Tag Archives: javascript

February 2020 Update Summary

Today marks the release of this year’s second wave of scheduled updates from Adobe and Microsoft. 42 vulnerabilities were resolved by Adobe with Microsoft addressing 99 CVEs (defined).

Let’s start with Adobe’s patches first:
====================
Adobe
====================
Adobe Acrobat and Reader: 17x Priority 2 CVEs resolved (12x Critical, 3x Important, 2x Moderate severity)

Adobe Digital Editions:  2x Priority 3 CVEs resolved (1x Critical and 1x Important severity)

Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Flash Player: 1x Priority 2 CVE resolved (1x Critical severity)

Adobe Framemaker: 21x Priority 3 CVEs resolved (21x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Flash Player, Adobe Acrobat/Reader and Framemaker).
====================

Microsoft’s monthly summary; lists Known Issues for 13 Microsoft products but all have workarounds or resolution steps listed.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: CVE-2020-0710 , CVE-2020-0711 , CVE-2020-0712 , CVE-2020-0713 , CVE-2020-0767

Internet Explorer: CVE-2020-0674 (this was  the zero day (defined) vulnerability reported last month).

Microsoft Edge Chromium:  ADV200002

Windows Shell (LNK): CVE-2020-0729

Windows Remote Desktop Client: CVE-2020-0681 , CVE-2020-0734

Windows Hyper-V: CVE-2020-0662

Windows Media Foundation: CVE-2020-0738

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Earlier this month Mozilla released Firefox 73 and Firefox ESR  (Extended Support Release) 68.5 to address the following vulnerabilities:

Firefox 73.0: Resolves 3x high severity CVEs and 3x moderate severity CVEs

Firefox ESR 68.5: Resolves 2x high severity CVEs and 3x moderate severity CVEs

Firefox 73 brings the following minor features listed below:

  1. A global zoom level configured from the settings menu
  2. Opt-in notification when the use of virtual reality is being requested
  3. A new DNS over HTTP (DoH) (defined) provider was added within Firefox. The new provider, NextDNS can be selected as follows: Select Options -> General -> Network Settings. Scroll down and place a tick/check in the ‘Enable DNS over HTTPs’ box and finally choose from NextDNS as a DoH provider.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available a security update in early February; resolving 56 vulnerabilities bringing Google Chrome to version 80. A further 2 updates on the 11th and 13th were also released but are not security updates.

Version 80 of Chrome also brings changes to how it handles cookies (defined). Specifically, restricting them to first party access by default and requiring website developers to specify within their code which cookies are allowed to work across websites. In addition, 3rd party cookies will then only be sent over HTTPS. This change was initially announced by Google in May 2019. As Google states “This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default”. Further advice to developers is available in this video.

Separately in late February Google released Chrome version 80.0.3987.122 to address 3 security vulnerabilities, the most severe being a zero day (defined) vulnerability designated CVE-2020-6418 which is a type confusion vulnerability within Chrome’s JavaScript (defined) and Web Assembly (defined) engine known as V8.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Realtek Audio/Sound Card Drivers
====================
In early February, the hardware manufacturer Realtek released an updated audio/sound card driver. This driver addressed a security vulnerability that requires an attacker to have already compromised your Windows system and to have obtained administrative privileges. More information on this vulnerability is available from the security researchers who responsibly disclosed (defined) it to Realtek. The vulnerability has been assigned CVE-2019-19705 by Mitre.

This vulnerability is a DLL search-order hijacking vulnerability (defined) which if exploited could allow an attacker to download and run a malicious executable file on your system. They also have the ability to achieve persistence on your system namely that any malware they install will remain on your system after it is shutdown or restarted.

If your system uses a Realtek audio device (use Windows Device Manager and expand the category named “Sound, video and game controllers” looking for a device with Realtek in its name), please refer to the manufacturer of your desktop, laptop or motherboard for a driver update. If no driver is available, please contact them to request that a driver be made available. As per Realtek’s security advisory, drivers with versions later than 1.0.0.8856 (legacy , non DCH (what is the difference between DCH and standard drivers?) are not vulnerable.

