Author Archives: JimC_Security

October 2019 Update Summary

================
Update: 8th October 2019
================
Unfortunately due to professional commitments I won’t be able to update this post today with details of Adobe’s and Microsoft’s updates. I will do so as soon as possible this week.

Thanks for your understanding.

================
Original Post
================
On the 23rd of September Microsoft issued two out of band (unscheduled) security updates to resolve 2 zero-day (defined) vulnerabilities. The vulnerabilities affect Internet Explorer and Windows Defender.

Microsoft has drawn criticism for the confusion surrounding these updates since they are not available on Windows Update but must be installed manually. For Windows 10 Version 1903 this prompted the release of kb4524147 which at this time I do NOT recommend you install since it is causing some systems not to boot, some to be unable to print and, in some cases, the Start menu to crash.

With further security updates expected from Microsoft tomorrow, please await those updates and re-assess whether you should install them. I’ll update this post tomorrow with more information on the new monthly updates.

Separately, since Windows Defender updates automatically, you should have received the relevant anti-malware engine update (Version: 1.1.14700.5) 48 hours after the 23rd of September.

Thank you.

Evaluating Anti-ransomware Tools

With ransomware still very much prevalent in the headlines, I wanted to test the effectiveness of complementary products designed to work alongside your anti-malware solution.

For the results presented in the attached Excel file, I turned off all protections of Windows 10/Windows 7 and opened real ransomware samples on an updated version of Windows.

These products are mostly free but paid options are available. The results clearly show how effective they can be even when the user follows no security best practices and opens ransomware. I wanted to provide the toughest challenge I could for these products and so chose ransomware that has made the headlines over the past 2 – 3 years.

I hope you find the results useful.

Excel file: Results

Thank you.

================

Products tested:
Please note that these tools are primarily targeted at client rather than server systems. Please check the license before deploying in a commercial environment:

Acronis Ransomware Protection : https://www.acronis.com/en-us/personal/free-data-protection/

Cybereason RansomFree (discontinued: November 2018)

CheckMAL AppCheck (Free and Pro editions): https://www.checkmal.com/product/appcheck/

Kaspersky Anti-Ransomware Tool for Business: https://www.kaspersky.com/anti-ransomware-tool

Heilig Defense RansomOff: https://www.ransomoff.com/

ZoneAlarm Anti-Ransomware: https://www.zonealarm.com/anti-ransomware/

================

Google Android Zero Day Vulnerability Disclosed

Late last Thursday Google disclosed information concerning a zero-day (defined) vulnerability being used to exploit smartphones powered by Google Android, e.g. the Google Pixel and phones from Huawei, Samsung and Xiaomi.

================
TL DR
================
Be cautious of the apps you download in advance of a patch being made available. The web browsing means of exploitation requires a pre-existing exploit. A list of vulnerable phones is provided below. Update your smartphone to the October 2019 patch when it becomes available.

What details of this vulnerability have been released?
The following smartphones have been confirmed as vulnerable:

1) Pixel 1 and 2 with Android 9 and Android 10 preview

2) Huawei P20

3) Xiaomi Redmi 5A

4) Xiaomi Redmi Note 5

5) Xiaomi A1

6) Oppo A3

7) Moto Z3

8) Oreo LG phones (run same kernel according to website)

9) Samsung Galaxy S7, S8, S9

====================
Not Vulnerable: Google Pixel 3 and 3a
====================
The vulnerability is a local privilege escalation vulnerability (defined) making use of a use after free (defined) issue in the Android binder driver (defined) which has the potential to provide an attacker with full control of the device. The first means of exploiting this vulnerability is via a rogue app. Google Project Zero researcher Maddie Stone adds further details for the second means of exploitation: “If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox”.

In other words, in order to use the second means of exploitation an attacker would already need a separate exploit running on your phone, and would need to know that the device is vulnerable, making this avenue of attack less likely.

How can I protect my device from this vulnerability?
Try to only download your apps from the Google Play store in advance of a patch becoming available. Read the reviews of the app to make certain it is a genuine app that works as intended. Scan any new app with trusted anti-malware software before you open it (while I acknowledge anti-malware software is not 100% accurate it can provide further protection over not using it).

Install the October 2019 security update when it becomes available for your smart device.

Thank you.

Attackers Turn to OpenDocument Files Attempting to Bypass Attachment Scanning

Earlier last week Cisco Talos researchers discovered 3 OpenDocument files that were being used in an attempt to deliver malware to their intended targets.

================
TL DR
================
For any email attachment you receive, if you weren’t expecting it, don’t open it. Be cautious of clicking unknown or potentially suspicious links received within emails or via social media. If you use alternatives to Microsoft Office e.g. OpenOffice, LibreOffice or StarOffice within your organisation, small business or home office consider scanning files you receive from others with your anti-malware software before opening them. Keep your office/productivity software up to date.

Why should these files be considered a potential risk?
Since OpenXML Microsoft Office files are compressed archives, they are commonly treated as such by anti-malware software and scanned. However, this is not always the case for OpenDocument files (ODT): they are not always opened within malware sandboxes (defined) or by anti-malware software, meaning they can be used to deliver malware that would otherwise be detected and blocked. This is despite the fact that these documents are also Zip archives containing XML files.
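To show what a scanner can see once it treats an OpenDocument file as the Zip archive it is, here is an added Python example (my own illustration for this post, not code from Cisco Talos or from any of the office suites mentioned). It unpacks the package in memory, checks the `mimetype` member that a conforming ODF package stores first, and reports the three kinds of content a defender cares about: embedded OLE objects referenced from `content.xml` (`draw:object-ole`), macro storage under `Basic/`, and document event listeners (`script:event-listener`) that can fire on open. The namespace URIs come from the OASIS OpenDocument specification; the sample packages are constructed inline with placeholder bytes and are not real documents or malware.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace URIs from the OASIS OpenDocument specification.
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}


def inspect_odf_package(data: bytes) -> dict:
    """Unpack an ODF document held in memory and report the parts worth a closer look.

    An ODF file is a Zip archive: 'mimetype' (stored first, uncompressed) names the
    document type, content.xml carries the body, and StarBasic macros live under Basic/.
    """
    report = {
        "is_odf": False,
        "mimetype": None,
        "ole_objects": [],      # xlink:href of every <draw:object-ole> in content.xml
        "macro_parts": [],      # archive members under Basic/ (macro storage)
        "event_listeners": [],  # script:event-name of every <script:event-listener>
        "active_content": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        if members and members[0].filename == "mimetype":
            report["mimetype"] = zf.read("mimetype").decode("ascii", "replace").strip()
            report["is_odf"] = report["mimetype"].startswith(
                "application/vnd.oasis.opendocument."
            )
        names = zf.namelist()
        report["macro_parts"] = [n for n in names if n.startswith("Basic/")]
        if "content.xml" in names:
            root = ET.fromstring(zf.read("content.xml"))
            for obj in root.iter("{%s}object-ole" % NS["draw"]):
                report["ole_objects"].append(obj.get("{%s}href" % NS["xlink"], "?"))
            for ev in root.iter("{%s}event-listener" % NS["script"]):
                report["event_listeners"].append(ev.get("{%s}event-name" % NS["script"], "?"))
    report["active_content"] = bool(
        report["ole_objects"] or report["macro_parts"] or report["event_listeners"]
    )
    return report


def triage(data: bytes) -> str:
    """Reduce the report to a verdict a mail gateway could act on."""
    try:
        report = inspect_odf_package(data)
    except zipfile.BadZipFile:
        return "not-a-zip"   # plain text, truncated download, or a renamed non-archive
    if not report["is_odf"]:
        return "not-odf"
    return "review" if report["active_content"] else "clean"


def build_sample(with_active_content: bool) -> bytes:
    """Constructed ODT-like package for demonstration; not a real document or malware."""
    ole = ""
    listeners = ""
    if with_active_content:
        ole = '<draw:frame><draw:object-ole xlink:href="./Object 1"/></draw:frame>'
        listeners = (
            "<office:scripts><office:event-listeners>"
            '<script:event-listener script:event-name="dom:load" '
            'script:language="ooo:script" xlink:href="vnd.sun.star.script:'
            'Standard.Module1.Main?language=Basic&amp;location=document"/>'
            "</office:event-listeners></office:scripts>"
        )
    content = (
        '<office:document-content xmlns:office="%s" xmlns:draw="%s" xmlns:script="%s" '
        'xmlns:text="%s" xmlns:xlink="%s">%s<office:body><office:text>'
        "<text:p>Invoice attached</text:p>%s</office:text></office:body>"
        "</office:document-content>"
    ) % (NS["office"], NS["draw"], NS["script"], NS["text"], NS["xlink"], listeners, ole)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
        if with_active_content:
            # Placeholder bytes stand in for the embedded object and macro module.
            zf.writestr("Object 1", b"constructed placeholder, not an OLE stream")
            zf.writestr("Basic/Standard/Module1.xml", "<!-- constructed placeholder macro -->")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print(triage(sample), inspect_odf_package(sample))
```

The point of the `triage` function is that the archive check happens before any document-specific logic, so a file that merely carries an .odt extension but is not a Zip archive is reported rather than silently passed; a gateway that only keys on the extension or the declared MIME type would miss exactly the kind of file this post describes.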

Descriptions of the 3 files found and analysed are as follows:

File 1:
The file, which targets Microsoft Office, contained an embedded OLE object (defined); the person opening the file must accept a prompt before that embedded object is executed. When accepted, the object executes an HTA file (defined) which in turn downloads 2 scripts that are used to download a remote access trojan (RAT) (defined): in one instance the NJRAT and in the other the RevengeRAT malware.

File 2:
Once again targeting Microsoft Office, this file also contained an OLE object, but this time it downloaded a fake Spotify.exe. This file downloads another file which is packed to disguise its true purpose from anti-malware software. This packed file actually contains the AZORult information stealer.

File 3:
The final file targets OpenOffice and LibreOffice. The attackers used those suites’ equivalents of Microsoft Office macros (defined) to download and run a file called “plink” which sets up SSH connections. However, Talos found that the connection being set up was intended for an internal address rather than an external address located on the internet. They assume this was either for use within a commercial penetration testing programme (due to it attempting to download Metasploit (defined) payloads to be executed with WMI scripts (defined)) or may be used for lateral movement within the network.

How can I protect my organisation or myself from these threats?
Exercise standard caution when receiving email attachments. If you weren’t expecting the file, don’t open it even if it comes from someone you know/trust. Be cautious of links within emails or received via social media or another means. Consider scanning files intended for OpenOffice, LibreOffice or StarOffice before opening them. If those files begin asking for confirmation to carry out actions, DON’T provide your consent.

Since such attachments may contain personal information, please pause and think before you upload them to online scanning services e.g. VirusTotal.

Thank you.

Researching the recent Windows CTF Vulnerabilities

================
TL DR
================
There are no known mitigations for these vulnerabilities. Please see below for a more in-depth explanation.
================

With the release of security updates by Microsoft in September and August to resolve vulnerabilities in the Windows ALPC and Windows Text Service Framework, I wish to provide details on these vulnerabilities.

Why should these vulnerabilities be considered important?
If an attacker has ALREADY compromised a vulnerable Windows system, they can then use the exploits made available by Google’s Tavis Ormandy to fully compromise your system. They can obtain the highest level of privilege on it, namely NT Authority\System (equivalent to root on a Linux system).

Ormandy found that the running ctfmon.exe of Windows allowed a standard user of Windows to hijack any Windows process, even if that process was sandboxed within an AppContainer (a means of isolating sensitive/important processes, making them harder to attack). When an attacker does so they can obtain administrative and, under some circumstances, NT Authority\System level access.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1235

How can I protect my organization and myself from these vulnerabilities?
Apart from installing the updates linked to above, I’m afraid no other mitigations are available. You will need to exercise standard vigilance/caution when opening links. Don’t open attachments you weren’t expecting, even from trusted contacts.

This advice is an unfortunate outcome. I had a hypothesis that disabling the ctfmon.exe process (Windows XP, Windows Vista and Windows 7) or the Touch Keyboard and Handwriting Panel service in Windows 8.1 and 10 would mitigate this class of vulnerabilities. This was not the case: Ormandy’s tool worked regardless of whether the ctfmon.exe process was running or not, which now makes sense given that his tool exploits a deeply integrated feature of Windows with a scope much larger than that of the above mentioned process and service.

================
Proof of Concept
================
As a proof of concept on an un-patched version of Windows 10 Version 1903, I can confirm Tavis Ormandy’s CTFTool successfully provides both System and Administrative level access (depending on the type of exploit you run). Only administrative access is available for Windows 7; the tool does not incorporate the System level exploit for Windows 7. Further details of this tool are available at the following links:

https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

https://github.com/taviso/ctftool

Thank you.

September 2019 Update Summary

Today is the 2nd Tuesday of the month, when both Adobe and Microsoft routinely release their scheduled security updates.

Similar to last month, Microsoft have released many updates resolving 79 vulnerabilities, more formally known as CVEs (defined). It was a light month for Adobe, releasing 2 updates resolving 3 vulnerabilities.

====================
Adobe Application Manager: 1x Priority 2 vulnerability resolved (Important severity)
Adobe Flash Player: 2x Priority 3 vulnerabilities resolved (Critical severity)

If you use either of these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Flash Player update.
====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Almost all issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Windows LNK Remote Code Execution Vulnerability: CVE-2019-1280

Microsoft Scripting Engine: CVE-2019-1298

Microsoft Scripting Engine: CVE-2019-1300

Microsoft Scripting Engine: CVE-2019-1217

Microsoft Scripting Engine: CVE-2019-1208

Microsoft Scripting Engine: CVE-2019-1221

Microsoft Scripting Engine: CVE-2019-1237

Windows RDP: CVE-2019-1291

Windows RDP: CVE-2019-1290

Windows RDP: CVE-2019-0788

Windows RDP: CVE-2019-0787

Team Foundation Server/Azure DevOps: CVE-2019-1306

Microsoft Office SharePoint: CVE-2019-1295

Microsoft Office SharePoint: CVE-2019-1257

Microsoft Office SharePoint: CVE-2019-1296

Common Log File System Driver (defined): CVE-2019-1214

Microsoft Windows Elevation of Privilege Vulnerability (defined): CVE-2019-1215

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On September the 3rd Mozilla released Firefox 69.0 to address the following vulnerabilities and to introduce new privacy features:

Firefox 69.0: Resolves 1x critical CVE (defined), 11x high CVEs, 4x moderate and 3x low CVEs

Firefox ESR 68.1 (Extended Support Release): Resolves 1x critical, 9x high, 4x moderate and 2x low CVEs

Firefox 60.9 ESR : Resolves 1x critical CVE, 7x high CVEs and 1x moderate CVE

Highlights from version 69 of Firefox include:
Blocks 3rd party cookies and cryptominers (using Enhanced Tracking Protection) by default (blocking of fingerprinting scripts will be the default in a future release)

Adobe Flash disabled by default (must be re-enabled if needed)

Separately, Mozilla is facing criticism over their plans to gradually roll out DNS over HTTPS (DoH) later this month, since all DNS traffic would go to only one provider, Cloudflare. Google Chrome will implement a similar feature soon (further details, also regarding Mozilla, are available in the above link).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice and you have not already done so, please update it as soon as possible to benefit from the above changes.

Thank you.

Mitigating August’s Remote Desktop Services (RDS) Vulnerabilities

Earlier last week Microsoft released security updates for Remote Desktop Services (RDS).

====================
TL DR:
If you use Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, or any supported version of Windows 10, including server versions, please install the security updates for August 2019 which include fixes for these vulnerabilities: CVE-2019-1181 and CVE-2019-1182
====================

Why should these vulnerabilities be considered important?
The following two vulnerabilities, CVE-2019-1181 and CVE-2019-1182, have received a CVSS 3 base score (defined) of 9.8 and have the potential to be used by network worms to rapidly spread without the need for assistance from computer users. There is the potential for a repeat of an attack very similar to the WannaCry ransomware outbreak of May 2017.

How can I protect my organisation or myself from these vulnerabilities?
The most effective means of defence is to install the updates released by Microsoft available via Windows Update (this link provides guidance on doing so) or manually from the above links.

While the BlueKeep vulnerability has not yet been exploited, there are indications (here and here) it may be soon. These more recent vulnerabilities will likely receive similar or more interest since they are present in more versions of Windows (8.1 and 10 alongside their Server based equivalents) than BlueKeep.

If for any reason installing the updates is not possible, the mitigations listed in this Microsoft blog post will be useful. Thank you.