Monthly Archives: November 2015

Blog Post Shout Out (late November 2015)

In recent weeks the security firm Malwarebytes have encountered an updated variant of the Vonteera adware (see Aside below for a definition).

This updated variant uses a technique that involves certificates (which were also discussed in a recent blog post) in an effort to prevent anti-malware software from removing this adware from an affected device.

Within the blog post mentioned below, Malwarebytes detail how to bypass the protection technique used by the Vonteera adware so that you can remove this threat from your computer:

Vonteera Adware Uses Certificates to Disable Anti-Malware by Pieter Arntz (Malwarebytes)

If you or anyone you know is affected by this adware, the above mentioned blog post should be of assistance in removing this threat.

Thank you.

What is adware?

Adware is software that is either a program on your computer that displays adverts to you or changes your web browser home page to a website it wishes to promote. Such adware can collect personal information without your consent and send it back to a particular company/entity. A complete definition of adware is provided here.

Dell Inadvertently Ships Root Certificates With System Tools

Earlier last week it was discovered that the computer manufacturer Dell had mistakenly included a preinstalled root certificate (named eDellRoot), together with the private key (defined) used to create that certificate, with a Dell support tool called DFS (Dell Foundation Services), which is used to assist customers in a more efficient manner. Dell’s explanation of the purpose of this certificate was: “it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers.” (Source).

A root certificate is a certificate belonging to a Certificate Authority (defined); an operating system or web browser uses the root certificates it trusts to determine whether a TLS certificate presented by a website can be trusted.

In addition, a second certificate (named DSDTestProvider) was found to be included with another Dell tool, namely DSD (Dell System Detect), which users are prompted to install when they visit the Dell support website and click the button to detect the type of Dell product they are using.

Why Should The Inclusion Of These Certificates On My Dell Device Be Considered Important?

Since the private keys for these certificates were also bundled with them (a severe deviation from best practice), they could be used by attackers to generate fake certificates for any website of their choice, which would be accepted as legitimate by affected Dell systems. Attackers using these certificates could then decrypt the secured connections to those sites using the private keys. Another attack that could be used against affected devices in this instance, a man-in-the-middle attack (defined), is presented in this blog post.

These certificates could also be used to digitally sign malware and make it appear legitimate. If malicious drivers were signed using these certificates, they could also bypass driver signature verification within 64-bit versions of Windows.

Which Dell Systems/Devices Are Affected By These Issues?
The following systems are reported to be affected: the XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647, and the Precision M4800.

The Dell Foundation Services certificate may also be present on laptops, desktops, two-in-ones, all-in-ones, and towers from various Dell product lines, including XPS, Vostro and Precision Tower, OptiPlex and Inspiron since it is available to download for all of those devices.

According to this post, further Dell systems are also affected. My thanks to ComputerWorld and Lucian Constantin for this information.

How Can I Protect Myself From These Issues?
First of all you can check if your Dell device is affected by this issue by visiting this website (my thanks to Graham Cluley for this link). US-CERT have also provided a website to check if your system is affected by these issues and have provided a comprehensive set of steps to resolve these security issues.

Moreover, Microsoft have updated their anti-malware tools to detect and remove these certificates. Further details are available here.

Were you affected by this issue? If so, how did you resolve it? Were the above steps useful to you? As always if you have any questions or comments about this post or any other, please do not hesitate to contact me.

Thank you.

Possible Future Security Improvements For Adobe Flash Player In Development

Update 21st February 2016:
In late December 2015 Adobe discussed in a blog post the increasing use of extra security mitigations (defined within this post) being added to Flash Player as a result of their work with the Google Project Zero team and Microsoft’s research team.

Adobe are gradually introducing these mitigations so that feedback and suggestions can be used to improve both the newly added and the soon-to-be-added mitigations. Moreover, as Adobe points out, continually changing the code of Flash Player by adding these security features makes it harder for attackers to obtain consistently working exploits for use within exploit kits (defined).

As discussed in a previous blog post, mitigations were added to Vector objects to make exploiting use-after-free (defined) vulnerabilities more difficult. This work has been extended to ByteArrays. Adobe also extended their heap isolation work (more information in this post) in December’s Flash Player update.

In addition, in mid-2015 Adobe added Control Flow Guard (CFG) (defined) protection to protect the code generated by their Just-In-Time (JIT) compiler (defined). As I mentioned in a previous post, CFG was added to Flash Player in 2014 and a bypass was quickly found. I’m not stating that CFG protection isn’t worthwhile, just that, like any security technology, it is not perfect; it does add extra effort on the part of the attacker to bypass it, making it a worthy/welcome addition.

In Adobe’s conclusion of their post they mention that further improvements will be made available in 2016. I will update this post as those security improvements become available.

Thank you.

Original Post:
On the 10th of November Adobe released a security update for Flash Player to address 17 security issues (CVEs, defined). Among these issues was a use-after-free (defined) issue (designated CVE-2015-7663) responsibly disclosed (defined) to Adobe by security firm Endgame.

Endgame have since detailed in a blog post two new techniques/defensive measures that they have developed with a view to having these included in future versions of Flash Player.

How Do These New Techniques Work?
Adobe’s recently added security mitigations (defensive measures used to harden against attack) focus on a commonly used object type (Vector objects) within the ActionScript language used by Flash Player. This type of object is only one class of object and, as Endgame mentions, attackers will simply move on to find another type of object that does not include such defences and work to exploit it (indeed, attackers have already developed a bypass for the security mitigations introduced by Adobe earlier this year, which has been analysed by Trend Micro).

Endgame’s approach is to apply heap (defined) isolation to as many objects as possible rather than only to the commonly exploited ones. A use-after-free issue relies on the fact that an attacker can place an object of their choice into the space/gap in computer memory that was previously allocated for another object and then direct the target program/application to access that specifically placed object. The isolation mitigation developed by Endgame seeks to allow only the original type of object to be re-allocated into that space, rather than one of the attacker’s choice, which breaks the principle behind a use-after-free issue and renders it ineffective for exploitation.
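To make the allocation policy described above concrete, here is an added Python model of the two heap policies. It is not Adobe’s or Endgame’s code, and it is not real memory: the two “heaps” are lists of slots that only model which freed slot a new object is allowed to reuse. The class names (Button, Payload, SharedHeap, IsolatedHeap) are invented for the demonstration. It also goes one step beyond the paragraph by showing what happens when the attacker does allocate the original type on the isolated heap.

```python
"""Toy model of why a type-isolated heap blunts use-after-free.

Added illustration, not Adobe's or Endgame's code: the two "heaps" below are
Python lists of slots that only model the allocation policy (which freed slot
a new object may reuse); there is no real memory here. Button, Payload and the
heap class names are invented for the demonstration.
"""
from collections import defaultdict


class Button:
    """A program object, called through a reference the program keeps."""

    def on_click(self):
        return "button clicked"


class Payload:
    """An attacker-shaped object with the same method name as Button."""

    def on_click(self):
        return "attacker-controlled code reached"


class _SlotHeap:
    """Common slot storage; subclasses differ only in which freed slots they reuse."""

    def __init__(self):
        self.slots = []  # index -> live object, or None once freed

    def _place(self, obj, free_list):
        if free_list:  # like a real allocator, reuse a freed slot before growing
            idx = free_list.pop()
            self.slots[idx] = obj
            return idx
        self.slots.append(obj)
        return len(self.slots) - 1


class SharedHeap(_SlotHeap):
    """Classic policy: one free list, so any type may land in any freed slot."""

    def __init__(self):
        super().__init__()
        self.free_list = []

    def alloc(self, obj):
        return self._place(obj, self.free_list)

    def free(self, idx):
        self.slots[idx] = None
        self.free_list.append(idx)


class IsolatedHeap(_SlotHeap):
    """Isolated policy: a slot freed for type T is only ever handed back to type T."""

    def __init__(self):
        super().__init__()
        self.free_by_type = defaultdict(list)

    def alloc(self, obj):
        return self._place(obj, self.free_by_type[type(obj)])

    def free(self, idx):
        self.free_by_type[type(self.slots[idx])].append(idx)
        self.slots[idx] = None


def dangling_use(heap, attacker_type=Payload):
    """Free a Button, keep its stale slot index, let the attacker allocate, then use it.

    Returns the class name now sitting behind the stale reference, or None if the
    slot is still empty (a detectable crash/null check rather than a hijack).
    """
    stale = heap.alloc(Button())   # program allocates a Button...
    heap.free(stale)               # ...frees it, but keeps the stale index (the bug)
    heap.alloc(attacker_type())    # attacker allocates right after the free
    obj = heap.slots[stale]        # program uses the stale reference
    return None if obj is None else type(obj).__name__


if __name__ == "__main__":
    print("shared heap, attacker allocates Payload:", dangling_use(SharedHeap()))           # Payload
    print("isolated heap, attacker allocates Payload:", dangling_use(IsolatedHeap()))       # None
    print("isolated heap, attacker allocates Button:", dangling_use(IsolatedHeap(), Button))  # Button
```

On the shared heap the stale reference now points at the attacker’s object, which is exactly the situation a use-after-free exploit needs. On the isolated heap the stale reference sees either nothing or another object of the original type, which is what the text means by only allowing the original object to be re-allocated.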

Since Flash Player incorporates commonly used defences such as DEP and ASLR (references discussing DEP are provided here (see “References” at the end of the post), while ASLR is discussed here and here (see “References” at the end of the post)), attackers generally seek to bypass these mitigations using a technique known as Return Oriented Programming (ROP) (defined).

However, to do this the attackers must change the sequence of steps being carried out by the target application. For example, instead of carrying out instructions 1, 2 and 3, the attackers will have the program jump within the program (similar to jumping position to the front of a queue of people so that you are next to be served) to instructions of the attacker’s choice.

Moreover, Endgame has developed a technique to detect when this jump is carried out without the need for making extensive changes to the target program/application. When such a jump is detected, a message can be displayed allowing the person using the computer to abort what the program is doing or to continue. This technique is similar in approach to Control Flow Guard (CFG) introduced by Microsoft with Visual Studio 2015. CFG was discussed in a past blog post of mine.

As mentioned at the end of my previous blog post on Adobe Flash Player mitigations, it is always welcome to see such improvements being made in an effort to thwart attackers, since it raises the bar/standard attackers must meet to successfully compromise their intended targets.

I very much hope that these mitigations are effective (if only for a short time against attackers). As before, I don’t mean this in an offensive manner; no mitigation is perfect, and these new mitigations were designed to make it harder, not impossible, for exploits to occur (as mentioned by Trend Micro at the end of a blog post written last month).

Thank you.

Lenovo System Update Patched Against Security Issues

On the 25th of November, two elevation of privilege (defined) security issues (CVEs, defined) were discussed by security firm IOActive relating to Lenovo’s System Update application. This application is used to automatically download and install updates from Lenovo for systems such as ThinkPads and ThinkStations (among others).

Why Should These Issues Be Considered Important?
If an attacker were to use the first issue responsibly disclosed (defined) by IOActive, they could have opened Internet Explorer with administrative privileges. As discussed by IOActive, these additional privileges could then be used by an attacker to obtain System level privileges over the affected system, giving them complete control over it.

The second issue relates to how a temporary Windows administrative account is created and used by System Update, specifically how its username and password are generated. The username contains a sequence of characters (otherwise known as a string) that is predictable. The password for the temporary account can be generated using one of two methods; it is the second method that has also been found to be predictable. If an attacker were to exploit this second issue, they could potentially obtain administrative privileges over the affected system.

How Can I Protect Myself From These Issues?
Lenovo have released a security advisory that contains details on how to obtain the most recent version of System Update that addresses these issues. If you have Lenovo System Update installed, I would recommend installing the most recent version of System Update as soon as possible in order to protect yourself from these issues.

Thank you.

VMware Security Updates Address Information Disclosure Vulnerability

In the middle of last week VMware issued security updates for the following products:

VMware vCenter Server
VMware vCloud Director
VMware Horizon View

These updates address one information disclosure security vulnerability (CVE, defined). This vulnerability was responsibly disclosed (defined) by security researcher Matthias Kaiser from Code White.

Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability, which could be used to leak the contents of sensitive files on your network, this issue should be patched as soon as possible.

This issue occurs because the XML (defined) parser (a program that analyzes data in a structured manner in order to create meaning from it) contained within Apache Flex BlazeDS 4.7.0 (and earlier), when passed a specially crafted request parameter (a value to be placed into a program before it carries out a task), could be used to access the contents of a file on your network.

An example of the path (a means of locating/looking up a file starting from the root (beginning) of a file system and progressing towards the desired file) to such a file is shown on the final line of the first code snippet (paragraph) with the title “Disclosing /etc/passwd or other targeted files” of this article from OWASP.

Here /etc/passwd is the password file of a Linux/Unix system that stores hashed (defined) user account credentials. Such an attack is called an XML External Entity (XXE) attack (defined). Most importantly, Code White, within a blog post discussing this issue, describe the issue as easy for an attacker to exploit.
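The two things a defender wants here are to see which external entities a document declares (detection) and to refuse to parse documents that declare any DTD at all (the mitigation OWASP recommends, since a DTD is the only place an entity can be defined). The following added Python example, which is not VMware’s, Apache Flex BlazeDS’s or OWASP’s code, does both with the standard library’s expat parser. The sample documents are constructed for the demonstration; the XXE one mirrors the /etc/passwd shape of the OWASP snippet referred to above, and no file is ever opened because the entity reference handler records the reference without fetching it.

```python
"""Detect declared external entities and reject DTDs before parsing (XXE defence).

Added illustration, not VMware's, Apache Flex BlazeDS's or OWASP's code.
Both sample documents below are constructed for the demonstration.
"""
import xml.parsers.expat

# Constructed sample: the shape of an XXE payload aimed at /etc/passwd.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE request [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<request><user>&xxe;</user></request>"""

# Constructed benign request with no DTD at all.
BENIGN_SAMPLE = b"""<?xml version="1.0"?>
<request><user>alice</user></request>"""


class DtdNotAllowed(ValueError):
    """Raised when a document declares a DTD (the only place entities can be defined)."""


def inspect_entities(data):
    """Detection: return [(name, systemId)] for every external entity the document declares.

    Entities are recorded but never fetched: the reference handler returns 1
    without creating a sub-parser, so no file or URL is opened.
    """
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:          # SYSTEM/PUBLIC entities point outside the document
            found.append((name, system_id))

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 1
    parser.Parse(data, True)
    return found


def parse_without_dtd(data):
    """Mitigation: parse into a {tag: text} dict, refusing any DOCTYPE declaration."""
    result = {}
    stack = []
    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # Raising inside a handler aborts the parse and propagates out of Parse().
        raise DtdNotAllowed("DOCTYPE declarations are not accepted in requests")

    def start_element(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, "")

    def end_element(tag):
        stack.pop()

    def character_data(text):
        if stack:
            result[stack[-1]] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    return result


if __name__ == "__main__":
    print("entities declared by XXE sample:", inspect_entities(XXE_SAMPLE))
    print("benign parse:", parse_without_dtd(BENIGN_SAMPLE))
    try:
        parse_without_dtd(XXE_SAMPLE)
    except DtdNotAllowed as exc:
        print("XXE sample rejected:", exc)
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow “harmless” DTDs, because a parser that is permitted to resolve entities will do so before application code ever sees the data; the inspection function is useful for logging what an attacker attempted once a request has been refused.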

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

OWASP also list best practices to avoid XXE attacks in general with examples for many popular programming languages.

Thank you.

Wireshark Releases Major New Version

On Wednesday of last week, the Wireshark Foundation released a major new update for their very popular open source packet analyzer, Wireshark. This project has now reached version 2.0.0.

While this version does not include any security related fixes it does include a large amount of general bug fixes and introduces a new look to the program. A full list of changes is available here in the release notes. A summary of changes can be found in Gerald Combs’ blog post. A video introduction to this version is available here.

As mentioned in the release notes, the traditional look and feel (interface) of version 1.12 (and earlier versions) will be removed in version 2.2. Since it is likely that future security fixes will only be made available for version 2.0.0 and newer, if you use Wireshark you should begin testing this new version before more widely using it for day to day activities.

For Linux distributions this update can be obtained using the operating system’s standard package manager (if the latest version is not installed automatically, you can instead compile the source code). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

As always, if Wireshark is installed on a critical production system or systems that contain your critical data, please back up your data before installing this update in order to prevent data loss in the rare event that an update causes unexpected issues.

Thank you.

Microsoft Updates Edge Browser To Harden Against DLL Injection

On the 12th of November Microsoft began rolling out Windows 10 Build 10586 (also known as Version 1511). This was the first major update made available for Windows 10. Included in this update was an improved version of Microsoft Edge, the default browser of Windows 10.

For most consumers, this update will be delivered automatically to their PCs. Businesses and large organizations using the new Windows Update for Business should be able to choose a time when they wish to deploy this update more widely to their employees.

What’s The Main Security Improvement in This Update?
In the updated version of Microsoft Edge, known as EdgeHTML 13, DLLs (Dynamic Link Libraries, defined) are no longer permitted to load within Edge. Such DLLs are loaded into a running Windows application using a technique known as DLL injection, which is explained in more detail here and here. It is this technique that Edge has been hardened against, to prevent it from succeeding.

Why Was This Change Made?
If an unauthorized DLL is loaded into a web browser, it can do such things as display unwanted adverts (such as the type previously discussed by Google) or install unnecessary toolbars that may attempt to redirect your web searches from your preferred search engine to another search engine in order to benefit from increased usage (and possibly increased revenue when adverts are displayed among those search results). Such unwanted adverts and/or toolbars annoy and distract users and make their web browser less user friendly.

If I’m a Microsoft Edge user, how will this benefit me?
If you like using Microsoft Edge on Windows 10, this change will mean that it will be harder for adware and malware to be loaded into your browser either for malicious purposes or to simply display adverts. This means that your web browser is more likely to work the way you prefer and you can simply concentrate on achieving what you would like to do.

I welcome this change which makes every day browsing for Microsoft Edge users safer. Thank you.