Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

Responding to the recent ZombieLand 2 TSX Vulnerabilities

====================
[TL DR]
====================
These vulnerabilities can only be exploited by attackers who have already compromised a system. Practice standard security precautions and install updates from hardware vendors and for your software (links provided below) when they become available. Resolution for vendors that offer cloud computing will have a more involved decision making process to consider (see below).

Early last week, security researchers disclosed security researchers disclosed further vulnerabilities within Intel’s processors.

How severe are these vulnerabilities?
These vulnerabilities ca be classed as medium severity. An attacker must already have compromised your system in order to exploit these vulnerabilities. This most recent set of vulnerabilities collectively known as ZombieLoad 2 or Transactional Synchronization Extensions (TSX) Asynchronous Abort affect Intel processors produced in the last approx. 2.5 years (August 2017 onwards).

For full technical details of these vulnerabilities, please see this page from Intel and this page from the security researchers. In summary these vulnerabilities according to the researchers allow “a malicious program to exploit internal CPU buffers to get hold of secrets currently processed by other running programs” leading to “these secrets such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys” being used by other running programs.

Of particular note are the performance implications for protecting virtual machines. If your organisation is running potentially untrusted code within virtual machines, protecting that environment will incur a performance penalty. You may need to carry out a risk assessment to determine if enabling these performance reducing mitigations outweigh the risk of putting your virtual machines at risk. Nested virtual machines will be most affected by the performance penalty.

How can I protect my organisation and myself from these vulnerabilities?
These most recent vulnerabilities can be mitigated by updating the firmware (defined) of your system. This is sometimes referred to as the UEFI / BIOS (defined) of your system.

They will be made available separately by the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard (defined) manufacturer for any custom-built systems you may have. You will have to determine from the updates those vendors issue if they are available for the products that you own.

In addition, operating system vendors and virtualisation software vendors have made patches available (links provided below).

Thank you.

====================

HP Enterprise:
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03968en_us

Fedora (referring to the Xen virtual machine (see also below):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/

Red Hat:
https://access.redhat.com/articles/11258

https://access.redhat.com/errata/RHSA-2019:3838

https://access.redhat.com/errata/RHSA-2019:3839

https://access.redhat.com/errata/RHSA-2019:3840

https://access.redhat.com/errata/RHSA-2019:3841

https://access.redhat.com/errata/RHSA-2019:3842

https://access.redhat.com/errata/RHSA-2019:3843

https://access.redhat.com/errata/RHSA-2019:3844

SUSE:
https://www.suse.com/support/update/announcement/2019/suse-su-201914217-1/

https://www.suse.com/support/update/announcement/2019/suse-su-201914218-1/

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915

Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-11135

Xen:
https://xenbits.xen.org/xsa/advisory-305.html

Performance impact to Xen:
https://xenbits.xen.org/xsa/advisory-297.html

VMware:
Security advisory:
https://www.vmware.com/security/advisories/VMSA-2019-0020.html

Further information:
https://kb.vmware.com/s/article/59139

VMware Performance Impact Statement addressing mitigations for Machine Check Exception on Page Size Change (MCEPSC) CVE-2018-12207:
https://kb.vmware.com/s/article/76050

Potential Privacy and Security Issues of Virtual Assistants Highlighted Again

In late October security researchers published details of proof of concepts exploits affecting smart home devices e.g. Amazon Echoes (known as Amazon Alexa) and Google Home. These techniques allow for eavesdropping on conversations and the obtaining of passwords from users.

Why should these proofs of concepts be considered significant?
The proof of concept apps used by the researchers passed both Amazon’s and Google’s app validation processes and were briefly available to the public. Further modifications to the apps did not require a validation by either vendor.

The researchers demonstrated how their app can mislead a user into believing the smart device is no longer listening (and recording) when in fact it is.

Amazon Echo
Eavesdropping
For an Amazon Echo the device was made to keep listening by changing the de-activation intent (a phrase that can have values (words) within it to carry out custom actions. Instead the de-activation routine does not stop the device from recording you. This was done in a way that the owner of the Amazon Echo would not know anything was wrong since they will still hear the device speak “Goodbye” message. This was achieved by adding a Unicode (defined) character sequence (U+D801, dot, space) to the end of the intent sequence. Since these characters cannot be pronounced (and heard) by the device silencing the speaker but keeping the app active in order eavesdrop on a conversation. By adding more characters, the time can easily be extended.

