (00:44:05):
Microsoft likes their rings. So we have more rings. Now we have the test ring, the first ring, the fast ring, and the broad ring. Oh really? I'm not kidding you. Oh man. I wanna be in the broad ring, whatever that is. I want the broad, yeah. If it's last, that's where I want to be. Yeah. So we've got test, first, fast, and broad. The test ring will contain a minimum number of devices. The first ring will contain about 1% of all endpoints that need to be kept up to date. The fast ring will have around 9%, and the broad ring will have the remaining 90% of all devices. So a few in the test ring, 1%, 9%, and 90%. Lior Bela said that, he said, the population of these rings is managed automatically. So as devices come and go, the rings maintain their representative samples.

Leo Laporte / Steve Gibson (00:45:19):
Samples. Since every organization is unique, though, he said the ability to move specific devices from one ring to another is retained by enterprise IT admins, even though he started off by saying the population of these rings is managed automatically. So I guess that means automatically unless someone moves something somewhere, 'cause they don't want it in that ring. Okay. Once these testing rings are set up, updates will be deployed progressively, beginning with the test ring and moving, presumably if it doesn't melt down, moving to larger sets of devices following a validation period through which device performance is monitored and compared to pre-update metrics, which, you know, there's some corporate speak for you. So I was like, huh, all I'm getting now is a blue screen. I don't think this compares favorably to my pre-update metrics. What do you think? So anyway, Microsoft announced that this new Windows Autopatch service will be released this summer, in July, either way.

Leo Laporte / Steve Gibson (00:46:43):
The good news is it won't bother non-enterprise end users, like hopefully most of us, since it will be a new managed service offered for free to all Microsoft customers who already have a Windows 10 and 11 Enterprise E3 or above license, whatever that is. If you have one, you probably know. Okay, now the good news is Autopatch includes halt, and I wanted to say halt and catch fire, but no, halt and rollback features that will automatically block updates from being applied to higher test rings or roll them back automatically. Okay, that's good. But listen to this one. The product manager said something that I had to decode. He said, quote, whenever issues arise with any Autopatch update, the remediation gets incorporated and applied to future deployments, affording a level of proactive service that no IT admin team could easily replicate. As Autopatch serves more updates, it only gets better.

Leo Laporte / Steve Gibson (00:48:07):
Okay. Okay. What I think he said was that when Autopatch breaks something, it learns about that breakage and doesn't do it again. You know, what, on that one machine, or on any of that enterprise's other machines, or on similar machines, you know, this is beginning to feel like more of that we-don't-know-for-sure-where-Windows-11-will-run hocus pocus. You know, like, where did all of the actual computer science go? It sounds like Microsoft is using their telemetry feedback, and the fact that updating their operating system has become so problematic, that they're gonna turn all of the machines owned by all of their enterprise customers into a gigantic neural network of let's try this and see what happens. Anyway, I've never felt so glad to be a lowly end user. This is gonna be interesting, and I'll be listening to Windows Weekly to see what Paul and Mary Jo think about this, because, wow.

Leo Laporte / Steve Gibson (00:49:23):
I, you know, I could, I guess if you have sort of a midsize enterprise that didn't have the excess revenue to staff this kind of IT admin team that you now need, as evidenced by this, I mean, this is responding to need, right? So, you know, like where every second Tuesday of the month, this team stops their regular business in order to figure out what this month's updates will do to their enterprise. And so they've got a set of representative machines, you know, endpoints, running their corporate stuff. And so they first install the updates there and then see if everything works, like, oh, did this break it? Can we still print? Can we log in? Does our app go? And if so, then I'm sure they hold their breath and they say, okay, let's roll this out to the fourth floor and see if it survives. And if so, then they continue.

