Monthly Archives: February 2016

Wireshark Releases Security Updates February 2016

Last Friday the Wireshark Foundation made available security updates for their popular open source network packet analyzer Wireshark (v2.0.2, the current branch, and v1.12.10, the previous branch).

Version 2.0.2 addresses 18x security advisories (11x of which were assigned CVEs (defined)), while version 1.12.10 addresses 7x security advisories (4x of which were assigned CVEs).

As per the normal process, Linux distributions can obtain this update using the operating system's standard package manager (if the latest version is not installed automatically by the package manager, you can instead compile the source code). This forum thread and this forum thread may also be helpful to you when installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

As always, if Wireshark is installed on a critical production system or systems that contain your critical data, please back up your data before installing this update in order to prevent data loss in the rare event that an update causes unexpected issues.

Thank you.

Apple Releases Security Update for Apple TV

Late last week Apple released a single security update for Apple TV, bringing it to version 7.2.1. It addresses 61 security issues, more formally known as CVEs (defined).

As always, full details of all of these updates are provided on Apple’s Security Updates page. Further release notes are available here. Noteworthy fixes included are as follows:

Code Signing (4x CVEs)
CoreMedia Playback (2x CVEs)
CoreText (2x CVEs)
FontParser (3x CVEs)
ImageIO (3x CVEs)
Apple TV kernel (2x CVEs) (the concept of a kernel is defined here)
libc (3x CVEs)
libpthread (1x CVE)
libxpc (1x CVE)
WebKit (the rendering engine of Safari) (24x CVEs)

If you use Apple TV, please install the appropriate update as soon as possible. For advice on how to install updates for Apple TV, please see this page.

Thank you.

Upcoming Pwn2Own 2016 Contest Announced

Update: 20th March 2016:
A more recent blog post discusses the outcome of Pwn2Own 2016.

Thank you.

=======================
Original Post
=======================
Next month on March the 16th and 17th the annual CanSecWest security conference will take place. As you know I’m a particular fan of this since it includes the Pwn2Own contest.

This year Mozilla Firefox and Adobe Reader won’t be included. Exploits for Firefox are quite rare, while exploits for Adobe Reader have mostly ceased to be used by exploit kits (defined) in recent years, so I can see why this decision was made. However, we still see security updates being made available for both of these products on a regular basis. Another change is that the operating systems to be exploited won’t be installed directly on the contest computers but within VMware virtual machines (VMs). Additional prize money will be awarded if the researchers can have their exploits escape from within the VMs.

This contest will mark the first time that Apple Mac OS X 10.11 (“El Capitan”), Microsoft Edge and Windows 10 will be part of the competition, as security researchers attempt to exploit the very latest versions of these products. Similar to last year, Microsoft EMET will be used to make the exploitation of vulnerabilities more difficult. Whether more vulnerabilities will be found in EMET itself, or whether it is simply present for the purpose mentioned above, remains to be seen.

Further details of this year’s contest are available here. I will post again when the results of the contest are known, including any highlights for us as users of the software featured in the contest: whether it can look forward to being more secure and/or whether more security features will be added as a result of the contest.

Thank you.

Microsoft Releases EMET 5.5

====================
Update: 11th July 2017:
As noted in a new blog post, an upcoming update to Windows 10 will contain some features of EMET. Further details are available in the above-mentioned blog post.

Thank you.
====================

====================
Update: 14th March 2017:
Since my last update of this post EMET was updated to version 5.52 to resolve the following issues:

  • An issue with the EAF mitigation that causes some applications to hang on Windows 7 SP1.
  • A fix to the MSI installer to allow in-place upgrade behavior.
  • Removed the EAF+ mitigation for Chrome from “Popular Software.xml”.
  • Fixed import behavior for System Mitigations.

Thank you.

====================
Update: 17th November 2016:
Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018. Further details are available in this blog post.

However, Microsoft updated EMET in August 2016 to version 5.51, which incorporates the following minor changes (fixes for):

  • EMET 5.5 GUI crashing on startup
  • Unexpected BitLocker warning in EMET 5.5 when changing system-wide DEP setting

Further details on EMET's mitigations, as well as known compatibility issues, are listed in this article. A more detailed forum thread on this topic is available here.

Thank you.
====================

Update 23rd February 2016:
According to this FireEye blog post EMET 5.5 also addresses a critical security vulnerability that was responsibly disclosed (defined) to Microsoft.

As mentioned below, if you use a version of EMET prior to version 5.5, please use the links provided to install version 5.5 as soon as possible. Thank you.

Update 3rd April 2016:
As discussed in a more recent blog post the Untrusted font mitigation of EMET 5.5 is now used by Google Chrome when installed on Windows 10 (with the November 2015 update). Thank you.

=======================
Original Post:
=======================
In early February Microsoft released version 5.5 of their Enhanced Mitigation Experience Toolkit (EMET).

This is an important update for users of Windows 10 since it adds full compatibility with that version of Windows in contrast to the previous 5.2 version of EMET. The full list of changes in this new version is available in this Microsoft blog post.

In addition, this version adds a noteworthy enhancement for Windows 10 users that blocks exploits which use font files stored in any directory (folder) in order to gain additional privileges, whether the attacker is remote or local (i.e. already has a presence on your system). Fonts stored anywhere other than the %windir%/Fonts directory will not be loaded. If you are currently using an older version of EMET, please consider upgrading to EMET 5.5 to take advantage of the enhancements in this update. Further resources concerning installation, use and obtaining support for EMET are available on the Protecting Your PC page of this blog.
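The untrusted font mitigation described above outlived EMET: the July 2017 update to this post notes that Windows 10 absorbed some of EMET's features, and the built-in exploit protection in Windows 10 version 1709 and later exposes the same "block fonts outside %windir%\Fonts" control through the ProcessMitigations PowerShell module. The following is an added example, not code from the blog post or from EMET or Microsoft; it assumes Windows 10 1709 or later, an elevated PowerShell session, and that the Set-ProcessMitigation/Get-ProcessMitigation cmdlets are available. The function names are my own, and the event log name and event ID used for reviewing blocked font loads are taken from Microsoft's untrusted-font documentation and are flagged as an assumption in the code.

```powershell
# Added example (not from the blog post, EMET or Microsoft). Assumes Windows 10
# 1709+ with the ProcessMitigations module and an elevated PowerShell session.

# Step 1: audit mode. Font loads from outside %windir%\Fonts are logged but still
# allowed, which surfaces the compatibility problems the post's updates mention
# before anything is actually blocked.
function Enable-UntrustedFontAudit {
    param([Parameter(Mandatory)][string]$ProcessName)   # e.g. 'notepad.exe'
    Set-ProcessMitigation -Name $ProcessName -Enable AuditFont
}

# Step 2: enforcement. Non-system fonts are refused for this process.
function Enable-UntrustedFontBlock {
    param([Parameter(Mandatory)][string]$ProcessName)
    Set-ProcessMitigation -Name $ProcessName -Enable FontDisable
}

# Read back the per-process font settings so the change can be verified
# (the Font sub-object holds the block/audit state for non-system fonts).
function Get-UntrustedFontState {
    param([Parameter(Mandatory)][string]$ProcessName)
    (Get-ProcessMitigation -Name $ProcessName).Font
}

# Review what audit/block mode has caught. Assumption: blocked or audited font
# loads are written to the Win32k operational log as event ID 260, per
# Microsoft's untrusted-font documentation; adjust if your build differs.
function Get-UntrustedFontEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Win32k/Operational'
        Id        = 260
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: audit first, review the log, then enforce once no legitimate
# application is loading fonts from outside %windir%\Fonts.
Enable-UntrustedFontAudit -ProcessName 'notepad.exe'
Get-UntrustedFontState   -ProcessName 'notepad.exe'
Get-UntrustedFontEvents  -Hours 24
# Enable-UntrustedFontBlock -ProcessName 'notepad.exe'
```

Running audit mode for a day or two before switching to FontDisable is the same caution the post's later updates apply to EMET itself: the mitigation is only useful if it does not break the applications it protects, and the event log is where that evidence lives.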

Please note that in order to migrate previous EMET settings to version 5.5, Microsoft have provided a PowerShell script. Instructions for using this script to migrate the settings are available on pages 33 and 36 of the EMET 5.5 user's guide.

Thank you.

Google Releases Further Security Update for Chrome (Feb 2016)

Last week Google released an update for Google Chrome bringing it to version 48.0.2564.116. This update addresses a single critical security issue (this issue has been assigned a CVE (defined)).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

As always full details of the update were made available by Google in a blog post. If you use Google Chrome as your web browser, please consider updating it as soon as possible. Thank you.

Mozilla Releases Firefox 44.0.2 and Firefox ESR 38.6.1

Earlier today Mozilla made available unscheduled security updates for Firefox and Firefox ESR (Extended Support Release), bringing them to versions 44.0.2 and 38.6.1 respectively. Firefox 44.0.2 addresses a critical severity CVE (defined). Two other critical security issues (1 of which was assigned a CVE) were resolved by Firefox ESR 38.6.1.

These security issues were reported to Mozilla by 2 security researchers (Jason Pang of OneSignal and Holger Fuhrmannek) and the Cisco Talos Security Intelligence and Research Group.

The first issue, affecting Firefox 44.0 and 44.0.1, involves a violation of the browser's same-origin policy (defined): a service worker could intercept the network requests made by the browser's plugins and forge the responses to them, including a forged crossdomain.xml file.

The first issue addressed by Firefox ESR 38.6.1 involves the bypassing of validation of internal instruction parameters within the Graphite 2 library of Firefox when special CNTXT_ITEM instructions are used. The other issues reported by the Cisco Talos group were also addressed but no further details were provided.

Further details of these updates (and the issues they address) are available here and here. If Firefox is installed on any computer that you use, please install the appropriate update as soon as possible. Details of how to install updates for Firefox are here.

Mozilla Firefox updates generally install without issues, however as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Google Releases Security Update for Chrome (February 2016)

Yesterday Google released an update for Google Chrome bringing it to version 48.0.2564.109. This update addresses 6 security issues, all of which have been assigned CVE numbers (security issues are more formally known as CVEs (defined)). The severity levels of these issues are detailed below:

  • 3x high severity
  • 2x medium severity
  • 1x remaining uncategorized issue

Update: 13th February 2016: Apologies for the delay but I have since confirmed that this Google Chrome update includes the Adobe Flash Player v20.0.0.306 update released earlier this week.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

As always full details of the update were made available by Google in a blog post. If you use Google Chrome as your web browser, please consider updating it as soon as possible. Thank you.