Eavesdropping using the Amazon Echo is demonstrated in the following video from the SRLabs researchers:

https://youtu.be/A3n-0AbXznc

Phishing a Password
To phish a password the researchers simply added an audible message in place of some of the unpronounceable characters to simply ask the user for their password by first telling them a security update for app is available and to supply the password to install the update. The researchers demonstrated the ability to convert the spoken sentence into text and send it to their proof of concept server. This is demonstrated in the following video:

https://youtu.be/Wh2uexUAy7k

====================
Google Home
Eavesdropping
To perform the same actions with Google Home the researchers put the user into a loop and were able to capture recognised speech as text without alerting the user of the Google Home to this being carried out. This time the researchers used multiple “noInputPrompts” with SSML elements or the Unicode characters again to capture whatever is being spoken.

This is demonstrated in the following video:

https://youtu.be/X2gddqD1wUI

Phishing a Password
This was carried out using the same technique as for the Amazon Echo above. This is demonstrated in the following video:

https://youtu.be/HliuWtVW4vY

How can I protect my smart speaker / virtual assistant from these vulnerabilities?
Unfortunately, as the purchaser of these devices there is no action you can carry out to prevent these techniques being used against you. Instead the responsibility lies with Amazon and Google. They need to improve their app validation processes, as per the researcher’s findings:

“To prevent ‘Smart Spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents. Unpronounceable characters like “U+D801, dot, space. “ and silent SSML messages should be removed to prevent arbitrary long pauses in the speakers’ output. Suspicious output texts including “password“ deserve particular attention or should be disallowed completely.”

My thanks to the SRLabs researchers who explain what needs to be done by the vendors to remediate these issues.

The well-known security researcher Karsten Nohl provides his informed opinion on this issue and how we should treat our usage of these devices.

Proof of concept attacks using laser beams
Smart speakers use specific microphones known as microelectro-mechanical systems (MEMS) microphones to convert the voices they hear into electrical signals they can understand and process. Such microphones however also respond to the application of light to them as proven by academic researchers who user lasers to have the devices call out the time, order a laser pointer online, set the devices volume to zero and open a garage door (or potentially the front door of a house).

What are the limitations of this technique?
The aiming of the laser can be imprecise which limits its distance and may also inadvertently hit other smart speaker devices. The researchers used a telescope, a telephoto lens and a tripod to focus the beam and to provide accurate timing.

Further limitations are detailed in this BleepingComputer article. My thanks to them for this detail and for the descriptions of this technique.

They also detail methods by which the owner of the smart speaker could be alerted to this technique being used to exploit it: “the victim may be alerted by the visibility of the light beam, unless infrared is used – but additional gear is necessary in this case, and the audio response from the target device confirm execution of the command”.

Both Amazon and Google provided statements that they are analysing the results of this research and are working with the researchers to improve security.

Thank you.

Exploits of BlueKeep Vulnerability Have Begun

In early November the security researcher Kevin Beaumont detected exploitation of the BlueKeep RDP vulnerability (patched in May 2019) within his honeypot network (defined).

How serious are these attacks?
At this time the attacks are not considered serious since the exploits are not using a wormable (automatic) means of spreading.

While this is true, Beaumont and Microsoft have cautioned that more stable exploits are likely to follow. Beaumont points to a blog post that discusses why the current exploits are mostly causing crashes upon systems and how to make the exploit more stable. Beaumont has stated over 724k system remain exposed to this vulnerability.

How can I protect my organisation or myself from this vulnerability?
For workstation systems, as recommended in my previous post, please install the Microsoft update if your system is vulnerable. Beaumont and Microsoft provide recommendations specific to organisations in their respective posts to both mitigate the vulnerability and to locate vulnerable systems within your network.

Thank you.