Leo Laporte / Steve Gibson (00:50:37):
And so it's interesting to me that Microsoft has decided, okay, yeah, we're gonna do that now. Just, you know, Autopatch. It ought to be Autoprayer. Anyway, we'll see. It'll be interesting to see what happens. As I mentioned, we have another instance of Russian protest that has appeared in JavaScript's open source repository. On March 17th, so today's the 12th, almost a month ago, the Russia-based developer Victor Mu, who's also known as Yaffle, and since that's much easier we'll call him Yaffle, altered his popular npm library known as event-source-polyfill. This change, which was introduced in version 1.0.26 of event-source-polyfill, will cause web applications built with this now-latest version of the library, and it's still current, by the way, nearly a month later this is still in place, it will cause web applications built with this update to display anti-war messages protesting the, quote, unreasonable invasion of Ukraine, to Russia-based users 15 seconds after a webpage which incorporates this code is displayed.

Leo Laporte / Steve Gibson (00:52:19):
Okay, now polyfill packages, we might also call them backfill packages, but polyfill is their official name, implement sets of newer JavaScript features on web browsers that do not yet support them. In this case, the event-source-polyfill package that's been deliberately polluted by its developer implements the very useful JavaScript EventSource API. This API allows a webpage to open a persistent connection back to an HTTP server, which then sends events to the browser. And it's a one-way connection which remains open until it's explicitly closed by calling the EventSource.close() function. So what's interesting is why anyone would need to backfill this particular API, since it's been present in all major browsers for quite a while. It was first adopted by Chrome and Firefox, get this, in their respective version 6s. I didn't even, yeah, we're up to a hundred now. Yes. Firefox is at 98 and Chrome is at a hundred. But what's interesting,

Leo Laporte / Steve Gibson (00:53:45):
Leo, is the chart showing the API's adoption profile had a single interesting and glaring exception: Internet Explorer. And it is probably the case that Russia remains the surviving bastion of Internet Explorer use. Oh, so, and by the, oh my God. And by the way, Leo, if you didn't see Colbert last night. Oh goodness. He had something, they re-subtitled Putin talking to the camera. Oh, that'll be fun. It was, I'll watch that. It was quite good. He was trying to raise money for Russia and was, for example, offering a box puzzle of, and he said, with only four pieces missing. And oh, and that's just the tip of the iceberg. It's, you know, Colbert and his writers at their finest. So anyway, in order for Russia's inventory of IE to be able to run web applications that rely upon the EventSource API, that support needs to be provided by this polyfill library. But given how pervasive the use of Yaffle's event-source-polyfill package is, and given that it's only needed by IE, since all other browsers have incorporated the API natively for years,

Leo Laporte / Steve Gibson (00:55:20):
I mean, I didn't go back to figure out when version six of Firefox and Chrome were, but I mean, it is a while ago. It must mostly be due to other developers not having yet proactively removed it from their own package dependencies, because, get this, it is currently used by more than 130,000 GitHub repositories. 135,000, wow, individual repositories. And it's being downloaded more than 600,000 times every week on npm for incorporation into those other packages whenever they're rebuilt. Now of course, the bigger concern here is that, you know, it's the use of what should be a rigorously politically neutral software API being repurposed to inject its author's political sentiment, you know, whether or not we agree with it, I happen to, but still, you know, into the use of their software package. The users, and think about this, the users who see this sudden anti-war protest popup have no idea where it's coming from.

Leo Laporte / Steve Gibson (00:56:49):
They don't know that it was buried in some inter-package API dependency and that it wasn't put up by and reflective of the website or web app they're using. In fact, since everything else they see is coming from the website or web app they're using, that's exactly what they're gonna think. So it really seems wrong. It's the abuse of the implicit trust by the developers who have chosen to use and depend upon this package. That's the problem. And over time, with repeated incidents like this, this is the third one recently, you know, that we know of, that like deliberate alteration of the package for this purpose, the abuse of this trust is gonna weaken the entire ecosystem.

