Author Archives: JimC_Security

February 2019 Update Summary

Earlier today Microsoft made available 13 bulletins and 3 advisories resolving 74 vulnerabilities (more formally known as CVEs (defined)) respectively. As always more details are available from Microsoft’s monthly summary page.

Also today Adobe released scheduled updates for the products listed below addressing 75 CVEs in total:

Adobe Acrobat and Reader: 71x priority 2 CVEs resolved (43 of the 75 are Critical, the remainder are Important severity)

Adobe ColdFusion: 2x priority 2 CVEs resolved

Adobe Creative Cloud Desktop Application: 1x priority 3 CVE resolved

Adobe Flash Player: 1x priority 2 CVE resolved

If you use the affected Adobe products; due to the public disclosure (defined) of CVE-2019-7089 as a zero day (defined) vulnerability, please install the Adobe Acrobat and Reader updates first followed by Flash Player and the remaining updates. I provide more detail on the zero day vulnerability in a separate post.

As we are accustomed to Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates or for which workarounds are provided. They are listed below for your reference:

4345836
4471391
4471392
4483452
4486996
4487017
4487020
4487026
4487044
4487052

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft GDI+

Scripting Engine (CVE-2019-0590 , CVE-2019-0591 , CVE-2019-0593 , CVE-2019-0640  ,
CVE-2019-0642
, CVE-2019-0648 , CVE-2019-0649  , CVE-2019-0651 , CVE-2019-0652 , CVE-2019-0655 , CVE-2019-0658)

Windows DHCP

Microsoft Exchange

Microsoft SharePoint and CVE-2019-0604

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

Adobe Reader Vulnerability Disclosed

Yesterday; the security firm 0patch released a micropatch for a vulnerability that was publicly disclosed (defined) in late January.

Why should this vulnerability be considered important?
The vulnerability allows for the extraction/disclosure of the NTLMv2 hashes (defined) associated with your Windows login account to be sent to an attacker when you open a specifically modified PDF document, The information is sent via the SMB protocol (defined) to the attacker essentially allowing the document “to phone home” to them.

Adobe Reader DC (2019.010.20069 and earlier) are affected. This vulnerability is similar to a now patched vulnerability from last year namely; CVE-2018-4993, The new vulnerability is caused by the fact that while a user is warned via a dialog box when opening an XML style sheet via the HTTP protocol; when using the SMB protocol and while following a UNC (defined) link; no such warning appears.

How can you protect your organisation and yourself from this vulnerability?
Please apply the update made available by Adobe earlier today. If for any  reason you cannot update right now, please consider the micropatch from 0patch. A YouTube video of the micropatch in action is available from the following link:

The micropatch does not require a reboot. The patch does not need to be uninstalled once you later install the update from Adobe.

Thank you.

Security of Selected IoT Devices Tested

The current level of security present in Internet of Things (IoT)(defined) devices continues to be low and is in need of further maturity and consideration given to security and best practices.

A recent study carried out by researchers from Brazil’s Federal University of Pernambuco and the University of Michigan found that 31% of the apps (equating 37 out of 96 devices tested) used to control the IoT devices used no encryption while a further 19% used hard coded encryption keys (which can’t be changed). An attacker may be able to reverse engineer these.

The researcher then developed proof of concept attacks against five devices which are controlled by four apps:

Belkin’s WeMo for IoT
Broadlink’s e-Control app
TP-Link’s Kasa app
LIFX app used with that company’s Wi-Fi enabled light bulbs

From these 3 used no encryption while three apps communicated via broadcast messages that can provide an attacker a means of monitoring the nature/contents of the app to device communication. The researchers elaborated “A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network”.

For the TP-Link Smart Plug which was reviewed more than 10k times on Amazon shares an encryption key across a given product line while the initial set up is performed using the app without strict authentication.

How to secure your IoT devices:
The researchers pointed out that Google’s Nest thermostat app was a better example of how security should be done. Its configuration can be carried out over TLS to the cloud or via Wi-Fi with WPA. This app also offers 2 factor authentication (defined) (albeit only via SMS messages which are themselves not best practice).

