Monthly Archives: April 2019

April 2019 Update Summary

Yesterday Microsoft and Adobe made available their scheduled security updates. Microsoft addressed 74 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 42 vulnerabilities.

Adobe Acrobat and Reader: 21x priority 2 vulnerabilities (11x Critical and 10x Important severity)

Adobe Flash: 2x priority 2 vulnerabilities (1x Critical and 1x Important severity)

Adobe Shockwave Player: 7x priority 2 vulnerabilities (7x Critical severity)

Adobe Dreamweaver: 1x priority 3 vulnerability (Moderate severity)

Adobe XD: 2x priority 3 vulnerabilities (2x Critical severity)

Adobe InDesign: 1x priority 3 vulnerability (Critical severity)

Adobe Experience Manager Forms: 1x priority 2 vulnerability (Important severity)

Adobe Bridge CC: 8x priority CVEs (2x Critical, 6x Important)

If you use Acrobat/Reader, Flash or Shockwave, please apply the necessary updates as soon as possible. Please install their remaining priority 2 and 3 updates when you can.

Please note; as per Adobe’s notice Shockwave Player has now reached it’s end of life. No further updates will be made available.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4487563                Microsoft Exchange Server 2019, 2016, and 2013

4491413                Update Rollup 27 for Exchange Server 2010 Service Pack 3

4493441                Windows 10 version 1709, Windows Server Version 1709

4493446                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4493448                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4493450                Windows Server 2012 (Security-only Rollup)

4493451                Windows Server 2012 (Monthly Rollup)

4493458                Windows Server 2008 Service Pack 2 (Security-only update)

4493464                Windows 10 version 1803, Windows Server Version 1803

4493467                Windows 8.1, Windows Server 2012 R2 (Security-only update)

4493470                Windows 10 version 1607, Windows Server 2016

4493471                Windows Server 2008 Service Pack 2 (Monthly Rollup)

4493472                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4493474                Windows 10 version 1703

4493509                Windows 10 version 1809, Windows Server 2019

4493730                Windows Server 2008 SP2

4493435                Internet Explorer Cumulative Update

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Win32k: CVE-2019-0803CVE-2019-0859 (both are being actively exploited in the wild)

Scripting Engine: CVE-2019-0861 ,  CVE-2019-0806 , CVE-2019-0739 , CVE-2019-0812 , CVE-2019-0829

Microsoft Graphics Component (GDI+): CVE-2019-0853

Microsoft Windows IOleCvt Interface: CVE-2019-0845

Microsoft Windows SMB Server: CVE-2019-0786

Microsoft (MS) XML: CVE-2019-0790 , CVE-2019-0791 , CVE-2019-0792 , CVE-2019-0793 , CVE-2019-0795

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Notepad++:
======================
As noted in the March Update Summary post (due to a critical regression for the version that was released in March) Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Wireshark 3.0.1 and 2.6.8
=======================
v3.0.1: 10 security advisories

v2.6.8: 6 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.1 or v2.6.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Intel VISA Vulnerabilities Explained

In late March; security researchers published new research concerning a previously undocumented debugging feature of Intel motherboards and CPUs known as VISA (Visualization of Internal Signals Architecture).

TL DR: If your system is affected (please see the advisory); please ensure that you have applied the fixes from Intel’s advisory. Please only allow trusted individuals to physical access your systems e.g. servers and workstations: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html

What is this technology?
VISA (Visualization of Internal Signals Architecture) is a logic signal analyser within the Platform Controller Hub (PCH) of motherboards since the release of the 5-Series Chipsets (November 2008 onwards). This can be used for debugging purposes during manufacturing and is disabled by default.

This feature allows for the real-time monitoring of internal data and address lines as well as other buses within the motherboard.

What is the risk of having this technology within my motherboard?
While the researchers demonstrated 3 methods of exploiting these vulnerabilities:

  • Previous known high severity buffers overflows and privilege escalation flaws within the Intel Management Engine (ME) patched by Intel in 2017
  • Use of the Intel JTAG password
  • Fault injection technique into Intel Management Engine firmware read-only memory (ROM)

If you have already patched the first means of using the VISA technology an attacker would require physical access to your system in order to exploit the remaining 2 methods. Thus the residual risk would be low.

