Daily Archives: December 29, 2015

Adobe Releases Emergency Flash Security Updates

Yesterday Adobe released their January 2016 Flash Player and Adobe AIR (its application runtime) security updates ahead of schedule to address a critical zero-day (defined) security vulnerability designated as CVE-2015-8651.

The updates address 19 security vulnerabilities (more formally known as CVEs (defined). At the time of writing neither Google nor Microsoft have made available the relevant updates for Google Chrome (v47.0.2526.106, Stable 64 bit has not received this update) and Microsoft Edge/Internet Explorer (respectively). This is most likely due to the holiday period. Microsoft should announce the availability of their Flash update by updating this security advisory for users of Microsoft Edge for Windows 10 and Internet Explorer 10 and 11 installed on Windows 8.0 and 8.1 (respectively).
Update 1: 29th December 2015:
Microsoft have now updated their security advisory. Update kb3132372 (no active web site link yet) is now available for Windows 10, 8.1 and 8.0 users.

Update 2: 31st December 2015:
Google updated Chrome (v47.0.2526.106)(Stable, 64 bit) to Flash Player v20.0.0.267 within hours of the above mentioned update from Microsoft. Apologies for not updating this post sooner.

I’m very impressed that they both made available the appropriate updates so quickly especially during the holiday period.

Adobe and Symantec have stated that limited targeted attacks are exploiting the above mentioned zero-day vulnerability. SecurityWeek elaborates on these attacks stating that they are spear phishing attacks (defined).

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). The use of this alternative link is now deprecated and will be decommissioned by Adobe on the 22nd of January 2016.

As always I would recommend that if you have Flash Player installed to install the necessary updates as soon as possible. You can check if you have Flash Player installed using this page.

In addition, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.

Linux GRUB Security Vulnerability Swiftly Patched

Earlier this month a pair of security researchers within the Cybersecurity Group at Universitat Politècnica de València discovered an integer underflow (defined) vulnerability within the Linux GRUB bootloader (defined, my thanks to Lucian Constantin, IDG News Service for providing an excellent summary of the purpose/function of the GRUB bootloader within that article). The researchers responsibly disclosed (defined) this issue to the main distributors of Linux in order to protect their users. My thanks to everyone involved for so quickly addressing this vulnerability.

Why Should This Issue Be Considered Important?
This issue is very easy for an attacker to exploit namely that they only need to have physical access (be in front of the system) for a short time in order to exploit it. With this access, they simply press the backspace key (just above the main Enter/Carriage return) key 28 times in order to exploit this vulnerability. They could easily obtain this physical access by breaking into the premises where such a system is located.

Moreover, systems with defences such as disabled CR-ROM drives (otherwise known as optical drives), disabled USB ports, restricted network boot options, password protected BIOS/UEFI firmware (defined), password protected GRUB edit mode and where the hard disk/SSD (solid state drive (defined)) is encrypted can all be bypassed by exploiting this vulnerability.

The researchers in their description of this vulnerability bypass the encryption of the hard disk/SSD by infecting the system (by means of this vulnerability) and allowing the user to decrypt the data (information disclosure) for the attackers by having the legitimate user enter the correct password as they log on normally to the system (an elevation of privilege attack (defined); since the attackers would not normally have this level of access). A denial of service attack (DoS)(the concept of DoS is defined here) can also be carried out by the attacker by corrupting the encrypted data and/or the GRUB leaving the legitimate user unable to access their own data.

Before bypassing the encryption however, they also describe patching (modifying the genuine/legitimate GRUB loader) so that it always authenticates the logged on user rather than asking for a password (bypassing the password protected edit mode of GRUB mentioned above).

Next they describe using the patched GRUB loader to load a Linux kernel so that they can then install malware of their choice. This also has the advantage that logging of their actions is not recorded since the syslog daemon (defined) is not running (carrying out it’s purpose) since the bash (Bourne-Again SHell)(defined) is the first process to run.

With that shell (defined) running on the system the researchers next describe how they illustrated a proof of their concept by installing a modified library (the general concept of a code library is defined here, only Windows systems use DLLs (defined) and so are not relevant for this discussion of Linux systems) belonging to Mozilla Firefox so that when Firefox is active, code (instructions) of their choice are also carried out. This code uses Netcat (defined) to set up a reverse shell (defined) allowing them to control the victim system as if they were in front of it (in this case the researchers show the reverse shell being able to access the private data folders belonging to the logged in user).

How Can I Protect Myself From This Issue?
Debian, Ubuntu and Red Hat (among others) have released updates to GRUB to address this vulnerability. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Thank you.

Blog Post Shout Out December 2015

Earlier this year CloudFlare published an informative blog post detailing how malicious JavaScript (defined) can be used to cause a distributed denial of service attack (DDos)(which is defined within CloudFlare’s post linked to below).

As a preventative measure they also provide a recommendation to enable HTTPS for your website (which CloudFlare also provide as an option). If you are using a self-hosted WordPress installation (namely where WordPress is installed on a server that you manage/administer), this blog post may be of assistance in enabling HTTPS by default (by using HSTS (discussed/defined at length within a previous blog post of mine)).

Given the severity of DDoS attacks I wanted to provide a respectful shout-out to following CloudFlare blog post:

An introduction to JavaScript-based DDoS by Nick Sullivan (CloudFlare)

In addition, earlier this month US-CERT created a useful security alert containing a list of tips for securing your home broadband/fibre optic router/wireless access point. In addition, their alert also links to an updated list of routers with known security vulnerabilities with advice on addressing them:

Securing Home and Small Business Routers (US-CERT)

I hope that the above mentioned blog posts and resources are of assistance to you in defending your website from becoming part of such DDoS attacks and securing your home router/access point against malicious use.

Thank you.