However, the Nest and any IoT rely on you to practice good security e.g. not re-using passwords for researching how best to secure that device. This story linked to is an example of what can happen if you don’t:

Further tips on securing IoT devices are listed provided below with a further tip of “Track and assess devices” from CSO Online. Devices such as Amazon Echo, Apple HomePod and Google Home require even more steps (final link below):

7 tips for securing the Internet of Things by Chester Wisniewski (Sophos Security)

8 tips to secure those IoT devices by Michelle Drolet (CSO Online)]

Securing the Internet of Things (US-CERT)

9 things to check after installing wireless access points by Eric Geier (Computerworld)

Securing Your Smart TV

Increasing the privacy and security of virtual assistants

Thank you.

Apple KeyChain Vulnerability Disclosed

Last week a security researcher publicly disclosed a vulnerability within Apple macOS’ Keychain (Apple’s password management system). The exact proof of concept code has not been released.

TL DR:  This vulnerability is currently unpatched by Apple. Be cautious of the links you click on, email attachments and applications you download/open. Keep your system current with already released updates. Watch for updates from Apple in the near future.

Why should this vulnerability be considered important?
This vulnerability affects all versions of Apple macOS up to the most recent 10.14.3 (Mojave). Apple Keychain is used to store passwords for application, websites and servers. This information is encrypted by default blocking access via other means without your permission.

However; the exploit allows an attacker to access this information from a standard user account (thus not requiring root (defined)(privileged) access) without generating a password prompt. The keychain must first be unlocked but it is when you are logged into the system. The System keychain which contains (among other items) is not affected. Thus, if the attacker can persuade you to run an application of their choice (e.g. substituting an app that looks like an app you regularly download manually); they could obtain your passwords/sensitive information. A YouTube video demonstrating the custom application designed to exploit this is provided below:

https://youtu.be/nYTBZ9iPqsU

How can I protect myself?
Please see the TL DR above. You should also consider manually locking your keychain or setting a keychain specific password (further details below).

===========

Lock your Keychain:
Open Keychain Access in the Applications: Utilities folder. Select your keychain (usually your user name) in the drawer (click on Show Keychains in the toolbar if it’s not visible). Then choose Edit: Change Settings For Keychain keychain name. Select Lock After 5 Minutes Of Inactivity (or lower according to your preference).

Password Protect Your Keychain:
Open the Keychain Access application, and select your keychain in the drawer. Select Edit: Change Password For Keychain keychain name, and then enter a new password.

With thanks to MacWorld:

===========

Why did the researcher not disclose this to Apple privately?
The researcher, Linus Henze chose not to privately disclose this to Apple since while Apple have a bug bounty for iOS which is by invite only; they don’t have such a program for macOS. The researcher wishes to highlight this omission. A quote from the researcher is included below (my thanks to Sergiu Gatlan of BleepingComputer.com) for this:

“Please note that even if it looks like I’m doing this just for the money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers. I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have)”

Separately he is not the only researcher to be criticising Apple’s approach to vulnerability remediation. Ian Beer of Google Project Zero publicly criticised Apple last August for simply fixing vulnerabilities rather than thinking of them in an exploit context namely “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could have found [the bug] earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”

Thank you.

DNS Flag Day Aims to Make DDoS Attacks Harder

Since the 1st of February multiple major DNS (defined) resolvers removed resolver workarounds. The resolvers involved in the initiative include ISC, Cloudflare, Facebook, Cisco, Google (among others).

The workarounds were removed to stop DNS queries not compliant with the following official Requests for Comments (RFC) 1035 and 2671 from being completed(resolved). In more depth; the DNS Flag day page explains these workarounds are being removed due to:

==============
The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago.

To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.
==============

It appears that DNS amplification and DNS flood attacks are the threats attempting to be mitigated with these changes. A full list of the types of DDoS (defined) attacks is available from the following Cloudflare page (at the end of that page):

It will be interesting to see the effect of these changes on the DNS infrastructure when it is again targeted by botnets (defined) (e.g. made up of Internet of Things (IoT)(defined) or compromised systems or by other means. Such botnets can make use a command and control (C2) (defined) infrastructure.

Thank you.

