Daily Archives: November 30, 2015

Blog Post Shout Out (late November 2015)

In recent weeks the security firm Malwarebytes have encountered an updated variant of the Vonteera adware (see Aside below for a definition).

This updated variant uses a technique that involves certificates (which were also discussed in a recent blog post) in an effort to prevent anti-malware software attempting to remove this adware from an affected device.

Within the blog post mentioned below, Malwarebytes detail how to bypass the protection technique used by the Vonteera adware so that you can remove this threat from your computer:

Vonteera Adware Uses Certificates to Disable Anti-Malware by Pieter Arntz (Malwarebytes)

If you or anyone you know is affected by this adware, the above-mentioned blog post should be of assistance in removing this threat.

Thank you.

What is adware?

Adware is software that is either a program on your computer that displays adverts to you or changes your web browser home page to a website it wishes to promote. Such adware can collect personal information without your consent and send it back to a particular company/entity. A complete definition of adware is provided here.

Dell Inadvertently Ships Root Certificates With System Tools

Earlier last week it was discovered that the computer manufacturer Dell had mistakenly included, with a Dell support tool called DFS (Dell Foundation Services) that is used to assist customers more efficiently, a preinstalled root certificate (named eDellRoot) together with the private key (defined) that was used to create that certificate. Dell’s explanation for the purpose of this certificate was that “it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers.” (Source).

A certificate of this kind (a root certificate) is usually provided by a Certificate Authority (defined) and is used to determine whether a TLS certificate presented by a website can be trusted.

In addition, a second certificate (named DSDTestProvider) was found to be included with another Dell tool, namely DSD (Dell System Detect) which users are prompted to install when they visit the Dell support website and click the button to detect the type of Dell product they are using.

Why Should The Inclusion Of These Certificates On My Dell Device Be Considered Important?

Since the private keys for these certificates were bundled with them (a severe deviation from best practice), attackers could use them to generate fake certificates for any website of their choice, and affected Dell systems would accept those certificates as legitimate. Attackers using these certificates could then decrypt the secured connections to those sites using the private keys. Another attack possible in this instance, a man-in-the-middle attack (defined) against affected devices, is presented in this blog post.

These certificates could also be used to digitally sign malware and make it appear legitimate. If malicious drivers were signed using these certificates they could also bypass driver signature verification within 64-bit versions of Windows.

Which Dell Systems/Devices Are Affected By These Issues?

The following systems are reported to be affected: the XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647, and the Precision M4800.

The Dell Foundation Services certificate may also be present on laptops, desktops, two-in-ones, all-in-ones, and towers from various Dell product lines, including XPS, Vostro and Precision Tower, OptiPlex and Inspiron since it is available to download for all of those devices.

According to this post, further Dell systems are also affected. My thanks to ComputerWorld and Lucian Constantin for this information.

How Can I Protect Myself From These Issues?

First of all you can check if your Dell device is affected by this issue by visiting this website (my thanks to Graham Cluley for this link). US-CERT have also provided a website to check if your system is affected by these issues and have provided a comprehensive set of steps to resolve these security issues.

Moreover, Microsoft have updated their anti-malware tools to detect and remove these certificates. Further details are available here.

Were you affected by this issue? If so, how did you resolve it? Were the above steps useful to you? As always if you have any questions or comments about this post or any other, please do not hesitate to contact me.

Thank you.

Possible Future Security Improvements For Adobe Flash Player In Development

Update 21st February 2016:

In late December 2015 Adobe discussed in a blog post the increasing use of extra security mitigations (defined within this post) being added to Flash Player as a result of their work with the Google Project Zero team and Microsoft’s research team.

Adobe are introducing these mitigations gradually so that feedback and suggestions can be used to improve both the newly added and the soon-to-be-added mitigations. Moreover, as Adobe points out, continually changing the code of Flash Player by adding these security features makes it harder for attackers to obtain consistently working exploits for use within exploit kits (defined).

As discussed in a previous blog post, mitigations were added to Vector objects to make exploiting use-after-free (defined) vulnerabilities more difficult. This work has been extended to ByteArrays. Adobe also extended their heap isolation work (more information in this post) in December’s Flash Player update.

In addition, in mid-2015 Adobe added Control Flow Guard (CFG) (defined) to protect the code generated by their Just-In-Time (JIT) compiler (defined). As I mentioned in a previous post, CFG was added to Flash Player in 2014 and a bypass was quickly found. I’m not stating that CFG protection isn’t worthwhile, just that, like any security technology, it is not perfect; it does add extra effort on the part of the attacker to bypass, making it a worthy/welcome addition.

In Adobe’s conclusion of their post they mention that further improvements will be made available in 2016. I will update this post as those security improvements become available.

Thank you.

Original Post:

On the 10th of November Adobe released a security update for Flash Player to address 17 security issues (CVEs, defined). Among these issues was a use-after-free (defined) issue (designated CVE-2015-7663) responsibly disclosed (defined) to Adobe by security firm Endgame.

Endgame have since detailed in a blog post 2 new techniques/defensive measures that they have developed with a view to have these included in future versions of Flash Player.

How Do These New Techniques Work?

Adobe’s recently added security mitigations (defensive measures used to harden against attack) focus on a commonly used object type (Vector objects) within the ActionScript language used by Flash Player. However, this is only one class of object and, as Endgame mentions, attackers will simply move on to find another type of object that does not include such defences and work to exploit it (indeed attackers have already developed a bypass for the security mitigations introduced by Adobe earlier this year, which has been analysed by Trend Micro).

Endgame’s approach is to apply heap (defined) isolation to as many objects as possible rather than only to commonly exploited objects. A use-after-free issue relies on the fact that an attacker can place an object of their choice into the space in computer memory that was previously allocated to another object and then direct the target program/application to access that specifically placed object. The isolation mitigation developed by Endgame seeks to allow only the original object (rather than one of the attacker’s choice) to be re-allocated into that space, which breaks the principle behind a use-after-free issue and renders it ineffective for exploitation.

Since Flash Player incorporates commonly used defences such as DEP and ASLR (references discussing DEP are provided here (see “References” at the end of the post), while ASLR is discussed here and here (see “References” at the end of the post)), attackers generally seek to bypass these mitigations using a technique known as Return Oriented Programming (ROP) (defined).

However, to do this the attackers must change the sequence of steps carried out by the target application. For example, instead of carrying out instructions 1, 2 and 3 in order, the attackers make the program jump within itself (similar to jumping to the front of a queue of people so that you are next to be served) to instructions of their choice.

Moreover, Endgame has developed a technique to detect when such a jump is carried out without needing to make extensive changes to the target program/application. When such a jump is detected, a message can be displayed allowing the person using the computer to abort what the program is doing or to continue. This technique is similar in approach to Control Flow Guard (CFG), introduced by Microsoft with Visual Studio 2015. CFG was discussed in a past blog post of mine.
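As an added illustration (not code from this post, from Endgame or from Adobe), the following C program simulates both ideas described above: a toy slab allocator shows why a heap shared by every object type lets attacker-supplied bytes land where a freed object used to be, while a slab per type (the isolation idea) keeps them apart; and a list of valid targets checked before each indirect call stands in for the CFG-style jump check. The names Victim, Blob, Slab and uaf_outcome, and the value 0x41414141, are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef void (*handler_fn)(void);
static void legit_handler(void) {}
/* Same-sized objects: a Victim the program later dispatches through, and a
 * Blob whose bytes the attacker fills (a string they supply, say). */
typedef struct { handler_fn on_event; char name[24]; } Victim;
typedef struct { unsigned char payload[32]; } Blob;

/* Minimal slab standing in for a heap that recycles freed chunks: fixed-size
 * slots, first free slot reused on allocation, nothing zeroed on free. */
enum { SLOT = 32, SLOTS = 4 };
typedef struct { _Alignas(8) unsigned char mem[SLOTS][SLOT]; int used[SLOTS]; } Slab;

static void *slab_alloc(Slab *s) {
    for (int i = 0; i < SLOTS; i++)
        if (!s->used[i]) { s->used[i] = 1; return s->mem[i]; }
    return NULL;
}
static void slab_free(Slab *s, void *p) {
    for (int i = 0; i < SLOTS; i++) if ((void *)s->mem[i] == p) s->used[i] = 0;
}

/* CFG-style guard: an indirect call may only land on a known target. */
static const handler_fn valid_targets[] = { legit_handler };
int is_valid_target(handler_fn fn) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof *valid_targets; i++)
        if (valid_targets[i] == fn) return 1;
    return 0;
}
/* Plays out the use-after-free from the post. isolated == 0: every type shares
 * one slab (the exploitable layout); isolated == 1: one slab per type. Returns 0
 * if the dangling Victim still dispatched to legit_handler, 1 if its pointer
 * had become attacker data and the guard refused the jump. */
int uaf_outcome(int isolated) {
    Slab shared = {0}, blobs = {0};
    Slab *blob_slab = isolated ? &blobs : &shared;
    volatile Victim *v = slab_alloc(&shared);   /* program creates the object */
    v->on_event = legit_handler;
    slab_free(&shared, (void *)v);              /* freed, but v is kept: the bug */
    Blob *b = slab_alloc(blob_slab);            /* attacker-sized allocation */
    uintptr_t fake = 0x41414141u;               /* constructed junk, not a real address */
    memcpy(b->payload, &fake, sizeof fake);     /* overlaps v only in the shared slab */
    handler_fn target = v->on_event;            /* the later "use" of v */
    if (!is_valid_target(target)) return 1;     /* guard: abort rather than jump */
    target();
    return 0;
}
```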

As mentioned at the end of my previous blog post on Adobe Flash Player mitigations, it is always welcome to see such improvements being made in an effort to thwart attackers, since it raises the bar that attackers must clear to successfully compromise their intended targets.

I very much hope that these mitigations are effective (if only for a short time against attackers). As before, I don’t mean this in an offensive manner: no mitigation is perfect, and these new mitigations were designed to make it harder, not impossible, for exploits to occur (as mentioned by Trend Micro at the end of a blog post written last month).

Thank you.

Lenovo System Update Patched Against Security Issues

On the 25th of November, 2 elevation of privilege (defined) security issues (CVEs, defined) relating to Lenovo’s System Update application were discussed by security firm IOActive. This application is used to automatically download and install updates from Lenovo for systems such as ThinkPads and ThinkStations (among others).

Why Should These Issues Be Considered Important?

If an attacker were to exploit the first issue responsibly disclosed (defined) by IOActive, they could open Internet Explorer with administrative privileges. As discussed by IOActive, these additional privileges could then be used by an attacker to obtain System-level privileges over the affected system, giving them complete control over it.

The second issue related to how a temporary Windows administrative account is created and used by System Update, specifically how its username and password are generated. The username contains a sequence of characters (otherwise known as a string) that is predictable. The password for the temporary account can be generated using 1 of 2 methods; it is the second method that has also been found to be predictable. If an attacker were to exploit this second issue they could potentially obtain administrative privileges over the affected system.

How Can I Protect Myself From These Issues?

Lenovo have released a security advisory that contains details on how to obtain the most recent version of System Update that addresses these issues. If you have Lenovo System Update installed, I would recommend installing the most recent version of System Update as soon as possible in order to protect yourself from these issues.

Thank you.