====================
Nvidia
====================
On the 28th of February Nvidia released security updates for its drivers which power their Geforce, Tesla and Quadro/NVS GPUs as well and updates for its vGPU software (for Linux, Windows, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Nutanix AHV). Not all updates for the vGPU software are available at this time but are in progress and will be released over the coming weeks (timelines are provided within Nvidia’s security advisory).

As was the case with November’s security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider installing these updates.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.

High
Intel CSME Advisory (Intel Management Engine (ME) Firmware)

Medium
Intel RWC3 Advisory
Intel RWC2 Advisory
Intel MPSS Advisory
Intel Renesas Electronics USB 3.0 Driver Advisory

Low
Intel SGX SDK Advisory

====================
VMware
====================
In the latter half of February, VMware released a critical security advisory to address vulnerabilities within the following product:

vRealize Operations for Horizon Adapter

If you use VMware vRealize Operations for Horizon Adapter, please install the applicable security updates (depending upon which version of this product you are using) as soon as possible.

====================
Wireshark
====================
In the final week of February, updates were released for Wireshark (I’ll detail only the 2 most recent versions here):

v3.2.2: Relating to 4 security advisories (relating to 4 CVEs)

v3.0.9: Relating to 3 security advisories (relating to 3 CVEs)

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.2 or v3.0.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you.

Cable Modems Vulnerable to Cable Haunt Vulnerabilities

=====================
TL;DR
If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. If you use a cable modem for your internet connection, you should check if your modem is vulnerable and follow the step “What should I do” mentioned below.
=====================

In mid-January it was discovered the firmware (defined) of many internet service provider (ISP) modems (specifically combined modems and routers in the same device) was vulnerable to remote takeover by attackers. These vulnerabilities have been named Cable Haunt as an easier to remember reference.

How widespread are the affected modems?
At the least the following manufacturers are affected with up to 200 million vulnerable modems mainly based in Europe but other regions e.g. North America are also affected. Please see also the FAQ “Am I Affected” on the Cable Haunt website.

Arris
COMPAL
Netgear
Sagemcom
Technicolor

Other brands of modems confirmed by the wider community as being vulnerable are:

Cisco EPC3928AD
Cisco/Technicolor DPC3216
Humax HGB10R-02
SMC Electronics SMC D3-CCR-v2
Zoom 5370
Virgin Media’s Super Hub 3 and 4 do not appear to be vulnerable.

How serious are these vulnerabilities?
While the vulnerabilities are serious in their impact, namely complete remote compromise of the device, how an attacker could exploit the vulnerabilities to achieve that outcome is not trivial. As per the researchers:

“This could be exploited by an attacker if you visit a malicious website or if they embed the code, for instance in an advert, on a trusted website. It is important to point out that this is not the only attack vector that can be employed, vulnerable mail-clients, exploited IoT devices, public networks etc. are also viable attack vectors”.

Summary of the Technical Aspects of these vulnerabilities
The vulnerability designated formally as CVE-2019-19494 is a buffer overflow (defined) that if exploited could allow remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device) with kernel level (defined) privileges by using JavaScript (defined) within your web browser. The buffer overflow can be exploited using (according to the researchers: “a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker”.

An important aspect of the above described exploit is that while the attack is a remote attack (using a victim’s web browser) it results in the local compromise of the modems spectrum analyser. Linked to this; a DNS re-bind attack (defined) can be used to enable an attacker the ability to access the compromised spectrum analyser. The result of the above exploits provides the attackers with (according to the researchers): “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP,”. This capability could be used to:

  1. Intercept private messages
  2. Redirect traffic
  3. Add the modems to botnets
  4. Replace the devices firmware
  5. Instruct the device to ignore remote system updates (which could be used to patch the vulnerabilities, complicating the resolution of a compromised device by its legitimate owner/user)

How can I protect my organisation or myself from these vulnerabilities?\
For in-depth answers from the researchers to answer this question in the context of an internet service provider (ISP), the user of the modem (e.g. within a small business), as an individual or a security researcher, please see the question “What Should I do” on the dedicated Cable Haunt website:

https://cablehaunt.com/

According to Graham Cluley: “Some ISPs in Scandinavia appear to have remotely patched the cable modems of their customers, but others have some catching up to do it seems.
If your cable modem contains a Broadcom chipset you might want to contact your ISP and ask them what they’re doing about this”.