Notepad++ Update Results from Bug Bounty / 7-Zip Updates

On Sunday, 27th January; a new version of Notepad++ was released to address 7 vulnerabilities found by the EU-Free and Open Source Software Auditing (EU-FOSSA). Given that one of the vulnerabilities is potentially remotely exploitable and that Notepad++ is in such wide use both across the world and within the EU; we should update to version 7.6.3 to benefit from the remediation of these vulnerabilities.

TL DR: If you use Notepad++ or 7-Zip, please consider updating them (even if exploits for these vulnerabilities are rare or do not exist):

Other widely used software participating this bug bounty program are listed here (highlights include VLC, Putty, Apache Kafka, KeePass, Drupal, glibc and FileZilla). As I have previously discussed on this blog; if you use a 64 bit version of Windows, please consider using the 64 bit version of Notepad++; here’s why:

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
7-Zip Ranked as Number 5 in outdated software present on systems
=======================
On a separate but related note, earlier this month Avast made available a report that listed the most out of date software typically installed on systems. It was found that 7-Zip ranked number 5 with 92% of installs being out of date:

If you use 7-Zip, please consider upgrading it to version 18.06. I have previously provided descriptions of the vulnerabilities found in 7-Zip in 2018 and 2016 below. In addition; there have been several performance improvements in recent versions making the tool faster than before:

Updating 7-Zip is very easy. You should only download it from its official website. Installing the new version over an existing version takes only seconds.

Thank you.

Linux and Windows Address Page Cache Vulnerabilities

In early January security researchers located further vulnerabilities in how Windows and Linux operating systems use a memory page cache.

How severe are these vulnerabilities and what is their impact?
One of the co-authors of the academic paper disclosing these vulnerabilities described the work as mostly “a matter of academic interest” meaning that attackers are less likely to take advantage of these vulnerabilities.

Local attacks:
For the localised rather than remote variant of utilizing these vulnerabilities; the attacker must already have gained access to the victim system to read the target memory page. The attacker could do this by “[having a] malicious process on the operating system or when processes run in sandboxes that have shared files”.

Other actions an attacker could potentially carry out are:

• Cloning an open window and replacing the legitimate application window
• Gathering the root (Linux) or administrator (Windows) password

Remote attack:
To exploit the vulnerabilities remotely; the researchers leveraged “timing differences between memory and disk access, measured on a remote system, as a proxy for the required local information”. This was achieved by measuring the times when soft page faults (the page is erroneously mapped, with the help of a process that runs on a remote server) occurred. The researchers were successful in sending data covertly from an unprivileged malicious process within the victim system to a remote server fulfilling the role of a web server. They used a technique from previous research namely the NetSpectre attack to distinguish cache hits and misses over a network connection. This was successful on systems with mechanical hard drives (HDDs) and solid-state disks (SSDs). SSDs were more complex since the timing differences were smaller but the researchers compensated by using larger files to distinguish between cache hits and misses.

How can I protect my organization/myself from these vulnerabilities?
Since these vulnerabilities are more academic in nature; attackers are less likely to exploit them. Linus Torvalds has explained that the code to resolve this vulnerability has been checked in and is undergoing testing before being more widely rolled out. For Windows; Build 18305 of the upcoming Windows 19H1 (otherwise known as Version 1903) due for release in April 2019 contains fixes for these vulnerabilities. It is anticipated Microsoft will back-port this patch to earlier Windows versions.

In addition; the mitigations for the Spectre vulnerabilities from last year should address the remote attack vector using the NetSpectre attack method.

Why are there so many timing attacks being disclosed lately?
Since modern systems rely on timing for almost every component e.g. the CPU (internal caches and registers respond in nanoseconds (ns)), the memory/RAM (e.g. CAS latency), HDDs (measured in milliseconds (ms) e.g. 8.9 ms), SSDs (e.g. 0.05 ms , much faster) we are likely to continue to see further vulnerabilities disclosed as further scrutiny is applied to devices and architectures that have been in use for many years.

E.g. the affected code from Linux was timestamped in 2000 and stated that further revision should be carried out when more information was known. 19 years later we know more and are revising that code. It’s a similar situation with Windows where the revised code works to ensure low privilege processes can no longer access page cache information or shared cache information. As The Register points out; “something complex that’s just working can remain untouched for a very long time, lest someone breaks it” and is more likely to contain vulnerabilities since nobody has taken the time to look for what has been there for years.

Thank you.