Blog Post Shout Out November 2019

While patching workstations and servers within organisations can be time consuming and occasionally disruptive to operations; critical infrastructure must remain online or at least minimise downtime.  I wish to provide a respectful shout-out to the following article from Amir Levintal,CEO and Co-Founder of Cylus who discusses these challenges and provides suggestions e.g. more resources, increased security awareness, and increased lobbying among regulators (among other suggestions) to overcome them:

How to Secure Critical Infrastructure When Patching Isn’t Possible: Kaspersky ThreatPost by Amir Levintal

I also wish to provide a respectful shout-out for the following article which highlights possible upcoming software updates for Amazon Kindles since vulnerabilities in the Universal Boot Loader were recently resolved:

Amazon Kindle, Embedded Devices Open to Code-Execution: Kaspersky ThreatPost by Tara Seals

Full-disclosure: I am not affiliated or sponsored by Kaspersky ThreatPost in any way. I simply wish to more widely highlight good advice on topical security issues.

Thank you.

October 2019 Update Sumamry

================
Update: 25th October 2019
================
Apologies for the delay in updating this post due to professional commitments.

I wanted to provide details of this month’s security updates from Microsoft and Adobe. On the 8th of October, Microsoft made available their updates resolving 59 vulnerabilities more formally known CVEs (defined).

Separately Adobe made available their updates a week later:

====================

Adobe Acrobat and Reader: 68x Priority 2 CVEs resolved (45x critical severity, 23x Important severity)

Adobe Download Manager: Priority 3 CVE resolved (1x Important severity)

Adobe Experience Manager: Priority 2 CVEs (1x Critical CVE, 7x Important and 4x Moderate severity)

Adobe Experience Manager Forms: 1x Priority 3 CVE (1x Important severity)

As always, if you use these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Acrobat/Reader and Experience Manager updates.

====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. All issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

As for stability, I have installed all of this month’s updates on my Windows 10 systems (Builds 18362.388 , 18362.418) most recently the new kb4522355 (for Windows 10 Version 1903 Build 18362.449) and have not experienced any issues. Indeed, this update was intended to resolve the issues e.g. among with the Start menu that caused me to advise not to install Windows 10 updates earlier this month. Obviously, please continue to backup and test your systems as you usually would before install widely rolling out these updates but in general you should be fine.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: , CVE-2019-1307 CVE-2019-1308 CVE-2019-1366

VBScript Remote Code Execution Vulnerability: CVE-2019-1238 CVE-2019-1239

Azure Stack Remote Code Execution Vulnerability : CVE-2019-1372

Remote Desktop Client Remote Code Execution Vulnerability : CVE-2019-1333

MS XML Remote Code Execution Vulnerability: CVE-2019-1060

Windows Error Reporting Manager Elevation of Privilege Vulnerability : CVE-2019-1315

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On 22nd October Mozilla released Firefox 70 to address multiple critical vulnerabilities and to one again introduce further privacy features (see below):

Firefox 70: Resolves 1x critical CVE (defined)(but consisting of multiple vulnerabilities), 3x high CVEs, 8x moderate and 1x low CVE

Firefox ESR 68.2 (Extended Support Release): Resolves 1x critical CVE (but consisting of multiple vulnerabilities), 3x high CVEs, 5x moderate

Highlights from version 70 of Firefox include:

Details of improvements in the macOS and Windows versions of Firefox are provided in this article. The blocking of social networking tracking is discussed in another article.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
On October 22nd, Google released Chrome version 78.0.3904.70. This update resolves a high severity flaw that earned the researcher who reported it $20,000. The Multi-State Information Sharing and Analysis Center (MS-ISAC) stated “successful exploitation could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.” In total, this update contains 37 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
WinSCP:
=======================
In mid October; WinSCP version 5.15.5 was released upgrading it’s embedded version of Putty (the Windows SSH client) to 0.73 (along with its SSH private key tools to the same version) resolving 2 vulnerabilities (with one other issue possibly security related). WinSCP 5.15.6 has since been released as a non-security update.

Thank you.

================
Update: 8th October 2019
================
Unfortunately due to professional commitments I won’t be able to update this post today with details of Adobe’s and Microsoft’s updates. I will do so as soon as possible this week.

Thanks for your understanding.

