Tag Archives: Corporate Security

Responding to the WPA-2 Kr00k Vulnerability

=====================
TL;DR
While this vulnerability degrades the security offered by WPA2 and WPA2-Enterprise the use of HTTPS / TLS on your network will keep your web browsing traffic secure. An attacker would need to be in close proximity to the in-use Wi-Fi to exploit it and could only gather small amounts of information (if it not already secured by TLS) over time. Please check if software or firmware updates are available for your Wi-Fi devices.
=====================

Yesterday at the RSA conference ESET Security researchers disclosed details of a vulnerability affecting very large numbers (more than 1 billion) of Wi-Fi devices. They named the vulnerability Kr00k.

How serious is this vulnerability?
Cisco has classified this vulnerability as medium severity with Apple further adding that “an attacker in Wi-Fi range may be able to view a small amount of network traffic”. It has received a CVSS base score of 3.1 (Low). While there is potential for an attacker to eavesdrop on your Wi-Fi it does not mean your Wi-Fi is completely open to attack. ESET clarifies this “eavesdropping on the communication of an unpatched device is simple enough for most black-hat actors”. In other words, an attacker would have to target your vulnerable network and be within Wi-Fi range to exploit it. With most traffic now secured by TLS (indicated by your web browser as HTTPS) an attacker could NOT view such traffic. An attacker could continuously trigger a disassociation between Wi-Fi devices and each time obtain several kilobytes of sensitive information (provided it isn’t already secured by TLS). Each disassociation could be used to gather a little more information.

How does this vulnerability work?
Affected Broadcom chips which are used in many of today’s Wi-Fi capable devices and Cypress chips used within many Internet of Things (IoT) devices. After disassociation between a device and a client device e.g. your laptop and your Wi-Fi access point, the session key used by the WPA2 encryption protocol to secure the connection which is stored within the Wireless Network Interface Controller’s (WNIC) is cleared (set to zero)(this is design). However, the data frames left within the transmit buffer of the chip are then sent and secured with an all zero key. This small amount of information could be captured by an adversary. If the information is not secured by TLS, the attacker may obtain sensitive information. They could then repeat this process over time.

How can you protect your organisation or yourself from this vulnerability?
This vulnerability was responsibly disclosed to Broadcom and Cypress who have released updates. ESET also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to notify other possibly affected Wi-Fi chip manufacturers. For any Wi-Fi capable device, you own, please check if there are software or firmware updates available for it.

The ESET researchers did not test if the newer WPA-3 encryption protocol is vulnerable to this issue, however it is less likely to be.

Apples released updates for their iPod, iPad, iPhone, desktop and laptop systems in late October 2019 (please see the references below). The researchers confirmed the following devices are affected but this is not a definitive list.

A list of vulnerable, under investigation and not vulnerable Cisco devices is also linked to below:

Amazon Echo 2nd gen

Amazon Kindle 8th gen

Apple iPad mini 2

Apple iPhone 6, 6S, 8, XR

Apple MacBook Air Retina 13-inch 2018

Google Nexus 5

Google Nexus 6

Google Nexus 6S

Raspberry Pi 3

Samsung Galaxy S4 GT-I9505

Samsung Galaxy S8

Xiaomi Redmi 3S

Wi-Fi Access Points:

Asus RT-N12 (this access point has been confirmed to date back to early 2010)

Huawei B612S-25d (July 2017)

Huawei EchoLife HG8245H (March 2018)

Huawei E5577Cs-321 (February 2015)

My thanks to the ESET researchers for providing the necessary information to write this post.

References:
https://www.eset.com/int/kr00k/

https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/

https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf

https://nvd.nist.gov/vuln/detail/CVE-2019-15126

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-wi-fi-info-disclosure

https://www.zdnet.com/google-amp/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/

https://support.apple.com/en-ie/HT210721

https://support.apple.com/en-ie/HT210722

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15126

https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/

Adobe Flash Player 2020 Update Tracker

As I have done in previous years this post will track the number of vulnerabilities patched within Adobe Flash for 2020. This will be the last year of tracking these numbers since Flash Player is due to be decommissioned at the end of 2020. The major browsers are taking slightly different approaches to the phase out but the result will be the same (FAQ: Flash Player Deprecation).

Mozilla plan to turn off Flash by default in Firefox 84 scheduled for release in December 2020. However it appears the option to re-enable it manually will still be present.

As you know, this post will be updated throughout the year with the details of vulnerabilities being patched and if they are being exploited in the wild.

Thank you.

=======================
14th January 2020: Adobe did not release any Adobe Flash updates this month.

11th February 2020: Adobe releases Flash Player v32.0.0.330 to resolve 1x critical priority 2 vulnerability.

10th March 2020: Adobe did not release any Adobe Flash updates this month.

14th April 2020: Adobe did not release any Adobe Flash updates this month.