Thank you.

=====================

My sincere thanks to the Cable Haunt researchers Alexander Dalsgaard Krog (Lyrebirds), Jens Hegner Stærmose (Lyrebirds), Kasper Kohsel Terndrup (Lyrebirds) and Simon Vandel Sillesen (Independent) as well as Graham Cluley for the excellent information which this blog post is built upon.

NoScript Extension Made Available for Google Chrome

In early April the very well-known Firefox extension NoScript became available for Google Chrome. This extension should still be considered beta as detailed in this ZDNet article but it’s fast approaching a stable status expected later this month.

This extension helps to reduce the attack surface of your web browser by only executing (allowing to run) JavaScript (defined) for the websites that you have allowed. This reduces the possibility of exploitation of vulnerabilities and reduces/eliminated online adverts. Unfortunately, due to limitations within Chrome; the anti-XSS (cross site scripting)(defined) filter of NoScript cannot be implemented at this time). Further background on NoScript is available from here.

Thank you.

Responding to the Intel Spoiler Vulnerability

====================
Updated: 20th March 2019
====================
TL DR:
The Intel Spoiler vulnerability is not as bad as predicted. Software developers should continue to use safer code development practices.

====================
After the disclosure earlier this month of this vulnerability Intel have provided further information on how it affects their microprocessors. They have clarified that the Spoiler exploit by itself does not reveal secret data and is not a speculative execution side channel method:

Other good news is that existing mitigations such as KPTI (kernel page table isolation) reduce the risk of leaking data across privilege levels. They again confirmed that side channel safe software development practices such as “ensuring execution time and control flows are identical regardless of secret data” will mitigate classic side channel methods enabled by the Spoiler exploit. Furthermore, they confirmed memory modules which are already mitigated against Rowhammer attacks remain protected against the Spoiler exploit.

Lastly AMD provided formal confirmation that their microprocessors are not vulnerable after preliminary findings suggested they weren’t vulnerable. AMD’s statement is available from this link.

Thank you.

====================
Original Post:
====================
Earlier this month a new vulnerability was disclosed in a research paper titled “Spoiler: Speculative load hazards boost Rowhammer and cache attacks”.

TL DR: Mitigating this newly disclosed vulnerability is the job of software developers to work around using safer code development practices. Mitigating this issue in hardware will take longer since current measures cause too much of a performance penalty.

Why should this vulnerability be considered important?
Using this new method; attackers are likely to find existing cache and memory Rowhammer attacks easier to carry out. In addition, JavaScript (defined) attacks which can take long periods of time may be shortened to mere seconds. The paper contains a cache prime and probe technique to leak sensitive data using JavaScript.

This Spoiler vulnerability can be used by attackers (who MUST have already compromised your system) to extract sensitive information from the systems memory (RAM). An attack does not require elevated privileges.

What CPUs (microprocessors / computer chips) are affected?
This vulnerability affects Intel processors only; first generation Intel Core (from early 2006) and later are affected. ARM and AMD processors are not affected. Any system with an Intel Core processor is affected regardless of the operating they are using namely Linux, Unix, Apple macOS and Windows can be all affected.

How does this vulnerability achieve the above results?
The security researchers who authored the paper found a vulnerability in the memory order buffer that can be used to gradually reveal information about the mappings of physical memory to non-privileged software processes (in other words; applications). This technique also affects virtual machine (VM) and sandboxed (defined) environments.

The technique works by understanding the relationship between virtual and physical memory by timing the speculative load and store operations to these areas while looking out for discrepancies which disclose the memory layout to you. With this information an attacker knows where to focus their efforts.

Intel’s proprietary implementation of the memory subsystem (memory disambiguation) is the root cause of the vulnerability. When a physical address conflict (the address/area is already in use) occurs, the algorithm leaks the access timings. The algorithm in the researcher’s words works as follows “Our algorithm, fills up the store buffer within the processors with addresses that have the same offset but they are in different virtual pages. Then, we issue a memory load that has the same offset similarly but from a different memory page and measure the time of the load. By iterating over a good number of virtual pages, the timing reveals information about the dependency resolution failures in multiple stages.”

