Tag Archives: Malwarebytes

May 2017 Security Updates Summary

Today Microsoft and Adobe made available their expected monthly security updates.

Microsoft’s updates address 57 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog while now updated since last month doesn’t contain this months updates yet.
====================

Before continuing with this months updates I wanted to provide information on a critical out of band (un-scheduled) update made available by Microsoft yesterday to address a vulnerability responsibly disclosed (defined) by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy within Microsoft’s Malware Protection Engine. The full list of affected products is listed within their security advisory. The exploit code for this vulnerability was later published within a tweet (which will not exploit the vulnerability).

I recommend updating your version of the Malware Protection Engine as soon as possible to version 1.1.13704.0 (or later) since this vulnerability when exploited by an attacker will lead to them obtaining system level access (NT AUTHORITY\SYSTEM)(defined)(namely the highest level of privilege within a Windows system) over an affected system.

====================
Also today Adobe issued two security bulletins to updates for the following products:

Adobe Experience Manager Forms (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As always the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:
Microsoft Malware Protection Engine
Microsoft Office
Microsoft Edge
Internet Explorer
Microsoft SMB (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 10th May 2017:
=======================
I wish to provide information on other notable updates from May 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.1.1

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 1 security fix.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 15 security vulnerabilities. The steps to install the drivers are detailed here.

I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Malwarebytes:
=======================
This update to Malwarebytes 3.1 (specifically v3.1.2.1733) resolves more than 1 security vulnerability (exact numbers and further details are not available).

Malwarebytes typically roll out updates in waves meaning it may be sometime before you receive this update. If the update is not automatically downloaded and installed in a timely manner, it is available from this link. Manual installation and general troubleshooting steps are available here.

=======================
Apple security updates:
=======================
Updates were made available by Apple on the 15th of May for iTunes for Windows, Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, and iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

Further information on the content of these updates is available this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.7.20 (Build 286). This update resolves 3 important vulnerabilities relating to the driver the tool uses for scanning. Any previous version of the tool should update automatically when opened to the most recent version.

=======================
VideoLAN VLC:
=======================
Late last week VideoLAN released version 2.2.5.1 of VLC. This update is available for Linux, Apple Mac OS X and Windows. It addresses (at least) 13 security issues mentioned here (I’ll explain my numbering using the list below). This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

1. Security hardening for DLL hijacking environments
2. Fix potential out-of-band dereference in flac decoder
3. Fix potential out-of-band reads in mpeg packetizers
4. Fix incorrect memory free in ogg demuxer
5. Fix potential out-of-band reads in subtitle decoders and demuxers
6. Fix ADPCM heap corruption (FG-VD-16-067)
7. Fix DVD/LPCM heap corruption (FG-VD-16-090)
8. Fix possible ASF integer overflow
9. Fix MP4 heap buffer overflows
10. Fix Flac metadata integer overflow
11. Fix flac null-pointer dereference
12. Fix vorbis and opus comments integer overflows and leaks
13. The plugins loading will not load external DLLs by default. Plugins will need to LoadLibrary explicitly.

=======================
Notepad++:
=======================
On the 14th of May, Notepad++ made available a new version updating it to version 7.4. While it is not a security update it includes a security related improvement namely: Improve certificate verifying method.

This version has since been updated to version 7.4.1 to resolve a number of non-security issues. If you use Notepad++, please consider updating to the most recent version to benefit from the security improvement and the bug fixes it includes.

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
GIMP (photo editor):
=======================
The open source ((the source code (human readable code) is free to view and edit by the wider IT community) photo editor GIMP has made available version 2.8.22 which resolves one security vulnerability. If you use this editor, please update it to this version (or later).

Microsoft Announces End of Support for EMET

====================
Update: 13th December:
Shortly after publishing this blog post, I received a response (apologies for not posting this update sooner) from the Microsoft EMET team to some questions that I had asked with regard to how to harden applications that do not incorporate security mitigations be default on Windows 10 once EMET has reached it’s end of support. These can be used with any applications, not just legacy applications.

