Tag Archives: Apple macOS

Responding to the Meltdown and Spectre Vulnerabilities

Earlier in January updates for Linux, Apple and Windows were made available to work towards addressing the 3 security vulnerabilities collectively known as Meltdown and Spectre.

Why should these vulnerabilities be considered important?
I’ll provide a brief summary of the two categories of vulnerabilities:

Meltdown: This is the name of the vulnerability discovered that when exploited by an attacker could allow an application running with standard privileges (not root or elevated privileges) to read memory only intended for access by the kernel.

Spectre: This is a category of two known vulnerabilities that erode the security boundaries that are present between applications running on a system. Exploitation can allow the gathering of information from applications which could include privileged information e.g. usernames, password and encryption keys etc. This issue can be exploited using a web browser (e.g. Apple Safari, Mozilla Firefox, Google Chrome, Microsoft Edge (or IE) by using it to record the current time at very short intervals. This would be used by an attacker to learn which memory addresses were cached (and which weren’t) allowing the attacker to read data from websites (violating the same-origin policy) or obtain data from the browser.

Browser vendors have responded by reducing the precision of JavaScript timing and making it more unpredictable while other aspects of JavaScript timing (using the SharedArrayBuffer feature) have been disabled.

More in-depth (while still being less technical) descriptions of these issues are available here , here and here.

How can I protect myself from these vulnerabilities?
Since these vulnerabilities are due to the fundamental architecture/design of modern CPUs; it is not possible to fully address them. Instead a combination of software fixes and microcode updates (defined) is more a viable alternative than re-designing the established architecture of modern CPUs.

In-depth lists of updates available from multiple vendors are available here and here. I would suggest glancing at the affected vendors and if you own a device/product from them; checking if you are affected by these vulnerabilities. A list of BIOS (defined) updates from multiple vendors are available here. Google Chrome has a Site Isolation mode that can mitigate these vulnerabilities which will be more comprehensively addressed in Chrome version 64 scheduled for release last this month.

At this time my systems required updates from Google, Mozilla, Microsoft, Apple, VMware, Asus, Lenovo and Nvidia. Many of many existing desktops are unlikely to receive microcode and BIOS updates due to be more than 3 years old. However my Windows 10 laptop has received a BIOS update from the manufacturer.

Are there disadvantages to installing these updates?
While these updates increase security against these vulnerabilities; performance issues and stability issues (Intel and AMD) after the installation of these updates have been reported. These vary in severity but according to Intel and Microsoft the updates will be refined/optimised over time.

Benchmarks made available by TechSpot show negligible impact on most tasks that would stress a CPU (defined). However any work that you perform which makes of large files e.g. databases may be significantly impacted by the performance impact these updates have when accessing files on disk (mechanical and solid state).

Details of the anticipated performance impact for Linux, Apple macOS (and iOS) and Windows are linked to. Further reports of reduced performance from Intel and Apple devices have also been recorded. Further details of a feature known as PCID (Process-Context Identifiers) within more recent CPUs which will help reduce the performance impact are provided here. For Intel CPUs, 4th generation Core CPUs and later should include it but any CPU manufactured after 2011 should have it (one of my CPUs; a Core i7 2600K has this feature, verified using Sysinternals Coreinfo). A full list of Intel CPUs affected by these vulnerabilities is here.

Conclusion:
With the widely reported stability and performance issues present it is your decision if you install the necessary updates now or wait until further refinements. If you experience issues, please report them to the manufacturers where possible and within online forums if not. More refined updates will only be created if a need to do so is established.

I’m in the process of updating my systems but will benchmark them before and after each updates to determine an impact and make a longer term decision to keep the updates or uninstall them until further versions become available. I’ll update this post as I gather more results.

=======================
Update: 16th January 2018:
A newly released free utility from Gibson Research (the same website/author as the well-known ShieldsUp firewall tester) named InSpectre can check if your Windows system has been patched against Meltdown and Spectre and can give an indication of how much the performance of your system will be affected by installing and enabling the Windows and/or the BIOS updates.

