HP Security Research Blog
The HP Security Research blog provides a platform for security experts from across HP to discuss innovative research, industry observations, and updates on the threat landscape to help organizations proactively identify and manage risk.

Patch analysis of latest Microsoft Office vulnerability (CVE-2014-1761)

I wrote about a Microsoft Word vulnerability, which was at that point a zero day, a few weeks ago. Microsoft released the update for this vulnerability with their April 2014 Patch Tuesday. There is some confusion in the industry about the nature of this vulnerability, so I analyzed the patch -- in the process, confirming my previous findings. This blog discusses my results, along with some additional interesting findings related to previous security updates of the RTF parser in Microsoft Office.

HP Security Research OSINT (OpenSource Intelligence) articles of interest--April 14, 2014

Welcome to the April 14th edition of the HP Security Research OSINT News Feed—a list of publicly available articles that we find interesting in today’s security news.

Labels: HP| security

Heartbleed causes heartache

The latest and scariest news in security is the “Heartbleed” bug. This evocative name comes from the fact that there is a buffer overread flaw in the implementation of the “heartbeat” extension to TLS that leaks information, potentially including usernames, passwords, secret keys and other communications. This serious flaw has been present in OpenSSL, a very popular open source implementation of the protocol used to secure the internet, for years.

Tags: OpenSSL

Advanced Persistent Threats and the rise of the app stores

For malware writers, the old days on the Internet were a volume business – infect as many computers as possible. Defenders responded with blacklisting. But modern Advanced Persistent Threat (APT) attacks are precisely tested and targeted. Will whitelisting – in the form of app stores – save us? And what will we lose if they do?

Technical Analysis of CVE-2014-1761 RTF Vulnerability

Recently, Microsoft announced that an RTF sample exploiting CVE-2014-1761 is in the wild. The sample has just become publicly known. I spent some time analyzing the vulnerability and this blog describes what I found. The sample I analyzed has a SHA1 value of 200f7930de8d44fc2b00516f79033408ca39d610. The main module that was used in my analysis is wwlib.dll with file version of 14.0.7113.5001 used in Microsoft Office 2010.

HP Security Research OSINT (OpenSource Intelligence) articles of interest--April 4, 2014

It's time for the April 4th edition of the HP Security Research OSINT News Feed—a list of publicly available articles that we find interesting in today’s security news.

Labels: HP| security

HP Security Research Threat Intelligence Briefing episode 12 - The evolution of credit card crime

The recent Target attack reminds us that we are not safe in this world from credit card criminals. If you look at the last 10 years or so, you can see that the Target attack is actually nothing new. The trend for attacking card processing networks and POS machines has been occurring since the mid-2000s.

Four legs good: Recent advances in secure password generation

New research approaches to password generation utilize common household pets for more effective random string generation at minimal cost.

Tags: April Fools

HPSR Software Security Content - 2014 Update 1

HP Security Research and the Software Security Research group are pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2014.1.0), HP ArcSight Application View, HP Fortify Runtime Application Protection, and Premium Content.

HP Security Research OSINT (OpenSource Intelligence) articles of interest--March 28, 2014

Welcome to the March 28th edition of the HP Security Research OSINT News Feed—a list of publicly available articles that we find interesting in today’s security news.

Labels: HP| HPSR| security

Reverse engineering NAND Flash for fun and profit

A few weeks ago, I had the chance to reverse-engineer a hardware device we bought from eBay. The purpose of our investigation was to penetration-test the device, but I had no idea how to approach it. I was locked out of the machine by a password and even the seller didn’t know what it was (I assumed the seller was just a sort of liquidation company). However, the machine was so cheap that we couldn’t complain about the deal – password or not. So to penetration-test this machine, we knew there’d have to be some level of hardware reverse engineering.

HP TippingPoint DVLabs – Zero-Day Filter Protection for the Win!

SPOILER ALERT!!  Highlight the text below for spoiler:

 

One of HP TippingPoint's already shipping vulnerability filters fully covered a brand new exploit at the recent Pwn2Own contest!  Check out the post for more details!

Let’s see how protected you think you are.

Every day, thousands of malware files are sifted through automated systems built and deployed by AV companies. Some of these files, which cannot be processed automatically, are flagged and must be examined by a researcher. However, some just never get signed in time. Consider the following…

Pwn2Own 2014: A recap

Two record-setting days of payouts for zero-day vulnerabilities brought the 2014 Pwn2Own contest tantalizingly close to our first million-dollar competition, with $850,000 paid to eight entrants.

