September 2018 Update Summary

=======================
Update: 11th September 2018:
=======================
Earlier today Microsoft and Adobe made available their scheduled updates. Microsoft resolved 61 vulnerabilities more formally known as CVEs (defined).

At the time of writing; there are known issues but with only the now commonly occurring Windows 7 NIC being an issue this month:

KB4457128

KB4457144

KB4458321

Further details are available in Microsoft’s update summary for September.

Adobe issued 2 updates today:

Adobe ColdFusion (priority 2, resolves 6x critical CVEs)
Adobe Flash (priority 2, resoles 1x CVE)

As per standard practice if you use any of the above Adobe software, please update it as soon as possible especially in the case of Flash. Updates for Google Chrome will be available shortly either via a browser update or their component updater.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft Hyper-V (affects Windows 10 and Windows 8.1 (including Windows RT 8.1) and their Server equivalents)

Windows Task Scheduler (relating to a previous blog post)

Security advisory for “FragmentSmack” CVE-2018-5391

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Original Post:
=======================
In advance of further updates being released by Microsoft and Adobe this month I wish to provide details of notable updates made available so far. I will update this post as more updates are distributed.

Thank you.

=======================
Mozilla Firefox:
=======================
In early September Mozilla made available updated versions of Firefox:

Firefox 62: Resolves 1x critical CVE (defined), 3x high CVEs, 2x moderate CVEs, 3x low CVEs

Firefox ESR 60.2 (Extended Support Release): Resolves 1x critical CVE, 2x high CVEs, 2x moderate CVEs and 1x low CVE.

Further discussion of the other features introduced by Firefox 62 is available here. In the future Firefox will block multiple trackers which will boost privacy for it’s users. Future versions will implement these changes.

In-depth details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Last week Google released version 69 (specifically version 69.0.3497.81) of Chrome celebrating Chrome’s 10th anniversary. This version not only incorporates fixes for 40 vulnerabilities but also includes many more improvements. Among them are an improved password manager/form filler and a change in how secured (encrypted) webpages are indicated.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMWare has issued a single security advisory so far in September:

Security advisory 1 (addresses 2 vulnerabilities of Low severity):

  • AirWatch Agent for iOS (A/W Agent)
  • VMware Content Locker for iOS (A/W Locker)

If you use the above VMware product, please review the security advisory and apply the necessary updates.

Protecting Against the Windows 10 Task Scheduler Zero Day Vulnerability

====================
Update: 5th September 2018:
====================
As previously advised; exercising caution when receiving emails with attachments will keep you safe from the following malware now exploiting this vulnerability.

Your anti-malware software will likely also protect you from this exploit since the majority of vendors are detecting (verified using VirusTotal) the file hashes listed in the security firm Eset’s blog post:

Eset have detected attackers delivering an exploit for this vulnerability via email. The exploit targets victims in the following countries:

  • Chile
  • Germany
  • India
  • Philippines
  • Poland
  • Russia
  • Ukraine
  • United Kingdom
  • United States

The attackers have made small changes of their own to the published proof of concept code. They have chosen to replace the Google Updater (GoogleUpdate.exe)(which runs with admin privileges (high level of integrity)) usually located at:

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

They replace the updater with a backdoor application of their own that is run with the highest privilege namely System level integrity. This is a stage one of their attack. If the attackers find anything of interest on the infected system a second stage is downloaded allowing them to carry out any commands they choose, upload and download files, shutting down an application or parts of Windows of their choice and listing the contents of the data stored on the system.

The attackers also use the following tools to move from system to system across (laterally) a network: PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

Thank you.

====================
Original Post:
====================
With the disclosure early last week of zero day vulnerability (defined) I wanted to provide some advice on staying safe while a patch from Microsoft is being developed.

What systems are affected and how can an attacker use this vulnerability to compromise systems?
Once this pre-developed working exploit is delivered to a 64 bit Windows 10 system it can be used to provide an attacker with the highest level of privilege (System level access) on that system allowing them to carry out any action they choose. They can achieve this by changing permissions on any file stored on a system thus giving them the ability to replace/change any file. When a system service executes what it believes to be a legitimate file but is instead the attacker substituted file; the attacker obtains the privileged access of that service.