Leo Laporte / Steve Gibson (00:57:45):
And maybe that's not, in a way, such a bad outcome. Perhaps it should be weakened. That is, perhaps we need to revisit all of this. The very fact that a package's author and maintainer was able to cause their package to behave in a way that its dependent users may well disapprove of should serve as further demonstration of just how rickety, from a security standpoint, this entire package repository, you know, dependency tree ecosystem has become. In the case of npm and the browsers that run this code, they're going to start needing to not trust the code that's being sourced by the same origin server, not just sequester non-same-origin code, but, you know, the stuff coming from the origin server. And if that has to happen, that's a game changer. And of course, npm is only one instance from the world of open source public repository supply chains. There are many more. You know, Maven, Java's similar supply chain, is equally prone.

Leo Laporte / Steve Gibson (00:59:07):
So what we've built is not robust in the face of an active adversary, and unfortunately our adversaries are becoming more active. I did wanna quickly note for anybody who might be hanging back that April 2022, next month, oh no, we're in April now. Sorry. We're in April now. Next month, May, will be end of service life for Windows 10 20H2, and a different form of it for 1909. For Win 10 20H2, which was also known as the October 2020 update, it reaches end of service life for Home, Pro, Pro Education, and Pro for Workstations. The Enterprise, Education, and IoT Enterprise editions receive one additional year of support. So they will be reaching their end of life on May 9th, 2023. And this also means that next month, the already end-of-service Win 10 1909, which previously ended for Home, Pro, Pro Education, and Pro for Workstation users, will also finally be ending for their Enterprise, Education, and IoT Enterprise editions next month.

Leo Laporte / Steve Gibson (01:00:37):
So next Patch Tuesday, May 10th, will be the last round of updates for anyone still on Windows 10 20H2 who's not using Enterprise, Education, or IoT. And so, you know, that means you get two months, basically 60 days from now, until you would have received an update, which you won't until you update. So just a heads up for anybody who may have been holding back and, you know, for whatever reason deciding that you wanted to stay where you are: you will stop being able to get security updates. And just a random little bit of miscellany. We have a neighbor whose son uses Coinbase to manage and retain all of his cryptocurrency, and he's been urging them to buy and hold some Bitcoin. Okay. Independent of the value of any cryptocurrency as a buy and hold asset, which, Leo, I'm dubious about, as you are,

Leo Laporte / Steve Gibson (01:01:45):
I made a comment about the general inadvisability, yes, to them, of leaving any sizable investment in crypto online, noting that many exchanges had been breached and that Coinbase had not escaped from that. They suffered a breach back in 2019, and exactly a year ago, between March and May of 2021, they acknowledged that more than 6,000 of their customers were hacked in a large scale email phishing campaign which tricked their customers into giving up the email addresses, passwords, and phone numbers associated with their accounts. I explained to my neighbors that the only safe practice was to remove any especially large amount of crypto, put it on a hard drive, well, and then stick it in the corner of your office.

Leo Laporte / Steve Gibson (01:02:43):
Well, and as we know, the only thing you really need to hold onto is your address. Yeah. Right. I mean, it's the wallet itself. If you look at the wallet.dat file in many wallets, it's just a long, long number. And that's your account number. So yeah, I'll hold his password for him if he wants. So, well, and so I thought it was also interesting that these 6,000 customers a year ago were phished, right? Yeah. This discussion. Yes. This discussion made me a bit curious. So I went over to coinbase.com and attempted to sign in without an account. And I discovered in two seconds, here's the problem, that they made one of the cardinal mistakes of online security. And, you know, if it was, you know, a site where you log in to post about recipes or something, fine. This is Coinbase.

Leo Laporte / Steve Gibson (01:03:47):
They show an attacker when they have guessed wrong about an account's email. So I went to Coinbase and I put in bingo-zonk-dingo. Oh, I have to try that in my password for my wallet. That's good. I like it. bingo-zonk-dingo@gmail.com. And what happened, Steve? And I pressed the button, and it lit up in red, and it said, no Coinbase account for this email, please check your spelling or create an account. Oh, that's the worst possible thing they could do. Yes. Because now it means that any group of attackers or bots can now guess email addresses and they will be told. You know, it's fine to take the email or account name first and separately, but never tell the user that their account is unknown, because then I could just enter in emails until I get one that says, oh, that's not your password.

