Monthly Archives: May 2015

Python 2.7.10 Released

Update: 8th December 2015:
The Python Foundation have released Python 2.7.11. Please see this more recent blog post for details.

Thank you.

=======================
Update: 24th November 2015:
At this time, Python 2.7.11 has entered release candidate testing (defined).The final version should be available in early December. I will update this post and publish a dedicated post when this update becomes available.

Thank you.

=======================
Original Post:
=======================
Last weekend, the Python Foundation made available an update to its older series of Python installers. Version 2.7.10 was released for the 2.7 code branch (3.4.3 is the most recent branch with 3.5 in alpha testing). On one of my PCs I have a specific piece of purchased software installed that requires Python 2.7.

This 2.7.10 update is significant since it incorporates the following noteworthy changes:

  • 4 buffer overflows resolved
  • 2 integer overflows resolved
  • 1 use after free bug resolved
  • Removes the RC4 cipher from the SSL module’s default cipher list
  • Upgrades the Windows build of Python 2.7.10 to include OpenSSL 1.0.2a (previously the OpenSSL version was 1.0.1j bundled with Python 2.7.9 released in December 2014)

The full changelog is available here.

While none of the above overflows or the use after free bug have been assigned CVE numbers and are not explicitly reported as security vulnerabilities, it is still best practice to patch these bugs if you are using an older version of Python. In addition, 14 CVEs have been resolved by the OpenSSL Project between the releases of OpenSSL 1.0.1k up to 1.0.2a (i.e. from the previous 2.7.9 version to the current 2.7.10). Please note that the total of 14 CVEs does not include CVEs that only affected the 1.0.2 branch.

For an explanation of what CVEs are, please see the first short aside within this blog post.

If you have Python 2.7 installed, please consider upgrading to the most recent 2.7.10 update to benefit from the above mentioned fixes. I installed the 2.7.10 update over the previous 2.7.9 version (the installer detects the previous version and offers to update it) and the application that requires Python mentioned above continues to work normally.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

KCodes NetUSB Security Flaw Found In Many Routers

Early last week a security vulnerability was disclosed in KCodes NetUSB. This is a Linux module that is provided as part of the operating system that runs within the router. It allows the sharing of USB services across your local network (i.e. to devices that are connected to your router). These devices could be external hard disks (for media sharing), webcams, printers etc.

The flaw within the KCodes module is a buffer overflow that can be exploited by connecting a computer which has a host name longer than 64 characters. Since this module runs in kernel mode (it’s a kernel driver) once the buffer overflow occurs, the attacker can then use this flaw to execute code or a denial of service.

For a list of affected routers, please see this SEC Consult security advisory and this CERT advisory. At the time of writing TP-Link has released updated firmware for some of their routers with further models to receive updates in the future (a timeline is presented in the aforementioned SEC Consult security advisory). In addition, Netgear is working to address this flaw in its affected products and plans to make updates available in July for this purpose.

How I can defend against/mitigate this attack?
While updates are pending, please ensure that your routers administrative interface (usually accessible via a web browser) is protected with a strong password. In addition, on some models of router it may be possible to disable the sharing of USB devices on the network. In the case of Netgear routers’ disabling this sharing feature has no effect. For all other routers that have this feature preventing access to the sharing service by blocking access to TCP port 20005 (from your local internal network using the routers firewall) will mitigate this vulnerability.

Update: 29th May 2015:
D-Link have made available a security advisory for this issue with a timeline for firmware updates that are currently under development. If you own a D-Link router, please check if your model is affected and take the necessary action (if applicable).

Finally I would recommend monitoring the relevant websites of your routers’ manufacturer for firmware updates that address this flaw. Please follow the steps provided by your router manufacturer to apply the relevant updates. Thank you.

