Monthly Archives: October 2019

October 2019 Update Sumamry

================
Update: 25th October 2019
================
Apologies for the delay in updating this post due to professional commitments.

I wanted to provide details of this month’s security updates from Microsoft and Adobe. On the 8th of October, Microsoft made available their updates resolving 59 vulnerabilities more formally known CVEs (defined).

Separately Adobe made available their updates a week later:

====================

Adobe Acrobat and Reader: 68x Priority 2 CVEs resolved (45x critical severity, 23x Important severity)

Adobe Download Manager: Priority 3 CVE resolved (1x Important severity)

Adobe Experience Manager: Priority 2 CVEs (1x Critical CVE, 7x Important and 4x Moderate severity)

Adobe Experience Manager Forms: 1x Priority 3 CVE (1x Important severity)

As always, if you use these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Acrobat/Reader and Experience Manager updates.

====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. All issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

As for stability, I have installed all of this month’s updates on my Windows 10 systems (Builds 18362.388 , 18362.418) most recently the new kb4522355 (for Windows 10 Version 1903 Build 18362.449) and have not experienced any issues. Indeed, this update was intended to resolve the issues e.g. among with the Start menu that caused me to advise not to install Windows 10 updates earlier this month. Obviously, please continue to backup and test your systems as you usually would before install widely rolling out these updates but in general you should be fine.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: , CVE-2019-1307 CVE-2019-1308 CVE-2019-1366

VBScript Remote Code Execution Vulnerability: CVE-2019-1238 CVE-2019-1239

Azure Stack Remote Code Execution Vulnerability : CVE-2019-1372

Remote Desktop Client Remote Code Execution Vulnerability : CVE-2019-1333

MS XML Remote Code Execution Vulnerability: CVE-2019-1060

Windows Error Reporting Manager Elevation of Privilege Vulnerability : CVE-2019-1315

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On 22nd October Mozilla released Firefox 70 to address multiple critical vulnerabilities and to one again introduce further privacy features (see below):

Firefox 70: Resolves 1x critical CVE (defined)(but consisting of multiple vulnerabilities), 3x high CVEs, 8x moderate and 1x low CVE

Firefox ESR 68.2 (Extended Support Release): Resolves 1x critical CVE (but consisting of multiple vulnerabilities), 3x high CVEs, 5x moderate

Highlights from version 70 of Firefox include:

Details of improvements in the macOS and Windows versions of Firefox are provided in this article. The blocking of social networking tracking is discussed in another article.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
On October 22nd, Google released Chrome version 78.0.3904.70. This update resolves a high severity flaw that earned the researcher who reported it $20,000. The Multi-State Information Sharing and Analysis Center (MS-ISAC) stated “successful exploitation could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.” In total, this update contains 37 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
WinSCP:
=======================
In mid October; WinSCP version 5.15.5 was released upgrading it’s embedded version of Putty (the Windows SSH client) to 0.73 (along with its SSH private key tools to the same version) resolving 2 vulnerabilities (with one other issue possibly security related). WinSCP 5.15.6 has since been released as a non-security update.

Thank you.

================
Update: 8th October 2019
================
Unfortunately due to professional commitments I won’t be able to update this post today with details of Adobe’s and Microsoft’s updates. I will do so as soon as possible this week.

Thanks for your understanding.

================
Original Post
================
On the 23rd of September Microsoft issued two out of band (unscheduled) security updates to resolve 2 zero-day (defined) vulnerabilities. The vulnerabilities affect Internet Explorer and Windows Defender.

Microsoft has drawn criticism for adding confusion to these updates since they are not available on Windows Update but must be installed manually. For Windows 10 Version 1903 this prompted the release of kb4524147 which at this time I do NOT recommend you install since it is causing some systems not to boot, not being able to print and in some cases the Start menu is crashing.

With further security updates expected from Microsoft tomorrow, please await those updates and re-assess if you should install them. I’ll updater this post tomorrow with more information on the new monthly updates.

Separately since Windows Defender updates automatically you should have received the relevant anti-malware engine update (Version: 1.1.14700.5) 48 hours after the 23rd September.

Thank you.

Evaluating Anti-ransomware Tools

With ransomware still very much prevalent in the headlines I wanted to test the effectiveness of complimentary products designed to work alongside your anti-malware solution.

For the results presented in the attached Excel file, I turned off all protections of Windows 10/Windows 7 and opened real ransomware samples on an updated version of Windows.

These products are mostly free but paid options are available. They clearly show how effective they can be even when the user follows no security best practices and opens ransomware. I wanted to provide the toughest challenge I could for these products and so chose ransomware that has made the headlines over the past 2 – 3 years.

I hope you find the results useful.

Excel file: Results

Thank you.

