BlueBorne : Bluetooth Vulnerability Explained

Researchers from the security firm Armis have discovered a set of eight security vulnerabilities within the Bluetooth (defined) communications technology and responsibly disclosed (defined) them to affected device manufacturers. These are not present in the protocol layer of Bluetooth but within the implementation layer of Bluetooth which “bypasses the various authentication mechanisms, and enabling a complete takeover of the target device” (source). An estimated 5.3 billion devices are thought to be vulnerable ranging from computers tablets, smartphone, TVs, watches to Internet of Things (IoT) (defined) medical devices. This set of vulnerabilities is known as “BlueBorne”.

What is BlueBorne and why is it important?
Exploitation of the BlueBorne vulnerabilities allows the complete compromise of the vulnerable device and does not require the vulnerable device be paired (defined) with the attacking device.

Once exploited the vulnerabilities allow the attacker to conduct remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device)) and man in the middle attacks (defined). To begin the attack, the attacker does not need for the user of the vulnerable device to have taken any action.

These vulnerabilities are particularly severe since Bluetooth is less secured on a corporate network than for example, the proxy server (defined) providing internet access making spreading from advice to device in a worm (defined) like fashion (theoretically) possible. The Bluetooth protocol often runs with high privilege on devices and is not usually considered a potential entry point into a network. Air gapped systems (defined) are also potentially vulnerable.

How can I protect myself from these issues?
Software updates for some devices are listed here (for Google, Linux and Microsoft devices). Recent Apple devices were found not to be vulnerable. A full list of affected devices and the software updates to protect them are listed here and will be updated by Armis.

For users of Google Android devices, they can check if their device is vulnerable by downloading the BlueBorne Android app. Disabling Bluetooth if you are not using it and only leaving it enabled for the time you are using it are also good security practices. Once your devices are updated, you should be able to resume normal Bluetooth usage. Please not that not all devices will or can be updated due to end of support lifecycles, newer products and product limitations. It is estimated approximately 2 billion devices will not receive software updates to resolve these issues.

Thank you.

September 2017 Security Updates Summary

Earlier today Microsoft made available their scheduled monthly security updates. These resolve 81 vulnerabilities; more formally known as CVEs (defined). They are detailed within Microsoft’s new Security Updates Guide.

This month there are 3 Known Issues (KB4038792 , KB4038793 , and KB4011050) for this month’s Microsoft updates. 2 of these issues relate to the breaking NPS authentication or the hanging of Japanese IME. The first two links suggest editing the Windows Registry (defined) or installing an update (respectively for each issue) to correct them. The final issue involves the display of black borders around cells in Excel, resolved by installing an update.

====================

Separately Adobe made available three security bulletins for the following products:

Adobe ColdFusion (priority 2, 3x critical, 1x important CVEs)

Adobe Flash (priority 1, 2x critical CVEs)

Adobe RoboHelp (priority 3, 1x important, 1x moderate CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

Of note this month is a vulnerability in PDF reader software which does not affect Adobe’s Acrobat and Reader DC products. A detailed list is available in this news article. Google Chrome, Firefox and others have resolved this vulnerability while other affected products remain in progress.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows NetBIOS Vulnerability (CVE-2017-0161)(vulnerability affects more than Windows 10)(NetBIOS : defined)

Windows DHCP Vulnerability (CVE-2017-8686) (vulnerability affects more than Windows Server 2016)(DHCP : defined)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft Office (CVE-2017-8630 and CVE-2017-8744)(multiple versions of Office affected)
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column. That link is becoming less useful, it has not been updated since June 2017.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017. Versions 1703 and 1709 of Windows 10 will consequently block the installation of EMET. This makes sense for version 1709 since it includes a replacement for EMET while 1703 (to the best of my knowledge does not).

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

August 2017 Security Updates Summary

It’s the second Tuesday of August and Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved 48 vulnerabilities in total more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month there is only 1 Known Issue for this month’s Microsoft updates.

====================

Separately Adobe made available four security bulletins for the following products:

Adobe Digital Editions (priority 2, 2x critical, 7x important CVEs)

Adobe Experience Manager (priority 2, 1x important, 2x moderate CVEs)

Adobe Acrobat/Reader (priority 2, 43x critical, 24 important CVEs)

Adobe Flash (priority 1, 1x critical, 1x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

Of note this month is the particularly large Adobe Acrobat/Reader update and the very small Flash Player update. The number of vulnerabilities resolved in last month’s Flash Player update was also small but it is too early to tell if vulnerability is moving away from Flash Player due to Adobe’s recent notice of their intention to de-commission Flash Player in 2020.