The Logjam Attack: What You Need To Know

A new attack against the Diffie Hellman protocol has been made public. This weakness allows an attacker (a man in the middle (MITM)) to downgrade the key exchange protocol Diffie Hellman to 512-bit export-grade cryptography. When the TLS (Transport Layer Security) connection is secured using this few bits, it becomes vulnerable to being broken (i.e. obtaining the session key) meaning that the connection can then be eavesdropped upon.

Why is this important?
The Diffie Hellman protocol is used to secure many everyday websites using HTTPS (this makes the lock icon appear or for your browser address bar to display green). Samples of what Extended Validation certificates look like within your web browser are shown on this page. EV certificates are less common than standard single domain name certificates but these images should assist in conveying how widely used HTTPS really is. More information on TLS/SSL is available in this podcast.

Diffie Hellman is also frequently used when accessing servers remotely using SSH and within VPNs (including IPSec VPNs). VPNs are commonly used to access servers in your workplace from outside of your workplace or when using a public internet connection e.g. a coffee shop’s free WiFi.

As detailed in a technical report on this attack (see Page 3: Table 1) since a large number of devices use the same prime number (upon which the most efficient algorithm namely number field sieve for breaking a Diffie Hellman secured connection is based) this means that the time needed to break the connection is significantly reduced. Using this attack (see Page 7: Table 2), the times for breaking common Diffie Hellman secured connections are shown below:

512 bit: Linear Algebra Stage: 7.7 years; Descent Time: 10 minutes

768 bit: Linear Algebra Stage: 28,500 years; Descent Time: 2 days (within reach of academic researchers)

1024 bit: Linear Algebra Stage: 35 million years; Descent Time: 30 days (within reach of a nation state)

Source: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Excellent articles on the impact of this attack and other background information can be found in this blog post and this post.

Recommended Actions:
I refer you to the section titled “What should I do?” within this page for advice on next steps.

Today I tested Mozilla Firefox (v38.0.1), Google Chrome (v43.0.2357.73, 64 bit, Beta Channel) and Internet Explorer (v11.0.19) to check if they were vulnerable to this attack.

You can check your browser by the visiting this page (also mentioned above). The result will be shown at the top of the page for you.

Both Firefox and Chrome at the time of writing were vulnerable, this is likely to be resolved very soon by both browser vendors.

IE 11 was not vulnerable to this attack (most likely since Microsoft issued MS15-055 as part of its May security updates). However since Microsoft Research is credited as a contributor along with many other computer scientists of the above mentioned report its plausible that this gave them advance notice of the issue to resolve it sooner.

If you use WinSCP, you should ensure you have the latest version installed so that you are no longer vulnerable to Logjam and other more recent OpenSSL vulnerabilities.

Update: 20th May 2015: A ComputerWorld blog post provides a table showing which browsers are currently patched against this flaw.

Update: 2nd June 2015: VideoLAN, the creators of VLC have created a ticket within their bug tracker concerning proposed changes to VLC in response to the Logjam flaw.

Update: 7th February 2016:
VideoLAN have updated their VLC media player to version 2.2.2 which addresses the Logjam security issues within their product. Further details are available in a more recent blog post.

Update: 21st May 2015: OpenSSL has published a blog post with a discussion of the Logjam attack, upcoming changes in OpenSSL in response to this attack and provides a means to check if your OpenSSL server installation is vulnerable.

Update: 31st January 2016: To further protect against the Logjam attack the OpenSSL project have now increased the length of the Diffie-Hellman handshake parameters to 1024 bits. Further details are available in this security advisory.

Update: 11th June 2015:
OpenSSL released a security advisory today to resolve 7 CVEs one of which was a workaround for the Logjam security flaw. The change made to resolve this flaw was to reject Diffie-Hellman handshake requests for parameters shorter than 768 bits. A later release of OpenSSL will extend this to 1024 bits. I would advice updating your OpenSSL installations as soon as possible to mitigate these vulnerabilities (usually by using your Linux package manager to install the applicable updates).

