Daily Archives: February 12, 2019

February 2019 Update Summary

Earlier today Microsoft made available 13 bulletins and 3 advisories resolving 74 vulnerabilities (more formally known as CVEs (defined)) respectively. As always more details are available from Microsoft’s monthly summary page.

Also today Adobe released scheduled updates for the products listed below addressing 75 CVEs in total:

Adobe Acrobat and Reader: 71x priority 2 CVEs resolved (43 of the 75 are Critical, the remainder are Important severity)

Adobe ColdFusion: 2x priority 2 CVEs resolved

Adobe Creative Cloud Desktop Application: 1x priority 3 CVE resolved

Adobe Flash Player: 1x priority 2 CVE resolved

If you use the affected Adobe products; due to the public disclosure (defined) of CVE-2019-7089 as a zero day (defined) vulnerability, please install the Adobe Acrobat and Reader updates first followed by Flash Player and the remaining updates. I provide more detail on the zero day vulnerability in a separate post.

As we are accustomed to Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates or for which workarounds are provided. They are listed below for your reference:

4345836
4471391
4471392
4483452
4486996
4487017
4487020
4487026
4487044
4487052

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft GDI+

Scripting Engine (CVE-2019-0590 , CVE-2019-0591 , CVE-2019-0593 , CVE-2019-0640  ,
CVE-2019-0642
, CVE-2019-0648 , CVE-2019-0649  , CVE-2019-0651 , CVE-2019-0652 , CVE-2019-0655 , CVE-2019-0658)

Windows DHCP

Microsoft Exchange

Microsoft SharePoint and CVE-2019-0604

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
8 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 8.8 have been resolved within Nvidia’s graphics card drivers (defined) in February. These vulnerabilities affect Linux FreeBSD, Solaris and Windows. The steps to install the drivers are detailed here (and here) for Ubuntu and here for Linux Mint. Windows install steps are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
7-Zip:
=======================
In the 3rd week of February; 7-Zip version 19.00 was released. While it is not designated as a security update; the changes it contains appear to be security related. While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. Directory Opus version 12.2.2 Beta includes version 19.00 of the 7-Zip DLL.

If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from these improvements.

=======================
Changes:
=======================
– Encryption strength for 7z archives was increased:
the size of random initialization vector was increased from 64-bit to 128-bit, and the pseudo-random number generator was improved.
– Some bugs were fixed.
=======================

If you are using the standalone version and it’s older than version 19, please consider updating it.

=======================
Mozilla Firefox
=======================
In mid-February Mozilla issued updates for Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65.0.1: Resolves 3x high CVEs (defined)

Firefox 60.5.1: Resolves 3x high CVEs

As always; details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from changes such as improvements to Netflix playback, color management on Apple macOS and resolving audio/video delays during WebRTC calls etc.

=======================
Wireshark 3.0.0, 2.6.7 and 2.4.13
=======================
v3.0.0: 0 security advisories (new features and benefits discussed here and here)

v2.6.7: 3 security advisories

v2.4.13: 3 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.0, v2.6.6 or v2.4.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Note: from this post onwards, I will only report on the most recent (v3.0) and previous branches (v2.6) of Wireshark.

Thank you.

Adobe Reader Vulnerability Disclosed

====================
Updated: 26th February 2019
====================
After the update was issued by Adobe; the original researcher who disclosed it found a bypass and again reported it to Adobe. The bypass was assigned another CVE number; CVE-2019-7815

It has now been addressed by a further update made available by Adobe last Thursday. If you use Adobe Acrobat or Reader, please ensure it is up to date:

Thank you.

====================
Original Post
====================
Yesterday; the security firm 0patch released a micropatch for a vulnerability that was publicly disclosed (defined) in late January.

Why should this vulnerability be considered important?
The vulnerability allows for the extraction/disclosure of the NTLMv2 hashes (defined) associated with your Windows login account to be sent to an attacker when you open a specifically modified PDF document, The information is sent via the SMB protocol (defined) to the attacker essentially allowing the document “to phone home” to them.

Adobe Reader DC (2019.010.20069 and earlier) are affected. This vulnerability is similar to a now patched vulnerability from last year namely; CVE-2018-4993, The new vulnerability is caused by the fact that while a user is warned via a dialog box when opening an XML style sheet via the HTTP protocol; when using the SMB protocol and while following a UNC (defined) link; no such warning appears.

How can you protect your organisation and yourself from this vulnerability?
Please apply the update made available by Adobe earlier today. If for any  reason you cannot update right now, please consider the micropatch from 0patch. A YouTube video of the micropatch in action is available from the following link:

The micropatch does not require a reboot. The patch does not need to be uninstalled once you later install the update from Adobe.

