Hacking Team Dump: Windows Zero Day

Microsoft Patches Flaw That Was Pitched to Spyware Vendor
Hacking Team Dump: Windows Zero Day

After a bug seller approached Italian spyware vendor Hacking Team, proposing to sell it details of a zero-day exploit that could compromise a fully patched version of Internet Explorer 11 running on Windows 7 or Windows 8.1, the surveillance software vendor apparently declined to make the purchase.

See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry

But in the data dump that followed the hack of Hacking Team, researchers at security firm Vectra Networks say they found the emails between the spyware maker and the bug seller and were able to reverse-engineer the exploit and warn Microsoft.

Microsoft released a fix for the bug July 14 in in its monthly batch of security updates.

Vectra says it notified Microsoft about the flaw on July 9, then waited to release details of the flaw until a Windows fix had been released, just five days later. "They were able to work on this very quickly," threat researcher Wade Williamson, director of product marketing at Vectra Networks, tells Information Security Media Group.


Wade Williamson of Vectra Networks talks about finding details of a new zero-day Windows flaw in the Hacking Team dump.

The now-fixed flaw - CVE-2015-2425 - is a use-after-free vulnerability that could use JavaScript to allow an attacker to bypass some of the information security defenses - such as data execution prevention - that are built into Windows, Williamson says. The flaw is completely separate from the three Adobe Flash flaws and Oracle Java 8 flaws that were also found by researchers in the 400 GB of dumped Hacking Team information (see Zero-Day Exploit Alert: Flash, Java). Those flaws have also now been patched by Adobe and Oracle, and security experts have recommended that anyone using that software update it immediately, or else disable or uninstall it.

Hacking Team, which sells spyware to police and government surveillance agencies, appeared to not buy the zero-day flaw from the bug seller because of the amount of effort that would have been required to take the bug and turn it into a working exploit, or "weaponize" it. "It even looked like the folks who had found it didn't know how it fully worked," Williamson says. "So our team dove into this, and it's a really interesting, fairly complex bug. But after some digging, we definitely found that it is exploitable."

Exploiting the vulnerability would give an attacker full control over a Windows system, Trend Micro security researcher Peter Pi warns in a blog post. "Simply put, if an attacker successfully exploits the vulnerability, he can basically run any code on the system." But he says that Windows 7 is more at risk than Windows 8.1, for which "a successful attack would [also] require a separate privilege escalation vulnerability."

Patches: Adobe, Oracle, Microsoft

The fix for the IE11 use-after-free flaw is just one of a slew of updates that have been released this week: Adobe patched Flash, Acrobat/Reader and Shockwave Player; Oracle patched multiple products and more than 100 vulnerabilities, including a zero-day flaw in Java 8, plus bugs in Oracle Database, Solaris and MySQL; and Microsoft released 14 security bulletins, fixing a number of high-profile products.

One Microsoft update contains fixes for 28 flaws in Internet Explorer 19, which attackers could use to remotely exploit code on a vulnerable system and "take over the targeted machine simply by browsing to an malicious, or infected site," says Wolfgang Kandek, CTO of security firm Qualys, in a blog post.

Other "critical" July Microsoft updates offer patches for eight remote code execution vulnerabilities in Microsoft Office, one of which is currently being targeted by active attacks. Another now-fixed flaw in the Adobe Type Manager - CVE-2015-2387 - is likewise being actively exploited by in-the-wild attacks. The final critical fixes concern MS-SQL server, the remote access protocol RDP - for 32-bit Windows 7 or 8 - as well as Microsoft's virtualization technology Hyper-V. "Those running shared hosting on Microsoft Hyper-V should pay close attention to the deployment of this patch, as they will be the biggest targets until their systems are up to date," says Tyler Reguly, manager of security research and development for security firm Tripwire.

This month's security updates are the final updates or fixes that Microsoft will release for Windows Server 2003. Accordingly, numerous security experts are warning that no organization should still be using that software unless they have now purchased extended-support agreements from Microsoft (see Windows Server 2003: Mitigating Risks).

Going forward, any organization that uses an unsupported version of Windows Server 2003 will be at risk from attackers reverse-engineering patches for supported versions of Windows, which could then be used as zero-day exploits against Windows Server 2003. For example, nine of the 14 security bulletins issued in July by Microsoft affected Windows Server 2003, Qualys's Kandek says. "That is a clear indication that attackers will continue to find issues in Windows Server 2003 at roughly that rate," he says. "There are only two things to do to avoid that threat: migrate away from Server 2003 or pay Microsoft for the necessary patches through a special support contract."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network