Tag Archives: micropatch

Adobe Reader Vulnerability Disclosed

====================
Updated: 26th February 2019
====================
After the update was issued by Adobe; the original researcher who disclosed it found a bypass and again reported it to Adobe. The bypass was assigned another CVE number; CVE-2019-7815

It has now been addressed by a further update made available by Adobe last Thursday. If you use Adobe Acrobat or Reader, please ensure it is up to date:

Thank you.

====================
Original Post
====================
Yesterday; the security firm 0patch released a micropatch for a vulnerability that was publicly disclosed (defined) in late January.

Why should this vulnerability be considered important?
The vulnerability allows for the extraction/disclosure of the NTLMv2 hashes (defined) associated with your Windows login account to be sent to an attacker when you open a specifically modified PDF document, The information is sent via the SMB protocol (defined) to the attacker essentially allowing the document “to phone home” to them.

Adobe Reader DC (2019.010.20069 and earlier) are affected. This vulnerability is similar to a now patched vulnerability from last year namely; CVE-2018-4993, The new vulnerability is caused by the fact that while a user is warned via a dialog box when opening an XML style sheet via the HTTP protocol; when using the SMB protocol and while following a UNC (defined) link; no such warning appears.

How can you protect your organisation and yourself from this vulnerability?
Please apply the update made available by Adobe earlier today. If for any  reason you cannot update right now, please consider the micropatch from 0patch. A YouTube video of the micropatch in action is available from the following link:

The micropatch does not require a reboot. The patch does not need to be uninstalled once you later install the update from Adobe.

Thank you.

December 2018: Further Zero Day Vulnerabilities Disclosed

=======================
Update: 6th February 2019
=======================
In mid-January; the security firm 0patch issued a micropatch for what I refer to as vulnerability 4 (discussed below). As before the patch can be applied and will protect your devices until Microsoft can issue a finalised update via the regular channels.

The patch is only available for Windows 10 Version 1803. 0patch have requested that you contact them if you wish to obtain a patch for another version of Windows 10. They have published a YouTube video of the patch preventing the proof of concept code from working as the attacker intended.

Approximately a week after this micropatch was issued; another micropatch was made available; this time for what I refer to as vulnerability 3 (discussed below). That patch is available for Windows 10 Version 1803 64 bit and Windows 7 bit. As before 0patch have requested that you contact them if you wish to obtain a patch for another version of Windows. Another YouTube video is available demonstrating the micropatch preventing the proof of concept code from reading any file on the system as the attacker intended. It does this by changing the permissions on the temporary MSI file created by Windows Installer. The micropatch was more complex than originally thought to create. 0patch wanted to issue their patch before the Holiday period in December but were unable to do so since it required more thorough testing before being made available but there was not enough time left for that testing.

The micropatch does not require a reboot. As before the patch does not need to be uninstalled once you later install the update from Microsoft.

At this time, it is assumed that Microsoft will issue a patch for these vulnerabilities in February but they may be more complex (similar to the previous JET vulnerability) and require further time to refine the fixes.

Thank you.

=======================
Original Post:
=======================
In the 3rd week of December; a security researcher using the name SandboxEscaper (who we have discussed twice before on this blog) announced a 3rd zero-day (defined) vulnerability followed by a 4th on the 30th of December.

For the 3rd vulnerability: Windows 7 and Windows 10 are confirmed as impacted. Windows 8.1 may also be vulnerable. For the 4th vulnerability; Windows 10 Version 1803 (Build 17134) has been confirmed as impacted (it’s unknown if newer builds of Window 10 or if Windows 7/8.1 are vulnerable).

How severe are these vulnerabilities and what is their impact?
I’ll break these into 2 sections:

=======================
Vulnerability 3:
Arbitrary file read issue: Uses MsiAdvertiseProduct:
=======================
From the limited information available this vulnerability does not appear to be remotely exploitable. The attacker would already need to have compromised an account on your Windows system in order to run the necessary proof of concept code. This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to read/copy any files they choose using the permissions from the Windows Installer Service namely LocalSystem privileges (the highest level of privilege)(defined). The vulnerability makes use of a time to check to time to use (TOCTOU) race condition type.