Update: 2nd July 2015: On the 30th of June, Apple released fixes for OS X and iOS to address the Logjam flaw within those products.

Update: 3rd July 2015: Today Mozilla released Firefox 39 and Firefox ESR (Extended Support Release) 38.1 and ESR 31.8 to address the Logjam flaw within those products.

Update: 10th July 2015: I have verified that the Opera web browser is not vulnerable to Logjam since version 30.0.1835.52 released on the 9th of June 2015.

In addition, at the time of writing (10th July 2015), Google Chrome v43.0.2357.132 (Stable, 64 bit) and Google Chrome v44.0.2403.81 (Beta, 64 bit) remain vulnerable to Logjam.

Update: 24th July 2015: At the time of writing (24th July 2015), Google Chrome v44.0.2403.107 (Stable, 64 bit) and Google Chrome v44.0.2403.89 (Beta, 64 bit) remain vulnerable to Logjam.

Update: 28th July 2015: Google Chrome v44.0.2403.125 (Stable, 64 bit) remains vulnerable to Logjam. However Google Chrome v45.0.2454.15 (Beta, 64 bit) includes a fix for Logjam. I have verified it is no longer vulnerable.

Update: 12th August 2015: Google Chrome v44.0.2403.155 (Stable, 64 bit) remains vulnerable to Logjam.

Update: 13th August 2015: OpenSSH has released v7.0 which addresses the Logjam issue within it’s implementation.

Update: 25th August 2015: VideoLAN, the creators of VLC have closed the ticket that I mentioned above (see update: 2nd June 2015) since they have resolved the Logjam issue within their code for the upcoming version 2.2.2 of VLC. A related ticket involving a regression (an unintentional introduced software bug/error) caused by the changes they made was also resolved.

Update: 3rd September 2015: Google Chrome v45.0.2454.85 (Stable, 64 bit) is no longer vulnerable to the Logjam issue since it includes the fix mentioned in the 28th of July entry (above).

I hope that the above advice assists you in securing your servers and computer systems from this new attack. I will update this article when more information concerning updates for web browsers becomes available.

Thank you.

Defending Against Ransomware

What is Ransomware?

Ransomware is malware that stops you using your computer in some way. This can be either by showing a lock out screen (not allowing you to login) or by encrypting your personal data. For each of these possibilities a ransom is demanded in order to use your computer or recover your (now) lost data.

Ransomware has been around for many years becoming most prevalent from late 2011 onwards with Reveton being one of the most well-known variants from approximately 3 years ago. Despite this category of malware being several years old, newer variants such as CryptoLocker, TeslaCrypt and most recently Los Pollos Hermanos continue to cause disruption, stress and cause financial loss to their victims. Further information on ransomware is provided in this blog post and explained further in this podcast.

Should you pay the ransom?

Since paying the ransom convinces the malware authors that their scheme is working and funds a black market economy, you should not pay the ransom. I realize that if the ransomware has encrypted irreplaceable data that is not backed up you may have no choice to pay it, but there is no guarantee that you will get your data back. The human impact of ransomware is detailed in this analysis by FireEye. One possible outcome is that the ransom is paid but the files cannot be decrypted.

How To Remove an Existing Ransomware Infection?

If you have an existing ransomware infection I would suggest following the advice from this short Sophos blog post. That blog post also references an explanatory YouTube video. The Sophos Bootable Antivirus CD mentioned in the above blog post can be created using the steps in this knowledge base article.

An alternative approach is detailed by Mark Russinovich of Microsoft in this blog post (see the section titled “The Hunt”). He provides further easy to follow steps to remove the malware should scans with Microsoft Security Essentials or Windows Defender Offline fail.

If the above advice is not successful in removing the ransomware infection, please consider using one of the 3rd malware removal services mentioned in this Symantec forum post. Please note this forum post does not list services that Symantec wishes to promote or advertise, these services are provided by trusted and highly successful 3rd parties independent of Symantec.