Please note: I haven’t tried this utility yet but will this weekend (it will help with the tests I’m carrying out (mentioned above). I’ll update this post when I have tried out this utility.

Thanks again.
=======================

Thank you.

December 2017 Update Summary

Earlier this month Microsoft closed out the year with a small number of security updates. They resolved 32 vulnerabilities. Further details are provided within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

No Known Issues were listed as occurring for this months update.

====================

Meanwhile Adobe also completed their yearly updates with a single update for Flash Player resolving a single priority 2 CVE (defined).

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For December Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Important severity:

Windows RRAS (Routing and Remote Access) Service Remote Code Execution Vulnerability

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware AirWatch Console and other VMware Products
=======================
A security advisory for VMware AirWatch Console to address a moderate security vulnerability was made available in December. A further security advisory to address 4 important vulnerabilities within the products listed below was also published:

  • ESXi
  • vCenter Server Appliance
  • Workstation
  • Fusion

=======================
Google Chrome:
=======================
An update for Google Chrome included 37 security fixes while a second update included 2 further fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Apple security updates:
=======================
During the first half of December Apple made available security updates for the following products:

=======================

Apple tvOS 11.2 and 11.2.1

Apple iOS 11.2 and 11.2.1

Apple watchOS 4.2

Apple Safari 11.0.2

Apple macOS High Sierra 10.13.2, Sierra and El Capitan

Apple iTunes 12.7.2 for Windows

AirPort Base Station Firmware Update 7.6.9 and AirPort Base Station Firmware Update 7.7.9

Apple iCloud for Windows 7.2

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here. Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Mozilla Firefox and Firefox ESR
=======================
During December Mozilla released security updates for Firefox and Firefox ESR (Extended Support Release) raising their version numbers to 57.0.2 and 52.5.2 respectively.

  • Firefox 57.0.2 resolves 1 CVE
  • Firefox ESR 52.5.2 resolves 2 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57.0.2
Firefox 52.5.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
VideoLAN VLC:
=======================
In early December VideoLAN made available version 2.2.8 of VLC for Linux, Apple macOS  and Windows. It addresses 4 security vulnerabilities (3 of which were addressed in 2.2.7). If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

=======================
WinSCP
=======================
In mid-December; WinSCP version 5.11.3 was released upgrading it’s embedded OpenSSL version to 1.0.2n (which addresses 1x moderate and 1x low severity CVEs).

November 2017 Security Updates

Back in November; Microsoft released their routine monthly security updates. These updates resolved 53 vulnerabilities with 14 individual updates (which are grouped when downloaded). As always these are detailed within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

Microsoft have listed 6 Known Issues that can occur from Windows 7 up to and including Windows 10 (version 1703):

Windows 10 (versions 1511, 1607 and 1703 potentially impacted):

KB4048952: caused some Epson SIDM (Dot Matrix) and TM (POS) printers to lose the ability to print. This was later resolved by a further update; KB4053578

KB4048954:

could cause Internet Explorer 11 to not provide users of SQL Server Reporting Services (SSRS) the ability to scroll through drop-down menus.

Windows Pro devices on the Current Branch for Business (CBB) will upgrade unexpectedly.

The above issue regarding Epson printers could also occur. All 3 of the above issues have been resolved. Please see KB4048954 for details of the additional updates containing the appropriate fixes.

KB4048953:

Details 2 of the above issues as well as an additional issue regarding an error message for the CDP User Service. Please see KB4048953 for details of the additional updates containing the appropriate fixes.

Windows 8.1 and Windows Server 2012 R2:

KB4048958

Please see KB4048958 for details of the additional updates containing the appropriate fixes for the issues already discussed above.

KB4048961

Please see KB4048961 for details of an additional update containing the appropriate fix for an issue already discussed above.