In the same manner as the previous vulnerabilities it may be leveraged in the wild before it is patched by Microsoft; this is my reason for advising exercising caution with email and clicking unexpected links (within emails, links within IM clients or social networks). Security researcher Will Dormann found this exploit inconsistent when used. Meanwhile Acros Security CEO Mitja Kolsek stated It was very likely a micropatch for this exploit would be available before the holiday period.

=======================
Vulnerability 4:
Arbitrary file overwrite issue: Proof of concept overwrites pci.sys
=======================
As above; this vulnerability does not appear to be remotely exploitable. The attacker would already need to have compromised an account on your Windows system in order to run the necessary proof of concept code. This vulnerability should be considered medium but not critical severity. When exploited it can allow an attacker to overwrite pci.sys with information about software and hardware problems, collected through the Windows Error Reporting (WER) but the attacker can also influence what data is used to overwrite the original file. The vulnerability again makes use of a race condition which means that the exploit doesn’t always provide the attacker with the intended result. This is especially true for systems with a single CPU core.

However; the choice of pci.sys for the proof of concept was an example; any file could be used (confirmed by Will Dormann).

How can I protect my organization/myself from these vulnerabilities?
The same advice issued for the first two zero day disclosures again applies here. This US-CERT advisory also provides advice for safely handling emails.

If you wish to deploy the micropatch from the firm 0patch; please test how well it works in your environment thoroughly BEFORE deployment in your production environment.

It can be obtained by installing and registering 0patch Agent from https://0patch.com Such micropatches usually install and need no further action when Microsoft officially patches the vulnerability since the micropatch is only active when a vulnerable version of the affected file is used; once patched the micropatch has no further effect (it is then unnecessary).

Thank you.

Protecting Against the Microsoft JET Database Zero Day Vulnerability

====================
Update: 9th January 2019:
====================
Microsoft have now resolved the unpatched JET vulnerability. It has been designated as CVE-2019-0579. It appears it took extra time since binary differential analysis shows that larger sections of the file msrd3x40.dll have been re-designed to proactively mitigate future vulnerabilities.

Further details are located here. Thank you.

====================
Update: 3rd January 2019:
====================
As of the 19th of December; the firm 0patch have confirmed the incomplete patch for this vulnerability has not yet been revised by Microsoft.

====================
Update: 24th October 2018:
====================
According to Acros Security CEO Mitja Kolsek the fix for this vulnerability from Microsoft is incomplete and mitigates but does not resolve the vulnerability.

As before; my assessment of the difficulty an attacker would face in exploiting this vulnerability remains accurate. The attack first needs you to take an action you wouldn’t otherwise take; if you don’t they can’t compromise your system.

Details of the incomplete nature of the vulnerability are not being disclosed while the patch is re-evaluated. Acros Security has notified Microsoft of this incomplete fix and is awaiting a response. In the meantime; their micropatch completely mitigates the vulnerability.

I’ll keep this post updated as more details become available. Thank you.

=======================
Update: 9th October 2018:
=======================
Microsoft’s scheduled updates for October 2018 resolve this vulnerability. Thank you.

=======================
Original Post:
=======================
In the latter half of last week; Trend Micro’s Zero Day Initiative publically disclosed (defined) a zero day vulnerability (defined) within the Microsoft JET Database Engine (defined).

Why should this vulnerability be considered important?
This vulnerability should be considered high but not critical severity. When exploited it can allow an attacker to execute code (to carry out any action of their choice) but they cannot initiate this automatically/remotely. They must socially engineer a potential victim into opening an attachment ( most likely sent over email or via instant messaging etc.). This attachment would need to be a specific file containing data stored in the JET database format. Another means would be visiting a webpage but 0patch co-founder Mitja Kolsec could not successfully test this means of exploit.