Preventing A Ransomware Infection:

In order to prevent a ransomware infection I would recommend the following steps:

  1. Keep your operating system and web browser up to date. I detail how within this page.
  2. Install and use anti-malware software (ensure that it offers real time protection (continuous monitoring)).
  3. Don’t open attachments from an untrusted source or attachments you weren’t expecting from someone you do trust (their email account could have been hijacked).
  4. Backup up your data regularly. At least one such backup should not be connected to your computer (if it’s connected at the time the malware infects your computer, your backup could also be encrypted). In addition, test that you can restore any data that you wish from your backup before such a malware infection occurs.
  5. Further advice is also provided by FireEye in the blog post that I mentioned above (please see the final section titled “Individuals and Small Businesses Should Consider Basic Steps to Protect Themselves”).
  • Note: Please ensure that if you use cloud storage e.g. Google Drive, Dropbox etc. to not have the cloud drive accessible (in the same way as a standard folder) on your computer when you are not actively using it. If you get a ransomware infection it could also encrypt the backup cloud drive (since it works just like another folder on your computer) and this makes restoring your data more difficult.

Update: 29th May 2015:
If you are using an edition of Windows (compatible editions listed here) that incorporates AppLocker (for Windows 8.0 and later only corporate versions of Windows incorporate AppLocker), please enable it to Enforce executable rules to prevent ransomware and other malware from running on your PC.

Update: 10th November 2015:
This detailed post from Susan Bradley provides easy to understand further advice on defending against ransomware.

Update: 10th January 2016:
In addition to the information/advice in this blog post; a more recent blog post also discusses a new type of ransomware threat and how to protect yourself against it.

Update: 31st January 2016:
This Computerworld article provides further defensive tips e.g. restricting mapped network drives and knowing the users of your devices.

Since AppLocker is another name for application white listing only executable files that you pre-approve (i.e. files that run code, usually applications) will be allowed to run. AppLocker can also prevent unauthorized Windows Installer files (*.msi and *.msp) and scripts e.g. PowerShell and batch files (among others, more details provided here) from running without prior approval. Further resources for configuring AppLocker are provided in this article and this series of articles.

Update: 6th March 2016:
For advice on preventing a ransomware attack from affecting your business, please see this more recent blog post. This post also provides a resource to defend against the “Locky” variant of ransomware and provides an excellent explanation of your options/what to do when ransomware has already infected your computing device (complimenting the existing information in this post) and how to defend against the Locky variant of ransomware being spread via spam messages.

Update: 17th March 2016:
In February 2016 very large numbers of websites powered by WordPress (a blogging tool/content management system) were compromised and used to spread ransomware to those who visited the websites. This threat and recommendations to remove/prevent it are also available in a previous blog post.

In early March 2016, Apple Mac OS X systems that had the Transmission BitTorrent client version 2.90 installed were at risk from a ransomware infection. Further discussion and recommendations are provided in a more recent blog post.

Update: 26th March 2016:
This more recent blog post provides further advice on preventing ransomware (not previously documented within this blog). Please review it to further defend yourself against this increasingly prevalent threat.

Thank you.

Google Releases Chrome Version 43

Earlier today Google made available Chrome version 43.0.2357.65 for Linux, Mac OS X and Windows. This updates includes 37 security fixes including 6 high severity CVEs. Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Alternatively Chrome can be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu.

Full details of the update are available in this Google blog post.

While Google Chrome updates usually go smoothly, as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues. Thank you.

May 2015 Security Updates Summary

Earlier this week, Microsoft made available its anticipated security updates on Update Tuesday resolving 48 CVEs. The individual products affected are detailed in the Security Bulletin Summary. Any Known Issues are also summarized there. Another very useful source detailing known issues is the IT Pro Patch Tuesday blog.

For an explanation of what CVEs are, please see the first short aside within this blog post.

Adobe also issued updates to resolve security issues in Flash Player and Adobe Reader. Further details are available in this Adobe PSIRT blog post. 52 CVEs in total were resolved.

