This Week In Security: Patch Monday Mysteries, CentOS 8 And CentOS Stream, Russian Surveillance, And CSRF

So first off this week is something of a mystery. Microsoft released an out-of-cycle patch for Internet Explorer. The exploitability assessment from Microsoft indicates that this bug is under active exploitation, but not many details are available. Let’s take a look at what information has been released, and see what we can learn.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

It’s a remote code execution vulnerability, it affects Internet Explorer, it’s in the scripting engine, and it happens due to objects in memory being mishandled. We could take some guesses, but later in this document we’re given a few other clues. The workaround is to disable jscript.dll, and the impact is limited, as jscript9.dll is the default JavaScript engine. jscript.dll is apparently a legacy JavaScript engine that a website can request.

“Jscript” is what Microsoft called their shameless copy implementation of JavaScript. The older jscript.dll seems to be present in newer versions of Internet Explorer for compatibility reasons. So it’s a problem in how the older JavaScript library handles objects. Any website can request this legacy engine, so the attack vector is basically unlimited.

The urgency implied by the out-of-cycle patch, combined with the otherwise eerie silence surrounding this patch, suggests this 0-day was possibly being used in a targeted attack. We hope the details will eventually be revealed.

CentOS 8 and CentOS Stream

CentOS 8, the community repackage of Red Hat Enterprise Linux (RHEL) 8, was released this week. In 2014, Red Hat announced that CentOS was officially becoming a Red Hat sponsored project. This week, CentOS Stream was also announced.

The Fedora distribution has long served as a test-bed for upcoming RHEL releases, with RHEL 8 being based on Fedora 28. CentOS Stream will serve as a “midstream” distribution, a rolling release that pulls updates from Fedora, and will eventually become future RHEL/CentOS releases. It remains to be seen exactly how far ahead of the main CentOS distribution Stream will stay. A long-standing problem with CentOS is that by the time a release hits end-of-life, some of the software versions are very old. Even though security fixes are quickly backported to these older versions, there are security issues that arise as a result. For example, CentOS 7 contains PHP 5.4 with no official path to installing a newer version of PHP. WordPress now requires PHP 5.6.20 as the oldest supported PHP version. Red Hat may backport fixes to PHP 5.4, but that doesn’t help the out-of-date installs of WordPress, running on otherwise up-to-date CentOS machines.

Hopefully CentOS Stream will provide the much needed middle-ground between the bleeding-edge pace of Fedora, and the frustratingly slow march of CentOS/RHEL.

Russian Surveillance

A Nokia employee accidentally backed up a company drive to his home storage device, which was unintentionally Internet accessible. The data contained on this drive was detailed information on Russia’s SORM (System for Operative Investigative Activities), the government’s wiretapping program. The amount of data revealed is staggering, 1.7 terabytes. Passwords, administrative URLs, and even precise physical locations were included. The breadth of information makes one wonder if it was actually an accident, or if this was intended to be another Snowden style data leak. Just an aside, it’s not clear that the revealed wiretapping effort is as broad or onerous as the one Snowden revealed.

PHPMyAdmin CSRF

Running PHPMyAdmin on one of your servers? You should probably go update it. Version 4.9.1 was released on Saturday the 21st, and contains a fix for CVE-2019-12922. This vulnerability is a Cross Site Request Forgery, or CSRF. A CSRF attack can be as simple as an image link on one site, that links to another site, and triggers an action on that second site. Let’s look at the PHPMyAdmin example:

<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;">

A hidden image will actually trigger an HTTP GET request, which asks for the server’s page, and tries to remove the first entry. If a user is logged in to the PHPMyAdmin server that the link is targeting, the command will silently complete. This is one of the reasons that HTTP GET requests should never make state changes, and only ever retrieve information. An HTTP POST message is much harder to generate in this way, though not impossible.
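To make the GET-versus-POST point concrete, here is an added example that is not part of the original post and not phpMyAdmin's own code: a constructed in-memory "remove server" handler written the vulnerable way (a GET with query parameters performs the deletion) next to a hardened version that insists on POST, checks the Origin/Referer header against the site's own origin and verifies a per-session CSRF token in constant time. The session store, the `Request` class, the `https://server` and `https://attacker.example` origins and the handler names are all assumptions made up for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> {"servers": {...}, "csrf_token": str}
SESSIONS = {}


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (hypothetical, not a real framework type)."""
    method: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def new_session():
    """Log a user in: create a session holding two configured servers and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"servers": {1: "db-a", 2: "db-b"}, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def remove_server_vulnerable(req):
    """The pattern the post describes: a GET request with query parameters performs a state change.
    Anything that makes the victim's browser fetch the URL (a hidden <img>) triggers it, because the
    browser attaches the session cookie automatically."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    try:
        server_id = int(req.query.get("id", ""))
    except ValueError:
        return 400, "bad id"
    if req.query.get("mode") == "remove":
        sess["servers"].pop(server_id, None)
        return 200, "removed"
    return 400, "unknown mode"


def remove_server_hardened(req, site_origin="https://server"):
    """Same action with three defences: state changes only on POST, an Origin/Referer check,
    and a per-session token that a cross-site page cannot read."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state changes require POST"
    # Browsers send Origin on cross-site POSTs; fall back to Referer. With neither present we fail closed.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != site_origin and not origin.startswith(site_origin + "/"):
        return 403, "cross-origin request refused"
    # Constant-time compare of the token submitted in the form body with the one stored server-side.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    try:
        server_id = int(req.form.get("id", ""))
    except ValueError:
        return 400, "bad id"
    sess["servers"].pop(server_id, None)
    return 200, "removed"


def forged_image_request(sid):
    """What the hidden <img> from the post produces: a cookie-bearing GET from a third-party page."""
    return Request(method="GET", query={"page": "servers", "mode": "remove", "id": "1"},
                   headers={"Referer": "https://attacker.example/"}, cookies={"sid": sid})


def forged_form_post(sid):
    """A cross-site auto-submitted form: it is a POST, but the other site cannot know the victim's token."""
    return Request(method="POST", form={"id": "1"},
                   headers={"Origin": "https://attacker.example"}, cookies={"sid": sid})


def legitimate_post(sid):
    """The real settings page submits the token it rendered into its own form."""
    return Request(method="POST", form={"id": "1", "csrf_token": SESSIONS[sid]["csrf_token"]},
                   headers={"Origin": "https://server"}, cookies={"sid": sid})


def demo():
    """Run the forged and legitimate requests against both handlers; returns status codes and remaining servers."""
    results = {}
    sid = new_session()
    results["vulnerable_img"] = remove_server_vulnerable(forged_image_request(sid))[0]
    results["vulnerable_servers_left"] = sorted(SESSIONS[sid]["servers"])
    sid = new_session()
    results["hardened_img"] = remove_server_hardened(forged_image_request(sid))[0]
    results["hardened_form"] = remove_server_hardened(forged_form_post(sid))[0]
    results["hardened_servers_left"] = sorted(SESSIONS[sid]["servers"])
    results["hardened_legit"] = remove_server_hardened(legitimate_post(sid))[0]
    results["after_legit_servers_left"] = sorted(SESSIONS[sid]["servers"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against the vulnerable handler the hidden image's GET deletes server 1; against the hardened one the same request is refused as a GET, a cross-site POST without the token is refused too, and only the site's own form, carrying the token, succeeds. Marking the session cookie `SameSite=Lax` or `Strict` adds a browser-side layer on top of this, but the server-side checks are what hold when that attribute is absent or ignored.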

Gatwick Drone Incident: Police Still Clueless

Quietly released and speedily buried by Parliamentary wrangles over Brexit is the news that Sussex Police have exhausted all lines of inquiry into the widely publicised drone sighting reports that caused London’s Gatwick Airport to be closed for several days last December. The county’s rozzers have ruled out 96 ‘people of interest’ and combed through 129 separate reports of drone activity, but admit that they are no closer to feeling any miscreant collars. There is no mention of either their claims at the time to have found drone wreckage, their earlier admissions that sightings might have been of police drones, or even that there might have been no drone involved at all.

Regular readers will know that we have reported extensively on the sorry saga of official reactions to drone incidents, because we believe that major failings in reporting and investigation will accumulate to have an adverse effect on those many people in our community who fly multi-rotors. In today’s BBC report, for example, there is the assertion that 109 of the drone sightings came from “‘credible witnesses’ including a pilot and airport police”, which, while it sounds reassuring, is we believe a dangerous route to follow because it implies that the quality of evidence is less important than its source. It is crucial to understand that multi-rotors are still a technology with which the vast majority of the population are unfamiliar, and simply because a witness is a police officer or a pilot does not make them a drone expert whose evidence is above scrutiny.

Whichever stand you take on the drone sightings at Gatwick and in other places it is clear that Sussex Police do not emerge from this smelling of roses and that their investigation has been chaotic and inept from the start. We believe that there should be a public inquiry into the whole mess, so that those embarrassing parts of it which they and other agencies are so anxious to quietly forget can be subjected to scrutiny. We do not however expect this to happen any time soon.

Keystone Kops header image: Mack Sennett Studios [Public domain].

LEDs Light The Way To This Backdoor

A curious trend for some years in the world of PC hardware has been that of attaching LEDs to all the constituent parts of a computer. The idea is that somehow a gaming rig that looks badass will somehow be just a little bit faster. As [Graham Sutherland] discovered when he wanted to extinguish the LEDs on his new Gigabyte graphics card, these LEDs can present an unexpected security hazard.

The key to their insecurity comes in the Gigabyte driver. This is a piece of software that you would normally expect to be an abstraction layer with an interface visible to your user-level privilege, and a safe decoupling between that and the considerably more security-sensitive hardware layer where the LED bus lives. Instead of this, the Gigabyte driver is more of a wrapper that simply exposes the LED bus directly to the user level. It’s intended that user-level code can easily bit-bang WS2812 LEDs without hindrance, but its effect is to provide a gaping hole in the security layers intended to keep malicious code away from the hardware. The cherry on the cake is provided by the discovery of a PIC microcontroller on the bus which can be flashed with new code, providing an attacker with persistent storage unbeknownst to the operating system or CPU.

The entire Twitter thread is very much worth reading whether you are a PC infosec savant or a dilettante, because not only should we all know something about the mechanisms of PC backdoors we should also be aware that sometimes a component as innocuous as an LED can be a source of a security issue.

Thanks [Slurm] for the tip.

Gigabyte motherboard picture: Gani01 [Public domain].

Awesome Animation Channel Is An Educational Rabbit Hole

Once [Shabab] clued us in to the brilliant animations of [Jared Owen], we pretty much lost an afternoon exploring this incredible YouTube channel. Self-taught Blender wizard [Jared] combines fantastic animations with clear and concise explanations for the inner workings of everything from Nerf guns and Fisher-Price corn poppers to the International Space Station.

Space nerds and casuals alike should check out [Jared]’s crowning achievement: a three-video Apollo spacecraft series, which covers many details in a short amount of time. Want more Apollo? Here’s a deeper dive into the lunar module. [Jared] uses music to great effect in these videos, especially in the Apollo series.

Several videos are devoted to mechanisms, like the humble gumball machine, the grand piano, and the combination lock. In addition to all the great how-it-works videos, [Jared] explores various noteworthy buildings. You know there’s a bowling alley in the White House, right? [Jared]’s tour shows you exactly where it is.

We love the diversity of the videos, all of which [Jared] researches in great detail. He enjoys working from user suggestions, so let him know what you’re dying to see dissected in detail.

Thanks for the tip, [Shabab].