The effectiveness of this exploit has been verified by Will Dorman from the CERT/CC. 32 bit versions of Windows are also affected. For Windows 8.1 and Windows 7 systems; the exploit would require minor changes before it can result in the same level of effectiveness (but may be inconsistent on Windows 7 due to the hardcoded XPS printer driver (defined) name within the exploit).

An attacker must already have local access to the systems they wish to compromise but could obtain this using an email containing an attachment or another means of having a user click on a link to open a file. The base CVSS score of this vulnerability is 6.8 making it make of medium severity for the above reasons.

How can I protect myself from this vulnerability?
Standard best practice/caution regarding the opening of email attachments or clicking links within suspicious or unexpected email messages or links from unknown sources will keep you safe from the initial compromise this exploit code requires to work correctly.

The advisory from the CERT/CC has also been updated to add additional mitigations. BEFORE deploying these mitigations please test them thoroughly since they can “reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates”.

A further option you may wish to consider is the deployment of the following micropatch from 0Patch. This patch will automatically cease functioning when the relevant update from Microsoft is made available. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

Further advice on detecting and mitigating this exploit is available from Kevin Beaumont’s post.

Thank you.

Adobe Issues Further Security Updates

Early last week Adobe made available a further un-scheduled emergency security update available for download affecting Creative Cloud Desktop Application version 4.6.0 and earlier. This vulnerability impacts both Apple macOS and Windows systems.

If an attacker were to exploit this they could elevate their privileges (defined). As with the previous security update the vulnerability was responsibly disclosed (defined) to Adobe by Chi Chou of AntFinancial LightYear Labs.

Please follow the steps within this security bulletin to check if the version of Creative Cloud Desktop Application you are using is impacted and if so; follow the steps to install the relevant update.

Thank you.

Adobe Issues Critical Photoshop CC Security Updates

On Wednesday Adobe made available an out of band (un-scheduled) emergency update available for Photoshop CC for both Apple macOS and Windows systems.

Photoshop CC 2018 (versions 19.1.5 and earlier) and Photoshop 2017 (versions 18.1.5 and earlier) are affected by two critical memory corruption vulnerabilities. If an attacker were to exploit these they could achieve remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device). The vulnerabilities were responsibly disclosed (defined) by Kushal Arvind Shah of Fortinet’s FortiGuard Labs to Adobe.

Please follow the steps within Adobe’s security bulletin to install the applicable updates as soon as possible if you use these products.

Thank you.

Apache Foundation Patches Critical Struts Vulnerability

Earlier this week the Apache Software Foundation made available patches for Apache Struts (a web application framework (defined)) bringing the applications active development branches to version 2.3.35 and 2.5.17. These versions addresses a remote code execution vulnerability (defined: the ability for an attacker to remotely carry out any action of their choice on your device) known as CVE-2018-11776. This vulnerability was responsibly disclosed (defined) by the security researcher; Man Yue Mo.

Why should this vulnerability be considered important?
A data breach at the credit rating agency Equifax last year occurred in part due to their lack of patching their affected web servers. The vulnerability resolved this week can be exploited by an attacker simply by visiting specifically crafted URL (defined) on the affected web server (defined). Once exploited the server can be completely under the attacker’s control.

Typically within days of a vulnerability being disclosed; attackers begin to target and exploit it. Compromised are web servers (which are already public facing and can be located using Shodan) can be used as an entry point into other areas of your corporate network. Any application making use of the Struts framework is vulnerable regardless if those applications use plugins.

How to tell if your installation of Apache Struts is vulnerable?
Your Apache Struts is vulnerable if both of the conditions listed below are true (my thanks to this Semmle blog post for this information):

=====================

  1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
  2. Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=”main”>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.

=====================

How can I protect my web servers from this vulnerability?
Depending upon which version of Apache Struts your web server is using; please upgrade to version 2.3.35 or 2.5.17 as soon as possible.

Thank you.

Vendors Respond to Foreshadow (L1TF) Vulnerabilities

Yesterday, academic and security researchers publically disclosed (defined) 3 new vulnerabilities affecting Intel CPUs (AMD and ARM are not affected).

