Daily Archives: January 10, 2016

JavaScript Ransomware Poses Increased Risk of Data Loss

On January the 1st this year, security software vendor Emsisoft presented an analysis of a new variant of ransomware (defined in a previous post of mine) that demonstrates a concerning evolution in this type of malware. This type of ransomware is available for purchase by those with malicious intent following the growing popularity of the Software as a Service (SaaS)(defined) model.

Why Should I Be Concerned About This Malware?
This new variant is written in JavaScript (defined) but uses the NW.js framework to allow JavaScript apps to be installed and run (execute/carry out their purpose) just like traditional desktop applications (that you use every day) on your computer. This flexibility is also what makes this malware of particular concern since the NW.js framework is a portable framework it has the potential to enable this malware to spread to Linux and Apple OS X computers (however as noted by Emsisoft so far no such malware has been seen “in the wild” (namely being present on computing devices used by the general public in their professional and personal lives)).

Initially the number of anti-malware signatures for this variant was very low (3) but has since increased significantly to 32 (out of a possible 57) anti-malware vendors on the Virustotal website (at the time of writing).

Moreover, this malware arrives within spam email which begins the download of the complete malware package. Once the malware has encrypted your files you will be unable to retrieve them since the encryption is well-implemented (i.e. has no implementation flaws). Recovering the files from a backup is the best option. Paying the ransom doesn’t necessarily mean you will be able to retrieve your files.

How Can I Protect Myself From This Malware?
The advice within my previous posts on ransomware still applies. Emsisoft again emphasized the importance of backing up your files to avoid the loss of your data from these kind of infections. Their advice of how to access/use your backup after it’s been created may also be of assistance to you.

I hope that you find the above information useful in preventing infection from this malware and/or recovering from an infection.

Thank you.

Google Releases Security Updates for Android

In early December 2015 and January 2016 Google made available further security updates for their Android smartphone operating system.

The December update addresses 16 security issues (all of which have been assigned CVE numbers (defined)(4x critical severity, 10x high severity and 2x moderate severity). That update brings Androids build number to version LMY48Z Android version 6.0 (known as Marshmallow) with Security Patch Level of December 1, 2015 or later address these issues. This update includes 2 fixes for security issues within libstagefright (both high severity) and 1 issue within both the Mediaserver (critical severity) and Media Framework (high severity) components.

Meanwhile the January update resolves 12 security issues (all assigned CVE numbers). That update when installed will show build version LMY49F As before, Android version 6.0 (known as Marshmallow) with Security Patch Level of January 1, 2016 or later address these issues. This update includes a fix for a critical issue in the Mediaserver component.

Why Should These Issues Be Considered Important?
As part of the December update a critical issue within Mediaserver was resolved that could be exploited by a remote attacker to allow them to carry out any instructions/actions of their choice (remote code execution). 3rd party applications could then be used to carry out the attacker’s actions with high privileges that they wouldn’t otherwise have. The issue can be exploited by sending specifically crafted media files within MMS messages (defined) or displaying those files on a specifically crafted webpage. Similar critical issues (3 in total) in the Skia graphics engine and Display driver can also use the above 2 means of attack mentioned above in addition to email. The final critical issue would have allowed malicious apps to carry out actions with root privilege (defined) allowing them full control over the smartphone.

For the January update if the MediaServer issue was exploited it could allow an attacker to use any emails, websites or MMS messages containing specifically crafted media files to remotely execute code (i.e. instructions or actions of their choice) due to a memory corruption issue corrected in this update. In addition, the critical issues corrected in the Display Driver (which interacts with high privilege with kernel) and the Android kernel (defined) are serious since the kernel can control any piece of the phones hardware and since it’s the core of the Android operating system it can be used to carry out any action/step since it has the highest level of privilege within the operating system.


How Can I Protect Myself From These Issues?

Updates to resolve these issues were made available by Google on 7th of December 2015 and 4th of January 2016. Manufacturers such as Samsung/LG etc. received these updates on the 2nd of November and the 7th of December respectively.

As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.