Leo Laporte / Steve Gibson (01:04:57):
Yes. And I know it's an address of an actual user. Yes. And now you begin the phish campaign. Yeah. You know, so always ask for their password regardless of whether or not the account is known. Yes. Then tell the user that there's a problem logging in, please check their account name and password. You know, now I understand from a customer service standpoint that it's much less confusing to a user to provide them with immediate feedback when they've entered their email address or their username at the first stage. But the reason it's much less confusing is exactly why it provides an advantage to any attacker who's now able to probe that service for its database of existing accounts. You know, in the case of Coinbase, an attacker might know someone's email address and wish to know whether they have an account on Coinbase. Coinbase lets them know immediately. I just couldn't believe it.

Leo Laporte / Steve Gibson (01:06:01):
So hacked, you know, recently. Yeah. Guess why. Wow. Okay. Three bits of closing the loop. And then we will do our third sponsor and talk about what's happened with Spring4Shell. Mementh tweeted me, @mementh, M-E-M-E-N-T-H. He said, time based port knocking. Oh, you have an authenticator app, and the port knocker gets that and generates the ports to knock. And I thought that's kind of brilliant. I asked him whether he'd come up with this on his own, or may have seen it somewhere, since I wanted to give him credit for a brilliant and clever solution. It solves and resolves the static knock replay attack and the brute force knock guessing problems in the same way that a one-time password solves the same problems for passwords, assuming that the client and server are able to both obtain an awareness of the time of day.

Leo Laporte / Steve Gibson (01:07:09):
So they're synchronized. The port listening server could be continuously receiving incoming port knocks into a ring buffer, and whenever it adds a knock to the buffer, it would scan the buffer for the current knock sequence, all coming from the same IP address. And if they're present, you're in. And something else occurred to me as I was writing this up that I hadn't seen anywhere: what a nice bit of client-controllable data that's also logged in the typical firewall log. And that's, you know, for the implementations where you simply want to be watching the firewall's log and process the log on the fly. Most firewalls log not only the source IP but also the source port, and although ICMP based knocking doesn't have any port, both UDP and TCP do. So manipulating the knocking packet's source port doubles the number of entropy bits per packet from 16 to 32 without any other additional complexity. You don't have to worry about the content of the packet.

Leo Laporte / Steve Gibson (01:08:23):
It might just be SYN packets, right. And so you can control the source port of the SYN when you're generating it. So anyway, we got a lot of interesting feedback from people. It turns out that a bunch of our listeners had never heard of port knocking before, and they were grateful for the episode, and also a bunch had implemented it in different ways. So I like the time based port knocks. That's a really cool idea, isn't it? Yeah, yeah, yeah. Basically you take the one-time password concept and employ it. I think it's very neat. Vira PE said, re port knocking, episode 865. He said, I do something a little bit different, but I think it's just as cool. I have iptables log all the packets just above the drop. This is a little messy in the logs, but I have fail2ban watching the log.

Leo Laporte / Steve Gibson (01:09:23):
If someone is port knocking or scanning my host, three failed attempts on any closed port, I block that IP for a week. The idea is the people I want to talk to my services on random ports know what port they're on, so they have no reason to try other closed ports. So anyway, I thought that was an interesting approach, too. And I did agree that a mature port knocking system ought to definitely have an IP-based lockout, just, you know, as an additional layer of security. And finally, someone who's using the moniker Lay the Proud Usurpers Low. Wow. He, yes, that's Shakespearean. Wow. Yeah. That's E. Hastings. He said, dear Steve, regarding SpinRite 6.1 and successors, is there any spot on your timeline for a version that is Apple Silicon native? He said, before the new systems, I had hoped that there would be a Mac native release. That would seem to be far off at best.

Leo Laporte / Steve Gibson (01:10:36):
What can you report? Thanks, Gene. And the bad news is no. I can pretty much assert, like, absolutely, that I will not be doing an ARM based version for native Apple Silicon. The next SpinRite will run on Intel Macs, you know, for sure. That's definitely on the short term timeline. But I'm still writing it largely in assembler, and life is too short. It's not fun to hand code ARM. It would also be really tricky because people who are using Macs almost always are using the Apple controller, which I'm sure is very closed and hidden. I mean, there's USB drives and there's Thunderbolt drives. You could diagnose those, but they could just put those in a PC. But the drives internal to your Mac? Good luck. Good luck.