12th May 2020: Similar to the previous 2 months, Adobe did not release any Adobe Flash updates in May.

9th June 2020: Adobe releases Flash Player v32.0.0.387 to resolve 1x critical priority 2 vulnerability.
=======================

Update: 19th February 2020: The timeline was created to include the Adobe Flash Player update for February 2020 and to record not updates were issued in January. At the time of writing no exploits for this critical vulnerability disclosed in February are known to be taking place.

Update: 21st April 2020: The timeline above was updated to document that no Flash Player updates were published in March or April 2020.

Update: 19th May 2020: The timeline above was updated to document that no Flash Player updates were published in May 2020. The main text of this post was updated to add Mozilla’s plans for Firefox’s removal of support for Flash later this year.

Update: 9th June 2020: The timeline above was updated to reflect the release of Flash Player v32.0.0.387. At this time no known exploits are in the wild for the vulnerability it resolves.

February 2020 Update Summary

Today marks the release of this year’s second wave of scheduled updates from Adobe and Microsoft. 42 vulnerabilities were resolved by Adobe with Microsoft addressing 99 CVEs (defined).

Let’s start with Adobe’s patches first:
====================
Adobe
====================
Adobe Acrobat and Reader: 17x Priority 2 CVEs resolved (12x Critical, 3x Important, 2x Moderate severity)

Adobe Digital Editions:  2x Priority 3 CVEs resolved (1x Critical and 1x Important severity)

Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Flash Player: 1x Priority 2 CVE resolved (1x Critical severity)

Adobe Framemaker: 21x Priority 3 CVEs resolved (21x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Flash Player, Adobe Acrobat/Reader and Framemaker).
====================

Microsoft’s monthly summary; lists Known Issues for 13 Microsoft products but all have workarounds or resolution steps listed.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: CVE-2020-0710 , CVE-2020-0711 , CVE-2020-0712 , CVE-2020-0713 , CVE-2020-0767

Internet Explorer: CVE-2020-0674 (this was  the zero day (defined) vulnerability reported last month).

Microsoft Edge Chromium:  ADV200002

Windows Shell (LNK): CVE-2020-0729

Windows Remote Desktop Client: CVE-2020-0681 , CVE-2020-0734

Windows Hyper-V: CVE-2020-0662

Windows Media Foundation: CVE-2020-0738

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Earlier this month Mozilla released Firefox 73 and Firefox ESR  (Extended Support Release) 68.5 to address the following vulnerabilities:

Firefox 73.0: Resolves 3x high severity CVEs and 3x moderate severity CVEs

Firefox ESR 68.5: Resolves 2x high severity CVEs and 3x moderate severity CVEs

Firefox 73 brings the following minor features listed below:

  1. A global zoom level configured from the settings menu
  2. Opt-in notification when the use of virtual reality is being requested
  3. A new DNS over HTTP (DoH) (defined) provider was added within Firefox. The new provider, NextDNS can be selected as follows: Select Options -> General -> Network Settings. Scroll down and place a tick/check in the ‘Enable DNS over HTTPs’ box and finally choose from NextDNS as a DoH provider.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available a security update in early February; resolving 56 vulnerabilities bringing Google Chrome to version 80. A further 2 updates on the 11th and 13th were also released but are not security updates.

Version 80 of Chrome also brings changes to how it handles cookies (defined). Specifically, restricting them to first party access by default and requiring website developers to specify within their code which cookies are allowed to work across websites. In addition, 3rd party cookies will then only be sent over HTTPS. This change was initially announced by Google in May 2019. As Google states “This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default”. Further advice to developers is available in this video.

Separately in late February Google released Chrome version 80.0.3987.122 to address 3 security vulnerabilities, the most severe being a zero day (defined) vulnerability designated CVE-2020-6418 which is a type confusion vulnerability within Chrome’s JavaScript (defined) and Web Assembly (defined) engine known as V8.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Realtek Audio/Sound Card Drivers
====================
In early February, the hardware manufacturer Realtek released an updated audio/sound card driver. This driver addressed a security vulnerability that requires an attacker to have already compromised your Windows system and to have obtained administrative privileges. More information on this vulnerability is available from the security researchers who responsibly disclosed (defined) it to Realtek. The vulnerability has been assigned CVE-2019-19705 by Mitre.

This vulnerability is a DLL search-order hijacking vulnerability (defined) which if exploited could allow an attacker to download and run a malicious executable file on your system. They also have the ability to achieve persistence on your system namely that any malware they install will remain on your system after it is shutdown or restarted.

If your system uses a Realtek audio device (use Windows Device Manager and expand the category named “Sound, video and game controllers” looking for a device with Realtek in its name), please refer to the manufacturer of your desktop, laptop or motherboard for a driver update. If no driver is available, please contact them to request that a driver be made available. As per Realtek’s security advisory, drivers with versions later than 1.0.0.8856 (legacy , non DCH (what is the difference between DCH and standard drivers?) are not vulnerable.