Both Mozilla Firefox (to version 38.0, 15 CVEs) and Firefox ESR (Extended Support Release) (to version 31.7, 7 CVEs) were also updated. Google Chrome was updated to version 42.0.2311.152. This update simply includes the above mentioned Flash Player update.

As always you can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————-
Security Updates Calendar: (please see the heading “Information on Security Updates” within the Protecting Your PC page):
http://www.calendarofupdates.com/updates/index.php?act=calendar

Edit: 21st June 2015:
I have learned that the Calendar of Updates website is now permanently offline. Some members of that website along with new members/volunteers are working to set up a new version as soon as possible. I will monitor their progress and will provide the link to the new website when it’s available. In the meantime, please use Secunia PSI, refer to the US-CERT link below or refer to the heading “Information on Security Updates” within the Protecting Your PC page.

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible.

I would like to mention that Adobe’s Flash Player update and Microsoft’s updates for Internet Explorer, Microsoft Font Drivers and Windows Journal should be prioritized for installation before all other updates due to their severity, especially in the case of Adobe Flash since the time for exploitation of patched flaws has shortened recently.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

US-CERT Details Top 30 Targeted High Risk Security Vulnerabilities

In the final week of April the US-CERT announced the Top 30 exploitable security vulnerabilities that could be used to attack critical infrastructure organizations/companies.

The list includes flaws that can be exploited through malicious email attachments, targeted attacks (spear phishing) and most commonly “watering hole” attacks.

What is a Watering Hole Attack?
A watering hole attack is a targeted exploit of a frequently visited website by specific group of people. The attacker compromises/tampers with the website to inject HTML or JavaScript that will redirect visitors to another site/page specifically crafted to exploit a security vulnerability/flaw e.g. one of the top 30 flaws mentioned by US-CERT. If the exploit is successful (i.e. if the flaw exists on the users computing device) then malware can be installed or any other action of the attacker’s choice can take place (if it’s a remote code execution flaw).

Such an attack is more likely to succeed since the visitors to the site trust it and more likely to respond in a way the attackers wish should a dialog box appear or a message to perform an action is displayed e.g. download a fake codec update to watch a video (which would lead to an exploit taking place against a visitors computing device).

All of the products listed within the above mentioned alert are commonly used and can be patched with low to moderate effort. Please find below advice on how to update each of the affected products in the list.

I hope that the list of products with the associated steps to update each are useful to you in applying the necessary updates in order to avoid being exploited by the Top 30 high Risk Security Vulnerabilities mentioned by US-CERT.

Thank you.

==========================
Microsoft Internet Explorer:
==========================
Please see “Enable automatic updates for Windows” within my “Protecting Your PC“ page.
==========================

==========================
Microsoft Silverlight:
==========================
For Mac:
Please visit this Silverlight page. If you have Silverlight installed and an update is available, please download and install it

For PC:
Please see “Enable automatic updates for Windows” within my “Protecting Your PC“ page.
==========================

Microsoft Office for Mac and Windows:

Office for Mac:

==========================
Office 2011 for Mac:
==========================
The most recent update (at the time of writing is 14.4.9, please select “Office 2011” under the Products column on this page). Please download and install the most recent update for Office 2011 for Mac. In order to install all updates I would suggest using Microsoft AutoUpdate for Mac 2.3.6 (which is compatible with Office 2011 for Mac).

Please note that Update 14.4.9 requires 14.1.0 i.e. SP1 for Office 2011 for Mac to be installed first.

==========================
Office 2008 for Mac:
==========================
While this version of Office is now unsupported if you are using this version it would still be recommended to have the most recent version available. Update 12.3.6 is the most recent update. This update requires Update 12.2.0 (i.e. SP2 for Office 2008 for Mac) to already have been installed. SP2 requires that SP1 also be installed beforehand.

