Daily Archives: March 20, 2016

Malwarebytes Releases Security Update For Consumer Products

As originally discussed in a previous blog post, Malwarebytes last Friday made available a security update for their Anti-Malware product used by consumers. The update brings it to version 2.2.1.

While Malwarebytes originally mentioned that the product's client had more than one vulnerability, the release notes of v2.2.1 only mention one vulnerability being resolved.

In order to resolve the reported vulnerability (or vulnerabilities), please install the updated version of Malwarebytes Anti-Malware (available from the above v2.2.1 link) as soon as possible. Automatic upgrades will take place later this week.

Thank you.

VMware Security Updates Address Cross-site scripting (XSS) Issues

In the middle of last week VMware made available security updates for the following products:

  • VMware vRealize Automation 6.2.4
  • VMware vRealize Business Advanced and Enterprise 8.2.5

These updates address a cross-site scripting (XSS) issue (defined) in each of these products. These issues were assigned separate CVE numbers (defined). These vulnerabilities were responsibly disclosed (defined) by Lukasz Plonka and Alvaro Trigo Martin de Vidales of Deloitte Spain (respectively) to VMware.

Why Should These Issues Be Considered Important?

If an attacker were to successfully exploit this issue, it may lead to the compromise of the client workstation being used to access these products. Further details, including the severity of such a compromise, are not provided by VMware.

How Can I Protect Myself From These Issues?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Thank you.

Symantec Releases Security Updates for Endpoint Protection

On the 17th of March Symantec issued security updates to address 3 critical CVEs (defined) within their Endpoint Protection Manager and Endpoint Protection Client products. All versions prior to 12.1-RU6-MP4 are affected.

Why Should These Issues Be Considered Important?
Symantec Endpoint Protection Manager (SEPM) was found to be vulnerable to three security issues (discussed below):

The first issue was a cross-site request forgery vulnerability (defined here, here and here) caused by insufficient security checks. If exploited, this issue could allow an attacker to execute arbitrary code (run or carry out any steps/instructions of their choice) with the permissions/access of the logged-in user. This could result in the attacker obtaining unauthorized and/or elevated access to the Symantec Endpoint Protection Manager (SEPM) management console.
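The "insufficient security checks" behind a CSRF issue are usually a state-changing request that is accepted without proof that it came from the application's own pages. The following is an added illustration (not Symantec's code, and not derived from the advisory) of the two checks a management console would typically apply before honouring such a request: a browser-set Origin/Referer header matched against a trusted origin list, and a per-session token compared in constant time. The request dictionaries, the `TRUSTED_ORIGINS` set and the function names are constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical: the origin(s) the management console is served from.
TRUSTED_ORIGINS = {"https://console.example.test"}


def issue_csrf_token() -> str:
    """Create a fresh unguessable token; a real app stores it in the server-side session."""
    return secrets.token_urlsafe(32)


def csrf_check(request: dict, session_token: str) -> tuple[bool, str]:
    """Return (allowed, reason) for an incoming request.

    `request` is a constructed dict with 'method', 'headers' and 'form' keys,
    standing in for whatever request object a real web framework provides.
    """
    # Read-only methods must not change state, so they need no CSRF protection.
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"

    headers = {k.lower(): v for k, v in request["headers"].items()}

    # Check 1: Origin (or Referer as a fallback) is set by the browser and cannot be
    # forged by a cross-site page, so it must name one of our own origins.
    origin = headers.get("origin") or headers.get("referer")
    if origin is None:
        return False, "missing Origin/Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {parsed.scheme}://{parsed.netloc}"

    # Check 2: the form must carry the session's token. A cross-site page cannot
    # read it, and compare_digest avoids leaking it through timing differences.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session_token):
        return False, "token mismatch"

    return True, "ok"


# Constructed sample traffic for the checks above.
SESSION_TOKEN = issue_csrf_token()

LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "https://console.example.test"},
    "form": {"action": "add-admin", "csrf_token": SESSION_TOKEN},
}

# A request a victim's browser would send from an unrelated page: the browser
# reports the real origin, and the page cannot include the session token.
CROSS_SITE_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "https://other-site.example.test"},
    "form": {"action": "add-admin"},
}

# Right origin but a stale or guessed token.
STALE_TOKEN_REQUEST = {
    "method": "POST",
    "headers": {"Referer": "https://console.example.test/users"},
    "form": {"action": "add-admin", "csrf_token": "not-the-session-token"},
}


if __name__ == "__main__":
    for name, req in [("legit", LEGIT_REQUEST), ("cross-site", CROSS_SITE_REQUEST),
                      ("stale-token", STALE_TOKEN_REQUEST)]:
        print(name, csrf_check(req, SESSION_TOKEN))
```

Rejecting requests with neither Origin nor Referer is a deliberate strictness: some privacy tools strip Referer, but modern browsers always send Origin on cross-origin POSTs, so a legitimate same-origin form post will carry at least one of them.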

An SQL injection issue (defined) was found in SEPM which, if exploited, could again allow an attacker to obtain unauthorized and/or elevated access (up to administrative level (defined) of access) to the Symantec Endpoint Protection Manager (SEPM) management console.
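To show what an SQL injection issue of this kind looks like and how it is fixed, here is an added example (not Symantec's code, and unrelated to the actual SEPM flaw, whose details the advisory does not give) using an in-memory SQLite table constructed to stand in for a console's account store. The vulnerable lookup pastes user-supplied text into the query, so quote characters in the input change the query's structure; the fixed lookup binds the value as a parameter, so the input is only ever treated as data. The table, the `CRAFTED_INPUT` string and the function names are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; a real console would use its own schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("admin", "hash-of-admin-secret", "administrator"),
            ("helpdesk", "hash-of-helpdesk-secret", "operator"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Vulnerable: string formatting lets the input rewrite the WHERE clause."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Fixed: the driver binds the value; quotes in it never reach the SQL parser."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input containing quote characters. Against the vulnerable lookup it
# turns the filter into a tautology and every account (including the
# administrator) is returned; against the fixed lookup it matches nothing.
CRAFTED_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("normal, vulnerable:     ", lookup_vulnerable(conn, "helpdesk"))
    print("normal, parameterized:  ", lookup_parameterized(conn, "helpdesk"))
    print("crafted, vulnerable:    ", lookup_vulnerable(conn, CRAFTED_INPUT))
    print("crafted, parameterized: ", lookup_parameterized(conn, CRAFTED_INPUT))
```

The key point for reviewers is that escaping or blacklisting characters is not the fix; the fix is that the query text is fixed at compile time and every user-controlled value travels through a bound parameter, which is what "administrative level of access" via a crafted string can no longer exploit.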

The final issue involves the Application and Device Control (ADC) driver installed on a Symantec Endpoint Protection client. Despite a previous security update, this driver (defined) does not sufficiently validate external input. If an attacker were to exploit this, they could execute arbitrary code with the permissions/access of the logged-on user. However, to exploit this, the attacker would first require the user to click on a malicious link or open a specifically crafted document. This link and/or document could be present on a website or received via email.

How Can I Protect Myself From These Issues?
Symantec issued a security advisory which contains details of the necessary updates to address these 3 critical issues which were responsibly disclosed (defined) to Symantec. Please note the download link for these updates requires the serial number of your Symantec product in order to proceed.

Moreover, Symantec's advisory provides further best-practice advice to minimize the impact of these issues, and to mitigate the third issue discussed above during the time before you apply the necessary updates.

If you make use of the affected Symantec corporate anti-malware products within your organization, please install the relevant updates as soon as possible.

Thank you.

Pwn2Own 2016 Highlights Kernel Exploits

Update: 19th March 2017:
Apologies for not continually updating this post detailing the fixes for each issue identified. When I attempted to do so I found it wasn’t possible to identify the fixes.

When Pwn2Own results are published, CVE numbers (defined) or other similar identifiers are generally not assigned to the vulnerabilities found. When security updates that include CVEs later become available, you cannot tell whether they refer to Pwn2Own issues or simply to routine responsible disclosures.

Occasionally vendors will mention that they have resolved a Pwn2Own vulnerability, but not always. In addition, the names of the researchers who took part in the contest frequently appear in routine disclosures, making it more difficult to single out the specific vulnerabilities.

Thank you for your understanding.

=======================
Update: 25th March 2016:
=======================
The first security issue to be addressed as a result of this year’s Pwn2Own contest was a vulnerability in Google Chrome as detailed in a more recent blog post.

Thank you.

=======================
Original Post:
=======================
As scheduled the final day of Pwn2Own 2016 took place on the 17th of March. Full details of how the individual teams performed and how many exploits were successful are available here and here. In summary Adobe Flash, Apple Safari and Microsoft Edge were successfully exploited with Google Chrome only partially exploited using a known issue.

As noted by Trend Micro, the highlights of this year's contest include that every exploit presented achieved System/root privileges (separately defined) by taking advantage of flaws such as buffer overflows (defined) within the kernels (defined) of these products. This shift in focus towards exploits targeting the kernel is a worrying trend, and it highlights the need for more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel by the vendors to find and resolve vulnerabilities before they are exploited.

The prize money of $460k earned by the participants is truly amazing. Pwn2Own was again a great success, and we can look forward to the issues found in the above-mentioned products being fixed and rolled out to us in the coming months.

Thank you.