As per Microsoft’s Immutable Laws of Security (the official link seems to have been removed); if an attacker has physical access to a computer system; it can’t be considered your system anymore since the avenues of attack now open to them are large and little can be done to avoid this.

How can I can protect my organisation or system from mis-use of this debugging feature?
Check your systems using the downloadable tool from Intel to check if your system is vulnerable to the known issues from 2017.

If so, please contact the manufacturer of your system or motherboard to obtain the most appropriate firmware updates for your system. You can provide them a link to Intel’s security advisory for further details.

Please only allow authorised and trusted individuals physical access to your systems. Be security aware by knowing that attackers can socially engineer you into providing physical access to a system by impersonating your internal IT support or Security staff. Please check that such individuals work for or on behalf of your company before allowing them access.

Personally; my Asus ROG Rampage VI Apex system has received 3 Intel ME firmware updates to address security vulnerabilities first identified in 2017. Intel’s tool linked to above shows my system as not vulnerable to the issues listed within it’s advisory.

Thank you.

Responding to the Asus Live Update Supply Chain Compromise

Earlier last week the security vendor Kaspersky detailed their initial findings from the compromised supply chain of the Taiwanese hardware vendor Asus.

TL DR: If you own or use any Asus laptop or desktop system, please check if your device is affected using the downloadable tool from Kaspersky (which checks the MAC address (defined) of your network card). If you know how to obtain the MAC address of your network card manually you can use the online tool. This is the link for both tools: https://securelist.com/operation-shadowhammer/89992/

If you are affected, contact Kaspersky, contact Asus or use the anti-malware tools to try attempt removal of the backdoor (defined) yourself.

When did this attack take place and what was affected?
This incident took place from June to November 2018 and was initially thought to have affected approximately 60,000 users. This number was later revised to possibly affecting just over a million users. While primarily users in Asia and Russia were targeted; a graph of victim’s distribution by country shows users within South America, Europe and the US. It was later disclosed that mainly Asus laptops were affected by this incident.

What Asus infrastructure was affected?
An older version of the Asus Live Update utility was compromised by unknown attackers so that it would inject a backdoor within the Asus Live Update utility when it was running. The compromised Asus Live Update utility was signed with an older but still legitimate Asus digital signature. The compromised Asus utility was available for download from two official Asus servers.

What were the attacker’s intentions?
Unfortunately, even after extensive analysis it is unknown why the attackers targeted their chosen victim systems or what their eventual goal was. The backdoor would have likely allowed the attackers to steal files of their choice, remote control the system (if the second stage had been installed) and deploy compromised updates to systems which in the case of a UEFI update may have rendered the system unbootable.

It appears the goal of the attackers was to target approximately 600 systems of interest to them with the initial intention to carry the above-mentioned actions. We know it is approximately 600 systems since upon installation the malware would check if the system had a MAC address of interest; if yes it would install the stage 2 download (which unfortunately Kaspersky was unable to obtain a sample of). The server which hosted the stage 2 download was taken offline in November 2018 before Kaspersky became aware of this attack.

If the system was not of interest, the backdoor would simply stay dormant on the system. It’s unclear how the attackers may choose to leverage this in the future (assuming it remains intact on a system which installed the compromised utility).

Do we know who is responsible?
It is not possible to determine with absolute certainty who these attackers were but it is believed it is the same perpetrators as that of the ShadowPad incident of 2017. Microsoft identifies this advanced persistent threat (APT) (defined) group with the designation of BARIUM (who previously made use of the Winnti backdoor).

How have Asus responded to this threat?
Initially when Kaspersky contacted Asus on the 31st of January 2019 Asus denied their servers were compromised. Separately a Kaspersky employee met with Asus in person on the 14th of February 2019. However, Asus remained largely until earlier this week.

On the 26th of March Asus published a notice which contains an FAQ. They issued an updated version (3.6.8) of the Asus Live Update utility. Additionally, they have “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future”.

They have also made available a utility to check if your system was affected. It is downloadable from the above linked to notice.

How can I remove the backdoor from my system if I installed the compromised Asus utility?
While Asus in their announcement recommends a full backup and full reset of your system; for some that may not be a preferred choice. If you use Kaspersky security suite it will very likely easily remove it since they were the first to detect it.

