What have the white hat dug this year? Count the vulnerabilities that affect the world in 2015.

What have the white hat dug this year? Count the vulnerabilities that affect the world in 2015.

2015 is a year of cyber security: countless critical vulnerabilities are discovered, repaired, or exploited... Fortunately, with the efforts of White Hat hackers around the world, many fatal vulnerabilities have been fixed by the vendor before the attackers find them.

From the CVE-2015-0002 that let Google and Microsoft split the station and fight against each other, to the iOS XcodeGhost that threatens hundreds of millions of Chinese people, the list of discovered vulnerabilities in 2015 is not only as long as ever, and the level of excellence is also not bad. In this article, we will extract 10 vulnerabilities with the widest impact, the highest visibility, and the worst consequences from the vulnerability long list over the past 15 years, and introduce them in detail.

CVE-2015-0002, a vulnerability-caused giant battle

In early 2015, Google's Project Zero security team disclosed a Windows 8.1 security vulnerability and details. The key issue is that, at this time, Microsoft has not fixed the vulnerability, and hackers can still use the vulnerability details to attack Windows users.


Google also has a good reason to disclose the vulnerability details before the vendor fixes the vulnerability, that is, Microsoft's inaction. Google released an ultimatum as early as 90 days ago, but Microsoft has not released any updates yet. As a result, Google announced details of the vulnerability on the seventh day as promised.

The real threat of this vulnerability is not big enough, but it has triggered an industry-wide discussion about vulnerability disclosure-whether it should be announced after the vendor fixes it, or if it is announced in advance, it will force the vendor to fix the vulnerability. Microsoft and Google are right or wrong, and every security practitioner has its own set of evaluation criteria.

Rowhammer: attack the notebook and gain control

The Rowhammer vulnerability also exists in the hands of Google's Project Zero security team, affecting all X86 architecture CPUs carrying DRAM memory. With this vulnerability, attackers can gain kernel permissions or even obtain code execution permissions through remote attacks.


The expression of the Rowhammer vulnerability is also unusual: when an attacker beats a specific row of Hammering memory, the memory units of other rows are flipped accordingly, implement "1 to 0, 0 to 1 ". A large number of laptops using the x86 architecture have been affected by the Rowhammer vulnerability.

IIS Remote DOS and Information Leakage vulnerability, making it easy to make blue screens for millions of servers

Microsoft fixed IIS Remote DOS and Information Leakage Vulnerability (CVE-2015-1635) in April this year. With this vulnerability, attackers can directly attack millions of Windows servers around the world and bring their blue screens offline with a single line of simple commands. About 30% of servers in China are affected by this vulnerability.

VENOM vulnerability, where tens of thousands of organizations and millions of end users lay down their guns

VENOM Vulnerability (CVE-2015-3456) is a vulnerability that affects QEMU floppy disk controller drivers (Open Source computer simulators used to manage virtual machines. Attackers can send commands and parameter data from the client system to the floppy disk controller, leading to data buffer overflow and arbitrary code execution in the host management program process environment.


This vulnerability has a huge impact on at least thousands of organizations and millions of end users. It is worth mentioning that as the venom vulnerability enters the public's field of view, more and more experts have begun to pay attention to virtualization security. Taking the special Team 360 Marvel Team set up this year as an example, they have mined several high-risk vulnerabilities from the virtualization field, such as CVE-2015-7504 and CVE-2015-6815.

Endless Flash vulnerabilities have become the gospel of fire dealers

Adobe Flash vulnerabilities have become a common topic in the security field. In 2015, Flash became another target: multiple Flash vulnerabilities were discovered for national APT, commercial espionage, and ransomware, these include the FLASH vulnerability that the Russian APT28 organization has attacked multinational corporations/Defense Organizations in the United States, the Flash Vulnerability leaked by the Hacking Team to monitor the target, and the Flash Vulnerability used for the Pawn Strom attack ......