How can this vulnerability be mitigated/patched?
This vulnerability lies within the memory disambiguation algorithm which won’t be trivial to resolve anytime soon. Since this vulnerability is not related to last years Spectre vulnerability; mitigations for that vulnerability don’t help here. Current Spoiler mitigations have too much of performance penalty. At this time, Intel has issued the following statement:

“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

The side channel safe development practices are linked to below:

Software Guidance for Security Advisories

Addressing Hardware Vulnerabilities

Thank you.

May 2018 Update Summary

====================
Update: 5th June 2018:
====================
As discussed in the post below, the zero day vulnerability (defined) designated as CVE-2018-8174 (defined) patched by Microsoft last month has since been incorporated into the RIG exploit kit (defined). The attackers have used the extra detail provided from anti-malware vendors, GitHub (the popular source code repository) and MetaSploit (defined) to create this exploit.

As detailed below, the vulnerability is considered medium severity; however it also requires actions from the user before it take any malicious action usually opening a malicious file or visiting a malicious website.

Please use caution for any email that you receive with an attachment you weren’t expecting. Thank you.

====================
Update: 31st May 2018:
====================
A vulnerability in the JScript (Microsoft’s implementation of JavaScript (defined) has been responsibility disclosed (defined) by Dmitri Kaslov of Telspace Systems, who passed it along to Trend Micro’s Zero-Day Initiative (ZDI). At this time, this vulnerability is un-patched and is thus a zero day vulnerability (defined).

The vulnerability allows a remote attacker to execute malicious instructions of their choice on the victim’s system but only in the context of a sandboxed (defined) environment. In other words, the code cannot itself be used to fully compromise a system. It must be leveraged with another vulnerability to have the potential of fully compromising a system making the vulnerability less serious.

At this time, components within Windows such as wscript.exe and Internet Explorer should not not permitted to run untrusted JScript code. This mitigation (please see the heading near the end of the page named: “How To Tell Explorer To Open .JS Files With Notepad”) may be of assistance with implementing this recommendation.

I will update this post when this vulnerability is patched by Microsoft or when further information becomes available.

Thank you.

====================
Update: 18th May 2018:
====================
Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4100347

This update was not offered to my Windows laptop running Version 1803. As you know it contains an Intel Core i7 6500U CPU. I downloaded the version 1803 update from the Microsoft Catalog and it installed successfully. My system is showing the full green result when the PowerShell command Get-SpeculationConntrolSetting is run. It results in the final screenshot shown with this article. Further tips on running this useful command are provided in this Microsoft support article, please see the headings “PowerShell Verification using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)” or “PowerShell Verification using a download from Technet (earlier operating system versions and earlier WMF versions)” depending on your version of Windows.

Microsoft have also issued an update for Windows version 1709 to resolve a vulnerability again introduced by their previous patch. This resolution was provided in update kb4103727. Further details are available in Alex Ionescu’s tweet (a security architect with CrowdStrike and Windows Internals expert). Previous Spectre V2 patches were kb4091666 and kb4078407

This issue was already addressed in version 1803 of Windows.

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

Thank you.

====================
Update: 17th May 2018:
====================
Adobe have since issued further updates to resolve critical vulnerabilities within Adobe Acrobat DC, Adobe Reader DC and Photoshop. Further details of the zero day (defined) vulnerabilities addressed in Adobe Acrobat/Reader are available here and here.

Adobe Acrobat and Reader (priority 1, 47 CVEs)

Adobe Photoshop CC 2018 and 2017 (priority 3, 1 CVE).

Further updates are listed at the end of this post. Thank you.

====================
Update: 10th May 2018:
====================
Further details have emerged of another zero day (defined) vulnerability affecting Windows Server 2008 R2 and Windows 7.

CVE-2018-8120 is an elevation of privilege (defined) vulnerability but can only be exploited if the attacker has already compromised the user account of the system allowing the attacker to log in when they choose. Upon logging in the attacker could obtain kernel level access/permissions (defined) by elevating their privileges to carry out any action they choose.