Leo Laporte / Steve Gibson (01:11:36):
Yeah. Yeah. That's not gonna be easy. And Steve, by the way, there's no truth to the rumor that he is going to rename his Twitter account Tyrants Fall in Every Foe. But I think, Hastings, it was a nice try anyway. Yeah. Our show today brought to you by ZipRecruiter. If you are hiring, hey, bravo. I saw the unemployment rate now is as low as it's been in years. People are, despite what you may have heard about the great resignation, they're going to work. And one of the reasons is employers are focusing on making it a better job. 90% of employers, according to the latest research, plan to make enhancing the employee experience a top priority in 2022. We've gotta do something to keep people coming back to work. We started four day work weeks for our employees.

Leo Laporte / Steve Gibson (01:12:33):
I think they really like it. There are other things you can do to make your employees feel valued. Just, you know, getting their input on what you're up to, making the company culture something a little less toxic, offer more learning opportunities. I think that's a really nice thing to do. Say, hey, we'll pay for your education. You benefit as the employer, the employee benefits, it's a win for everybody. We do the more flexible work schedules, that's for sure. Show a little empathy, always a good idea. And if you're ready to hire and you wanna find the right employees, you gotta go to ZipRecruiter. Their matching technology helps you find the right people for your roles fast, fast, fast. Right now you can try ZipRecruiter for free at ziprecruiter.com/securitynow. ZipRecruiter uses very powerful matching technology to look at all the resumes it has on file, to look at the requirements you have for your opening, and then match the right candidates up with your job.

Leo Laporte / Steve Gibson (01:13:36):
It proactively presents the best candidates to you. You can review the recommendations and invite your top choices to apply for your job. And evidence is very strong that when you invite somebody to apply to a job, they're much more likely to apply faster, come to the interview, take the job. It's flattering, isn't it, to be asked, hey, you know what? You look like you'd be great for this. It's one of the many reasons ZipRecruiter is the number one rated hiring site in the US based on G2 ratings. We use ZipRecruiter, very happy. A number of our employees came to us through ZipRecruiter. One of the reasons we like it is that four out of five employers who post on ZipRecruiter get a quality candidate within the first day. Our experience has been within hours. I mean, it's truly an amazing system. Find the right employees for your nice new shiny workplace.

Leo Laporte / Steve Gibson (01:14:26):
The one you've polished up to make, you know, really great. You want those best people coming in and working for you, don't you? ZipRecruiter's the way. Try it for free. Our special address is ziprecruiter.com/securitynow. Please use that address so they know you saw it here. ziprecruiter.com/securitynow, S-E-C-U-R-I-T-Y-N-O-W. It probably says it right now on your podcast app. ziprecruiter.com/securitynow. ZipRecruiter is the smartest way to hire. We use it, you should too. ziprecruiter.com/securitynow. Okay. On we go with the show. So as I noted at the top of the podcast, Spring4Shell is no longer theoretical. Attacks have begun. Last week, we introduced the latest Java based flaw that has been found in VMware's spring.io web framework, which at the time was still only theoretical. Recall that there had been questioning even about just how bad this potential RCE, you know, remote code execution exploit would turn out to be. Flashpoint had said, current information suggests in order to exploit the vulnerability, attackers will have to locate and identify app instances that actually use the DeserializationUtils, something already known by developers to be dangerous.