They suggested using the Process Mitigation Options GPO which is described in the link provided by them below. This can be used to apply mitigations such as DEP, SEHOP, Mandatory/Force ASLR, and Bottom-up ASLR to a process without using EMET. They also mentioned this GPO should be receiving further usability improvements in the future.

While the above mitigations don’t provide the same level of protection that EMET offered, they offer an improvement over not using them. From their message there appears to be a possibility that further mitigations will be available in later updates to Windows 10.

I have provided the text of their message below.

====================
Thank you for your support and for providing this helpful feedback! We will consider these suggestions as we develop our documentation and continue to evolve our security and mitigation features in future releases of Windows 10.

Today, the Process Mitigation Options GPO documented below can be used to configure certain in-box Windows 10 mitigations for particular processes.

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/override-mitigation-options-for-app-related-security-policies

These mitigations include DEP, SEHOP, Mandatory/Force ASLR, and Bottom-up ASLR. Though we’re aware that this GPO presents some UX challenges, we’re actively working to improve our mitigation management experience for future releases.
====================

Once again shortly after publishing this post, I came across this blog post from the CERT/CC team of Carnegie-Mellon University. They recommend using EMET on Windows 10 after the end of support deadline in July 2018 to protect applications that do not incorporate security mitigations.

This is of course assuming that future builds/versions of Windows 10 allow EMET to continue to function. If this is not the case, the alternatives discussed above could be considered.

The CERT blog post also provides the steps to enable system-wide DEP an ASLR if EMET (or the alternatives) cannot be used. That post also provides a comparison table of Windows 7 and Windows 10 with and without EMET to better display the benefits EMET offers.

How the CERT/CC team align to the US CERT team is mentioned in this Sophos blog post.

I hope that you find this additional information useful. Thank you.

====================
Original Post:
====================
Early last week Microsoft extended the support deadline of their exploit mitigation tool, Enhanced Mitigation Experience Toolkit (EMET). The final support deadline is now the 31st of July 2018 (originally 27th January 2017).

Why Should This Announcement Be Considered Important?
At this time there are known bypasses for EMET e.g. this and this. While a competitor to EMET, SurfRight HitmanPro.Alert mitigated the WoW64 bypass, Microsoft never incorporated such changes (or at least never documented such improvements). In addition in their most recent blog post concerning EMET; Microsoft states that EMET’s effectiveness against modern exploit kits (defined) has not been proven and were not designed to be a long term solution just a “stop gap” to add extra protection to older versions of Windows without necessitating upgrading to a newer version of Windows.

In addition, Microsoft mentioned that EMET can reduce the performance of the applications that it protects. Moreover it can impact their reliability since it hooks into the operating system at a low level in order to add its protection to the applications chosen by a system administrator or individual user.


You recommend EMET a lot on this blog; is that going to change?

In the short term, no. In the long-term, yes. While EMET is still supported I will recommend its use but will note that its end of support date is approaching.

I still believe that EMET can provide value by adding mitigations to commonly used applications both for enterprise/business users and individual user applications when those applications don’t include mitigations such as DEP or ASLR etc. by default after installing them. I don’t agree with Microsoft’s decision to end support for EMET for this reason.

I believe that they were overly critical of EMET in their most recent blog post. Yes it can cause performance issues (usually disabling one or both EAF and EAF+ mitigations resolves this) and can cause compatibility issues. In general, this depended on the set up of your individual applications. E.g. if you don’t install add-ons into Microsoft Word, Excel etc. they are far more likely to work with EMET without any changes. In many business and enterprise environments I realise this isn’t an option.

In my experience, accepting the defaults of the EMET configuration and adding all but EAF and EAF+ to custom applications would almost always work. Adding EAF and/or EAF+ was appropriate if they didn’t cause performance issues. A further reference regarding EMETs mitigations and another application compatibility list is available here.

