March 2019 Update Summary

====================
Updated: 21st March 2019
====================
Two of the vulnerabilities patched by Microsoft (CVE-2019-0797CVE-2019-0808) were zero day (defined) vulnerabilities being actively exploited in the wild. Four other vulnerabilities were publicly known (CVE-2019-0683CVE-2019-0754CVE-2019-0757 and CVE-2019-0809).

Separately the Google Chrome vulnerability mentioned below namely CVE-2019-5786 was also being exploited by attackers.

I have updated the suggested installation order (below) to reflect this new information. Thank you.

====================
Original Post:
====================
As scheduled; earlier today Microsoft and Adobe made available their security updates. Microsoft addressed 65 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 2 vulnerabilities.

For Adobe; if you have not already done so; if you manage an installation of Adobe ColdFusion or know someone who does, please apply the necessary updates made available earlier this month. That update addressed a single priority 1 zero day (defined) vulnerability being exploited in the wild. Today’s Adobe updates are as follows:

Adobe Digital Editions: 1x priority 3 CVE resolved

Adobe Photoshop CC: 1x priority3 CVE resolved

If you use the affected Adobe products; please install their remaining priority 3 updates when you can.

This month’s list of Known Issues is now sorted by Microsoft within their monthly summary page and applies to all currently supported operating systems:

KB4489878          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

KB4489881          Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

KB4489882          Windows 10 version 1607, Windows Server 2016

KB4489883          Windows 8.1, Windows Server 2012 R2 (Security-only update)

KB4489884          Windows Server 2012 (Security-only update)

KB4489885          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

KB4489891          Windows Server 2012 (Monthly Rollup)

KB4489899          Windows 10 version 1809, Windows Server 2019

 

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Kernel: CVE-2019-0797CVE-2019-0808

Windows DHCP Client: CVE-2019-0697 , CVE-2019-0698 , CVE-2019-0726

Microsoft XML: CVE-2019-0756

Scripting Engine: CVE-2019-0592 , CVE-2019-0746 , CVE-2019-0639 , CVE-2019-0783 , CVE-2019-0609 , CVE-2019-0611 , CVE-2019-0666 , CVE-2019-0769 , CVE-2019-0665 , CVE-2019-0667 , CVE-2019-0680 , CVE-2019-0773 , CVE-2019-0770 , CVE-2019-0771 , CVE-2019-0772

Visual Studio Remote Code Execution Vulnerability: CVE-2019-0809

Microsoft Active Directory: CVE-2019-0683

NuGet Package Manager Tampering Vulnerability: CVE-2019-0757

Windows Denial of Service Vulnerability: CVE-2019-0754

Microsoft Dynamics 365: a privilege escalation vulnerability (defined) has been addressed (this product is also widely deployed)

If you use Microsoft IIS (Internet Information Services), please review advisory: ADV190005

====================
Please install the remaining updates at your earliest convenience.

As always; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Google Chrome:
=======================
Google released Google Chrome version 72.0.3626.121 to address a single zero day (defined) vulnerability under active exploit. The vulnerability was a high severity use-after-free (defined) flaw in Chrome’s FileReader API (defined) which could have led to information disclosure of files stored on the same system as Chrome is installed.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Notepad++:
=======================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. This version follows another from January which resolved 7 other vulnerabilities. If you use Notepad++, please update to the newest version to benefit from these security fixes.

=======================
Mozilla Firefox
=======================
In the latter half of March Mozilla issued updates for Firefox 66 and Firefox ESR (Extended Support Release) 60.6:

Firefox 66.0: Resolves 5x critical CVEs (defined), 7x high CVEs, 5x moderate CVEs and 4x low CVEs

Firefox 60.6: Resolves 4x critical critical CVEs, 4x high CVEs and 2x moderate CVEs

Firefox 66 introduces better reliability (since crashes have been reduced) and improved performance. In addition, smooth scrolling has been added. The blocking of websites automatically playing audio or video content is now also present. These and other features are discussed in more depth here and here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

Thank you.

Windows Exploit Suggester Utility

An updated version of a lightweight utility has been made available on GitHub that provides the useful capability of listing missing security updates on your system and matching them against and listing known exploits for those vulnerabilities.