Leo Laporte / Steve Gibson (01:16:02):
And I was a little skeptical of that, whether developers even know that. I doubt it. And Rapid7 said that despite the public availability of proof of concept exploits, it's currently unclear which real world applications use the vulnerable functionality. It's less unclear now. They also said, and configuration and JRE version may also be significant factors in exploitability and in the likelihood of widespread adoption. I don't know why everybody was, you know, the security firms were downplaying this, but CERT's Will Dormann tweeted the quote: the Spring4Shell exploit in the wild appears to work against the stock handling form submission sample code from spring.io. And gee, do you think anybody would've taken that sample code and just modified it a little bit for their own purposes? Hmm. I don't know. Maybe it's a reference implementation. Maybe if the sample code is vulnerable, he said, then I suspect, and Will tweeted,

Leo Laporte / Steve Gibson (01:17:09):
he tweeted that there are indeed real world apps out there that are vulnerable to remote code execution. And recall that this one got a 9.8 on the CVSS scale. Now CISA is warning of active exploitation of the critical, it's now considered, obviously, at 9.8, as critical, Spring4Shell vulnerability. So it appears that 9.8 was prescient and is being earned. CISA has added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities catalog, that's with a capital K, Known Exploited Vulnerabilities catalog, based on evidence of active exploitation. Praetorian researchers Anthony Weems and Dallas Kaman noted that exploitation requires an endpoint with DataBinder enabled, in other words, an HTTP POST request that decodes data from the request body automatically, and depends heavily on the server container for the application. Okay. Now the automatic decoding of a POST fits in with Will Dormann's observation that spring.io's sample code for handling form submission is itself vulnerable.

Leo Laporte / Steve Gibson (01:18:41):
Although details of in-the-wild abuse are still a bit unclear, the information security company SecurityScorecard said active scanning for this vulnerability has been observed coming from the usual suspects, like Russian and Chinese IP space. And so I guess Russia's still connected to the internet. Anyway, Spring4Shell vulnerability scanning activities have also been spotted by Akamai and Palo Alto Networks' Unit 42, with the attempts leading to the deployment of a web shell for backdoor access and to execute arbitrary commands on the server, with a goal of delivering other malware or spreading within the target network. So no big surprise there. Spring4Shell has created yet another new way of jimmying the front door lock in order to install a permanent back door. Check Point Research said during the first four days after the vulnerability outbreak, again, first four days, this is why that t-shirt at the top of the show notes is so relevant, you know, Exploit Wednesday,

Leo Laporte / Steve Gibson (01:19:57):
First four days after the vulnerability outbreak, 16%, 16% of organizations worldwide were impacted by exploitation attempts, and they added that they had detected 37,000 Spring4Shell-related attacks over the weekend. I have a graph of the explosion of the scanning for this vulnerability in the show notes, showing on March 31st a little tiny bar, maybe 5,000; then the next day, April 1st, it jumps to 10,000 in that day; on the second it looks like it's around 13,000; and on the third it's a little more than 14,000 per day. Microsoft 365 Defender Threat Intelligence team chimed in, stating it has been tracking a low volume of exploit attempts across our cloud services, that is, specifically Microsoft's, for Spring Cloud and Spring Core vulnerabilities. There are, by the way, a pair of Spring vulnerabilities, both 9.8. And according to statistics released by Sonatype, potentially vulnerable versions of the Spring Framework account for 81% of the total downloads from the Maven Central repository since the issue came to light on March 31st. Let me repeat that.

Leo Laporte / Steve Gibson (01:21:45):
Sonatype tracked that vulnerable versions of the Spring Framework accounted for 81% of the total downloads from the Maven Central repository since it came to light at the end of March. So since that time, four out of five of all downloads were potentially vulnerable. Cisco, which quickly jumped to investigate its own lineup to determine which of its products might be impacted, confirmed that three of its products are affected: the Cisco Crosswork Optimization Engine, Cisco Crosswork Zero Touch Provisioning, and Cisco Edge Intelligence are all vulnerable. So if you know of you or your organization using those, make sure that they're patched, 'cause this thing is exploding in terms of its, you know, bad guys looking to exploit it. VMware, spring.io's parent company, has said that three of its products are vulnerable: their Tanzu Application Service for VMs, the Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition.

