Monthly Archives: March 2016

Blog Post Shout Out: Further Tips To Prevent Ransomware

With growing numbers of organizations, companies and individuals being affected by ransomware, we need to take precautions before we are affected so that, if the worst should happen, we can recover.

For the second time this month I wish to give a respectful shout-out to a blog post that provides further tips on preventing ransomware which were not present in my previous posts.

For example: using the principle of least privilege (not using a privileged/administrator account on your device for everyday general use, so that anything launched by a careless click runs with fewer rights), security awareness (knowing the current computer security trends, what to avoid and which warning signs to look out for), and a new security feature Microsoft has added to Office 2016 in an effort to prevent the spread of ransomware. I hope that you will find the post linked below useful:

8 tips for preventing ransomware by John Zorabedian (Sophos Security)

Further practical advice on preventing ransomware is provided in a previous blog post.

Thank you.

Oracle Releases Another Out of Band Java Security Update

In a similar manner to an update published by Oracle in February, they have again released an out of band security update to address a critical security issue that was incorrectly patched (not fully resolved) in 2013. Updated versions of Java 7 and Java 8 are now available.

Further highlights of this update are provided here and here. Further background info on this issue is available in this Qualys blog post.

A set of suggested practices for using Java on your computer are provided here. Please install the recommended update for your version of Java as soon as possible to protect against this re-patched security issue.

Thank you.

Pre-Announcement of Samba (SMB/CIFS) Security Update

Update: 13th April 2016:

Further details as well as updates to resolve the Badlock issue are discussed in a more recent blog post.

Thank you.

Original Post:
Earlier this week an announcement was made by SerNet (a Samba consulting company, who set up the Badlock website) that a critical security update would be made available on the 12th of April to address a vulnerability in the SMB/CIFS protocol (defined below) on which the open source Samba project is based. The 12th of April is the second Tuesday of the month, known as Update Tuesday (or Patch Tuesday), when Adobe, Microsoft and others commonly release security updates on a scheduled basis.

Some advice that you can follow to better prepare for this update is described in this SANS blog post as well as in this very informative and practical InfoWorld article. Further background on this announcement can be found here.

I will publish another blog post on or very soon after the 12th of April to provide the appropriate information for you to address this vulnerability in a timely manner.

Thank you.

What is the SMB/CIFS protocol?
The Server Message Block (SMB) protocol, also referred to as the Common Internet File System (CIFS), is an application layer (layer 7 of the OSI model) protocol that mainly provides file access/transfer in a Microsoft network (e.g. via mapped network drives) but also allows the sharing of printers and carries named pipes used for inter-process communication between machines. Strictly speaking, CIFS is the name of the original SMB 1.0 dialect; SMB 2 and SMB 3 are later revisions of the protocol with a different message format. Further features of SMB/CIFS are detailed in this Sophos blog post.

Samba is an open source application (its source code, the human readable code, is free for the wider IT community to view and edit) that provides the above mentioned network services across Linux/Unix and Microsoft servers/clients.
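As an added example (not code from this blog or from the Samba project) of the difference between the SMB1/CIFS and SMB2/3 message formats described above, the following Python parses the fixed-size header of an SMB message and reports its dialect family, command and whether the message is a response or is signed. The field offsets follow the published MS-CIFS and MS-SMB2 header layouts; the sample messages are constructed inside the block, not captured traffic, and the small command tables are assumed for illustration.

```python
"""Parse SMB1/CIFS and SMB2/3 message headers (added example, constructed input)."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

# Subset of command codes, enough for the examples below.
SMB1_COMMANDS = {0x25: "SMB_COM_TRANSACTION", 0x72: "SMB_COM_NEGOTIATE",
                 0x73: "SMB_COM_SESSION_SETUP_ANDX", 0x75: "SMB_COM_TREE_CONNECT_ANDX",
                 0xA2: "SMB_COM_NT_CREATE_ANDX"}
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0003: "TREE_CONNECT",
                 0x0005: "CREATE", 0x0008: "READ", 0x0009: "WRITE", 0x000B: "IOCTL"}


def parse_smb_header(msg: bytes) -> dict:
    """Accepts a message with or without the 4-byte NetBIOS session header
    (0x00 type byte + 24-bit big-endian length) used over TCP port 445."""
    if len(msg) >= 8 and msg[0] == 0x00 and msg[4:8] in (SMB1_MAGIC, SMB2_MAGIC):
        declared = int.from_bytes(msg[1:4], "big")
        msg = msg[4:]
        if declared != len(msg):
            raise ValueError("NetBIOS length %d does not match payload %d" % (declared, len(msg)))
    magic = msg[:4]
    if magic == SMB1_MAGIC:
        if len(msg) < 32:
            raise ValueError("truncated SMB1 header")
        # Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
        (command, status, flags, flags2, _pid_high, _sig, _res,
         tid, _pid_low, uid, mid) = struct.unpack_from("<BIBHH8sHHHHH", msg, 4)
        return {"dialect": "SMB1/CIFS", "command": SMB1_COMMANDS.get(command, "0x%02x" % command),
                "response": bool(flags & 0x80),      # SMB_FLAGS_REPLY
                "signed": bool(flags2 & 0x0004),     # SMB_FLAGS2_SMB_SECURITY_SIGNATURE
                "status": status, "tid": tid, "uid": uid, "mid": mid}
    if magic == SMB2_MAGIC:
        if len(msg) < 64:
            raise ValueError("truncated SMB2 header")
        (size, _credit_charge, status, command, _credits, flags, _next_cmd,
         message_id, _reserved, tid, session_id, signature) = struct.unpack_from("<HHIHHIIQIIQ16s", msg, 4)
        if size != 64:
            raise ValueError("bad SMB2 StructureSize %d" % size)
        return {"dialect": "SMB2/3", "command": SMB2_COMMANDS.get(command, "0x%04x" % command),
                "response": bool(flags & 0x00000001),  # SMB2_FLAGS_SERVER_TO_REDIR
                "signed": bool(flags & 0x00000008),    # SMB2_FLAGS_SIGNED
                "status": status, "tid": tid, "session_id": session_id,
                "message_id": message_id, "signature": signature}
    raise ValueError("not an SMB message")


def netbios_frame(smb: bytes) -> bytes:
    """Wrap an SMB message in the NetBIOS session header used on port 445."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb1_header(command: int, flags: int = 0x18, flags2: int = 0x0001) -> bytes:
    """Constructed SMB1 header (request, unsigned by default)."""
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, flags, flags2, 0,
                                    b"\x00" * 8, 0, 0, 0, 0, 0)


def build_smb2_header(command: int, flags: int = 0, message_id: int = 0,
                      session_id: int = 0, tid: int = 0) -> bytes:
    """Constructed SMB2 header; signature left zeroed for the example."""
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 1, 0, command, 1, flags, 0,
                                    message_id, 0, tid, session_id, b"\x00" * 16)


def audit(frames) -> dict:
    """Count what a defender would inventory: legacy SMB1 and unsigned messages."""
    headers = [parse_smb_header(f) for f in frames]
    return {"total": len(headers),
            "smb1": sum(h["dialect"] == "SMB1/CIFS" for h in headers),
            "unsigned": sum(not h["signed"] for h in headers)}


if __name__ == "__main__":
    sample = [netbios_frame(build_smb1_header(0x72)),
              netbios_frame(build_smb2_header(0x0003, flags=0x8, message_id=5, session_id=0x1234))]
    for frame in sample:
        print(parse_smb_header(frame))
    print(audit(sample))
```

The `audit` helper is the practical use: before a protocol-level fix lands, knowing how much SMB1 and how much unsigned traffic is on the network tells you where the exposure is.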

Google Releases Further Security Update for Chrome (March 2016)

Yesterday Google released an update for Google Chrome this time bringing it to version 49.0.2623.101. This update addresses 5 security issues (4x high severity, 1x uncategorized; all of these issues have been assigned CVEs (defined)). One of the issues addressed was disclosed at Pwn2Own 2016.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and re-opened. Chrome can also be updated immediately by clicking the menu button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome”; Chrome then checks for and downloads the update. Follow the prompt to re-launch Chrome for the update to take effect.

As always full details of the update were made available by Google in a blog post. If you use Google Chrome as your web browser, please consider updating it as soon as possible. Thank you.

Apple Releases Security Updates To Address iMessage Vulnerability

Yesterday Apple released a very large collection of security updates affecting most of their product range. Among the issues addressed is the widely publicised vulnerability in the iMessage app:

  • Apple iOS 9.3: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • Apple watchOS 2.2: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Apple tvOS 9.2: For Apple TV (4th generation)
  • Apple Xcode 7.3: For OS X El Capitan v10.11 and later
  • Apple OS X El Capitan v10.11.4 and Security Update 2016-002: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3
  • Apple Safari 9.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.3
  • Apple OS X Server 5.1: For OS X Yosemite v10.10.5 and later

As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

Without question the most important update is for iOS, bringing it to version 9.3. These updates resolve the cryptographic flaw in Apple’s iMessage app, CVE-2016-1788 (defined), reported by Matthew Green and his team of research students; the same issue is also present in (and fixed for) watchOS and OS X. I will provide more detail on this vulnerability below.

Noteworthy fixes included are as follows:

Apple iOS 9.3: Resolves 38 CVEs and includes fixes for AppleUSBNetworking, FontParser, HTTPProtocol, the iOS kernel (defined), libxml2, Security, TrueTypeScaler, WebKit (and associated components) and Wi-Fi, among others.

Apple watchOS 2.2: Resolves 34 CVEs and includes fixes for DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple tvOS 9.2: Addresses 23 CVEs, the most severe present in the following components: DiskImages, FontParser, HTTPProtocol, IOHIDFamily, the tvOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple Xcode 7.3: Resolves 2 critical CVEs.

Apple OS X El Capitan v10.11.4 and Security Update 2016-002: Resolves 59 CVEs, the most severe being present in the following: apache_mod_php, AppleRAID (defined), AppleUSBNetworking, Bluetooth, Carbon, dyld, FontParser, HTTPProtocol, Intel Graphics Driver (defined), IOGraphics, IOUSBFamily, the OS X kernel, libxml2, Messages, Nvidia Graphics Drivers, OpenSSH, OpenSSL, Python, QuickTime, Ruby, Security, Tcl, TrueTypeScaler and Wi-Fi.

Update: 30th March 2016:
The update for OS X 10.11 (El Capitan) also addresses a vulnerability affecting System Integrity Protection (SIP), the protection feature introduced in that most recent version of the OS. This vulnerability was assigned the following CVE: CVE-2016-1757. Further discussion of this vulnerability is available here.

Apple Safari 9.1: Resolves 12 CVEs, the most critical being present in libxml2 and WebKit (the rendering engine of Safari).

Apple OS X Server 5.1: Addresses 4 CVEs the most severe of which could allow information disclosure.

An alternative summary of these updates is available within Intego’s blog post.

Why Should The Critical Cryptographic Flaw Resolved in the Updated Messages App be Considered Important?
From the information that has been made available, this is a chosen-ciphertext attack that uses a side channel: the attacker sends tampered versions of a real encrypted message and observes how the receiving device behaves (whether it accepts or rejects each one), and that behaviour leaks information about the plaintext. It works because a modified encrypted attachment was not detected and rejected outright before the device acted on the decrypted result, which is what an authentication tag over the ciphertext would provide. If an attacker were to access Apple’s servers undetected and obtain ciphertexts (encrypted messages sent using iMessage), they could, given sufficient time, decrypt the attachments of those messages (which can be photos or other files), provided that either the sender or the receiver of the message is online.

Each test is carried out by sending 2^18 (invisible) modified encrypted messages to the target device. From the device’s response to each one, the attacker can tell whether they “guessed” the encryption of that segment of the attachment correctly. This process is repeated segment by segment until the entire attachment has been decrypted. It took the researchers over 70 hours to complete a proof of concept attack using un-optimized code, but they estimate that with optimized code only a fraction of a day would be needed.

A more complete technical description is available in Matthew Green’s blog post.
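The mechanism described above, as an added example that is neither Apple’s code nor the researchers’ code: a toy model in Python of why a malleable (unauthenticated) counter-mode ciphertext plus a one-bit accept/reject response from the recipient is enough to recover the plaintext byte by byte, and why an authentication tag over the ciphertext stops the attack. The HMAC-based keystream (a stand-in for AES-CTR so the block runs on the standard library), the NUL-rejecting “parser” used as the oracle and the sample plaintext are all assumptions made for this example; the real iMessage message format and the 2^18 messages per test are not reproduced.

```python
"""Chosen-ciphertext oracle attack on malleable CTR ciphertext (added example)."""
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block j = HMAC-SHA256(key, nonce || j).
    Stand-in for AES-CTR; the attack only needs ciphertext = plaintext XOR keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag: with it, a modified ciphertext is rejected before parsing."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


class Recipient:
    """Models the target device. After decrypting it 'parses' the plaintext; the
    constructed parser rejects any NUL byte, and the attacker can observe
    accept/reject, which is the side channel."""

    def __init__(self, enc_key: bytes, mac_key: Optional[bytes] = None):
        self.enc_key = enc_key
        self.mac_key = mac_key  # None models the unauthenticated design

    def accepts(self, nonce: bytes, ciphertext: bytes, mac: Optional[bytes] = None) -> bool:
        if self.mac_key is not None:
            expected = tag(self.mac_key, nonce, ciphertext)
            if mac is None or not hmac.compare_digest(mac, expected):
                return False  # tampering detected, nothing is decrypted or parsed
        return b"\x00" not in ctr_crypt(self.enc_key, nonce, ciphertext)


Oracle = Callable[[bytes, bytes, Optional[bytes]], bool]


def recover_plaintext(oracle: Oracle, nonce: bytes, ciphertext: bytes,
                      mac: Optional[bytes] = None) -> Tuple[Optional[bytes], int]:
    """For byte i, XOR every guess g into ciphertext byte i. Because CTR is
    malleable the device decrypts p[i] ^ g, which is NUL (rejected) exactly
    when g == p[i]. Returns (plaintext, number of oracle queries); plaintext
    is None when the oracle's answers carry no information."""
    recovered = bytearray()
    queries = 0
    for i in range(len(ciphertext)):
        rejected = []
        for g in range(1, 256):
            tampered = bytearray(ciphertext)
            tampered[i] ^= g
            queries += 1
            if not oracle(nonce, bytes(tampered), mac):
                rejected.append(g)
        if len(rejected) == 1:
            recovered.append(rejected[0])
        elif not rejected:
            recovered.append(0)  # only the untested g == 0 could have produced NUL
        else:
            return None, queries  # every guess rejected: the tag check, not the plaintext
    return bytes(recovered), queries


SECRET = b"attachment-key:0123456789abcdef"  # constructed sample plaintext (no NUL bytes)


def demo() -> Tuple[Optional[bytes], int, Optional[bytes], int]:
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    ciphertext = ctr_crypt(enc_key, nonce, SECRET)
    # Unauthenticated CTR: at most 255 queries per byte recover the whole plaintext.
    leaked, q1 = recover_plaintext(Recipient(enc_key).accepts, nonce, ciphertext)
    # Authenticated: every tampered message fails the tag check, so nothing leaks.
    mac = tag(mac_key, nonce, ciphertext)
    nothing, q2 = recover_plaintext(Recipient(enc_key, mac_key).accepts, nonce, ciphertext, mac)
    return leaked, q1, nothing, q2


if __name__ == "__main__":
    leaked, q1, nothing, q2 = demo()
    print("unauthenticated CTR:", leaked, "after", q1, "queries")
    print("authenticated CTR:  ", nothing, "after", q2, "queries")
```

The point to take from the model is that the oracle does not have to be an explicit “wrong key” error; any observable difference in how the device handles a tampered message (a fetch, a receipt, a timing gap) is enough, and the only robust fix is to authenticate the ciphertext so tampered messages never reach the parsing stage.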

How Can I Protect Myself From This Issue?
If you own any devices that run Apple iOS, watchOS, tvOS or OS X, or you know someone who does, please use the links below to install the most recent security updates.

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Malwarebytes Releases Security Update For Consumer Products

As originally discussed in a previous blog post, last Friday Malwarebytes made available a security update for their consumer Anti-Malware product, bringing it to version 2.2.1.

While Malwarebytes originally mentioned that the product’s client had more than one vulnerability, the release notes of v2.2.1 only mention one vulnerability being resolved.

In order to resolve the reported vulnerability(ies), please install the updated version of Malwarebytes Anti-Malware (available from the above v2.2.1 link) as soon as possible. Automatic upgrades will take place later this week.

Thank you.

VMware Security Updates Address Cross-site scripting (XSS) Issues

In the middle of last week VMware made available security updates for the following products:

  • VMware vRealize Automation 6.2.4
  • VMware vRealize Business Advanced and Enterprise 8.2.5

These updates address a cross-site scripting (XSS) issue (defined) in each of these products; the two issues were assigned separate CVE numbers (defined). They were responsibly disclosed (defined) to VMware by Lukasz Plonka and Alvaro Trigo Martin de Vidales of Deloitte Spain (respectively).

Why Should These Issues Be Considered Important?

If an attacker were to successfully exploit these issues it may lead to the compromise of the client’s workstation being used to access these products. As with most XSS issues, exploitation would typically require a logged-in user to open an attacker-crafted link or page; further details on the nature or severity of the compromise are not provided by VMware.

How Can I Protect Myself From These Issues?
VMware have released updates to resolve these issues within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Thank you.

Symantec Releases Security Updates for Endpoint Protection

On the 17th of March Symantec issued security updates to address 3 critical CVEs (defined) within their Endpoint Protection Manager and Endpoint Protection Client products. All versions prior to 12.1-RU6-MP4 are affected.

Why Should These Issues Be Considered Important?
Symantec Endpoint Protection Manager (SEPM) was found to be vulnerable to three security issues (discussed below):

The first issue was a cross-site request forgery vulnerability (defined here, here and here) caused by insufficient security checks. If exploited, this issue could allow an attacker to execute arbitrary code (run any steps/instructions of their choice) with the permissions/access of the logged-in user, which could result in the attacker obtaining unauthorized and/or elevated access to the Symantec Endpoint Protection Manager (SEPM) management console.

An SQL injection issue (defined) was also found in SEPM which, if exploited, could again allow an attacker to obtain unauthorized and/or elevated access (up to administrative level (defined)) to the SEPM management console.

The final issue involves the Application and Device Control (ADC) driver (defined) installed on a Symantec Endpoint Protection client. Despite a previous security update, this driver still does not sufficiently validate external input. If an attacker were to exploit this, they could execute arbitrary code with the permissions/access of the logged-on user. To exploit it, however, the attacker would first need the user to click on a malicious link or open a specially crafted document, which could be hosted on a website or received via email.

How Can I Protect Myself From These Issues?
Symantec issued a security advisory which contains details of the necessary updates to address these 3 critical issues which were responsibly disclosed (defined) to Symantec. Please note the download link for these updates requires the serial number of your Symantec product in order to proceed.

Moreover, Symantec’s advisory provides further best practice advice to minimize the impact of these issues, including a mitigation for the third issue discussed above for the period before you apply the necessary updates.

If you make use of the affected Symantec corporate anti-malware products within your organization, please install the relevant updates as soon as possible.

Thank you.

Pwn2Own 2016 Highlights Kernel Exploits

Update: 19th March 2017:
Apologies for not continually updating this post detailing the fixes for each issue identified. When I attempted to do so I found it wasn’t possible to identify the fixes.

During Pwn2Own, CVE numbers (defined) or other similar identifiers are generally not assigned to the vulnerabilities found when the results are published. When security updates that include CVEs later become available, you cannot tell whether they refer to Pwn2Own issues or simply to routine responsible disclosures.

Occasionally vendors will mention that they have resolved a Pwn2Own vulnerability, but not always. In addition, the names of the researchers who took part in the contest frequently appear in routine disclosures too, making singling out specific vulnerabilities more difficult.

Thank you for your understanding.

Update: 25th March 2016:
The first security issue to be addressed as a result of this year’s Pwn2Own contest was a vulnerability in Google Chrome as detailed in a more recent blog post.

Thank you.

Original Post:
As scheduled, the final day of Pwn2Own 2016 took place on the 17th of March. Full details of how the individual teams performed and how many exploits were successful are available here and here. In summary, Adobe Flash, Apple Safari and Microsoft Edge were successfully exploited, with Google Chrome only partially exploited using a known issue.

As noted by Trend Micro, the highlight of this year’s contest is that every successful entry went on to obtain System/root privileges (separately defined), taking advantage of flaws such as buffer overflows (defined) in the kernels (defined) of the underlying operating systems rather than stopping at the browser or plugin sandbox. This shift of focus towards exploits targeting the kernel is a worrying trend and highlights the need for more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel by vendors to find and resolve vulnerabilities before they are exploited.

The prize money of $460k earned by the participants is truly amazing. Pwn2Own was again a great success and we can look forward to the issues found in the above mentioned products to be fixed and rolled-out to us in the coming months.

Thank you.

First Apple Mac Ransomware Poses Serious Risk

The prevalence of ransomware continues to increase, this time affecting Apple Mac OS X devices. Earlier this month users of the Transmission BitTorrent client (specifically the version for Mac OS X) were at risk of having their data encrypted and held to ransom, since the downloadable version of the client had extra code added to it by attackers seeking a ransom payment in return for recovering your data.

Why Should This Issue Be Considered Important?
If you had downloaded and installed version 2.90 of the Transmission app, after 3 days it would have encrypted your personal data and demanded 1 bitcoin (approx. USD $400) in order to retrieve it. This would not only have been a huge inconvenience but could also have left you unable to carry out routine tasks or your job if you are a small business owner using your personal Mac system for business.

The fact that the malicious code included with the hijacked Transmission app would only encrypt your data 3 days after you installed it would have made narrowing down the source of the malware infection much more difficult.

An analysis of the malware by Palo Alto Networks showed that it had partial (not yet functional) support for encrypting the data stored by Apple’s Time Machine backup software; had that been operational it would have caused far more data loss, since the backup would have been encrypted along with the original files.

As discussed below, while this particular malware campaign has now been dealt with by the combined efforts of Apple, Transmission, Palo Alto Networks and other security companies, the technique (adding malicious code to a legitimate, signed download) remains available to future malware seeking to encrypt or steal data.

How Can I Protect Myself from This Issue?
As per Transmission’s recommendation, if you use their BitTorrent client on your Mac OS X system, please update it to version 2.92 or later. If you have anti-malware/anti-virus software installed, please run a full system scan and remove any traces of the malware that may be present. Alternatively, easy to follow manual instructions to remove the malware are provided here.

As mentioned in previous ransomware blog posts, please back up your critical data and ensure to have at least one full copy that is not connected to your computer. This will ensure that it is not available to the ransomware for it to be encrypted too. Recommendations for using Apple’s Time Machine backup software are provided here.

Separately, Apple revoked the app development certificate (not Transmission’s own) that had allowed the malware to pass Apple’s Gatekeeper check, once Palo Alto Networks informed them of its misuse. They also updated their XProtect malware protection definitions to detect and remove the malware.

Meanwhile, Transmission updated their software to version 2.92, which removes the malware from the app and removes any traces of the malware that may be present on a Mac system after installing version 2.90. All of the mentioned companies/teams should be applauded for their thorough and swift response to this threat.

Thank you.

Further References:
ComputerWorld: First Mac ransomware had sights on encrypting backups, too
The Safe Mac: First Mac ransomware spotted