====================
Nvidia
====================
On the 28th of February Nvidia released security updates for its drivers which power their Geforce, Tesla and Quadro/NVS GPUs as well and updates for its vGPU software (for Linux, Windows, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Nutanix AHV). Not all updates for the vGPU software are available at this time but are in progress and will be released over the coming weeks (timelines are provided within Nvidia’s security advisory).

As was the case with November’s security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider installing these updates.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.

High
Intel CSME Advisory (Intel Management Engine (ME) Firmware)

Medium
Intel RWC3 Advisory
Intel RWC2 Advisory
Intel MPSS Advisory
Intel Renesas Electronics USB 3.0 Driver Advisory

Low
Intel SGX SDK Advisory

====================
VMware
====================
In the latter half of February, VMware released a critical security advisory to address vulnerabilities within the following product:

vRealize Operations for Horizon Adapter

If you use VMware vRealize Operations for Horizon Adapter, please install the applicable security updates (depending upon which version of this product you are using) as soon as possible.

====================
Wireshark
====================
In the final week of February, updates were released for Wireshark (I’ll detail only the 2 most recent versions here):

v3.2.2: Relating to 4 security advisories (relating to 4 CVEs)

v3.0.9: Relating to 3 security advisories (relating to 3 CVEs)

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.2 or v3.0.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you.

Researchers Disclose New DMA Attacks

=====================
TL;DR
If you own an affected laptop from Dell (XPS 13 7390) or HP (ProBook 640 G4), please update its BIOS/firmware to the most recent version. For other laptop vendors, check if the most recent BIOS/firmware resolves this or similarly named vulnerabilities. For servers, keep operating systems and software up to date and enforce physical access control.

If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. A social engineer might also attempt to exploit this vulnerability using either a closed or open chassis attack.
=====================

=====================
Acknowledgements
My sincere thanks to Eclypsium researchers, Jesse Michael and Mickey Shkatov for their detailed walkthrough of their research within their referenced work (below). I have used this research to provide the extracts below supplementing my write-up of this work below.

=====================

In the second half of last week, security researchers from Eclypsium disclosed a vulnerability present within Dell and HP laptops (however it is likely other vendors are also affected). Servers (especially hosting cloud infrastructure are at increased risk due to the widespread availability of remote DMA (RDMA) (defined) enabled networks.

How serious is this vulnerability?
While the vulnerability is considered high severity due to its CVSS 3 base score of 7.6 (defined) (in the case of CVE-2019-18579 for Dell systems) an attempt to leverage the vulnerability would not be trivial (see also “How can an attacker exploit this vulnerability?” below).

What could an attacker do if they exploited this vulnerability?
According to the researchers “It can allow attackers to bypass hardware-based root-of-trust and chain-of-trust protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start and Microsoft Virtualization-Based Security with Device Guard”.

“an attacker can…extend control over the execution of the kernel itself,”. “This can allow an attacker to execute kernel code on the system, insert a wide variety of kernel implants and perform a host of additional activity such as spawning system shells or removing password requirements”.

How can an attacker exploit this vulnerability?
This vulnerability could be exploited remotely or locally. Let’s discuss the remote means first:

Remote attacks
An attacker would first have needed to compromise software within your system and then attempt to exploit the systems firmware (defined) e.g. the network interface card (NIC). The Eclypsium researchers also provide the following example:

“malware on a device could use a vulnerable driver to implant malicious firmware to a DMA capable device such as a NIC. That malicious code could then DMA back into memory during boot to get arbitrary code injection during the boot process. The fundamental ability of DMA attacks to shim attacker code into the boot process makes it useful for almost any type of attacker goal”.

Alternatively an attacker could use the Throwhammer exploit developed by VUSec to compromise a system by sending specifically crafted data packets to a target system. This results in bit flips within the target systems main memory providing an attacker with code execution for an application (which is remote to the attacker).

Local attacks
Closed chassis
The researchers demonstrated a closed chassis attack on a Dell XPS 13 7390 laptop. They did so by connecting to the Thunderbolt port of the laptop and performed a DMA code injection during the boot process of the system.

Separately the researchers were able to compromise a Dell laptop connected to a modified WiGig (information on WiGig) dock which was wirelessly connected to that dock. They were successful in “dump[ing] secrets out of the laptop remotely over the air. In this example the laptop was never touched by the attacker or physically connected to any device but was compromised remotely via DMA”.

