Breaking

Friday, 8 January 2021

This Week in Security: Android Bluetooth RCE, Windows VMs, and HTTPS Everywhere

Android has released its monthly round of security updates, and there is one patched bug in particular that’s very serious: CVE-2021-0316. Few further details are available, but a bit of sleuthing finds the code change that fixes this bug.

Fix potential OOB write in libbluetooth
Check event id if of register notification command from remote to avoid OOB write.

It’s another Bluetooth issue, quite reminiscent of BleedingTooth on Linux. In fact, in researching this bug, I realized that Google never released their promised deep-dive into BleedingTooth. Why? This would usually mean that not all the fixes have been rolled out, or that a significant number of installations are unpatched. Either way, the details are withheld until the ramifications of releasing them are minimal. This similar Bluetooth bug in Android *might* be why the BleedingTooth details haven’t yet been released. Regardless, there are some serious vulnerabilities patched in this Android update, so make sure to watch for the eventual rollout for your device.
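The fix description says it all: a value sent by the remote device was used as an index without a range check. The following is an added example, not code from AOSP or libbluetooth, showing that pattern in miniature. The packet layout (opcode byte, then event id), the opcode value and the table size of 13 are assumptions made for the example; the guard byte stands in for whatever state really follows such a table in memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed register-notification command layout (assumption for this
 * example, not the real AVRCP/libbluetooth wire format):
 *   byte 0: opcode, byte 1: event id, remaining bytes: parameters. */
#define OP_REGISTER_NOTIFICATION 0x31   /* hypothetical opcode value */
#define NUM_EVENT_IDS 13                /* hypothetical table size */

/* Registration table plus one guard byte placed immediately after it.
 * The guard stands in for whatever real state follows the table. */
typedef struct {
    uint8_t slots[NUM_EVENT_IDS + 1];   /* slots[0..NUM_EVENT_IDS-1]: registrations */
} notif_table_t;                         /* slots[NUM_EVENT_IDS]: guard byte */

#define GUARD(t) ((t)->slots[NUM_EVENT_IDS])

/* Vulnerable pattern: the remote-supplied event id is used as an index
 * without a range check, so the peer chooses where the write lands. */
static int register_notification_unchecked(notif_table_t *t,
                                           const uint8_t *pkt, size_t len)
{
    if (len < 2 || pkt[0] != OP_REGISTER_NOTIFICATION) return -1;
    uint8_t event_id = pkt[1];
    t->slots[event_id] = 1;              /* event_id == NUM_EVENT_IDS hits the guard */
    return 0;
}

/* Hardened pattern: validate the id against the table size before indexing. */
static int register_notification_checked(notif_table_t *t,
                                         const uint8_t *pkt, size_t len)
{
    if (len < 2 || pkt[0] != OP_REGISTER_NOTIFICATION) return -1;
    uint8_t event_id = pkt[1];
    if (event_id >= NUM_EVENT_IDS) return -1;   /* the missing check */
    t->slots[event_id] = 1;
    return 0;
}

/* Constructed commands: one asks for event id 13, one past the 13 valid ids
 * (0..12); the other asks for a valid id. */
static const uint8_t bad_cmd[]  = { OP_REGISTER_NOTIFICATION, NUM_EVENT_IDS, 0x00 };
static const uint8_t good_cmd[] = { OP_REGISTER_NOTIFICATION, 0x01, 0x00 };

/* Guard byte after the unchecked handler processed bad_cmd (1 = clobbered). */
int guard_after_unchecked(void)
{
    notif_table_t t;
    memset(&t, 0, sizeof t);
    register_notification_unchecked(&t, bad_cmd, sizeof bad_cmd);
    return GUARD(&t);
}

/* Guard byte after the checked handler processed bad_cmd (0 = intact). */
int guard_after_checked(void)
{
    notif_table_t t;
    memset(&t, 0, sizeof t);
    register_notification_checked(&t, bad_cmd, sizeof bad_cmd);
    return GUARD(&t);
}

/* Return code of the checked handler for an arbitrary command:
 * -1 for a rejected command, 0 for an accepted one. */
int checked_result(const uint8_t *pkt, size_t len)
{
    notif_table_t t;
    memset(&t, 0, sizeof t);
    return register_notification_checked(&t, pkt, len);
}

int main(void)
{
    printf("guard after unchecked handler: %d\n", guard_after_unchecked());
    printf("guard after checked handler:   %d\n", guard_after_checked());
    printf("checked handler, id 13: %d; id 1: %d\n",
           checked_result(bad_cmd, sizeof bad_cmd),
           checked_result(good_cmd, sizeof good_cmd));
    return 0;
}
```

The example keeps the out-of-bounds index to one past the table so the clobbered byte stays inside the struct and the program runs deterministically; in the real stack the unchecked index can reach well beyond the table, which is what turns a bounds bug into a remote code execution candidate. Note that the check is placed on the value as received, before any use, which is the habit worth taking away.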

HTTPS Everywhere

Google and Firefox are continuing their push toward a web based on HTTPS. Some of the changes, particularly by Google, have been viewed with some skepticism. However, this upcoming Chromium change looks like a welcome one. Put simply, when a user types in a URL without specifying HTTP or HTTPS, Chrome will try to load the website over HTTPS first. This change has been spotted in the Chromium source, and isn’t deployed by default anywhere — yet. The eventual implementation will probably feature a parallel lookup of websites over HTTP and HTTPS, in order to avoid a large slowdown for HTTP-only sites. If you live on the Firefox side of the fence, you’re still covered, as Firefox has an optional HTTPS-everywhere mode as well.

Zyxel and the Hard-coded Credentials

[Niels Teusink] from EYE was doing some research on his Zyxel router, and came across an undocumented user account, zyfwp. Just looking at the username, I would guess it enables Zyxel firmware updates of some sort — and yes, the account is there to enable automatic firmware updates. It wasn’t supposed to be enabled for SSH login, though. Yes, a handful of Zyxel models had an unintentional backdoor. [Niels] believes he discovered the problem just weeks after the vulnerable firmware was released, so the impact of this one is minimal. Go check the list of products and firmware to see if your device was affected. One last note: while this sort of vulnerability is always facepalm-worthy, Zyxel absolutely owned up to the goof, responded quickly, and has absolutely done the right thing in fixing this.

Legal and Easy Windows VMs

There’s often a need for disposable Windows installs. Whether you’re looking at a file that is probably a virus, or want to check something out on a clean install, there’s a certain safety in knowing that if something goes wrong, you can just trash the VM and start over. Yes, it’s possible to manage all this manually, but when I came across [Rolando Anton]’s guide to automating the process, I had to make a mental bookmark and share it with you guys.

He first gives us the details on how to manually turn a fresh Windows install into a VM image, which is a useful how-to in its own right. What comes next is impressive. If I understand what I’m seeing, he’s using Packer to run the whole process as a one-liner. He’s careful to point out that these images are legal for testing, research, and evaluation — not for production environments, as per Microsoft’s licensing.

Using Google to Defeat Google reCAPTCHA

And in a fun turn, it was pointed out to me this week that you can use Google’s speech-to-text service to defeat Google’s reCAPTCHA service. reCAPTCHA is widely considered one of the best CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) services. One of the laudable things Google has done is include alternative ways to solve a CAPTCHA. A blind person, for instance, would be unable to complete a visual CAPTCHA test. One of the alternatives is to listen to a brief audio file and transcribe what is being said. It just so happens that Google also has a really robust speech-to-text API. With a success rate of something like 91%, you can automatically pass reCAPTCHA using Google’s own service. Man bites dog.