=======================
Update:12th September 2017:
=======================
Adobe last month updated their Adobe Acrobat and Acrobat Reader again after the availability of the initial patches in order resolve a regression (defined). Please ensure your installations of these products are updated to the version detailed by Adobe in their updated security bulletin (or are more recent than those listed in the bulletin).

Thank you.
=======================

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Microsoft Windows Hyper-V

Windows Scripting Engine (affecting Edge, Internet Explorer and Office)

Microsoft Edge and Internet Explorer

Windows PDF Viewer

 

Important severity:

Windows Font Engine
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

July 2017 Security Updates Summary

Earlier today as expected Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved a relatively large number of vulnerabilities at 54 in total more formally known as CVEs (defined). However it’s less than last month at 94. These are detailed within Microsoft’s new Security Updates Guide.

After 2 months of updates being released for versions of Windows which were no longer supported, this month is a return to the usual expected patches.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog which I routinely referenced is no longer available.

====================

Adobe made available just two security bulletins for the following products:

Adobe Connect (priority 3, 2x important and 1x moderate CVE)

Adobe Flash (priority 1, 1x critical, 2x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

 

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Microsoft Edge and Internet Explorer

NT LAN Manager Elevation of privilege (CVE-2017-8563)(Corporate users: please ensure to set a more secure LDAP setting as per this knowledge base article)

Windows Explorer (CVE-2017-8463)
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Note: This post marks the 300th post on this blog. Thank you very much to my readers and here’s to the next 300!

=======================
Update:8th August 2017:
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 9 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

Windows 10 Fall Creator’s update to include EMET features

Late last month Microsoft published two blogs (here and here) which announce forthcoming security features being added to the Windows 10 Fall Creator’s Update (intended to be released in September 2017).

Among the features such as enhancements to the Windows Defender Advanced Threat Protection (ATP) are features such as Windows Defender Application Guard (intended to block zero day (defined) threats by isolating the threat), improved Windows Defender Device Guard and Windows Defender Exploit Guard. The final feature here, Exploit Guard is noteworthy since it will incorporate some of the mitigations (defined) previously available from EMET and will provide the ability to harden legacy applications, just like EMET did namely 32 bit Windows applications.

The improvements to Windows Defender Exploit Guard don’t stop there; it introduces new mitigations and vulnerability prevention capabilities. Moreover a new class of mitigations leveraging intelligence from the Microsoft Intelligent Security Graph (ISG), will include intrusion rules to protect against more advanced threats e.g. zero days exploits. Exploit guard will act as “an extra layer of defense against malware attacks in-between the firewall and antivirus software.”

As a fan of Microsoft EMET, it’s great to see it’s return. However whether it will be available in all versions of Windows 10 or only corporate managed Windows 10 Pro and Windows 10 Enterprise is not yet clear.

I will update this post when new information becomes available. Thank you.

June 2017 Security Updates Summary

Yesterday Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft’s addressed a large number of vulnerabilities, 94 in total more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are three Known Issues for this month’s Microsoft updates (although all three knowledge base articles (4022717, 4022726, 4022715) describe the same iSCSI availability issue which is currently awaiting a resolution). The IT Pro Patch Tuesday blog hasn’t been updated since April and isn’t of assistance this time (and for that reason is becoming increasingly irrelevant).

====================

This month again breaks the usual trend with these updates to offer a collection of updates for Windows XP and Windows Server 2003 which address the remaining vulnerabilities disclosed by the ShadowBrokers hacking team back in April this year. The majority of these updates were already released for more modern versions of Windows after the end of support dates for Windows XP (April 2014) and Windows Server 2003 (July 2015) respectively. Please review the detailed security advisory to download the appropriate updates for your systems. Further information is available in Microsoft’s blog posts here and here.

As with the update made available in May, these updates will not be available via Microsoft Updates or Automatic Updates. The availability of these updates provides mixed meanings; namely that while they were made available is positive. However for those corporations, organisations and individuals sing out dated versions of Windows, it provides them less reasons to migrate since it hints at an attitude that Microsoft will patch those system if the situation get very bad. While Microsoft worked to dispel this point, not everyone will be aware of their statement on this matter.

In a further break from the routine of Update Tuesday, I wanted to mention a further set of vulnerabilities found in Windows Defender which Microsoft patched last month. Please ensure your version of Windows is using the patched version of Windows Defender as detailed in this news article to address these issues.

