Monthly Archives: January 2016

OpenSSL Releases Security Updates January 2016

Last week the OpenSSL project made available security updates to address 2 security issues (more formally known as CVEs (defined)) and to provide further hardening against the Logjam attack. The updates are available for the following versions of OpenSSL:

  • OpenSSL 1.0.2f: 2x CVEs resolved: 1x high severity, 1x low severity
  • OpenSSL 1.0.1r: 1x CVE resolved: 1x low severity

Why Should These Issues Be Considered Important?
OpenSSL version 1.0.2e and earlier are affected by a high severity vulnerability in the generation of safe prime numbers used within X9.42 style Diffie Hellman (DH) parameters. This vulnerability could allow information disclosure, specifically disclosure of the private DH exponent (the essential component underlying the encryption provided by the DH algorithm). More information on private and public keys is available here.

The remaining low severity fix corrects an issue that could have allowed an attacker to use an older cipher (in this instance SSL v2) for the purpose of securing a connection, which would benefit the attacker since SSLv2 is a weaker cipher (its use was prohibited in March 2011).

Finally, a further hardening against the Logjam attack was added by the OpenSSL team in the form of increasing the accepted minimum number of bits used in DH key exchange to 1024 bits. As reported in an earlier post this was previously increased from 512 to 768 bits in June 2015.

How can I protect myself from these issues?
For any server that you manage that uses OpenSSL, please update your OpenSSL installations to 1.0.1r or 1.0.2f (as appropriate).

  • FTP mirrors to obtain the necessary downloads are available from here.
  • Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.
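To confirm which hosts still need the update, the following added example (not code from this blog or from the OpenSSL project) classifies an `openssl version` banner against the fixed releases named above, 1.0.1r and 1.0.2f. The function name `openssl_patch_status` and the sample banners are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the fixed
# releases named in this post. openssl_patch_status is a hypothetical name.

openssl_patch_status() {
    banner=$1
    case "$banner" in
        "OpenSSL "*) ;;
        *) echo "not-covered"; return 0 ;;   # other libraries, e.g. LibreSSL
    esac
    ver=${banner#OpenSSL }                   # "1.0.2e 3 Dec 2015"
    ver=${ver%% *}                           # "1.0.2e"
    ver=${ver%%-*}                           # drop build tags such as "-fips"
    branch=${ver%%[a-z]*}                    # "1.0.2"
    letter=${ver#"$branch"}                  # "" for a base release like 1.0.2
    case "$branch" in
        1.0.1) fixed=r ;;
        1.0.2) fixed=f ;;
        *) echo "not-covered"; return 0 ;;   # branch not discussed in this post
    esac
    # Letters that sort before the fixed one. A base release (no letter)
    # predates "a"; an empty $letter matches the pattern below.
    alphabet=abcdefghijklmnopqrstuvwxyz
    older=${alphabet%%"$fixed"*}
    case "$older" in
        *"$letter"*) echo "update-needed" ;;
        *) echo "patched" ;;
    esac
}

# Constructed sample banners, not captured from real hosts.
for b in "OpenSSL 1.0.2e 3 Dec 2015" "OpenSSL 1.0.1e-fips 11 Feb 2013" \
         "OpenSSL 1.0.2f 28 Jan 2016" "OpenSSL 1.0.2 22 Jan 2015"; do
    printf '%-34s %s\n' "$b" "$(openssl_patch_status "$b")"
done

# Classify the local binary too, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version 2>/dev/null)
    printf '%-34s %s\n' "$local_banner" "$(openssl_patch_status "$local_banner")"
fi
```

Distribution packages often backport fixes without changing the upstream version letter, so an `update-needed` result on a distribution build is a prompt to check the package changelog rather than proof that the host is exposed.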

Thank you.

Skype Resolves IP Address Disclosure Security Issue

On the 21st of January Skype corrected a vulnerability in their call/instant messenger software that could have allowed a malicious user to discover the IP address of a person of their choice using the victim’s Skype ID.

To prevent this, Skype have changed a default setting within Skype to hide your IP address from potential attackers.

Skype recommends that you install the latest version of Skype to benefit from this change. An updated version will be available soon to address this for Skype when installed on an Apple iOS device.

This issue was previously discussed at length in August 2013 in a blog post by Kate Russell. Moreover, further discussion of the issue addressed by Skype within this update is available within this blog post by Graham Cluley.

Thank you.

Apple Releases Security Updates January 2016

Earlier this month Apple released a group of security updates for a selection of its products:

=======================

  • Apple iOS 9.2.1: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple tvOS 9.1.1: For Apple TV (4th generation)
  • Apple OS X El Capitan 10.11.3 and Security Update 2016-001: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.2
  • Apple Safari 9.0.3: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.2

=======================

As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

If you wish to prioritize these updates I would suggest beginning with installing the update for iOS since it addresses a potentially high severity issue that was responsibly disclosed (defined) to Apple. If an attacker were to exploit this issue they would potentially be able to (one or all of the following):

  • impersonate their victim on a website of the attacker’s choice
  • perform execution (carrying out steps of the attacker’s choice) of JavaScript (defined) when the victim visits a website of the attacker’s choice
  • log the victim into the attacker’s account for a website (of the attacker’s choice) rather than the account the victim was trying to access.

Noteworthy fixes included are as follows:

Apple iOS 9.2.1: Resolves 13 CVEs (defined) and includes fixes for IOKit, iOS Kernel (the concept of a kernel is defined here), syslog, and WebKit (among others).

Apple OS X El Capitan 10.11.3 and Security Update 2016-001: Addresses 9 CVEs within AppleGraphicsPowerManagement, Disk Images, IOAcceleratorFamily, IOHIDFamily, IOKit, OS X Kernel, and syslog (among others).

Apple tvOS 9.1.1: Resolves 8 CVEs within Disk Images, IOHIDFamily, IOKit, tvOS Kernel, syslog and WebKit (among others).

Apple Safari 9.0.3: Resolves 6 CVEs (in total) within WebKit (the renderer of Safari) and WebKit CSS.

An alternative summary of these updates is available within Intego’s blog post.

=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Linux Kernel Vulnerability Patched

On the 14th of January the security firm Perception Point responsibly disclosed (defined) a Linux kernel use-after-free (defined) security vulnerability to Red Hat’s security team.

Why Should This Issue Be Considered Important?
Because this issue has existed since 2012 but was only recently discovered, the number of affected Linux and Google Android systems is very high: most likely millions of servers and workstations, as well as any Android device using version 4.4 (KitKat and older). A more comprehensive list of affected devices is available within this blog post by Liquid Web.

The vulnerability exists in the keyrings feature of the kernel that is used to manage encryption keys, authentication keys etc. within Linux. The issue is caused by an integer overflow (defined), which can then be used to exploit a use-after-free issue. In addition, Perception Point describe it as pretty easy to exploit in their detailed blog post on this issue, and Red Hat mentions that there is no workaround available.

How Can I Protect Myself From This Issue?
Details of how to check if your Linux device is vulnerable to this issue are provided in the previously mentioned blog post by LiquidWeb. They also provide steps on how to update your RedHat and CentOS devices.

Perception Point mentions that security mitigations such as SMEP (Supervisor Mode Execution Protection, also discussed here) and SMAP (Supervisor Mode Access Prevention) will make exploitation of this issue more difficult.
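To see whether those two mitigations are in effect on a given machine, the following added example (not code from this blog, Perception Point or Red Hat) reads the CPU flags and the kernel command line on an x86 Linux host. The helper name `mitigation_status` and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report SMEP/SMAP state from /proc/cpuinfo-style text and
# the kernel command line. mitigation_status is a hypothetical helper name.

mitigation_status() {
    feature=$1      # "smep" or "smap"
    cpuinfo=$2      # contents of /proc/cpuinfo
    cmdline=$3      # contents of /proc/cmdline
    # An explicit nosmep / nosmap boot option turns the feature off.
    case " $cmdline " in
        *" no$feature "*) echo "disabled-at-boot"; return 0 ;;
    esac
    # Otherwise the feature is in use only if the CPU flags list it.
    # Every core repeats the flags line, so the first one is enough.
    flags=$(printf '%s\n' "$cpuinfo" |
            sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case " $flags " in
        *" $feature "*) echo "active" ;;
        *) echo "unavailable" ;;   # older CPU, or hidden by a hypervisor
    esac
}

# Constructed sample input, not captured from a real host.
sample_cpuinfo=$(printf 'processor\t: 0\nflags\t\t: fpu sse2 smep bmi2\n')
sample_cmdline='ro quiet'
for f in smep smap; do
    printf 'sample host  %s: %s\n' "$f" \
        "$(mitigation_status "$f" "$sample_cpuinfo" "$sample_cmdline")"
done

# Check the local machine when the proc files are readable.
if [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
    for f in smep smap; do
        printf 'this host    %s: %s\n' "$f" \
            "$(mitigation_status "$f" "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline)")"
    done
fi
```

A result of `unavailable` or `disabled-at-boot` means the host lacks one of the hurdles Perception Point describes, which makes installing the kernel update on that machine more urgent.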

If your Linux device is found to be vulnerable, continue to check for updates until one becomes available that resolves this issue. You can check for updates for your Linux device by using the Package Manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Specific information for some of the affected versions of Linux are provided below:

A very useful tutorial for updating your Linux system against this specific issue (detailing a larger number of the distributions) is located here. Once the update is installed you will need to restart/reboot the Linux device to have the update take effect.

Thank you.

Adobe Begins Transition From Flash Player

With the large number of Adobe Flash Player security vulnerabilities being patched last year, Adobe is seeking a more secure and easier to maintain alternative. Adobe has detailed within 2 blog posts (here and here) its plans to gradually transition content previously accessible using Flash Player to its Primetime platform.

This Primetime platform will leverage the capabilities of HTML 5 (defined), W3C’s Encrypted Media Extensions (EME) and Adobe’s TV SDK (SDK, defined) to provide a rich and fluid experience for content viewers.


What Is Changing?

At this time very little is changing but Adobe plans to make available its Animate CC (replacing Flash Professional CC) product early this year. Flash Player will continue to receive security updates in the current manner (which includes bundling the updates as part of Google and Microsoft’s web browsers) for the foreseeable future. However, in an effort to improve security Adobe plans to work with Facebook to ensure that existing Flash games on Facebook continue to work in a secure manner. This should improve response times to any vulnerability found/being exploited on Facebook’s platform.

Adobe also discusses use cases for their Primetime technology within their blog post that will be used instead of Flash Player.

Update: 21st February 2016: Moreover, while Adobe is transitioning from Flash Player, it is continuing to add further mitigations to Flash Player to protect users from security vulnerabilities and exploits.

Will I Be More Secure Using Adobe Primetime?
Since Primetime is based on a more modern codebase than Flash Player it promises to offer more security (since old code used to play old formats will no longer be used) but at this time it’s not possible to make an accurate estimate.

HTML 5 also has its own set of potential security issues. One advantage though is that the code used to parse (analyze data in a structured manner in order to create meaning from it) HTML 5 is present in all modern web browsers which receive updates on a regular basis. This should ensure that any critical issues are resolved in a timely manner when bundled with routine updates.

I will update this post or publish another post (as appropriate) as the transition from Flash Player takes shape.

Thank you.

Mozilla Releases Firefox 44 and Firefox ESR 38.6

Earlier today saw Mozilla release Firefox 44 and Firefox ESR (Extended Support Release) 38.6. This release sees the end of support for the RC4 cipher. This was also discussed in a previous blog post of mine. For details of the new features added to Firefox 44, please see this release notes page.

Firefox 44 resolves 17 security issues more formally known as CVEs (defined). Individually the severity of these issues is as follows:

====================
6x critical severity CVEs
3x high severity CVEs
7x moderate severity CVEs
1x low severity CVE
====================

Meanwhile, Firefox ESR 38.6 resolves 4 security issues:
====================
3x critical severity CVEs
1x moderate severity CVE
====================
Full details of the security issues resolved by these updates are available in the following links:

Firefox 44
Firefox ESR 38.6

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

In general, Mozilla Firefox updates install without issues, however as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Google Releases Chrome Version 48

Yesterday Google released an update for Google Chrome bringing it to version 48.0.2564.82. This update includes fixes for 37 security issues described below:

2x high severity CVEs (defined)
6x medium severity CVEs
1x remaining CVE assigned to multiple uncategorized issues

Other security issues addressed are detailed in Google’s blog post. As detailed in a past blog post this version of Chrome no longer supports the RC4 cipher (defined). Google have now dropped support for RC4 ahead of Mozilla and Microsoft.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

If you use Google Chrome as your web browser, please consider updating it as soon as possible to be protected from these security vulnerabilities. Thank you.