Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

April 2017 Security Updates Summary

As expected earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s set of updates are much lighter in volume this month addressing 45 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month sees four known issues listed for this months updates all relating to the AMD Carrizo processor experiencing an issue which prevents the installation of future Windows Updates. Microsoft states in all four knowledge base articles (listed below) they are aware of this issue and are working to resolve it in upcoming updates:

KB4015549
KB4015546
KB4015550
KB4015547

At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues (although it has not been updated since November 2016, I’m unsure why).

====================
Adobe issued five security bulletins today affecting the following products:

Adobe Campaign (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)
Adobe Acrobat and Reader (47x priority 2 CVEs)
Adobe Photoshop (2x priority 3 CVEs)
Adobe Creative Cloud Desktop (2x priority 3 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
For the Microsoft updates this month, I will prioritize the order of installation for you below:

====================
Critical severity:
Microsoft Office and Windows WordPad (due to a previously disclosed zero day vulnerability (defined))
Microsoft Edge
Internet Explorer
Microsoft .Net Framework
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Microsoft Ends Support for Windows Vista

As detailed in the news online Microsoft is ending the support lifecycle of Windows Vista today. It will no longer receive security updates going forward.

With the installation share of Windows Vista being only approximately 1% of all installed operating systems, the number of users/systems affected is small. However they should still seriously consider migrating to newer operating systems and possibly newer hardware to support their new choice of operating systems.

Since this is a consumer oriented operating system, the recommendations previously provided for Windows Server 2003 do not apply here. Check if your current applications are compatible with newer operating systems and migrate at your earliest convenience to minimise future since the support lifecycle has ended.

Thank you.

“DoubleAgent” Vulnerability Disclosure: What you need to know

In late March a security vulnerability was disclosed by the Israeli security firm Cybellum. However this was no ordinary public disclosure as I will explain below. Apologies for the untimely nature of this blog post due to other commitments:

What made this disclosure different?
At first glance this disclosure appeared very serious. It discussed the use of the Microsoft Application Verifier present within Windows XP up to and including Windows 10. They detail the leveraging of this tool to add a customised verifier DLL (defined) to hijack any legitimate process (defined) within Windows.

They demonstrated this attack against anti-malware software specifically Norton Security (by Symantec) resulting in a rogue DLL being injected (defined here and here) into the Norton process (ns.exe as demonstrated within their YouTube video). Despite claims by Cybellum security firms such as Avira and Comodo have reported this attack cannot bypass the self-protection features within their products. The full list of capabilities this attack provides is within this news article.

Windows Internals expert; Alex Ionescu later revealed the researchers from Cybellum used his work concerning protected processes to create this exploit and this was already a known issue. As was pointed out in the Twitter timelines linked to below once an attacker has administrative control over your system they could simply uninstall your security software rather than trying to bypass rendering the threat of this exploit far less important/relevant.

Twitter Timeline 1
Twitter Timeline 2
Twitter Timeline 3
Twitter Timeline 4
Twitter Timeline 5

Does this disclosure only affect security software?
It’s important to note this attack potential affects all software on Windows rather than just security software. In addition the proof of concept (PoC) exploit requires no changes for any application you choose to attack. Security software was chosen since almost all systems have anti-malware software installed and their process names are trusted (and allowed within application white listed (defined) environments).

How can I protect myself from this exploit?
Since this attack requires administrative privileges (defined) on Windows to have the intended effect, using a standard user account for everyday use will mitigate this attack.

From the various statements issued by the affected anti-malware vendors (listed below) please ensure your anti-malware software is the latest version available to ensure this attack is ineffective.

Traditional defences such patching your operating system, your web browser and be cautious of the attachments you open will also reduce the risk posed by this attack.

NetworkWorld Anti-Malware Vendor Responses

Malwarebytes Anti-malware

Symantec Endpoint Protection

Symantec Endpoint Protection Affected Versions

Thank you.

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

=======================
Update: 28th March 2017:
=======================
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

=======================
Update: 11th April 2017:
=======================
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6  in Acrobat/Reader (assuming near sequential CVEs and the team names attributed top them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

March 2017 Security Updates Summary

As you know Microsoft and Adobe released their scheduled monthly security updates. For Microsoft this release was anticipated especially since last month’s set was delayed.

Within the above linked to post I predicted Microsoft would make a large number of updates and they did just that. 17 bulletins in total are now available. These updates address 138 vulnerabilities listed within Microsoft’s new Security Update Guide. These vulnerabilities are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within their March summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.
====================

Adobe issued two security bulletins today. One affecting Adobe Flash and the other for Adobe Shockwave Player. The Flash Player bulletin resolves 7x priority 1 vulnerabilities. While the Shockwave bulletin resolves 1x priority 2 vulnerability. These priority rating are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which was made available last week.

If you use Flash or Adobe Shockwave, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
Update: 22nd March 2017:
=======================
I wish to provide information on other notable updates from this month which I would recommend you install if you use these software products:

Notepad++ version 7.3.3

VideoLAN VLC Media version 2.2.5 (release currently in progress)

Malwarebytes Anti-malware version 3.0.6 CU3 (with Component package version: 1.0.75):
It is unknown how many vulnerabilities this addresses but this forum post mentions their resolution.

