Tag Archives: Microsoft

Microsoft Ends Support for Windows Vista

As detailed in the news online Microsoft is ending the support lifecycle of Windows Vista today. It will no longer receive security updates going forward.

With the installation share of Windows Vista being only approximately 1% of all installed operating systems, the number of users/systems affected is small. However they should still seriously consider migrating to newer operating systems and possibly newer hardware to support their new choice of operating systems.

Since this is a consumer oriented operating system, the recommendations previously provided for Windows Server 2003 do not apply here. Check if your current applications are compatible with newer operating systems and migrate at your earliest convenience to minimise future since the support lifecycle has ended.

Thank you.

Disclosed Microsoft Zero Day Under Attack By APT Group

====================
Update: 8th November:
The Microsoft zero day vulnerability discussed in this post has now been patched. Please refer to this post for the appropriate information and download links.

Thank you.

====================
Original Post:
====================
Earlier this week Google publicly disclosed (defined) details of a new zero day (defined) vulnerability affecting supported versions of Windows up to Windows 10. Fortunately, the disclosure only included minimal details.

Why Should These Issues Be Considered Important?
The vulnerability disclosed by Google could result with an attacker being able to elevate their privileges (defined) on an affected system. However, when used in combination with a previously patched Adobe Flash Player vulnerability (reference previous post) this could result in a Windows system under your responsibility or in your ownership to have a backdoor (defined) installed.

Some good news is that this new exploit primarily targets organisations that operate in the following sectors (thus all other organisations are at somewhat reduced risk): government, intelligence or military organisations.

The nature of the backdoor is the decision of the attacker but would usually include a means of remaining persistent on the system and allowing the attacker to remote access the infected system. This backdoor can then be used to move data of the attacker’s choice off the affected system. The APT group known as STRONTIUM by Microsoft (other aliases used in the wider cyber security industry are APT28, also aka Sofacy aka Fancy Bear aka TsarTeam aka Sednit aka PawnStorm). STRONTIUM is also known for moving laterally throughout the network which they compromise (where the pass the hash (PtH) (defined) technique is the method of choice to do so).

How Can I Protect Myself From This Issue?
While a patch from Microsoft is in progress (scheduled for release on the 8th of November): follow safe email guidelines namely don’t click on unexpected/unsolicited links or open potentially dangerous email attachments to prevent the execution (carrying out of) the exploits actions in the first instance.

If you use the Microsoft Edge or Google Chrome web browsers the exploit for the local elevation of privilege vulnerability will be mitigated. This is due to Chrome’s sandbox (defined) blocking the use of API (defined) calls to the win32k.sys driver (defined). This in addition to its existing mitigations when installed on Windows 10 which I previously discussed.

Microsoft Edge on the other hand implements Code Integrity to prevent the next steps of exploitation.

To protect endpoints within your organisation you could consider utilising the logging capabilities of Microsoft EMET and Systinternals’ Sysmon by processing their logs using a SIEM (defined) and taking action when that SIEM a alerts you to suspicion activity. This is especially true since this exploit can occur from within web browsers, the Java JRE, Microsoft Word and Microsoft PowerPoint (namely that these applications are used to open suspicious/untrusted files).

My thanks to a colleague (you know who you are!) for compiling very useful information for this blog post.

Thank you.

September 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s updates consist of 14 security bulletins. These bulletins address 50 vulnerabilities more formally known as CVEs (defined)(not including the Adobe vulnerabilities mentioned below).

Only the Internet Explorer security bulletin currently lists a Known Issue (discussed below). However as always please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates. At this time it does not list any Known Issues.

Update: 15th September 2016:

It has been reported that the security updates for Internet Explorer MS16-104 and Microsoft Edge (MS16-105) patches a zero-day (defined) vulnerability that has been publicly exploited. Further details of this vulnerability have since been disclosed and are available in this ThreatPost article.

The Known Issue for this update now mentions “Microsoft is aware of limited issues in which an ActiveX install may fail when using the ActiveX Installer Service (AXIS) with Internet Explorer 10 or Internet Explorer 11.” However, at this time no workaround or solution is available.