Windows 7 SP1 and Windows Server 2008 R2 Standard:

KB4048957

Please see KB4048957 for details of the additional updates containing the appropriate fixes for the issues already discussed above.

KB4048960

Please see KB4048960 for details of an additional update containing the appropriate fix for an issue already discussed above.

This month there are 4 Known Issues (kb4041691kb4042895 , kb4041676 and kb4041681) for this month’s Microsoft updates. 2 of these issues relate to an exception error dialog box appearing, with the others causing a black screen, updates not to install in express , a BSOD and changing of display languages. Microsoft states in each link above they are working on resolutions to these issues.

====================

Adobe also made available their scheduled security updates for the following products:

Adobe Acrobat and Reader (priority 2, 56 CVEs)

Adobe Connect (priority 3, 5 CVEs)

Adobe DNG Converter (priority 3, 1 CVE)

Adobe Digital Editions (priority 3, 6 CVEs)

Adobe Experience Manager (priority 3, 3 CVEs)

Adobe Flash Player (priority 2, 5 CVEs)

Adobe InDesign CC (priority 3, 1 CVE)

Adobe Photoshop CC (priority 3, 2 CVEs)

Adobe Shockwave Player (priority 2, 1 CVE)

As always the priority updates are Flash Player first and Adobe Acrobat (in that order).

One point to note is that Adobe Acrobat 11 (or XI) / Reader 11 are now out of support from November onwards. These will be the final updates they receive. Adobe recommends upgrading to Adobe Acrobat DC or Reader DC (as appropriate). Apart from the different user interface of the DC version, possible privacy concerns were raised about one of the components of this newer version namely RdrCEF.exe (the purpose of which is described here). The suggestions to resolve these concerns were:

  • Adding cloud.adobe.com to your Hosts file (defined) to redirect it to localhost (defined) (to prevent it disclosing any private info)
  • Blocking RdRCEF.exe from accessing the internet using your software firewall

A list of changes to the Windows Registry (defined) were suggested in this forum thread but it is not clear if these are effective.

As always you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For Novembers Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft Office Vulnerability : CVE-2017-11882 : was described as “extremely dangerous” by researchers at security firm Embedi to disclosed the vulnerability to Microsoft. In addition to installing the security update they recommend disabling the legacy equation editor to protect against future attackers against the code which does not benefit from the more secure coding practices.

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware Workstation, Fusion and Horizon View Client
=======================
A security advisory with details of how to obtain updates for the above mentioned products to address 6 CVEs was made available by VMware in November.

=======================
Google Chrome:
=======================
An update for Google Chrome included 2 security fixes while a second update included a further security fix,

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Wireshark 2.4.3 and 2.2.11
=======================
v2.4.3: 3 CVEs (defined) resolved

v2.2.11: 3 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.3) or v2.2.11). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Apple security update:
=======================
An updates was made available by Apple on the 29th of November for macOS High Sierra to resolve a critical security vulnerability that could have resolved in the creation of a root (defined) account on the affected system allowing an unauthorised user privileged access to that system. Further details of this vulnerability are available here. As discussed in that link, this security update should have been installed automatically (no user action required).

=======================
Mozilla Firefox and Firefox ESR
=======================
During November Mozilla released security updates for Firefox and Firefox ESR(Extended Support Release) raising their version numbers to 57 (and later to 57.0.1) and 52.5 respectively.

  • Firefox 57 resolves 15 security issues more formally known as CVEs (defined) while 57.0.1 resolves 2 CVEs.
  • Firefox ESR 52.5 resolves 3 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57 and Firefox 57.0.1
Firefox 52.5

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

WPA2 KRACK Vulnerability: What you need to know

Last Sunday, the early signs of a vulnerability disclosure affecting the extensively used Wi-Fi protected access (WPA2) protocol were evident. The next day, disclosure of the vulnerability lead to more details. The vulnerability was discovered by  two researchers Mathy Vanhoef and Frank Piessens of the Katholieke Universiteit Leuven (KU Leuven) while examining OpenBSD’s implementation of the WPA2 four way handshake.

