Reflection – Crafted emoji cause WeChat application (for Android) service crash.

Preface: When mobile computing born, cyber attack (botnet attack) and data leakage rapidly growth. Do you think this is the destiny.

Observation: A proof of concept shown that a technical limitation occurs on TenCent WeChat 7.0.4 (android version). When a stranger send a craft emoji to WeChat user. The WeChat application will be crashed once open the emoji file. The security expert found the following reason:

vcodec2_hls_filter in in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service

Refer to attached diagram, the 1st phase of attack should get the IMEI. Perhaps the specify attack has per-requisite. So it let the people feeling that it is only an idea and therefore may not pay attention in high pioritty. But it is an alert signal to WeChat users. Why? Wechat’s plug-ins are encapsulated in jar files and so files in the / assets / preload directory (see attached diagram). Security expert found technical limitation on vcodec2_hls_filter in From technical point of view , attacker can be develop attack technique ride on this issue. Stay tuned.


Rampant cyber attacks – Is the healthcare industry suitable for using open source software?

Preface: In our world that is more and more vulnerable to hackers or data breaches.

Strategy Challenge: According to data privacy, security matters when choosing new software system today. Can we choose open source software deploy in medical or healthcare areas? If it is possible to use, which is Better for Open Source software?

Healthcare Cybersecurity Trends – 2019 – The National Association of County and City Health Officials say that healthcare breaches can cost up to $400 a patient. Apart of different country laws and regulations governance. A major reform in the European data protection framework establish GDPR. The GDPR introduces an obligation on data controllers to report breaches of patients’ health records to the data protection authority within 72 hours from becoming aware of the incident. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The maximum administrative fine contemplated by the GDPR is of 20 million (Euro). Or 4% of a company’s annual revenue. As the above regulations and penalties are mandatory. Whereby , for the data governance prospective. The related industry define a road map. The concept of idea shown as below:

Can I use open source software for healthcare operations?

Quote: Absolutely. All Open Source software can be used for commercial purpose; the Open Source Definition guarantees this. You can even sell Open Source software. However, note that commercial is not the same as proprietary. said

How about the vulnerability management? As a matter of fact, it is rare for healthcare industry make use of open source software directly. In some circumstances, 3rd party vendor will do a customization on their solution thus integrate the business function to open source software. Below example can provide the details.

OpenEMR is the most popular open source electronic health records and medical practice management solution. OpenEMR is an ONC Certified HIT 2014 Edition Complete EHR product. Although it is the open source software, but it is a computer products and it is hard to avoid vulnerability occurs. The vulnerabilities occurs in two different function (see below). Hacker can be exploit these vulnerabilities by SQL injection. Since this is a SQL injection and therefore it might involves data privacy. Follow up the response from vendor side. Found that the corrective action take place and do the remediation. Perhaps the rating of the response time not easy to judge because of Common Vulnerabilities and Exposures reporting criteria and procedure. However these limitation not limit to open source software vendor. Even though the vulnerability management do not have major difference. OpenEMR issue the remedy posted on Aug 2018.

OpenEMR has released software updates at the following link: OpenEMR 5.0.1 Patch 7

The moment of truth: A decade before , If you interview with enterprise firm CTO, are they willing to use open source software. We will receive a standard answer. It is not possible! But may be we are not aware. The open source software living with us for long time actually. PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

Summary: As a matter of fact, the cyber attack not merely based on a single element or component. In order to avoid the attack, even though you are not using open source software. You should have to enhance the detective and preventive control. Therefore if you would like to deploy the healthcare application system with opensource software. You have to fulfill below requirements.

Software and Patch Management
Log Management
Network Segmentation
Block Suspicious Activity
Credential Management
Establish a Baseline for Host and Network Activity
Organization-Wide IT Guidance and Policies

End of document.

Siemens security advisory – Multiple Vulnerabilities in SIMATIC WinCC, SIMATIC WinCC Runtime,SIMATIC PCS7,SIMATIC TIA Portal (May 2019)

Preface: DCOM is a proprietary Microsoft technology for communication between software components on networked computers.

Technical background: High-Level applications use the DCOM client to obtain object references and make ORPC calls on the object. The DCOM client uses the RPC Protocol Extensions to communicate with the object server.

Vulnerability details: An authenticated attacker with network access to the DCOM interface could execute arbitrary commands with SYSTEM privileges. The vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires authentication with a low-privileged user account and no user interaction. Do you heard Windows Net-NTLMv2 Reflection DCOM/RPC attack technique? The key element is CLSID string. With the CLSID of each DCOM application, the script attempts to activate each one to check if there is a MemberType Property or Method that indicates a possibility to execute code. So…..

Official announcement –

RSA security advisory: CVE-2019-3724 & CVe-2019-3725 – 9th May 2019

Preface: Gartner Reports give people direction, but sometime as a customer, you can select your appropriate product on your decision. For instance cyber security product

Technical background: SIEM software products provides real-time analysis of security alerts generated by applications and network hardware. Netwitness can investigate data capture and display the real scenario on screen.It is very important in IT world nowadays.

Synopsis: RSA security product pioneer go to the market more than decade. From 2011 acquire Netwitness and conduct a product integration. It was today naming convention security analytic. It contains SIEM, real time network activities data capture (Big data) and malware analysis (ECAT). From technical point of view, the GUI (Dashboard) and web access technology looks did not have any security enhancement.

Vulnerability details: Netwitness Platform versions prior to and RSA Security Analytics versions prior to are vulnerable to an Authorization Bypass vulnerability and command injection vulnerability. For more details please refer to the link below:

CVE-2019-12098 – Heimdal design limitation causes man-in-the-middle attack Vulnerability – 20th May 2019

Preface: Before Kerberos, Microsoft used an authentication technology called NTLM.

