BlueBorne Attack Can Compromise Bluetooth-Enabled Devices

Phones, tablets, smart watches, computers, TVs, medical devices, wearables and other internet-of-things devices could be in danger of getting hacked because of vulnerabilities in the Bluetooth implementations of major operating systems. The attack vector has been dubbed BlueBorne.

Researchers from an IoT security firm called Armis have found critical vulnerabilities in the Bluetooth stacks used in Android, Windows, Linux and iOS. On all of those operating systems except Windows, the flaws can lead to remote code execution and complete device compromise. Armis estimates that 5.3 billion devices could be affected by these flaws.

The vulnerability found in the Windows Bluetooth implementation allows attackers to remotely create a rogue network interface on affected systems that redirects all of their network traffic through a Bluetooth connection. This creates a man-in-the-middle situation in which attackers can intercept and snoop on unencrypted traffic coming from compromised computers.

The flaw affects all Windows versions since Vista and was patched by Microsoft in July, although the patch details have been kept secret until today. It’s worth noting that Windows Vista reached end of support in April, so it hasn’t received a fix for this vulnerability.

The remote code execution flaws found in the Bluetooth stacks in Android, iOS and Linux — including Samsung’s Tizen OS for consumer electronics — enable automated and silent attacks that don’t require any user interaction, except for Bluetooth being enabled. There’s also no authentication or device pairing required to exploit the flaw, so it can be used to create worm-like attacks where devices infect each other over their Bluetooth connections.

“This is especially scary for IoT devices,” said Lamar Bailey, director of security research and development at Tripwire, via email. “Many of the vendors will not have patches either because they do not know they are vulnerable, will not know how to patch the issue, or will consider the products out of support and just release new versions.”

That will also be the case for many Android devices, especially since all versions of the mobile OS are affected. Google has provided patches for the flaws, but many device manufacturers won’t release firmware updates for older phone models that are no longer supported.

The Bluetooth implementation in Apple’s iOS and Apple TV also contained a vulnerability that allowed for remote code execution in the context of the high-privileged Bluetooth process. The vulnerability was fixed in iOS 10 and Apple TV version 7.2.2 and above.

With all the keyboards, mice, headsets and other peripherals that use Bluetooth, it will be hard to ask people not to enable Bluetooth on their phones or computers. This could pose a serious danger to companies because any visitors or employees could bring an infected device on their premises that would attack and compromise other systems using BlueBorne.

“In situations where non-employees are within 40 feet of systems, like banks at teller windows, it is best to use wired input devices and not rely on Bluetooth,” Bailey said.

Microsoft and Adobe Release Their Monthly Patches

Microsoft and Adobe Systems released their monthly security updates on Tuesday. Microsoft fixed 81 vulnerabilities in Windows, Internet Explorer, Microsoft Edge, Office, Skype for Business, .NET Framework and Microsoft Exchange Server, and Adobe fixed 8 vulnerabilities in Flash Player, RoboHelp and ColdFusion.

Of the flaws patched by Microsoft, 39 can result in remote code execution (RCE) and 27 are rated critical.

“Top priority for patching should go to CVE-2017-0161, an RCE vulnerability in NetBIOS that impacts both servers and workstations,” Jimmy Graham, director of product management at security firm Qualys, said in a blog post. “For users of Microsoft’s DHCP server, priority should also be given to CVE-2017-8686, especially if using failover mode, due to another potential RCE.”

Administrators should also prioritize the .NET Framework updates because they fix a zero-day remote code execution vulnerability. An exploit for the vulnerability was found by security firm FireEye while investigating a cyber espionage attack.

On the Adobe side, the Flash Player updates fix two memory corruption vulnerabilities rated as critical that can lead to remote code execution. The ColdFusion patches also address two RCE vulnerabilities that result from deserialization of untrusted data and two information disclosure flaws.

ColdFusion, an application server for running interactive web applications that use the CFML scripting language, is popular in the enterprise space and has been targeted by hackers in the past.

The security update for RoboHelp fixes a cross-site scripting vulnerability rated as important and an open redirect issue rated as moderate.

The Windows Subsystem for Linux Can Hide Malware from Security Products

Security researchers from Check Point Software Technologies have developed an automated technique that can make known Windows malware invisible to many endpoint security products on Windows 10. Named Bashware, after the Linux Bash shell, the technique abuses the Windows Subsystem for Linux (WSL), a feature that allows users to run native Linux applications directly in Windows 10 without virtualization.

WSL has been present in Windows 10 as a beta feature since the Anniversary Update and will become fully supported in the upcoming Fall Creators Update. While WSL is not currently turned on by default, Check Point’s Bashware attack can be used to enable it without user interaction and to execute malware in the Linux userspace environment that it creates.

Bashware can be used to run known Windows malware under WSL through Wine, a special program that allows running Windows programs on Linux. This will cause those malicious programs to appear in Windows as special “pico processes” that many antivirus programs don’t yet have the capability to detect.

The fact that many antivirus vendors haven’t added the capability to monitor this new type of process to their products is worrying, especially since Microsoft provides special Windows application programming interfaces (APIs) for this. The possibility of using WSL to hide malware has also been known for over a year, with Windows kernel expert Alex Ionescu having warned about this threat at the Black Hat USA conference in 2016.
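As an added defensive check (not code from Check Point or from this article), the following PowerShell audit looks for the footprints that enabling WSL leaves on a Windows 10 host where the feature is not supposed to be on: the optional feature state, the Developer Mode flag, a per-user Linux distribution configuration, and running WSL launcher processes. The registry paths and the assumption that Developer Mode must be on for WSL to work on the Windows 10 builds of that time are mine, not from the page.

```powershell
# Added example: audit a Windows 10 host for indicators that WSL has been enabled.
# Run from an elevated PowerShell session; Get-WindowsOptionalFeature needs admin rights.
function Get-WslExposure {
    $findings = @()

    # 1. Is the optional feature itself enabled? Bashware turns it on without user interaction.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings += 'WSL optional feature is enabled'
    }

    # 2. Developer Mode flag (assumed location; early Windows 10 builds required it for WSL).
    $devKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $dev = Get-ItemProperty -Path $devKey -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue
    if ($dev -and $dev.AllowDevelopmentWithoutDevLicense -eq 1) {
        $findings += 'Developer Mode is enabled'
    }

    # 3. Per-user distribution configuration written when a Linux distro is installed (assumed path).
    if (Test-Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss') {
        $findings += 'A WSL distribution is configured for the current user'
    }

    # 4. Win32 launcher processes (bash.exe, wsl.exe) or binaries run from an lxss root filesystem.
    #    Pico processes themselves may not expose a Path, so this only catches the launchers.
    $wslProcs = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -and ($_.Path -like '*\lxss\*' -or $_.Path -like '*\wsl.exe' -or $_.Path -like '*\bash.exe')
    }
    foreach ($p in $wslProcs) {
        $findings += "WSL-related process running: $($p.ProcessName) (PID $($p.Id)) from $($p.Path)"
    }

    if ($findings.Count -eq 0) { return 'No WSL indicators found' }
    return $findings
}

Get-WslExposure
```

Any finding on a machine where WSL is not sanctioned is worth a closer look, since the feature state and Developer Mode flag do not change on their own.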

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
