Monthly Archives: November 2015

Blog Post Shout Out (late November 2015)

In recent weeks the security firm Malwarebytes have encountered an updated variant of the Vonteera adware (see Aside below for a definition).

This updated variant uses a technique that involves certificates (which were also discussed in a recent blog post) in an effort to prevent anti-malware software from removing this adware from an affected device.

Within the blog post mentioned below, Malwarebytes detail how to bypass the protection technique used by the Vonteera adware so that you can remove this threat from your computer:

Vonteera Adware Uses Certificates to Disable Anti-Malware by Pieter Arntz (Malwarebytes)

If you or anyone you know is affected by this adware, the above mentioned blog post should be of assistance in removing this threat.

Thank you.

What is adware?

Adware is software that is either a program on your computer that displays adverts to you or changes your web browser home page to a website it wishes to promote. Such adware can collect personal information without your consent and send it back to a particular company/entity. A complete definition of adware is provided here.

Dell Inadvertently Ships Root Certificates With System Tools

Earlier last week it was discovered that the computer manufacturer Dell had mistakenly included a preinstalled root certificate (named eDellRoot), together with the private key (defined) that was used to create that certificate, with a Dell support tool called DFS (Dell Foundation Services) that is used to assist customers in a more efficient manner. Dell’s explanation for the purpose of this certificate was that “it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers.” (Source).

A root certificate is a certificate belonging to a Certificate Authority (defined); it is what an operating system or web browser relies on to determine whether the TLS certificate being used by a website can be trusted.

In addition, a second certificate (named DSDTestProvider) was found to be included with another Dell tool, namely DSD (Dell System Detect) which users are prompted to install when they visit the Dell support website and click the button to detect the type of Dell product they are using.

Why Should The Inclusion Of These Certificates On My Dell Device Be Considered Important?

Since the private keys for these certificates were also bundled with them (a severe deviation from best practice), they could be used by attackers to generate fake certificates for any website of their choice which would be accepted as legitimate by affected Dell systems. Attackers using these certificates could then decrypt the secured connections to those sites using the private keys. An example of a man-in-the-middle attack (defined) that could be carried out against affected devices in this way is presented in this blog post.

These certificates could also be used to digitally sign malware and make it appear legitimate. If malicious drivers were signed using these certificates they could also bypass driver signature verification within 64 bit versions of Windows.

Which Dell Systems/Devices Are Affected By These Issues?
The following systems are reported to be affected: the XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647, and the Precision M4800.

The Dell Foundation Services certificate may also be present on laptops, desktops, two-in-ones, all-in-ones, and towers from various Dell product lines, including XPS, Vostro and Precision Tower, OptiPlex and Inspiron since it is available to download for all of those devices.

According to this post, further Dell systems are also affected. My thanks to ComputerWorld and Lucian Constantin for this information.

How Can I Protect Myself From These Issues?
First of all, you can check if your Dell device is affected by this issue by visiting this website (my thanks to Graham Cluley for this link). US-CERT have also provided a website to check if your system is affected by these issues and have provided a comprehensive set of steps to resolve these security issues.

Moreover, Microsoft have updated their anti-malware tools to detect and remove these certificates. Further details are available here.

Were you affected by this issue? If so, how did you resolve it? Were the above steps useful to you? As always if you have any questions or comments about this post or any other, please do not hesitate to contact me.

Thank you.

Possible Future Security Improvements For Adobe Flash Player In Development

Update 21st February 2016:
In late December 2015 Adobe discussed in a blog post the increasing use of extra security mitigations (defined within this post) being added to Flash Player as a result of their work with the Google Project Zero team and Microsoft’s research team.

Adobe are gradually introducing these mitigations to allow for feedback/suggestions to be used to improve the newly added and soon to be added mitigations. Moreover, as Adobe points out, continually changing the code of Flash Player by adding these security features makes it harder for attackers to obtain consistently working exploits for use within exploit kits (defined).

As discussed in a previous blog post, mitigations were added to Vector objects to make exploiting use-after-free (defined) vulnerabilities more difficult. This work has been extended to ByteArrays. Adobe also extended their heap isolation (more information in this post) work in December’s Flash Player update.

In addition, in mid-2015 Adobe added Control Flow Guard (CFG) (defined) protection to protect the code generated by their Just-In-Time (JIT) compiler (defined). As I mentioned in a previous post, CFG was added to Flash Player in 2014 and a bypass was quickly found. I’m not stating that CFG protection isn’t worthwhile, just that, like any security technology, it is not perfect; it does add extra effort on the part of the attacker to bypass, making it a worthy/welcome addition.

In Adobe’s conclusion of their post they mention that further improvements will be made available in 2016. I will update this post as those security improvements become available.

Thank you.

Original Post:
On the 10th of November Adobe released a security update for Flash Player to address 17 security issues (CVEs, defined). Among these issues was a use-after-free (defined) issue (designated CVE-2015-7663) responsibly disclosed (defined) to Adobe by security firm Endgame.

Endgame have since detailed in a blog post 2 new techniques/defensive measures that they have developed with a view to having these included in future versions of Flash Player.

How Do These New Techniques Work?
Adobe’s recently added security mitigations (defensive measures used to harden against attack) focus on a commonly used object (Vector objects) within the ActionScript language used by Flash Player. This type of object is only one class of object and, as Endgame mentions, attackers will simply move on to find another type of object that does not include such defences and work to exploit it (indeed attackers have developed a bypass to the security mitigations introduced by Adobe earlier this year, which has been analysed by Trend Micro).

Endgame’s approach is to apply heap (defined) isolation to as many objects as possible rather than only to commonly exploited objects. A use-after-free issue relies on the fact that an attacker can place an object of their choice into the space/gap in computer memory that was previously allocated for another object and direct the target program/application to access that specifically placed object. The isolation mitigation developed by Endgame seeks to only allow the original object, rather than one of the attacker’s choice, to be re-allocated into that space, which breaks the principle behind a use-after-free issue and renders it ineffective for exploitation.

Since Flash Player incorporates commonly used defences such as DEP and ASLR (references discussing DEP are provided here (see “References” at the end of the post), while ASLR is discussed here and here (see “References” at the end of the post)), attackers generally seek to bypass these mitigations using a technique known as Return Oriented Programming (ROP) (defined).

However, to do this the attackers must change the sequence of steps being carried out by the target application. For example, instead of carrying out instructions 1, 2 and 3, the attackers will have the program jump within the program (similar to jumping position to the front of a queue of people so that you are next to be served) to instructions of the attacker’s choice.

Moreover, Endgame has developed a technique to detect when this jump is carried out without the need for making extensive changes to the target program/application. When such a jump is detected, a message can be displayed allowing the person using the computer to abort what the program is doing or to continue. This technique is similar in approach to Control Flow Guard (CFG) introduced by Microsoft with Visual Studio 2015. CFG was discussed in a past blog post of mine.

As mentioned at the end of my previous blog post on Adobe Flash Player mitigations, it is always welcome to see such improvements being made in an effort to thwart attackers since it raises the bar attackers must clear to successfully compromise their intended targets.

I very much hope that these mitigations are effective (if only for a short time against attackers). As before, I don’t mean this in an offensive manner: no mitigation is perfect, and these new mitigations were designed to make it harder, not impossible, for exploits to occur (as mentioned by Trend Micro at the end of a blog post written last month).

Thank you.

Lenovo System Update Patched Against Security Issues

On the 25th of November, 2 elevation of privilege (defined) security issues (CVEs, defined) were discussed by security firm IOActive relating to Lenovo’s System Update application. This application is used to automatically download and install updates from Lenovo for systems such as ThinkPads and ThinkStations (among others).

Why Should These Issues Be Considered Important?
If an attacker were to use the first issue responsibly disclosed (defined) by IOActive, they could have opened Internet Explorer with administrative privileges. As discussed by IOActive, these additional privileges could then be used by an attacker to obtain System level privileges over the affected system, giving them complete control over it.

The second issue relates to how a temporary Windows administrative account is created and used by System Update, specifically how its username and password are generated. The username contains a sequence of characters (otherwise known as a string) that is predictable. The password for the temporary account can be generated using 1 of 2 methods; it is the second method that has also been found to be predictable. If an attacker were to exploit this second issue they could potentially obtain administrative privileges over the affected system.

How Can I Protect Myself From These Issues?
Lenovo have released a security advisory that contains details on how to obtain the most recent version of System Update that addresses these issues. If you have Lenovo System Update installed, I would recommend installing the most recent version of System Update as soon as possible in order to protect yourself from these issues.

Thank you.

VMware Security Updates Address Information Disclosure Vulnerability

In the middle of last week VMware issued security updates for the following products:

VMware vCenter Server
VMware vCloud Director
VMware Horizon View

These updates address 1x information disclosure security vulnerability (CVE, defined). This vulnerability was responsibly disclosed (defined) by security researcher Matthias Kaiser from Code White.

Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability which could be used to leak the contents of sensitive files on your network, this issue should be patched as soon as possible.

This issue occurs because the XML (defined) parser (a program that analyzes data in a structured manner in order to create meaning from it) contained within Apache Flex BlazeDS 4.7.0 (and earlier), when passed a specially crafted request parameter (a value to be placed into a program before it carries out a task), could be used to access the contents of a file on your network.

An example of the path (a means of locating/looking up a file starting from the root (beginning) of a file system and progressing towards the desired file) to such a file is shown on the final line of the first code snippet (paragraph) with the title “Disclosing /etc/passwd or other targeted files” of this article from OWASP.

Here /etc/passwd is the password file of a Linux/Unix system that stores hashed (defined) user account credentials. Such an attack is called an XML External Entity (XXE) attack (defined). Most importantly, Code White, within a blog post discussing this issue, describe the issue as easy for an attacker to exploit.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

OWASP also list best practices to avoid XXE attacks in general with examples for many popular programming languages.
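As an added illustration of that OWASP guidance (example code written for this post, not code from BlazeDS or VMware), the following Python snippet applies both defences to a constructed request of the kind described above: it refuses any DTD up front, and it parses with external general entities disabled so that a SYSTEM entity can never be resolved to a file. The request body, entity name and file path are constructed placeholders.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample request body (not captured from BlazeDS): it has the
# shape of the XXE payload the OWASP article referenced above describes. An
# internal DTD declares an external general entity that points at a file,
# and the body references that entity. The path is a placeholder; with the
# hardened parser below it is never opened.
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/path/to/sensitive-file">
]>
<request><param>&leak;</param></request>"""

# Constructed benign request of the same shape, with no DTD at all.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<request><param>hello</param></request>"""


def contains_dtd(data: bytes) -> bool:
    """First line of defence: a request parameter has no legitimate need
    for a DOCTYPE, so any DTD is grounds to reject the request outright
    (OWASP's preferred fix is to disallow DTDs completely)."""
    return b"<!DOCTYPE" in data


class _TextCollector(ContentHandler):
    """Collects the character data the parser actually produces."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def handle_request(data: bytes, reject_dtd: bool = True) -> dict:
    """Parse an XML request parameter defensively.

    Returns {"accepted": bool, "param": str}. With reject_dtd=True any
    DOCTYPE is refused before parsing. Even with that gate switched off,
    external general entities are disabled, so a SYSTEM entity is never
    resolved and the file it names is never read: the entity reference
    simply expands to nothing.
    """
    if reject_dtd and contains_dtd(data):
        return {"accepted": False, "param": ""}

    parser = xml.sax.make_parser()
    # Second line of defence: never fetch external general entities.
    parser.setFeature(feature_external_ges, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return {"accepted": True, "param": "".join(collector.parts).strip()}


if __name__ == "__main__":
    print(handle_request(BENIGN_REQUEST))                 # accepted, param "hello"
    print(handle_request(XXE_REQUEST))                    # rejected by the DTD gate
    print(handle_request(XXE_REQUEST, reject_dtd=False))  # accepted, param ""
```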

Thank you.

Wireshark Releases Major New Version

On Wednesday of last week, the Wireshark Foundation released a major new update for their very popular open source packet analyzer, Wireshark. This project has now reached version 2.0.0.

While this version does not include any security related fixes it does include a large amount of general bug fixes and introduces a new look to the program. A full list of changes is available here in the release notes. A summary of changes can be found in Gerald Combs’ blog post. A video introduction to this version is available here.

As mentioned in the release notes, the traditional look and feel (interface) of version 1.12 (and earlier versions) will be removed in version 2.2. Since it is likely that future security fixes will only be made available for version 2.0.0 and newer, if you use Wireshark you should begin testing this new version before using it more widely for day to day activities.

For Linux distributions this update can be obtained using the operating system’s standard package manager (if the latest version is not installed automatically you can instead compile the source code). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

As always, if Wireshark is installed on a critical production system or systems that contain your critical data, please back up your data before installing this update in order to prevent data loss in the rare event that an update causes unexpected issues.

Thank you.

Microsoft Updates Edge Browser To Harden Against DLL Injection

On the 12th of November Microsoft began rolling out Windows 10 Build 10586 (also known as Version 1511). This was the first major update made available for Windows 10. Included in this update was an improved version of Microsoft Edge, the default browser of Windows 10.

For most consumers, this update will be delivered automatically to their PCs. For businesses and large organizations using the new Windows Update for Business they should be able to choose a time when they wish to deploy this update more widely to the company’s employees.

What’s The Main Security Improvement in This Update?
In the updated version of Microsoft Edge, known as EdgeHTML 13, DLLs (Dynamic Link Libraries, defined) are no longer permitted to load within Edge. DLLs are loaded into a Windows application using a technique known as DLL injection. The technique of DLL injection is explained in more detail here and here. It is this technique that Edge has been hardened against, to prevent it from succeeding.

Why Was This Change Made?
If an unauthorized DLL is loaded into a web browser, it can do such things as displaying unwanted adverts (such as the type previously discussed by Google) or installing unnecessary toolbars that may attempt to redirect your web searches from your preferred search engine to another search engine in order to benefit from increased usage (and possibly increased revenue when adverts are displayed among those search results). Such unwanted adverts and/or toolbars annoy and distract users and make their web browser less user friendly.

If I’m a Microsoft Edge user, how will this benefit me?
If you like using Microsoft Edge on Windows 10, this change will mean that it will be harder for adware and malware to be loaded into your browser either for malicious purposes or to simply display adverts. This means that your web browser is more likely to work the way you prefer and you can simply concentrate on achieving what you would like to do.

I welcome this change which makes every day browsing for Microsoft Edge users safer. Thank you.

Microsoft Patches Windows Authentication Vulnerability Used To Bypass BitLocker Encryption

During Microsoft’s scheduled release of security updates earlier this month, they issued an update MS15-122 to resolve a security vulnerability responsibly disclosed (defined) to them by security researcher Ian Haken of Synopsys Inc.

How Does This Flaw Work?
Apologies, but this explanation is as short as I can make it while explaining what’s happening as we go along:

This authentication bypass succeeds since an artefact used by the Kerberos protocol (defined) is used for malicious intentions.

In a standard scenario where a legitimate user logs on to their organization’s domain using their device, their hashed password (defined) is checked against the corresponding password hash stored on the domain controller (defined). However, when the user is away from the office and cannot connect to the domain controller, the user’s hashed credentials (stored within the device) are used to log them on to their device.

A machine/device hashed password is also created and stored on the device. This device password is a defence in depth measure (defined) (PDF) used to prevent a scenario such as a stolen laptop being connected to a purposefully created domain controller in order to access the contents of the stolen device. Since the domain controller would not have any corresponding device password for this stolen device (i.e. it has no prior knowledge of this device), the device remains secure since the attacker can’t log on to it.

However, in a similar manner to the user’s password mentioned above, this check of the device password with the domain controller can’t happen if the legitimate user is away from the office. This fact is exploited by this authentication bypass to access the contents of the device.

As discussed above, a purposefully created domain controller can be set up by the attacker with the same account name used by the owner of the device (this name can be obtained by just looking at the login username on the screen of the device or by using a man-in-the-middle attack (defined) to sniff the network (obtain information from passing data packets on a network connection), since DNS and Kerberos send the account username in plaintext (not encrypted)). The attacker also creates a corresponding password for the user’s account on the domain controller that has a creation date many years in the past (in the example code provided on page 8 within this report (PDF), the year 2001 was used).

If the attacker were to connect the device to the newly created domain controller (which is under their control) and try to log on as mentioned above, the logon should fail since the domain controller would not have any prior knowledge of that device (no corresponding machine password would be present on the controller). But this check never happens because the account password is checked first and, as we will see below, this account password check will eventually succeed (it was never anticipated that the account password could be changed), resulting in the device being unlocked.

Next, the attacker enters the password they set earlier using the code mentioned above. The password is rejected since it’s very old (the domain controller the device is connected to informs the device of this) and the attacker is asked to set a new password; once they do so, they have access to the device and all the data it contains. The device unlocked the encrypted drive since it received the correct password and did not detect that anything was wrong.

Why Should This Issue Be Considered Important?
In order for this attack to succeed, the following must hold:

  • The Windows device to be attacked has been joined to a Windows domain (defined) and a legitimate user from that domain has previously successfully logged in.
  • Microsoft Windows BitLocker is enabled without pre-boot authentication, i.e. no PIN or USB drive is required for the Windows login password prompt to be displayed. This is often the case since it’s more convenient for the users of the device to log in.
  • The attacker has physical access to the target device for a short period of time.

This attack can be executed in a matter of seconds using a set of commands based on the example within page 8 of this report (PDF).

How Can I Protect Myself From This Issue?
You should ensure that all of your Microsoft Windows devices have the update mentioned in Microsoft’s security bulletin MS15-122 installed. This update resolves the issue discussed above.

I recommend installing this update as part of the scheduled November Microsoft updates discussed in a recent blog post. The steps for installing this update and the other November updates are also provided in that blog post.

Thank you.

Blog Post Shout Out (mid November 2015)

Late last week, the security firm CyberArk published a blog post summarizing the findings of a report they have written:

What percentage of your Windows network is exposed to credential theft attacks? By Amy Burnis (CyberArk)

This report details the consequences that can result when an attacker compromises a Microsoft Windows based computing device within your organization’s network and then uses the credentials of the person logged into that device to access further Windows devices and data within your network.

If an attacker can use privileged credentials to laterally traverse a network (i.e. move from device to device compromising more and more credentials as they do so), eventually the attackers can obtain the credentials of a Windows Domain Administrator account (used to administer your Windows Server based domain controller (defined)), with these the Windows based devices on your network can be completely taken over by an attacker.

This method of attack used to obtain privileged credentials is known as a Pass-the-Hash (PtH) attack. Mitigations to protect against Windows credential theft attacks are discussed on pages 10 and 11 of CyberArk’s report.

I hope that the mitigations and advice discussed in the report mentioned above assist with hardening your organization against such attacks.

Thank you.

Further Google Android Stagefright Vulnerabilities Patched

Update: 10th January 2016:
Further updates addressing newer issues within libstagefright have been made available. Please see this more recent blog post for details.

Thank you.

Original Post:
In early November Google began rolling out an update to its Android smartphone operating system to resolve 7 CVEs (defined) (2x critical severity, 4x high severity and 1x moderate severity). This update brings Android to build version LMY48X. The newest version of Android, version 6.0 (known as Marshmallow), also includes these fixes if its patch level is dated the 1st of November or later. This update includes 4 fixes relating to more vulnerabilities in Stagefright (discussed in a previous blog post).

Why Should These Issues Be Considered Important?

The 4 issues related to Stagefright were assigned critical and high severity by Google. Such critical flaws could allow an attacker to have the device carry out any instruction they wish (otherwise known as remote code execution). Google provides more specifics in its Google Groups post, which notes that attackers could try to exploit these flaws when playing back media in a web browser or via an MMS message (defined).

How Can I Protect Myself From These Issues?
Fixes for these issues began to be made available on the 5th of November to Google Nexus devices. Manufacturers such as Samsung received these updates on the 5th of October.

As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in my previous post on Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.

Thank you.