Open chassis
Due to the presence of HP SureStart it was necessary for the attackers to open the case of the HP laptop they were testing namely a HP ProBook 640 G4 (which includes HP SureStart Gen4). Upon opening the chassis, they replaced the systems M.2 wireless card with a Xilinx SP605 FPGA development platform, they then performed the following:

“We were able to successfully attack the system and gain control over the device. By using DMA to modify the system RAM during the boot process, we gained arbitrary code execution, thus bypassing the HP Sure Start protections that verify BIOS code integrity before CPU execution starts”.

How can I protect myself or my organisation from this vulnerability?
If your organisation uses either of the affected laptops, please update their BIOS(defined)/firmware to the most recent version. For other laptop vendors, check if the most recent BIOS/firmware resolves this or similarly named vulnerabilities. The update for the Dell XPS 13 7390 laptop is referenced from within their security advisory.

Since an attacker would need to first compromise the software of your systems, please keep your software (especially web browsers, email clients, productivity software, document readers, virtualisation software and media players) and operating system up to date.

Be cautious with the links you click and when processing your email, don’t click on unknown/unexpected links and don’t open unexpected file attachments. While up to date software and operating systems for servers are equally important they are much less likely to be vulnerable to malicious links in emails, IM clients or drive by downloads since only authorised administrators should have access for maintenance/admin and not for day to day work activities.

Social engineers or malicious insiders may seek to exploit this vulnerability in person, verify the identity of any person before allowing them near your IT infrastructure especially in the case of servers. Lock laptops away when not in use. If employees need to leave laptops unattended, use Kensington locks (especially at locations other than your usual office) and consider the use of port blockers (Type C for Thunderbolt) for laptops and servers which will deter casual attackers or less determined thieves.

For servers (especially part of cloud infrastructure), your existing IT security policy should already include regular patching of servers, only having necessary applications and sufficient physical access control. Access control monitoring should also be in place to detect malicious insiders, while your incident management policy should contain how to respond in a timely and decisive manner.

Thank you.

=====================

Aside
While I have used the term “BIOS/firmware” above they are not the same thing. I have done this since the terms are often used interchangeably and I wish for users to still understand the intended meaning. For one user, they may understand updating their laptops firmware but not updating its BIOS and vice versa. My intention is for them to check the vendor website for such updates and if present, to install them.

At the time of writing the HP ProBook 640 G4 did not have a BIOS update available resolving this vulnerability. From the researchers work, the BIOS appears to be still in beta testing. Please regularly check with the HP website and apply the update when it is publicly available.

=====================

References
Eclypsium PDF Report:
https://eclypsium.com/wp-content/uploads/2020/01/DMA-Attacks-A-Walk-Down-Memory-Lane.pdf

Eclypsium Vulnerability Write Up:
https://eclypsium.com/2020/01/30/direct-memory-access-attacks/

Dell Security Advisory:
https://www.dell.com/support/article/SLN319808

=====================

Blog Post Shout-out: Potential for Ransomware to Leverage Windows EFS

Related to my previous post detailing my tests of anti-ransomware software that could compliment existing anti-malware software, I wish to provide a respectful shout-out to the following post from SafeBreach. It details their results testing a proof of concept of using the built-in Encrypting File System (EFS) capability of Windows in order to encrypt a victim’s files rather than writing their own means of doing so:

https://safebreach.com/Post/EFS-Ransomware

Please review the list of anti-malware and anti-ransomware solutions available within the SafeBreach post. If yours is not on the list, contact the vendor to ask if such a change will be added soon? If you are certain you will not being EFS, disable it using the Windows Registry (defined) changes suggested in their post.

Thank you.

Cable Modems Vulnerable to Cable Haunt Vulnerabilities

=====================
TL;DR
If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. If you use a cable modem for your internet connection, you should check if your modem is vulnerable and follow the step “What should I do” mentioned below.
=====================

In mid-January it was discovered the firmware (defined) of many internet service provider (ISP) modems (specifically combined modems and routers in the same device) was vulnerable to remote takeover by attackers. These vulnerabilities have been named Cable Haunt as an easier to remember reference.

How widespread are the affected modems?
At the least the following manufacturers are affected with up to 200 million vulnerable modems mainly based in Europe but other regions e.g. North America are also affected. Please see also the FAQ “Am I Affected” on the Cable Haunt website.

Arris
COMPAL
Netgear
Sagemcom
Technicolor

Other brands of modems confirmed by the wider community as being vulnerable are:

Cisco EPC3928AD
Cisco/Technicolor DPC3216
Humax HGB10R-02
SMC Electronics SMC D3-CCR-v2
Zoom 5370
Virgin Media’s Super Hub 3 and 4 do not appear to be vulnerable.

How serious are these vulnerabilities?
While the vulnerabilities are serious in their impact, namely complete remote compromise of the device, how an attacker could exploit the vulnerabilities to achieve that outcome is not trivial. As per the researchers:

“This could be exploited by an attacker if you visit a malicious website or if they embed the code, for instance in an advert, on a trusted website. It is important to point out that this is not the only attack vector that can be employed, vulnerable mail-clients, exploited IoT devices, public networks etc. are also viable attack vectors”.