Moreover, the Microsoft Office security bulletin resolves an Important severity level ASLR (defined) bypass designated CVE-2016-0137 within the Microsoft Detours DLL (defined) that applications such as Microsoft App-V use. This issue has the potential to affect a lot of other 3rd party products and is discussed in more detail in this ThreatPost article. Further information/resources concerning this vulnerability are available on this GitHub page. A possibly related issue was found in Nvidia’s graphics driver (defined) (within detoured.dll) late last year which they issued a patch for.

This month also marks the final month that Windows 7 and Windows 8.1 will receive security updates packaged in the traditional format. From October the updates will be offered in packages similar to that of Windows 10 which will mean fewer individual updates will need to be installed to bring systems up to date. The updates will also replace updates from previous months again reducing the volume of updates needing to be installed. There will be single security and reliability updates.

While I am in favour of the simplification of updates, the “Known Issues” that I mention each month will become even more important since you won’t have the option of choosing which updates to install. This will lead to more outages and compatibility issues especially for corporate environments which is discussed in this article. Microsoft provides more details of these changes in their Windows IT Pro blog post. This additional Microsoft blog post and this Windows IT Pro blog post provide further coverage.

Further to this, next month Microsoft plans to begin to block out dated versions of Adobe Flash Player ActiveX controls (defined). Further details are available in their blog post.

====================
For Adobe’s scheduled released they made available an updated version of Flash Player that addresses 29 priority 1 vulnerabilities.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

Adobe also released a security bulletin for Adobe AIR SDK and compiler (AIR is its application runtime) to address a single priority 3 vulnerability. More information as well as installation steps are available in the relevant security bulletin. Finally, Adobe released a security bulletin for Digital Editions that addresses 8 priority 3 vulnerabilities.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

With Adobe’s Flash Player update (to version 23.0.0.162) addressing 29 critical vulnerabilities, this should be installed first if you already have a previous version installed.

For the Microsoft updates, for corporate environments/server operating systems please first install the Microsoft Exchange update (if you use it within your environment). This should be followed by Microsoft Office, Security Update for Windows (MS16-110) and the Microsoft Graphics Component.

For desktop workstations / small business environments please make Internet Explorer, Microsoft Edge, Microsoft Office and the Microsoft Graphics Component your first priorities due to their severities and prevalent use. The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is available in this Computerworld article (a new article is published each month within their Patch Tuesday Debugged column).

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

August 2016 Security Updates Summary

Yesterday was Microsoft’s Update Tuesday and they made available their scheduled monthly security updates.

Microsoft’s updates consist of 9 security bulletins. These bulletins resolve 33 vulnerabilities more formally known as CVEs (defined).

Microsoft’s Security bulletin summary lists Known Issues for bulletins MS16-100 (Update for Secure Boot, kb3179577) and MS16-101 (Security update for Windows authentication methods, kb3178465).

The first issue is more informational rather than an error/interruption to your work. While the second known issue is notifying you that this update “disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations”.

The IT Pro Patch Tuesday blog is also a very useful resource to check before installing the updates to better inform you of whether to proceed or not.

====================
For the first time since January Adobe has not published a Flash Player security bulletin. However, they did release a priority 2 update for Adobe Experience Manager, resolving 4 CVEs.

If you use any the above Adobe products, please review the security bulletins linked to above and apply the necessary updates as soon as possible.

====================
You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying this month’s Microsoft updates, I will prioritise the updates for you below:

Please make the updates for Microsoft Office, Microsoft Internet Explorer, Microsoft Edge your first priorities since they all address critical severity vulnerabilities. Please follow these with the Microsoft Graphics Component update (since it addresses a critical font handling issue (font vulnerabilities are discussed in a previous blog post)). All remaining security updates can be installed when you have the time available.

A final security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

July 2016 Security Updates Summary

Earlier today Microsoft released their scheduled monthly security updates.

Microsoft’s updates consist of 10 security bulletins (not including the Adobe Flash Player update (more details below)). These bulletins resolve 49 vulnerabilities more formally known as CVEs (defined).

