Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

January 2017 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft only made 4 bulletins available. These updates address 3 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within the above summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.

Next month Microsoft will only be publishing it’s security bulletins and release notes within their Security Updates Guide; rather than distributing this information across several pages. This post from WinSuperSite explains the changes in full.

====================
Adobe made a pair of security bulletins available for Adobe Flash and Adobe Acrobat/Adobe Reader. The Flash Player bulletin resolves 13x priority 1 vulnerabilities. The Adobe Acrobat/Adobe Reader resolves 29x priority 2 vulnerabilities. Adobe’s priority rating are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

If you use Flash or Adobe Acrobat/Adobe Reader any of the above products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

While there may only be 3 Microsoft bulletins this month, I will prioritise the order of updates for you below:

The update for Microsoft Office should be installed first due to it’s criticality. This should be followed by the update for Microsoft Edge and finally by the LSASS update. The update for Edge is important due to exploit kits relying on such patches not to be installed in order to spread further malware (defined).

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.51) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Adobe Flash Player 2017 Update Tracker

In a similar manner to the 2015 and 2016 tracker that was incredibly popular on this blog; I am providing the same information below for the year 2017.

I have created a new post to make the timeline easier to follow. It will be updated throughout the year with any details of the Flash vulnerabilities being exploited.

Thank you.

=======================
10th January: Adobe releases Flash Player v24.0.0.194 resolving 13 CVEs.

=======================

Update: 10th January 2017: The timeline was updated to add the Adobe Flash Player update for January 2017. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

December 2016 Security Updates Summary

Today Microsoft and Adobe released their scheduled monthly security updates, the final scheduled set from both vendors for 2016.

Microsoft’s made 12 bulletins available. These updates address 47 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

As with previous months, fortunately this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring that page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================
Adobe made available 9 security bulletins which included their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

The Flash Player update addresses 17x priority 1 CVEs. All of Adobe’s priority rating are explained in the previous link. The other 8 security bulletins can be summarised as follows:

Adobe Animate (APSB16-38): Addresses 1x priority 3 CVE.
Adobe Experience Manager Forms (APSB16-40): Addresses 2x priority 3 CVEs.
Adobe DNG Converter (APSB16-41): Addresses 1x priority 3 CVE.
Adobe Experience Manager (APSB16-42): Fixes 4x priority 2 CVEs.
Adobe InDesign (APSB16-43): Fixes 1x priority 3 CVE.
Adobe ColdFusion Builder (APSB16-44): Fixes 1x priority 2 CVE.
Adobe Digital Editions (APSB16-45): Fixes 2x priority 3 CVEs.
Adobe RoboHelp (APSB16-46): Fixes 1x priority 3 CVE.

If you use Flash or any of the above products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

As always; to assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month is a little different than before since the Microsoft Internet Explorer and Microsoft Edge bulletins when combined address 6 vulnerabilities that are already publicly disclosed (defined). These should be followed by the Adobe Flash update which addresses a zero day vulnerability (defined). Next up would be Microsoft Office, the Windows Graphics component and the Microsoft Uniscribe update due to their criticality.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Encrypted Linux Systems Affected By Boot Process Vulnerability

Early last week a potentially serious vulnerability (assigned CVE-2016-4484 (defined)) within the Linux boot sequence was disclosed by security researchers at the DeepSec conference in Vienna.

Why Should This Issue Be Considered Important?
This is an elevation of privilege (defined) vulnerability that when exploited can result in an attacker obtaining root (defined) level access over your Linux system. It can be exploited by continually pressing the Enter key at the LUKS (Linux Unified Key Setup) password prompt. According to the researchers Hector Marco & Ismael Ripoll after approximately 70 seconds a new root shell (defined) will appear.

With this shell the attacker can delete all of information on the encrypted disks the LUKS prompt is designed to protect. This could also be used to copy the encrypted information to another location to attempt to brute force (defined) it. This also applies to any unencrypted information on the disk. Finally it could be used to elevate privileges from a standard user by storing an executable file with the SetUID bit enabled.

Interestingly this issue can only occur if the system partition is encrypted. At least Debian and Ubuntu distributions are vulnerable to this issue. Others may be too but the researchers have not exhaustively tested them.

Further details of this issue are provided within the researcher’s blog post.

How Can I Protect Myself From This Issue?
The researchers have provided a workaround and have proposed a more permanent fix within their blog post. It involves editing the cryptroot file so that the computer simply reboots when the number of password guesses reaches the limit.

If you are a Linux system administrator or know someone who is, this issue and it’s fix may be of interest. Thank you.

November 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s made available many bulletins, 14 in total. These updates address 67 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================

Today Adobe made available one other security bulletin by Adobe affecting Adobe Connect (resolving 1x priority 3 issue) in addition to their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which was made available very shortly after Adobe’s update.

