Daily Archives: August 12, 2015

Windows 10 Possible Privacy Concerns

Update: 5th October 2015:

Microsoft has published a new blog post that describes what data they collect from Windows 10 devices and why. They also provide a means of contacting them should you have any questions or concerns about the privacy aspects of Windows 10.

They also provide explanations for consumers and companies providing more information on how to control what data is collected and why such data is collected.

I hope this additional information is of assistance to you.

Thank you.

Original Post:
With the recent launch of Windows 10 near the end of July, the new operating system has very quickly developed a large user base (14 million users after just 24 hours from initial launch). However during the upgrade process (from a previous version of Windows) you are presented with a settings screen that lets you choose Express Settings or to Customize Settings.

If you value your privacy you may wish to choose Customize Settings in order to change how much information Microsoft collects from your Windows 10 device. This information includes (among others):

  • Page Prediction: Speeds up web browsing but sends your browsing data to Microsoft
  • SmartScreen: Scans and possibly sends downloaded files and suspicious files to Microsoft for further analysis.
  • Automatically connecting to open WiFi (wireless) hotspots
  • Automatically connecting to networks shared by your contacts
  • Sending error and diagnostic information to Microsoft

While I have no issue with the collection of this data, it’s a little disconcerting that the defaults, if you choose Express Settings, will leave all of these enabled. Encouraging users to check these settings and make the changes of their choice (which takes only seconds) would be a better approach than downplaying them and encouraging the use of the Express settings. A full guide with very helpful screenshots for changing these settings if you have already installed Windows 10 is provided here (hat tip to The Register for this link). It has also been pointed out that the collection of error and diagnostic information from Windows 10 devices can be limited but not fully disabled.

Please note that disabling some of the above mentioned settings will mean that certain features of Windows 10, e.g. Cortana, will no longer function exactly as intended.

In addition, Windows 10 by default uses your internet/broadband/network bandwidth to download Windows 10 updates in order to speed up the downloading of such updates for you (if you have more than one Windows 10 device on your network) and to people running Windows 10 nearby on other networks. This feature/setting is called Windows Update Delivery Optimization (WUDO).

As before, while I have no problem with this, the default for this setting is on. As pointed out by security blogger Graham Cluley, this setting can have an impact if you are using a metered or capped data plan for your internet access: it could be using more of your limited bandwidth than you would like. While WUDO will not download over metered/capped connections, this is only respected if you have informed Windows 10 that you are using such a network. How to inform Windows 10 that you are using a metered connection is provided in this FAQ. Information on how to disable this setting (should you wish to do so) is also provided by Graham in his post. My thanks to him for this very useful reference. Moreover, Sophos has confirmed that WUDO is not a security concern.

While none of the above settings pose a security concern, for any person concerned about their privacy or network bandwidth, or who simply likes to know what’s going on with their new Windows 10 installation, the above information may be of assistance.

Thank you.

August 2015 Security Updates Summary

Yesterday Microsoft released its monthly security updates to resolve 57 CVEs (definition of the term CVE). Further details are provided in their Security Bulletin Summary.

At the time of writing, this summary details known issues for 2 security bulletins: MS15-081 (Microsoft Office) and MS15-082 (Windows RDP). The known issue for Office is that online document templates can no longer be accessed unless the security update mentioned within the bulletin is installed. The RDP known issue mentions that in some cases the computer on which the update is installed may need to be restarted twice for the update to complete its installation.

Another source for details of issues encountered with Microsoft security updates is the IT Pro Patch Tuesday blog. At the time of writing, no issues have been posted.

Mozilla Firefox was updated (to version 40.0, resolves 18 CVEs, 8x critical severity, 8x high, 2x moderate) and Firefox ESR (to version 38.2, resolves 17 CVEs, 7x critical severity, 9x high, 1x moderate). Among the issues addressed by Mozilla were the Stagefright media playback issues. Details of how to install updates for Firefox are here.

Finally Adobe issued updates to Flash Player to resolve 35 CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received (I have confirmed this) this Flash update within this Chrome update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):

If you use any of the above software, please install the appropriate updates as soon as possible.

Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

Since the Adobe Flash Player update resolves 35 CVEs, some of which are likely to be exploited very quickly by exploit kits (exploit kit, defined), it should be installed first. The next priority update should be Mozilla Firefox, since it addresses multiple critical and high severity flaws.

These should be followed by Microsoft Office, Internet Explorer, Microsoft Edge, Windows Mount Manager and Microsoft Graphics Component due to their critical severities. The Mount Manager update should be prioritized since it addresses an issue that could allow arbitrary code to be executed from a USB storage device attached to a Windows system and is being used in targeted attacks.

One other security precaution that you may wish to take, if you have Microsoft EMET installed, is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations on how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Google Android Stagefright Issues Patched

Update: 10th January 2016:
Further updates addressing newer issues within libstagefright have been made available. Please see this more recent blog post for details.

Thank you.

Update: 17th November 2015:
Further updates addressing newer Stagefright issues have been made available. Please see this more recent blog post for details.

Thank you.


Update: 5th October 2015:
A new set of security issues related to Stagefright has been disclosed. They are referred to as Stagefright 2.0. How to address these new issues is discussed in a more recent blog post.

Thank you.

Update: 13th August 2015:

According to this article, the patches that were intended to resolve the issues discussed in this post were incomplete. Further fixes will be made available in September. Further details are provided in the article linked to above. Thank you.

Update: 9th September 2015: The exploit code for the Android Stagefright issues has been released by the security researcher who discovered the issue. In addition, the researcher has worked with Google to create an app to check whether an Android device is vulnerable. Moreover, they are continuing to work with Google to add a check for this vulnerability to Android’s Compatibility Test Suite (CTS) to ensure all future Android devices ship with this issue fixed.

According to this article, the September update from Google to resolve the remaining means of exploiting the Stagefright issues has not yet been released but should be later this month.


Update: 15th September 2015: According to this article on Ars Technica, Google has begun to release the first batch of monthly security updates for Android for its Nexus devices. It will be interesting to see how quickly the OEM device makers and mobile carriers issue their updates. As this is the first time such updates have been released, it may take time for these update processes to be streamlined.

As mentioned below in the updated suggestions to protect yourself from the Android Stagefright issue, if you are using Mozilla Firefox for Android, please ensure that you are using the most recent version to ensure that you are protected from this issue. The steps to install updates for Firefox for Android are provided here.

Thank you.

Original Post:
In the middle of last week a series of security vulnerabilities were patched/updated in the Stagefright media playback service of Google Android smartphones (initial details of these issues became available a week before the updates).

There are 10 security issues in total, assigned to 7 CVEs (CVE, defined). They consist of a buffer overflow and several integer overflow and underflow vulnerabilities (see the Asides below for definitions of these terms). These issues are present in all versions of Android from version 2.2 (codenamed Froyo) up to Android 5.1.1_r9 (codenamed Lollipop).

Why Should These Issues Be Considered Important?
While it is estimated that up to 950 million Android smartphones are affected by these security issues, more than 90 percent of them are protected by security mitigations (namely Address Space Layout Randomization (ASLR)) built into Android since version 4.0 (codenamed Ice Cream Sandwich). Additional improvements were made to the ASLR mitigation of Android in version 4.1 (Jelly Bean). However, these mitigations make exploiting the Stagefright issues much more difficult, not impossible.

These security issues can be exploited by an attacker sending a specifically crafted Multimedia Messaging Service (MMS) message (MMS, defined). To do this, the attacker only needs to know your phone number. MMS messages are processed automatically by most Android phones, providing the attacker with the possibility of executing arbitrary shellcode (shellcode, defined) on your phone.

How Can I Protect Myself From These Issues?
Sophos provides practical advice on both mitigating the issue until a patch is available for your phone and how to obtain the patch for your phone. Further advice is available in Zimperium’s blog post and this CERT knowledge base article. Apologies that some of this information overlaps/is repeated, but each link does contain useful information.

The good news that has occurred since more information was provided on these issues by the person who discovered them (Joshua Drake of Zimperium) last week in his BlackHat security lecture is that Google and Samsung have pledged to provide monthly security updates for their Nexus and Galaxy smartphones (respectively). LG have also pledged to do the same.

In addition, fixes to security issues will be made available to mobile carriers (mobile providers) sooner. This should result in a less complicated means of updating when future security vulnerabilities are discovered. The new monthly update process should keep Android smartphones much more secure in the future; this improvement is long overdue.

Update: 15th September 2015: In addition, if you are using Mozilla Firefox for Android, please ensure that you are using the most recent version to ensure that you are protected from this issue. The steps to install updates for Firefox for Android are provided here.

Thank you.

Aside 1:
What is an integer overflow?

An integer overflow occurs when the value of an integer being used by a computing device becomes too large to be represented accurately, e.g. on some systems the maximum value of an integer is 32767 (namely 2^15 - 1). If a value higher than this is used to access a location in computer memory, that value may wrap around (begin counting from the beginning again, resulting in a very small value or in a value less than its minimum value).

At best this will result in the program using that value crashing or getting caught in an infinite loop (performing the same action again and again without ending). At worst, an attacker could use an integer overflow to overflow a buffer (a region in computer memory set aside (allocated) to hold data). This happens because the extra-large integer value flows over into parts of memory it was not intended to reach.

This can result in an attacker being able to run/execute code of their choice by overwriting the return pointer of the program (due to the overflow that has happened) with a value of the attacker’s choosing. That value is placed there by the overspill into adjacent memory segments. When an operation is completed, instead of the program returning (using the location the return pointer references) to the place from which it was originally called, the program will instead go to the place in memory where the attacker has stored malicious code (since the attacker supplied this location by inserting a value of their choice, as mentioned above).

That code can then run with the same privileges as the program which suffered the overflow. The overwriting of the return pointer was one reason for Microsoft adding defences (namely stack guard cookies, part of the /GS mitigations) to Windows Vista and all later versions of Windows. The other reason was being able to detect such buffer overflows and terminate the program which had suffered the overflow. By terminating/force closing the program, the attack is immediately halted and the system remains secure. The /GS mitigation is explained in more depth here, here and here.

In explaining the integer overflow attack I have also defined the outcome of a buffer overflow attack.
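The following is an added C example, not code from this post or from Android’s Stagefright library, showing the mechanism the aside describes: an untrusted length field is used to size a buffer, and when the size arithmetic wraps, the too-small buffer is then overrun by the copy that follows. The 16-bit wrap (32767 + 1) is shown explicitly, and the unchecked 32-bit size calculation is placed next to the checked form that a defender would use. The header layout, record counts and sample values are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not from the blog post or from libstagefright):
 * a length field from an untrusted media header is used to size a buffer,
 * first with unchecked arithmetic, then with an overflow check. */

/* Wrap a 16-bit signed sum the way the post's "32767 + 1" example
 * describes. The reduction is done in plain int so the wrap is explicit
 * and fully defined rather than relying on signed overflow. */
int16_t wrap16_add(int16_t a, int16_t b)
{
    int r = (int)a + (int)b;            /* exact sum, e.g. 32768 */
    r = ((r % 65536) + 65536) % 65536;  /* reduce modulo 2^16: 0..65535 */
    if (r >= 32768)
        r -= 65536;                     /* map 32768..65535 to -32768..-1 */
    return (int16_t)r;                  /* 32767 + 1 gives -32768 */
}

/* Unchecked: count * elem_size computed in 32 bits. Unsigned arithmetic
 * wraps modulo 2^32, so a huge product silently becomes a small number. */
uint32_t naive_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked: refuse the request when the product would not fit in 32 bits.
 * The division form tests for overflow without ever computing it. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (count != 0 && elem_size > UINT32_MAX / count)
        return false;                   /* would overflow: reject */
    *out = count * elem_size;
    return true;
}

/* Copy 'count' records of 'elem_size' bytes from an untrusted source into
 * a freshly allocated buffer. Returns NULL if the size arithmetic would
 * overflow or memory is unavailable. Had this used naive_alloc_size(),
 * the buffer would be far smaller than the data copied into it: the
 * integer overflow would turn into a heap buffer overflow. */
unsigned char *copy_records(const unsigned char *src, uint32_t count,
                            uint32_t elem_size)
{
    uint32_t total;
    if (!checked_alloc_size(count, elem_size, &total))
        return NULL;
    unsigned char *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, total);
    return buf;
}

/* Self-check: the overflowing (count, elem_size) pair is refused by the
 * checked path, wraps on the naive path, and a sane pair is accepted. */
bool demo(void)
{
    uint32_t ok_size = 0, dummy = 0;
    bool sane = checked_alloc_size(100, 16, &ok_size) && ok_size == 1600;
    /* 65537 * 65536 = 2^32 + 65536, which wraps to 65536 in 32 bits */
    bool wrapped = naive_alloc_size(65537, 65536) == 65536;
    bool refused = !checked_alloc_size(65537, 65536, &dummy);
    return sane && wrapped && refused && wrap16_add(32767, 1) == -32768;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The design point is that the check runs before the product is formed: `elem_size > UINT32_MAX / count` can never itself overflow, whereas testing the result after the multiplication is already too late.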

Update: 25th August 2015: An individual definition of a buffer overflow attack is provided in a more recent blog post. Further mitigations for buffer overflow attacks are also discussed in that post.

Update: 17th September 2015:
A detailed definition of a stack overflow is provided in a more recent blog post. This similar type of overflow can be a useful addition to the explanations of overflows in this post. Thank you.

Aside 2:
What is an integer underflow?

Integer variables within programming languages such as C can generally store numbers in the range -2,147,483,647 to 2,147,483,647, while the range of an unsigned integer is 0 to 4,294,967,295.

If one number is subtracted from another and the result is less than -2,147,483,647, this will cause an integer underflow, since the result cannot be represented correctly and thus will be incorrect when the computer accesses it. This is because only a partial result is stored, since not enough bits are available to represent the full number. If the result is used to access a certain position in an array (called an index), the position accessed will be out of bounds, most likely crashing the program.

An array is a group of memory locations within a program allocated to store data of the same type, e.g. integer, floating point etc. It is similar to having a filing cabinet with multiple folders inside. Arrays store data in folders numbered from 0, e.g. folder0, folder1, folder2 etc. The index mentioned above is the number of the folder being accessed in this example. Arrays are usually accessed using loops within a program.

The above example is for signed integers; however, underflows can also occur with unsigned integers.

In a similar manner to that described for integer overflows, underflows can be used to trigger the execution/running of code of an attacker’s choice.
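As an added C example (not code from this post), here is the underflow case for both the unsigned and the signed integers the aside mentions: a message whose total length is smaller than its own header makes "total minus header" wrap to a huge unsigned value, and a signed subtraction that falls below the 32-bit minimum is caught by performing it in 64 bits first. A bounds-checked array read shows the "folder number" check that stops a bad index from leaving the array. The header size, message lengths and table contents are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed example (not from the blog post): a packet-style message
 * carries a total length; the payload length is "total minus header".
 * When an untrusted total is smaller than the header, the subtraction
 * underflows and the result then indexes far outside the buffer. */

#define HEADER_LEN 8u

/* Unchecked unsigned subtraction: 4 - 8 wraps to 4294967292. */
uint32_t naive_payload_len(uint32_t total_len)
{
    return total_len - HEADER_LEN;
}

/* Checked: refuse any message shorter than its own header. */
bool checked_payload_len(uint32_t total_len, uint32_t *payload_len)
{
    if (total_len < HEADER_LEN)
        return false;
    *payload_len = total_len - HEADER_LEN;
    return true;
}

/* Signed version of the post's example: detect a - b falling below the
 * 32-bit minimum by doing the subtraction in 64 bits. Signed overflow in
 * C is undefined behaviour, so the check must happen before any narrow
 * subtraction, never by inspecting a wrapped result afterwards. */
bool checked_sub32(int32_t a, int32_t b, int32_t *out)
{
    int64_t wide = (int64_t)a - (int64_t)b;
    if (wide < INT32_MIN || wide > INT32_MAX)
        return false;
    *out = (int32_t)wide;
    return true;
}

/* Bounds-checked array read: the index ("folder number") must be a valid
 * position in the array. Returns false instead of reading out of bounds. */
bool read_index(const int *arr, size_t n, int64_t index, int *value)
{
    if (index < 0 || (uint64_t)index >= n)
        return false;
    *value = arr[index];
    return true;
}

/* Self-check: underflowing cases are refused, sane ones are accepted. */
bool demo(void)
{
    static const int table[4] = { 10, 20, 30, 40 };  /* constructed data */
    uint32_t plen = 0;
    int32_t diff = 0;
    int v = 0;
    bool wrapped  = naive_payload_len(4) == 4294967292u;
    bool refused  = !checked_payload_len(4, &plen);
    bool accepted = checked_payload_len(20, &plen) && plen == 12;
    bool sub_bad  = !checked_sub32(INT32_MIN, 1, &diff);  /* below minimum */
    bool sub_ok   = checked_sub32(-5, 3, &diff) && diff == -8;
    bool idx_bad  = !read_index(table, 4, -1, &v) && !read_index(table, 4, 4, &v);
    bool idx_ok   = read_index(table, 4, 2, &v) && v == 30;
    return wrapped && refused && accepted && sub_bad && sub_ok && idx_bad && idx_ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Note that the unsigned case never crashes at the subtraction itself; the damage appears later, when the wrapped length drives a copy or an index, which is why the length must be validated at the point it is parsed.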