This tool was released in 2014 but has been updated to work with Microsoft’s Security Updates Guide. While there are others tools such as Belarc Advisor this tool may be useful if you want something lightweight and don’t want to be locked to a specific tool vendor.

A guide to using the tool provided by BleepingComputer is here. I’ll try this tool and update this post with how it worked on my systems.

Thank you.

Responding to the Intel Spoiler Vulnerability

Earlier this month a new vulnerability was disclosed in a research paper titled “Spoiler: Speculative load hazards boost Rowhammer and cache attacks”.

TL DR: Mitigating this newly disclosed vulnerability is the job of software developers to work around using safer code development practices. Mitigating this issue in hardware will take longer since current measures cause too much of a performance penalty.

Why should this vulnerability be considered important?
Using this new method; attackers are likely to find existing cache and memory Rowhammer attacks easier to carry out. In addition, JavaScript (defined) attacks which can take long periods of time may be shortened to mere seconds. The paper contains a cache prime and probe technique to leak sensitive data using JavaScript.

This Spoiler vulnerability can be used by attackers (who MUST have already compromised your system) to extract sensitive information from the systems memory (RAM). An attack does not require elevated privileges.

What CPUs (microprocessors / computer chips) are affected?
This vulnerability affects Intel processors only; first generation Intel Core (from early 2006) and later are affected. ARM and AMD processors are not affected. Any system with an Intel Core processor is affected regardless of the operating they are using namely Linux, Unix, Apple macOS and Windows can be all affected.

How does this vulnerability achieve the above results?
The security researchers who authored the paper found a vulnerability in the memory order buffer that can be used to gradually reveal information about the mappings of physical memory to non-privileged software processes (in other words; applications). This technique also affects virtual machine (VM) and sandboxed (defined) environments.

The technique works by understanding the relationship between virtual and physical memory by timing the speculative load and store operations to these areas while looking out for discrepancies which disclose the memory layout to you. With this information an attacker knows where to focus their efforts.

Intel’s proprietary implementation of the memory subsystem (memory disambiguation) is the root cause of the vulnerability. When a physical address conflict (the address/area is already in use) occurs, the algorithm leaks the access timings. The algorithm in the researcher’s words works as follows “Our algorithm, fills up the store buffer within the processors with addresses that have the same offset but they are in different virtual pages. Then, we issue a memory load that has the same offset similarly but from a different memory page and measure the time of the load. By iterating over a good number of virtual pages, the timing reveals information about the dependency resolution failures in multiple stages.”

How can this vulnerability be mitigated/patched?
This vulnerability lies within the memory disambiguation algorithm which won’t be trivial to resolve anytime soon. Since this vulnerability is not related to last years Spectre vulnerability; mitigations for that vulnerability don’t help here. Current Spoiler mitigations have too much of performance penalty. At this time, Intel has issued the following statement:

“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

The side channel safe development practices are linked to below:

Software Guidance for Security Advisories

Addressing Hardware Vulnerabilities

Thank you.

Security Researcher Creates Remote WiFi USB Charging Cable

Early last week; a security researcher has demonstrated a new means of social engineering which could be used to compromise the security of a computer network:

TL DR: This cable poses a threat from a social engineering perspective. Should these cables become widespread: I would recommend being more careful of the cables you use to charge devices and consider using power outlets for charging.

What kind of threat does this pose?
The researcher created a custom USB cable that looks just like a standard cable. This cable could obviously be used to charge a smartphone. This cable however contains a custom printed circuit board (PCB) that allows an attacker to send commands to it via WiFi. The cable “appears” and acts as a keyboard and mouse when connected to a system and allows the attacker to control as if they had physical access to it and allows the opening of a reverse shell to execute commands:

The researcher demonstrated how the “mouse” feature of the cable could be used to prevent a system from locking after the real user has left the system by continually moving the mouse; just as a real person would.

Worse than this the cable has the potential to conduct WiFi deuthentication (de-auth) attacks which will disconnect devices in the vicinity from the WiFi networks they have connected with. This would constitute a denial of service attack and the inconvenience of having to keep re-connecting your wireless devices to the WiFi network again. Whether such an attack could be used to sniff/capture WiFi authentication credentials or to be used to exploit the KRACK vulnerability is not clear:

How could an adversary use this cable in a practical way?
The adversary simply need to wait for you to plug this cable into one of your systems. They don’t need to be nearby in order for them to access the system the cable is connected to (since the cable appears to be accessible over the internet connection in your office). Consider if an adversary left some of these cables on the desks in your organisation. How many people connect the cables to their systems to charge their phone? This would be even more common in older offices were USB charging ports aren’t readily available.