The Flash Player update addresses 9 priority 1 CVEs. If you use either of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month the previously disclosed zero day (defined) vulnerability under attacker should take first priority, it is addressed in MS16-135 Next, please prioritise the deployment of the following updates:

Microsoft Internet Explorer, Microsoft Edge, Microsoft Graphics Component , Microsoft Office, Microsoft Video Control and the Windows Security Update bulletin.

Businesses and enterprise should priorities the deployment of the SQL Server update since it addresses 6 important vulnerabilities.

As always Adobe’s Flash Player update (to version 23.0.0.207) should also be on your shortlist this month.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Disclosed Microsoft Zero Day Under Attack By APT Group

====================
Update: 8th November:
The Microsoft zero day vulnerability discussed in this post has now been patched. Please refer to this post for the appropriate information and download links.

Thank you.

====================
Original Post:
====================
Earlier this week Google publicly disclosed (defined) details of a new zero day (defined) vulnerability affecting supported versions of Windows up to Windows 10. Fortunately, the disclosure only included minimal details.

Why Should These Issues Be Considered Important?
The vulnerability disclosed by Google could result with an attacker being able to elevate their privileges (defined) on an affected system. However, when used in combination with a previously patched Adobe Flash Player vulnerability (reference previous post) this could result in a Windows system under your responsibility or in your ownership to have a backdoor (defined) installed.

Some good news is that this new exploit primarily targets organisations that operate in the following sectors (thus all other organisations are at somewhat reduced risk): government, intelligence or military organisations.

The nature of the backdoor is the decision of the attacker but would usually include a means of remaining persistent on the system and allowing the attacker to remote access the infected system. This backdoor can then be used to move data of the attacker’s choice off the affected system. The APT group known as STRONTIUM by Microsoft (other aliases used in the wider cyber security industry are APT28, also aka Sofacy aka Fancy Bear aka TsarTeam aka Sednit aka PawnStorm). STRONTIUM is also known for moving laterally throughout the network which they compromise (where the pass the hash (PtH) (defined) technique is the method of choice to do so).

How Can I Protect Myself From This Issue?
While a patch from Microsoft is in progress (scheduled for release on the 8th of November): follow safe email guidelines namely don’t click on unexpected/unsolicited links or open potentially dangerous email attachments to prevent the execution (carrying out of) the exploits actions in the first instance.

If you use the Microsoft Edge or Google Chrome web browsers the exploit for the local elevation of privilege vulnerability will be mitigated. This is due to Chrome’s sandbox (defined) blocking the use of API (defined) calls to the win32k.sys driver (defined). This in addition to its existing mitigations when installed on Windows 10 which I previously discussed.

Microsoft Edge on the other hand implements Code Integrity to prevent the next steps of exploitation.

To protect endpoints within your organisation you could consider utilising the logging capabilities of Microsoft EMET and Systinternals’ Sysmon by processing their logs using a SIEM (defined) and taking action when that SIEM a alerts you to suspicion activity. This is especially true since this exploit can occur from within web browsers, the Java JRE, Microsoft Word and Microsoft PowerPoint (namely that these applications are used to open suspicious/untrusted files).

My thanks to a colleague (you know who you are!) for compiling very useful information for this blog post.

Thank you.

October 2016 Security Updates Summary

====================
Update: 2nd November:
Last week Adobe made available an out of band (unscheduled) security update to Adobe Flash. This was due to a zero day (defined) vulnerability being exploited in limited targeted attacks (using spear phishing (defined) emails sometimes originating from previous victims of this vulnerability).

To protect your organisation or yourself from this vulnerability please install the Adobe Flash update if you make use of Flash Player on your organisations devices or your own individual systems. This link can be used to test if Flash Player is already installed.

This vulnerability is related to an APT (defined) group’s activity that is detailed in a more recent post.

Thank you.

====================
Original Post:
====================
Yesterday Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s made available 10 security bulletins. These updates address 36 vulnerabilities listed within Microsoft’s security bulletin summary (excluding the Adobe bulletin). These are more formally known as CVEs (defined).

This month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages are the best first places to check for solutions.

====================
Tuesday also saw the release of 3 security bulletins by Adobe affecting Adobe Flash Player, Adobe Acrobat/Adobe Reader and Adobe Creative Cloud Desktop.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

The Flash Player update addresses 12 priority 1 CVEs while the Adobe Acrobat/Adobe Reader security bulletin resolves 71 priority 2 CVEs. The final security bulletin published by Adobe this month fixes 1 priority 3 CVE in the Adobe Creative Cloud Desktop application.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month saw an unusually high number of 5 Microsoft zero day (defined) vulnerabilities being addressed. For this reason, please prioritise the deployment of the following updates: Microsoft Graphics Component, Microsoft Internet Explorer, Microsoft Edge, Microsoft Internet Messaging API and Microsoft Office.

Once these updates are deployed, please move onto Adobe’s Flash Player update (to version 23.0.0.185) addressing 12 critical vulnerabilities, should be installed next if you already have a previous version installed. Due to the high number of vulnerabilities patched this month in Adobe Acrobat/Adobe Reader this should be installed next if you use their PDF creation/reader software.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.