Leo Laporte / Steve Gibson (01:22:57):
They've made patches and workarounds available as needed. VMware said a malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system. Okay. Saying that the way they would say it if it weren't VMware, you know, anybody on the internet who is able to access an unpatched instance can gain full control of the target system. So that's not good. So again, look how quickly we moved from "there may be a problem here, but we're not sure" to "oh crap, cancel Christmas." You know, that's the reality of today's world. To flesh this out a bit further, SecurityScorecard wrote that on Thursday, March 31st, a patch for a widely used Java framework called the Spring Framework was given the designation, and then they list this, the CVE, it's 22965, with a CVSS score of 9.8.

Leo Laporte / Steve Gibson (01:24:08):
That's the bad news, they said, for a lot of companies that make use of this framework for delivery of their web applications, services, and APIs. They said this is a remote code execution vulnerability, and the ease of exploitation is partly why it has earned a 9.8 out of 10 on the CVSS score. And they reminded us that way back in 2010, there was a remote code execution for the Spring Framework version 2.5, which fixed the vulnerability discovered then about unsafe class.class URLs. That was where the problem was. This new remote code execution is related to that vulnerability. The fix 12 years ago was to forbid jumping from a class to a class loader. And the fix this time is to forbid jumping from a class to a module. So basically one step up in the hierarchy. That was, you know, we talked last week about the fact that there had been a problem 12 years ago and that the new exploit was a workaround of that problem.

Leo Laporte / Steve Gibson (01:25:22):
So the point is this has been present and vulnerable for 12 years. It's just that no one stumbled on it; they were blocked by the change that was made 12 years ago. So let's go up a level in the hierarchy and go in there. So the saving grace is that this only became present in JDK 9. And hence I actually saw some suggestions that if for some reason it was not possible for an enterprise to update their instance of Java, they suggested if you recompiled around JDK 8 and your app was compatible with JDK 8, that was another way of solving the problem, since it did not have the bug. So if anyone's interested in much more detail, the deepest level of nitty gritty about this was on the SecurityScorecard site.

Leo Laporte / Steve Gibson (01:26:29):
I've got a link in the show notes, but they said in their conclusion, they said, if this feels all too familiar and is reminding you of the Equifax hack that was due to an exploitation of the Apache Struts 2 framework, then your instinct is spot on. This is the same kind of vulnerability. And on top of everything else, the Spring4Shell vulnerability is also now, since the start of April, being actively exploited by threat actors to execute the Mirai botnet malware, and for some reason focusing, at the moment at least, within the Singapore region. In their posting titled "Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware," Trend Micro researchers said that the exploitation allows threat actors to download the Mirai sample to the /tmp folder and execute them after making a permission change using chmod. They wrote that they began seeing malicious activities at the start of April, and they also found the malware file server with other variants of the sample for differing CPU architectures.

Leo Laporte / Steve Gibson (01:27:57):
And of course that makes sense, since Java is a multi-architecture language; it's executed by its own JVM. Trend Micro's writeup is by far the most in depth, even more so than SecurityScorecard's, and it's the most detailed analysis that I've encountered. So I've got a link in the show notes for anyone who's interested, and it makes sense that botnets would be quick to jump on this, 'cause it's gonna be, to some degree, a time-limited vulnerability. And it's not the first time we've seen this. In December of last year, multiple botnets, including Mirai and Kinsing, were found to be leveraging the Log4Shell Java vulnerability to breach susceptible servers on the internet. And as we know, Mirai, which means "future" in Japanese, is the name given to the Linux-hosted malware which has continued to target networked smart home devices, you know, IP cameras, routers, and then link them into botnets, primarily for DDoSing. Intel 471 researchers said last month that the Mirai code is so influential that even some of the malware offshoots are starting to have their own code versions released and co-opted by other cybercriminals.

Leo Laporte / Steve Gibson (01:29:21):
Remember that Mirai source code escaped and was then found in the wild, and some other offshoots of Mirai were created in January. CrowdStrike noted that, compared to 2020, malware targeting Linux-based systems had increased by 35% during 2021. And Intel said that the primary purpose of these malware families is to compromise vulnerable internet-connected devices and amass them into botnets and use them to perform distributed denial of service attacks. And of course we all know all too well just how powerful and prevalent DDoS attacks have become today. So anyway, once again we see, you know, there was a first item that we talked about last week, which was that, you know, someone had discovered a new way around a problem that had been patched 12 years before. The security community was like, well, we're not sure.