================

Products tested:
Please note that these tools are primarily targeted at client rather than server systems. Please check the license before deploying in a commercial environment:

Acronis Ransomware Protection : https://www.acronis.com/en-us/personal/free-data-protection/

Cyberreason RansomFree (discontinued: November 2018)

CheckMAL AppCheck (Free and Pro editions): https://www.checkmal.com/product/appcheck/

Kaspersky Anti-Ransomware Tool for Business: https://www.kaspersky.com/anti-ransomware-tool

Heilig Defense RansomOff: https://www.ransomoff.com/

ZoneAlarm Anti-Ransomware: https://www.zonealarm.com/anti-ransomware/

================

Google Android Zero Day Vulnerability Disclosed

================
Update: 25th October 2019
================
Google made available their October 2019 update for Android available on the 7th of October with other manufacturers (consolidated list of links available here) e.g. Huawei, LG, Motorola, Nokia and Samsung making theirs available shortly afterwards.

Thank you.

================
Original Post
================
Late last Thursday Google disclosed information concerning a zero-day (defined) vulnerability being used to exploit Google Android powered smartphones e.g. Google Pixel and phones from Huawei, Samsung and Xiaomi.

================
TL DR
================
Be cautious of the apps you download in advance of a patch being made available. The web browsing means of exploitation requires a pre-existing exploit. A list of vulnerable phones is provided below. Update your smartphone to the October 2019 patch when it becomes available.

What details of this vulnerability have been released?
The following smartphones have been confirmed as vulnerable:

1) Pixel 1 and 2 with Android 9 and Android 10 preview

2) Huawei P20

3) Xiaomi Redmi 5A

4) Xiaomi Redmi Note 5

5) Xiaomi A1

6) Oppo A3

7) Moto Z3

8) Oreo LG phones (run same kernel according to website)

9) Samsung Galaxy S7, S8, S9

====================
Not Vulnerable: Google Pixel 3 and 3a
====================
The vulnerability is a local privilege escalation vulnerability (defined) making use of a use after free (defined) issue in the Android binder driver (defined) which has the potential to provide an attacker with full control of the device. The first means of exploiting this vulnerability is via a rogue app. Google Project Zero researcher Maddie Stone adds further details for the second means of exploitation: “If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox”.

In other words, in order to use the second means of exploitation an attacker would already need to have loaded an exploit on your phone that they know the device is vulnerable, making this avenue of attack less likely.

How can I protect my device from this vulnerability?
Try to only download your apps from the Google Play store in advance of a patch becoming available. Read the reviews of the app to make certain it is a genuine app that works as intended. Scan any new app with trusted anti-malware software before you open it (while I acknowledge anti-malware software is not 100% accurate it can provide further protection over not using it).

Install the October 2019 security update when it becomes available for your smart device.

Thank you.

Attackers Turn to OpenDocument Files Attempting to Bypass Attachment Scanning

Earlier last week Cisco Talos researchers discovered 3 OpenDocument files that were being used in an attempt to deliver malware to their intended targets.

================
TL DR
================
For any email attachment you receive, if you weren’t expecting it, don’t open it. Be cautious of clicking unknown or potentially suspicious links received within emails or via social media. If you use alternatives to Microsoft Office e.g. OpenOffice, LibreOffice or StarOffice within your organisation, small business or home office consider scanning files you receive from others with your anti-malware software before opening them. Keep your office/productivity software up to date.

Why should these files be considered a potential risk?
Since OpenXML Microsoft Office files are compressed archives they are commonly treated as such by anti-malware software and scanned. However, this is not always the case for OpenDocuments (ODT) and they are not always opened within malware sandboxes (defined) or by anti-malware software meaning they can be used to deliver malware that would otherwise be detected and blocked. This is despite the fact that While these documents are also Zip archives with XML files.

Description of the 3 files found and analysed are as follows:

File 1:
The file contained an embedded OLE object (defined) which the person opening the files must accept a prompt in order for that embedded object to be executed targeting Microsoft Office. When accepted the object executes an HTA file (defined) which in turn downloads 2 scripts which are used to download a remote access trojan (RAT)(defined) in one instance the NJRAT and the other the RevengeRAT malware.

File 2:
Once again targeting Microsoft, this file also contained an OLE object but this time it downloaded a fake Spotify.exe. This file downloads another file which is packed to disguise its true purpose from anti-malware software. This packed file actually contains the AZORult information stealer.

File 3:
The final files targets OpenOffice and LibreOffice. The attackers used their equivalents of Microsoft Office macros (defined) to download and run a file called “plink” which sets up SSH connections. However, Talos found that the connection being set up when intended for an internal address rather than an external address located on the internet. They assume this was either for use within a commercial penetration testing programme (due to it attempting to download Metasploit (defined) payloads to be executed with WMI scripts (defined) ) or may be used for lateral movement within the network.

How can I protect my organisation or myself from these threats?
Exercise standard caution when receiving email attachments. If you weren’t expecting the file, don’t open it even if it comes from someone you know/trust. Be cautious of links within emails or received by social media or another means. Consider scanning files intended for OpenOffice, LibreOffice or StarOffice before opening them. If those files begin asking confirmation to carry out actions, DON’T provide your consent.

Since such attachments may contain personal information, please pause and think before you upload them to online scanning services e.g. VirusTotal.

Thank you.