Just like last month at the time of writing there are Known Issues for this month’s updates (although last month’s summary was later updated to include 3 Known Issues including the well-known issues with the Group Policy update). However please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates.

As I mentioned above one of Microsoft’s bulletins relates to Adobe’s Flash Player update. This update addresses a massive 52 critical CVEs.

For Windows 8.1 and later Microsoft have released a corresponding Adobe Flash security bulletin MS16-093. As expected, it includes the same fixes within the above mentioned Adobe bulletin.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically alongside the updated version of Chrome.

Adobe also released a large security update for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI addressing 30 CVEs within those products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin.

Finally, Adobe published an update for it’s XMP Toolkit for Java affecting versions prior to 5.1.2. Adobe has classified this as a priority 3 update that addresses an information disclosure issue.
====================
If you use any of the above Adobe products, please review the security bulletins linked to above and apply the necessary updates as soon as possible. This is especially true for Adobe Flash.

Whether you are an individual, a large or small organization you should be aim to deploy Flash updates within 1 week in order to reduce the possibility of being affected by exploit kits (defined) that may seek to take advantage of these newly disclosed issues.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

Please make the updates for Microsoft Office, Microsoft Internet Explorer, Microsoft Edge your first priorities since they all address critical severity vulnerabilities. Please follow these with Windows Print Spooler Components (please see this link for an explanation of why this update is of critical severity) and finally Microsoft Jscript and VBScript due to their severities and prevalent use. All remaining security updates can be installed when you have the time available.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

June 2016 Security Updates Summary

Yesterday Microsoft released their scheduled monthly security updates.

Microsoft’s updates consist of 16 security bulletins (not yet included is the upcoming Adobe Flash Player update (more details below)). These bulletins resolve 44 vulnerabilities more formally known as CVEs (defined).

One helpful point to note that should make deploying these updates easier is that Microsoft’s Security Bulletin Summary doesn’t list any Known Issues at this time. However please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates.

As briefly discussed above one of Microsoft’s bulletins relates to Adobe’s Flash Player update; however, that update will be made available later this week (scheduled to arrive on the 16th of June) according to Adobe). Similar to last month this update will resolve a zero day (defined) vulnerability that is currently being exploited. I will update this post when more information becomes available.

====================
Update: 17th June 2016:
As scheduled Adobe released an updated version of Flash Player to address the zero-day vulnerability currently being used by an APT (Advanced Persistent Threat) (defined) group to attack systems belonging high profile targets.

This update also addresses 35 other critical CVEs. For Google Chrome, I have confirmed that version 51.0.2704.103 released yesterday contains the appropriate updated version of Flash Player.

For Windows 8.1 and later Microsoft have released a security bulletin MS16-083 (which is not yet listed on their security bulletin page at the time of writing). It includes the same fixes within the above mentioned Adobe bulletin.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Chrome. Further discussion of this update is available in this blog post.

Adobe also released a security bulletin for Adobe AIR (its application runtime) to address a priority 3 vulnerability in the AIR installer. More information as well as installation steps are available in the relevant security bulletin.

If I can clarify any of the above update installation steps, please let me know. I am always more than happy to assist.

Thank you.
====================

Adobe did however have make available four security bulletins yesterday that address vulnerabilities in Adobe DNG SDK (1 CVE addressed), Adobe Brackets (2 CVEs addressed), Adobe Creative Cloud Desktop (2 CVEs addressed ) and ColdFusion (1 CVE addressed of higher priority than all others). If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

Please make the Update for DNS Server your first priority since it is not only of critical severity but DNS (defined) is a business critical service used by business of all sizes making it a higher risk. Follow this with Microsoft Office, Microsoft Internet Explorer, Microsoft Edge and Microsoft Jscript and VBScript due to their severities and prevalent use. All remaining security updates can be installed when time allows.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Aside:
=======================
Apologies for not posting new content in such a long time. With other commitments that needed my attention as well as resolving the hardware failure issue 2 weeks ago (that I mentioned previously) led to this delay. I will post more content soon. Thank you for your understanding.

May 2016 Security Updates Summary

Earlier today Microsoft and Adobe made their scheduled monthly security updates available.

