April 2017 Security Updates Summary

As expected earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s set of updates are much lighter in volume this month addressing 45 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month sees four known issues listed for this months updates all relating to the AMD Carrizo processor experiencing an issue which prevents the installation of future Windows Updates. Microsoft states in all four knowledge base articles (listed below) they are aware of this issue and are working to resolve it in upcoming updates:


At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues (although it has not been updated since November 2016, I’m unsure why).

Adobe issued five security bulletins today affecting the following products:

Adobe Campaign (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)
Adobe Acrobat and Reader (47x priority 2 CVEs)
Adobe Photoshop (2x priority 3 CVEs)
Adobe Creative Cloud Desktop (2x priority 3 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):


A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

For the Microsoft updates this month, I will prioritize the order of installation for you below:

Critical severity:
Microsoft Office and Windows WordPad (due to a previously disclosed zero day vulnerability (defined))
Microsoft Edge
Internet Explorer
Microsoft .Net Framework

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Microsoft Ends Support for Windows Vista

As detailed in the news online Microsoft is ending the support lifecycle of Windows Vista today. It will no longer receive security updates going forward.

With the installation share of Windows Vista being only approximately 1% of all installed operating systems, the number of users/systems affected is small. However they should still seriously consider migrating to newer operating systems and possibly newer hardware to support their new choice of operating systems.

Since this is a consumer oriented operating system, the recommendations previously provided for Windows Server 2003 do not apply here. Check if your current applications are compatible with newer operating systems and migrate at your earliest convenience to minimise future since the support lifecycle has ended.

Thank you.

Tampered NSIS installers contain ransomware

In a blog post earlier this month Microsoft provided an in-depth analysis of a new technique in use by ransomware authors to disguise their attempts to hold your data for ransom.

What has made these newly disguised ransomware installers so successful?
These attack involve tampering with a Nullsoft Scriptable Install System (NSIS) installer (used in paid, free and open-source software such as VideoLAN VLC, Wireshark (among others)). In contrast to previously altered installers the attackers have removed their randomly named DLL (defined) which dramatically reduces the chance of detection due to far less code being present. Inclusions of non-malicious plugins, an uninstallation component and a legitimate .bmp image file for use with the installer help to divert attention away from the installer’s real purpose.

The installer instead contains an installation script which would usually automate the installation of the application for you. In this case however an obfuscated (defined here and here) script which calls the Win32API (API, defined) allows an attacker to allocate (make ready for use) an area in the computer’s memory in order to activate a small code fragment to decrypt the ransomware.

As detailed by Deep Instinct’s security researcher Tom Nipravsky; the script is sophisticated since it operates only in memory in addition to being multi-staged. Moreover the shell code (defined) uses a technique known as Heaven’s Gate which allows 64 bit shell code to make use of a 32 bit process (defined) which makes the work of security researchers more difficult since debuggers (defined) cannot easily handle a transition from one architecture to another. This also has the benefit of bypassing API hooks (defined) which are monitored by anti-malware software and makes use of system calls (defined) as opposed to API calls.

Moreover this ransomware uses a technique known as “process hollowing.” This occurs when an attacker creates a process in a suspended state (defined) but replaces it’s in memory code with code the attacker wishes to hide. Finally the attackers use an encrypted installer within NSIS which currently security vendors are unable to trace and is only decrypted when it is about to be used.

How can I protect myself from these threats?
Since the tampered NSIS installers originate from emails you should follow the advice from SANS with regards to email:

Use Caution Opening Email Attachments – A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it.

Source: https://www.sans.org/tip-of-the-day (date: 1st March 2017)

Microsoft encourages enterprise/corporate users to upgrade to Windows 10 and make use of its security features to defend against this threat.

Full disclosure: I don’t work for or on behalf of Microsoft nor do I wish to promote their products/services. I have simply provided a link to their advice for corporate users who may already have Windows 10 (or are considering upgrading) in order for them to better protect themselves against this and other threats using the security protections it offers.

Thank you.

