Monthly Archives: October 2015

Adobe Shockwave Player Security Update Released

Earlier today Adobe issued a security update for Shockwave Player to address 1 critical CVE (defined). This update brings Shockwave Player to version 12.2.1.171.

If you use Shockwave Player (this page will tell you if it’s installed and, if so, which version), please install the appropriate update by following the steps provided by Adobe in their security bulletin.

Finally you may also be interested in this point (see the heading titled: “Update: 25th September 2015”) raised in a previous blog post concerning how the development pace for Shockwave differs from Adobe Flash.

Thank you.

Apple Releases Security Updates October 2015

On Wednesday of last week Apple made available a large collection of security updates to resolve vulnerabilities across its product range:

=======================

  • Apple OS X Server 5.0.15: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
  • Apple Xcode 7.1: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
  • Mac EFI: For OS X Mavericks v10.9.5.
  • Apple iTunes: For Windows 7 and later (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).
  • OS X El Capitan 10.11.1 and Security Update 2015-007: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple Safari 9.0.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
  • Apple watchOS v2.0.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes.
  • Apple iOS 9.1: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

=======================

Full details on all updates are available on Apple’s Security Updates page. If you wish to prioritize these updates I would suggest beginning with installing the updates for OS X, iOS, watchOS, Safari and OS X Server due to the number and severity of the vulnerabilities that they address.

Noteworthy fixes included are as follows:

OS X Server 5.0.15: Resolves 3 CVEs (defined) with potentially high severity (includes 2 CVEs in ISC BIND).

Apple Xcode 7.1: Addresses a Swift type conversion issue (1 CVE).

Mac EFI Security Update 2015-002: Addresses 1 potentially high severity CVE.

Apple iTunes 12.3.1: Addresses 12 critical CVEs.

Apple OS X El Capitan 10.11.1 and Security Update 2015-007: Addresses 60 CVEs and includes fixes for apache_mod_php, CoreText, EFI, FontParser, Grand Central Dispatch, Graphics Drivers, OS X kernel, OpenGL and OpenSSH (among others).

Apple Safari 9.0.1: Addresses 9 critical CVEs in WebKit (the renderer of Safari).

Apple watchOS v2.0.1: Resolves 14 CVEs which includes fixes for Apple Pay, CoreGraphics, FontParser and Grand Central Dispatch (among others).

Apple iOS 9.1: Includes fixes for 49 CVEs; notable among them are fixes for CoreGraphics, CoreText, FontParser, Grand Central Dispatch, Graphics Driver, iOS kernel, OpenGL and WebKit (among others).

If you use any of the above software, please install the appropriate updates as soon as possible.
As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad especially since the iOS upgrade is a significant one.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Why Your Organization’s Website Should Migrate From SHA-1

Update: 15th March 2017:
The first practical attack against SHA-1 took place in February 2017 and is discussed in a more recent blog post.

Thank you.

=======================
Update: 25th June 2016:
Microsoft have updated their SHA-1 deprecation roadmap to state that from the 12th of July the changes described in that post will be seen for Microsoft Edge, Microsoft Internet and Windows 10 (with the Anniversary update) with regard to how they display the status of SHA-1 certificates. Further details are available within that post.

Thank you.
=======================

Update: 10th January 2016:
As mentioned in a recent blog post Mozilla have needed to re-enable SHA-1 certificates for “man-in-the-middle” (defined) devices due to issues being experienced by companies/organizations using such devices.

In addition, in mid-December Google announced their schedule for phasing out SHA-1. They too are considering moving the deadline forward to 1st July 2016 but have set a hard deadline of the 1st January 2017.

At the end of their blog post announcing this schedule they also provide advice on migrating from SHA-1. It is notable that within Step 2 of their plan they mention they took into account the issue Mozilla encountered (mentioned above; however, Google published that blog post before Mozilla Firefox users encountered that issue and worked around it in advance).

The migration from SHA-1 poses some very difficult issues both for users who cannot upgrade their web browsers before the imposed deadlines and for corporate users who will be unable to make the transition in time (e.g. they are using custom applications that are critical to their business). These issues are discussed here, with a possible workaround being voted upon by the CA/Browser Forum discussed in a separate post.

Thank you.
=======================

Update: 24th November 2015:
Since publishing this blog post last month Mozilla and Microsoft are considering moving forward the deadline for phasing out SHA-1 to the 1st of July 2016. Their decisions have come in light of the recent disclosure of potential attacks on SHA-1 previously discussed within this blog post. The final deadline has not yet been decided but this should be yet another reason to begin planning to move your organization’s website away from using SHA-1.

Thank you.

=======================
Original Post:
=======================
Earlier this month a report was published by a team of researchers which shows that a potential attack on a SHA-1 hash (defined) could take as little as 3 months and cost in the region of USD $75k to $125k. The time and cost necessary are significantly less than the previous 2012 estimates of $700k necessary in 2015 and $173k by 2018.

Why Should This Potential Attack Be Considered Important?
In October 2012 possible attacks on SHA-1 were discussed and estimates were provided of how much time such attacks would take to carry out. Migration away from SHA-1 was suggested at the time. With the publication of the new research this month the need for migration has become more pressing.

An attack against the MD5 hash algorithm in 2012 was used by malware known as Flame to allow the installation of the malware onto PCs by making it “look like” genuine Windows Updates from Microsoft.

This was accomplished by the malware authors making improper use of Microsoft’s Terminal Services licensing certificate authority (CA) (defined). The certificate used to sign the updates was created using the MD5 algorithm (defined). A hash collision attack (defined) was used by the malware authors to make a different signing certificate produce the same hash as that of the genuine signing certificate. This seemingly “genuine” certificate was then used to sign their malware, making it look like those malware files were Windows Updates.

While weaknesses in the MD5 algorithm were used to accomplish this, the same method of attack could potentially be used with SHA-1 to once again make malware look like legitimate/non-malicious files. When I say this, I don’t mean that an attack of this kind could again be carried out against Windows Update but I am referring to the use of SHA-1 in general. It’s not uncommon to see SHA-1 hashes provided when downloading new software or software updates from a software vendor’s website. If those files could be replaced with malware that has an identical hash to that of the legitimate file, the same type of attack could be carried out. You could download the file which would be malware but it would have the same SHA-1 hash as the genuine software.

SHA-1 is not only used for code-signing certificates but also with TLS (defined) secured websites. For example, if a website e.g. example.com has a legitimate certificate, that certificate could potentially be used by an attacker to lend more trust to a website of their choice using a collision attack on SHA-1. Thus when you visit the attacker’s website, malware.com, it would appear to have a legitimate/trusted certificate. If this fake certificate were used in combination with another attack e.g. pharming (defined) (also discussed further in this post), there is the potential for you to visit example.com and actually be taken to the attacker’s website, while example.com would still appear in your web browser’s address bar (and the site would at the same time have a seemingly legitimate TLS certificate, making it appear even more trustworthy).

How Can I Protect Against The Known Weaknesses in SHA-1?
If you would like to check if your website uses a SHA-1 certificate you can visit this website. That site also provides advice on obtaining a newer SHA-2 certificate.

In addition this link provides advice on generating a new TLS SHA-2 certificate. Moreover a list of compatible web browsers, operating systems, web servers, databases, firewalls etc. is provided here. Finally the current planned roll-out phases of SHA-2 are provided here. You may also find that this article provides useful background information and advice. For TLS certificates, the deadline for transition to SHA-2 is currently January 2017.
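The check described above can also be done locally. The following is an added example, not code from this post or from any of the resources it links to: a small Python script that reads a certificate in PEM or DER form, walks only the outer X.509 Certificate structure (tbsCertificate, signatureAlgorithm, signatureValue) and reports the signature algorithm, flagging the SHA-1 based OIDs. The DER walker, the OID table and the constructed `make_fake_cert` fixture (an unsigned stand-in with the same outer layout, so the check can be exercised offline) are all assumptions of this example; nothing here validates the certificate chain.

```python
"""Report the signature algorithm of an X.509 certificate and flag SHA-1.

Added example: a minimal DER walk over the outer Certificate structure
(SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }).
Only the second element is decoded; the certificate is not validated.
"""
import base64
import re
import ssl
import sys

# Dotted OID -> (name, is_sha1_based). Table assembled for this example.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3": ("dsa-with-sha1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value starting at pos: (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """DER OID content bytes -> dotted string (base-128 sub-identifiers)."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def pem_to_der(data):
    """Accept PEM (armored base64) or raw DER bytes and return DER bytes."""
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm(cert_bytes):
    """Return {'oid', 'name', 'sha1'} for the certificate's signatureAlgorithm."""
    tag, cert, _ = _read_tlv(pem_to_der(cert_bytes), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid_content, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_content)
    name, sha1 = SIGNATURE_OIDS.get(oid, ("unknown", None))
    return {"oid": oid, "name": name, "sha1": sha1}


# --- constructed fixture: real outer layout, placeholder contents, unsigned ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fake_cert(sig_oid, pem=False):
    """Constructed stand-in certificate carrying the given signature OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                        # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 5)                                # placeholder signatureValue
    der = _der(0x30, tbs + alg + sig)
    if not pem:
        return der
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python check_sig.py <hostname>  (fetches the site's leaf certificate)
    host = sys.argv[1]
    print(host, signature_algorithm(ssl.get_server_certificate((host, 443)).encode()))
```

Run against a hostname it prints the OID, its name and whether it is SHA-1 based; a result with `"sha1": True` on a public site is the case the post is asking you to migrate away from. Only the leaf certificate is examined, so an intermediate CA certificate signed with SHA-1 would need a separate check of the chain.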

However a ballot with the CA/Browser Forum wishes to extend the issuing of SHA-1 certificates throughout 2016 giving large organizations with too many certificates to switch over during 2016 more time to do so. It appears from this post that this 1 year extension was granted (please see the update below for clarification on this).

Update: 4th January 2016:
I have been contacted in relation to the CA/Browser forum vote and have been informed that Symantec withdrew their ballot and the Baseline Requirements section on SHA-1 is unchanged. Many thanks to Mr. E. Mill for this information.

Update: 7th February 2016:
Qualys in September 2014 published a thorough blog post detailing how to migrate from SHA-1 including what to do should you need to support devices that cannot migrate from SHA-1.

I hope that the above information is useful to any organization or individual wishing to migrate their website’s TLS certificate from SHA-1 to SHA-2.

Thank you.

Popular WordPress Anti-spam Plugin Addresses Critical Security Issue

The website security firm Sucuri earlier this month disclosed a critical issue in Akismet, an anti-spam plugin used by millions of users of the WordPress content management system. Sucuri notified Automattic (parent company of WordPress) of this issue earlier this month and only disclosed the issue after an update was made available.

Why Should This Issue Be Considered Important?
A critical cross-site scripting (XSS) issue (defined) was found within Akismet, caused by how it handles hyperlinks (links to other websites) placed within blog comments. This could allow an unauthenticated attacker (namely an attacker that does not have any prior access to your WordPress website) to insert malicious scripts into the Comments section of the WordPress administration panel, where they would run in an administrator’s browser. The most serious consequence of this would be a full website compromise. Further details of this vulnerability are provided within Sucuri’s advisory.
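The general pattern behind this class of bug is a commenter-supplied link being written into the admin page’s markup without encoding. The following is an added illustration in Python, not Akismet’s code and not taken from Sucuri’s advisory: the sample comments, the `render_link_vulnerable` and `render_link_hardened` functions and the scheme allow-list are all constructed for this example. It shows the raw-interpolation pattern beside a hardened renderer that validates the URL scheme and HTML-encodes everything it writes.

```python
"""Rendering a commenter-supplied link: injectable pattern beside a hardened one.

Added example, not code from the plugin or the advisory. The comments below are
constructed; the second and third are the kind of input a reviewer would test with.
"""
import html
from urllib.parse import urlsplit

# Constructed sample comments as a comment form might hand them to a renderer.
SAMPLE_COMMENTS = [
    {"author": "alice", "url": "https://example.com/blog"},
    {"author": "bob", "url": 'https://example.com/"><script>alert(1)</script>'},
    {"author": "carol", "url": "javascript:alert(document.cookie)"},
]

# Only web links are ever rendered as clickable; everything else is dropped.
ALLOWED_SCHEMES = {"http", "https"}


def render_link_vulnerable(comment):
    """Straight string interpolation: whatever the commenter typed lands in the page.

    A quote in the URL closes the href attribute and the rest becomes markup that
    runs in the browser of whoever views the comment list (here: the admin panel).
    """
    return '<a href="%s">%s</a>' % (comment["url"], comment["author"])


def safe_url(url):
    """Return the URL if it is an absolute http(s) URL with a host, else None."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_link_hardened(comment):
    """Validate the scheme, then HTML-encode both the attribute and the text node."""
    author = html.escape(comment["author"], quote=True)
    url = safe_url(comment["url"])
    if url is None:
        return "<span>%s</span>" % author            # keep the name, drop the link
    return '<a href="%s" rel="nofollow">%s</a>' % (html.escape(url, quote=True), author)


def render_all(comments, renderer):
    """Render a list of comments with the given renderer (used for the comparison)."""
    return [renderer(c) for c in comments]


if __name__ == "__main__":
    for before, after in zip(render_all(SAMPLE_COMMENTS, render_link_vulnerable),
                             render_all(SAMPLE_COMMENTS, render_link_hardened)):
        print("vulnerable:", before)
        print("hardened:  ", after)
```

With the second sample comment the vulnerable renderer emits a live `<script>` element; the hardened one emits `&quot;&gt;&lt;script&gt;` inside the attribute, which the browser treats as text. The third comment never becomes a link at all because `javascript:` is not an allowed scheme. Encoding at output time is what makes the difference; filtering the input alone would not survive the next place the value is written.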

How Can I Protect Myself From This Issue?
Please update to version 3.1.5 of Akismet using the steps provided in this Akismet blog post.

Thank you.

Oracle Releases Security Updates Across Its Product Range

Yesterday Oracle made available security updates for 54 of their products resolving 154 security issues. The full list of affected products is available here.

The update for Oracle Java resolves a second security vulnerability being used by the malicious hacking group known as Pawn Storm (another flaw being exploited by them was fixed by Adobe last week). The first flaw in Java was resolved by Oracle in July. Further details of the second flaw are available in this Trend Micro blog post. A set of suggested practices for using Java on your computer is provided here.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Netgear Releases Router Firmware Update Addressing Security Issues

Early last week Netgear issued a firmware update for some of their consumer broadband routers. This update resolves 2 critical vulnerabilities (1x command injection vulnerability and 1x authentication bypass vulnerability).

Affected Routers (authentication bypass vulnerability):

  • JNR1010v2
  • JNR3000
  • N300
  • R3250
  • WNR614
  • WNR618
  • JWNR2000v5
  • WNR2020
  • JWNR2010v5
  • WNR1000v4
  • WNR2020v2

Affected Routers (command injection vulnerability):

  • JWNR2010v5
  • JWNR2000v5

Why Should These Issues Be Considered Important?
By default the affected routers’ administrative interface can be accessed by any user on the same internal network as the router. If WAN administration is enabled (a setting that allows anyone outside of your network to reach your router’s administrative interface) the above mentioned authentication bypass vulnerability is even more serious, since a remote attacker could access your router’s admin interface without needing a username or password.

The command injection vulnerability could allow an attacker to have your router execute a command of their choice, e.g. performing a file listing.
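Command injection in a router’s web interface typically comes from a form field (a host to ping, say) being pasted into a shell command line. The following is an added example in Python, not Netgear firmware code and not derived from the advisory: the `build_ping_command_vulnerable`, `validate_target` and `build_ping_argv` functions and the sample inputs are constructed for illustration. It contrasts the shell-string pattern with one that validates the field against the shape of a hostname or IP address and passes it as a single argv element with no shell involved.

```python
"""A 'ping this host' admin handler: injectable pattern beside a hardened one.

Added example, not code from any router firmware. The inputs in SAMPLE_INPUTS
are constructed; the third mirrors the 'file listing' case mentioned in the post.
"""
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and inner hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed form-field values as a diagnostics page might receive them.
SAMPLE_INPUTS = ["192.0.2.1", "router.example", "192.0.2.1; ls /", "$(id)", "2001:db8::1"]


def build_ping_command_vulnerable(target):
    """Builds a shell command line from the raw field.

    Run with a shell (os.system / subprocess with shell=True), a ';', '|' or '$()'
    in the field turns into a second command executed with the server's privileges.
    """
    return "ping -c 1 " + target


def validate_target(target):
    """Accept an IPv4/IPv6 literal or a DNS hostname; reject everything else."""
    target = target.strip()
    try:
        ipaddress.ip_address(target)       # raises ValueError if not an IP literal
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid target: %r" % target)


def is_valid_target(target):
    """Boolean form of validate_target for callers that only need yes/no."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target):
    """Hardened form: validated value becomes exactly one argument, no shell parsing."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target, timeout=10):
    """Execute the hardened form; returns ping's exit status."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print("%-18r vulnerable -> %r" % (value, build_ping_command_vulnerable(value)))
        print("%-18s hardened   -> %s" % ("", build_ping_argv(value) if is_valid_target(value) else "rejected"))
```

The third and fourth sample values are rejected before any process is started, while the vulnerable builder happily returns a command line that a shell would split into two commands. Validation alone is not the fix; the argv form is what guarantees the value can never be interpreted as shell syntax, and the validation then limits what ping itself sees.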

How Can I Protect Myself From These Issues?
If you own any of the affected routers listed above, please apply the update if one is already available for your router. If not, check whether updated firmware that corrects these issues has been released for your router. If no corrected version is available it would be advisable to contact Netgear to determine if an update is planned. They may also be able to supply steps to mitigate the issues if no update is planned.

Netgear has issued updated firmware for some of the affected routers:

  • JNR1010v2
  • WNR614
  • WNR618
  • JWNR2000v5
  • WNR2020
  • JWNR2010v5
  • WNR1000v4
  • WNR2020v2

Please follow the instructions within the Netgear knowledgebase article linked above to install the updated firmware.

Thank you.

Detecting and Removing Apple iOS YiSpecter Malware

Early this month news of a new malware threat for Apple iOS devices (iPhone and iPad) began to circulate. This threat has been named YiSpecter by Palo Alto Networks.

This threat has been seen primarily in East Asia, particularly in China and Taiwan. However the method of infection and its effects could easily be used by other threats in the future, and thus Apple iOS users should take the appropriate precautions which I discuss below.

Why Should This Threat Be Considered Important?
This threat is distributed from a number of different places (my thanks to Symantec for the full list of where this threat originates from):

  • Hijacked Internet Service Provider (ISP) Traffic causing websites to redirect to another page where the threat is downloaded
  • Forums
  • Social media
  • Alternative App Stores

The threat allows an adversary to perform a range of actions of their choice namely by first installing a backdoor (defined) and installing adware (defined here and here). The backdoor provides the malware authors with the following capabilities:

  • Download and install fraudulent apps (that appear to be legitimate iOS system apps)
  • Change Apple Safari bookmarks to all point to a link specified by the command and control server (see Aside below for a definition) of this malware
  • Uninstall apps
  • Display adverts within installed apps
  • Change your default search engine
  • Steal information about you

This malware can infect both jailbroken (defined) and non-jailbroken Apple devices. This is possible since it makes use of a legitimate means of app installation normally used by large corporations to allow their employees to install customized corporate apps that are not otherwise available in the official Apple App Store. Such apps are not checked by Apple and can thus have the potential to incorporate malicious functionality (that would otherwise be blocked/not allowed by Apple).

Through the malware’s use of private APIs (Application Programming Interfaces) (defined) the malware can install malicious apps of its choice without notifying the user. Private APIs are a means of using functions within Apple iOS that Apple has not publicly documented since such functions are not considered stable, meaning that these functions are not guaranteed to still be present in future releases of the iPhone SDK or that they may work slightly differently than before.

These malicious apps can replace legitimate apps with malicious versions of the same name (by installing the legitimate apps). These private APIs are also used to show adverts within apps not known to the malware. Finally such private APIs are used to gather a list of the installed apps on your phone.

How Can I Protect Myself From This Threat?
If you suspect that your iPhone is infected with this malware e.g. you have seen full screen adverts when using apps on your phone, please follow the steps provided at the end of this Palo Alto Networks blog post to manually remove this threat.

As mentioned by Palo Alto Networks the most effective means of avoiding infection by this threat is to only download apps from the official Apple App Store and not to trust unknown app developers. However they also acknowledge that this will prevent most infections (from similar threats) but not all.

In addition, Apple has confirmed that Apple iPhone users with iOS version 8.4 and later are not vulnerable to this threat. However it would still be recommended to use the most recent iOS update to benefit from the security improvements that it includes. iOS 9.0 and later will also make the installation of this malware a more deliberate action on your part and thus you are less likely to install the malware inadvertently. This change involves manually setting a related provisioning profile to “trusted” in the Settings menu before you can install enterprise/corporate provisioned apps rather than simply choosing “OK” when you are about to launch the app. The latest iOS at the time of writing is 9.0.2.

I hope that the above information and suggestions are useful in removing this threat if you have been affected by it and in preventing this threat from being installed on your Apple device in the first instance.

Thank you.

=======================
Aside:
What is a command and control server?

When malware can be controlled remotely by its author, that control is usually carried out using a server.

The command and control server (sometimes shortened to the “C2” server) allows the malware author to administer the devices under their control in a convenient manner. This control can include issuing commands to multiple devices to carry out an action at a desired time. Examples would be changing the type of data being collected by the malware (if the malware has this capability), requesting the malware to send all of its collected data back to the server for later review, uninstalling the malware, and updating the malware to provide it with more capabilities of the author’s choice.

Command and control servers are usually separate to the devices they control. The servers communicate with the controlled device using a customized protocol.
=======================