In order to install all updates I would suggest using Microsoft AutoUpdate for Mac 2.3.6 (which is compatible with Office 2008 for Mac).

==========================
Office 2004 for Mac:
==========================
This version of Office is also unsupported. Update 11.6.6 is the most recent update and requires Update 11.6.5 (and all prior updates). In order to install all updates I would suggest using Microsoft AutoUpdate for Office 2004 for Mac.

==========================
Office for Windows:
==========================
For Office 365 (Business Essentials, Business, Business Premium, Home and Personal): These suites stays up to date automatically while an internet connection is available.

==========================
Office 2013, 2010 and 2007:
==========================
Windows Update can detect and install all updates for you when it is configured correctly. Alternatively for Office 2013, it can also be updated manually.

==========================
For Office 2003, Office XP and Office 2000:
==========================
Windows Update can detect and install all updates for Office for you when it is configured correctly.

For any product listed in the table within US-CERT alert that you have installed and no update is being offered within Windows Update I would recommend checking the security bulletins mentioned in the US-CERT alert for more information on installing the appropriate updates manually.

==========================
Oracle Java:
==========================
In order to obtain the latest updates for Java, if you are developer, visit this page and download the most recent Java Development Kit (JDK) or the most recent update for your version of Java JDK e.g. v7, v6, v5 etc. Currently JDK v8 is the most recent. Some developers may also need the latest Java FX.

For corporate desktop systems or consumer/home users, please visit http://java.com to download the most recent Java Runtime Environment (JRE). There is also the option of enabling automatic updates when Java is installed on Windows.

==========================
Adobe:
==========================
Adobe Flash:
For Adobe Flash, since version 11.2 Adobe has included an automatic updater when Flash is installed on Windows. For any version of Windows older than Windows 8.0, Flash can also be downloaded and installed manually from this page (the downloaded version will automatically replace any older version of Flash already installed).

For Windows 8.0 and later, Microsoft issues updates to Adobe Flash via Windows Update. These updates are detailed in this security advisory.

==========================
Adobe AIR:
For the Adobe SDK and SDK & Compiler, updates can be obtained from Adobe’s developer page.
For Adobe AIR desktop runtime, updates are available from this download page.

==========================
Adobe Acrobat and Adobe Reader:
For Acrobat DC and Reader DC, updates are automatically delivered (and available using “Check for Updates” mentioned below). Alternatively, updates for Acrobat for Mac and Windows are available. The latest version of Reader DC is available from here (please ensure to un-check install options such as Google Chrome and Google Toolbar).

For Acrobat 11 and 10, updates are available for Mac and Windows. Alternatively use the built in updater by clicking the Help menu and choosing “Check for Updates”.

For Adobe Reader 11 and 10, updates are available for Mac and Windows. Alternatively use the built in updater by clicking the Help menu and choosing “Check for Updates”.

For older versions of Acrobat and Reader (namely 9, 8 and earlier), no further updates are being made available. It should be possible to run a check for updates as mentioned above but it is recommended to upgrade to a currently serviced version, e.g. 10, 11 or DC.

==========================
For Adobe ColdFusion:
Updates are available for ColdFusion 11 and 10. Installation instructions are also provided within the aforementioned pages.

For ColdFusion 9, there are 3 updates available to be installed in the order presented here:

ColdFusion Security hotfix APSB13-03

ColdFusion Security hot fix APSB13-13

ColdFusion Security hot fix APSB13-27

Additional Security Hotfixes (in addition to those above)

==========================
Adobe Flex:
Adobe Flex is available for download from here. However in an April 2015 security bulletin Adobe recommended updating the Flex index.html file using the steps provided in that bulletin.

==========================
OpenSSL:
==========================
For OpenSSL I would recommend following the guidance provided by US-CERT for upgrading to the most recent non-vulnerable version of OpenSSL using their link provided within their alert since the upgrade/update process requires specific steps to be completed.
==========================