Mar 08, 2024NewsroomInteroperability / Encryption

Meta has offered details on how it intends to implement interoperability in WhatsApp and Messenger with third-party messaging services as the Digital Markets Act (DMA) went into effect in the European Union.

“This allows users of third-party providers who choose to enable interoperability (interop) to send and receive messages with opted-in users of either Messenger or WhatsApp – both designated by the European Commission (EC) as being required to independently provide interoperability to third-party messaging services,” Meta’s Dick Brouwer said.

DMA, which officially became enforceable on March 7, 2024, requires companies in gatekeeper positions – Apple, Alphabet, Meta, Amazon, Microsoft, and ByteDance – to clamp down on anti-competitive practices from tech players, level the playing field, as well as compel them to open some of their services to competitors.

As part of its efforts to comply with the landmark regulations, the social media giant said it expects third-party providers to use the Signal Protocol, which is used in both WhatsApp and Messenger for end-to-end encryption (E2EE).

The third-parties are also required to package the encrypted communications into message stanzas in eXtensible Markup Language (XML). Should the message contain media content, an encrypted version is downloaded by Meta clients from the third-party messaging servers using a Meta proxy service.

The company is also proposing what’s called a “plug-and-play” model that allows third-party providers to connect to its infrastructure for achieving interoperability.

“Taking the example of WhatsApp, third-party clients will connect to WhatsApp servers using our protocol (based on the Extensible Messaging and Presence Protocol – XMPP),” Brouwer said.

“The WhatsApp server will interface with a third-party server over HTTP in order to facilitate a variety of things including authenticating third-party users and push notifications.”

Furthermore, third-party clients are mandated to execute a WhatsApp Enlistment API when opting into its network, alongside providing cryptographic proof of their ownership of the third-party user-visible identifier when connecting or a third-party user registers on WhatsApp or Messenger.

The technical architecture also has provisions for a third-party provider to add a proxy or an intermediary between their client and the WhatsApp server to provide more information about the kinds of content their client can receive from the WhatsApp server.

“The challenge here is that WhatsApp would no longer have direct connection to both clients and, as a result, would lose connection level signals that are important for keeping users safe from spam and scams such as TCP fingerprints,” Brouwer noted.

“This approach also exposes all the chat metadata to the proxy server, which increases the likelihood that this data could be accidentally or intentionally leaked.”

Dec 18, 2023NewsroomEmail Security / Vulnerability

Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction.

“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.

The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –

• CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
• CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT28 (aka Forest Blizzard) has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.

It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of May 2023 security updates.

“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.

CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function that could be exploited by sending an email containing a malicious file or a URL to an Outlook client.

“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.

In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to a zero-click code execution on the victim machine.

CVE-2023-36710 impacts the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that’s used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.

“Finally, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”

To mitigate the risks, it’s recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. Additionally, it also advised to either disable NTLM, or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.