An adversary could also send some cables to your office via postal mail while pretending they came from the marketing department or another office of the same organisation. Cables aren’t considered malicious (like an unknown USB thumb drive should be) and will be used by those who receive them. Employees might also take them home or give these “free” cables to friends and family.

How can I protect myself from this type of threat?
This is not an easy question to answer. While you can educate your employees to not use cables that arrive in the postal mail (or even from your marketing department); what is to prevent them from doing so? Do you then treat every cable as a possible threat? You would need to place your office in a Faraday cage to truly mitigate this! Should you split every cable open to check if it has a WiFi PCB added to it (even if you did; could you tell what you are looking at)?

Given how common and widespread they are; is that even possible? You could ask that charging cables are only connected to power (electrical) outlets (requiring employees to bring the charging adapters for their devices (which almost nobody does) or ask them to use portable battery packs. But again; what is to stop an employee from not doing this especially if they are travelling and need to charge their mobile devices? It’s already difficult to educate your employees about the dangers of BadUSB or juice-jacking (my previous post on that topic) but this is even harder to defend against:

It’s very likely that this cable would have a MAC address and while you can use MAC address authentication to protect your network; that can be bypassed. An adversary can spoof a MAC address (to use a legitimate MAC address from your own network). So, if you deny that MAC access to your network you could block the legitimate device too.

Note: The adversary would need to use some form of software to spoof the MAC address. The cable may not currently accommodate that capability. I assume the adversary can’t manufacture the silicon needed for a WiFi adapter and doesn’t have the ability to “burn” a MAC address of their choice into it.

It’s important to remember this cable is only a proof of concept at this time but the researcher does plan to sell them. They could be used by pen testers in much the same way as Wi-Fi Pineapples or RubberDuckies currently are. Given that the cable looks exactly like a standard USB smartphone charger (for an Apple device); from the photos included you can’t tell the difference between a genuine cable and this pen testing cable.

Can an upcoming standard for USB help with this issue?
Possibly.

Unfortunately, while the new USB Type-C Authentication Program appears to be more of a Digital Rights Management (DRM) feature that may raise charger and cable prices and potentially creating vendor lock-in. While it would help with detecting a malicious cable or a cable that was tampered with; it remains to be seen if the standard in reality increases security. It’s also unclear how the cables will authenticate since we have seen digital signatures being stolen in the past to bypass this form of authentication:

Thank you.

Adobe Flash Player 2019 Update Tracker

In a similar manner to previous years this post will track the number of vulnerabilities patched within Adobe Flash for 2019. This will be the penultimate year of tracking these numbers since Flash Player is due to be decommissioned in 2020.

As always this post will be updated throughout the year with the details of vulnerabilities being patched and if they are being exploited in the wild. Apologies for not making this 2019 tracker available sooner.

Thank you.

=======================

=======================
8th  January 2019: Adobe releases Flash Player v32.0.0.114 This update is a non-security update addressing only feature and performance bugs.

12th February: Adobe releases Flash Player v32.0.0.142 resolving 1x priority 2 CVE.

12th March: Adobe have not released any Flash Player updates this month.

=======================
Update: 19th February 2019: The timeline was created to include the Adobe Flash Player updates for January and February 2019. At the time of writing no exploits for the issue fixed by the February update are known to be taking place.

Update 12th March 2019: The timeline was updated to reflect that Adobe did not issue Flash Player updates this month.

=======================

February 2019 Update Summary

Earlier today Microsoft made available 13 bulletins and 3 advisories resolving 74 vulnerabilities (more formally known as CVEs (defined)) respectively. As always more details are available from Microsoft’s monthly summary page.

