Monthly Archives: August 2015

Mozilla Releases Firefox Security Updates

Yesterday Mozilla made available unscheduled security updates for Firefox 40 and Firefox ESR (Extended Support Release) 38.2.

These updates resolve 2 CVEs (CVE, defined) (1x critical severity, 1x high severity). The high severity issue concerned a possible means of forging the site that a Firefox add-on appeared to be installed from, combined with an issue where the permission-to-install prompt that is supposed to appear would not do so. This could have been used to deceive a user into trusting an add-on more than they should (since the add-on would appear to come from a trusted site) and could have allowed malicious add-ons to be installed without permission.

The critical issue being addressed was a use-after-free vulnerability (use-after-free, defined) that was reported to Mozilla by 2 distinct sources.

Further details of these updates (and the issues mentioned above) are available for Firefox 40.0.3 and Firefox ESR 38.2.1. If Firefox is installed on any computer that you use, please install the appropriate updates as soon as possible. Details of how to install updates for Firefox are here.

Mozilla Firefox updates generally install without issues; however, as always, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Apple Releases QuickTime for Windows Security Update

Late last week Apple released a security update for QuickTime for Windows. The update brings QuickTime to version 7.7.8.

Full details of this update are available on Apple’s Security Updates page. The update resolves 9 critical CVEs (defined).

To update Apple QuickTime for Windows, open QuickTime (by searching for it using the Start menu). From the menu bar at the top of the QuickTime window choose Help->Update Existing Software.

Alternatively use Apple Software Update (usually installed with Apple iTunes). Upon opening Apple Software Update it will check for updates for you and display any applicable updates for QuickTime.

As always, I recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Drupal Releases Security Updates (August 2015)

Drupal, the very popular website Content Management System (CMS), released security updates earlier this month to resolve 5 security issues within versions 6 and 7 of its product.

Cross site scripting (defined) issues were found in the Drupal.ajax() function (a set of instructions that carries out a specific action within a program) and within the autocomplete functionality of forms.

An SQL injection (defined) vulnerability was found in the SQL comment filtering system which could allow a user with elevated privileges (once tricked/coerced by an attacker) to inject malicious code through SQL comments. Such SQL code injection usually results in a user seeing information that would usually be forbidden/denied to them.

A Cross-site Request Forgery (CSRF) (defined) issue within Drupal’s form API was found to allow the upload of a file by an attacker. However, this file would only have been available for 6 hours. Finally, an information disclosure issue was found where the titles of nodes (add-ons which are placed within the page viewed by the user) would be visible to a user who would not usually have access to them. The titles of the nodes would be visible on a page of the site that the user does have access to (namely, that page would contain additional information not normally visible).

Drupal users should upgrade to versions 6.37 or 7.39 (as appropriate) to resolve these issues. Further information and steps to install the updates are available in this Drupal Security Advisory.

Thank you.

Lenovo Releases Security Update For Laptop and Desktop Systems

Earlier this month computer manufacturer Lenovo released a security update for a wide range of its laptop and desktop systems.

The security update affects the Lenovo Service Engine (LSE). This is a utility created by Lenovo that becomes part of the computer’s BIOS (see Aside below for a definition) and that downloads an application known as OneKey Optimizer. This application downloads updates for the computer’s BIOS and driver updates for hardware, and installs applications that are usually pre-installed when the computer leaves the Lenovo factory. Finally, the application also sends non-personally identifiable system data to Lenovo servers.

As explained by Lenovo in their security advisory (see links provided below), security vulnerabilities were found in the LSE through work with an independent security researcher and Microsoft. These included a buffer overflow (see Aside 2 below for a definition) and an attempted connection to a Lenovo test server. The LSE used the Microsoft Windows Platform Binary Table (WPBT). Microsoft has since provided updated security guidelines for using this capability of Windows. Since the LSE no longer meets those guidelines, Lenovo has chosen to remove all components of the LSE from the affected Lenovo systems.

Why Should These Issues Be Considered Important?
According to the US-CERT, the flaws within the LSE could allow a remote attacker to take control of the Lenovo system.

How Can I Protect Myself From These Issues?
As recommended by Lenovo in their advisories for laptops and desktop systems (both advisories are different), please update the BIOS of the affected systems using the steps provided in those advisories. Once updated the LSE disabler tool can be used to remove the vulnerable LSE components.

Thank you.

Aside:
What is a BIOS?

A Basic Input/Output System (BIOS) is the first piece of code that tells your computer what to do when it is first turned on. This involves 2 stages. The first stage is a quick diagnostic of the computer’s components known as a power-on self-test (POST).

The second stage involves bringing your computer into a usable state by starting your operating system (e.g. Linux, Mac OS X or Windows) from the first bootable hard drive (or other drive) it locates.

The BIOS will also check for other bootable devices such as CDs/DVDs or USB jump drives. The goal is to find the next stage of the start-up process, whether that is the much more common task of starting your operating system so that you can get to work, or allowing you to repair the computer or recover your data using emergency bootable discs/USB jump drives. Further information on computer BIOSes and how they are migrating to the newer Unified Extensible Firmware Interface (UEFI) architecture is available here.

Aside 2:
What is a Buffer Overflow attack?

A buffer is an area of computer memory set aside for a specific task. If an attempt is made to store data larger than that area in it, the buffer will overflow. When an overflow happens, the data that can fit in the buffer is stored in that buffer while the data that doesn’t fit spills over into memory adjacent to that buffer. Whatever data was stored in those locations is overwritten.

The overfilled memory areas (which now contain unintended data, from the point of view of other code that assumes they still hold valid data) may previously have held another buffer, a program’s output data, or a pointer (defined below) to another area of memory.

At best this will result in the program using that (overwritten) value crashing or getting caught in an infinite loop (performing the same action again and again without ending). At worst, an attacker could use a buffer overflow to their advantage.

This can result in an attacker being able to run/execute code of their choice by overwriting the program’s return pointer (through the overflow that has happened) with a value of the attacker’s choosing; that value is placed there by the overspill into the adjacent memory. When an operation completes, instead of the program returning (using the location the return pointer references) to the place it was originally called from, the program will instead go to the place in memory where the attacker has stored malicious code, since the attacker supplied that location by inserting a value of their choice (one too large to fit in the buffer) as mentioned above.

A pointer is a variable (a segment of memory that stores a single value) that contains the address (in computer memory) of another variable.

The attacker’s code can then run with the same privileges as the program which suffered the overflow. C and C++ functions (a set of instructions that carries out a specific action within a program) such as strcpy (string copy) and strcat (string concatenation/appending function) are just some examples of functions that are vulnerable to buffer overflows.

Such unsafe functions were replaced with functions that carry out the same task but check the size of the input against the size of the buffer it is to be stored in and do not allow an overflow to occur. These safe functions are now recommended by Microsoft. To enforce the use of safe functions the Banned Function Calls header file was created (also documented here). Other mitigations such as /GS cookies (discussed in a previous blog post) were also implemented to protect against buffer overflows.

Please note that it is only Microsoft that uses the newer safer functions mentioned above. Linux takes a different approach as does Apple but each results in safer code.

Update: 7th September 2015:
While the use of “safe” versions of common functions that operate on buffers is the preferred method of working with buffers, they are not perfect since they can suffer from incorrect calculations of the width of the buffer to allocate. If a mistake is made here by the programmer, a buffer overflow can still result. An example of a protected version of such a function (of the strcpy() function mentioned above), which takes the width of the desired buffer as a parameter, is shown in the function declaration below:

strncpy(destination, source, width);

The above function declaration shows the name of the “safe” function, namely strncpy (notice the difference to the standard function with the name of strcpy, the “safe” function includes an extra “n”). The 3 parameters to this function are shown within the parentheses () otherwise known as brackets.
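The following is an added example (not code from the original post) that models the overflow described in the aside and the width mistake described in the update. It assumes a constructed layout of a 16-byte name buffer followed by a 4-byte flag, kept inside one array so the spill-over stays in memory the program owns, and shows an unchecked copy overwriting the neighbouring flag beside a bounded copy that does not.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the layout the aside describes: a 16-byte name buffer
 * with a 4-byte flag stored immediately after it. Both live in one array so
 * the "overflow" stays inside memory we own (no undefined behaviour). */
#define NAME_SIZE 16
#define REGION_SIZE (NAME_SIZE + 4)

struct region {
    unsigned char bytes[REGION_SIZE];
};

void region_init(struct region *r) {
    memset(r->bytes, 0, sizeof r->bytes);   /* empty name, flag = 0 */
}

/* The flag that sits right after the buffer, read as a little-endian int. */
unsigned flag_value(const struct region *r) {
    const unsigned char *f = r->bytes + NAME_SIZE;
    return (unsigned)f[0] | ((unsigned)f[1] << 8) |
           ((unsigned)f[2] << 16) | ((unsigned)f[3] << 24);
}

/* Unchecked copy in the style of strcpy(): writes strlen(src) + 1 bytes from
 * the start of the name buffer, so anything past NAME_SIZE spills into the
 * flag. Clamped to the region only so the demo itself is well defined. */
size_t unchecked_copy(struct region *r, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > REGION_SIZE) n = REGION_SIZE;
    memcpy(r->bytes, src, n);
    return n;
}

/* The check a "safe" function performs before copying: does src (plus its
 * terminator) fit in a width-byte destination? Returns 1 if it does not. */
int would_overflow(size_t width, const char *src) {
    return strlen(src) + 1 > width;
}

/* Bounded copy built on strncpy(dst, src, width). Two details the update
 * above warns about: width must be the destination's size (not the source
 * length or sizeof a pointer), and strncpy() writes no terminator when the
 * source fills the width, so one is added explicitly.
 * Returns 1 if the source was truncated. */
int bounded_copy(char *dst, size_t width, const char *src) {
    if (width == 0) return 1;
    strncpy(dst, src, width - 1);
    dst[width - 1] = '\0';
    return strlen(src) >= width;
}

/* Flag value after copying src into a fresh region, unchecked (bounded=0)
 * or with the bounded copy (bounded=1). */
unsigned flag_after_copy(const char *src, int bounded) {
    struct region r;
    region_init(&r);
    if (bounded) bounded_copy((char *)r.bytes, NAME_SIZE, src);
    else unchecked_copy(&r, src);
    return flag_value(&r);
}

int main(void) {
    const char *input = "AAAAAAAAAAAAAAAAAAA";   /* constructed: 19 bytes */
    printf("unchecked copy: flag = 0x%08x\n", flag_after_copy(input, 0));
    printf("bounded copy:   flag = 0x%08x\n", flag_after_copy(input, 1));
    return 0;
}
```

With the 19-byte input the unchecked copy leaves the flag reading 0x00414141 (three 'A' bytes plus the terminator), while the bounded copy leaves it at zero and reports truncation.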

Update: 17th September 2015:
A detailed definition of a stack overflow is provided in a more recent blog post. This similar type of overflow can be a useful addition to the above explanation. Thank you.

A further reference for buffer overflow attacks is the following:

Smashing The Stack For Fun And Profit by Aleph One

Cisco Issues Guidance to Protect Against Rogue IOS Firmware Installation

Update: 20th September 2015: As discussed in a more recent blog post, attackers are now re-imaging Cisco networking devices with modified IOS firmware in order to take control of your networking equipment. These devices can then be used for possible further attacks within your network (among other malicious actions).

The first type of attack using this technique has been called “SYNful Knock”. Details including how to detect, mitigate and recover from this attack are provided in the blog post linked above.

Thank you.

Original Post:
Earlier this month Cisco issued a security bulletin to notify its customers of an evolution in the way that attackers compromise corporate networking devices. After obtaining access to the devices (either physical access or gaining administrative privileges by another means) an attacker can then utilize the standard means of field-upgrading the built-in firmware of a device.

Why Should These Issues Be Considered Important?
With the attacker-modified version of the firmware installed on the Cisco networking devices, the attackers can manipulate its behavior and settings. In addition, since the code is installed in the firmware of the device, it persists/survives a reboot of the device, which makes removal of the modified firmware far more difficult.

How Can I Protect Myself From These Issues?
Since no vulnerability is used to install unauthorized firmware updates, Cisco has provided extensive guidance within their security bulletin to harden the devices against this and other attacks. Please follow the guidance to harden your Cisco IOS devices against these more persistent attacks (advice on removing such threats if your firmware has already been compromised is also provided).

Thank you.

SAP Releases Security Updates for Mobile Platform

Earlier this month, 3 security issues (detailed below) were found by Onapsis Security in SAP’s Mobile Platform, specifically version 3.0 SP5, and reported to SAP.

None of the issues are remotely exploitable but if an attacker has access to the mobile device no further authentication would be needed for them to exploit these issues.

Why Should These Issues Be Considered Important?
All of the issues discussed below either make it easier for an attacker to retrieve the encrypted data or provide them with a fixed encryption key to brute force. If the attacker is successful, your encrypted data is no longer secure.

How Can I Protect Myself From These Issues?
SAP recommends implementing/installing the patches discussed within SAP Security Note 2094830. This note is also mentioned within this Onapsis blog post. Please note that a SAP Marketplace account is required to access the contents of this Security Note. An account can be created from this page.

If you are in any doubt or would like further advice, please contact SAP Support for more information.

Thank you.

Issue 1: SAP Mobile Platform DataVault Keystream Recovery:
This component is used to access encrypted data on mobile devices. Due to an implementation error it is possible to recover the keystream (defined) for the encrypted data. Thus it becomes possible to retrieve part of the unencrypted plaintext corresponding to encrypted data within the DataVault of the mobile device. There is also a limited possibility that an attacker could re-encrypt the data within the vault (potentially blocking access to the legitimate/original authorized person).

Having both the plaintext and the encrypted version of data will allow the use of a known plaintext attack (see Aside below for a definition).

Issue 2: SAP Mobile Platform Predictable Encryption Password for Configuration Values:

The password of the SAP DataVault is derived from the combination (more details below) of easily obtainable (plaintext i.e. “in the clear”) values. This password is used to encrypt important configuration details of the SAP DataVault e.g. the count of invalid attempts to unlock a secure store.

The password is a combination of a value stored in plaintext within the secured store in addition to another fixed value. The salt value (a random value added to another value to make the encryption key unique each time a new key is created) is also a fixed value. These fixed values are the same for all installations of the SAP Mobile DataVault (this is similar to static encryption keys discussed in a previous blog post).

Issue 3: SAP Mobile Platform DataVault Predictable Encryption Password for Secure Storage:

If no password or salt value is provided during the initial creation of the DataVault, the password and salt are then derived from a combination of fixed values and the ID number of the vault. This again results in a fixed encryption key used to secure the data within the vault.

What is a known plaintext attack?

This attack relies on recovering and analyzing a matching plaintext and ciphertext pair with the goal of deriving the key that was used. Techniques such as reverse-engineering, frequency analysis (e.g. looking for the word “the”, usually the most common word that is used) and brute force attempts are used to carry out such an attack. Obtaining the key allows the attacker to decrypt any ciphertexts encrypted with the same key.

Please note that encryption algorithms have defences against such attacks, e.g. using a large keystream, initialization vectors (IVs), substitution and transposition (among others), usually making such attacks non-trivial.
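The following added example (not SAP’s code or data, and not from the original post) illustrates Issue 1 above and the known plaintext attack defined in this aside: a stream-cipher model in which one constructed, fixed keystream is reused for every record, so a single record with known content is enough to recover the keystream bytes it covers and read the same number of bytes of any other record. The keystream and the two sample records are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, fixed keystream standing in for whatever the vault produced;
 * it is not SAP's algorithm or data. Every record below reuses it, which is
 * the flaw being demonstrated. */
#define KS_LEN 24
static const unsigned char KEYSTREAM[KS_LEN] = {
    0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x6b, 0xf8,
    0x19, 0xa3, 0x70, 0xe5, 0x2c, 0x8d, 0x46, 0xbf,
    0x01, 0x9c, 0x57, 0xea, 0x33, 0xd8, 0x64, 0x0f };

/* out[i] = a[i] XOR b[i] for n bytes. */
static void xor_bytes(unsigned char *out, const unsigned char *a,
                      const unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = a[i] ^ b[i];
}

/* Stream-cipher model: ciphertext = plaintext XOR keystream. XOR is its own
 * inverse, so the same call also decrypts. Returns bytes processed. */
size_t vault_encrypt(unsigned char *out, const unsigned char *in, size_t n) {
    if (n > KS_LEN) n = KS_LEN;
    xor_bytes(out, in, KEYSTREAM, n);
    return n;
}

/* Known-plaintext step: plaintext XOR ciphertext yields the keystream bytes
 * the pair covers. The key itself is never needed. */
size_t recover_keystream(unsigned char *ks, const unsigned char *pt,
                         const unsigned char *ct, size_t n) {
    if (n > KS_LEN) n = KS_LEN;
    xor_bytes(ks, pt, ct, n);
    return n;
}

/* Returns 1 if the first n recovered bytes equal the real keystream. */
int keystream_matches(const unsigned char *ks, size_t n) {
    return n <= KS_LEN && memcmp(ks, KEYSTREAM, n) == 0;
}

/* End to end: a record with known content (say, a default configuration
 * string) and a secret record, both encrypted with the same keystream. The
 * recovered keystream decrypts the secret for as many bytes as the known
 * record covers, which is the "part of the plaintext" limit described above.
 * Writes the readable prefix to out; returns 1 if it matches the secret. */
int demo_recovers_secret(const char *known, const char *secret,
                         char *out, size_t out_size) {
    unsigned char ct_known[KS_LEN], ct_secret[KS_LEN], ks[KS_LEN];
    size_t known_len = vault_encrypt(ct_known, (const unsigned char *)known,
                                     strlen(known));
    size_t secret_len = vault_encrypt(ct_secret, (const unsigned char *)secret,
                                      strlen(secret));
    size_t n = recover_keystream(ks, (const unsigned char *)known, ct_known,
                                 known_len);
    if (n > secret_len) n = secret_len;     /* cannot read past the record */
    if (n >= out_size) n = out_size - 1;
    xor_bytes((unsigned char *)out, ct_secret, ks, n);
    out[n] = '\0';
    return memcmp(out, secret, n) == 0;
}

int main(void) {
    char out[KS_LEN + 1];
    int ok = demo_recovers_secret("lock_count=0", "pin=4711;token=abc",
                                  out, sizeof out);
    printf("recovered prefix: \"%s\" (%s)\n", out, ok ? "correct" : "wrong");
    return 0;
}
```

The defence the aside mentions is exactly what this model lacks: a keystream derived from the key plus a unique IV per record, so that no two records share keystream bytes and a known record reveals nothing about another.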

Removing Conficker in 2015

In early August a research paper was published by a team of Dutch researchers trying to determine why there are more than 1 million computers worldwide still infected with variants of the Conficker malware (otherwise known as Downadup) more than 6 years after it began spreading.

The reasons appear to be that the infections are present on systems that are no longer maintained or on embedded systems that cannot easily be accessed to carry out the removal of the malware. In addition, ISPs (Internet Service Providers) around the world have worked with their customers to remove this malware. However, while their efforts have paid off, when the malware is removed no effort is made to patch the now cleaned-up systems and they quickly become infected again.

The research paper also points out that 15% of the systems infected with GameOverZeus are also infected by Conficker. The security vulnerability (CVE-2008-4037, CVE defined) exploited by Conficker in order to propagate itself affects the following versions of Windows:

Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Vista (32 bit and 64 bit) with or without Service Pack 1
Windows Server 2003 (32 and 64 bit) Service Pack 1 and Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2008 (32 bit and 64 bit)
Windows Server 2008 for Itanium-based Systems

This security vulnerability was resolved by Microsoft with this security bulletin.

In order to assist with removing this malware from any systems I would like to offer the following advice:

For single computers used for home or small business use (up to a maximum of 5 computers):

  • If you don’t wish to continue using your old computer:
    Back up your important data to external media e.g. a USB jump/flash drive, an external hard disk or recordable CD/DVD. Computers that can run the above mentioned older versions of Windows should still have all that you need to back up your data e.g. USB ports and CD/DVD recording (burning) drives.
  • Responsibly dispose of your old computer and upgrade to a new computer. Follow the advice on the “Protecting Your PC” page to keep it free from malware.

If you want to continue using your old computer:

  • Disconnect the infected computer from the internet.
  • Use a malware-free computer (e.g. a friend’s or a computer at an internet café) to download the Conficker Removal tool from Symantec. Bring the tool to the infected computer using an external hard drive, USB jump/flash drive, or CD/DVD. Run the tool by double clicking it.

The tool will remove all traces of the infection from the computer. I tested this tool on a Windows XP SP3 computer (disconnected from the internet) and it took just over 5 minutes to complete a full scan of the system.

  • If you suspect any other malware may be present on the infected computer, I would suggest using another computer to download any of the following free tools and transfer those tools as described above to the infected computer. Complete a full system scan with any of these tools.

I tested all of these tools using a Windows XP SP3 system not connected to the internet. All tools were able to complete scans without the assistance of an internet connection:

Microsoft Safety Scanner
Sophos Virus Removal Tool
Malwarebytes Anti Malware (free edition)

For Malwarebytes, the included definitions dated from June 2015 since no internet connection was available. Updating using this MBAM rules tool appeared to succeed but had no effect. The Microsoft and Sophos tools did not have this limitation.

  • Once the computer is free of malware, ensure the Windows Firewall is turned on, then re-connect the computer to the internet.
  • Visit Microsoft Update (for Windows 2000, Windows XP and Server 2003 systems) to download and install all necessary security updates. Windows Vista and Windows Server 2008 systems can use the built-in Windows Update to download all necessary security updates.
  • Install anti-malware software that is compatible with your computer. Free and paid-for software products are listed on this page. Corporate anti-malware software is listed here. Contact the manufacturer/vendor of the software to check its compatibility with your version of Windows if you are purchasing a paid-for version. If an anti-malware product is not available for your version of Windows, disconnect the computer from the internet (to significantly reduce the possibility of malware infection) and consider purchasing a new computer sometime in the future at a time convenient to you.
  • If you wish, disconnect the computer from the internet (see the bullet point above about available anti-malware software). Continue using your computer as normal.

Update: 7th September 2015:
Please note that my suggestion to disconnect a Windows computer (that no longer receives security updates on a monthly basis) from the internet is an effective suggestion to reduce its risk of infection; however, air-gapping (defined) a device is not a perfect solution.

If a device such as an external hard disk or USB flash/jump drive is connected to a computer not connected to the internet, it can still become infected if an infected file is present on this storage device and that file is transferred and loaded/opened on that computer.

To attempt to address some of the pitfalls of air-gapping I would recommend scanning all files that you intend to transfer using an up to date malware scanner or use (only for single files or a small number of files; don’t upload files that contain private/sensitive data) before using files on older Windows systems to minimize the risk of malware infection. The link referenced above referring to air-gapped systems includes further advice which you may or may not decide to implement.


For computers for small businesses or larger businesses (more than 5 computers):
While the above steps to remove malware can be applied to any number of computers, the process becomes tedious and time consuming when more than 5 computers are infected. I would recommend seeking the assistance of qualified corporate IT security companies in your locality to perform a malware clean-up. Such companies generally offer a network security assessment and can provide on-going assistance to keep your network safe from security threats.

US-CERT has written an in-depth, easy to follow guide with advice on how to remove the Conficker malware and prevent it from spreading further.

I hope that the above advice and resources are of assistance to you in removing the Conficker malware from any Windows devices that you may have.

Thank you.