Information security is a subject in cyber-world which we can’t think away anymore. Data breaches can cost millions when sensitive information is leaked on the Internet. Zero-day exploits pop up for sale every day in deep web forums in return for Bitcoins. However, few exploits are disclosed in public domain once the vulnerability is patched by the vendor. This past year, we had over 6400 common vulnerabilities and exposures which were issued a CVE ID. There were few major bug fixes by the vendors serving backbone of the Internet.
Here is the list of top 10 security vulnerabilities which came to light this year.
1. Dirty Cow (CVE-2016-5195)
Discovered by Phil Oester, Dirty Cow, is a kernel vulnerability that allows any unprivileged existing user to escalate its privilege to root. Root is the highest privilege on any UNIX or LINUX system, which has access to all the files. This vulnerability is known as privilege escalation. COW (Change on Write) is a technique used by Linux to reduce duplication of memory objects. By utilizing Race condition, the under-privileged user can modify read-only objects, which in the ideal case should not happen. If you are a system administrator, you may want to update the kernel of your Linux server. This is by far, the top vulnerability discovered & disclosed in 2016.
2. PHPMailer RCE (CVE-2016-10033, CVE-2016-10045)
PHPMailer, one of the most widely used email sending libraries in PHP was vulnerable to Remote Code Execution. Any attacker can execute shell commands on the web server using this vulnerability. It happens because the E-Mail address header field “From: ” could be set by a user input but there is an absence of “sender” property. So, if a shell command is set by the user in “From: ” header then it will result into RCE. If you are using PHPMailer in your production web servers, then it’s time to upgrade it as soon as possible. This vulnerability was found by Dawid Golunski.
3. ImageTragick (CVE-2016-3714)
Discovered by Nikolay Ermishki, ImageTragick is considered to be one of the most impactive bugs of 2016. Insufficient filtering for filename passed to delegate’s command allows remote code execution during conversion of several file formats. This vulnerability was heavily exploited & many organizations were found vulnerable to ImageTragick vulnerability as shown in Hackerone’s public disclosure.
4. DROWN (CVE-2016-0800)
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) exploits a flaw in SSLv2 that lets an attacker decrypt communications that use TLS or SSL. It was categorized as a cross-protocol attack. If SSLv2 was enabled on the victim’s server, then it was vulnerable DROWN. 17% of all servers on the Internet were exposed to potential data theft. An advisory was published by OpenSSL.
5. Remote Code Execution in Apple OS X and iOS (CVE-2016-463)
Images, as we all know are harmless. However, have you ever thought that you could get pawned by viewing maliciously crafted images? This was the case with CVE-2016-4631 which was discovered by security researcher Tyler Bohan from Talos Security. This vulnerability poses a significant threat to Apple users. When rendered by applications that use the Image I/O API, a specially crafted TIFF Image can be used to create heap-based buffer overflow which can ultimately result in remote code execution.
6. Persistent code execution on Chrome OS (CVE-2016-5180)
Google released security fixes for Chrome OS in their Version 53.0.2785.143 m update of Google Chrome. Google paid $100,000 to an anonymous security researcher for finding and responsibly disclosing the bug. Google, in its advisory mentions, that “It is a chain of exploits that gains code execution in guest mode across reboots, delivered via a web page. We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future.”
Ethical Hacking Training – Resources (InfoSec)
Founded by James Forshaw, this vulnerability could allow elevation of privilege if the Windows Secondary Logon Service fails to manage request handles in memory properly. In simple words, it is a bug that allows anyone to leak a handle opened in a privileged process into a lower privileged process. Windows 7 to Windows 10 as well as Windows Server 2008-2012 were found vulnerable.
8. Firefox SVG Animation Remote Code Execution (CVE-2016-9079)
Firefox published a security bulletin which described the vulnerability “A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.” That leaked true IP of your machine, even if you use Tor browser. It is believed that intelligence agencies, as well as black hats, may have used this vulnerability to snoop over people.
9. Adobe Flash remote code execution (CVE-2016-7892)
Adobe Flash has a long history of nasty security vulnerabilities. This month, Adobe patched 31 vulnerabilities. The most important one was the patch for an use-after-free vulnerability. It was spotted in the wild that, this exploit were used to target Internet Explorer users. Users were prompt to update any affected versions.
10. Symantec/Norton Antivirus ASPack Remote Heap/Pool Memory Corruption Vulnerability (CVE-2016-2208)
A remote code execution vulnerability in Symantec/ Norton Antivirus was found by Google’s project zero team. With the help of remote code execution, attackers can be able to execute malicious code and could take complete control over the system. This vulnerability could be exploited by sending an email or via a web browser to a user using Symantec AV Engine, resulting in kernel memory corruption. This is as bad as it can get. A patch was released by the vendor within a month.
Apart from these, there are many critical vulnerabilities which were discovered and patched in 2016. It is quite evident that anyone who can exploit using these 10 vulnerabilities can take over the World Wide Web. Security researchers are helping vendors to fix as well as mitigate vulnerabilities by participating in their responsible disclosure programs. Such responsible disclosure programs are known as Bug bounty program in which a white hat researcher reports a flaw to a vendor, and in return, the vendor pays them or acknowledge them as a token of appreciation.
The need of bug bounty program is increasing; Instead of selling exploits in an underground forum for huge stacks of money, hackers are motivated to disclose to the organization responsibly. The more we connect to the Internet, higher the risk of getting hacked. It is important to keep track of latest security vulnerabilities, updating your software and systems.