September 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s updates consist of 14 security bulletins. These bulletins address 50 vulnerabilities more formally known as CVEs (defined)(not including the Adobe vulnerabilities mentioned below).

Only the Internet Explorer security bulletin currently lists a Known Issue (discussed below). However as always please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates. At this time it does not list any Known Issues.

Update: 15th September 2016:

It has been reported that the security updates for Internet Explorer MS16-104 and Microsoft Edge (MS16-105) patches a zero-day (defined) vulnerability that has been publicly exploited. Further details of this vulnerability have since been disclosed and are available in this ThreatPost article.

The Known Issue for this update now mentions “Microsoft is aware of limited issues in which an ActiveX install may fail when using the ActiveX Installer Service (AXIS) with Internet Explorer 10 or Internet Explorer 11.” However, at this time no workaround or solution is available.

Moreover, the Microsoft Office security bulletin resolves an Important severity level ASLR (defined) bypass designated CVE-2016-0137 within the Microsoft Detours DLL (defined) that applications such as Microsoft App-V use. This issue has the potential to affect a lot of other 3rd party products and is discussed in more detail in this ThreatPost article. Further information/resources concerning this vulnerability are available on this GitHub page. A possibly related issue was found in Nvidia’s graphics driver (defined) (within detoured.dll) late last year which they issued a patch for.

This month also marks the final month that Windows 7 and Windows 8.1 will receive security updates packaged in the traditional format. From October the updates will be offered in packages similar to that of Windows 10 which will mean fewer individual updates will need to be installed to bring systems up to date. The updates will also replace updates from previous months again reducing the volume of updates needing to be installed. There will be single security and reliability updates.

While I am in favour of the simplification of updates, the “Known Issues” that I mention each month will become even more important since you won’t have the option of choosing which updates to install. This will lead to more outages and compatibility issues especially for corporate environments which is discussed in this article. Microsoft provides more details of these changes in their Windows IT Pro blog post. This additional Microsoft blog post and this Windows IT Pro blog post provide further coverage.

Further to this, next month Microsoft plans to begin to block out dated versions of Adobe Flash Player ActiveX controls (defined). Further details are available in their blog post.

====================
For Adobe’s scheduled released they made available an updated version of Flash Player that addresses 29 priority 1 vulnerabilities.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

Adobe also released a security bulletin for Adobe AIR SDK and compiler (AIR is its application runtime) to address a single priority 3 vulnerability. More information as well as installation steps are available in the relevant security bulletin. Finally, Adobe released a security bulletin for Digital Editions that addresses 8 priority 3 vulnerabilities.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

With Adobe’s Flash Player update (to version 23.0.0.162) addressing 29 critical vulnerabilities, this should be installed first if you already have a previous version installed.

For the Microsoft updates, for corporate environments/server operating systems please first install the Microsoft Exchange update (if you use it within your environment). This should be followed by Microsoft Office, Security Update for Windows (MS16-110) and the Microsoft Graphics Component.

For desktop workstations / small business environments please make Internet Explorer, Microsoft Edge, Microsoft Office and the Microsoft Graphics Component your first priorities due to their severities and prevalent use. The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is available in this Computerworld article (a new article is published each month within their Patch Tuesday Debugged column).

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

OpenSSL 1.1.0 Adds Partial TLS 1.3 Support

On the 25th of August the OpenSSL Software Foundation released OpenSSL 1.1.0 which brought partial support for a working IETF draft of TLS 1.3. OpenSSL 1.1 is one of the largest version changes to have occurred in the history of OpenSSL which is now better funded, has more developers and follows an improved code development process following the discovery of the now well-known Heartbleed vulnerability.

What is TLS 1.3?
Transport Layer Security (TLS) version 1.3 is the most recent version (currently in draft form) of the cryptographic protocol originally based on SSL (Secure Socket Layer) version 2 (from 1995) and v3 from 1996. This is the protocol that protects us when we see the HTTPS displayed in our web browsers address bar. More information on TLS/SSL is available in this podcast, this page and this blog post.

Why Is TLS 1.3 an advancement over TLS 1.2 or 1.1?
TLS 1.3 removes support for known insecure ciphers such as RC4, DES, 3DES and export grade ciphers as well older hashing algorithms e.g. SHA-1 and MD5. These are welcome changes that should help to reduce the possibility of further vulnerabilities such as SWEET32 and FREAK being present within the code of TLS libraries e.g. OpenSSL.

This reduces the attack surface (defined within the second paragraph of this blog post) of TLS 1.3 but the improvements don’t stop there. Cipher suites such as NIST P-256 and AES-GCM are being removed as primitives with only x25519, ChaCha20 and Poly1305 remaining developed by Dan Bernstein (who uses the handle djb).