Leo Laporte / Steve Gibson (01:30:25):
Maybe it depends upon the, you know, the settings. But Will Dormann said, you know, the default sample code, it's vulnerable. What do you know? Yeah. The reference implementation, it's vulnerable. You think that might be a problem? Wow. Wow. Wow. Wow. Wow. So yikes, 37,000 compromise attacks at this point. You kind of feel like you're hearing news happen, you know, right in front of your eyes. You know, it's kind of amazing. Yeah. Yeah. That's why it's worth listening to Security Now. Every Tuesday we do it around 1:30 Pacific, 4:30 Eastern, 2030 UTC. If you wanna watch or listen live, live.twit.tv. If you're watching live, chat live at irc.twit.tv, or join our Club TWiT; you could chat in the Discord. Actually, that's just a small fraction of the things that happen in the Discord. It's a very active place to go to talk about all kinds of geeky subjects.

Leo Laporte / Steve Gibson (01:31:28):
And you get ad-free versions of all the shows, and you get the TWiT Plus feed, which is full of stuff that didn't get on air or shows that we're preparing for a future in the public, like the Untitled Linux Show and Stacey's Book Club. And This Week in Space recently came out of the TWiT Club and is now public. All of that for seven bucks a month at twit.tv/clubtwit. You can also get copies of the show after the fact from Steve. He's got two unique versions of the show: a 16 kilobit audio version for the bandwidth-impaired, and he also has beautifully crafted, human-crafted versions of the transcript at his site, grc.com. While you're there, pick up a copy of SpinRite. That's his daily bread, the world's finest mass storage maintenance and recovery utility. 6.0 is the current version.

Leo Laporte / Steve Gibson (01:32:20):
Soon to be 6.1. You'll get 6.1 for free if you buy today, but you'll also get to participate in the development of it. That's at grc.com, along with ShieldsUP and all of his free stuff and lots of good information, grc.com. You can leave Steve feedback there, grc.com/feedback, but it's even easier to do it on his Twitter account. He's @SGgrc, for Steve Gibson, GRC: SGgrc, Steve Gibson, Gibson Research Corporation, on the Twitter, and his DMs are open. So slide on in, leave him a message. We have copies of the show, 64 kilobit audio and video, at our website too, twit.tv/sn for Security Now. There's a dedicated YouTube channel, of course, as there is for all of our shows. Best way to do it, though, as with any podcast, is get a podcast client. There are very many, and just subscribe to Security

Leo Laporte / Steve Gibson / Jason Howell (01:33:14):
Now. That way you get it automatically; you don't have to think about it. You just know it's there of a Tuesday, ready for your listening. Steve, have a great week. I'm gonna go back to version two of the Bobiverse, volume two. Oh, good. Yeah. Catching up. I'm continuing to wade through number four. I'm at like 83%, and it's like, okay, well, I have to finish this, but there's no number five, right? Four's the last one. Yeah. There's not. He's actually talking about, threatening I should say, a fifth one. Okay. But he's busy doing some other stuff. Okay. But I can vouch for the first two. They're great. Oh yeah, Leo, it is definitely fun. Yeah. The trilogy is worthwhile. Yeah. Thanks, Steve. Have a great week. We'll see you next time on Security Now. Thanks. Bye. Don't miss All About Android. Every week we talk about the latest news, hardware, apps, and now all the developer goodness happening in the Android ecosystem. I'm Jason Howell, also joined by Ron Richards, Florence Ion, and our newest co-host on the panel, Huyen Tue Dao, who brings her developer chops. Really great stuff. We also invite people from all over the Android ecosystem to talk about this mobile platform we love so much. Join us every Tuesday, All About Android on twit.tv.

... (01:34:35):
Security.

... (01:34:36):
Now.