Summary of the Technical Aspects of these vulnerabilities
The vulnerability designated formally as CVE-2019-19494 is a buffer overflow (defined) that if exploited could allow remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device) with kernel level (defined) privileges by using JavaScript (defined) within your web browser. The buffer overflow can be exploited using (according to the researchers: “a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker”.

An important aspect of the above described exploit is that while the attack is a remote attack (using a victim’s web browser) it results in the local compromise of the modems spectrum analyser. Linked to this; a DNS re-bind attack (defined) can be used to enable an attacker the ability to access the compromised spectrum analyser. The result of the above exploits provides the attackers with (according to the researchers): “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP,”. This capability could be used to:

  1. Intercept private messages
  2. Redirect traffic
  3. Add the modems to botnets
  4. Replace the devices firmware
  5. Instruct the device to ignore remote system updates (which could be used to patch the vulnerabilities, complicating the resolution of a compromised device by its legitimate owner/user)

How can I protect my organisation or myself from these vulnerabilities?\
For in-depth answers from the researchers to answer this question in the context of an internet service provider (ISP), the user of the modem (e.g. within a small business), as an individual or a security researcher, please see the question “What Should I do” on the dedicated Cable Haunt website:

https://cablehaunt.com/

According to Graham Cluley: “Some ISPs in Scandinavia appear to have remotely patched the cable modems of their customers, but others have some catching up to do it seems.
If your cable modem contains a Broadcom chipset you might want to contact your ISP and ask them what they’re doing about this”.

Thank you.

=====================

My sincere thanks to the Cable Haunt researchers Alexander Dalsgaard Krog (Lyrebirds), Jens Hegner Stærmose (Lyrebirds), Kasper Kohsel Terndrup (Lyrebirds) and Simon Vandel Sillesen (Independent) as well as Graham Cluley for the excellent information which this blog post is built upon.

January 2020 Update Summary

====================
Update: 11th February 2020
====================
This Internet Explorer zero day (defined) vulnerability was resolved by the patch released by Microsoft today. If you use Internet Explorer (especially versions 8 or earlier), please install this update as soon as possible.

Thank you.

==============
Update: 27th January 2020
==============
Shortly after the release of Microsoft’s scheduled updates, on the 17th of January they issued a security advisory for a critical zero day (defined) vulnerability being exploited by attackers in targeted attacks.

An out of bound update has not been released by Microsoft since by default all support versions of Internet Explorer by default use Jscript9.dll rather than Jscript.dll However versions earlier then IE 9 face increased risk.

If you use Internet Explorer for day to day work or just general surfing, please consider implementing the workaround described within Microsoft’s security advisory. Please remember to remove the workaround prior to installing the relevant security update in February. Also, please note that this workaround is causing some printers not to print and the Microsoft Print To PDF function not to work. If this is the case, use another browser and disable the workaround or use the micropatch (discussed below).

An alternative which according to ghacks.net is free is to install the micro-patch for IE available from 0Patch. More information on the micropatch and how to install it is available in the previous link above. This micropatch does not come with side effects. A YouTube video of the micropatch in action is available from the following link:

https://youtu.be/ixpBN_a2cHQ

Thank you.

==============
Original Post
==============
Happy New Year to my dedicated readers!

Today Adobe and Microsoft released their first security updates of the year. Adobe resolved 9 vulnerabilities more formally known as CVEs (defined) with Microsoft addressing 50 vulnerabilities.

====================
Adobe
====================
Adobe Experience Manager: 4x Priority 2 CVEs resolved (3x Important severity, 1x Moderate severity)

Adobe Illustrator CC: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Illustrator CC).
====================

Inside Microsoft’s monthly summary; there are Known Issues for 9 Microsoft products but all have workarounds (some workarounds will be replaced by further updates).

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows CryptoAPI Spoofing Vulnerability: CVE-2020-0601 (disclosed by the NSA to Microsoft). Further information on this vulnerability is available from KrebsonSecurity, within this CERT advisory and the detailed NSA PDF.

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0609

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0610

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2020-0611

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020 0605

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0606

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0646

Please install the remaining less severe updates at your earliest convenience.

====================
Microsoft Edge Chromium
====================
Tomorrow, 15th January will mark the release of a new version of Microsoft Edge powered by the Chromium rendering engine. This version will be available for Windows 7, 8.1 and 10. This is especially relevant for Windows 7, Windows Server 2008 and Server 2008 R2 since while Windows itself ends its support lifecycle today, Edge Chromium will continue to be supported for a further 18 months. This matches similar statements from Google regarding Chrome and separately Vivaldi.

