Monthly Archives: September 2015

Google Releases Security Update for Chrome

Last Thursday Google released an update for Google Chrome bringing it to version 45.0.2454.101. This update addresses 2 high severity CVEs (defined).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

As always full details of the update were made available by Google in a blog post.

Thank you.

Cisco Releases Scheduled Security Updates For IOS and IOS XE

Earlier this week Cisco released security updates to address authentication bypass and denial of service (defined) security vulnerabilities within Cisco IOS and IOS XE.

Why Should These Issues Be Considered Important?
The SSHv2 RSA authentication bypass vulnerability could allow an unauthenticated remote attacker to obtain the access privileges of the logged-in user or the privileges of the Virtual Teletype (VTY) line, which could be admin privileges. The attacker would however need to know a valid user name and possess a specifically crafted private key. The only workaround to this issue is to disable RSA-based SSHv2 authentication.

Meanwhile a vulnerability in the processing of IPv4 packets that require Network Address Translation (NAT) and Multiprotocol Label Switching (MPLS) services could allow an unauthenticated remote attacker to cause your Cisco IOS XE device to stop functioning (namely a denial of service attack). The attacker would only need to send the device a specifically crafted IPv4 (defined) packet.

This flaw affects the following products:

  • Cisco ASR 1000 Series
  • Cisco ISR 4300 Series
  • Cisco ISR 4400 Series
  • Cisco Cloud Services 1000v Series Routers

Separately 2 vulnerabilities in the IPv6 snooping feature from the first-hop security features in Cisco IOS and IOS XE Software could also cause a denial of service issue. For an attacker to exploit the insufficient validation of IPv6 ND packets they would only need to send the device a malformed IPv6 packet. For the second flaw, the insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets, an attacker would need to send a large amount of specifically crafted IPv6 ND packets to a vulnerable device.

For the vulnerabilities involving the processing of IPv4 and IPv6 (defined) packets, no workarounds are available until the appropriate security updates are installed, apart from disabling the IPv6 snooping feature, which mitigates the 2x IPv6 flaws.

The remaining vulnerabilities affect any Cisco device running IOS and/or IOS XE. As you can see, only the access bypass issue is likely to pose a challenge to a determined adversary; all other issues discussed above could potentially be easily exploited.

How Can I Protect Myself From These Issues?
Within the Cisco security advisory you can use the link provided to access the Cisco IOS Software Checker to determine if your Cisco IOS device is vulnerable to these issues. This security advisory also provides the links to the individual advisories for each vulnerability which contain the steps to install the appropriate updates.

Thank you.

HP Adds Security Features To Enterprise Printer Firmware

Earlier this week HP announced that their range of enterprise class LaserJet printers would include security features to better secure them against external attacks.

The printer models that include these features are the following:

  • HP LaserJet Enterprise M506 series
  • HP LaserJet Enterprise MFP M527 series
  • HP Color LaserJet Enterprise MFP M577 series

In addition, printers manufactured since 2011 should be able to benefit from some of the new security enhancements via a HP FutureSmart service pack update.

The security improvements enable the printers to defend against having their BIOS (defined) updated with a maliciously tampered version. In addition, only known good firmware can be executed (allowed to run/function). Moreover the printers feature a runtime intrusion detection system that prevents malware from being loaded into the printer’s memory.

Such printers can also take advantage of HP JetAdvantage Security Manager software, which allows the IT administrator to enforce a security policy that disables unused access protocols (reducing the possibility of external attack), closes network ports and erases documents stored within the printer’s memory/hard disk to maintain confidentiality. When a printer is rebooted, all of the settings specified within the security policy will be enforced, returning the printer to a known good and compliant state.

More information on these new printer models is available here and here. A link to the firmware updates for older printer models is provided above.

These security enhancements should enhance an enterprise’s security posture by preventing confidential documents from leaving the organization via networked printers or from malware installed on the printer capturing documents sent for printing or stored in the printer’s hard disk or memory. According to HP they are currently the only printer manufacturer to offer these security features but other manufacturers will likely follow suit. These features will make a worthwhile addition to have if you are considering replacing/upgrading your enterprise printer in the future.

Thank you.

Blog Post Shout Out September 2015

Update: 24th November 2015:
Since this blog post was written FireEye have continued to monitor the command and control servers (defined) of XcodeGhost to determine where the devices connecting to these servers are located and to determine if this malware still poses a threat. They have also found an updated version of XcodeGhost that they have named “XcodeGhost S”.

FireEye have worked with Apple to remove an app from the App Store that was found to be infected with this new variant of the malware.

In addition, an app development firm Possible Mobile has detailed in a blog post how their newly updated app that was built with a verifiably legitimate version of Apple Xcode was being rejected by Apple since their app contained the XcodeGhost malware. It was eventually found that while the code written by Possible Mobile was clean, the third party libraries and frameworks used to provide essential functionality within their app were found to contain the infected code. How Possible Mobile resolved this issue, is detailed in their blog post.

How Can I Protect Myself From This Issue?
In addition to the guidance provided within the blog posts linked to below I would recommend the following:

  1. If you are an app developer and are submitting apps to the Apple App Store it may be worthwhile to follow the steps within Possible Mobile’s blog post concerning validating your copy of Apple Xcode and checking any third party libraries for infection.
  2. As detailed in FireEye’s blog post, for all of the apps installed on your Apple devices, ensure they are the latest versions. This Apple Support article explains how to enable automatic app updates. This is important since later versions of apps should not contain this malware. FireEye discovered large numbers of users (exact figures are provided in this FireEye blog post) still using older versions of their apps which still contained the infected code.
  3. If you were using one of the apps removed by Apple from the App Store, uninstall those apps and switch to similar/alternative apps available within the App Store.
  4. Ensure that your Apple device is using the most recent version of iOS that is available for your device. If your device is too old to support iOS 9, this blog post may help to explain your options. Updating to the most recent iOS will ensure that you are not affected by the original version of XcodeGhost. Moreover, iOS 9 and iOS 9.1 contain many fixes for other security vulnerabilities.
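
Step 1 above refers to validating your copy of Xcode. Apple's published check for this (issued in response to XcodeGhost) is `spctl --assess --verbose /Applications/Xcode.app`, which reports a genuine copy as "accepted" with a source of Mac App Store, Apple or Apple System. The script below is an added example, not code from this post or from Possible Mobile; it assumes that two-line output format and treats any other verdict or signing source as untrusted.

```shell
#!/bin/sh
# Added example (not from the original post or from Possible Mobile): interpret the
# result of Apple's documented Xcode validation command:
#   spctl --assess --verbose /Applications/Xcode.app
# Assumption: a genuine copy prints "<path>: accepted" followed by a "source=" line
# naming Mac App Store, Apple or Apple System. Any other source (e.g. a Developer ID
# signature) or a "rejected" verdict means the copy should not be used to build apps.

# xcode_verdict OUTPUT
#   OUTPUT is the full text spctl printed. Prints "trusted" or "untrusted".
xcode_verdict() {
    out="$1"
    # Line 1: "<path>: accepted" or "<path>: rejected ..."
    verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: //p')
    # Line 2: "source=<signing authority>"
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
    if [ "$verdict" != "accepted" ]; then
        echo untrusted; return 1
    fi
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") echo trusted; return 0 ;;
        *) echo untrusted; return 1 ;;   # accepted, but not signed by Apple
    esac
}

# check_installed_xcode [PATH]: run the live check on a Mac (skipped elsewhere)
check_installed_xcode() {
    path="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available on this system; skipping live check" >&2
        return 0
    fi
    xcode_verdict "$(spctl --assess --verbose "$path" 2>&1)"
}

check_installed_xcode
```

A copy that comes back "untrusted" should be replaced with a fresh download from the Mac App Store or Apple's developer site before any further builds are submitted.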

Thank you.

Original Post:
In recent days there has been detailed coverage of a new technique used to tamper with legitimate Apple iOS apps by adding extra code to those apps when they were being compiled (converted from human written source code into a form that a computer can use). That additional code called XcodeGhost was also found to contain a vulnerability that could allow remote access to the infected apps using a man-in-the-middle (MITM) (defined) attack as discussed in the ThreatPost article mentioned below.

In addition, a new technique used by malware authors to install a rootkit (see Aside below for a definition) on a user’s Android smartphone by having them download a popular app has also been discovered.

In order to provide advice and further information on how to protect yourself from these threats I wanted to respectfully give a shout out for the following new articles and blog posts:

I hope that you find these useful in further securing your Apple iOS or Google Android based smartphone from malware.

Thank you.

What is a rootkit?
To provide a comprehensive definition of a rootkit I have chosen to quote from 2 well-known texts on the subject written by Reverend Bill Blunden in his book “The Rootkit Arsenal” (1st edition, Wordware Publishing 2009) and “Rootkits: Subverting the Windows Kernel” by Greg Hoglund and James Butler (Addison-Wesley, 2005). My thanks to them for providing excellent sources of information on this topic:

“A rootkit is a collection of tools (e.g. binaries, scripts, configuration files) that allow intruders to conceal their activity on a computer so that they can covertly monitor and control the system for an extended period of time by maintaining access to the root (defined) account.

While the above definition mentions a computer it still applies equally to smartphones since they run sophisticated operating systems, in this case Google Android.

Mozilla Releases Firefox 41 and Firefox ESR 38.3

Yesterday Mozilla made available Firefox 41 and Firefox ESR (Extended Support Release) 38.3.

Firefox 41 resolves 26 CVEs (defined) and 3 issues (not yet assigned CVEs). When broken down, the severity of these issues is as follows:

  • 6x critical severity CVEs
  • 11x high severity CVEs and 2 high priority issues
  • 8x moderate severity CVEs and 1 moderate issue
  • 1x low severity CVE

Firefox ESR 38.3 meanwhile resolves 17 CVEs and 2 issues (not yet assigned CVEs):

  • 5x critical severity CVEs
  • 10x high severity CVEs and 2 high priority issues
  • 2x moderate severity CVEs

Full details of the security issues resolved by these updates are available in the following links:

Firefox 41
Firefox ESR 38.3

Details of how to install updates for Firefox are here. Mozilla Firefox updates generally install without issues, however as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Apple Releases Security Update for WatchOS

Earlier this week Apple made available a large update for their Apple Watch, bringing its operating system to version 2 from the previous 1.01 released in May.

Full details of this update are available within this Apple knowledge base article.

The update resolves 36 CVEs (defined) and 2 other issues by updating the Certificate Trust Policy and CoreCrypto.

Noteworthy fixes included are as follows:

Apple Pay, CoreCrypto, CFNetwork, CoreText, dyld (dynamic linker), IOKit, watchOS kernel and libpthread

If you own an Apple Watch, please install the appropriate update as soon as possible following Apple’s directions within this support article.

Thank you.

Adobe Releases Flash Player Security Update

Yesterday Adobe published a security bulletin for Flash Player, its web browser plugin, and Adobe AIR, its application runtime. While the reason for releasing this update outside of its usual schedule of the second Tuesday of each month is unknown, Wolfgang Kandek of Qualys offers some possible explanations as to why this update has been released at this time.

This update brings Flash Player to version and resolves 23 CVEs (defined).

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Moreover only Flash Player is installed by the installers included on that page; no additional unwanted software is offered/included.

Users of Google Chrome 45 have also received this update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Microsoft Edge on Windows 10 and Internet Explorer 10 and 11 installed on Windows 8.0 and 8.1 respectively.

I would recommend that if you use Flash Player (you can check if it is installed using this page), that you install the necessary updates as soon as possible. It is only a matter of time before these security issues will be used by exploit kits to install malware/carry out malicious actions.

To add a further layer of protection, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.