What are these new vulnerabilities and what can they allow an attacker to do?
The first vulnerability known as Foreshadow or CVE-2018-3615 is used to extract data from an Intel SGX (Software Guard Extensions)(defined) secure enclave (area) by creating a shadow copy of the SGX protected data but that copy does not have the protection of SGX and can be read/accessed by the attacker. The attacker can also re-direct speculative execution into copying further private/sensitive into the shadow copied area while at the same time making it appear that area is genuine and thus has the same protection as the real SGX protected data.

The second vulnerability (part of a wider Foreshadow Next Generation (NG) group of two variants) known as CVE-2018-3620 allows the reading of data copied into the level 1 cache (defined) of a CPU (defined) when that data is in use by a computer operating system e.g. Red Hat Linux, Apple macOS or Microsoft Windows.

The third vulnerability is the second and final variant of the Foreshadow NG group known as CVE-2018-3646.  This affects virtualised environments. If a CPU thread (defined) being directed by an attacker is able to read the level 1 cache of a CPU that is also shared by another thread by a victim user (within another virtualised environment but using the same physical CPU) while that request will be blocked; if the information the attacker is looking to steal is in the level 1 cache they may still get a glimpse of this information.

How can I protect myself from these new vulnerabilities?
For the first and second vulnerabilities; the microcode (defined)/firmware (defined) updates made available earlier this year coupled with the newly released updates for operating systems linked to below will mitigate these two issues.

====================

For the third vulnerability; affecting virtualised (defined) environments there are operating system updates and microcode/firmware updates available that will occasionally clear the contents of the level 1 cache meaning that when the attacker attempts to read it they will not receive any benefit from doing so. Partially removing the usefulness of the cache will have a performance impact from a few percent up to 15 percent in the worst case scenario.

However to completely mitigate this third vulnerability a capability known as Core Scheduling needs to be leveraged. This ensures that only trusted/non attacker controlled virtual machines have access to the same thread (this capability is already available in some virtual machine (hypervisor)(defined) environments).

However in some environments if it cannot be guaranteed that all virtual machines are trustworthy the disabling of Intel Hyper Threading (this means that only 1 thread will work per CPU core)(otherwise known as simultaneous multi-threading (SMT)(defined)) may be necessary and will more significantly impact performance than just the level 1 cache clearing.

In summary for this third vulnerability; depending upon the virtualised environment you are using and the trustworthiness of the virtual machines you are using will determine how many of the these extra security measure you will need to take.

To be clear I am NOT advocating that Intel Hyper Threading/SMT be disabled EN MASSE for security reasons. As per the advice in the linked to advisories (below)(specifically Intel and VMware) ; you MAY wish to disable Intel Hyper Threading/SMT to mitigate the third vulnerability (CVE-2018-3646) depending upon the environment your virtualised machines are operating.

This Ars Technica article explains it very well: “if two virtual machines share a physical core, then the virtual machine using one logical core can potentially spy on the virtual machine using the other logical core. One option here is to disable hyperthreading on virtual-machine hosts. The other alternative is to ensure that virtual machines are bound to physical cores such that they don’t share.”

====================

Please find below links to vendor responses on these vulnerabilities as well as videos that can help in understanding these vulnerabilities:

Thank you.

====================

Foreshadow Vulnerability Official Website:
https://foreshadowattack.eu/

Intel’s Blog Post:
https://newsroom.intel.com/editorials/protecting-our-customers-through-lifecycle-security-threats/

Intel’s FAQ Page:
https://www.intel.com/content/www/us/en/architecture-and-technology/l1tf.html

Intel’s Security Advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

Intel’s Software Developer Guidance:
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

Red Hat’s Security Advisory:
https://access.redhat.com/security/vulnerabilities/L1TF

Linux Kernel Patch:
https://lore.kernel.org/patchwork/patch/974303/

Oracle’s Security Advisory:
https://blogs.oracle.com/oraclesecurity/intel-l1tf

Amazon Web Services’ Security Advisory:
https://aws.amazon.com/security/security-bulletins/AWS-2018-019/

