Tag Archives: Apple iPhone

BlueBorne : Bluetooth Vulnerability Explained

Researchers from the security firm Armis have discovered a set of eight security vulnerabilities within the Bluetooth (defined) communications technology and responsibly disclosed (defined) them to affected device manufacturers. These are not present in the protocol layer of Bluetooth but within the implementation layer of Bluetooth which “bypasses the various authentication mechanisms, and enabling a complete takeover of the target device” (source). An estimated 5.3 billion devices are thought to be vulnerable ranging from computers tablets, smartphone, TVs, watches to Internet of Things (IoT) (defined) medical devices. This set of vulnerabilities is known as “BlueBorne”.

What is BlueBorne and why is it important?
Exploitation of the BlueBorne vulnerabilities allows the complete compromise of the vulnerable device and does not require the vulnerable device be paired (defined) with the attacking device.

Once exploited the vulnerabilities allow the attacker to conduct remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device)) and man in the middle attacks (defined). To begin the attack, the attacker does not need for the user of the vulnerable device to have taken any action.

These vulnerabilities are particularly severe since Bluetooth is less secured on a corporate network than for example, the proxy server (defined) providing internet access making spreading from advice to device in a worm (defined) like fashion (theoretically) possible. The Bluetooth protocol often runs with high privilege on devices and is not usually considered a potential entry point into a network. Air gapped systems (defined) are also potentially vulnerable.

How can I protect myself from these issues?
Software updates for some devices are listed here (for Google, Linux and Microsoft devices). Recent Apple devices were found not to be vulnerable. A full list of affected devices and the software updates to protect them are listed here and will be updated by Armis.

For users of Google Android devices, they can check if their device is vulnerable by downloading the BlueBorne Android app. Disabling Bluetooth if you are not using it and only leaving it enabled for the time you are using it are also good security practices. Once your devices are updated, you should be able to resume normal Bluetooth usage. Please not that not all devices will or can be updated due to end of support lifecycles, newer products and product limitations. It is estimated approximately 2 billion devices will not receive software updates to resolve these issues.

Thank you.

May 2017 Security Updates Summary

Today Microsoft and Adobe made available their expected monthly security updates.

Microsoft’s updates address 57 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog while not updated since last month doesn’t contain this months updates yet.

Before continuing with this months updates I wanted to provide information on a critical out of band (un-scheduled) update made available by Microsoft yesterday to address a vulnerability responsibly disclosed (defined) by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy within Microsoft’s Malware Protection Engine. The full list of affected products is listed within their security advisory. The exploit code for this vulnerability was later published within a tweet (which will not exploit the vulnerability).

I recommend updating your version of the Malware Protection Engine as soon as possible to version 1.1.13704.0 (or later) since this vulnerability when exploited by an attacker will lead to them obtaining system level access (NT AUTHORITY\SYSTEM)(defined)(namely the highest level of privilege within a Windows system) over an affected system.

Also today Adobe issued two security bulletins for the following products:

Adobe Experience Manager Forms (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As always the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):


A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

For the Microsoft updates this month, I will prioritize the order of installation for you below:
Critical severity:
Microsoft Malware Protection Engine
Microsoft Office
Microsoft Edge
Internet Explorer
Microsoft SMB (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Update: 10th May 2017:
I wish to provide information on other notable updates from May 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

Mozilla Firefox:
Firefox 53.0.2

Mozilla Firefox ESR:
Firefox ESR 52.1.1

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

Google Chrome:
Google Chrome: includes 1 security fix.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

Nvidia Geforce Drivers:
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 15 security vulnerabilities. The steps to install the drivers are detailed here.

I detailed where Nvidia list their security advisories in a previous blog post.

This update to Malwarebytes 3.1 (specifically v3.1.2.1733) resolves more than 1 security vulnerability (exact numbers and further details are not available).

Malwarebytes typically roll out updates in waves meaning it may be sometime before you receive this update. If the update is not automatically downloaded and installed in a timely manner, it is available from this link. Manual installation and general troubleshooting steps are available here.

Apple security updates:
Updates were made available by Apple on the 15th of May for iTunes for Windows, Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, and iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

Further information on the content of these updates is available this blog post.

Hitman Pro:
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.7.20 (Build 286). This update resolves 3 important vulnerabilities relating to the driver the tool uses for scanning. Any previous version of the tool should update automatically when opened to the most recent version.

