Recent news reflected a vulnerability tale as old as time, with the operative word being "old." Two known but long-unpatched vulnerabilities were revealed to have affected numerous organizations. One was a 6-year-old Microsoft Office remote code execution (RCE) flaw being actively used to deliver spyware via malicious Excel attachments. The other was an eight-year-old unpatched vulnerability in the GWT framework discovered by Bishop Fox researcher Ben Lincoln. Originally developed by Google, GWT is an open source development toolkit for building and optimizing complex browser-based applications. This critical vulnerability could expose application owners to server-side remote code execution (RCE) by unauthenticated attackers.
While these vulnerabilities differ in where they reside and in the nature and status of a patch, they share an all too common and unsettling attribute: existing in plain sight for more than half a decade without being addressed.
While we could dive into the vagaries of the software supply chain, or the massive discrepancies in how organizations manage vulnerabilities and patching, we decided to take a different tack. We asked our Red Team Practice Director, Trevin Edgeworth, what long-standing, unpatched vulnerabilities communicate to a Red Teamer, how Red Teamers approach and leverage them, and whether they are a fatal flaw. As the two situations differ in terms of patch availability, Trevin took the opportunity to dive a little deeper and differentiate how each changes a Red Team perspective.
0:00:00 - Microsoft Office Memory-Corruption Flaw
0:07:24 - GWT Java Serialization Flaw