X25519 is a key exchange protocol (with a similar purpose to Diffie Hellman), ChaCha20 is a stream cipher (a more secure alternative to the older RC4) and Poly1305 is used as a message authentication code (defined) with a view to replacing GCM.

In addition to improved security TLS 1.3 will offer improved performance but protection against reply attacks was still being finalised in the closing months of 2015.

Conclusion
With the many implementation vulnerabilities that have been uncovered in recent years within SSL and TLS the upcoming TLS 1.3 standard is a significant step in the right direction. With web browsers such as Mozilla Firefox, Google Chrome, Microsoft Edge (in progress) and other implementations adding support for TLS 1.3, the new standard is off to a promising start.

Thank you.

Blog Post Shout Out: Securing Internet of Things and WiFi

With Internet of Things (IoT) devices becoming part of everyday life properly implementing public key encryption (defined) within them is a critical step that should not be overlooked.

Facilitating the use of such devices is very widespread wireless access which should also be secured as much as possible (especially in corporate environments) so as not to inadvertently provide an easy means of accessing your internal network.

For both of the above technologies I wanted to provide a respectful shout-out to the following blog posts that provides step by step advice on securing wireless networks (includes physical security and hardening guest network access) as well as how public key cryptography should be implemented and used within IoT devices:

9 things to check after installing wireless access points by Eric Geier (Computerworld)
4.5 million web servers have private keys that are publicly known! by Paul Ducklin (Sophos Security)

I hope that you find the above posts/resources useful. Thank you.

Cisco Networking Devices Affected By Disclosed Exploits

Earlier this month Cisco made available 2 security advisories (please see below for the relevant links) that relate to the public disclosure of security vulnerabilities within their and other vendors’ products by a hacking group known as Shadow Brokers.

This group released exploits that targeted routers and firewalls from vendors such as Cisco, Juniper and Fortinet.

Further coverage of how these exploits were disclosed are available within the following links:

Cisco Acknowledges ASA Zero Day Exposed By Shadowbrokers (Threatpost)

Shadowbrokers’ Leak Has ‘Strong Connection’ To Equation Group (Threatpost)

Hacking group claims to offer cyber-weapons in online auction (Reuters)

NSA’s Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online (The Hacker News)

Cisco confirms NSA-linked zeroday targeted its firewalls for years (Ars Technica)

Juniper Acknowledges Equation Group Targeted ScreenOS

Why Should These Issues Be Considered Important?

For the affected Cisco devices (a full list is provided here), the most severe of which could allow remote code execution (where an attacker can remotely target your device and have it carry out any action of their choice). The SNMP (defined) vulnerability is the result of a buffer overflow (defined) which can be exploited by an attacker by sending specifically crafted SNMP packets (piece/unit of data being sent via electronic means e.g. within a cable or in the air e.g. WiFi) to an affected device.

Affected Fortinet devices suffer from a similar overflow within their cookie (defined) parser (a tool that analyzes data in a structured manner in order to create meaning from it). As before successful exploitation results in an attacker obtaining remote access to affected devices.

At a later date Juniper acknowledged that their products were also targeted by the group due to the information found within the files that were disclosed. They have since determined that while the code does target their ScreenOS it cannot be used for a remote attack.

How Can I Protect Myself From These Issues?
=======================
Cisco
The relevant Cisco security advisories are available from the following links (further fixes are also expected):

Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability (patch available)

Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability (patch available)

Cisco provides further security recommendations within their dedicated blog post of these vulnerability disclosures that is being updated as new patches are being made available.

=======================
Fortinet
A security advisory for the affected Fortinet devices with suggested upgrades detailed within.
=======================
Juniper
As mentioned above Juniper devices are affected but are not remotely exploitable. They continuing to work on a possible means to tell if malicious code has been installed on devices created by them. More information is available within their dedicated forum post.
=======================

I hope that the above information is useful to you in defending your corporate networks against these disclosed vulnerabilities.

Thank you.

August 2016 Security Updates Summary

Yesterday was Microsoft’s Update Tuesday and they made available their scheduled monthly security updates.

Microsoft’s updates consist of 9 security bulletins. These bulletins resolve 33 vulnerabilities more formally known as CVEs (defined).

Microsoft’s Security bulletin summary lists Known Issues for bulletins MS16-100 (Update for Secure Boot, kb3179577) and MS16-101 (Security update for Windows authentication methods, kb3178465).

The first issue is more informational rather than an error/interruption to your work. While the second known issue is notifying you that this update “disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations”.

The IT Pro Patch Tuesday blog is also a very useful resource to check before installing the updates to better inform you of whether to proceed or not.

====================
For the first time since January Adobe has not published a Flash Player security bulletin. However, they did release a priority 2 update for Adobe Experience Manager, resolving 4 CVEs.