====
I followed this advice with my very recently purchased Sony smartphone which currently runs Android 5.0 (Lollipop). The Sony website shows that the latest build of Android they offer is already installed on my phone. The build is dated October 2015 (not shown in the image below). They do however show a logo below the build number that appears to suggest that at some time in the future the phone will receive Android 6.0 (Marshmallow). I have attached the image below:

Sony_Update

====
The “Android” name, the Android logo, and other trademarks are property of Google Inc.
Copyright © 2011-2016 Sony Mobile Communications Inc. All rights reserved
====

I also contacted my network carrier and they stated that the device can run these updated versions of Android and that there is no reason why it wouldn’t have received such updates (assuming auto-updates hasn’t been turned off). As I said it appears that I received such updates up to October 2015 (I purchased the phone in November). They stated that Marshmallow will be rolled out in the future but no other details were provided. Neither of these answers are perfect and clearly demonstrate that while updates are being made available by Google and are being provided to the mobile carriers the update process (being used by the mobile carriers) needs to be streamlined for much faster deployment. I hope that you have better luck than I did.

Thank you.

VMware Security Updates Address Elevation of Privilege Vulnerability

In the second half of last week VMware released security updates for the following products:

  • VMware ESXi 6.0 without patch ESXi600-201512102-SG
  • VMware ESXi 5.5 without patch ESXi550-201512102-SG
  • VMware ESXi 5.1 without patch ESXi510-201510102-SG
  • VMware ESXi 5.0 without patch ESXi500-201510102-SG
  • VMware Workstation prior to 11.1.2
  • VMware Player prior to 7.1.2
  • VMware Fusion prior to 7.1.2

These updates address elevation of privilege (the concept is defined here) security issue which has been assigned 1x CVE number, (defined). This vulnerability was responsibly disclosed (defined) by Dmitry Janushkevich from the Secunia Research Team to VMware.

Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability which could allow an attacker to escalate their level of privilege/access within the guest operating system (namely one or more of your virtual machines) this issue should be patched as soon as possible. The issue is due to memory corruption vulnerability within the kernel (defined) of the VMware Tools “Shared Folders” HGFS feature.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Thank you.

WordPress Releases Security Updates (January 2016)

On Wednesday of last week, WordPress released version 4.4.1 of it’s popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves 1 security cross-site scripting (XSS) vulnerability (defined) that if exploited by an attacker could have allowed them gain control of your WordPress website. This issue was responsibly disclosed (defined) to WordPress and they worked internally to resolve it.

Due to the severity of this issue, WordPress is advising it’s users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.

Mozilla Releases Firefox 43.0.2 and Firefox ESR 38.5.2

In late December 2015 Mozilla released security updates for Firefox bringing it to version 43.0.2 and Firefox ESR (Extended Support Release) 38.5.2.

At that time the release notes for these updates didn’t reference any further security issues resolved since the previous updates (described in a previous post of mine). The above mentioned Firefox version numbers were not present in late December. I was aware of these updates but since they didn’t contain further security related changes I didn’t create a post about them. In future I will need to re-check those pages again in the days following such updates in order to avoid such a delay in posting.

Since that time the security advisory pages for Firefox and Firefox ESR (linked to below) now include details of a moderate severity security issue (assigned 1 CVE number (defined)) resolved by these updates. The issue relates to the Network Security Services (NSS) component of Firefox still accepting TLS 1.2 ServerKeyExchange messages with MD5 digital signatures. As discussed here and here, the use of MD5 is discouraged and Mozilla has rectified this issue using these updates.

Full details of the security issues resolved by these updates are available in the following links:

Firefox 43.0.2
Firefox ESR 38.5.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve this security issue.

Note: The most recent version of Firefox 43 at the time of writing is 43.0.4. It has since been updated following the release of 43.0.2. Please ensure you are using the most up to date version available. 43.0.4 re-enables SHA-1 certificates for “man-in-the-middle” (defined) devices. More details are provided here.

In general, Mozilla Firefox updates install without issues, however as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Apple Releases QuickTime for Windows Security Update (January 2016)

On Thursday of last week Apple released a security update for QuickTime for Windows. The update brings QuickTime to version 7.7.9.

Full details of this update are available on Apple’s Security Updates page. The update resolves 9 critical security issues (formally known as CVEs (defined).

To update Apple QuickTime for Windows, open QuickTime (by searching for it using the Start menu). From the menu bar at the top of the QuickTime window choose Help->Update Existing Software

Alternatively use Apple Software Update (usually installed with Apple iTunes). Upon opening Apple Software Update it will check for updates for you and display any applicable updates for QuickTime.

As always, I recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.