For details of which versions of Windows 10 will receive the new Edge via Windows Update and which versions will need to download it separately, please refer to this link. I wish to extend my thanks to Softpedia and Bleepingcomputer.com for these really useful links.

If for any reason, you wish to use the previous version of Edge (which uses the legacy rendering engine, please see this link for details of how to run the older version alongside its modern equivalent).

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
In early January Mozilla released new versions of Firefox to address the following vulnerabilities and to add new user privacy features:

Firefox 72.0: Resolves 5x high severity CVEs (defined), 5x moderate CVEs and 1x low CVE

Firefox ESR 68.4 (Extended Support Release): Resolves 4x high severity CVEs and 2x moderate CVEs

More recently Firefox 72.0.1 was released to address a single critical severity zero day (defined) vulnerability which was responsibly disclosed to Mozilla and fixed very quickly. Finally Firefox 72.0.2  was released on the 20th of January resolving inconsistent playback of full-screen HD videos among non-security other issues.

Highlights from version 72 of Firefox include:
In addition to picture in picture enabled by default for macOS and Linux, it blocks the use of fingerprinting by default (the collection of data from your system e.g. browser version, font size, screen resolution and other unique data. This protection is provided by Disconnect. There are multiple levels of fingerprinting protection provided with the standard level being enabled by default. The strict level however may lead to websites not functioning as expected. Further details are available here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Wireshark
====================
In mid-January the following Wireshark updates were released:

v3.2.1: Relating to 1 security advisory

v3.0.8: Relating to 1 security advisory

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.1 or v3.0.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 3 vulnerabilities while the second resolves 16 vulnerabilities. The second also provides mitigation for the vulnerability disclosed by the NSA to Microsoft more commonly known as the  Chain of Fools/CurveBall or CVE-2020-0601 This test page from SANS will then show your system is no longer vulnerable after applying the second update. Please still apply the update from Microsoft to provide the most protection, Google’s changes are a mitigation only.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories:

High
Intel VTune Amplifier for Windows Advisory

Medium
Intel Processors Data Leakage Advisory
Intel Processor Graphics Advisory
Intel RWC 3 for Windows Advisory
Intel Chipset Device Software Advisory
Intel SNMP Subagent Stand-Alone Advisory for Windows

Low
Intel Data Analytics Acceleration Library (DAAL)

====================
VMware
====================
VMware released 2 security advisories in January , the first is of moderate severity with the second being of important severity. The advisories relate to the following products:

Moderate Severity Advisory:

Workspace ONE SDK

Workspace ONE Boxer

Workspace ONE Content

Workspace ONE SDK Plugin for Apache Cordova

Workspace ONE Intelligent Hub

Workspace ONE Notebook

Workspace ONE People

Workspace ONE PIV-D

Workspace ONE Web

Workspace ONE SDK Plugin for Xamarin

Important Severity Advisory:
VMware Tools

If you use the above VMware products, please review the advisories and apply the necessary updates.

=======================
Oracle:
=======================
Oracle issued updates to resolve 334 vulnerabilities in January 2020. Further details and installation steps are available here. 12 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

Microsoft Ends Support for Windows 7, Server 2008 and Server 2008 R2

As you are likely aware, on Tuesday, 14th January Microsoft will end support for Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Approximately, 27% of all Windows devices are using Windows 7 so many devices are potentially impacted.

For enterprise and organisations, please consider upgrading to a newer version of Windows. Further details of your options are available here (this link mentions newer versions of Windows Server after Windows Azure). For Windows 7 users, you can consider upgrading to Windows 10 or paying for extended security updates (for businesses and enterprises only). This article provides details of your options (my thanks to TechRadar for this article).

Application compatibility when migrating from Windows 7 to Windows 10 (or their Server equivalent) is very good. Microsoft (perhaps) conveniently states it at a 99% chance your applications will work without changes. For businesses they offer their Desktop App Assure service for assistance if a Windows 7 applications experiences issues on Windows 10.

====================
Update: 14th January 2020
====================
Further suggestions to better defend Windows 7, Windows Server 2008 and Windows Server 2008 R2 are the following (my thanks to itlab.com for this list):

  • Make the system offline only, if network access isn’t needed (take it off the wired or wireless network).
  • If network access is needed, put the system on a separate subnet and only permit access to and from it for authorized systems. Make sure to narrow the ports permitted to connect to and from this system so that only needed ports are open.
  • Remove all unnecessary apps and disable any unneeded services.
  • If the system is a virtual machine, take periodic snapshots of it, so if it becomes affected by a vulnerability, you can restore the snapshot easily.
  • Make certain this system is not permitted to access the internet unless it is necessary for functionality. Ensure a proxy server is in place and will only permit access to authorized sites.
  • Make sure the system has anti-malware software on it, and it’s regularly updated.