Update: 25th May 2017:
Yesterday VideoLAN released version 2.2.6 of VLC for Windows only. It resolves the security issues listed below (assuming at least 2 heap overflows (given their use of the plural form)). This list came from the NEWS.txt file after installing version 2.2.6 since the detailed release notes on VideoLAN’s website have not yet been updated (and may not be until 2.2.6 is officially made available for macOS and Linux systems).

The update is currently being distributed via their automatic updater (upon opening VLC) and manually from their website (unexpectedly that page also contains tarballs for Linux):

Changes between and 2.2.6:

Video output:
* Fix systematic green line on nvidia
* Fix direct3d SPU texture offsets handling

* Fix heap buffer overflows


It was not known at the time version was made available that the correction of “Fix potential out-of-band reads in subtitle decoders and demuxers” were actually security issues assigned to 4x CVEs discovered by CheckPoint security.

Late last week VideoLAN released version of VLC. This update is available for Linux, Apple Mac OS X and Windows. It addresses (at least) 13 security issues mentioned here (I’ll explain my numbering using the list below). This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

1. Security hardening for DLL hijacking environments
2. Fix potential out-of-band dereference in flac decoder
3. Fix potential out-of-band reads in mpeg packetizers
4. Fix incorrect memory free in ogg demuxer
5. Fix potential out-of-band reads in subtitle decoders and demuxers
6. Fix ADPCM heap corruption (FG-VD-16-067)
7. Fix DVD/LPCM heap corruption (FG-VD-16-090)
8. Fix possible ASF integer overflow
9. Fix MP4 heap buffer overflows
10. Fix Flac metadata integer overflow
11. Fix flac null-pointer dereference
12. Fix vorbis and opus comments integer overflows and leaks
13. The plugins loading will not load external DLLs by default. Plugins will need to LoadLibrary explicitly.

On the 14th of May, Notepad++ made available a new version updating it to version 7.4. While it is not a security update it includes a security related improvement namely: Improve certificate verifying method.

This version has since been updated to version 7.4.1 to resolve a number of non-security issues. If you use Notepad++, please consider updating to the most recent version to benefit from the security improvement and the bug fixes it includes.

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

GIMP (photo editor):
The open source ((the source code (human readable code) is free to view and edit by the wider IT community) photo editor GIMP has made available version 2.8.22 which resolves one security vulnerability. If you use this editor, please update it to this version (or later).

Blog Post Shout Out: Creating Passwords and Internet Privacy

This blog post shout out will focus on both security and privacy related issues.

While there has recently been a renewed focus to phase out passwords, until that happens we need to continue to manage them.

The following article discusses (among other topics) managing passwords. It focuses on providing security while making it easier for users to remember them. It also raises doubts about the need for changing passwords so often and provides evidence to back this up.

All of this advice may useful if you are trying to create or update your corporate password policy to make it more user friendly while still maintaining security.

How to hack the hackers: The human side of cybercrime by M. Mitchell Waldrop (Nature Journal)

In an effort to preserve your privacy you may be using a VPN (defined) connection when browsing the internet using your computer or mobile devices.

However as noted by F-Secure in this FAQ article, this may not be enough to fully protect your identity since some information (namely your real IP address) can still be leaked via WebRTC traffic. Within that FAQ article they provide advice on how to prevent this leak for the most common web browsers.
Related to the above topic of VPNs, using public Wi-Fi hotspots isn’t a good idea if you want to preserve your privacy as this Kaspersky article demonstrates.

While a VPN can assist with preserving that privacy when using a public Wi-Fi, it isn’t a perfect solution. For example, apps installed on mobile devices can still leak data as discussed in this article.

However, it possible to better control such data leakage on Android and Apple iPhones. A guide to do this for Android is available here.

For an iPhone, you can open Setting -> Mobile data and change the settings according to your preference. However, when you connect to a public Wi-Fi hotspot all the network connections in use by the apps will begin new connections or resume existing connections.

To minimise the amount of data leaked you should use a VPN (as I have already discussed above) for your mobile device. In addition, you should use the Low Power Mode option of your iPhone from Settings -> Battery and change the setting. This setting change will halt background tasks, delete Wi-Fi access point associations, previous new emails being received and automatic downloads. More information on this setting is available from here.

Next, turn on your VPN (Settings -> General -> VPN). A list of popular VPN providers is available here.

Using the above steps will help to minimise the amount of data leaked if you are privacy conscious and use an Android powered device or an iPhone. Full disclosure: as you know I use an Android phone so I haven’t intentionally provided more information/discussion on the iPhone.

I hope that you find the above references useful in maintaining your security and privacy. Many thanks to a colleague (you know who you are) for contributing the advice on using VPNs with mobile devices.

Thank you.