“DoubleAgent” Vulnerability Disclosure: What you need to know

In late March a security vulnerability was disclosed by the Israeli security firm Cybellum. However this was no ordinary public disclosure as I will explain below. Apologies for the untimely nature of this blog post due to other commitments:

What made this disclosure different?
At first glance this disclosure appeared very serious. It discussed the use of the Microsoft Application Verifier present within Windows XP up to and including Windows 10. They detail the leveraging of this tool to add a customised verifier DLL (defined) to hijack any legitimate process (defined) within Windows.

They demonstrated this attack against anti-malware software specifically Norton Security (by Symantec) resulting in a rogue DLL being injected (defined here and here) into the Norton process (ns.exe as demonstrated within their YouTube video). Despite claims by Cybellum security firms such as Avira and Comodo have reported this attack cannot bypass the self-protection features within their products. The full list of capabilities this attack provides is within this news article.

Windows Internals expert; Alex Ionescu later revealed the researchers from Cybellum used his work concerning protected processes to create this exploit and this was already a known issue. As was pointed out in the Twitter timelines linked to below once an attacker has administrative control over your system they could simply uninstall your security software rather than trying to bypass rendering the threat of this exploit far less important/relevant.

Twitter Timeline 1
Twitter Timeline 2
Twitter Timeline 3
Twitter Timeline 4
Twitter Timeline 5

Does this disclosure only affect security software?
It’s important to note this attack potential affects all software on Windows rather than just security software. In addition the proof of concept (PoC) exploit requires no changes for any application you choose to attack. Security software was chosen since almost all systems have anti-malware software installed and their process names are trusted (and allowed within application white listed (defined) environments).

How can I protect myself from this exploit?
Since this attack requires administrative privileges (defined) on Windows to have the intended effect, using a standard user account for everyday use will mitigate this attack.

From the various statements issued by the affected anti-malware vendors (listed below) please ensure your anti-malware software is the latest version available to ensure this attack is ineffective.

Traditional defences such patching your operating system, your web browser and be cautious of the attachments you open will also reduce the risk posed by this attack.

NetworkWorld Anti-Malware Vendor Responses

Malwarebytes Anti-malware

Symantec Endpoint Protection

Symantec Endpoint Protection Affected Versions

Thank you.

Blog Re-design

Hello everyone,

As I am sure you have noticed, this blog has just undergone a re-design. It’s intention is to ease navigation and provide access to previous posts which you may find helpful.

I hope you like the new image at top of the page in addition to adverts no longer being present at the end of every page. Please let me know if you don’t like this new design and I will endeavor to improve it for you.

Thank you.

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

Update: 28th March 2017:
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

Update: 11th April 2017:
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6  in Acrobat/Reader (assuming near sequential CVEs and the team names attributed top them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

Proton Trojan targeting Apple macOS discovered

Earlier this month Sixgill, a cyber intelligence company provided information on a recently discovered trojan for Apple macOS systems. It is being sold on the underground Russian cybercrime forums and acts as a remote administration tool (RAT)(defined). It sells under the name of Proton for 100 Bitcoin (more than USD$100,000) but now allows unlimited installations for 40 Bitcoin or a single installation for 2 Bitcoin.

Since the trojan is a RAT (discussed above) it allows an attacker to have full control of a victim’s system which includes controlling file uploads and downloads, monitoring keyboard presses, taking screenshots and webcam surveillance.

Sixgill theorizes the trojans developers bypassed/worked around Apple’s Developer ID program allowing this “application” to appear harmless while possibly exploiting an unknown zero day vulnerability (defined) within macOS to root privileges (defined) over the victim system.

How can I protect myself from this malware?
Since the trojan allows full control of an over an infected system, this will complicate removal since the attackers could easily attempt to resist or undo removal actions. Malwarebytes state this trojan is not in widespread use and they have been unable so far to obtain a sample of it. Moreover, VirusTotal did not have a sample to provide to them.

Apple added detections for this trojan to their XProtect (defined) anti-malware security feature; however as detailed in this TechRepublic article the trojans creators can easily modify it to avoid Apple’s signatures.

Further information on this trojan is available in this Softpedia article. TechRepublic provides a detailed list of recommendations within their article to prevent infection by this threat.

Thank you.