While Microsoft’s Extended Security Updates (ESU) paid for scheme applies to businesses of all sizes you may experience is fewer than 50 staff as evidenced by well known Microsoft blogger, Ed Bott in the his article. While further providers came forward after the article was published, please be aware that it may not be a simple process to be accepted for the scheme.

A practical list of Windows 7 FAQs is also available from here (my thanks to AskWoody.com for this)

Thank you.

====================

Further References:
Support for Windows 7 is nearing the end

Support for Windows 7 ends in January 2020 (links for business, enterprise and home users)

December 2019 Update Summary

As scheduled, on the 10th of December Adobe and Microsoft made available their monthly security updates.

Adobe resolved 25 CVEs this month with Microsoft separately patching 36 CVEs (defined).
====================
Adobe Brackets (an open source (the source code (human readable code) is free to view and edit by the wider IT community) application development editor focused on web development): 1x Priority 3 CVE resolved (1x Critical severity)

Adobe ColdFusion: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Photoshop CC: 2x Priority 3 CVEs resolved (2x Critical severity)

Adobe Acrobat and Reader: 21x Priority 2 CVEs resolved (14x Critical severity and 7x Important severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities in all but ColdFusion).
====================

Within Microsoft’s monthly summary; there are Known Issues for 17 Microsoft products but all have workarounds (some workarounds will be replaced by revised or further updates) or updates already available to resolve them.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Graphics Component (Win32k Graphics): CVE-2019-1468

Microsoft Windows Kernel (defined): CVE-2019-1458

Windows Hyper-V: CVE-2019-1471

Microsoft Visual Studio: CVE-2019-1349 , CVE-2019-1350 , CVE-2019-1352 , CVE-2019-1354 , CVE-2019-1387

Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs (defined) and used for Windows Hello for Business: Security Advisory

Please install the remaining less severe updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Mozilla released new versions of Firefox to address the following vulnerabilities and to introduce new privacy features:

Firefox 71.0: Resolves 6x high severity CVEs (defined) and 5x moderate CVEs

Firefox ESR 68.3 (Extended Support Release): Resolves 4x high severity CVEs and 4x moderate CVEs

Highlights from version 71 of Firefox include:
An improved password manager which has the ability to recognise subdomains and to provide password breach notifications from Firefox Monitor for users with screen readers. Native MP3 decoding, kiosk mode and picture in picture support were also added.

The tracking protection enabled by default from Firefox 69 has been enhanced to add 3 different levels (similar to high, medium and custom) of protection and to provide a summary of the number of tracking preventative actions Firefox takes on your behalf. An in-depth description of this feature is available in this Softpedia article. My thanks as always to its author Bogdan Popa for this really well gathered information.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves  5 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
AMD
=======================
In early December AMD issued a security advisory for its GPU and APU (defined) drivers (defined). It resolves 2 vulnerabilities CVE-2019-5049 and CVE-2019-5098. The steps to install the drivers on Windows are located here with a guide for Linux available here. Please make certain the drivers are version 20.1.1 or later (as per multiple recommendations from Talos, 1 , 2 and 3). As per those same recommendations if you use VMware Player or Workstation Pro, please make certain it is version 15.5.1 or later. If you use the affected AMD graphics cards, please consider updating your drivers to the most recent available.

====================
Nvidia
====================
In late December Nvidia released a security update for Nvidia Geforce Experience to resolve a vulnerability that may lead to a denial of service (defined) issue or an escalation of privilege (defined) issue. This vulnerability is a local vulnerability rather than remote meaning that an attacker would first need to compromise your system before exploiting this vulnerability to elevate their privileges. To resolve this local vulnerability within Geforce Experience  apply the necessary update by opening Geforce Experience which will automatically update it or the update can be obtained from here.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The high priority advisories are the following:

High
Linux Administrative Tools for Intel Network Adapters Advisory

Intel NUC Firmware Advisory

The remaining advisories are of medium and low priority:

Medium
Intel Quartus Prime Pro Edition Advisory

Intel RST Advisory (see also my separate post on this vulnerability)

Control Center-I Advisory

Intel SCS Platform Discovery Utility Advisory

Unexpected Page Fault in Virtualized Environment Advisory

Intel FPGA SDK for OpenCL Advisory

Low
Intel Ethernet I218 Adapter Driver for Windows Advisory

Intel Dynamic Platform and Thermal Framework Advisory

====================
VMware
====================
Similar to last month, VMware released 2 further security advisories, the first is of critical severity with the second being of moderate severity relating to the products:

Critical Severity Advisory:

VMware ESXi
VMware Horizon DaaS appliances

Moderate Severity Advisory:
VMware Workstation Pro / Player for Linux
VMware Horizon View Agent

If you use the above VMware products, please review the advisories and apply the necessary updates.