================
Original Post
================
On the 23rd of September Microsoft issued two out of band (unscheduled) security updates to resolve 2 zero-day (defined) vulnerabilities. The vulnerabilities affect Internet Explorer and Windows Defender.

Microsoft has drawn criticism for adding confusion to these updates since they are not available on Windows Update but must be installed manually. For Windows 10 Version 1903 this prompted the release of kb4524147 which at this time I do NOT recommend you install since it is causing some systems not to boot, not being able to print and in some cases the Start menu is crashing.

With further security updates expected from Microsoft tomorrow, please await those updates and re-assess if you should install them. I’ll updater this post tomorrow with more information on the new monthly updates.

Separately since Windows Defender updates automatically you should have received the relevant anti-malware engine update (Version: 1.1.14700.5) 48 hours after the 23rd September.

Thank you.

Evaluating Anti-ransomware Tools

With ransomware still very much prevalent in the headlines I wanted to test the effectiveness of complimentary products designed to work alongside your anti-malware solution.

For the results presented in the attached Excel file, I turned off all protections of Windows 10/Windows 7 and opened real ransomware samples on an updated version of Windows.

These products are mostly free but paid options are available. They clearly show how effective they can be even when the user follows no security best practices and opens ransomware. I wanted to provide the toughest challenge I could for these products and so chose ransomware that has made the headlines over the past 2 – 3 years.

I hope you find the results useful.

Excel file: Results

Thank you.

================

Products tested:
Please note that these tools are primarily targeted at client rather than server systems. Please check the license before deploying in a commercial environment:

Acronis Ransomware Protection : https://www.acronis.com/en-us/personal/free-data-protection/

Cyberreason RansomFree (discontinued: November 2018)

CheckMAL AppCheck (Free and Pro editions): https://www.checkmal.com/product/appcheck/

Kaspersky Anti-Ransomware Tool for Business: https://www.kaspersky.com/anti-ransomware-tool

Heilig Defense RansomOff: https://www.ransomoff.com/

ZoneAlarm Anti-Ransomware: https://www.zonealarm.com/anti-ransomware/

================

Google Android Zero Day Vulnerability Disclosed

================
Update: 25th October 2019
================
Google made available their October 2019 update for Android available on the 7th of October with other manufacturers (consolidated list of links available here) e.g. Huawei, LG, Motorola, Nokia and Samsung making theirs available shortly afterwards.

Thank you.

================
Original Post
================
Late last Thursday Google disclosed information concerning a zero-day (defined) vulnerability being used to exploit Google Android powered smartphones e.g. Google Pixel and phones from Huawei, Samsung and Xiaomi.

================
TL DR
================
Be cautious of the apps you download in advance of a patch being made available. The web browsing means of exploitation requires a pre-existing exploit. A list of vulnerable phones is provided below. Update your smartphone to the October 2019 patch when it becomes available.

What details of this vulnerability have been released?
The following smartphones have been confirmed as vulnerable:

1) Pixel 1 and 2 with Android 9 and Android 10 preview

2) Huawei P20

3) Xiaomi Redmi 5A

4) Xiaomi Redmi Note 5

5) Xiaomi A1

6) Oppo A3

7) Moto Z3

8) Oreo LG phones (run same kernel according to website)

9) Samsung Galaxy S7, S8, S9

====================
Not Vulnerable: Google Pixel 3 and 3a
====================
The vulnerability is a local privilege escalation vulnerability (defined) making use of a use after free (defined) issue in the Android binder driver (defined) which has the potential to provide an attacker with full control of the device. The first means of exploiting this vulnerability is via a rogue app. Google Project Zero researcher Maddie Stone adds further details for the second means of exploitation: “If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox”.

In other words, in order to use the second means of exploitation an attacker would already need to have loaded an exploit on your phone that they know the device is vulnerable, making this avenue of attack less likely.

How can I protect my device from this vulnerability?
Try to only download your apps from the Google Play store in advance of a patch becoming available. Read the reviews of the app to make certain it is a genuine app that works as intended. Scan any new app with trusted anti-malware software before you open it (while I acknowledge anti-malware software is not 100% accurate it can provide further protection over not using it).

Install the October 2019 security update when it becomes available for your smart device.

Thank you.