Also today Adobe released scheduled updates for the products listed below addressing 75 CVEs in total:

Adobe Acrobat and Reader: 71x priority 2 CVEs resolved (43 of the 75 are Critical, the remainder are Important severity)

Adobe ColdFusion: 2x priority 2 CVEs resolved

Adobe Creative Cloud Desktop Application: 1x priority 3 CVE resolved

Adobe Flash Player: 1x priority 2 CVE resolved

If you use the affected Adobe products; due to the public disclosure (defined) of CVE-2019-7089 as a zero day (defined) vulnerability, please install the Adobe Acrobat and Reader updates first followed by Flash Player and the remaining updates. I provide more detail on the zero day vulnerability in a separate post.

As we are accustomed to Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates or for which workarounds are provided. They are listed below for your reference:

4345836
4471391
4471392
4483452
4486996
4487017
4487020
4487026
4487044
4487052

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft GDI+

Scripting Engine (CVE-2019-0590 , CVE-2019-0591 , CVE-2019-0593 , CVE-2019-0640  ,
CVE-2019-0642
, CVE-2019-0648 , CVE-2019-0649  , CVE-2019-0651 , CVE-2019-0652 , CVE-2019-0655 , CVE-2019-0658)

Windows DHCP

Microsoft Exchange

Microsoft SharePoint and CVE-2019-0604

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
8 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 8.8 have been resolved within Nvidia’s graphics card drivers (defined) in February. These vulnerabilities affect Linux FreeBSD, Solaris and Windows. The steps to install the drivers are detailed here (and here) for Ubuntu and here for Linux Mint. Windows install steps are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
7-Zip:
=======================
In the 3rd week of February; 7-Zip version 19.00 was released. While it is not designated as a security update; the changes it contains appear to be security related. While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. Directory Opus version 12.2.2 Beta includes version 19.00 of the 7-Zip DLL.

If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from these improvements.

=======================
Changes:
=======================
– Encryption strength for 7z archives was increased:
the size of random initialization vector was increased from 64-bit to 128-bit, and the pseudo-random number generator was improved.
– Some bugs were fixed.
=======================

If you are using the standalone version and it’s older than version 19, please consider updating it.

=======================
Mozilla Firefox
=======================
In mid-February Mozilla issued updates for Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65.0.1: Resolves 3x high CVEs (defined)

Firefox 60.5.1: Resolves 3x high CVEs

As always; details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from changes such as improvements to Netflix playback, color management on Apple macOS and resolving audio/video delays during WebRTC calls etc.

=======================
Wireshark 3.0.0, 2.6.7 and 2.4.13
=======================
v3.0.0: 0 security advisories (new features and benefits discussed here and here)

v2.6.7: 3 security advisories

v2.4.13: 3 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.0, v2.6.6 or v2.4.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Note: from this post onwards, I will only report on the most recent (v3.0) and previous branches (v2.6) of Wireshark.

Thank you.

Adobe Reader Vulnerability Disclosed

====================
Updated: 26th February 2019
====================
After the update was issued by Adobe; the original researcher who disclosed it found a bypass and again reported it to Adobe. The bypass was assigned another CVE number; CVE-2019-7815

It has now been addressed by a further update made available by Adobe last Thursday. If you use Adobe Acrobat or Reader, please ensure it is up to date:

Thank you.

====================
Original Post
====================
Yesterday; the security firm 0patch released a micropatch for a vulnerability that was publicly disclosed (defined) in late January.

Why should this vulnerability be considered important?
The vulnerability allows for the extraction/disclosure of the NTLMv2 hashes (defined) associated with your Windows login account to be sent to an attacker when you open a specifically modified PDF document, The information is sent via the SMB protocol (defined) to the attacker essentially allowing the document “to phone home” to them.

Adobe Reader DC (2019.010.20069 and earlier) are affected. This vulnerability is similar to a now patched vulnerability from last year namely; CVE-2018-4993, The new vulnerability is caused by the fact that while a user is warned via a dialog box when opening an XML style sheet via the HTTP protocol; when using the SMB protocol and while following a UNC (defined) link; no such warning appears.

How can you protect your organisation and yourself from this vulnerability?
Please apply the update made available by Adobe earlier today. If for any  reason you cannot update right now, please consider the micropatch from 0patch. A YouTube video of the micropatch in action is available from the following link:

The micropatch does not require a reboot. The patch does not need to be uninstalled once you later install the update from Adobe.

Thank you.