
The number of zero-day exploits rose throughout 2013, affecting a wide swathe of individuals and organizations. Moreover, the impending end of official support for Microsoft Windows XP has broadened the conversation about addressing systemic IT weaknesses, whether through upgrades, patching or additional security software, to ward off similar would-be zero-day incidents.
While infinite Windows XP zero-days are still only a prospect at this point (especially now that Microsoft will issue malware fixes until 2015), the implications of such vulnerabilities can already be gleaned from the fallout of breaches of vBulletin-powered forums. MacRumors and the official page for the OpenSUSE Linux distribution were compromised by attackers taking advantage of a potential zero-day flaw in the popular forumware. Although recently patched, these sites had little recourse against tactics that bypassed security to scrape passwords and email addresses.
What can be done to address the rise in zero-day campaigns? The stakes for answering this question are high – just look at the number of ATMs that still run Windows XP, despite the aging operating system’s approaching obsolescence. Preventing damage from future zero-days will require a proactive approach that addresses common weak points in IT security, including the reliance on outdated software, lack of knowledge about cost-effective alternatives such as virtualization and slow implementation of patches.
By definition, zero-day exploits are difficult to address because attackers have already found the weakness and security teams are playing catch-up. Still, zero-days don’t materialize out of thin air and go after random targets – typical attack magnets such as Windows XP, Internet Explorer and vBulletin are widely used, built on relatively old yet frequently updated technology and often insufficiently patched by their users. Staying safe need not be a strictly reactive process that simply tries to undo the damage of an attack – with the right focus, potential attack surfaces for zero-days can be minimized.
Attacks on openSUSE page, MacRumors may have been result of vBulletin zero-day
Several pages at forums.opensuse.org were replaced after an attacker used a zero-day exploit to access the site’s databases. He used a PHP shell backdoor, targeting vBulletin, to gain read and write permissions to openSUSE servers.
However, access credentials were not compromised since openSUSE had implemented an external single sign-on solution, demonstrating one of the many precautions that organizations can take to prepare for zero-day breaches. At the same time, the attacker acquired email addresses that had been stored in a local database for convenience.
The openSUSE breach wasn’t just a matter of someone finding another zero-day fault in vBulletin. The email storage practices, along with the site’s patch implementation, may have enhanced the incident’s impact. Although site administrators stated that having deployed the most recent patch (openSUSE was one patch behind) would not have protected the site, it’s important to note that small oversights and delays can pile up, creating a broader attack surface.
More specifically, the 4.x branch of vBulletin used by openSUSE includes a vulnerable third-party component, called uploader.swf, that is part of the Yahoo User Interface library. Yahoo does not plan to fix this item since it is only used in older, unsupported versions of YUI. Instead, 4.x users are advised to replace the file with a dummy equivalent and fall back on a JavaScript uploader.
To its credit, openSUSE quickly removed uploader.swf, which could have enabled cross-site scripting attacks in which arbitrary JavaScript is injected into a page. It’s unclear if this particular vulnerability was decisive, but it could have been used in conjunction with social engineering tactics to take over an admin account and gain access to the database.
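The remediation described above is easy to state but easy to leave half-done across several installations, so a defender wants a quick way to confirm it. The following script is an added example, not code from the article or from the vBulletin or YUI projects: it walks a web root, finds every file named uploader.swf and classifies each one as a live Flash movie or as a neutralized dummy. It relies on the fact that a genuine SWF file begins with one of the signatures FWS, CWS or ZWS, so a zero-length or otherwise non-SWF placeholder is recognized as already replaced. The directory layout and file contents built by build_demo_tree are constructed for the demonstration and do not reproduce vBulletin's real paths.

```python
import os
import tempfile

# Every genuine SWF file starts with one of these three signatures
# (uncompressed, zlib-compressed, LZMA-compressed). A file at the path
# that lacks them is not a working Flash movie and counts as a dummy.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def classify_uploader(path):
    """Return 'missing', 'neutralized' or 'live' for one candidate path."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        head = fh.read(3)
    return "live" if head in SWF_MAGIC else "neutralized"


def find_uploaders(root, name="uploader.swf"):
    """Walk a web root and classify every file called uploader.swf.

    Returns a dict mapping the path relative to root to its status."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            full = os.path.join(dirpath, name)
            findings[os.path.relpath(full, root)] = classify_uploader(full)
    return findings


def build_demo_tree():
    """Constructed sample tree: one live uploader, one dummy replacement.

    The directory names are invented for the demo, not vBulletin's layout."""
    root = tempfile.mkdtemp(prefix="uploader_check_")
    live_dir = os.path.join(root, "forum_a", "yui", "uploader")
    dummy_dir = os.path.join(root, "forum_b", "yui", "uploader")
    os.makedirs(live_dir)
    os.makedirs(dummy_dir)
    with open(os.path.join(live_dir, "uploader.swf"), "wb") as fh:
        # Constructed: only the magic bytes matter for the check.
        fh.write(b"CWS\x0a" + b"\x00" * 16)
    with open(os.path.join(dummy_dir, "uploader.swf"), "wb") as fh:
        fh.write(b"")  # zero-length placeholder, as a dummy replacement would be
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, status in sorted(find_uploaders(demo_root).items()):
        print(f"{status:11} {rel}")
```

Run it against a real web root by calling find_uploaders on that directory; any entry reported as "live" is an installation where the Flash uploader has not yet been swapped for the dummy, and an empty result means the file is absent altogether.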
OpenSUSE wasn’t the largest target of the vBulletin exploit. MacRumors, which has 867,000 registered members, and the still larger UbuntuForums were hit by similar attacks. In the case of MacRumors, email addresses, usernames and hashed passwords were exposed, and the site owner advised everyone to reset their passwords and not reuse one from a separate site.
Windows XP and ATMs: The real stakes of taking proactive measures against zero-days
These forum hacks demonstrate how popular platforms can attract enough attention to make them worthwhile targets for attackers. What’s more, seemingly minor oversights, such as relying on older software or not implementing the latest patch, can magnify the damage of such exploits.
The long life of Windows XP, and its approaching change in support, have made it more important than ever for organizations to learn from the aftermath of the vBulletin breaches and harden their systems. The issue extends beyond the IT department – Windows XP runs in the background of 95 percent of the 420,000 ATMs in the U.S., and banks have been slow to make the upgrade to Windows 7. Updating can be a costly and even risky process, but the alternative is fending off zero-day threats on their own, without official patches or support.
It could be a few years before all ATMs are upgraded to versions of Windows with mainstream support. Until then, organizations may have to deal with threats such as robbery via USB key or a botnet that could pool the resources of the 29 percent of PCs that still run XP. The OS was listed as an affected product in 45 Microsoft security bulletins issued between July 2012 and July 2013.
In Europe, an ATM was compromised after it booted from an infected USB key, demonstrating that many different endpoints are at risk from the prospect of infinite Windows XP zero-day vulnerabilities. Organizations will need to upgrade software and hardware, not only to receive official support but to reduce the number of attack surfaces.
OpenSUSE has already hinted at plans to possibly migrate to a different forum software, stating that the recent exploit confirmed its concern about issues with vBulletin. However, staying safe from zero-day exploits isn’t just a matter of picking the right platform – it also depends on following best practices such as training users to recognize social engineering tactics and issuing patches quickly.