The Orpheus’ Lyre Bug: How Microsoft is Patching the Security Holes

Media Division | July 31, 2017

The threat landscape is an ever-evolving proposition. As we work to defend ourselves against what seems like an endless barrage of threats, cyber attackers continue to create more malicious and adept threats that are better able to break through these defenses and compromise our systems. Some threats get more publicity than others, often because of their malicious potential, and they end up with fancy coined names as well. The most recent vulnerability to receive this kind of special treatment is called Orpheus’ Lyre (OL). It even has its own website and logo, along with a theme song that plays when you visit the site.

How it Works

OL is a security hole within a network authentication system known as Kerberos. While not necessarily a household name, Kerberos is quite prominent, as it is largely employed by Windows for access control and logon. To understand how OL functions, it is necessary to understand a bit about how Kerberos operates. It is a ticket-based authentication system, which essentially means it acts as an intermediary between a client and a server. Rather than negotiating directly with the server, the client contacts Kerberos to request an access ticket. This centralizes and manages the process, and makes it unnecessary to have tons of servers that store massive password lists and validate access. Kerberos simply acts as a relay point that issues these access tickets, and it generally has some pretty strong cryptography to prevent tickets from being changed once issued.

While Kerberos can be extremely efficient, it is also a technology that has been in use since the 80’s. Sometimes the encryption leaves something to be desired, as not everything in the issued access tickets is encrypted. Duplicate data fields can exist within these tickets, where one version is encrypted and another is in plain text, and this is essentially where the vulnerability was found. The discoverers of OL realized that in several widespread implementations of Kerberos, programmers had left inconsistencies where software would rely upon the unprotected plain text version of the server name rather than the protected, encrypted version. This means that attackers could modify a Kerberos ticket and reroute an unpatched client computer to an imposter server.
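
The flawed pattern described above, next to the corrected one, as an added example that is not from the original article or from any Kerberos implementation. It is a toy model: the field names (`sname`, `protected`, `tag`), the key and the host names are constructed, and an HMAC stands in for the ticket's real encryption.

```python
import hashlib
import hmac
import json


class TicketError(Exception):
    """Raised when a reply fails its integrity or consistency checks."""


def issue_reply(key: bytes, server: str) -> dict:
    """Toy issuer: the server name appears twice, once protected and once not."""
    protected = json.dumps({"sname": server}).encode()
    tag = hmac.new(key, protected, hashlib.sha256).hexdigest()
    # "sname" at the top level is the plain-text duplicate; nothing covers it.
    return {"sname": server, "protected": protected.decode(), "tag": tag}


def server_name_unsafe(reply: dict) -> str:
    """Flawed pattern: trusts the plain-text copy, which can be edited in transit."""
    return reply["sname"]


def server_name_checked(key: bytes, reply: dict) -> str:
    """Corrected pattern: verify the protected part, then take the name from it."""
    protected = reply["protected"].encode()
    expected = hmac.new(key, protected, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, reply["tag"]):
        raise TicketError("protected part failed its integrity check")
    name = json.loads(protected)["sname"]
    # A mismatch between the two copies is a sign of tampering: reject it.
    if reply["sname"] != name:
        raise TicketError("plain-text server name differs from protected copy")
    return name


if __name__ == "__main__":
    key = b"constructed-session-key"  # constructed sample value
    reply = issue_reply(key, "fileserver.example.test")
    # Constructed tampering: only the unprotected duplicate is changed.
    tampered = dict(reply, sname="imposter.example.test")
    print("unsafe client believes:", server_name_unsafe(tampered))
    try:
        server_name_checked(key, tampered)
    except TicketError as exc:
        print("checked client rejects reply:", exc)
```
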

As mentioned above, Windows prominently uses Kerberos, which leaves it vulnerable. Fortunately, Microsoft took quick action after the discovery, and the issue was addressed in their July 2017 patch. In other words, if you are a Windows user, be sure to install the latest patches to protect yourself. Note that the vulnerability centers on redirecting a client to an imposter server, which means that patching only the servers does not protect unpatched computers that could be misrouted.

Patching as a Cyber Security Point

There is a point to be made in regard to patches, mostly because patching is something that many tend to neglect in the realm of cyber security. It is far too common for people to keep pushing off or minimizing those frequent reminders to install updates, but this can be device suicide. Many updates contain important security patches that protect against discovered vulnerabilities like the one above. Installing updates when they come out is one of the simplest points of cyber security. Sure, it can take a little time for these patches or updates to finish, but that is much better than your device being ruined or hijacked and having to pay to get it cleaned up or buy a new one.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.