Google Cloud Security’s Blog Post:
https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities

Microsoft Windows Azure’s Guidance:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se

Microsoft’s Windows Security Advisory (high level details):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018

Microsoft’s Technical Analysis of the Foreshadow Vulnerabilities:
https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

VMware Security Advisories:
https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://www.vmware.com/security/advisories/VMSA-2018-0021.html
====================

Videos:
Foreshadow Video (explains the first vulnerability very well):
https://www.youtube.com/watch?v=ynB1inl4G3c

Intel’s Video (explains all 3 vulnerabilities):
https://www.youtube.com/watch?v=n_pa2AisRUs

Demonstration of the Foreshadow attack:
https://www.youtube.com/watch?v=8ZF6kX6z7pM

Red Hat’s Video (explains all 3 vulnerabilities):
https://www.youtube.com/watch?v=kBOsVt0iXE4

Red Hat’s In-depth video of the 3 vulnerabilities:
https://www.youtube.com/watch?v=kqg8_KH2OIQ

====================

August 2018 Update Summary

Today Microsoft released updates to resolve 63 vulnerabilities (more formally known as CVEs (defined)).

This month also brings a new set of vulnerabilities affecting only Intel CPUs. I detail these more thoroughly in a separate post. However high level details are provided below.

Compared to previous months updates these have a smaller list of known issues (most of which have workarounds). Links to the relevant knowledge base (KB) articles are provided below:

KB4340731

KB4340733

KB4343885

KB4343892

KB4343897

KB4343900

KB4343909

====================

Adobe also released update for the following products:

Adobe Acrobat and Reader DC (priority 2, 2x CVEs)

Adobe Creative Cloud Desktop (priority 3, 1x CVE)

Adobe Experience Manager (priority 2, 3x CVEs)

Adobe Flash (priority 2, 5x CVEs)

As always if you use any of the above Adobe software, please update it as soon as possible especially in the case of Flash and Acrobat DC/Reader DC. Updates for Google Chrome will be available shortly either via a browser update or their component updater.

Please also review the out of band updates for Photoshop CC and Creative Cloud Desktop and apply them if you use these products.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Font Library

Malicious LNK File

Microsoft Exchange

Foreshadow (L1TF) Vulnerabilities: Allow information disclosure via speculative execution; are only locally executable (rather than remotely). This vulnerability may allow one virtual machine to improperly access information from another. More details in my dedicated blog post.

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Nvidia Geforce Experience Software:
=======================
In late August, Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 3 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be obtained from here.

=======================
VideoLAN VLC:
=======================
On the final day of August, VideoLAN made available VLC 3.0.4. This appears to be a security update for Apple macOS due to the following entries within the releases notes (however it is unclear if this overflow is exploitable by an attacker):

=======================
Text renderer:
* Fix head buffer overflow on macOS with some fonts
=======================

For Linux and Windows this version provides fixes numerous non-security issues. Please update to version 3.0.4 to benefit from these improvements.

=======================
Wireshark 2.4.9 and 2.6.3
=======================
v2.4.9: 3 security advisories

v2.6.3: 3 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.3) or v2.4.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
WinSCP:
=======================
In late August; WinSCP version 5.13.1 was released upgrading it’s embedded OpenSSL version to 1.0.2p (which addresses 2x low severity CVEs (Link1 and Link2).

=======================
OpenSSL
=======================
On the 12 June and 16th April 2018; the OpenSSL Foundation issued 2 updates for OpenSSL to address 2x low severity security vulnerabilities as detailed in these security advisories (Link1 and Link2). To resolve these issues please update your OpenSSL installations to 1.1.0i (released 14th August) or 1.0.2o (released 14th August) (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
VMware
=======================
VMWare issued two security advisories for the following products during August:

Security advisory 1 (addresses 1 vulnerability of Important severity):

  • VMware Horizon 6
  • VMware Horizon 7
  • VMware Horizon Client for Windows
  • VMware Horizon View Agent
  • VMware Horizon Agents Installer (HAI)

Security advisory 2 (addresses 1 vulnerability of Critical severity):

  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

If you use the above VMware products, please review the security advisories and apply the necessary updates.