This Week In Security: Chrome Bugs And Non-bugs, Kr00k, And Letsencrypt

Google Chrome minted a new release to fix a trio of bugs on Monday, with exploit code already in the wild for one of them. The first two bugs don’t have much information published yet. They are an integer-overflow problem in Unicode internationalization, and a memory access issue in streams. The third issue, type confusion in V8, was also fixed quietly, but a team at Exodus Intel took the time to look at the patches and figure out what the problem was.

The actual vulnerability dives into some exotic Javascript techniques, but to put it simply, it’s possible to change a data-type without V8 noticing. This allows malicious code to write into the header area of the attacked variable. The stack, now corrupted, can be manipulated to the point of arbitrary code execution. The researchers make the point that even with Google’s fast-paced release schedule, a determined attacker could have several days of virtual zero-day exploitation of a bug mined from code changes. Story via The Register.

The Chrome Problem that Wasn’t

A second Chrome story came across my desk this week: Chrome 80 introduces a new feature, ScrollToTextFragment. This useful new feature allows you to embed a string of text in a URL, and when loading that address, Chrome will scroll the page to make that text visible. For certain use cases, this is an invaluable feature. Need to highlight a specific bit of text in a big document online?

The following bookmarklet code by [Paul Kinlan] is the easy way to start using this feature. Paste this code into the URL of a bookmark, put it on the bookmark bar, highlight some text in a webpage, and then run the bookmarklet. It should open a new tab with the new URL, ready to use or send to someone.

javascript:(function()%7Bconst%20selectedText%20%3D%20getSelection().toString()%3Bconst%20newUrl%20%3D%20new%20URL(location)%3BnewUrl.hash%20%3D%20%60%3A~%3Atext%3D%24%7BencodeURIComponent(selectedText)%7D%60%3Bwindow.open(newUrl)%7D)()

Since we’re talking about it in the security column, there must be more to the story. A privacy guru at Brave, [Peter Snyder], raised concerns about privacy implications of the feature. His argument has been repeated and misrepresented in a few places. What argument was he making? Simply put, that it’s not normal user behavior to immediately scroll to an exact position on the page. Because modern web pages and browsers do things like deferred loading of images, it could be possible to infer where in the page the link was pointing. He gives the example of a corporate network where DNS is monitored. This isn’t suggesting that the entire URL is leaked over DNS, but rather that DNS can indicate when individual components of a page are loaded, particularly when they are embedded images from other sites.

While this concern isn’t nonsensical, it seems to me to be a very weak argument that is being over-hyped in the press.

Whatsapp Groups Searchable on Google

It’s not new for search engines to index things that weren’t intended to be public. There is a bit of mystery surrounding how Google finds URLs to index, and StackExchange is full of plenty of examples of webadmins scratching their heads at their non-public folders showing up in a Google search.

That said, a story made the rounds in the last few days, that WhatsApp and Telegram group invites are being indexed by Google. So far, the official word is that all the indexed links must have been shared publicly, and Google simply picked them up from where they were publicly posted.

It appears that WhatsApp has begun marking chat invitation links as “noindex”, which is a polite way to ask search engines to ignore the link.

If it’s shown that links are getting indexed without being posted publicly online, then we have a much bigger story. Otherwise, everything is working as expected.

Letsencrypt Makes Attacks Harder

Letsencrypt has rolled out an invisible change to their validation process that makes a traffic redirection attack much harder. The new feature, Multi-Perspective Validation, means that when you verify your domain ownership, Letsencrypt will test that verification from multiple geographic regions. It might be possible to spoof ownership of a domain through a BGP attack, but that attack would be much harder to pull off against traffic originating from another country, or multiple countries simultaneously. Letsencrypt is currently using different regions of a single cloud, but plans to further diversify and use multiple cloud providers for even stronger validation.

Kr00k

Brought to us by the researchers at Eset, Krook (PDF) is a simple flaw in certain wireless chips. So far, the flaw seems to be limited to WPA2 traffic sent by Broadcom and Cypress chips. They discovered Kr00k while doing some followup research on KRACK.

