LAS VEGAS–Complexity is the enemy of security, but prompt patching is its strongest ally.
Security professionals have made those points for years, but two presentations at the Black Hat USA conference here provided fresh arguments for them–and signs companies are getting snappier at fixing vulnerabilities.
What that means for you: When your computer, phone or tablet says it has an update available, install it. Don’t wait to benefit from the tighter focus of an Apple, Google or Microsoft on security issues.
Support for that came in one Black Hat briefing covering a “vuln” in Apple’s device-management system that lets organizations configure Macs from afar.
Jesse Endahl, chief security officer at the device-management firm Fleetsmith, and Max Bélanger, staff engineer with the cloud-storage company Dropbox, explained how they exploited the Mac operating system’s failure to double-check the identity of some sites in these remote-setup scenarios.
“This is a really complex system on macOS with a lot of moving parts,” Bélanger said onstage. “What that means is vulnerabilities or bugs can appear at the borders.”
That let them force a new Mac into a scripted configuration process that installed a hostile app without the user’s permission.
It’s not an easy tactic. As Endahl said during the talk, “this can’t be done without a lot of resources.” The attacker would need to get a developer certificate from Apple under false pretenses, then tamper with a Mac’s Internet connection to redirect it to a hostile site.
But as Bélanger explained in a conversation afterwards, countries that censor Internet access and resent press coverage would have the motivation and means to attack foreign journalists this way.
The two presenters saved their good news for last: They reported the bug to Apple on April 28, and on July 9 Apple shipped an update fixing it.
Four other Black Hat presenters shared a similar story Wednesday afternoon. Israeli security researcher Amichai Shulman, KZen Networks co-founder Tal Be’ery, and Israel Institute of Technology students Ron Marcovich and Yuval Ron showed how Windows 10’s Cortana voice-driven digital assistant could be exploited from the lock screen to reveal files and push malware.
Be’ery joked onstage: “Come on, lock screen, you had one job!”
In a second demonstration, they showed how a “skill” for Cortana–as with Amazon’s Alexa, these add-ons let the digital assistant tackle specific tasks–could make the PC’s browser go to a hostile site or open an infected Microsoft Office document.
Both attacks play into what security professionals call the evil maid scenario: You leave the computer in your hotel room, leaving an attacker time to try to get in without your computer password.
But neither attack will work on a patched Windows 10 PC. Microsoft fixed the first vulnerability June 12, just under two months after the researchers reported it April 16. It fixed the second one almost as fast–although because that patch came in Microsoft’s cloud services, no formal announcement came.
In the keynote opening Black Hat, Google engineering director Parisa Tabriz voiced her optimism about the state of security, thanks in part to faster patch cycles.
Tabriz said Google’s Project Zero bug-finding effort, which challenges vendors to fix reported vulnerabilities within 90 days, has yielded measurable improvements: 98 percent of the vulnerabilities Project Zero finds now get fixed within 90 days.
She summed up: “We’re seeing more security patches, faster response times and users getting updates faster.”