The world outside the room: Hackers, Pwn2Own, and charity

When ZDI pays big money for vulnerabilities and then hands them over to affected vendors for free, we’re making an investment in getting problems contained and fixed. What could be better than spreading the wealth to other organizations that do the same?

Pwn2Own results for Thursday (Day Two)

The second and final day of Pwn2Own 2014 saw successful attempts by seven entrants against five products, with $450,000 paid to researchers. This brings the two-day payout total to $850,000, not including charitable donations or the value of the laptops, ZDI points, and other prizes given to winning researchers.

Pwn2Own results for Wednesday (Day One)

The first day of Pwn2Own 2014 saw successful attempts by five entrants against five products, with payouts of $400,000 to researchers in the main competition and $82,500 to charity in the Pwn4Fun sponsors-only event.

Pwn2Own 2014: The lineup

The competition order for the 2014 Pwn2Own competition was assigned by random drawing in the Pwn2Own room on Wednesday morning. This year found eight contestants targeting six out of seven products in the competition, with some handling multiple challenges – thirteen competitions in all.

HP TippingPoint DV Labs and ZDI Collaborate at Pwn2Own 2014!

Wondering how ZDI and DV Labs collaborate on security research and customer protection?  Here's a sneak peek at the upcoming Pwn2Own contest and how we work with our stellar ZDI team to provide unrivaled protection against zero day vulnerabilities!

Remote code execution and XML Entity Expansion injection vulnerabilities in the Restlet framework

Restlet is a lightweight Java framework for building RESTful APIs. It comes in different flavors (Java SE, Java EE, Android, Google Web Toolkit and Google App Engine) and is composed of a core API and different extensions that provide additional functionality.

 

While adding support for the Restlet API to HP Fortify SCA, the Software Security Research group discovered that the XStream extension prior to 2.2 RC3 is susceptible to Remote Code Execution (RCE) via unsafe deserialization of XML messages. Also, versions prior to 2.1.7 and 2.2 RC1 contain APIs susceptible to XML Entity Expansion (XEE) injection, including the default extension to handle XML messages (JAXB).

Process Introspection with Python

Triggering vulnerabilities and design flaws found through static analysis and research is a difficult process, and it can get complicated when the vulnerability lies in a less-accessible part of the code. We’ve developed a Python-based technique for effective, fairly quick prototyping and testing of such vulnerabilities.    

Avoiding collisions: How we’ll handle (potential) duplications between Pwn2Own and Pwn4Fun

This year we introduced Pwn4Fun to give Google and ZDI the opportunity to give money to charity. 

Tags: pwn2own| pwn4fun

Botnet Hunting with ZMap - Continuing the Hunt!

This is a follow up to our earlier article on mapping the entire available IPv4 address space for Zero Access trojan infections using ZMap and custom written probes.  See how the landscape for ZA has changed in just a couple months, and some of the possible driving forces around the changes.

HP Labs and HP TippingPoint collaborate to reveal previously undetected network attacks

HP Labs and HP TippingPoint announce a major enhancement to the RepDv service.

Labels: HP| security

Pwning for the lulz…and for charity

So ZDI can’t enter the pwn2own contest and neither can Google – we’re co-sponsors. However, nothing says we can’t get together early and have fun. Announcing Pwn4Fun, a sponsors-only event putting huge amounts of money on the line for charity.

Pwn2Own, Patch Tuesday, and the thrill of the unexpected

The Patch Tuesday tradition established by Microsoft and other software vendors has done a great deal to standardize security-updating practices across the industry. We celebrate that – even when it may well cause some uproar for our Pwn2Own competition.

Tags: pwn2own| ZDI

The Value of Low Priority Issues

The big news at the beginning of this week, just as we were all heading to the RSA conference, was a bug in the Apple implementation of SSL/TLS. I’ve been asked a few times whether HP Fortify SCA finds this issue – and it does. The interesting thing is how we identify it.

HP Grants $250,000 to Scholarship for Women Studying IT Security

HP announced that it will grant $250,000 to the Scholarship for Women Studying Information Security (SWSIS) program, and will work closely with academic institutions worldwide to develop course content to help students learn the fundamentals of IT security.

Labels: HP| security
About the Author(s)
  • Twitter: @ohjeongwook
  • Steve Povolny manages the Digital Vaccine team at HP TippingPoint. The team is composed of security researchers and filter/signature developers for the Intrusion Prevention System.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation