Microsoft Bounties & Edge Security, Strategic Bounty Programs, HTTP Desync Attacks – ASW #208
Microsoft fixes an old bounty from 2019, rewards almost $14M on bounties in the past year, and releases a security layer for Edge; Black Hat talks on bounties and desync attacks, Google's bounties for the Linux kernel, modifying browser behavior, and the Excel championships.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited - The underlying vuln here is an arbitrary code execution by taking advantage of path traversal (woohoo!) and PowerShell within the Microsoft Support Diagnostic Tool (MSDT). When the flaw was initially reported to Microsoft in 2019 they rejected it as not having traits that can be addressed -- it didn't cross a security boundary and it essentially boiled down to, "Convince a user to execute a command within the privileges of their account." Over two years later the flaw is now fixed due to more concern about threat actors abusing it and that perhaps there was a security context that the flaw weakened. Windows tags files downloaded through a browser with a "Mark of the Web", adding a flag that indicates the file should be treated with suspicion and a warning presented to users upon first access. MSDT apparently ignored this tag and didn't warn users about potentially unsafe files being executed. For me, the larger and more important discussion point is around phishing. This attack vector didn't target or trick users into divulging passwords, to which my standard response is invest in FIDO2 and WebAuthn login flows. But it did touch on the scenarios of users downloading and executing arbitrary files, which is where the discussion can turn towards (dramatic pause...) zero trust and how to isolate users' end points from sensitive systems. This post has a good details on the technical background of the vuln, https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html
- 2. Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards - Add this article to the list of companies marketing their budgets for BugOps -- chasing individual vulns through a bounty program. I'll repeat my new reaction to these articles: What was the cost of fixing the vulns? It's useful to know that a vuln might cost $5,000 to identify (even though that's the risk-based award and not a measure of effort). I'm very curious how that translates to fixing the flaw as well. Is it another $5,000 or something orders of magnitude higher or lower? And, finally, given a $13M annual budget, what would you have spent it on instead?
- 3. Financial Modeling and Excel Competitions - This episode already has a major theme of Microsoft and I couldn't resist including a competition based on using Microsoft Excel -- covered on ESPN2 no less. What's the appsec angle? Aside from disabling macros for security? Find out as I pit the ASW co-hosts against Excel-based challenges like calculating a CVSSv3 environmental score, modeling an appsec budget, and creating a port scanner.
- 5. #BHUSA: Bug Bounty Botox – Why You Need a Security Process First - We'll dive more into last week's BlackHat and DEF CON presentations. This quick note about Katie Moussouris' talk about bug bounties ties in well with the other article on Microsoft's $13M spend and the one about Google's increased stakes in Linux kernel security. But those are also two companies with high security budgets and mature programs. What does a strategic approach to bug bounties look like for small companies?
- 6. Google wants to make Linux kernel flaws harder to exploit - This is an example of escalating the stakes in a bug bounty program to test mitigations for a class of attacks. Here, Google is focused on Linux kernel hardening. It's a healthy evolution of using bug bounty programs that avoids the anti-pattern of BugOps -- just finding and fixing bugs as they come in -- and focuses instead on creating better architectures and mitigations that make introducing flaws or exploiting them far more difficult. The Google Security Blog has more details at https://security.googleblog.com/2022/08/making-linux-kernel-exploit-cooking.html
- 8. Cloudflare was the target of a sophisticated phishing attack. Here’s why it didn’t work - Since I mentioned the Microsoft "DogWalk" article about social engineering attacks, I thought this was a nice parallel. The threat scenarios are slightly different, so it's not a perfect comparison (one is about downloading and executing code, this is about protecting login flows). But this is a good reminder that if you're working on supply chain security or CI/CD hardening, one of the most effective improvements you can do is require FIDO2-based tokens for all the workflows related to committing, building, and deploying code, as well as human access to production systems (even though that should be a rare event anyway).
- 9. Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - New research from portswigger presented at this past week's Black Hat and DEF CON. It's a long write-up with great details on the intricacies of HTTP/1 and how implementation choices lead to exploitable flaws. In other words, the HTTP/1 standard has enough ambiguity in it to have surprising side effects and mistaken assumptions in its implementations. Fortunately, the rigor put into designing HTTP/2 seems to have mitigated most of these "desync" style attacks. This research is a good example of scrutinizing familiar protocols for subtle behaviors and identifying a new attack surface for something as ancient as HTTP/1.
- 1. Sloppy Software Patches are a “Disturbing Trend” - Interesting but disappointing situation: "The weaponization of failed patches in various vulnerabilities is absolutely being used in the wild right now"
- 2. GitHub now has dependabot alerts for GitHub actions
- 3. More vulnerabilities found in Intel’s SGX
- 4. AMD’s Zen family affected by SQUIP