The prioritised list below has been updated to reflect this. Thank you.
====================

====================
Original Post:
====================

====================
Apologies for only posting an update summary last month. Other commitments meant I didn’t have the bandwidth to contribute more. I’ll try to make more time this month. Thanks.
====================

Earlier today Microsoft released their scheduled monthly security updates resolving 67 vulnerabilities. Notably Windows 10 Version 1803 receives it’s first update this month. Windows Server 2016 Version 1803 remains in testing in advance of it’s upcoming release. As always Microsoft have provided further details are provided within their Security Updates Guide.

There are 4 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4103712

4103718

4103723

4103727

====================

Separately, Adobe released updates for 3 of their products, namely:

Adobe Creative Cloud Desktop Application (priority 2 (overall), 3x CVEs)

Adobe Connect (priority 2, 1x CVE)

Adobe Flash Player (priority 2, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature (the update was not available at the time of writing). Like last month; Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI was phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Windows VBScript Engine Remote Code Execution Vulnerability (a zero day (defined) vulnerability)

Win32k Elevation of Privilege Vulnerability

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Hyper-V (Update 1 and Update 2)

Microsoft Office (detailed list available here)
====================
Please install the remaining updates at your earliest convenience.

One of the vulnerabilities addressed by Microsoft this month, namely CVE-2081-8897: Windows Kernel Elevation of Privilege Vulnerability arose due to the misinterpretation of documentation from Intel regarding how a CPU (defined) raise a debug (defined) exception to transfer control to debugging software (usually used by a software developer). The specific instructions were the assembly language instructions (defined) MOV to SS and POP to SS.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Malwarebytes Anti-Malware
=======================
Last week Malwarebytes updated their anti-malware product to version 3.5.1. The full list of improvements is available here but it also updated their include 7-Zip to version 18.05. I verified this manually since the above release notes did not make reference to it. Further details of the 7-Zip update are available in my April blog post.

Moreover; Directory Opus updated their product to version 12.8.1. Beta adding new DLLs (defined) for 7-Zip and UnRAR once again to address the vulnerabilities found within the UnRAR DLL also used by 7-Zip.

=======================
Mozilla Firefox:
=======================
This month Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

9th May: Firefox 60.0: Resolves 2x critical CVEs, 6x high, 14 moderate CVEs and  4x low severity CVEs

9th May: Firefox ESR 52.8: Resolves 2x critical, 5x high, 3x moderate CVEs

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google released Google Chrome version 66.0.3359.170 to address 4 number of vulnerabilities and to include a newer version of Adobe Flash Player.

One of the four vulnerabilities addressed relates to how Chrome handles browser extensions resolving a privilege escalation issue (defined). Further details are availability here.

=======================
Wireshark 2.4.7 and 2.6.1
=======================
v2.4.7: 6 security advisories

v2.6.1: 9 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.1) or v2.4.7). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
USB Denial of Service (DoS) Will not Receive a Fix
=======================
In other vulnerability related news; a denial of service issue (defined) privately/responsibly disclosed (defined) by a security researcher Marius Tivadar will not fixed by Microsoft with a security update since the vulnerability requires physical access to the target system or social engineering (defined) and does not result an attacker being able to execute code of their choice on the affected system.

In my opinion; this is justified since if an attacker can obtain physical access to your system it significantly enhances the damage they can do. This statement also forms part of Microsoft’s 10 Immutable Laws of Security.

====================
Update: 31st May 2018
====================

=======================
VideoLAN VLC:
=======================
Yesterday VideoLAN made available VLC version 3.0.3 for Linux, Windows, macOS, BSD, Android, iOS, UWP and Windows Phone. It’s release notes detail one potential security issue (buffer overread  (defined)) and other 3rd party libraries being updated to address security issues. No specific numbers were provided. A large number of non-security issues were also resolved.

Please update to version 3.0.3 to benefit from these improvements.

=======================
Google Chrome:
=======================
Earlier this month Google made available version  67 delivering 34 security issues. The improvements part of this new version are discussed in this Bleeping Computer article.

Moreover this version includes an early implementation of a new user interface for the tabs, address bar, settings button (sometimes referred to as the “chrome” (no pun intended) of an application). This article provides more details and includes steps to enable the new UI. I have done so and it’s a subtle difference but I already really like it. The Incognito mode is even more noticeable. The UI also seems more responsive (but that may be placebo effect).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Apple Security Updates:
=======================
In late May Apple made available the following updates. Interestingly while the updates were available; no specific details of the improvements they include (security or otherwise) are yet available.