Thank you.

Security of Selected IoT Devices Tested

The current level of security present in Internet of Things (IoT)(defined) devices continues to be low and is in need of further maturity and consideration given to security and best practices.

A recent study carried out by researchers from Brazil’s Federal University of Pernambuco and the University of Michigan found that 31% of the apps (equating 37 out of 96 devices tested) used to control the IoT devices used no encryption while a further 19% used hard coded encryption keys (which can’t be changed). An attacker may be able to reverse engineer these.

The researcher then developed proof of concept attacks against five devices which are controlled by four apps:

Belkin’s WeMo for IoT
Broadlink’s e-Control app
TP-Link’s Kasa app
LIFX app used with that company’s Wi-Fi enabled light bulbs

From these 3 used no encryption while three apps communicated via broadcast messages that can provide an attacker a means of monitoring the nature/contents of the app to device communication. The researchers elaborated “A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network”.

For the TP-Link Smart Plug which was reviewed more than 10k times on Amazon shares an encryption key across a given product line while the initial set up is performed using the app without strict authentication.

How to secure your IoT devices:
The researchers pointed out that Google’s Nest thermostat app was a better example of how security should be done. Its configuration can be carried out over TLS to the cloud or via Wi-Fi with WPA. This app also offers 2 factor authentication (defined) (albeit only via SMS messages which are themselves not best practice).

However, the Nest and any IoT rely on you to practice good security e.g. not re-using passwords for researching how best to secure that device. This story linked to is an example of what can happen if you don’t:

Further tips on securing IoT devices are listed provided below with a further tip of “Track and assess devices” from CSO Online. Devices such as Amazon Echo, Apple HomePod and Google Home require even more steps (final link below):

7 tips for securing the Internet of Things by Chester Wisniewski (Sophos Security)

8 tips to secure those IoT devices by Michelle Drolet (CSO Online)]

Securing the Internet of Things (US-CERT)

9 things to check after installing wireless access points by Eric Geier (Computerworld)

Securing Your Smart TV

Increasing the privacy and security of virtual assistants

Thank you.

Apple KeyChain Vulnerability Disclosed

Last week a security researcher publicly disclosed a vulnerability within Apple macOS’ Keychain (Apple’s password management system). The exact proof of concept code has not been released.

TL DR:  This vulnerability is currently unpatched by Apple. Be cautious of the links you click on, email attachments and applications you download/open. Keep your system current with already released updates. Watch for updates from Apple in the near future.

Why should this vulnerability be considered important?
This vulnerability affects all versions of Apple macOS up to the most recent 10.14.3 (Mojave). Apple Keychain is used to store passwords for application, websites and servers. This information is encrypted by default blocking access via other means without your permission.

However; the exploit allows an attacker to access this information from a standard user account (thus not requiring root (defined)(privileged) access) without generating a password prompt. The keychain must first be unlocked but it is when you are logged into the system. The System keychain which contains (among other items) is not affected. Thus, if the attacker can persuade you to run an application of their choice (e.g. substituting an app that looks like an app you regularly download manually); they could obtain your passwords/sensitive information. A YouTube video demonstrating the custom application designed to exploit this is provided below:

https://youtu.be/nYTBZ9iPqsU

How can I protect myself?
Please see the TL DR above. You should also consider manually locking your keychain or setting a keychain specific password (further details below).

===========

Lock your Keychain:
Open Keychain Access in the Applications: Utilities folder. Select your keychain (usually your user name) in the drawer (click on Show Keychains in the toolbar if it’s not visible). Then choose Edit: Change Settings For Keychain keychain name. Select Lock After 5 Minutes Of Inactivity (or lower according to your preference).

Password Protect Your Keychain:
Open the Keychain Access application, and select your keychain in the drawer. Select Edit: Change Password For Keychain keychain name, and then enter a new password.

With thanks to MacWorld:

===========

Why did the researcher not disclose this to Apple privately?
The researcher, Linus Henze chose not to privately disclose this to Apple since while Apple have a bug bounty for iOS which is by invite only; they don’t have such a program for macOS. The researcher wishes to highlight this omission. A quote from the researcher is included below (my thanks to Sergiu Gatlan of BleepingComputer.com) for this:

“Please note that even if it looks like I’m doing this just for the money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers. I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have)”

Separately he is not the only researcher to be criticising Apple’s approach to vulnerability remediation. Ian Beer of Google Project Zero publicly criticised Apple last August for simply fixing vulnerabilities rather than thinking of them in an exploit context namely “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could have found [the bug] earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”

Thank you.