Technical background: The biggest difference between the two systems is the third-party verification and stronger encryption capability in Kerberos. Kerberos version 4 was targeted at Project Athena in 80s. Neuman and Kohl published version 5 in 1993 to improve the limitations and enhance the security.
Heimdal is an implementation of Kerberos 5 and large footprint in Sweden.

Specifies the Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol. This protocol enables the use of public key cryptography in the initial authentication exchange of the Kerberos Protocol (PKINIT) and specifies the Windows implementation of PKINIT where it differs from [RFC4556].

Vulnerability Details:
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange when anonymous PKINIT is used. Failure to do so can permit an active attacker to conduct MITM.

Comment: This vulnerability not only happen in Heimdal open source product. Believe that it will have more vendor report similar problem afterwards. Heimdal has released updates via following link:

New order in the Asia-Pacific region – Cyber security Law 2019

China Cracks Down on Foreign Firms Over Cyber Security, FT Says – two foreign companies that deal with consumer data in China had been under official investigation for several months.For details about the News, please refer below link:


Synopsis: Information technology personnel are familiar with MPLS. But do they understand China’s MLPS (multi-level protection scheme)?

Background: Since the launch of the legislative process of China’s Cyber Security Law in 2015, the National Information Security Standardization Technical Committee (TC260) has issued nearly 300 standards for network security. Based on 8 factors that have the most important influence on the industry. Whereby implement new order.

  1. Network security review of network products and services – 是网络产品和服务的网络安全审查
  2. Certification and evaluation of network key equipment and network security special products – 是网络密钥设备和网络安全专用产品的认证和评估
  3. Safe and controllable products and services – 是安全和可控的产品及服务。
  4. Multi-level protection scheme (MLPS) – 是多层次的保护方案(MLPS)
  5. Critical information infrastructure (CII) network security protection – 是关键信息基础设施(CII)网络安全保护。
  6. Cross-border data transfer – 是跨境数据转移
  7. Personal data and data protection – 是个人数据和数据保护
  8. Is encrypted data – 是加密数据

Security Focus – VMware (May 2019)

Preface: Intel flaw let VMware become victim (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) ! VMware Workstation update addresses a DLL-hijacking issue (CVE-2019-5526) looks not a news?

VMware Vulnerability details:

VMware Workstation update addresses a DLL-hijacking issue (CVE-2019-5526) –

VMware product updates enable Hypervisor-Specific Mitigations, Hypervisor-Assisted Guest Mitigations, and Operating System-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)

Technical background: To improve the performance of writing data back to Intel CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. But a design limitation occurs which allows unauthorized users to access data used by other programs, containers, and virtual machines. So called Zombieload. ZombieLoad Attack affects all Intel CPUs since 2011.

VMware Security Advisories –

Do not contempt “CVE-2019-0708” (Remote Desktop Services Remote Code Execution) Vulnerability – 14th May 2019

Preface: Heard that Microsoft is trying to head off another WannaCry-style malware outbreak before it starts.

Technical background: Remote Desktop Protocol is based on, and is an extension of, the T-120 family of protocol standards.

Vulnerability details: A vulnerability in the Remote Desktop Services component of Microsoft Windows could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

Current status: The POC details open to cyber world. The source code let people know the design weakness of RDP. For instance, the buffer of TPKT (ver 3,5,8) , ITU-T Rec X.224 & MULTIPOINT-COMMUNICATION-SERVICE T.125. The overall feedback in commercial IT world is that they are not vulnerable because they do not have Win 2008, Win 7 and XP. It is right. But the attack vector is not a commercial area, and its targets are medical systems, SCAD control, power facilities and the oil industry. So this let Microsoft headache this time.

Remediation via following link:

Cisco follow up vulnerability item: Cisco Secure Boot Hardware Tampering Vulnerability (May 2019)

Preface: If you could talk to God. And ask in the world who can be trust? He will reply……

About technology risk for the FPGA:
How to trusting an external party with maintaining keys that protect the FPGA configuration?
A common practice till now is that it is a distinction between trust in operational processes and trust in functionality. In particular, we assume that the FPGA manufacturer is trustworthy at the time the device is created and provisioned. But the exception is that if the one of the element may become untrusthworty or manipulate by criminals. The original functionality of the FPGA as initially provisioned contains backdoors or other malicious components. Apart from that any long term keys maintained by the manufacturer might have risk.

Cisco findings and recommendation: A vulnerability in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality.

Remediation: For more information, please see the link below:

With great power comes great responsibility.

If I am true – WhatsApp vulnerability ( CVE-2019-3568) – May 2019

Preface: I do not care about this vulnerability since social media communication not secure by far. This is not the news.

Headline news: Facebook Releases Security Advisory for WhatsApp. A remote attacker could exploit this vulnerability to take control of an affected device. For more details, please refer following url –

About vulnerability background Quote: Whatsapp, and messenger both of which uses STUN protocols to establish video call connectivities.

Doubt – The WebRTC Vulnerability
The fundamental vulnerability with WebRTC is that your true IP address can be exposed via STUN requests with Firefox, Chrome, Opera and Safari browsers, even when you are using a VPN.
Besides, STUN requests are made outside of the normal XMLHttpRequest.This makes these types of requests available for online tracking if threat actors sets up a STUN server with a wildcard domain.

Does VPN avoid WebRTC leaks?
WebRTC vulnerability on your browser, rather than relying solely on a VPN for protection.

Objective: As a matter of fact, the specify spyware is custom made for law enforcement. So, I believe that not easy to know the truth. Perhaps above hits will let you have more imaginations.