Audit your apps
So you've audited your application and found no vulnerabilities. And that's good - you're in the top n% (where n < 10) of security programs out there if you are doing real security auditing on your applications. But it turns out that it's about more than just the code your developers write. It's the libraries your code uses too.
There's a rich history of applications being vulnerable through the use of vulnerable libraries. For example, in CVE 2014-8485 all the reporting seemed to be that the program strings was vulnerable. But that wasn't really the case. Rather, it was libbfd that actually had the vulnerability - strings was simply using libbfd.
Another obvious example is Heartbleed. Although the vulnerability was in OpenSSL, applications that used a vulnerable version of OpenSSL (compiled with DTLS heartbeats enabled) were also vulnerable.
Heartbleed has been patched - no more OpenSSL patches?
Unfortunately, Heartbleed wasn't the last vulnerability associated with OpensSSL. There have been a number of OpenSSL vulnerabilities in 2015 alone. Of those, CVE 2015-0209 is probably the most concerning since it is a use after free. So far, there is no publicly working code execution exploit for this (and a working exploit might not be possible). But that's not to say that the recent OpenSSL vulnerabilities don't matter. Several are Denial of Service (DoS) vulnerabilities, abusing a null pointer dereference. This means that software using a vulnerable version of OpenSSL would crash if one of these vulnerabilities were exploited.
Why am I talking about libraries now? I came across this last week looking at an implementation of Dropbox for a client of Rendition Infosec. As you may know, Dropbox and I have a rich, sordid history with Dropsmack.
While investigating the current version of Dropbox (3.10.11) we noticed that one of the support libraries (Qt5Network.dll, version 220.127.116.11) is linked with OpenSSL 0.9.8ze. This version of OpenSSL was released in January 2015 and is two versions out of date. We didn't try to exploit these any null pointer dereference vulnerabilities, but feel free to jump on that if you're interested.
|OpenSSL 0.9.8ze vulnerabilities|
Remember to audit your apps (and the libraries they use) regularly.