This vulnerability exists on Windows 7 but is believed to also exist on all versions of Windows including the Server versions.

How can I protect my organization/myself from this vulnerability?
At this time; a patch/update from Microsoft is pending and is expected to be made available in October’s Update Tuesday (9th October).

In the meantime; please continue to exercise standard vigilance in particular when using email; e.g. don’t click on suspicious links received within emails, social media, via chat applications etc. Don’t open attachments you weren’t expecting within an email (even if you know the person; since their email account or device they access their email may have been compromised) and download updates for your software and devices from trusted sources e.g. the software/device vendors. This US-CERT advisory also provides advice for safely handling emails.

If you choose to; the firm 0patch has also issued micro-patch for this vulnerability as a group of two patches. This was the same firm who micro-patched the recent Windows Task Scheduler vulnerability. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

Thank you.

Protecting Against the Windows 10 Task Scheduler Zero Day Vulnerability

====================
Update: 5th September 2018:
====================
As previously advised; exercising caution when receiving emails with attachments will keep you safe from the following malware now exploiting this vulnerability.

Your anti-malware software will likely also protect you from this exploit since the majority of vendors are detecting (verified using VirusTotal) the file hashes listed in the security firm Eset’s blog post:

Eset have detected attackers delivering an exploit for this vulnerability via email. The exploit targets victims in the following countries:

  • Chile
  • Germany
  • India
  • Philippines
  • Poland
  • Russia
  • Ukraine
  • United Kingdom
  • United States

The attackers have made small changes of their own to the published proof of concept code. They have chosen to replace the Google Updater (GoogleUpdate.exe)(which runs with admin privileges (high level of integrity)) usually located at:

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

They replace the updater with a backdoor application of their own that is run with the highest privilege namely System level integrity. This is a stage one of their attack. If the attackers find anything of interest on the infected system a second stage is downloaded allowing them to carry out any commands they choose, upload and download files, shutting down an application or parts of Windows of their choice and listing the contents of the data stored on the system.

The attackers also use the following tools to move from system to system across (laterally) a network: PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

Thank you.

====================
Original Post:
====================
With the disclosure early last week of zero day vulnerability (defined) I wanted to provide some advice on staying safe while a patch from Microsoft is being developed.

What systems are affected and how can an attacker use this vulnerability to compromise systems?
Once this pre-developed working exploit is delivered to a 64 bit Windows 10 system it can be used to provide an attacker with the highest level of privilege (System level access) on that system allowing them to carry out any action they choose. They can achieve this by changing permissions on any file stored on a system thus giving them the ability to replace/change any file. When a system service executes what it believes to be a legitimate file but is instead the attacker substituted file; the attacker obtains the privileged access of that service.

The effectiveness of this exploit has been verified by Will Dorman from the CERT/CC. 32 bit versions of Windows are also affected. For Windows 8.1 and Windows 7 systems; the exploit would require minor changes before it can result in the same level of effectiveness (but may be inconsistent on Windows 7 due to the hardcoded XPS printer driver (defined) name within the exploit).

An attacker must already have local access to the systems they wish to compromise but could obtain this using an email containing an attachment or another means of having a user click on a link to open a file. The base CVSS score of this vulnerability is 6.8 making it make of medium severity for the above reasons.

How can I protect myself from this vulnerability?
Standard best practice/caution regarding the opening of email attachments or clicking links within suspicious or unexpected email messages or links from unknown sources will keep you safe from the initial compromise this exploit code requires to work correctly.

The advisory from the CERT/CC has also been updated to add additional mitigations. BEFORE deploying these mitigations please test them thoroughly since they can “reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates”.

A further option you may wish to consider is the deployment of the following micropatch from 0Patch. This patch will automatically cease functioning when the relevant update from Microsoft is made available. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

Further advice on detecting and mitigating this exploit is available from Kevin Beaumont’s post.

Thank you.