Microsoft’s updates consist of 17 security bulletins one of which relates to an upcoming Adobe Flash Player update (more details below). These bulletins resolve 36 vulnerabilities more formally known as CVEs (defined).

One point to note that should make deploying these updates easier is that Microsoft’s Security Bulletin Summary doesn’t list any Known Issues at this time. However please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates.

====================
Update: 25th June 2016:
Microsoft’s Security Bulletin Summary was updated to include known issues with the Microsoft .Net Framework update. Workarounds and resolutions to these issues are available here.
====================

As mentioned above one of Microsoft’s bulletins relates to Adobe’s Flash Player update; however, that update will be made available later this week (scheduled for May 12th according to Adobe). This update will resolve a zero day (defined) vulnerability that is currently being exploited.

In addition, Microsoft made available a security advisory yesterday applicable to Windows 8.1 (and later)(and equivalent Windows Server OSes) for the FalseStart facility of TLS. Please review the advisory and install the applicable update for your systems.

It wasn’t just Flash Player being updated by Adobe today; updates for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI address 92 CVEs within those products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin. An update for Adobe ColdFusion was also made available resolving 3 high severity CVEs.

====================
Update: 11th May 2016:
Microsoft have released their Adobe Flash Player (for Windows 8.1 and later) security bulletin earlier than anticipated. It addresses 24 critical CVEs. Please re-run a check for updates on your Windows PC and install any necessary updates for Flash Player. Further information is available in the relevant security bulletin.

Thank you.
====================

====================
Update: 12th May 2016:
As scheduled Adobe have released an updated version of Flash Player v21.0.0.242 as well as Adobe AIR (its application runtime). It addresses 25 CVEs (the extra CVE is the zero-day vulnerability that Adobe has now resolved). It’s unclear when Microsoft will re-release their update to address this remaining CVE or if the existing update already includes it. However, Google Chrome’s update earlier this week already includes Flash Player v21.0.0.242.

Further information about the Flash Player update is available in this Sophos blog post. Separately, I will continue to update this post as more information becomes available. Thank you.
====================

====================
Update: 15th May 2016:
As expected Microsoft revised their security bulletin for Adobe Flash to include the update that Adobe made available last Thursday. Their update now addresses 25 CVEs rather than the previous 24 CVEs.

Please ensure that you install this update as soon as possible. Thank you.
====================

If you use any of Adobe’s PDF applications mentioned above or Adobe ColdFusion, please follow the above product links to the appropriate security bulletins and apply the necessary updates. This is especially important for the Adobe Reader update since it resolves a very large number of critical severity vulnerabilities among them use-after-free vulnerabilities (defined), heap (defined) overflows and an integer overflow (defined).

As mentioned in January; Adobe no longer supports Acrobat X and Adobe Reader X. They did not receive any updates within that bulletin and will no longer do so. Please upgrade to Adobe Acrobat DC/Acrobat Reader DC or Acrobat XI/Adobe Reader according to your preference.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

Please make the Microsoft Internet Explorer update your first priority since CVE-2016-0189 (which it resolves) is currently under attack in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives)). Follow this with Microsoft Edge, Microsoft Office, Microsoft Graphics Component, Windows Shell, Windows Kernel-Mode Drivers (defined), JScript and VBScript, Windows Journal and Windows IIS due to their severities and prevalent use.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Aside:
=======================
I wanted to apologise for the lack of recent blog posts being published. The PC that I primarily use to write and publish the content for this blog has suffered a hard disk failure. While I have not lost any data (which is a relief!); the system is non-operational until a suitable replacement can be obtained and installed.

That may be sometime in the next 2 weeks. In the meantime, I will continue to publish using an alternate personal system of mine. This may sound like a perfect substitute, but for a number of reasons I have been finding it far from ideal. But not to worry.

However, posts will be sporadic and will not be as timely as I would like. Some interesting high impact vulnerabilities have been disclosed since my most recent blog post (in April) as well as a large number of security updates. I will endeavour to discuss all of these with you as soon as possible.

Thank you for your understanding and patience as I resolve this issue.