Malwarebytes Anti-malware version 3.0.6 CU4 addresses further vulnerabilities.

More details of the vulnerabilities resolved by Malwarebytes 3.0.6 CU3 have emerged. Researchers responsibly disclosed a technique which uses Microsoft’s Application Verifier to hijack an anti-malware application. More details of this vulnerability are available here and here.

Mozilla Firefox 52.0.1 (more details in this post on Pwn2Own 2017)

VMware Workstation 12.5.4 (relevant security advisories are here and here)

VMware ESXi, Fusion and VMware Workstation 12.5.5 (the relevant security advisory is here). This advisory resolves the vulnerabilities disclosed during Pwn2Own 2017 for the above listed products.

Wireshark 2.2.5 and 2.0.11

Putty 0.68 (while released in February; it contains important security changes)

Apple Security Updates: updates are available for iTunes, iTunes for Windows, Pages, Numbers, Keynote (for macOS and iOS), Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, macOS Server, iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

=======================

For the 17 Microsoft bulletins this month, I will prioritize the order of updates for you below:

====================
Critical severity:
Windows Graphics Component

Windows SMB Server

Microsoft Edge

Internet Explorer

Windows Hyper-V

Windows PDF

====================
Important Severity
====================
The update for Microsoft Office should be installed next due to it’s criticality. With the follow updates after it:

Microsoft Exchange

Microsoft IIS

Active Directory Federation Server

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

WD My Cloud NAS Vulnerabilities

=======================
Update: 12th April 2017:
=======================
Western Digital have made available firmware updates to their My Cloud EX2100 and EX4100 models. The updates are available from this page.

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Update: 22nd March 2017:
=======================
Western Digital have made available firmware updates to My Cloud Mirror, EX2 and EX4 models. The updates are available from http://support.wdc.com/downloads.aspx

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Original Post:
=======================
Earlier this month a freelance security researcher known as Zenofex publically disclosed (defined) a total of 85 security vulnerabilities within the Western Digital (WD) MyCloud Network Attached Storage (NAS)(defined) devices

The vulnerabilities consist of authentication bypasses and code execution (carrying out instructions/steps of an attacker’s choice) and the upload/download of the data the device contains. Since the researcher did not receive cooperation with addressing previously communicated vulnerabilities from WD in the past they chose not to responsibly disclose (defined) these vulnerabilities.

After this disclosure, SEC Consult Vulnerability Lab (SCVL) provided further details of these vulnerabilities to the wider security community. For some of the 85 issues disclosed they had contacted WD in January 2017 and disclosed some of the details on the 20th of February. These vulnerabilities range from : command injection vulnerabilities, a stack-based buffer overflow (defined) bug and a cross-site request forgery flaw (defined)

In December 2016 WD issued fixes for some of the vulnerabilities discovered but created further vulnerabilities which resulted in the very same outcome they were trying to address.

How can I protect myself from these vulnerabilities?
Unfortunately, due to the very large number of vulnerabilities disclosed it will take a significant duration of time to resolve them all (especially if inadvertently; further vulnerabilities become evident; as has happened before).

If you use this NAS device; the data it contains will be at elevated risk of compromise while WD works to resolve these vulnerabilities. I would recommend ensuring these devices are not accessible to the external internet. Shodan may be of assistance to you in determining this. More information on Shodan is available in a previous blog post.

Please create backups of the data these NAS devices contain and store them on other devices until these vulnerabilities are resolved. Monitor WD’s website and install new firmware releases as they become available.

While Western Digital issued fixes for some of the vulnerabilities in December 2016, the independent security researcher found the fixes created another vulnerability with the same results they intended to resolve.

In addition, within this ThreatPost article WD recommends:

“My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates.”

I will update this post as new information on the relevant updates becomes available.

Thank you.

Cloudflare addresses data leak

For 5 days within February this year; an information disclosure issue affected Cloudflare’s infrastructure. This led to their systems inadvertently leaking private session keys, website cookies, encryption keys and passwords.

Why should this vulnerability be considered important?

The scale of the issue was large, affecting an estimated 2 million websites. This flaw was due to a coding error within a parser (defined) (undetected at the time) used to modify HTML webpages and related to how the memory containing buffers (defined) of their NGINX (defined) web server functioned. Google Project Zero vulnerability researcher Tavis Ormandy contacted Cloudflare over Twitter who mitigated the issue in 47 minutes and completed their work in less than 7 hours; an incredibly swift resolution. Cloudflare later noted it would usually take 3 months to resolve an issue similar to this.

How can I protect myself from this vulnerability?

Cloudflare documented their findings of this incident within this blog post. Their analysis shows no evidence of attackers using the leaked information for malicious account access, accessing sensitive information or fraudulent purchases (in the case of exposed credit card numbers).

Cloudflare is continuing to review the leaked information and working to remove it from third party caches. They have committed to a review (both internal and with the assistance of external auditor Veracode) of the parser code which inadvertently lead to this information leakage.

As a precaution I would recommend monitoring any affected accounts for unwanted activity and change passwords and enable 2 factor authentication should any unwanted activity take place. The list of affected websites is here.

Further discussion of the impact of this issue is available from this SANS forum post and this Softpedia news article.

Thank you.