I always believed that if you were going to deploy EMET across an organisation that you had to extensively test it. This could possibly involve testing it on hardware and software that mostly (or exactly if possible) emulates each type of server and workstation in use across each team in your organisation. Using just one configuration across your organisation would not work or if it did, it would be sub-optimal since you would likely have to disable many more mitigations to make it work smoothly across all systems in use.

How secure non-best practice applications (namely that they don’t include mitigations such as DEP or ASLR) are when installed on Windows 10 is uncertain. However given the continuing work that Microsoft is doing with Windows 10 and their recent publishing of details concerning the new mitigations available in Windows 10 (the original security benefits are discussed in a previous blog post) Windows 10 in the long term is the way forward. Overall however the Windows 10 without any additions is more secure by default than Windows 7 or Windows 8.1. Just one example would be the disabling of LDR Hotpatching which mitigates the issues caused by abusing its functionality discussed here and here.


If I can’t upgrade to Windows Server 2016 or Windows 10 before the support for EMET ends, what would you recommend?

If your business applications already include security mitigations such as DEP and ASLR, you may not need EMET and can simply ignore it. EMET and indeed the competitors to EMET are only necessary if the applications you use need hardening.

For business, enterprises and individuals Alternatives to EMET are Malwarebytes Anti-Exploit (Business and Personal editions) and HitmanPro.Alert. Malwarebytes Anti-Exploit can be used to protect custom applications and thus can take that role over from EMET. I am currently testing Malwarebytes Anti-Exploit and HitmanPro.Alert and will comment on their resource usage and any drawbacks they may have. I will update this post when I have completed this testing.

Alternatively try to contact the developers of the custom business applications that you are using and request that they enable some security mitigations e.g. DEP and ASLR. Visual Studio 2015 is required for adding CFG but DEP and ASLR can be added using compilers like Mono and mingw (example 2 and example 3).

I contacted the developer of a 64 bit open source tool and he mentioned that since he still supports Windows XP migrating to a newer version of Visual Studio is not an option right now but would consider it for the future. Another small but commercial application developer (a 64 bit utility for Windows) was very enthusiastic about a new version of Visual Studio offering extra mitigations and promised to add these to the next major release of his product which is currently in beta and moving towards a release candidate.

Thank you.

Malwarebytes Releases Security Update For Consumer Products

As originally discussed in a previous blog post, Malwarebytes last Friday made available a security update for their Anti-Malware product used by consumers. The update brings it to version 2.2.1.

While Malwarebytes originally mentioned that the products client had more than one vulnerability, the release notes of v2.2.1 only mention one vulnerability being resolved.

In order to resolve the reported vulnerability(ies), please install the updated version of Malwarebytes Anti-Malware (available from the above v2.2.1 link) as soon as possible. Automatic upgrades will take place later this week.

Thank you.

Malwarebytes Announces Upcoming Security Update / Bug Bounty Programme

Update: 20th March 2016:
A more recent blog post provides details of the now released security update.

Thank you.

=======================
Original Post
=======================
On Wednesday of last week the anti-malware organization Malwarebytes published a blog post to inform it’s customers that they are working to resolve several security vulnerabilities responsibly disclosed (defined) to them.

The well-known Google security researcher Tavis Ormandy disclosed these issues to them in November 2015. Malwarebytes is currently working to have an updated version of it’s anti-malware product version 2.2.1 available in the next 3 to 4 weeks.

If you are a Malwarebytes business or consumer customer/or make use of their free anti-malware software please monitor the Malwarebytes blog for announcements as well continuing to keep your Malwarebytes product up to date in order to be protected against these security issues. Users of the Premium version of Malwarebytes can enable self-protection in mitigate (protect against) these issues until the appropriate update is made available. Further details of how to enable this security feature are available here.

Malwarebytes also took the opportunity within the above mentioned blog post to announce their Bug Bounty program. This should ensure that such vulnerabilities are disclosed and resolved sooner in the future. Further details of their bug bounty program are available here.

I will update this post when version 2.2.1 of Malwarebytes is made available.

Thank you.