Initially, further details of the updates made available by Apple are emerging. Sophos have theroized that Apple have made improvements to the iOS Messages app making it more stable and less susceptible to crashing. They are thus recommending that you install the iOS 11.4 update as soon as possible.

They also discuss the addition of a new security feature which blocks access to a mobile device if the passcode has not been entered within the last seven days. This change is expected to become part of 11.4.1 and a stricter form for iOS 12. After this time the Apple Lightning cable will only charge the device and not allow data access. This appears to be part of Apple’s response to law enforcement and forensics firms accessing Apple devices attempting to collect evidence of the device’s owner’s wrongdoings.

Further details have since emerged for these Apple security updates:

Apple iOS v11.4 (resolves 35x CVEs (defined))

Apple tvOS 11.4 (resolves 24x CVEs)

Apple watchOS 4.3.1 (resolves 20x CVEs)

Apple iTunes version 12.7.5 for Windows (resolves 16x CVEs)

Moreover, BleepingComputer have discussed two of the vulnerabilities patched were buffer overflows (defined) both present in the kernels (defined) of iOS, macOS, tvOS and watchOS.

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.8.20 (Build 294). This update resolves a vulnerability relating to DLL hijacking (defined)(apologies; for this link you may need to dismiss several adverts before the requested page loads). Any previous version of the tool should update automatically when opened to the most recent version.

WordPress Releases Security Update (February 2016)

On the 3rd of February WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. One is a server-side request forgery (SSRF) attack that could allow information disclosure since it has the potential to bypass normal access controls. The remaining issue was present on the login page of WordPress which could have been used to cause a redirect for a user trying to login.

Due to the severity of these issues, WordPress is advising it’s users to update immediately.

Separately a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to the websites that results in visitors to those sites being redirected to a website of the attacker’s choice. The JavaScript can deliver the ransomware to a victim system if it is using outdated versions of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight since it makes uses of the Nuclear exploit kit (defined). At this time there is very little detection of the exploit code using VirusTotal.com

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list including further details of this threat is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover; a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post as they describe how the exploits have switched from the Nuclear exploit kit (defined) the to the Angler exploit kit.

As always; WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover; specific information on Adobe updates is available here with Microsoft updates discussed here.

Thank you.

JavaScript Ransomware Poses Increased Risk of Data Loss

On January the 1st this year, security software vendor Emsisoft presented an analysis of a new variant of ransomware (defined in a previous post of mine) that demonstrates a concerning evolution in this type of malware. This type of ransomware is available for purchase by those with malicious intent following the growing popularity of the Software as a Service (SaaS)(defined) model.

Why Should I Be Concerned About This Malware?
This new variant is written in JavaScript (defined) but uses the NW.js framework to allow JavaScript apps to be installed and run (execute/carry out their purpose) just like traditional desktop applications (that you use every day) on your computer. This flexibility is also what makes this malware of particular concern since the NW.js framework is a portable framework it has the potential to enable this malware to spread to Linux and Apple OS X computers (however as noted by Emsisoft so far no such malware has been seen “in the wild” (namely being present on computing devices used by the general public in their professional and personal lives)).

Initially the number of anti-malware signatures for this variant was very low (3) but has since increased significantly to 32 (out of a possible 57) anti-malware vendors on the Virustotal website (at the time of writing).

Moreover, this malware arrives within spam email which begins the download of the complete malware package. Once the malware has encrypted your files you will be unable to retrieve them since the encryption is well-implemented (i.e. has no implementation flaws). Recovering the files from a backup is the best option. Paying the ransom doesn’t necessarily mean you will be able to retrieve your files.

How Can I Protect Myself From This Malware?
The advice within my previous posts on ransomware still applies. Emsisoft again emphasized the importance of backing up your files to avoid the loss of your data from these kind of infections. Their advice of how to access/use your backup after it’s been created may also be of assistance to you.

I hope that you find the above information useful in preventing infection from this malware and/or recovering from an infection.

Thank you.