Why should this vulnerability be considered important?
On Monday 16th October, the KRACK (key re-installation attacks) vulnerability was disclosed. This vulnerability was found within the implementation of the WPA2 protocol rather than any single device making it’s impact much more widespread. For example, vulnerable devices include Windows, OpenBSD (if not already patched against it), Linux, Apple iOS, Apple macOS and Google Android.

If exploited this vulnerability could allow decryption, packet replay, TCP connection hijacking and if WPA-TKIP (defined) or GCMP (explained) are used; the attacker can inject packets (defined) into a victim’s data, forging web traffic.

How can an attacker exploit this vulnerability?
To exploit the vulnerability an attacker must be within range of a vulnerable Wi-Fi network in order to perform a man in the middle attack (MiTM)(defined). This means that this vulnerability cannot be exploited over the Internet.

This vulnerability occurs since the initial four way handshake is used to generate a strong and unique key to encrypt the traffic between wireless devices. A handshake is used to authenticate two entities (in this example a wireless router and a wireless device wishing to connect to it) and to establish the a new key used to communicate.

The attacker needs to manipulate the key exchange (described below) by replaying cryptographic handshake messages (which blocks the message reaching the client device) causing it to be re-sent during the third step of the four way handshake. This is allowed since wireless communication is not 100% reliable e.g. a data packet could be lost or dropped and the router will re-send the third part of the handshake. This is allowed to occur multiple times if necessary. Each time the handshake is re-sent the attacker can use it to gather how cryptographic nonces (defined here and here) are created (since replay counters and nonces are reset) and use this to undermine the entire encryption scheme.

How can I protect myself from this vulnerability?
AS described in this CERT knowledge base article.; updates from vendors will be released in the coming days and weeks. Apple (currently a beta update) and Microsoft already have updates available. OpenBSD also resolved this issue before the disclosure this week.

Microsoft within the information they published for the vulnerability discusses how when a Windows device enters a low power state the vulnerable functionality of the wireless connection is passed to the underlying Wi-Fi hardware. For this reason they recommend contacting the vendor of that Wi-Fi hardware to request updated drivers (defined).

Links to affected hardware vendors are available from this ICASI Multi-Vendor Vulnerability Disclosure statement. Intel’ security advisory with relevant driver updates is here. The wireless vendor, Edimax also posted a statement with further updates to follow. A detailed but easy to use list of many vendors responses is here. Since I use an Asus router, the best response I could locate is here.

======
Update: 21st October 2017:
Cisco have published a security advisory relating to the KRACK vulnerability for its wireless products. At the time of writing no patches were available but the advisory does contain a workaround for some of the affected products.
======

The above updates are software fixes but updates will also be made available for devices in the form of firmware updates e.g. for wireless routers, smartphones and Internet of Things (IoT)(defined) devices. For any wireless devices you own, please check with the manufacturer/vendor for available updates with the above CERT article and vendor response list detailing many of the common vendors.

Thank you.

May 2017 Security Updates Summary

Today Microsoft and Adobe made available their expected monthly security updates.

Microsoft’s updates address 57 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog while not updated since last month doesn’t contain this months updates yet.
====================

Before continuing with this months updates I wanted to provide information on a critical out of band (un-scheduled) update made available by Microsoft yesterday to address a vulnerability responsibly disclosed (defined) by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy within Microsoft’s Malware Protection Engine. The full list of affected products is listed within their security advisory. The exploit code for this vulnerability was later published within a tweet (which will not exploit the vulnerability).

I recommend updating your version of the Malware Protection Engine as soon as possible to version 1.1.13704.0 (or later) since this vulnerability when exploited by an attacker will lead to them obtaining system level access (NT AUTHORITY\SYSTEM)(defined)(namely the highest level of privilege within a Windows system) over an affected system.

