It’s a constant cat-and-mouse game – do attackers exploit newly disclosed security vulnerabilities faster, or do manufacturers manage to build and ship updates first? Does it even make sense to install updates promptly?
Recent incidents show that the answer is not as clear as it seems. The ASUS supply chain attack and a Cisco router patch are two recent cases in which updates opened security gaps rather than closing them. Here is why updates still make sense despite these negative examples.
Patch and go – the ASUS Supply Chain Attack
Attackers managed to slip malware into the ASUS Live Update Utility unnoticed. The Live Update Utility is software preinstalled on ASUS notebooks that installs current updates securely in the background. The attackers disguised the malware so that it was recognized as a legitimate update, signed with the appropriate certificates, and was therefore installed. This vulnerability was exploited between June and November 2018.
The aim of the attack was to download further malware from a fake website in the background. The malware checks the physical address (MAC address) of the infected device to decide whether that device should be attacked further: a total of 600 MAC addresses were selected for the download of the second-stage malware.
Although the fake website was shut down in November 2018, a residual risk remains for devices that received the Live Update Utility between June and November 2018: malware may still be present on the device, and the full capabilities of that malware are not yet known.
Affected? Check now whether your own devices are infected!
To check whether your device is affected by this attack, perform the following steps:
- Check whether your MAC address is on the list of targeted addresses: MAC address check
- If your MAC addresses are not on the list, check whether an .idx.ini file exists in the user directory.
If either check is positive (your MAC address is on the list, or the file exists), your system is infected. In any case, protect yourself by keeping your anti-virus program up to date and updating the ASUS Live Update Utility to version 3.6.8!
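The two checks above, as an added example that is not code from the original post or from ASUS: a small Python script that normalizes the different MAC notations before comparing against the target list and then tests for the marker file. The sample list and the local_mac_addresses helper are assumptions; substitute the published list and the real addresses of all your interfaces.

```python
import re
import uuid
from pathlib import Path

# Constructed sample of targeted MAC addresses (placeholder values, not the
# list published for the ASUS incident), in the mixed notations such lists
# typically use.
TARGETED_MACS_SAMPLE = """
# one MAC per line
00:11:22:33:44:55
aa-bb-cc-dd-ee-ff
"""

MARKER_FILE = ".idx.ini"  # file name the advisory says to look for


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 upper-case hex digits, no separators.
    Lists mix colons, dashes, dots and case; comparing raw strings would
    miss real matches."""
    canon = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", canon):
        raise ValueError(f"not a MAC address: {mac!r}")
    return canon


def load_mac_list(text: str) -> set:
    """Parse one MAC per line, skipping blank lines and '#' comments."""
    return {normalize_mac(line.strip()) for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")}


def local_mac_addresses() -> list:
    """Assumed helper: uuid.getnode() reports only one interface, so on a
    real host pass every interface's MAC (e.g. from 'getmac') to check_host."""
    return ["%012X" % uuid.getnode()]


def check_host(macs, targeted: set, user_dir) -> dict:
    """Apply both indicators from the advisory. A MAC on the target list OR
    the marker file in the user directory means the host is infected."""
    mac_hits = sorted({normalize_mac(m) for m in macs} & targeted)
    marker_present = (Path(user_dir) / MARKER_FILE).is_file()
    return {"mac_hits": mac_hits, "marker_file": marker_present,
            "infected": bool(mac_hits) or marker_present}


if __name__ == "__main__":
    targeted = load_mac_list(TARGETED_MACS_SAMPLE)
    print(check_host(local_mac_addresses(), targeted, Path.home()))
```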
Another case – the CISCO Router Patch
Kaspersky Lab staff discovered vulnerabilities in two Cisco routers, the RV320 and RV325. The vulnerability allowed unauthorized users to execute commands that only an administrator should be able to execute.
Kaspersky notified Cisco of these vulnerabilities – but instead of fixing the problem permanently in the source code, Cisco released a quick patch. This patch addresses the vulnerability in only 3 lines: it merely filters the HTTP User-Agent header, and requests whose User-Agent is “curl” are blocked.
We were also quite surprised to find this /etc/nginx.conf in 18.104.22.168 pic.twitter.com/tvOj04Q7Ip
— RedTeam Pentesting (@RedTeamPT) March 27, 2019
curl is a command-line tool for transferring data to and from servers using URL syntax. This patch is only an interim solution; Cisco employees are currently working on a permanent fix. Hopefully it will also be one that cannot be bypassed as easily as this one, even by a layman.
Are updates mandatory in 2019?
Updates are the only way to keep software secure over time. Attackers discover new security vulnerabilities almost daily, and the software's maintainers have to address them. Keeping the software secure against new attack methods means changing its code, and the only practical way to get that changed code to the end user is an update.
The examples above involve updates that did not address a discovered problem at all, or only partially. In the ASUS supply chain attack, the update tool itself was the security gap. Nevertheless, it makes sense to keep all devices up to date, because updates usually close security gaps rather than open them!
One possible improvement to the update process would be to separate security updates from feature updates. So far, both are rolled out together, and users who skip updates usually do so because of upcoming features they do not want.