WME Security Briefing 21 October 2024

WME Cybersecurity Briefings No. 030

Google’s Transition to Rust Reduces Android Memory Vulnerabilities by Over 50%

Overview

Google has substantially improved the security of Android by adopting the Rust programming language. The company follows a secure-by-design strategy that treats memory-safe languages as a necessity rather than an option. As a result, over the past six years, the share of memory-related vulnerabilities in Android has decreased from 70+% to 20+%. Rust, known for “safety, speed, and concurrency,” has proven a practical remedy for existing memory safety weaknesses.

Impact

The move to Rust has led to a drastic reduction in the number of memory vulnerabilities in Android, plummeting from 200+ in 2019 to fewer than 60 in 2024. Google attributes the drop to its decision to write new features in memory-safe code, an approach that also scales over time: vulnerabilities in older code decline as that code ages out, while the body of new memory-safe code grows faster than the unsafe code it sits beside.

Recommendation

For developers and organizations looking to improve the security of their software, Google’s experience with Rust is a useful model. New projects should be written in memory-safe languages, and, wherever feasible, existing codebases should be migrated as well.

Designing software this way lowers the likelihood of vulnerabilities without sacrificing scalability or long-term security.

Any software process can benefit from secure-by-design practices, as they prevent vulnerabilities before they can be exploited. Rather than patching code after the fact, Google has, in effect, “turned off the tap” of new vulnerabilities.

Mozilla Faces Privacy Backlash Over New Firefox Tracking Feature

Overview

The Vienna-based privacy organization noyb has filed a complaint against Mozilla Firefox with the Austrian Data Protection Authority (DPA). The complaint follows Mozilla’s introduction of a new Privacy-Preserving Attribution (PPA) feature in Firefox version 128. Because the feature is enabled by default without the user’s permission, noyb argues that it violates the EU’s General Data Protection Regulation (GDPR).

For its part, Mozilla describes PPA as a redesigned mechanism for measuring the performance of advertisements, such as whether an ad drives downloads. Its rationale is that advertisers could measure ad performance without the tracking concerns raised by third-party cookies.

Impact

noyb alleges that PPA places Mozilla itself in charge of user tracking within the Firefox browser. Although the feature is positioned as an alternative to fully privacy-invasive cross-site tracking, the complaint argues that it merely shifts control from individual websites to a single controlling entity, Firefox. In this respect, PPA closely resembles Google’s Privacy Sandbox, which was likewise meant to create a cookie-free environment for segmenting user data.

Privacy Sandbox did not rely on cookies at all and was presented as a more privacy-oriented replacement for third-party cookies. Critics, however, pointed out that Google could still track user data regardless of how the Sandbox was implemented. The PPA controversy follows the same pattern.

Mozilla enabled PPA by default, without requiring the user’s agreement or even awareness for it to be turned on. noyb considers this decision unlawful under the GDPR, arguing that users should have control over such processing. Mozilla’s position, on the other hand, is that users cannot be expected to make a careful and informed decision about the feature.

Recommendation

WME would advise users and admins to be cautious with the settings in Firefox version 128.

  • Check the PPA status: unless you have explicitly opted in, make sure the feature is disabled in the browser settings.
  • Review browser settings periodically: make it a habit to check both the default and the less visible settings so that no feature is running without your knowledge.
  • Pay attention to updates: follow announcements from Mozilla and from privacy-oriented organizations such as noyb, since any new feature or change may affect privacy.
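As an added check for the first recommendation (this is not code from the original briefing or from Mozilla): Firefox keeps a profile’s non-default settings in prefs.js, and in version 128 the PPA setting is governed by the about:config pref dom.private-attribution.submission.enabled, which defaults to on. The script below parses that file and reports whether PPA is explicitly disabled, explicitly enabled, or silently enabled by default; the sample prefs and the profile path in the comment are assumptions.

```python
import re
from pathlib import Path
from typing import Iterable

# Firefox 128 introduced Privacy-Preserving Attribution behind this pref. It defaults
# to true, so a profile that never touched the setting has PPA enabled even though
# prefs.js says nothing about it.
PPA_PREF = "dom.private-attribution.submission.enabled"

# prefs.js stores only prefs that differ from the built-in default, one per line:
#   user_pref("dom.private-attribution.submission.enabled", false);
_PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(lines: Iterable[str]) -> dict[str, str]:
    """Return {pref_name: raw_value} for every user_pref() line in prefs.js."""
    prefs = {}
    for line in lines:
        m = _PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def ppa_status(lines: Iterable[str]) -> str:
    """Classify PPA in one profile as 'disabled', 'enabled' or 'default-enabled'."""
    value = parse_prefs(lines).get(PPA_PREF)
    if value is None:
        return "default-enabled"  # absent from prefs.js: the Firefox 128 default applies
    return "disabled" if value == "false" else "enabled"


def audit_profiles(profiles_root: Path) -> dict[str, str]:
    """Report PPA status for every profile directory under profiles_root with a prefs.js."""
    report = {}
    for prefs_file in profiles_root.glob("*/prefs.js"):
        with prefs_file.open(encoding="utf-8", errors="replace") as fh:
            report[prefs_file.parent.name] = ppa_status(fh)
    return report


# Constructed prefs.js contents for two hypothetical profiles (not real captures).
OPTED_OUT_PREFS = [
    'user_pref("browser.startup.homepage", "about:blank");',
    'user_pref("dom.private-attribution.submission.enabled", false);',
]
UNTOUCHED_PREFS = ['user_pref("browser.startup.homepage", "about:blank");']

if __name__ == "__main__":
    print("opted-out profile:", ppa_status(OPTED_OUT_PREFS))  # disabled
    print("untouched profile:", ppa_status(UNTOUCHED_PREFS))  # default-enabled
    # Real use on macOS (assumed path): audit_profiles(Path.home() / "Library/Application Support/Firefox/Profiles")
```

A profile reported as default-enabled is the case noyb’s complaint is about: PPA active with nothing in the user’s settings to show for it.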

Discovery of New Rust-Based Splinter Post-Exploitation Tool

Overview

Cybersecurity researchers recently identified a new Rust-based post-exploitation tool called Splinter, which was found on multiple systems during investigations. Although it is currently less sophisticated than its well-known counterpart, Cobalt Strike, it can pose a significant danger if misused.

Post-exploitation tools of this kind are primarily used by red teams to identify weaknesses in client systems, but they can be just as effective in the hands of malicious actors.

Impact

Although Splinter has not been observed in any known threat actor activity, its mere presence is concerning given its capabilities and configuration. The tool ships with a command-and-control (C2) setup that gives the operator remote control of the compromised host over simple HTTPS requests.

The C2 also provides a set of general-purpose functions, including executing Windows commands, uploading and downloading files on the compromised machine, dumping account information from various web service accounts on that machine, and removing itself from the infected host.

Splinter’s most distinctive trait is its size, approximately 7 MB, a consequence of the 60+ Rust crates currently included in the code base. This bulk can make Splinter a considerable blind spot for many security products. In addition, the tasks a Splinter instance requests from the C2 follow a proper task-based model, as in any other post-exploitation framework.

Recommendation

Organizations can limit Splinter’s impact by strengthening their detection and response capabilities. The most practical steps to reduce the risk of exploitation are:

  • Implement network monitoring: robust traffic monitoring gives your organization visibility into what is happening on its network, which is what makes post-exploitation tools of this kind and their C2 traffic visible.
  • Update security protocols: malware continually evolves its deployment strategies, so endpoint security solutions must be kept current and sensitive to novel tools, rootkits, and similar threats.
  • Patch management: like any post-exploitation tool, Splinter exploits the weaknesses of outdated software versions, so regular patching is required.

ChatGPT macOS Security Flaw Exploited to Inject Persistent Spyware

Overview

A recently disclosed vulnerability in the macOS ChatGPT app allowed persistent spyware to be planted in the tool’s memory. Dubbed “SpAIware,” the attack abused ChatGPT’s memory function, which has been available since February 2024 and was later extended to all tiers: Free, Plus, Team, and Enterprise.

Impact

The vulnerability allows continuous exfiltration of user data, including everything the user types into ChatGPT and the responses it returns, across both past and future chat sessions.

The exploit takes advantage of the memory function’s design, which saves certain kinds of information across chats. Even if a user deletes a specific conversation, data that has been saved to memory typically remains there and is not treated as deleted.

The technique plants malicious instructions in ChatGPT’s memory through indirect prompt injection, that is, through content such as a website or document that the user has ChatGPT process. Once stored, those instructions persist and can send data to an attacker’s server indefinitely, allowing the attacker to influence every subsequent conversation.

Recommendation

To mitigate the threat, upgrade to ChatGPT version 1.2024.247, which addresses this vulnerability by closing the exfiltration vector and presumably updating the memory storage UI.

An important lesson is to review ChatGPT’s stored memories and ensure no unauthorized or suspicious entries are retained. It is also necessary to be careful about which websites and documents, familiar or unfamiliar, you allow ChatGPT to process, since that content is the route by which malicious commands reach ChatGPT’s memory.

Critical Ivanti vTM Vulnerability Actively Exploited: CISA Issues Alert

Overview

In September 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a significant security vulnerability in Ivanti Virtual Traffic Manager (vTM).

Tracked as CVE-2024-7593, the flaw carries a CVSS severity rating of 9.8. It allows remote, unauthenticated attackers to bypass authentication on the admin panel and create unauthorized administrative accounts.

Impact

Successful exploitation can have severe consequences, giving attackers unauthorized access to and control over vulnerable systems. Although CISA did not share specific details of the active exploitation, Ivanti has stated that a proof-of-concept could enable threat actors to target exposed instances.

This flaw is only one of several affecting the vendor’s devices; earlier vulnerabilities such as CVE-2024-8190 and CVE-2024-8963 have been frequently used by malicious actors. CISA’s alert orders Federal Civilian Executive Branch agencies to mitigate the flaw by October 15, 2024. According to reports, 2000+ exposed Ivanti Cloud Service Appliance instances are currently reachable online, the majority of them located in the U.S. However, it remains unclear how many of these are susceptible to the CVE-2024-7593 exploit.

Recommendation

CISA strongly encourages system administrators to upgrade their Ivanti vTM software to the latest patched versions, including the 2024-08 releases: 22.2R1, 22.3R3, 22.5R2, 22.6R2, and 22.7R2. Federal agencies and other users should immediately verify that their systems are not running exposed versions and that Ivanti’s patches have been applied.
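To support that verification step, here is an added example (not code from the briefing, CISA or Ivanti) that checks the vTM version strings in an asset inventory against the fixed releases listed above. It assumes Ivanti’s major.minorRn version format, treats any branch the guidance does not name as needing an upgrade, and uses constructed hostnames and versions.

```python
import re
from typing import Optional

# Fixed vTM releases named in the guidance above (the 2024-08 patch set).
# Key: "major.minor" branch; value: first R-release on that branch that carries the fix.
FIXED_RELEASES = {
    "22.2": 1,  # 22.2R1
    "22.3": 3,  # 22.3R3
    "22.5": 2,  # 22.5R2
    "22.6": 2,  # 22.6R2
    "22.7": 2,  # 22.7R2
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)$")


def parse_version(version: str) -> Optional[tuple[str, int]]:
    """Split an Ivanti-style version such as '22.3R2' into ('22.3', 2); None if malformed."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, release = m.groups()
    return f"{major}.{minor}", int(release)


def is_patched(version: str) -> bool:
    """True only if the version sits on a branch with a named fix, at or past that release.

    Branches the guidance does not list (22.4, anything before 22.2) and unparseable
    strings are reported as unpatched: flagging a host for upgrade is the safe error.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    branch, release = parsed
    fixed = FIXED_RELEASES.get(branch)
    return fixed is not None and release >= fixed


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames (sorted) still running a vTM version that needs an upgrade."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "vtm-dmz-01": "22.3R2",   # pre-fix release on a patched branch
    "vtm-dmz-02": "22.3R3",   # exactly the fixed release
    "vtm-lab-01": "22.7R2",   # fixed
    "vtm-old-01": "22.1R2",   # branch with no named fix
    "vtm-edge-01": "22.5R3",  # later than the named fix on its branch
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, upgrade required")
```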


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
