Threatpost editors Lindsey O’Donnell and Tom Spring discuss the biggest news of the week ended Feb. 22, including a report about flaws in password managers, and a 19-year-old flaw found in WinRAR.
The Threatpost team also discussed an upcoming webinar on Feb. 27 at 2 p.m. ET. Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout will join Threatpost senior editor Tara Seals to discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon.
Transcript below:
Lindsey O’Donnell: Welcome to the Threatpost news wrap for the week ended February 22, and you’ve got the Threatpost team here: myself, Lindsey O’Donnell, and editor-in-chief Tom Spring. Tom, how’s it going?
Tom Spring: Pretty good, Lindsey, I just heard a little ding.
LO: Yes, the emails for RSA keep coming – can’t really get rid of that.
TS: Is that another RSA email in your inbox?
LO: Well, with RSA coming in two weeks, we’re really ramping up discussion with vendors and getting a lot of pitches for that.
TS: For sure. I’m actually really psyched about RSA and there’s some really awesome sessions and I’m really looking forward to meeting some of the contacts and some of my peers and it’s going to be a really fun show. But I agree the noise factor coming out of the RSA conference in March is just enormous. I have to put my computer on mute because I just get too many pings for requests to me, new research, everything. If the noise factor is any indication of what’s going to be going on at RSA, it should be pretty good, right?
LO: Yeah, I’m excited. I mean, it’s only a couple of days, but so much happens in those days, security wise, and there’s just such an opportunity to meet with researchers and really learn about new reports and what to look out for. So there’s definitely a lot to look forward to there.
But looking to the present, despite starting off with having President’s Day on Monday, we really had a pretty insane week, news-wise – Tom, what are you seeing from your end of the spectrum?
TS: Well, it’s kind of like you can’t cover it all and you sort of have to pick and choose.
We had some really good strong stories this week. I was a little overwhelmed by the cavalcade of news that came pouring in over the past couple days, from keyloggers, Drupal core, critical remote-execution bugs – to new research on Microsoft Edge that shows it lets Facebook run Flash code behind users’ backs to reverse location search warrants. I mean, we really ran the gamut in terms of the news, which was just a waterfall of information that we sorted through. But you did a pretty good job. I mean, you covered a couple stories in between making RSA conference appointments with that 19-year-old bug that WinRAR plugged.
I love WinRAR, WinRAR is my go-to media player and I was really alarmed that there was a bug that lasted so long. Tell me a little bit more about the bug.
LO: Yeah, I feel like the main point and the main takeaway there was that it was 19 years old. I was thinking back to what existed 19 years ago and you know I was basically a kid at that point. So for background, WinRAR, which as you mentioned is this popular Windows data compression tool, had and patched a serious code-execution flaw. The platform itself is amazingly popular. I think they said it had 500 million users. So the issue stemmed from a third-party dynamic link library within WinRAR, and because that dynamic link library hadn’t been updated since [2005], that allowed the researchers with Check Point who discovered this flaw to essentially extract malicious files in the tool.
So what could happen is a hacker could use spear-phishing or some sort of similar tactic to send an unknowing victim a disguised malicious file, and when the victim opens that file in WinRAR, that file would automatically extract in their startup folder and then malware could quickly be planted on their system. So that was patched, and I mean it’s a fairly easy-to-carry-out path-traversal flaw. And not only was it patched, but then when I reached out to WinRAR, they said that in terms of that third-party library I was talking about, because it hadn’t been updated for so long, and they didn’t have access to its source code even, they decided to drop that format support in order just to completely protect its user database.
TS: Yeah, the code-reuse in these repositories is notorious for creating these kind of vulnerabilities where a component is used by a developer and it hasn’t been updated, and the developer doesn’t do due diligence, and all of a sudden the component becomes an exploit or a vulnerability is found in the component, and the component is never updated. And then the repository file never gets updated and the code goes out the door. Veracode does a lot of really interesting work, they have a lot of interesting studies on code-reuse and it’s pretty alarming how many software programs really have these types of problems where they’re relying on third-party libraries to basically do basic functions in their software where you have these glitches. But there’s not much of a pass you can give WinRAR for a 19-year-old bug like that, I mean that’s a different story.
LO: Right and especially given the fact that the specific library hadn’t been updated since 2005 or 2006 or whatever it was, but it is kind of hard to, as you said, keep track of those types of things as well. And another point is that when I was looking on social media for some of the reaction to this and talking to different researchers, looking at a different side of the story is that as far as we can tell there hasn’t been any sort of exploit of this vulnerability. So while it has existed for 19 years, it hasn’t been found by the bad guys for 19 years – so at least there’s that.
TS: Well I’ve gotta say, I’ve always wondered whether or not these exploits have actually really been discovered. I mean if you’re a criminal and you find an exploit or you find a vulnerability and it’s working for you, you’re not going to jump up and down and say, ‘hey look what I found.’ You’re going to quietly exploit it until your moneymaker, so to speak, dries up. So good for WinRAR, I gotta tell you it warms my heart to hear that they’re fixing their software and next time I launch the media player and it asks me to update I definitely will.