Let’s talk about WPA2 for a moment. WPA2 has a 4-way handshake process that securely confirms that both parties have the shared key, and then establishes a shared Temporal Key, also known as a session key. This key is private between the two devices that performed the handshake, meaning that other devices on the same wireless network can’t sniff traffic sent by other devices.

When a device disconnects, or disassociates, that session key is reset to all 0s, and no packets should be sent until another handshake is performed. Here’s the bug: The packets already in the output buffer are still sent, but are encrypted with the zeroed key, making them trivially decrypted. As it’s simple to trigger deauthentication events, an attacker can get a sampling of in-the-clear packets. The ubiquity of TLS is a saving grace here, but any unencrypted traffic is vulnerable. Eset informed vendors about the flaw in 2019, and at least some devices have been patched.

Exchange

Microsoft Exchange got a security patch this past Tuesday that addressed a pair of bugs that together resulted in a remote code execution vulnerability. The first bug was an encryption key that is generated on Exchange server installation. That generation seemed to lack a good source of entropy, as apparently every Exchange install uses the the exact same key.

The second half of this bug is a de-serialization problem, where an encrypted payload can contain a command to run. Because the encryption key is known, any user can access the vulnerable endpoint. The process of exploitation is so trivial, be sure to patch your server right away.

TODO: Remove Vulnerabilities

This one is just humorous. An Intel virtualization feature appears to have been pushed into the Linux kernel before it was finished. Know what unfinished code tends to contain? Bugs and vulnerabilities. CVE-2020-2732, in this case. It’s unclear how exactly an exploit would work, but the essence is that a virtual guest is allowed to manipulate system state in unintended ways.

20 thoughts on “This Week In Security: Chrome Bugs And Non-bugs, Kr00k, And Letsencrypt

  1. We humans have been making the same coding errors over and over again for decades, apparently learning nothing in the process. It is good solid proof that humans are bad engineers, they cannot be trusted to make good decisions.

    This is the fatal flaw with all nuclear power projects: they have human beings involved with the process, and these humans have been proven over and over again to make poor decisions when it comes to nuclear safety. For example, we teach small children to wipe their feet when they step in something, but nuclear plant workers cannot be bothered with this, and so they track nuclear waste out of the building, and into the parking lot, where it gets washed into the groundwater. Stupid humans can’t be trusted.

    1. “For example, we teach small children to wipe their feet when they step in something, but nuclear plant workers cannot be bothered with this, and so they track nuclear waste out of the building, and into the parking lot, where it gets washed into the groundwater.”

      Wha? Reference, please? (No, The Simpsons is not a reference, nor is it a documentary)

      1. Delusional people be delusional. I knew a person who thought that nuclear power plants worked by grinding down pieces of uranium and passing the dust along to the cooling water. I also knew a guy who thought that the cooling towers and smoke stacks in a nuclear reactor were meant for blowing out neutrons into the sky, and the neutrons would spiral up and cause all sorts of different things from cancer to global warming.

        A fault in the head doesn’t have to be great to make for significant trouble.

        1. I wouldn’t expect those delusional people to be anywhere near a plant, let alone work in one, which I assume they didn’t?

          As for people walking in nuclear waste and tracking it out, would this be in Pripyat per chance?

    2. In reality, nuclear plant workers are subjected to stricter radiation safety rules than the general public. They actually have radiation monitors on their clothes and if they were dragging radioactive waste in their shoes to the parking lot, the radiation tags on their clothes would be singing holy ghost and everyone in the plant would be evacuated.

      Meanwhile, the public can be exposed to 5 times the level of radiation exposure without anyone taking notice, and nobody being the wiser because it’s really not that dangerous. It only shows up in the statistics – mostly if you are a smoker (lung cancer).

      1. This. When I worked in a synchrotron lab, we would get in trouble if we wore our badges out to lunch. A couple of hours of normal mid-day background radiation would show up on a monthly badge.

        With a summer spent underground, I probably saved up enough radiation credit for a dental X-ray!

