Security Week 21: a hole in Whatsapp, a new vulnerability in Intel processors, Zero-Day in Windows

Security Week 21: a hole in Whatsapp, a new vulnerability in Intel processors, Zero-Day in Windows


Last week, three interesting information security events took place: the exploited vulnerability in Whatsapp was closed, for critical vulnerabilities in Windows, patches were released even for unsupported OS versions, and Intel found another Specter-like problem. Let's start with a vulnerability in the Remote Desktop Services component ( news , post in the Microsoft blog). Technical details of the vulnerability are not disclosed, but it is known that the bug allows you to gain control over the system using the RDP protocol without authorization.


Vulnerabilities are affected by Windows 7 and Windows 2008 Server, as well as unsupported Windows XP and Windows 2003 Server. The article by Brian Krebs specifies the similarity of the vulnerability with the bug EternalBlue in the SMB protocol, which in 2017 led to a large-scale Trojan epidemic coder WannaCry. In this case, the attacker can gain access to any unpatched system accessible via the RDP protocol and, through it, extend the attack to other computers on the local network. Despite the prompt release of the patch, we will most likely hear about the consequences of exploiting this bug.

To reduce the likelihood of a large-scale attack, Microsoft released patches for Windows XP and 2003 Server, which are not officially supported by the company. On May 14, Microsoft closed several other vulnerabilities, including a critical bug CVE-2019 -0863 on Windows Error Reporting. Unlike the problem in RDP, this vulnerability affects modern versions of the OS up to Windows 10 and can be used to escalate privileges. This vulnerability is actively exploited by hackers.

The most discussed incident of last week was a message about a serious vulnerability in Whatsapp messenger ( news ). The CVE-2019-3568 vulnerability has been closed by the Whatsapp update for Android and iOS May 13 . Interestingly, in the announcement of the new version for Android, the main change does not indicate a patch at all, but “display stickers on full screen”:


In the discussion, it was noted that ordinary users would rather update the client because of the stickers, but few people think about security yet. Check Point Software analyzed patch and discovered a couple of new checks The size of the SRTCP protocol packets used for Internet telephony. Apparently, the absence of these checks caused a buffer overflow.But what happened next - no one knows, we can only assume getting control over the application and exfiltration of data. But there was a lot of talk about the source of the exploit.


According to the Financial Times, active exploitation of the exploit was noticed at the same time on Facebook (the current owner of the messenger) and in the human rights organization Citizen Lab. At last, a British lawyer contacted who received several video calls from unknown numbers on an Apple phone with an installed messenger. To exploit the vulnerability, you need to send a specially prepared data packet to the addressee that the WhatsApp client perceives as a video call. Answer the call is not required. According to the Financial Times, the vulnerability was found by the NSO Group, which specializes in selling exploits to government agencies and special services. Identify the developer failed by metadata.

An interesting development of the history was the post of Telegram founder Pavlo Durov ( the original , translation in Habré) entitled "Why WhatsApp will never be safe." How safe Telegram itself is also a subject for discussion, both technical and emotional. But this is not the case: Durov's post is an example of how security becomes an advertising tool. An advantage (real or imaginary) that a significant part of the target audience considers important. This is good news: if the market players somehow have to advertise their services as protected from hacking, sooner or later you will have to really do something in this direction .

We’ll finish the news with four new attacks from third-party channels ( news ). Corresponding vulnerabilities were found in Intel processors, they were discovered during internal checks at the company itself (for a detailed article, please visit Intel ), as well as researchers from the Technical University of Graz in Austria (mini-website with a" talking "URL cpu .fail ).


Independent researchers identified four attack vectors, and each set a realistic scenario for obtaining any data of interest to the attacker. In the case of an attack, Zombieload is the browsing history of the browser. The RIDL attack allows you to pull out secrets from applications or virtual machines running on the system. The Fallout attack can only strengthen other attacks, obtaining information about the reading of data previously recorded in the memory by the operating system. Finally, the Store-to-leak Forwarding method can theoretically be used to bypass the ASLR.

Intel is trying not to adopt creative (and slightly frightening) names of attacks and call them a complex micro-architectural data sampling.The MDS technique allows the local process to read inaccessible data from memory using the same method of attacks on third-party channels as the previously discovered Specter family. Intel promises to close vulnerabilities in the following revisions of processors, and 8th and 9th generation CPUs are not partially affected by this attack. For the rest of the processors, a microcode update will be released, and for additional security from (yet theoretical) threats, as usual, you will have to pay performance drop .


According to Intel, this is a few percent, but the very fact of determining the price of security, which we all will have to pay, is interesting here.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with a healthy skepticism.

Source text: Security Week 21: a hole in Whatsapp, a new vulnerability in Intel processors, Zero-Day in Windows