If you use any the above Adobe products, please review the security bulletins linked to above and apply the necessary updates as soon as possible.

====================
You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying this month’s Microsoft updates, I will prioritise the updates for you below:

Please make the updates for Microsoft Office, Microsoft Internet Explorer, Microsoft Edge your first priorities since they all address critical severity vulnerabilities. Please follow these with the Microsoft Graphics Component update (since it addresses a critical font handling issue (font vulnerabilities are discussed in a previous blog post)). All remaining security updates can be installed when you have the time available.

A final security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

July 2016 Security Updates Summary

Earlier today Microsoft released their scheduled monthly security updates.

Microsoft’s updates consist of 10 security bulletins (not including the Adobe Flash Player update (more details below)). These bulletins resolve 49 vulnerabilities more formally known as CVEs (defined).

Just like last month at the time of writing there are Known Issues for this month’s updates (although last month’s summary was later updated to include 3 Known Issues including the well-known issues with the Group Policy update). However please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates.

As I mentioned above one of Microsoft’s bulletins relates to Adobe’s Flash Player update. This update addresses a massive 52 critical CVEs.

For Windows 8.1 and later Microsoft have released a corresponding Adobe Flash security bulletin MS16-093. As expected, it includes the same fixes within the above mentioned Adobe bulletin.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically alongside the updated version of Chrome.

Adobe also released a large security update for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI addressing 30 CVEs within those products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin.

Finally, Adobe published an update for it’s XMP Toolkit for Java affecting versions prior to 5.1.2. Adobe has classified this as a priority 3 update that addresses an information disclosure issue.
====================
If you use any of the above Adobe products, please review the security bulletins linked to above and apply the necessary updates as soon as possible. This is especially true for Adobe Flash.

Whether you are an individual, a large or small organization you should be aim to deploy Flash updates within 1 week in order to reduce the possibility of being affected by exploit kits (defined) that may seek to take advantage of these newly disclosed issues.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

Please make the updates for Microsoft Office, Microsoft Internet Explorer, Microsoft Edge your first priorities since they all address critical severity vulnerabilities. Please follow these with Windows Print Spooler Components (please see this link for an explanation of why this update is of critical severity) and finally Microsoft Jscript and VBScript due to their severities and prevalent use. All remaining security updates can be installed when you have the time available.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Blog Post Shout Out: Creating Passwords and Internet Privacy

This blog post shout out will focus on both security and privacy related issues.

While there has recently been a renewed focus to phase out passwords, until that happens we need to continue to manage them.

The following article discusses (among other topics) managing passwords. It focuses on providing security while making it easier for users to remember them. It also raises doubts about the need for changing passwords so often and provides evidence to back this up.

All of this advice may useful if you are trying to create or update your corporate password policy to make it more user friendly while still maintaining security.

How to hack the hackers: The human side of cybercrime by M. Mitchell Waldrop (Nature Journal)

================================
In an effort to preserve your privacy you may be using a VPN (defined) connection when browsing the internet using your computer or mobile devices.

However as noted by F-Secure in this FAQ article, this may not be enough to fully protect your identity since some information (namely your real IP address) can still be leaked via WebRTC traffic. Within that FAQ article they provide advice on how to prevent this leak for the most common web browsers.
================================
Related to the above topic of VPNs, using public Wi-Fi hotspots isn’t a good idea if you want to preserve your privacy as this Kaspersky article demonstrates.

While a VPN can assist with preserving that privacy when using a public Wi-Fi, it isn’t a perfect solution. For example, apps installed on mobile devices can still leak data as discussed in this article.

However, it possible to better control such data leakage on Android and Apple iPhones. A guide to do this for Android is available here.

For an iPhone, you can open Setting -> Mobile data and change the settings according to your preference. However, when you connect to a public Wi-Fi hotspot all the network connections in use by the apps will begin new connections or resume existing connections.

To minimise the amount of data leaked you should use a VPN (as I have already discussed above) for your mobile device. In addition, you should use the Low Power Mode option of your iPhone from Settings -> Battery and change the setting. This setting change will halt background tasks, delete Wi-Fi access point associations, previous new emails being received and automatic downloads. More information on this setting is available from here.

Next, turn on your VPN (Settings -> General -> VPN). A list of popular VPN providers is available here.

Using the above steps will help to minimise the amount of data leaked if you are privacy conscious and use an Android powered device or an iPhone. Full disclosure: as you know I use an Android phone so I haven’t intentionally provided more information/discussion on the iPhone.

I hope that you find the above references useful in maintaining your security and privacy. Many thanks to a colleague (you know who you are) for contributing the advice on using VPNs with mobile devices.

Thank you.