LO: Yes, but I feel like that wasn’t the only big news we had. In fact, you wrote a very big story about a research report that was written about different password managers and a flaw found in those managers, and that really kind of piqued the interest of the security world. Can you talk a little bit about that and what their reaction to that story has been so far this week?
TS: Well, you know, I think it was a big story for us. I don’t know how much it resonated throughout the internet or throughout the infosec community. I think it was a memory management issue with these password managers: 1Password, Dashlane, KeePass and LastPass. These four password managers represent a huge, huge user base.
These researchers, independent security evaluators took a close look at them and they found that when the actual password managers were in use, that the way that it’s saved, the master password or individual credentials, was in an insecure memory within Windows 10 PCs. Now, this doesn’t impact any of the mobile applications. But it does impact the Windows PC ecosystem in a sense that the master keys could be plucked from memory in clear text.
Now, there are lots of caveats to that; the application needs to be in use. And also it would have to be from a local attacker, meaning the person would have to have access to your PC to exploit and to grab the passwords from memory. The other option would be if a remote attacker was able to have access to your system, which obviously presents a whole new host of problems that you have to contend with – never mind them being able to pluck a password out of insecure memory.
But the story gets a little more interesting in a sense that these password manager companies said, ‘yeah, you know, we understand what the issue is here and there are trade offs and it’s an acceptable risk.’ Now I’m oversimplifying what they stated, but I really feel like they pushed back on the research and they said that the storage of the password in the memory was something that they were aware of and that they did not see it as a huge risk given the prerequisite for being able to [exploit this].
And they more or less each came out with these statements saying, “the research is interesting, we understand the problem and here’s why you shouldn’t worry about the problem too much.” And I think one of them actually did update their tool to make sure that they had some process memory protection built in. I think it was LastPass.
And then the researchers came back and said, “hey listen, you know you guys are not the only password managers on the block, and other password managers do protect the memory and it’s not an impossibility and you know … it’s not an acceptable risk.”
But importantly, they also said that these password managers are awesome. And you should keep on using them. They have their flaws. And if the trade-off is you don’t use a password manager, then shame on you. Because these do serve a purpose. And they’re better than nothing, essentially. And, you know, given the incredible amount of password reuse and the incredible amount of breaches and I think it does make sense to keep on using a password manager to make sure that you use the best password-management practices possible.
LO: Yeah, I mean, I think that this story is almost reminiscent if you remember that two-factor authentication report that we wrote about earlier this year. It’s almost reminiscent of that because there’s a lot of opinions about password managers and whether they’re kind of worth this specific security risk or whether it’s worth even discussing the risks if it causes people to stop using such an effective security tool. But you know for ISE, the research firm that had written the report, at least they had, it was almost like a disclaimer that said that it’s better to have password managers than to not have password managers. So at least, you know, they took note of that. And at the same time were advocating for the password-manager firms in question to tighten up their application memory management. It’s definitely kind of a tricky balancing act there because you do want to promote the security tools but then you also, when there is a security issue with the security tool, that raises a whole different question.
But what did the researcher say? Did you talk to the researcher in response to what the password managers had said? Did he have anything else to add to that?
TS: Yeah, Adrian Bednarek, he was the lead researcher on this, he reached out to me, we connected via Twitter private message, and he was very vocal, and again I think I said it before, he said, “hey listen, you can use data sanitization in the context of memory and make sure that clear text passwords are not available for hackers.” And again he stressed the fact that these are great password managers, they are better than nothing and that you should still keep on using them, but he did stress the point that you can effectively fix this problem and the companies that said that it was an acceptable risk or it was a known vulnerability that they were not going to address is not acceptable. So he’s sort of, you know, responded to the criticisms that these guys said, doubling down on his assertion in this initial research saying, you could be doing better.
LO: Well, I’d be curious to see if 1Password and Dashlane and KeePass change their view at some point, their viewpoint of memory-management issues, looking at if this is an acceptable risk or if they, like LastPass, also decide to do some sort of patch. So it should be something to keep an eye on.
TS: Yeah, for sure. For sure.
LO: You know, those were kind of the big stories that we saw this week. I know looking forward to next week, we actually have (for those listeners of this podcast who don’t know) a big webinar coming up on Wednesday. And I’m actually going to attach a link to this podcast article where you can learn more and register. But it should be a really great discussion about enterprise mobile security and the top mobile threats that we’ll face in the future.
We’re talking with a panel of experts from Google, Gartner, Lookout – with our own editor, Tara Seals. So we’re excited about that. We’ve been preparing for that. And there’s actually been a whole lot of mobile-related news over the past month so I think it should be perfect timing to kind of discuss some of the bigger themes and implications of these risks and threats.
TS: Yeah, no, it should be a pretty interesting webinar and I’m interested to see what comes out of it especially with such great speakers.
LO: Well, I think I better get back to my RSA emails and getting back to the daily work.
TS: It’s been an interesting week and we’ll rest up and do it all over again on Monday.
LO: Sounds good, everyone tune in for the Threatpost news wrap next Friday and thanks for listening today.