Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

Defending against recent and older cyber attacks

TL; DR

In recent months threat actors have been leveraging alternative means of compromising Windows-based systems in order to evade detection. Make certain to download and install software from legitimate sources and, where possible, make use of the Windows driver blocklist (further recommendations are listed below).

====================

By employing techniques such as DLL sideloading (defined below; first seen in 2010) and bring your own vulnerable driver (BYOVD), threat actors seek to increase their chances of success, whether that means information stealing, cryptocurrency theft or the installation of ransomware.

DLL Sideloading

Computer users in China have recently fallen victim to trojanised applications believed to have originated from black search engine optimisation (SEO) results or malicious advertising (malvertising).

The advanced persistent threat (APT) group Dragon Breath has begun to use a variation of a classic DLL sideloading technique (MITRE ATT&CK framework T1574.002), seeking to evade detection in order to infect systems. The applications being targeted by the group are primarily Telegram, LetsVPN and WhatsApp for Android, Apple iOS, or Windows. The group is targeting Chinese-speaking users within China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.

As defined by CrowdStrike, “DLL side-loading is the proxy execution of a malicious DLL via a benign executable planted in the same directory, similar to DLL search-order hijacking.” Since the applications loading the malicious DLL are trusted, the DLL is less likely to be detected. The DLL will also often employ encrypted or obfuscated (more difficult to understand) code to bypass basic anti-malware scanning. With this in mind, this particular attack loads its malicious code from an encrypted text file (it is the second clean application which loads the malicious DLL).

Within this attack, the DLL deploys a backdoor (a means of hidden access) to the system which accepts commands from the threat actor enabling them to:

  1. Edit Windows registry keys
  2. Download files of their choice
  3. Steal clipboard contents
  4. Enter commands of the threat actor’s choice into a hidden command prompt window
  5. Restart the system
  6. Steal cryptocurrency from the MetaMask Google Chrome extension

Recommended Mitigations

Download software and software updates from trusted sources.

For corporate environments, centralise the deployment and updating of your software, seeking to prevent the use of shadow IT as well as the use of compromised software installers as seen in the above examples.

For corporate environments, employ the use of EDR, MDR (Managed EDR) or XDR (Extended EDR) solutions to detect and respond to attacks sooner.
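To complement the mitigations above with a check a defender can run, here is an added PowerShell example written for this page (not code from the original post, nor from CrowdStrike or Sophos). It triages an application folder for the sideloading pattern described above: DLLs sitting beside a validly signed executable that are themselves unsigned, have an invalid signature, or are signed by a different publisher than the host executable. The folder path and the heuristic are assumptions of this example.

```powershell
# Added example, not from the original post: triage a folder for DLL side-loading candidates.
# Assumption: the folder to review is passed as -Path (defaults to the current directory).
param([string]$Path = (Get-Location).Path)

function Get-SideloadCandidates {
    param([Parameter(Mandatory)][string]$Directory)

    $exes = Get-ChildItem -Path $Directory -Filter *.exe -File -ErrorAction SilentlyContinue
    $dlls = Get-ChildItem -Path $Directory -Filter *.dll -File -ErrorAction SilentlyContinue

    foreach ($exe in $exes) {
        $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
        # Only a trusted (validly signed) host makes a convincing proxy for a malicious DLL
        if ($exeSig.Status -ne 'Valid') { continue }
        $exeSigner = $exeSig.SignerCertificate.Subject

        foreach ($dll in $dlls) {
            $dllSig    = Get-AuthenticodeSignature -FilePath $dll.FullName
            $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' }

            # Flag DLLs that are unsigned/invalid or signed by someone other than the host's publisher
            if ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner) {
                [pscustomobject]@{
                    Host       = $exe.Name
                    HostSigner = $exeSigner
                    Dll        = $dll.Name
                    DllStatus  = $dllSig.Status
                    DllSigner  = $dllSigner
                    DllCreated = $dll.CreationTime
                }
            }
        }
    }
}

Get-SideloadCandidates -Directory $Path | Sort-Object DllCreated -Descending | Format-Table -AutoSize
```

Run it against the install folder of an application such as those named above. A DLL with a recent creation time and a signer that differs from the host executable is the pattern to investigate first. Legitimate software routinely ships third-party DLLs, so treat the output as a triage list rather than a verdict; in the variant described above the loader DLL is still the file that would be flagged, but the encrypted text file it decrypts is not, so pair this with your EDR's telemetry.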

====================

Bring Your Own Vulnerable Driver (BYOVD)

As a response to Microsoft blocking the use of macros (a series of commands and instructions that you group together as a single command to accomplish a task automatically) since July 2022, threat actors have increasingly used a technique known as Bring Your Own Vulnerable Driver (BYOVD).

In February 2023, Trend Micro observed the BlackCat ransomware using a signed kernel driver to evade detection by anti-malware and Endpoint Detection and Response (EDR) solutions. The threat actors must already have elevated privileges on a system to install such a driver, sometimes obtained using stolen network credentials or SMS phishing. Such a capability also enables the threat actors to terminate almost any running security solution.

The use of such drivers is often associated with more sophisticated groups with the skills and funding to develop and test them. Signed drivers are used for malicious purposes to impair defences and to stay hidden for longer periods, because they let the attackers “shift left” within the cyber kill chain (beginning their attack sooner in the kill chain), blocking detection before they launch their primary attacks within a compromised environment.

Recommended Mitigations

For corporate environments, employ the use of EDR, MDR (Managed EDR) or XDR (Extended EDR) solutions to detect and respond to attacks sooner, and to detect the indicators of compromise shared by vendors such as Trend Micro for such attacks. A security information and event management (SIEM) system can provide this capability across your entire environment (when its scope encompasses all of your devices).

For consumer and corporate environments, make certain your Windows system has the Windows driver blocklist enabled. Windows Defender (when used as the primary anti-malware solution) can also be used to enable an Attack Surface Reduction rule to block abuse of exploited vulnerable signed drivers.
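The two Windows mitigations named above can be verified and enabled on a single host with PowerShell. The block below is an added example written for this page (not code from the original post or from Microsoft); it assumes Windows 10/11 with Microsoft Defender Antivirus as the primary anti-malware solution and an elevated prompt. The registry value for the driver blocklist and the ASR rule GUID are the ones Microsoft documents for these features.

```powershell
# Added example, not from the original post: check and enable the Windows vulnerable driver
# blocklist and the Defender ASR rule "Block abuse of exploited vulnerable signed drivers".
# Assumptions: run from an elevated PowerShell prompt on Windows 10/11 with Defender as primary AV.

function Enable-VulnerableDriverBlocklist {
    # Microsoft-documented registry switch; a reboot is required for it to take effect.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $current = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    if ($current -eq 1) {
        return 'Vulnerable driver blocklist already enabled.'
    }
    if (-not (Test-Path $ciKey)) { New-Item -Path $ciKey -Force | Out-Null }
    New-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -PropertyType DWord -Value 1 -Force | Out-Null
    return 'Vulnerable driver blocklist enabled (reboot required).'
}

function Enable-VulnerableDriverAsrRule {
    # ASR rule id for "Block abuse of exploited vulnerable signed drivers".
    $ruleId  = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)

    # Actions: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $ruleId -and $actions[$i] -eq 1) {
            return 'ASR vulnerable-driver rule already in Block mode.'
        }
    }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
    return 'ASR vulnerable-driver rule set to Block.'
}

Enable-VulnerableDriverBlocklist
Enable-VulnerableDriverAsrRule
```

If you would rather observe before enforcing, replace `Enabled` with `AuditMode` in the `Add-MpPreference` call and review the resulting Defender events before switching to Block. On systems where HVCI (memory integrity) is already on, the blocklist is enforced regardless of the registry value, so the first function will simply confirm the setting.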

My thanks to BleepingComputer, The Register, Sophos, Trend Micro and CrowdStrike as references for this article.

Image Credit: https://unsplash.com/@rayhennessy

Recommendations and Lessons Learned from the 3CX Attack (2023)

TL; DR

Following the recent supply chain attack upon 3CX that was detected in late March, follow the links below to determine the appropriate response actions, how to tell if your environment was affected and mitigation/prevention advice.

========================

Getting Started

If you use 3CX software within your organisation and have not already done so, follow the advice within the 3CX advisories listed below. Depending upon the size of your environment, you may have a small group of systems to remediate or perhaps many systems across your organisation:

In summary you will be removing the 3CX Electron Desktop Application (if in use), switching to the 3CX progressive web app and checking your environment with your anti-malware and EDR solutions for signs of compromise and remediating any compromised systems:

https://www.3cx.com/blog/news/security-incident-updates/

https://www.3cx.com/blog/news/desktopapp-security-alert/

========================

Checking for signs of compromise

Make use of your EDR solutions and a SIEM (if available) to search for the IOCs listed within the following links, isolating and cleaning any systems which are found to be compromised.

Monitor your systems using your EDR, SIEM and IPS to look for and act upon any suspicious events such as data exfiltration attempts or attempts to connect to known unsafe sites or IP addresses:

Indicators of Compromise (IOCs)

https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised

IOCs specific to the Gopuram malware

YARA rules (for malware detection)

Threat hunting information specific to the Sophos XDR

========================

Further recommendations

  1. Consider deploying the opt-in Microsoft fix for the vulnerability leveraged within the 3CX attack, namely CVE-2013-3900. Recently upgraded systems should also be checked to verify this fix is in place. Symantec and other sources note this fix is not suitable for all systems and environments, but it should still be employed on systems where possible. The fix would not have prevented the 3CX compromise, but it would have made detection simpler; while not perfect, it is a step in the right direction.
  2. Once you are certain your environment is free of malware from this attack, if your organisation develops software consider conducting checks of your software supply chain to verify all parts of it are secure.
  3. If you use open source components in your software, consider creating a software bill of materials. It may be useful in future to show which software is built from which components, should any be affected by software vulnerabilities, and to assist in responding faster to any potential compromises.
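For item 1 above, a host can be checked (and, with a switch, fixed) with a short PowerShell script. This is an added example written for this page, not code from the original post or from Microsoft; the registry paths and the REG_SZ value of "1" are the ones Microsoft published for the CVE-2013-3900 opt-in, and the script assumes an elevated prompt. Because the post notes the fix is not suitable everywhere, the default is check-only.

```powershell
# Added example, not from the original post: verify the CVE-2013-3900 opt-in
# (EnableCertPaddingCheck) and optionally apply it. Assumption: run elevated.
param([switch]$Apply)

# Microsoft's guidance names both keys; the Wow6432Node key covers 32-bit callers on 64-bit Windows.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
if (-not [Environment]::Is64BitOperatingSystem) { $keys = @($keys[0]) }

function Test-CertPaddingCheck {
    param([Parameter(Mandatory)][string]$Key)
    $v = (Get-ItemProperty -Path $Key -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
    return ($v -eq '1')   # documented as a REG_SZ string "1", not a DWORD
}

function Set-CertPaddingCheck {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name EnableCertPaddingCheck -PropertyType String -Value '1' -Force | Out-Null
}

foreach ($key in $keys) {
    if (Test-CertPaddingCheck -Key $key) {
        Write-Host "OK       $key"
    } elseif ($Apply) {
        Set-CertPaddingCheck -Key $key
        Write-Host "SET      $key (reboot required)"
    } else {
        Write-Host "MISSING  $key (re-run with -Apply to enable)"
    }
}
```

Run it without arguments from your EDR or configuration-management tooling to inventory which hosts still lack the setting (this is the "verify this fix is in place" step for recently upgraded systems), and only pass `-Apply` on systems where you have confirmed that your installers and signed tooling still validate with the stricter check in place.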

Thank you.

========================

References

https://digital.nhs.uk/cyber-alerts/2023/cc-4291

https://twitter.com/wdormann/status/1642156921737060352

https://www.bleepingcomputer.com/news/security/3cx-confirms-north-korean-hackers-behind-supply-chain-attack/

https://www.bleepingcomputer.com/news/security/cryptocurrency-companies-backdoored-in-3cx-supply-chain-attack/

https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-with-opt-in-fix-exploited-in-3cx-attack/

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/

https://therecord.media/north-korea-hackers-linked-to-3cx-attack

DogWalk Vulnerability Remains a Potential Threat to Windows Systems

Update: This security issue was resolved by the Microsoft security update published in August 2022. Thank you.

========================

TL; DR

In early June, with the vulnerability named “Follina” affecting Windows (now designated CVE-2022-30190) being exploited (but since patched), this related vulnerability (dubbed “DogWalk”), first documented in early 2020, has regained attention. At the time of writing it is not patched by Microsoft. Please exercise caution with .diagcab files on Windows systems.

========================

What is this vulnerability and which systems are vulnerable?

This is a path traversal vulnerability (dubbed “DogWalk”; no CVE has been assigned yet) which can be used to store an executable file of a threat actor’s choice within the Windows start-up directory after the target user opens a specially crafted .diagcab archive file.

Windows 7, Windows Server 2008 R2 up to Windows 11 and Windows Server 2022 are affected.

This vulnerability was responsibly disclosed to Microsoft in January 2020 but they didn’t deem it a security issue. Files downloaded from the internet generally have a Mark of the Web flag to indicate to applications that they are potentially untrusted but the MSDT application responsible for accessing the crafted .diagcab files does not read this flag. These files can be downloaded by a web browser (including Microsoft Edge). No warning is shown during or after downloading such files.

How does this exploit work?

This path traversal vulnerability presents various options to a threat actor to exploit it. Please find below a table that details these approaches (many thanks to Imre Rad for this table within his detailed blog post).

The Microsoft Support Diagnostics Tool can open files with the extension .diagcab (XML files with references to one or more diagnostic packages, collected together with the XML in Microsoft cabinet (.cab) files). Within the XML file, the file paths to the diagnostic packages point to the %WINDIR%\Diagnostic directory. This directory contains known trusted packages, with other packages subject to digital signature verification. Before checking the signature, a copy of the package is placed in a temporary directory. If the signature is valid and the user has proceeded through the graphical interface windows of the Microsoft Support Diagnostics Tool, then PowerShell scripts are executed in the background to carry out the necessary diagnostics.

However, if the source of the data is controlled by the threat actor and since network file systems are supported by Windows, the threat actor could take advantage of an attached network file share before the signature verification is carried out on the threat actor’s malformed diagnostic package.

In order to exploit this, the threat actor can set the package path of their .diagcab to a rogue network share under their control. Once the victim opens the .diagcab file a new file is saved under the Startup directory of Windows (thus providing the threat actor’s malware with persistence even if the system is restarted). That file will then be executed every time the system starts.

How would a threat actor use this?

The download of a .diagcab file could take place as a drive-by download, as shown in Imre Rad’s proof of concept. All major web browsers can download these files and run them with just one click from the user. As noted above, while these files are tagged with a Mark of the Web, the MSDT application ignores this mark.

How can I protect my organisation or myself from this vulnerability?

At the time of writing, this vulnerability has not been officially patched by Microsoft despite their being informed of it back in January 2020. The original security researcher who responsibly disclosed this issue to them recommends not opening .diagcab files received from any source, and for system administrators who maintain email servers to block the receiving of these attachments via email.

0Patch has also released a micropatch for this vulnerability. At this time, it’s unclear if Microsoft will mitigate or patch this vulnerability in the future.
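Since the outcome of this vulnerability is a file dropped into a Windows Startup folder, a simple detective control is to review those folders regularly. The block below is an added example written for this page (not code from the original post or from the researcher's proof of concept). It lists every file in the per-user and all-users Startup folders with its creation time and Authenticode status, and highlights recent or unsigned entries; the seven-day window is an assumption you can adjust.

```powershell
# Added example, not from the original post: audit the two Windows Startup folders
# for recently created or unsigned files. Assumption: run as the user whose profile
# is being reviewed; the all-users folder is readable without elevation.
function Get-StartupFolderEntries {
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File -Force) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            [pscustomobject]@{
                Folder    = $folder
                Name      = $f.Name
                Created   = $f.CreationTime
                Bytes     = $f.Length
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            }
        }
    }
}

# Anything created in the last 7 days, or without a valid signature, deserves a look.
$lookback = (Get-Date).AddDays(-7)
Get-StartupFolderEntries |
    Where-Object { $_.Created -gt $lookback -or $_.SigStatus -ne 'Valid' } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Shortcut (.lnk) files placed by legitimate installers will also show as unsigned, so the useful signal is the combination of a recent creation time and an executable you do not recognise. Run it across a fleet through your EDR or management tooling and compare the results against a known-good baseline rather than reviewing each host by hand.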

Thank you.

Vulnerable QNAP Devices Targeted by Ransomware

TL; DR

If you use a QNAP NAS server on your network (corporate or home), please update its firmware to the most recent available version and check that it isn’t accepting connections from the public internet. Threat actors are actively scanning the internet for vulnerable QNAP NAS devices and locking their contents using ransomware.

What is happening?

Since January of this year, threat actors have been scanning the internet for unpatched NAS (defined) devices from QNAP in order to encrypt their contents using ransomware. Due to the nature of NAS devices, depending how and when you use them, it may not be immediately obvious your data is no longer accessible.

How does this occur?

Rather than relying on you clicking a link, opening an attachment or completing any other action a threat actor may wish for you to complete, they are instead scanning the internet (likely using Shodan or an equivalent) looking for vulnerable QNAP devices.

If the NAS device is accessible via the internet, this also exposes it to being targeted by threat actors. Once located, if the device is vulnerable to the issue resolved in this QNAP security bulletin, the threat actors will encrypt your device and request a ransom to release it and your data.

Suggested Resolution

While QNAP took the unusual step of deploying the update referenced from the above security bulletin to vulnerable devices it appears not all devices received it. Censys has detected more than 1000 devices still vulnerable.

If you own or manage a QNAP NAS device and have not done so already, please make certain the update in this QNAP security bulletin has been installed.

In addition, please follow QNAP’s advice on disabling port forwarding and Universal Plug and Play (UPnP). Please also consider maintaining a separate offline backup of your data to use should your NAS backup be affected by any issues in the future.

Thank you.

Asus Routers Targeted by Cyclops Blink Malware

TL; DR

Trend Micro security researchers have discovered a known and highly capable advanced persistent threat (APT) group targeting Asus routers to recruit those routers into a botnet. Since the group has previously targeted other vendors too, please make certain your router is security hardened (see below) and has the latest available firmware.

What is happening?

In the latter half of last week Trend Micro researchers acquired malware samples which target Asus consumer routers seeking to recruit these devices into a botnet (defined). This malware originated from the advanced persistent threat group (APT) known as Sandworm or Voodoo Bear known for attacks on the Ukrainian electrical grid in 2015 and 2016 in addition to previous router-based malware, namely VPNFilter and the high impact NotPetya malware.

What capabilities does the malware have?

The overall intentions/purpose of the malware is unclear, but it does contain the following capabilities:

  1. It may be used to conduct DDoS (defined) attacks
  2. To carry out espionage activities or to act as a proxy to other networks.
  3. The malware has the ability to persist (even with a factory reset since it is designed to access and replace the router’s flash memory) and to work around domain sinkholes (used by the security community to attempt to disable the malware).

Security researchers theorise that the purpose of the botnet may be larger than DDoS since some devices have been compromised for more than 2 years while also acting as stable command and control (defined) sites for other botnets.

Why does it matter?

A compromised router within a corporate or home environment could be used:

  1. For espionage activities within those environments
  2. To carry out DDoS attacks external to your networks
  3. To act as a means for accessing other segments of the networks the router is connected to

While the malware currently only targets WatchGuard and now Asus devices, given the malware is modular in its design and the group’s previous success in exploiting devices from other vendors (e.g., D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZDE), it’s likely more devices will be targeted in the future. The Trend Micro researchers noted that while they have evidence of other routers being targeted, they were unable to collect samples for analysis.

Suggested resolution

Already compromised?

At this time, there does not appear to be a means of checking if your Asus router may have already been infected. If you are using a model of router from the list with a firmware version lower than those listed within the Asus security bulletin (no direct link is available; click the entry for Security Advisory for Cyclops Blink to view it), it’s possible it’s already infected. Indicators of compromise for corporate environments are available here.

If your router has already been infected, it’s best to simply replace it and then follow the prevention steps below going forward. This malware can persist even through a factory reset, and not all firmware updates will overwrite the compromised parts of the router’s operating system.

Prevention

Preventing infection of your router (and not just an Asus router) by this malware is possible, and you may already have most of the security recommendations in place:

  1. Make certain your router has the most recent firmware installed from the vendor (set reminders to periodically check the vendor’s website, or opt to install updates automatically if available as an option).
  2. Make certain the default password to access the administrative interface of the router has been changed.
  3. Disable Remote Management (for Asus routers this is disabled by default and can only be enabled via the Advanced Settings).

Refer to the user guide for the router to learn how to carry out these steps if you are not sure. Usually the steps are quick and straight forward.

Additional recommendations for corporate environments

  1. Only essential services should be exposed to the internet (e.g., a web server’s ports 80 and 443)
  2. Use a VPN if you need to access services remotely

For reference, indicators of compromise for corporate environments are available here.

Further Reference

New Sandworm Malware Cyclops Blink Replaces VPNFilter

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

Thank you.

March 2022 Update Summary

Early last week Adobe and Microsoft released their scheduled security updates to address 6 and 71 vulnerabilities (respectively), more formally known as CVEs (defined).

First, please find below the list of Adobe products affected:

Adobe After Effects: Resolves 4x Priority 3 severity CVEs (4x Critical Severity)

Adobe Illustrator: Resolves 1x Priority 3 severity CVE (1x Critical Severity)

Adobe Photoshop: Resolves 1x Priority 3 severity CVE (1x Important Severity)

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================

Useful sources of update related information are the US Computer Emergency Readiness Team (CERT) and the Cybersecurity & Infrastructure Security Agency (CISA) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

https://www.cisa.gov/uscert/ncas/bulletins

==================== 

For this month’s Microsoft updates, I will prioritise the order of installation below and provide further relevant links and steps where necessary:

====================

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2022-22006

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2022-23277

VP9 Video Extensions Remote Code Execution Vulnerability: CVE-2022-24501

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2022-21990

Windows Fax and Scan Service Elevation of Privilege Vulnerability: CVE-2022-24459

.NET and Visual Studio Remote Code Execution Vulnerability: CVE-2022-24512

Windows SMBv3 Client/Server Remote Code Execution Vulnerability: CVE-2022-24508

Azure Site Recovery Elevation of Privilege Vulnerability: CVE-2022-24469

Windows Event Tracing Remote Code Execution Vulnerability: CVE-2022-23294

====================

Following standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. 

I have also provided further details of updates available for other commonly used applications below. I will add to this list over time.

To all of my readers, I hope you and your families are staying safe. Thank you.

==================== 
Mozilla Firefox 
==================== 

So far this month Mozilla have released 2 sets of security updates for Firefox and Firefox (Extended Support Release) detailed below:

Firefox 97.0.2: Addresses 2x Critical Severity CVEs

Firefox 98: Addresses 4x High Severity CVEs and 3x Moderate Severity CVEs

Firefox ESR 91.6.1: Addresses 2x Critical Severity CVEs

Firefox ESR 91.7: Addresses 4x High Severity CVEs and 1x Low Severity CVE

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

==================== 
Google Chrome
==================== 

Google has released 1 (stable channel) Chrome update so far this month, version 99.0.4844.51 for Linux, Mac and Windows, to address 28 security vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect. 

Suggestions to improve security of printers on your network

TL; DR

Corporate network printers should be secured in a similar manner to your servers and endpoints. Threat actors often leverage printers to gain access to networks. Please use the points listed below to better protect them.

Commonplace in Corporate Networks

Large, fast and convenient business printers have long been a feature of our corporate networks. It is not uncommon for network printers to use a variant of Linux as their operating system which is more sophisticated than you may be aware. Thus, the printer should employ security controls similar to that of a server or an endpoint.

Why would a threat actor target a printer?

While patch management for servers and endpoints is usually well established, this may not be the case for printers, which may be patched less often or not at all. If a threat actor can obtain access to a printer, they are now within your network with the possibility to conduct further reconnaissance for targets of interest and other possibly vulnerable systems.

Not only is this of concern, but it is common for business printers to store previously printed documents and business templates on their built-in hard drives. Those documents could leak information to threat actors, while the templates may allow them to impersonate your organisation.

The following suggested security controls for business printers should be of assistance with increasing their security posture.

Suggested Security Controls for Business Printers

  1. Make certain your printer is situated behind an IPS (defined) within your network to prevent printers from being targeted. The printer should not be accessible from the public internet. In addition to this, make printing only possible from your internal network by removing the default gateway from the settings of the printer.
  2. Configure a dedicated system as a print server with appropriate access controls.
  3. Regularly update the firmware (defined) of the printer to make certain it is protected against discovered vulnerabilities (choose to automatically update the firmware where possible to remove the need for manual effort).
  4. Printers usually support multiple means of printing over protocols such as FTP (defined) and SNMP (defined); turn these off where possible in favour of the IPPS protocol over port 443. Access the printer’s settings using a web browser via HTTPS. Other ports to consider disabling are:
  • Server Message Block (SMB) (defined) (ports 135 to 139 and 445)
  • IPP on port 631
  • HTTP (port 80)
  • Telnet (defined) (port 23)
  5. Turn off UPnP (defined) (if the printer supports it).
  6. Change the default login password of your printer (choose a strong password, greater than 12 characters, 16 or more if possible).
  7. Record all printers in your configuration management database (CMDB) (defined), including the responsible owner and the printer’s location and purpose.
  8. Encrypt the hard drive of the printer (if the hard drive is stolen it won’t be accessible to an unauthorised individual).
  9. Enable pull printing; this makes certain the employee needs to present themselves at the printer to retrieve their documents.
  10. Where possible, employ third parties to evaluate the security of your printers (usually referred to as penetration testing or just pen testing) from both inside and outside your network to proactively prevent any vulnerabilities present being exploited by threat actors.
  11. When the printer has reached the end of its useful life, make certain standard de-commissioning processes are followed, including the forensic data wiping of the printer’s hard drive before it is responsibly de-commissioned.
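To confirm that the port hardening in item 4 above actually took effect on a printer you manage, here is an added PowerShell example written for this page (not code from the original post). It probes the TCP ports the list says to disable, plus 443 which should remain open, from a workstation on your internal network and reports any mismatch. The printer address is a constructed placeholder; port 21 for FTP is an assumption, since the post names the protocol but not a port, and SNMP is not probed because it runs over UDP, which Test-NetConnection cannot check.

```powershell
# Added example, not from the original post: check which of the listed printer ports still
# answer. Assumption: -Printer is a printer on your own network (10.0.0.50 is a placeholder).
param([string]$Printer = '10.0.0.50')

function Test-PrinterPorts {
    param([Parameter(Mandatory)][string]$Address)

    # Ports and expectations taken from the list above; 21 is assumed for FTP.
    $ports = @(
        @{ Port = 21;  Use = 'FTP printing (port assumed)'; ExpectOpen = $false },
        @{ Port = 23;  Use = 'Telnet';                      ExpectOpen = $false },
        @{ Port = 80;  Use = 'HTTP admin page';             ExpectOpen = $false },
        @{ Port = 135; Use = 'SMB / RPC';                   ExpectOpen = $false },
        @{ Port = 139; Use = 'SMB (NetBIOS)';               ExpectOpen = $false },
        @{ Port = 445; Use = 'SMB';                         ExpectOpen = $false },
        @{ Port = 631; Use = 'IPP (unencrypted)';           ExpectOpen = $false },
        @{ Port = 443; Use = 'IPPS / HTTPS admin';          ExpectOpen = $true  }
    )

    foreach ($p in $ports) {
        # -InformationLevel Quiet returns a plain boolean for the TCP connect test
        $open = Test-NetConnection -ComputerName $Address -Port $p.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        $finding = if ($open -eq $p.ExpectOpen) { 'as expected' }
                   elseif ($open)               { 'OPEN - disable per list above' }
                   else                         { 'closed but expected open' }
        [pscustomobject]@{
            Port    = $p.Port
            Use     = $p.Use
            Open    = $open
            Finding = $finding
        }
    }
}

Test-PrinterPorts -Address $Printer | Format-Table -AutoSize
```

Run this after each firmware update as well, since vendor updates occasionally re-enable services. Because the check runs from inside the network, a port reported closed here says nothing about exposure from the internet; that is the job of the IPS placement and default-gateway removal in item 1.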

Thank you.

May 2021 Update Summary

During the second week of May, Adobe and Microsoft released their expected monthly security updates. They addressed 44 and 55 vulnerabilities (respectively) more formally known as CVEs (defined). System administrators may be pleased to see the decrease in the number of updates from Microsoft for that month. Apologies for not publishing this post sooner.

Adobe’s updates for May address issues across a diverse range of products:

Adobe Acrobat and Reader: Resolves 14x Priority 1 vulnerabilities (10x Critical Severity and 4x Important Severity) 

Adobe After Effects: Resolves 3x Priority 3 vulnerabilities (2x Critical Severity and 1x Important Severity) 

Adobe Animate: Resolves 7x Priority 3 vulnerabilities (2x Critical and 5x Important Severity) 

Adobe Creative Cloud Desktop: Resolves 1x Priority 3 vulnerability (1x Critical Severity) 

Adobe Experience Manager: Resolves 2x Priority 2 vulnerabilities (1x Critical Severity and 1x Important Severity) 

Adobe Genuine Service: Resolves 1x Priority 3 vulnerability (1x Important Severity) 

Adobe Illustrator: Resolves 5x Priority 3 vulnerabilities (5x Critical Severity) 

Adobe InCopy: Resolves 1x Priority 3 vulnerability (1x Critical Severity) 

Adobe InDesign: Resolves 3x Priority 3 vulnerabilities (3x Critical Severity) 

Adobe Medium: Resolves 1x Priority 3 vulnerability (1x Critical Severity) 

Adobe Media Encoder: Resolves 1x Priority 3 vulnerability (1x Important Severity) 

Magento Security Updates: Resolves 7x Priority 2 vulnerabilities (1x Important Severity and 6x Moderate Severity) 

Just as always, if you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.  

====================  

A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):   

https://www.us-cert.gov/

====================   

For this month’s Microsoft updates, I will prioritise the order of installation below:  

==================== 

Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability: CVE-2021-31166 (this vulnerability is wormable and a proof of concept exploit is available)

Microsoft Hyper-V Remote Code Execution Vulnerability: CVE-2021-28476 (a proof of concept exploit for this vulnerability is also available) 

Microsoft Exchange Server Security Feature Bypass Vulnerability: CVE-2021-31207 

Microsoft OLE Automation Remote Code Execution Vulnerability: CVE-2021-31194 

Microsoft .NET Core and Visual Studio Elevation of Privilege Vulnerability: CVE-2021-31204 

Microsoft Common Utilities Remote Code Execution Vulnerability: CVE-2021-31200

Microsoft Scripting Engine Memory Corruption Vulnerability: CVE-2021-26419 

==================== 

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below.

To all of my readers, I hope you and your families are doing well during these challenging times. Thank you. 

==================== 
Mozilla Firefox 
==================== 
In the first week of May Mozilla released Firefox 88.0.1 and Firefox ESR (Extended Support Release) 78.10.1 to resolve the following vulnerabilities: 

Firefox 88.0.1: Addresses 1x Critical Severity CVE and 1x High Severity CVE 

Firefox ESR 78.10.1: Addresses 1x Moderate Severity CVE

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change. Firefox 88 also introduced the features listed at this link.

====================  

Google Chrome 

====================  

Google released 2 Chrome updates in May versions 90.0.4430.212 and 91.0.4472.77 for Linux, Mac and Windows to resolve 19 and 33 security vulnerabilities (respectively).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect. 

======================= 
Putty 
======================= 
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.75 in early May. It contains 1 security fix (see below). Version 0.75 is downloadable from here.

If you use Putty, please update it to version 0.75. Thank you. 

Security vulnerability fixed: 

==================== 
VideoLAN VLC 
==================== 
On the 10th of May VideoLAN released version 3.0.13 resolving 4 known vulnerabilities. The other non-security improvements introduced are detailed in the above 3.0.13 link and within the changelog. Version 3.0.14 was later released to address an auto-update issue (not security related). 

The most recent versions of VLC can be downloaded from: 
http://www.videolan.org/vlc/ 

==================== 
VMware 
==================== 
VMware released 4 security advisories to resolve vulnerabilities within the following products: 

==================== 
Advisory 1: Severity: Critical: 
VMware vRealize Business for Cloud 

Advisory 2: Severity: Low: 

VMware Workspace ONE UEM console 

Advisory 3: Severity: Low: 

VMware Workstation Pro / Player (Workstation) 

VMware Horizon Client for Windows 

Advisory 4: Severity: Critical: 

VMware vCenter Server (vCenter Server) 

VMware Cloud Foundation (Cloud Foundation) 

If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible. 

April 2021 Update Summary

To my readers; I hope you and your families are doing well in these still challenging times. 

Last week Adobe and Microsoft released their scheduled security updates. Adobe’s updates resolve 10 and Microsoft’s updates 114 vulnerabilities (respectively), more formally known as CVEs (defined). 

==================== 

Adobe released updates for the following products: 

Adobe Bridge: Resolves 6x Priority 3 vulnerabilities (4x Critical Severity and 2x Important Severity) 

Adobe Digital Editions: Resolves 1x Priority 3 vulnerability (1x Critical Severity) 

Adobe Photoshop: Resolves 2x Priority 3 vulnerabilities (2x Critical Severity) 

RoboHelp: Resolves 1x Priority 3 vulnerability (1x Important Severity) 

As always, if you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates. 

==================== 
A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):  

https://www.us-cert.gov/

====================  

For this month’s Microsoft updates, I will prioritise the order of installation below: 

==================== 

Important

==================== 

If you use Microsoft Exchange (the on-premises, non-cloud Office 365 version); please follow the steps from last month to first verify your server is not infected before installing this month’s security updates for Exchange Server. This post from BleepingComputer may be helpful in providing hints on how to install the Exchange Server updates for this month (many thanks to BleepingComputer for this advice): 

==================== 

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-28480 

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-28481 

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-28482 

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-28483 

Remote Procedure Call Runtime Remote Code Execution Vulnerabilities: CVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339 and CVE-2021-28343 

Win32k Elevation of Privilege Vulnerability: CVE-2021-28310 

Azure Sphere Unsigned Code Execution Vulnerability: CVE-2021-28460 

Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability: CVE-2021-28458 

RPC Endpoint Mapper Service Elevation of Privilege Vulnerability: CVE-2021-27091 

Windows Media Video Decoder Remote Code Execution Vulnerabilities: CVE-2021-27095 and CVE-2021-28315 

Windows Installer Information Disclosure Vulnerability: CVE-2021-28437 

Windows NTFS Denial of Service Vulnerability: CVE-2021-28312 (Resolving the issue discussed in this post)

==================== 

Update: 8th May 2021

The gaming performance issue introduced with the security update kb5001330 is not resolved and affects more than only systems with single monitors. AMD GPUs also appear to be impacted.

Further Reddit threads discussing this issue are located here and here.

Microsoft have since released a Known Issue Rollback (KIR) update to resolve the performance issues caused by kb5001330.

While some users are confirming that this resolves some of their issues, some issues remain (please also see the Reddit thread I previously linked). I have patched all of my Windows 8.1 and Windows 10 systems. My most powerful Windows 10 system is affected by this performance issue but only in some games; others play fine.

==================== 

Please note: For Windows 10 systems which use AMD and Nvidia graphics cards, there are reports of stability issues and loss of performance after the Windows 10 Version 20H2 security update kb5001330 is installed. Further details are here, here and here. Please note the prior update mentioned in these links, kb5000842, was the April preview update released in late March. Not all systems with Nvidia graphics cards seem to be affected. Some affected systems have the latest models while others have older models. It is not clear if AMD graphics are affected too. At this time, it is unknown when these issues will be resolved.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. 

I have also provided further details of updates available for other commonly used applications below (I will continue to add to this list). 

To all of my readers; I hope you and your families continue to do well during these challenging times. Thank you. 

==================== 
Google Chrome (and a potential privacy issue)
==================== 

Google has released 2 Chrome updates so far in April version 89.0.4389.128 and 90.0.4430.72 for Linux, Mac and Windows to resolve 2 and 37 security vulnerabilities (respectively). 

Another point to note is the initial incorporation of Federated Learning of Cohorts, or FLoC, into Chrome. The EFF have published their feedback on this new technology. At this time, Microsoft Edge has not activated it. This is an emerging potential privacy issue. It’s unclear what action to take at this time but it is an item to be aware of. 

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect. 

==================== 
Nvidia 
==================== 

On the 19th of April Nvidia released security updates for its drivers (defined) which power their Geforce, Nvidia RTX, Tesla and Quadro/NVS GPUs, as well as updates for Geforce Experience.

Not all driver updates are available at this time, but they are in progress and will be released this week (timelines are provided within Nvidia’s security advisory). 

As was the case with January’s security updates, all of these vulnerabilities are local rather than remote, meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or the Geforce Experience software, please consider installing these updates.

Blog Post: Shout Out April 2021

I wanted to provide a respectful shout out to the following blog post from Check Point, which highlights that the number of organisations globally affected by the well-known WannaCry ransomware has risen by 53% since the beginning of 2021:

Unfair exchange: ransomware attacks surge globally amid Microsoft Exchange Server vulnerabilities by Check Point

If you have not done so already, please update your systems or seek to place them behind a firewall so that they are no longer exposing any of the following ports to the internet:

  • TCP port 445 with related protocols on UDP ports 137-138
  • TCP port 139
  • Also disable SMBv1 (it’s a deprecated protocol)
  • Please also block the Remote Desktop Protocol (RDP) port 3389 (defined) at the entry point to your corporate network to prevent the spread of this malware, as recommended by the US CERT.
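As an added example (not from the original post, Check Point or the US CERT), the PowerShell below applies the same hardening on a single Windows host: it reports and disables SMBv1 and blocks the ports listed above inbound on the Windows firewall's Public profile, complementing the perimeter block recommended above. It assumes an elevated prompt on Windows 10 or Server 2016+, and the firewall rule names are chosen by this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and reduce SMB/NetBIOS/RDP exposure on one host.

# 1. Report whether the deprecated SMBv1 protocol is still enabled.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$smbServer   = Get-SmbServerConfiguration
Write-Host "SMB1 optional feature state  : $($smb1Feature.State)"
Write-Host "SMB server EnableSMB1Protocol : $($smbServer.EnableSMB1Protocol)"

# 2. Disable SMBv1 on the server side and remove the optional feature.
if ($smbServer.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($smb1Feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Block inbound SMB, NetBIOS and RDP on the Public profile (untrusted
#    networks). Rule names are this example's own; each is created once.
$blockRules = @(
    @{ Name = 'Block-Inbound-SMB-445';     Protocol = 'TCP'; Port = '445' },
    @{ Name = 'Block-Inbound-NetBIOS-139'; Protocol = 'TCP'; Port = '139' },
    @{ Name = 'Block-Inbound-NetBIOS-UDP'; Protocol = 'UDP'; Port = '137-138' },
    @{ Name = 'Block-Inbound-RDP-3389';    Protocol = 'TCP'; Port = '3389' }
)
foreach ($rule in $blockRules) {
    if (-not (Get-NetFirewallRule -Name $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $rule.Name -DisplayName $rule.Name `
            -Direction Inbound -Action Block -Profile Public `
            -Protocol $rule.Protocol -LocalPort $rule.Port | Out-Null
    }
}

# 4. Show which of these ports still have a listener, so the change can be
#    verified and any remaining exposure reviewed.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445, 3389 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Disabling the SMB1Protocol feature takes effect after a reboot, and on a domain-joined machine the Domain profile is deliberately left untouched so file sharing on the corporate network keeps working.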

If you suspect your system is infected with WannaCry, please disconnect the system from the internet and use anti-malware tools (in a similar manner to that described in this previous post) to remove the malware and then make certain your system has the necessary updates installed.

Thank you.