    3. Don’t know what timestream you’re from but in this one we’ve solved that issue with the invention of the booty.

      Alan: Uh, well… uh, uh, you see Jake, um… In the Old West, uh, uh… cowboys, uh, could be out on the– the dusty range… uh, uh, for months… at a time, and, uh, they get mighty dirty. Um, so they’d, uh, they’d, uh, mosey into town, uh, with nothing but the– the clothes on their backs, uh, and th– they’d need to, to, to wash them. So what– what they’d do is, uh, they– they would go down to the– the, the… “crick”, uh, and, uh, strip down until they were wearing, uh, nothing but their boots.

      Charlie: Why’d they keep their boots on?

      Alan: Rattlesnakes. [to Jake]: Uh, anyway, um, in order to… to, to warn, uh, people who were swimming that, you know, a– a naked… cowboy was, uh, on his way, he would yell, or, uh, or, if you will, uh, call, uh, “Booty! Booty!” Ergo, the “booty call”.

      Kandi: Wow. Alan, you really make history fun.

      Alan: Well, thank you.

      Kandi: So when did it start meaning casual sex?

      Now, in this timestream, casual sex… well, probably not relevant.

    4. This is a delayed response but I feel compelled to reply.

      Nuclear is the safest, cleanest energy source yet developed.

      Fact: coal power plants emit more radiation into the environment than nuclear power plants producing the same amount of power. https://www.scientificamerican.com/article/coal-ash-is-more-radioactive-than-nuclear-waste/

      Hydro power affects environments in enormous ways and is limited in application. Wind is inefficient and produces tons of waste when windmills are retired. Solar is even worse. It takes years for the power produced by solar panels just to offset the greenhouse gas produced in manufacturing and installing them, and then at the end of their life they become an enormous amount of toxic garbage unsuitable even for landfills.

      On the other hand, nuclear power has always produced far less toxic waste than that, and newer reactor designs are capable of closing the nuclear fuel cycle.

      And to your statement that “humans are bad engineers” I thoroughly disagree. I think nuclear for one is a prime example that we learn from our mistakes. Nuclear has never been safer or cheaper than it is today (in North America; cannot speak for other places).

      1. Yawn.. Pyramids are still standing pristine, like the colloseum in rome. Never underestimate the stupidity of people. THAT is the problem with nuclear energy.
        And now to be on topic again: i love letsencrypt!

      2. Wasn’t going to bother to reply, but I your claims are false. While operating, and excluding all refining/enrichment and disposal problesm/issues, your assertion would be true. Add in those excluded processes, any your statement is not just wrong, but *vastly* wrong.

        1. Are you saying all of my claims are false or a subset?

          The first claim is twofold and very broad. I couldn’t prove it in a few sentences so I won’t try. But it is true, and I don’t think you can come up with an argument that disproves it.

          The second claim is a fact, and I provided a supporting reference.

          Then I talked about hydro, wind and solar. Do you disagree with any of those? I can support them with references if you think they are false.

          Specifically regarding the claim that nuclear produces less waste than solar, see my response to Martin below for supporting reference.

          Regarding safety, I am somewhat knowledgeable personally since I work in the nuclear power industry.

      3. Your statement about coal vs. nuclear is very true.
        But I can not leave your comment about solar stand here. What should be “toxic garbage unsuitable even for landfills” in PV panels. They are made of mostly glass, silicon and some metal frame. The only time toxic chemicals are used in their life cycle is during the production of silicon. But so is in every computer chip and this is manageable.

  2. >”There is a bit of mystery surrounding how Google finds URLs to index”

    Already forgotten that Chrome sends everything you type in the address bar to Google?

    The trick is that unless you start by writing “https…” the browser treats it not as a URL but a search request even if you’ve disabled all the spying options.

      1. Yeah… I mean, my first thought was “uh, Chrome” and my second thought was “also, Android?” My third thought was “I don’t think I’ll post that because people will assume I’m wearing a tinfoil hat.”

          1. The good thing about DoH is that it’ll encrypt your DNS requests, so that they will only be readable by the DoH provider. Strangely enough, Google is both well positioned to be the main provider of DoH lookups, and a big proponent of the system. Anyone want to bet that they log them and connect them with your profile?

            So it’s Google vs your ISP spying out your DNS searches. Yuck. Of course, with DoH, you can choose the DNS resolver, so that’s strictly good. But I can already choose to use an ISP that respects my privacy as well.

            All in all, the situation is crappy.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.