Author Archives: JimC_Security

January 2017 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft only made 4 bulletins available. These updates address 3 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again, there are no Known Issues listed within the above summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues either. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.

Next month Microsoft will only be publishing its security bulletins and release notes within their Security Updates Guide, rather than distributing this information across several pages. This post from WinSuperSite explains the changes in full.

====================
Adobe made a pair of security bulletins available for Adobe Flash and Adobe Acrobat/Adobe Reader. The Flash Player bulletin resolves 13x priority 1 vulnerabilities. The Adobe Acrobat/Adobe Reader bulletin resolves 29x priority 2 vulnerabilities. Adobe’s priority ratings are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the update installed automatically alongside the updated version of Google Chrome, which will most likely be made available by Google either later today or in the next 1 to 2 days.

If you use Flash, Adobe Acrobat/Adobe Reader or any of the above products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

While there may only be 3 Microsoft bulletins this month, I will prioritise the order of updates for you below:

The update for Microsoft Office should be installed first due to its criticality. This should be followed by the update for Microsoft Edge and finally by the LSASS update. The update for Edge is important because exploit kits rely on such patches not being installed in order to spread further malware (defined).

As always, detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security precaution that you may wish to take, if you have Microsoft EMET installed (please ensure your version of EMET is the most recent version, 5.51), is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations on how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Adobe Flash Player 2017 Update Tracker

In a similar manner to the 2015 and 2016 trackers that were incredibly popular on this blog, I am providing the same information below for the year 2017.

I have created a new post to make the timeline easier to follow. It will be updated throughout the year with any details of the Flash vulnerabilities being exploited.

Thank you.

=======================
10th January: Adobe releases Flash Player v24.0.0.194 resolving 13 CVEs.

=======================

Update: 10th January 2017: The timeline was updated to add the Adobe Flash Player update for January 2017. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Protecting Your Smart TV From Ransomware

In mid-2016 a news article detailed the possibility for Android powered Smart TVs to be infected by ransomware. Last month that prediction came true.

To recover the affected TV, you should reset it to factory default settings. You may need to contact the manufacturer if they don’t provide the steps to perform the reset as part of the device’s documentation.

With 2017 predicted to break the record set in 2016 for ransomware, occurrences such as this will likely become more common.

Unfortunately, TV manufacturers are unlikely to pre-harden vulnerable devices before shipping them due to compatibility concerns and increased costs (during manufacturing and later support costs). To increase use of their after-sales service, they are again unlikely to publish the key sequences or button presses needed to perform a factory reset.

The ransomware encountered by this software developer was “just” a screen locker. It didn’t also try to encrypt any connected USB drives. Separately, a Symantec security researcher published a helpful list of mitigations to protect against ransomware targeting Smart TVs.

Continuing the trend of protecting Internet of Things (IoT) devices (defined), I hope that you find the above mitigations useful. Please also refer to this previous blog post for more general advice on preventing ransomware infections on your everyday computing devices (non IoT devices).

Thank you.

Wifi Devices Leak Potentially Sensitive Information

While I was at a security conference late last year, the Airodump tool for Linux was used to demonstrate the association requests visible from all Wifi devices present within the conference room. The command used was:

airodump-ng wlan0mon -w scan.ams --showack --wps -U -M -e -g

Where scan.ams was the name of a previously gathered packet capture.

I realise this is how Wifi was designed and it is working as intended. I also realise that this issue is not new and may not be of assistance to everyone for that reason.

I was fortunate that my phone had Wifi turned off at the time, especially since I was near the front of the room. The association requests display the SSID (defined) of any previous Wifi access point a device has successfully connected to or has credentials for. These requests were shown to be sent constantly by the devices present in the room.

Using this list of SSIDs, you can input an SSID into the Wigle website and see where in the world that wireless network is located. If you have a unique SSID, that website can show the address of where you work or live.

Further information on the Airodump tool is located in the links below:

Airodump-ng

Aircrack-ng Newbie Guide for Linux

airodump-ng(1) – Linux man page

More information on association requests is available here.

Good advice to prevent this type of information disclosure from the Wifi devices that you carry with you is to turn off Wifi when you are not using it (sorry if that is very obvious). If you administer Wifi access points, set the SSID to something that won’t attract attention and choose a non-unique SSID if you can (this way the exact location of a network will be harder to find).
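As an added example that is not part of the original post, the following Python script reads the station section of an airodump-ng CSV capture (here a constructed sample in the same layout, with made-up MACs and SSIDs) and shows which saved networks each of your own devices is announcing and which of those SSIDs are unique to a single device; those are the stale saved networks to remove first.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the layout of airodump-ng's CSV output ("-w" prefix):
# an access-point section followed by a station section. MACs and SSIDs are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2017-01-10 09:00:00, 2017-01-10 09:30:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0. 0. 0. 0, 8, ConfWifi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2017-01-10 09:01:00, 2017-01-10 09:29:00, -55, 40, AA:BB:CC:00:00:01, ConfWifi,Smith-Family-5G,CoffeeCorner
DE:AD:BE:EF:00:02, 2017-01-10 09:02:00, 2017-01-10 09:28:00, -62, 12, (not associated) ,ConfWifi,CoffeeCorner
DE:AD:BE:EF:00:03, 2017-01-10 09:05:00, 2017-01-10 09:20:00, -70, 3, (not associated) ,
"""


def probed_ssids(csv_text):
    """Return {station_mac: [probed SSIDs]} from the station section of the CSV."""
    result = {}
    in_stations = False
    for row in csv.reader(StringIO(csv_text)):
        cells = [c.strip() for c in row]
        if not cells or cells == [""]:
            continue  # blank separator line between the two sections
        if cells[0] == "Station MAC":
            in_stations = True  # everything after this header is a station record
            continue
        if not in_stations:
            continue  # skip the access-point section entirely
        # Column 7 onwards holds the probed ESSIDs, one per comma-separated cell.
        result[cells[0]] = [s for s in cells[6:] if s]
    return result


def ssid_exposure(per_station):
    """Map each SSID to the set of stations announcing it. An SSID announced by a
    single device is a personal network that identifies that device's owner."""
    exposure = defaultdict(set)
    for mac, ssids in per_station.items():
        for ssid in ssids:
            exposure[ssid].add(mac)
    return dict(exposure)


if __name__ == "__main__":
    stations = probed_ssids(SAMPLE_CSV)
    for ssid, macs in sorted(ssid_exposure(stations).items()):
        tag = "unique to one device" if len(macs) == 1 else f"seen from {len(macs)} devices"
        print(f"{ssid}: {tag}")
```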

Thank you.

Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection

Happy New Year to all readers of this blog!

With attacks on routers increasing (e.g. this article concerning D-Link) and vulnerabilities being patched within internet of things (IoT) (defined) devices, it’s great news that security technologies are adapting to monitor and protect them.

I wanted to provide a respectful shout out (although not to blog posts) to products from several vendors that promise to better protect from threats such as the Mirai malware and other examples.

Full disclosure: I’m not receiving any incentives or benefits from any of these vendors; I simply wish to promote awareness of existing and upcoming technologies that we can use to better secure the increasing number of IoT devices that we are using in our everyday lives.

For example, early last week Symantec began accepting pre-orders for their new wireless router. Initially this will only be available in the US but will be extended to more regions in the future.

While a wireless router is nothing new, it is one of the first that I have encountered that includes protection for Internet of Things (IoT) devices.

In their words it “constantly monitors your connected devices like WiFi thermostats, smart locks, appliances or home security cameras for suspicious activity and identifies vulnerabilities. If a device becomes compromised, it quarantines the threat before it spreads ensuring your digital world is safe.”

A similarly powerful offering from F-Secure is also in progress. Like Symantec, F-Secure’s is scheduled for release in Q2 of 2017.

These solutions are further refinements to wireless router/access point security solutions that have been available since late 2015. For example, Asus’ Ai-Protection feature (using technology licensed from Trend Micro) incorporates most of the features that F-Secure and Symantec offer, just without the IoT management and reporting.

There are interesting times ahead as Internet of Things (IoT) devices and wireless routers become increasingly managed and monitored devices, allowing us to secure them better. My sincere thanks to a colleague (you know who you are!) for assistance with this post.

Thank you.

December 2016 Security Updates Summary

Today Microsoft and Adobe released their scheduled monthly security updates, the final scheduled set from both vendors for 2016.

Microsoft made 12 bulletins available. These updates address 47 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

As with previous months, fortunately this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring that page, as well as the IT Pro Patch Tuesday blog, before deploying the updates will keep you well informed and give you the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================
Adobe made available 9 security bulletins which included their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the update installed automatically alongside the updated version of Google Chrome, which will most likely be made available by Google either later today or in the next 1 to 2 days.

The Flash Player update addresses 17x priority 1 CVEs. All of Adobe’s priority ratings are explained in the previous link. The other 8 security bulletins can be summarised as follows:

Adobe Animate (APSB16-38): Addresses 1x priority 3 CVE.
Adobe Experience Manager Forms (APSB16-40): Addresses 2x priority 3 CVEs.
Adobe DNG Converter (APSB16-41): Addresses 1x priority 3 CVE.
Adobe Experience Manager (APSB16-42): Fixes 4x priority 2 CVEs.
Adobe InDesign (APSB16-43): Fixes 1x priority 3 CVE.
Adobe ColdFusion Builder (APSB16-44): Fixes 1x priority 2 CVE.
Adobe Digital Editions (APSB16-45): Fixes 2x priority 3 CVEs.
Adobe RoboHelp (APSB16-46): Fixes 1x priority 3 CVE.

If you use Flash or any of the above products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

As always, to assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month is a little different than before since the Microsoft Internet Explorer and Microsoft Edge bulletins when combined address 6 vulnerabilities that are already publicly disclosed (defined). These should be followed by the Adobe Flash update which addresses a zero day vulnerability (defined). Next up would be Microsoft Office, the Windows Graphics component and the Microsoft Uniscribe update due to their criticality.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security precaution that you may wish to take, if you have Microsoft EMET installed (please ensure your version of EMET is the most recent version, 5.5), is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations on how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Windows 10 Credential Guard Bypassed

Despite the demonstrated successes and new security mitigations (specifically Credential Guard) of Windows 10 detailed by Microsoft in the link and PDF document listed below, security researchers from CyberArk have been able to obtain domain admin account (defined) credentials from the Local Security Authority (LSA) Secrets registry hive of Windows 10 using a technique similar to Pass the Hash (PtH) (defined):

https://technet.microsoft.com/en-us/itpro/windows/whats-new/security

https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

Once obtained, they injected the credentials into a newly created malicious service to achieve lateral movement (defined), which led to the compromise of the domain controller (defined). The only requirement of the exploit the researchers developed was obtaining administrator access to a workstation within the domain.

While this could be considered a tall order, a well-designed spear phishing email (defined) with a malicious attachment or a malicious link targeting an unpatched or zero day (defined) vulnerability on the workstation could be used to achieve privilege escalation (defined) and gain administrative rights (defined). Social engineering (defined) in combination with a malicious USB flash drive could also be a potential way of exploiting this. The methodology of how the CyberArk researchers carried out this exploit is available within their blog.

They also provide a list of mitigations for this exploit, many of which are well known and/or best practice. Microsoft responded to the team’s disclosure of this vulnerability stating that there will not be a fix, since the system must already be compromised for it to succeed.
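As an added example that is not from the CyberArk write-up or the original post, the following Python detection logic reviews Windows Event ID 7045 records (“A service was installed in the system”) for the newly created service step described above, flagging service binaries outside trusted directories, image paths that launch an interpreter and any service install on a domain controller; the host names, service names and paths in the sample are constructed for this example.

```python
import re

# Constructed sample records in the shape of Windows System-log Event ID 7045.
# Hosts, service names and paths are made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7045, "service_name": "Windows Update Medic",
     "image_path": "%SystemRoot%\\System32\\svchost.exe -k wusvcs", "start_type": "auto start"},
    {"host": "DC01", "event_id": 7045, "service_name": "bkupsvc",
     "image_path": "C:\\Windows\\Temp\\bkupsvc.exe", "start_type": "demand start"},
    {"host": "DC01", "event_id": 7045, "service_name": "updater",
     "image_path": "%COMSPEC% /c powershell.exe -File C:\\Users\\Public\\run.ps1", "start_type": "demand start"},
    {"host": "WS02", "event_id": 7036, "service_name": "Spooler", "image_path": "", "start_type": ""},
]

# Directories from which legitimately installed service binaries normally run.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# An interpreter in the image path is typical of a remotely created one-shot service.
INTERPRETER_RE = re.compile(r"(cmd\.exe|%comspec%|powershell|rundll32|regsvr32|mshta)")


def _normalise(image_path):
    """Lower-case the path, expand %SystemRoot%/%windir% and drop a leading quote."""
    p = image_path.strip().lower().lstrip('"')
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def suspicious_service_installs(events, tier0_hosts=frozenset()):
    """Return the 7045 events worth analyst review, each with the reasons it was flagged."""
    findings = []
    for ev in events:
        if ev["event_id"] != 7045:
            continue  # only service-installation events are of interest here
        path = _normalise(ev["image_path"])
        reasons = []
        if not path.startswith(TRUSTED_DIRS):
            reasons.append("binary outside trusted directories")
        if INTERPRETER_RE.search(path):
            reasons.append("image path launches an interpreter")
        if ev["host"] in tier0_hosts:
            reasons.append("service installed on a domain controller")
        if reasons:
            findings.append({"host": ev["host"], "service": ev["service_name"],
                             "start_type": ev["start_type"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_service_installs(SAMPLE_EVENTS, tier0_hosts={"DC01"}):
        print(f"{f['host']}: '{f['service']}' ({f['start_type']}) - {'; '.join(f['reasons'])}")
```

Event ID 4697 in the Security log carries the same service-installation data when system security extension auditing is enabled and can be fed to the same function.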

Thank you.