Category Archives: Potential Risk of CVE

Staying alert! – Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR (3rd Apr 2020)

Preface: According to 2020 market statistics, Firefox's market share is only 9.25%, while Chrome has 68.11% coverage. However, I like Firefox.

How does Firefox's memory allocator work?

Firefox uses a memory allocator called mozjemalloc. There are two properties that cyber security experts have focused on so far:

– In essence, a chunk is broken into several runs. [PSJ]

– Each run holds regions of a specific size. [TSOF]

– jemalloc operates in a last-in-first-out (LIFO) manner: a free, followed by a garbage collection and a subsequent allocation request for the same size, most likely ends up in the freed region.

Vulnerability details: CVE-2020-6819 is a use-after-free vulnerability due to a race condition when the nsDocShell destructor is running. CVE-2020-6820 is a use-after-free vulnerability due to a race condition in the ReadableStream class, which is used to read a stream of data.
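To make the LIFO property concrete, here is a toy model of a jemalloc-style allocator written for this post (it is an added illustration, not mozjemalloc's own code). A chunk is carved into runs, each run holds regions of one size class, freed regions are pushed on a per-run stack, and the next request for the same size pops the most recently freed region. The 0xe5 poison value mirrors what mozjemalloc writes over freed memory; the chunk address, size classes and run layout are constructed for the demo.

```python
"""
Toy model of the jemalloc behaviour described above (added example, not
mozjemalloc's code). Chunk -> runs -> equal-size regions, with freed regions
recycled last-in-first-out. Addresses and size classes are constructed.
"""

POISON = 0xE5               # mozjemalloc fills freed memory with 0xe5; the toy does too
SIZE_CLASSES = (16, 32, 64, 128)
REGIONS_PER_RUN = 8


class Run:
    """One run: a contiguous block split into equal-size regions."""

    def __init__(self, base, size_class):
        self.base = base
        self.size_class = size_class
        self.end = base + size_class * REGIONS_PER_RUN
        self.memory = bytearray(size_class * REGIONS_PER_RUN)
        # free regions kept as a stack; lowest address is on top initially
        self.free_stack = [base + i * size_class
                           for i in reversed(range(REGIONS_PER_RUN))]


class ToyJemalloc:
    def __init__(self):
        self.runs = []
        base = 0x10000                      # constructed chunk address
        for sc in SIZE_CLASSES:
            self.runs.append(Run(base, sc))
            base += sc * REGIONS_PER_RUN
        self.live = {}                      # address -> Run for allocated regions

    def _run_for_size(self, n):
        for run in self.runs:
            if n <= run.size_class:
                return run
        raise ValueError("toy only models small size classes")

    def _run_for_addr(self, addr):
        return next(r for r in self.runs if r.base <= addr < r.end)

    def malloc(self, n):
        run = self._run_for_size(n)
        if not run.free_stack:
            raise MemoryError("run exhausted")
        addr = run.free_stack.pop()         # LIFO: most recently freed region first
        self.live[addr] = run
        return addr

    def free(self, addr):
        run = self.live.pop(addr)           # KeyError on a double free
        off = addr - run.base
        run.memory[off:off + run.size_class] = bytes([POISON]) * run.size_class
        run.free_stack.append(addr)         # poisoned region goes on top of the stack

    def write(self, addr, data):
        run = self.live[addr]               # KeyError: refuses writes through a stale pointer
        off = addr - run.base
        run.memory[off:off + len(data)] = data

    def read(self, addr, n):
        """Reads are allowed on freed regions so the poison pattern can be observed."""
        run = self._run_for_addr(addr)
        off = addr - run.base
        return bytes(run.memory[off:off + n])


def lifo_reuse_demo():
    """Free, then allocate the same size: the new object lands in the old region."""
    heap = ToyJemalloc()
    p = heap.malloc(30)                     # served from the 32-byte run
    heap.write(p, b"object A")
    heap.free(p)
    stale = heap.read(p, 4)                 # a dangling pointer now sees e5 e5 e5 e5
    q = heap.malloc(32)                     # same size class right after the free
    r = heap.malloc(60)                     # different size class: another run
    return {"same_region": p == q, "stale_bytes": stale, "other_run": r != p}
```

The demo shows why a use-after-free such as the two CVEs above is serious: the object that replaces the freed one is the very next same-size allocation, so a stale pointer silently aliases new data. The poison pattern is what makes such bugs visible in crash reports (addresses full of e5) before an attacker-controlled object takes the slot.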

Official announcement – https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/

Why does US Homeland Security urge the public to stay alert to the vulnerability in DrayTek devices? 3rd April 2020

Preface: A conspiracy was leaked this week: someone ambitious is spying on the world.

Details: Today, espionage activities exploit computer technology as their first approach, and they rely on design weaknesses, that is, on vulnerabilities. When I read the conspiracy details, I wondered whether the goal of this design (see attached diagram) is to carry out a DDoS. Perhaps this is not a perfect way. However, US Homeland Security is urging US citizens to stay alert to the vulnerability found in DrayTek devices. As everyone knows, today's Tor network cannot perfectly hide the whereabouts of hackers, because law enforcement has already shut down proxy servers on the network. Besides, attackers also worry whether a proxy server has a monitoring function. From the attacker's point of view, they want to hide themselves perfectly. Referring to the attached diagram, the new formulation of botnet technique would exploit the newly found IoT vulnerability as a component; it looks like a plug-in module.

There are two types of operating system that sit under the SDK. Low-cost, lower-specification routers use an RTOS. Since a low-end router cannot fulfil the attackers' requirements, perhaps the VPN router is the more likely target: compromised VPN routers formed into a botnet could compensate for the current resource shortage in the Tor network.

Immediate action: Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. If you are a DrayTek customer, please upgrade immediately. https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)

If you are using the Adobe Creative Cloud Desktop Application for Windows, you should update immediately. 24th Mar 2020

Preface: Maybe the software vendor didn't disclose it explicitly, but you will be interested in reviewing this concept.

Background: Adobe Creative Cloud is a set of applications and services from Adobe Inc. that gives subscribers access to a collection of software used for graphic design, video editing, web development and photography, along with a set of mobile applications and some optional cloud services. The Creative Cloud desktop application is installed automatically when you download your first Creative Cloud product. If you have Adobe Application Manager installed, it auto-updates to the Creative Cloud desktop application.

Vulnerability Details: Creative Cloud Desktop Application versions 4.6.1 and earlier are affected by a "using components with known vulnerabilities" weakness. Successful exploitation could lead to arbitrary code execution. As the software vendor did not disclose details, the vulnerability is suspected to come from the synchronization feature. See whether the diagram provides a hint to you.

Official Announcement https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html

Microsoft Windows Type 1 font parsing remote code execution vulnerabilities – 23rd Mar 2020

Preface: To make our life easy, just rename or disable it.

Background: Type 1 is a font format which came to market around 1984, together with PostScript and the Apple LaserWriter. Perhaps ATMFD.DLL was first built into Windows 2000. Through observation, this vulnerability was caught by Google Project Zero in 2015. Over time, maybe someone has forgotten this. Therefore, the direct method is to disable it.

Impact: Stacks in computing architectures are regions of memory where data is added or removed in a last-in-first-out (LIFO) manner. In most modern computer systems, each thread has a reserved region of memory referred to as its stack. A specially crafted font is capable of operating on any data on the thread stack, because the Type 1 / Type 2 Charstring instruction set has all the instructions it needs (including arithmetic, logic, conditional and other instructions).

Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Or, quick and dirty: right-click C:\Windows\System32\atmfd.dll, then Properties | Security | Advanced | Owner, and take ownership. Close the dialogs, go back in and give yourself Full Control.

Centreon – Remote code execution can be configured via Poller (18th Mar 2020)

Preface: Centreon Engine allows you to schedule periods of planned downtime for the hosts and services that you're monitoring. So if a design weakness occurs in this place, it provides an attacker with a way to exploit it.

Background: Centreon is an open source IT monitoring solution by Centreon. It is easy to install and can be deployed within minutes.

Vulnerability details: An authenticated user with sufficient administrative rights to manage pollers can use this functionality to execute arbitrary commands remotely. Usually, the miscellaneous commands are used by additional modules (to perform certain actions), by the scheduler for data processing, etc. At the same time, this provides a path for an attacker to exploit. Official announcement: no status update yet, but you can find the updated release notes here – https://documentation-fr.centreon.com/docs/centreon/en/latest/release_notes/index.html

Perhaps vulnerabilities happen frequently in open source. But I support open source personally.

Security Focus – CVE-2020-326 – So-called new wine in old bottles (18th Mar 2020)

Preface: Cisco SD-WAN Solution Privilege Escalation Vulnerability. It sounds dangerous, but it can only be conducted internally. If someone can make it happen, it can elevate privileges to root on the underlying operating system.

Details: Perhaps Cisco fans still remember that a vulnerability was encountered in SD-WAN in June 2019. I presume there may be similarities to this matter. The official announcement said that an attacker could exploit this vulnerability by sending a crafted request to an affected system, and that a successful exploit could allow the attacker to gain root-level privileges. The details of what happened in June 2019 are shown below:

Cisco official announcement – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwpresc-ySJGvE9

Other than that, perhaps you will be interested in other vulnerabilities found in SD-WAN:

Buffer overflow – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwanbo-QKcABnS2

Command Injection – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwclici-cvrQpH9v

Security Focus – Local privilege escalation vulnerability in Cortado ThinPrint (CVE-2020-3948) – 12th Mar 2020

Preface: ThinPrint technology offloads the print burden from all virtual and physical desktops and keeps all client hardware free of printer drivers.

Background: VMware Workstation is a type 2 hypervisor. Type 2 hypervisors are essentially treated as applications because they install on top of the host's OS. If the host gets cracked, the hypervisor gets cracked. If the hypervisor gets cracked, whether a hacker can go further depends on whether the host has a vulnerability to use. From a technical point of view, it is difficult, but it may be possible.

Vulnerability details: Linux guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado ThinPrint. Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM. For the details of the attack, please refer to the diagram.

Official announcement https://www.vmware.com/security/advisories/VMSA-2020-0004.html

When we received the SMBv3 failure message from Microsoft on March 11, 2020, Citrix had actually already hinted at it to its customers in early September last year.

Preface: Microsoft has released a security advisory to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3) on 11th Mar 2020.

Vulnerability details: A remote attacker can exploit this vulnerability (CVE-2020-0796) to take control of an affected system. A "potentially wormable" vulnerability exists in SMBv3, specifically in its compression. Citrix had already hinted that SMB3 has a design limitation (see below):

CIFS compression—CIFS connections are compressed automatically whenever they meet the requirements for CIFS protocol acceleration. In addition, SMB3 connections are compressed when unsigned and unsealed.

Why is it dangerous? SMB signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient to confirm their point of origin and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering with packets and "man in the middle" attacks.
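To show what packet-level signing buys you, here is a small model of SMB2-style message signing, written for this post (an added example, not Microsoft's or Citrix's code). It follows the SMB2 layout where the 16-byte Signature field sits at byte 48 of the 64-byte header and is zeroed before the MAC is computed; the session key, command and payload are constructed for the demo. SMB 2.x uses HMAC-SHA256 truncated to 16 bytes as modelled here; SMB 3.x replaces it with AES-CMAC, but the verify-before-trust structure is the same.

```python
import hmac
import hashlib
import struct

SIG_OFFSET = 48   # SMB2 header: Signature field occupies bytes 48..63
SIG_LEN = 16
SMB2_FLAGS_SIGNED = 0x00000008


def build_header(command: int, message_id: int, flags: int) -> bytes:
    """Constructed SMB2-like 64-byte header; only the fields used here are filled."""
    hdr = bytearray(64)
    hdr[0:4] = b"\xfeSMB"                      # ProtocolId
    struct.pack_into("<H", hdr, 4, 64)         # StructureSize
    struct.pack_into("<H", hdr, 12, command)   # Command
    struct.pack_into("<I", hdr, 16, flags)     # Flags
    struct.pack_into("<Q", hdr, 24, message_id)
    return bytes(hdr)


def _zero_signature(message: bytes) -> bytes:
    return message[:SIG_OFFSET] + b"\x00" * SIG_LEN + message[SIG_OFFSET + SIG_LEN:]


def sign_message(session_key: bytes, message: bytes) -> bytes:
    """Return the message with its Signature field filled (HMAC-SHA256, first 16 bytes)."""
    if len(message) < SIG_OFFSET + SIG_LEN:
        raise ValueError("message too short for an SMB2 header")
    zeroed = _zero_signature(message)
    mac = hmac.new(session_key, zeroed, hashlib.sha256).digest()[:SIG_LEN]
    return zeroed[:SIG_OFFSET] + mac + zeroed[SIG_OFFSET + SIG_LEN:]


def verify_message(session_key: bytes, message: bytes) -> bool:
    """Recipient side: recompute the MAC over the zeroed message and compare in constant time."""
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    expected = sign_message(session_key, message)[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, expected)


def is_flagged_signed(message: bytes) -> bool:
    (flags,) = struct.unpack_from("<I", message, 16)
    return bool(flags & SMB2_FLAGS_SIGNED)


def tamper_demo():
    """Sign a WRITE-like message, then flip one payload byte as an on-path attacker would."""
    key = b"constructed-session-key-32-bytes"   # placeholder; real keys come from session setup
    body = b"\x31\x00" + b"A" * 30               # constructed payload
    msg = sign_message(key, build_header(0x0009, 7, SMB2_FLAGS_SIGNED) + body)
    genuine_ok = verify_message(key, msg)
    tampered = msg[:70] + bytes([msg[70] ^ 0xFF]) + msg[71:]
    tampered_ok = verify_message(key, tampered)
    wrong_key_ok = verify_message(b"some-other-key", msg)
    return {"genuine": genuine_ok, "tampered": tampered_ok, "wrong_key": wrong_key_ok}
```

The point relative to the Citrix note above: a middlebox can only compress (and therefore rewrite) SMB3 traffic that is unsigned and unsealed, because any modification of a signed message fails this check on the receiving side. Enforcing signing removes that class of rewrite, at the cost of the acceleration feature.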

Remedy solution by Microsoft – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

Should Intel CSME, as stated in the headline, not be solved easily? If the statement is correct, how can we avoid it? Mar 2020

Background: CVE-2019-0090 states that an insufficient access control vulnerability in a subsystem of Intel(R) CSME before version 12.0.35 and Intel(R) SPS before version SPS_E3_05.00.04.027.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. On 5th Mar 2020, a cyber security firm reported the following findings: Intel CSME firmware in the boot ROM first initializes the page directory and starts page translation. The IOMMU activates only later. Therefore, there is a period when SRAM is susceptible to external DMA writes (DMA to CSME, not to the processor's main memory), while initialized page tables for Intel CSME are already in the SRAM.

Impact: A nonlinear write can bypass the stack protector!

Remedy: When the stack protector canary is XORed with the return address, bypassing the stack protector with a nonlinear write becomes difficult.
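The remedy is easier to see with a toy model of the protected tail of a stack frame (canary, then return address). This is an added illustration written for this post, not Intel's firmware or any real compiler's stack protector; the guard value and addresses are constructed. A linear overflow must pass through the canary slot to reach the return address, so both schemes catch it; a nonlinear write that lands only on the return address leaves a plain canary intact, but a canary tied to the return address no longer matches.

```python
class Frame:
    """Model of one frame's protected tail: a canary slot followed by the return address."""

    def __init__(self, secret: int, ret: int, xor_with_ret: bool):
        self.xor_with_ret = xor_with_ret
        self.ret = ret
        # plain scheme stores the per-process secret; XOR scheme binds it to the return address
        self.canary = (secret ^ ret) if xor_with_ret else secret


def epilogue_check(frame: Frame, secret: int) -> bool:
    """What the epilogue does before returning: recompute the guard and compare."""
    expected = (secret ^ frame.ret) if frame.xor_with_ret else secret
    return frame.canary == expected


def nonlinear_write(frame: Frame, new_ret: int) -> None:
    """A write that lands directly on the return address, skipping the canary slot."""
    frame.ret = new_ret


def linear_overflow(frame: Frame, new_ret: int) -> None:
    """A sequential overflow: the canary slot is clobbered on the way to the return address."""
    frame.canary = 0x4141414141414141
    frame.ret = new_ret


def compare_schemes():
    """For each scheme, report whether the epilogue check is fooled (True = bypassed)."""
    secret = 0x2F8C13A9D4E6B7C1          # constructed per-process guard value
    results = {}
    for scheme in ("plain", "xor"):
        xor = scheme == "xor"
        f = Frame(secret, ret=0x400100, xor_with_ret=xor)
        nonlinear_write(f, 0xDEADBEEF)
        g = Frame(secret, ret=0x400100, xor_with_ret=xor)
        linear_overflow(g, 0xDEADBEEF)
        results[scheme] = {
            "nonlinear_bypasses": epilogue_check(f, secret),
            "linear_bypasses": epilogue_check(g, secret),
        }
    return results


if __name__ == "__main__":
    for scheme, outcome in compare_schemes().items():
        print(scheme, outcome)
```

The XOR scheme does not make the secret harder to read; it makes the guard depend on the value the attacker wants to change, so any edit of the return address invalidates the guard unless the secret is also known. That is why the remedy above only makes the bypass "difficult" rather than impossible.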

Current status: Please apply the patch even though it is not perfect – https://www.intel.com.au/content/www/au/en/support/articles/000025694/processors/intel-core-processors.html

Let's review CVE-2019-11043, it is still valid today! (8th Mar, 2020)

Preface: Let's review CVE-2019-11043, it is still valid today!
An underflow vulnerability exists in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx.

Background: Too many people have criticized the performance of Apache Server, and therefore web application developers sometimes decide to turn their architecture focus to an event-driven server. An event-driven server typically has a single thread which manages all connections to the server. The thread uses the select() system call to wait simultaneously for events on these connections. As such, event-driven architecture greatly increases the volume and speed of connection services.
NGINX uses an event-driven architecture with nonblocking I/O. The design concept is to wait for events on the listen and connection sockets.

Nginx itself is just a simple HTTP server. If you need to run programs, you have to use CGI; a common setup is Nginx + PHP-FPM. But a drawback of CGI is that each page load incurs overhead by having to load the program into memory. Scripts that process remote user input, such as the contents of a form or a "searchable index" command, may be vulnerable to attacks in which the remote user tricks them into executing commands.

Impact: An attacker can exploit an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers with certain Nginx PHP-FPM configurations are exploitable. So, be alert!
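Since only certain configurations are exploitable, a practitioner's first question is how to recognise them. The configuration that the CVE-2019-11043 disclosure concerned is the common nginx pattern that uses fastcgi_split_path_info with a regex of the form ^(.+?\.php)(/.*)$ and passes $fastcgi_path_info to PHP-FPM as PATH_INFO, without first checking that the script file exists; the recommended hardening is a try_files $fastcgi_script_name =404; line (or an equivalent if (!-f ...) test) in that location block. The checker below is an added example written for this post, not a PHP or nginx project tool; the two configuration snippets are constructed samples, and the block parser assumes flat (non-nested) location blocks.

```python
import re

# Constructed sample: the risky pattern (split_path_info + PATH_INFO, no file check).
VULNERABLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    include fastcgi_params;
}
"""

# Constructed sample: same block with the recommended existence check added.
HARDENED_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    include fastcgi_params;
}
"""

# Assumption: location blocks are flat, so a block ends at the first "}" on its own line.
LOCATION_BLOCK = re.compile(r"(location[^{]*)\{(.*?)\n\}", re.DOTALL)


def is_risky_block(body: str) -> bool:
    """True when the block splits PATH_INFO for .php scripts but never checks the file exists."""
    splits_php_path = "fastcgi_split_path_info" in body and r"\.php" in body
    sets_path_info = re.search(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info", body) is not None
    checks_file = ("try_files" in body) or re.search(r"if\s*\(\s*!-f", body) is not None
    return splits_php_path and sets_path_info and not checks_file


def risky_locations(conf: str):
    """Return the location headers of every block in an nginx config that matches the risky pattern."""
    return [header.strip() for header, body in LOCATION_BLOCK.findall(conf) if is_risky_block(body)]


if __name__ == "__main__":
    print("vulnerable sample:", risky_locations(VULNERABLE_CONF))
    print("hardened sample:  ", risky_locations(HARDENED_CONF))
```

Run it over a server's real nginx.conf and included files to list the blocks worth fixing; the patch to PHP-FPM is still the primary remedy, and the try_files line is the configuration-side mitigation for hosts that cannot be upgraded immediately.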