Please which ever approach is more convenient for you.

If you want to leave your system as it is:
I would first recommend a scan of your system with your current anti-malware product. I would then recommend using free anti-malware scanners such as RogueKiller, AdwCleaner and PowerEraser since they use cloud based forensic analysis and compare known safe files on your system with VirusTotal to check if any file has been tampered with or is new/suspicious. It is very unlikely the backdoor could hide from all of these utilities. Yes, this is overkill but will ensure a thorough check.

A link to full original story of this malware is available here.

You use an Asus system; how were you affected?
Since my high-end Core i9 7980 Extreme desktop uses an Asus desktop motherboard (ROG Rampage VI Apex); I ran the Asus utility to check my system; It displayed the message “Only for Asus systems” before closing. I’ll make an educated guess and assume that since the threat mainly affects laptops running this tool on a desktop system resulted in this message.

The offline and online tools from Kaspersky showed no issues with my system. I wasn’t surprised since I don’t use the Asus Live Update utility. Their drivers are available manually from their website and that’s how I stay updated.

I upload every downloaded file for my system to VirusTotal, verify the checksums and digital signatures, use two reputation based scanners on new downloads and have application whitelisting enabled. In summary; my system will be more difficult to compromise.

Thank you.

Botnet Targeted Unpatched Counter-Strike Vulnerabilities

In mid-March the security firm Dr. Web published details of a botnet (defined) they were able to shut down affecting players of the classic first-person shooter (FPS) game; Counter-Strike 1.6.

Why should this development be considered significant?
The report made available by Dr. Web showed that at it’s height the botnet resulting from the distribution of the Trojan (defined) Belonard numbered up to 39% of all the available game servers (1951 out of 5000) listed for Counter-strike gamers to choose from.

How were gamers systems infected?
One of the popular services offering servers to play on exploited 2 zero day (defined) remote code execution vulnerabilities within the 1.6 version of the Counter-Strike client to install Trojan Belonard within a gamer’s system. Researchers from Dr. Web found that this game remains very popular and can be played by 20,000 individuals on average at a time.

Counter-Strike can make use of dedicated servers that gamers can choose to connect to. These servers offer reduced lag, greater reliability while some monetised servers offer access to special weapons and protection against bans.

In an example scenario, a gamer might launch the official Steam gaming client. The client automatically will display a list of servers the player can connect to. Those with the lowest (lower is better) ping rate will be displayed at the top of the list. This list will also contain publicly available Valve (the company which created and maintains the Steam client) servers. However, the Trojan Belonard once it has infected a system it re-orders the servers offered to another system (placing them high in the list you see) in order to spread further. You may think you are connecting to a server with a low ping when in fact connecting to a malicious server which then infects your system with the Trojan. It does this by exploiting a remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device) vulnerability within the Counter-Strike client. A more detailed description and diagram is available from Dr. Web’s analysis of this threat. Your system will now contribute to spreading the Trojan by re-ordering the server list we discussed above.

The botnet herder did this in order to make more money since their other more legitimate servers would also be displayed high in the list of servers and those charge a fee for their use.

What happened to this botnet?
Dr. Web was successful in disrupting this botnet by coordinating with the registrar of the reg.ru domain name to shut down the websites used by the Trojan thus protecting new gamers from becoming infected. Furthermore, the domain generation algorithm (DGA)(defined); is being monitored by Dr. Web in order to continue to sinkhole (defined) the domains the malware attempts to use to continue spreading itself.

How can I protect myself from this threat or clean it from my system if I am already infected?
Unfortunately; the only way to prevent this botnet from being re-activated by whoever created it is for the zero-day vulnerabilities within the Counter-Strike client to be patched. Given the age and lack of financial reward to Valve to do this; that is unlikely.

If you suspect or know your system is infected with this malware; update your anti-malware software and run a full system scan. If this does not remove the malware you can use the free version of Malwarebytes to perform a scan and remove the malware. If you suspect any remnants remain you can use the additional anti-malware scanners linked to on this blog to remove them. In this case; RogueKiller, AdwCleaner and PowerEraser would be the most suitable for this malware.

Thank you.