WME Security Briefing 21 October 2024
Windows Management Experts, Inc. (WME)
Helping the B2B mid-market and enterprise technology sector scale with Microsoft Project, IT staffing & Managed Services
Google’s Transition to Rust Reduces Android Memory Vulnerabilities by Over 50%
Overview
Google has made significant progress in improving the safety of Android by adopting the Rust programming language. The company follows a secure-by-design strategy that treats memory-safe programming languages as a necessity for the system. As a result, over the past six years, the share of memory-related vulnerabilities in Android has decreased from 70+% to 20+%. Rust, known for “safety, speed, and concurrency,” has proven a practical answer to the existing memory safety weaknesses.
Impact
The move to Rust has led to a drastic reduction in the number of memory vulnerabilities in Android, plummeting from 200+ in 2019 to fewer than 60 in 2024. The reason behind this reduction is Google’s decision to focus on safe coding practices for new features, an approach that also scales effectively over time. The decrease in vulnerabilities is due to older code becoming obsolete while new memory-safe code grows faster than unsafe code.
Recommendation
For developers and organizations trying to enhance the security of their software, Google’s experience of transitioning to Rust can be a guiding light. Memory-safe languages should be adopted for new projects. Moreover, whenever possible, existing codebases should also be rewritten.
This way, software designs can reduce the chances of vulnerability without giving up scalability or the ability to guarantee future security.
That said, any software process can benefit from secure-by-design practices, as they help discover vulnerabilities before they can be exploited. Instead of providing patches to the code, Google has, in effect, “turned off the tap” of new vulnerabilities this time.
Mozilla Faces Privacy Backlash Over New Firefox Tracking Feature
Overview
Vienna-based privacy organization noyb filed a complaint against Mozilla Firefox with the Austrian Data Protection Authority (DPA). The complaint was lodged following Mozilla’s introduction of a new Privacy-Preserving Attribution (PPA) feature in Firefox version 128. The feature is active by default without a user’s permission, so noyb argues that this violates the European Union’s General Data Protection Regulation (GDPR).
However, it is essential to note that PPA is designed to measure the performance of advertisements that drive downloads. Mozilla’s rationale for the PPA was that advertisers could measure ad performance without the tracking concerns raised by third-party cookies.
Impact
Noyb alleges that PPA allows Mozilla to oversee user tracking in the Firefox browser. While this feature is supposed to be an alternative to cross-site tracking, which is completely privacy-invasive, it simply moves complete control from the websites to the controlling entity, Firefox. In this way, PPA is very similar to Google’s Privacy Sandbox, which was supposed to create a cookie-free environment for processing user data.
The Sandbox did not rely on cookies at all and was supposed to be a more privacy-oriented alternative to third-party cookies. However, critics pointed out that Google could still track user data regardless of the Sandbox implementation. So, the case of PPA and Mozilla is similar to that Sandbox episode.
Mozilla has enabled PPA by default, without requiring a user’s agreement for it to be turned on. Noyb declares this decision illegal under GDPR, as users should have more control. On the other hand, Mozilla’s position is that users cannot make a careful and informed decision regarding the add-on.
Recommendation
WME would advise users and admins to be cautious with the settings in Firefox version 128.
Check the PPA status: If consent has not been given explicitly, ensure the feature is disabled in the browser settings.
Review the browser settings from time to time: Make it a habit to check both the default and the hidden ones to ensure there are no features you are unaware of.
Pay attention to updates: Follow any news from Mozilla and privacy-oriented organizations such as noyb, as any new feature or change may impact privacy.
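As an added example (not part of the briefing), the following script implements the “check the PPA status” step for an administrator who wants to audit Firefox profiles rather than click through each one. It assumes the preference that backs the PPA toggle is dom.private-attribution.submission.enabled (the Firefox 128 pref name as I know it; the briefing does not name it) and that, as in Firefox 128, a profile with no explicit entry for it has PPA enabled by default; the sample prefs.js contents are constructed.

```python
import re
from pathlib import Path

# Assumed pref name behind the "ad measurement" toggle in Firefox 128.
# prefs.js records only values that differ from the default, so a profile
# with no entry for this pref is running PPA with its default (enabled).
PPA_PREF = "dom.private-attribution.submission.enabled"

# One user_pref(...) line: booleans, integers or double-quoted strings.
PREF_LINE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$'
)


def parse_prefs(prefs_js: str) -> dict:
    """Parse the user_pref(...) lines of a prefs.js / user.js file."""
    prefs = {}
    for line in prefs_js.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def ppa_status(prefs_js: str) -> str:
    """Return 'disabled', 'enabled' or 'enabled (default)' for one profile."""
    prefs = parse_prefs(prefs_js)
    if PPA_PREF not in prefs:
        return "enabled (default)"  # no explicit opt-out was ever recorded
    return "disabled" if prefs[PPA_PREF] is False else "enabled"


def audit_profiles(profiles_root: str) -> dict:
    """Map every <profile>/prefs.js under profiles_root to its PPA status."""
    root = Path(profiles_root)
    return {p.parent.name: ppa_status(p.read_text(encoding="utf-8"))
            for p in root.glob("*/prefs.js")}


# Constructed sample profiles (not real user data).
OPTED_OUT = ('// Mozilla User Preferences\n'
             'user_pref("browser.startup.homepage", "about:blank");\n'
             f'user_pref("{PPA_PREF}", false);\n')
UNTOUCHED = ('// Mozilla User Preferences\n'
             'user_pref("browser.startup.homepage", "about:blank");\n')

if __name__ == "__main__":
    for label, text in (("opted-out", OPTED_OUT), ("untouched", UNTOUCHED)):
        print(f"{label} profile: PPA {ppa_status(text)}")
```

Point audit_profiles at a Firefox profiles directory (for example ~/.mozilla/firefox on Linux) to list every profile that still has PPA on.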
Discovery of New Rust-Based Splinter Post-Exploitation Tool
Overview
Cybersecurity researchers recently spotted a new Rust-based post-exploitation tool called Splinter, which was found on multiple systems during their investigations. Even though the tool is currently less sophisticated than its widely known counterpart, Cobalt Strike, it can pose a serious danger if misused.
Though ethical hackers primarily use red teaming to determine a client system’s weaknesses, such tooling can also be a perfect weapon in the hands of malefactors.
Impact
While Splinter has not been observed in any known threat actor activity, its mere presence is alarming due to its capabilities and configuration. The tool is delivered with a command-and-control (C2) setup that enables remote control of the target using simple HTTPS requests.
Moreover, the C2 supports several auxiliary functions that provide more generic capabilities, including: executing Windows commands; uploading and downloading files from the target machine; collecting account information from various web service accounts on the target machine; and deleting itself from the infected host.
The most distinctive trait of Splinter is its size, approximately 7 MB, due to the 60+ Rust crates currently included in the code base. This can make Splinter a considerable blind spot for many security products. Furthermore, tasks issued by the C2 and requested by the Splinter instance follow a proper task-based model, as in any other post-exploitation framework.
Recommendation
Splinter’s proliferation can be limited if organizations concentrate on upgrading their detection and response capabilities. The most practical steps to avoid potential exploitation are:
ChatGPT macOS Security Flaw Exploited to Inject Persistent Spyware
Overview
A recently found vulnerability in the macOS ChatGPT app allowed long-term spyware to be introduced into the tool’s memory. Known as “SpAIware,” this attack exploited ChatGPT’s memory feature, which has been available since February 2024 and was later extended to all tiers: Free, Plus, Team, and Enterprise.
Impact
The vulnerability can allow for continuous exfiltration of user data. This includes all the information typed into ChatGPT and its responses – from both past and future chat sessions.
The exploit takes advantage of the tool’s behaviour of saving certain types of information across chats. Even if a user deletes a specific conversation, the typed data typically remains in ChatGPT’s memory and is not treated as explicitly deleted.
The technique injects malicious instructions into ChatGPT’s memory through indirect prompt injection, which leads to persistent instructions that could indefinitely send data to an attacker’s server. This method ultimately allows the attacker to manipulate the tool’s behaviour in subsequent conversations.
Recommendation
To lower the threat, upgrading to ChatGPT version 1.2024.247 is important. This version addresses this particular security vulnerability by closing the exfiltration vector and presumably updating the memory storage UI.
One important lesson for preventing ChatGPT from behaving maliciously is to ensure no unauthorized or suspicious data is retained in its memory. In addition, be careful with permissions for both familiar and unfamiliar websites and document references, to prevent malicious instructions from being written into ChatGPT’s memory.