====================
Also today Adobe issued two security bulletins for the following products:

Adobe Experience Manager Forms (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As always the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:
Microsoft Malware Protection Engine
Microsoft Office
Microsoft Edge
Internet Explorer
Microsoft SMB (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 10th May 2017:
=======================
I wish to provide information on other notable updates from May 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.1.1

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 1 security fix.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 15 security vulnerabilities. The steps to install the drivers are detailed here.

I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Malwarebytes:
=======================
This update to Malwarebytes 3.1 (specifically v3.1.2.1733) resolves more than 1 security vulnerability (exact numbers and further details are not available).

Malwarebytes typically roll out updates in waves meaning it may be sometime before you receive this update. If the update is not automatically downloaded and installed in a timely manner, it is available from this link. Manual installation and general troubleshooting steps are available here.

=======================
Apple security updates:
=======================
Updates were made available by Apple on the 15th of May for iTunes for Windows, Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, and iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

Further information on the content of these updates is available this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.7.20 (Build 286). This update resolves 3 important vulnerabilities relating to the driver the tool uses for scanning. Any previous version of the tool should update automatically when opened to the most recent version.

=======================
VideoLAN VLC:
=======================
=======================
Update: 25th May 2017:
=======================
Yesterday VideoLAN released version 2.2.6 of VLC for Windows only. It resolves the security issues listed below (assuming at least 2 heap overflows (given their use of the plural form)). This list came from the NEWS.txt file after installing version 2.2.6 since the detailed release notes on VideoLAN’s website have not yet been updated (and may not be until 2.2.6 is officially made available for macOS and Linux systems).

The update is currently being distributed via their automatic updater (upon opening VLC) and manually from their website (unexpectedly that page also contains tarballs for Linux):

Changes between 2.2.5.1 and 2.2.6:
———————————-

Video output:
* Fix systematic green line on nvidia
* Fix direct3d SPU texture offsets handling

Demuxer:
* Fix heap buffer overflows

———————————-

It was not known at the time version 2.2.5.1 was made available that the correction of “Fix potential out-of-band reads in subtitle decoders and demuxers” were actually security issues assigned to 4x CVEs discovered by CheckPoint security.

=================
Late last week VideoLAN released version 2.2.5.1 of VLC. This update is available for Linux, Apple Mac OS X and Windows. It addresses (at least) 13 security issues mentioned here (I’ll explain my numbering using the list below). This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

1. Security hardening for DLL hijacking environments
2. Fix potential out-of-band dereference in flac decoder
3. Fix potential out-of-band reads in mpeg packetizers
4. Fix incorrect memory free in ogg demuxer
5. Fix potential out-of-band reads in subtitle decoders and demuxers
6. Fix ADPCM heap corruption (FG-VD-16-067)
7. Fix DVD/LPCM heap corruption (FG-VD-16-090)
8. Fix possible ASF integer overflow
9. Fix MP4 heap buffer overflows
10. Fix Flac metadata integer overflow
11. Fix flac null-pointer dereference
12. Fix vorbis and opus comments integer overflows and leaks
13. The plugins loading will not load external DLLs by default. Plugins will need to LoadLibrary explicitly.

=======================
Notepad++:
=======================
On the 14th of May, Notepad++ made available a new version updating it to version 7.4. While it is not a security update it includes a security related improvement namely: Improve certificate verifying method.

This version has since been updated to version 7.4.1 to resolve a number of non-security issues. If you use Notepad++, please consider updating to the most recent version to benefit from the security improvement and the bug fixes it includes.

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
GIMP (photo editor):
=======================
The open source ((the source code (human readable code) is free to view and edit by the wider IT community) photo editor GIMP has made available version 2.8.22 which resolves one security vulnerability. If you use this editor, please update it to this version (or later).

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

=======================
Update: 28th March 2017:
=======================
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

=======================
Update: 11th April 2017:
=======================
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6  in Acrobat/Reader (assuming near sequential CVEs and the team names attributed top them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.