====================
Separately Adobe made available four security bulletins to updates for the following products:

Adobe Captivate (1x priority 3 CVE)

Adobe Digital Editions (9x priority 3 CVEs)

Adobe Flash (9x priority 1 CVEs)

Adobe Shockwave Player (1x priority 2 CVE)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

 

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Windows Lnk

Windows Graphics

Microsoft Edge (CVE-2017-8498CVE-2017-8530 and CVE-2017-8523) and Internet Explorer

Microsoft Office  (CVE-2017-0260 and CVE-2017-8506)

Microsoft Outlook
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 14th June 2017:
=======================
I wish to provide information on other notable updates from June 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 54.0

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 30 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Wireshark 2.2.7 and 2.0.13
=======================
As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.2.6) or v2.0.13). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

Attackers intercept SMS/text messages to drain bank accounts

In early May this year a German newspaper Süddeutsche Zeitung detailed the first documented case where cybercriminals exploited known SS7 (Signalling System version 7)(defined)(PDF) vulnerabilities for their own profit (the attack took place in January 2017).

How did this incident take place?

According to the German newspaper, the attackers first obtained the victim’s credentials for their bank account (by phishing (defined) emails), then used the SS7 flaws to hijack their phone number and receive the transaction confirmation code (within a text message (an SMS (defined) message)) on a mobile phone in use by the attackers. This exploit allowed the attackers to steal users’ mobile transaction authentication numbers (mTAN) and thereby withdraw money from their victim’s accounts.

Currently, carrying out such attacks requires specialized hardware and special codes to interact with other telephony providers. Buying such equipment and the codes isn’t as hard as you believe, and an SS7 hacking rig could cost an attacker a few hundred to a thousand dollars, well below the money they stand to make.

Why should this vulnerability be considered important?

The SS7 (Signalling System No. 7) protocol was developed in the 1980s and is a so-called telephony signalling protocol, used to route calls between different telephony providers.

The protocol has no security features, and its flaws became widely known after talks at the Chaos Communication Congress meetings held in 2010 and 2014. In these two talks, German security researcher Tobias Engel (with Karsten Nohl in 2014) showed how a determined actor could locate and track any person on the planet via SS7, and even manipulate their communications by taking over their phone number.

Moreover in April 2016; the issues surrounding SS7 came back again into the limelight when a CBS reporter with the help of the above mentioned German security researcher (Karsten Nohl) used the same flaws to track US House of Representative’s member Ted Lieu’s whereabouts (with his consent). Indeed; both US Senator Ron Wyden and Representative Lieu have previously called for the FCC to at least look into strengthening the security of SS7. They also wrote an open letter (PDF) to the Homeland Security Secretary John Kelly.

Just one month later (May 2016) security firm Positive Technologies showed how using another technique an attacker could hijack a person’s phone number and receive messages intended for other WhatsApp and Telegram accounts.

How can I protect myself from these vulnerabilities?

Before focusing on the vulnerabilities within SS7, let us first review how the attackers emptied victim’s bank accounts:

They first obtained their victims banking details via phishing emails. Tips to avoid being effected by such emails are provided here.

Following this incident, the affected German mobile network operator made it impossible for call forwarding to be effected by other organizations that have access to the mobile operator’s network. Other German mobile network operators have implemented this change. This should mitigate a similar attack occurring in the future for these mobile operators. All other mobile operators should deploy similar mitigations. Further recommendations to mobile operators e.g. the use of a signalling firewall are provided in this news article. As this article mentions, the successor of SS7, namely Diameter will take time to migrate to and unfortunately suffers from some of the same vulnerabilities.

In 2016 the US National Institute of Standards and Technology (NIST) began recommending not to use SMS messages for two-factor or two-step verification (differences between 2FA and 2SV). Instead they are suggesting the use of tokens (most likely hardware tokens) and cryptographic authenticators (and perhaps at a later time biometric authentication (defined)).  They also encourage software vendors to check for the presence of a VoIP connection (Voice over IP, defined). This is due to some VoIP services allowing the hijacking of SMS messages.

At this time, the use of software authenticators such as the Google and Microsoft authenticators and RSA’s SecurID app are increasing and it favours the eventual phase out of SMS messages. The use of biometrics (perhaps making use of Windows Hello) or USB tokens such as the YubiKey.

Advice for consumers/end-users:

The previously linked to article (above) also contains advice (in the final three paragraphs) which you may find useful.

Thank you.