====================
OpenSSL
====================
On the 6th December; the OpenSSL Foundation issued 1 update for OpenSSL to address a single low severity security vulnerability as detailed in this security advisory. To resolve this issue please update your OpenSSL installations to 1.1.1e-dev or 1.0.2u (as appropriate). Please note that OpenSSL 1.0.2 will be unsupported and thus will not receive any security updates after 31st December 2019. Please upgrade to version 1.1.1 or later.

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Apple Security Updates
=======================
Throughout December Apple has released security updates for the following products:

Apple iOS v12.4.4 and 13.3 / iPad OS 13.3: Resolves 1 CVE (defined) and 14 CVEs (respectively)

Apple Safari 13.0.4: Resolves 2 CVEs

Apple macOS Catalina and macOS High Sierra: Resolves 52 CVEs

Apple tvOS 13.3: Resolves 11 CVEs

Apple watchOS 5.3.4 and 6.1.1: Resolves 1 CVE and 10 CVEs (respectively)

Apple Xcode 11.3: Resolves 1 CVE

Apple iTunes 12.10.3 for Windows: Resolves 4 CVEs

Apple iCloud for Windows 7.16 (includes AAS 8.2): Resolves 4 CVEs

Apple iCloud for Windows 10.9: Resolves 4 CVEs

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
Wireshark
====================
In early December the following Wireshark updates were released:

v3.0.7: 1 security advisory

v2.6.13: 1 security advisory

The above v3.0.7 version was later super seceded by v3.2 on the 18th of December. While it does not address security issues, it will be the version being updated going forward. Version 3.2 will also be the last version to support Windows Server 2008 R2 and Windows 7.

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.7 or v2.6.13). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

November 2019 Update Sumamry

Apologies this notification is late due to my professional commitments.

As expected, on Tuesday 12th November Adobe and Microsoft made available their scheduled security updates. Adobe addressed 11 vulnerabilities with Microsoft also addressing 74 vulnerabilities more formally known as CVEs (defined).

====================
Adobe Animate CC: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Bridge CC: 2x Priority 3 CVEs resolved (2x Important severity)

Adobe Illustrator CC:  3x Priority 3 CVEs resolved (1x Critical severity and 2x Important severity)

Adobe Media Encoder: 5x Priority 3 CVEs resolved (1x Critical severity and 4x Important severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities).
====================

Within Microsoft’s monthly summary; there are Known Issues for 13 Microsoft products but all have workarounds or updates available to resolve  them.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Microsoft Graphics Component (Win32k Graphics): CVE-2019-1441

Microsoft Graphics Component (OpenType font Parsing): CVE-2019-1419

Microsoft Scripting Engine: CVE-2019-1429 , CVE-2019-1426 , CVE-2019-1427

Microsoft Exchange Server: CVE-2019-1373

Windows Media Player: CVE-2019-1430

Windows Hyper-V: CVE-2019-1398 , CVE-2019-0719 , CVE-2019-1397 , CVE-2019-0721 , CVE-2019-1389

STMicroelectronics TPM (defined) Security Advisory

Please install the remaining less severe updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves  5 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Intel Security Advisories:
====================
Intel have released a series of security advisories this month. The critical and high priority advisories are the following:

Critical
2019.2 IPU – Intel® CSME, Intel® SPS, Intel® TXE, Intel® AMT, Intel® PTT and Intel® DAL Advisory

High
2019.2 IPU – Intel® Graphics Driver for Windows* and Linux Advisory

2019.2 IPU – Intel® SGX and TXT Advisory

2019.2 IPU – Intel® Processor Security Advisory

The remaining advisories are of medium priority:
2019.2 IPU – Intel® Processor Machine Check Error Advisory

2019.2 IPU – Intel® Processor Graphics Update Advisory

2019.2 IPU – Intel® TXT Advisory

2019.2 IPU – Intel® SGX with Intel® Processor Graphics Update Advisory

2019.2 IPU – Intel® Processor Graphics SMM Advisory

If you use any of the affected software or products, please update them as soon as possible especially in the case of the critical and high severity advisories.

====================
VMware
====================
VMware made available two security advisories, one of Important severity and the other of Moderate severity to addresses vulnerabilities within the following products:

Important Severity Advisory:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

Moderate Severity Advisory:
VMware ESXi
VMware Workstation
VMware Fusion

If you use the above VMware products, please review the advisories and apply the necessary updates.

====================
Nvidia
====================
In early November Nvidia made available Windows driver updates for their Geforce, Tesla and Quadro/NVS GPUs as well as their vGPU software (for Linux and Windows).  All vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider updating your drivers to the most recent available.

Further updates were made available for the NVFlash tool (not applicable to end users) and Nvidia Geforce Experience. To resolve the local vulnerabilities within Geforce Experience  apply the necessary update by opening Geforce Experience which will automatically update it or the update can be obtained from here.