According to the latest report, eight of the top 10 vulnerabilities exploited by hackers (EK) Target Adobe Flash Player. It can be said that Adobe provides a lot of "ammunition" for the cyber war ". Despite the increasing call for giving up Flash in the industry, Adobe still launched a new beta version of Flash Player 20. The path to exploiting Flash vulnerabilities must continue.

Win32k kernel driver/font Driver Vulnerability, triggering World War of Network

Because the sandbox mechanism is widely used in modern browsers, browser vulnerability attacks require Kernel Vulnerability support. Since the beginning of this year, several win32k. sys Kernel Vulnerability is used for real APT attacks. At the same time, entering the kernel through the Font Vulnerability has become a common case, the vulnerabilities include the two font kernels exposed in the hacking team incident and a large number of font kernels discovered by Google researcher J00ru.

In addition, the Russian APT28 organization to attack the United States transnational state-owned enterprises/defense units kernel privilege elevation (CVE-2015-1702), Duqu2.0 organization to attack Kaspersky laboratory kernel vulnerabilities, etc, the Windows 32 K Kernel Driver Vulnerability is also used. The Win32k kernel driver/font Driver Vulnerability has become the most common weapon in the cyber war, with countless countries and organizations under attack.

CVE-2015-1745, the strongest defense condition, IE is still broken

On a 64-bit IE browser, attackers can use uninitialized CVE-2015-1745 vulnerabilities and bypass CFG/EMET and other protection measures as well as the defense of the PEM sandbox to complete the acquisition of control permissions.


It is worth mentioning that, at the Pwn2Own challenge held on April 9, 360, the Vulcan Team from China relied on this vulnerability, in one fell swoop, it broke the most challenging and demanding IE11 browser ever. Although the IE11 browser has enhanced sandbox protection and enabled 64-bit processes and EMET defense, it is still cracked by the Chinese team in 17 seconds due to this vulnerability.

IOS XcodeGhost and Baidu WormHole vulnerabilities, turning apps into traps

IOS XcodeGhost and Baidu WormHole vulnerabilities are mainly exploited in China. The two affected hundreds of apps. Attackers can exploit this vulnerability to gain almost all control of their mobile phones. This is the most influential vulnerability in China in 2015.

IOS AirDrop vulnerability breaks down the myth of no vulnerability in iOS 9

The iOS AirDrop vulnerability is the first vulnerability on iOS 9. This vulnerability can be used to push and install malicious applications to devices without the consent of the user. The AirDrop vulnerability broke the benefits of iOS 9. Apple immediately fixed the vulnerability in the latest iOS 9.

The stagefright vulnerability allows one MMS Message to control 95% of Android phones worldwide

At the same time, Android phones are not alone. Zimperium, an Israeli mobile information security company, has detected multiple security vulnerabilities in the Stagefright, a core component of the Android system, affecting about 95% of Android devices. Hackers can send a MMS Message to completely control the user's mobile phone, regardless of whether the user has read the SMS.


While searching for vulnerabilities, Google has encountered problems in fixing vulnerabilities. It is reported that Google's first patch for Android cannot completely fix the Stagefright vulnerability, and Google had to fix it for the second time.
......

In 2015, more than 10 vulnerabilities were affected. However, due to limited space, only 10 of the most prominent vulnerabilities were introduced.

Vulnerabilities have always been called weapons in the cyber war. Many malicious elements want to exploit these vulnerabilities to obtain data or crack competitors. Therefore, in the "arms" market in the online world, high-price vulnerability rewards are not uncommon. Zerodium, a vulnerability-based asset security company, announced a maximum of $0.5 million for iOS vulnerabilities. Android, Windows, and IE vulnerabilities were also marked as $0.1 million and $80 thousand respectively.

Like guns, once such vulnerabilities are obtained by criminals, they may pose a huge security threat to users. The upcoming 2016 s will also make us grateful to all the security staff and white-Hat hackers for their continued race against criminals, in exchange for our network security.
FreeBuf hosts the "2015 Internet Security annual selection" WitAwards vote in progress. The winners of 12 Annual Security Events, annual security vulnerabilities, and top-rated Security Vulnerabilities, the answer will be announced at next year's FIT Internet Security innovation conference.