Tuesday, January 6, 2015

2014 - the infosec year in review - part 9

This is part 9 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014.

Item:  CVE 2014-1776

What is (or was) it?  A new vulnerability in mshtml.dll that left versions 6-11 vulnerable to remote exploits.

Why it's significant? Microsoft said they weren't going to patch XP anymore, right?  Yeah, I remember that too.  But then they changed their tune when this vulnerability was discovered and said "okay, we were just kidding - we'll patch one more time."

This vulnerability was interesting for another reason too.  The flaw itself was exploitable through the use of VML.  If you don't know what VML is, don't feel bad - you're in the majority.  It's an antiquated standard that virtually nobody has used for the last decade.

Could it have been prevented? Yes, but all software has bugs.  This particular bug was exploitable  using an obscure standard that nobody uses, yet is enabled by default on all versions of Windows.  If you are writing software today, you owe it to your user base to only install the features that are actually needed - not everything and the whole kitchen sink.  Any CISSP can tell you to disable unneeded services - the problem here is that this was a feature of software that lots of people use (Internet Explorer) and was not easily disabled.

Stay tuned for more installments in the Infosec year in review.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.