Tag Archives: Responsible Disclosure

Pwn2Own 2018 Results

Earlier this month the annual Pwn2Own white hat (defined) hacking contest took place, shortened from 3 days to 2 days.

This year’s competition was also impacted by a recent regulatory change meaning that Chinese participants were unable to attend. This is unfortunate since previous yeas competitions have been excellent and this had a real impact on the success of this year’s competition; perhaps next years will be better? Further details of the regulatory change are detailed here.

The following products were successfully exploited this year resulting in USD$267k being awarded. Exploits which could not be completed in the allocated time of 30 minutes were also purchased; which is fair in my opinion since they could still be a threat and the researchers more than deserve the credit for the time and effort they invest.

Similar to previous years; kernel (defined) exploits were used each time to exploit the web browsers due to the sandboxing (defined) technology used to security harden them.

As noted in this article (and my previous blog posts) kernels are becoming even more complex and can easily consist of millions of lines of code. My previous advice of static analysis/auditing/fuzzing (defined here and here) still applies. These won’t detect every vulnerability but will significantly reduce them. As before writing more secure code using the development practices discussed in last year’s Pwn2Own post will reduce the vulnerability count even further; both now into the future.

Just like last year Mozilla updated Firefox very quickly; this time in less than a day to version 59.0.1 and 52.7.2 ESR.

I’ll update this post as the vulnerabilities disclosed during the contest are addressed. The full list of products exploited is provided below. Thank you.

=======================
Apple Safari (2 attempts were successful using macOS kernel elevation of privilege (defined) vulnerabilities

Microsoft Edge

Mozilla Firefox

Oracle VirtualBox
=======================

Large Numbers of Email Servers Need to be Patched

Earlier this week; a patch for a potentially serious security vulnerability was made available. This vulnerability affects the Exim Mail Transfer Agent (MTA)(defined).

Details of the vulnerability were privately disclosed (defined) to the application vendor Exim by a security researcher Meh Chang from security firm Devcore Security Consulting in early February.

Why should this vulnerability be considered important?
Due to the pervasiveness of this software across the wider internet and the potential impact an exploit for this issue could have; if you are using the Exim Mail Transfer Agent software within your organisation, it may be at risk of exploitation with the potential for an attacker to achieve remote code execution (RCE)(defined: the ability for an attacker to remotely carry out any action of their choice on your device).

The number of affected MTA server around the world range from 400k, 1.9 million up to approximately 3.8 million (from Shodan (defined).

While the proof of concept (PoC)(defined) exploit for this vulnerability (a one byte buffer overflow (defined) is not trivial (described as “difficult” by the vendor) attackers are likely to try to exploit it given the wide impact it could have if successful.

How can I protect myself from this vulnerability?
Please update any Exim Mail Transfer Agent (MTA) server to version 4.90.1 A useful FAQ which may assist is located here with a wider set of FAQs located here.

Thank you.

Responding to the Meltdown and Spectre Vulnerabilities

=======================
Please scroll down for more updates to this original post.
=======================
Earlier in January updates for Linux, Apple and Windows were made available to work towards addressing the 3 security vulnerabilities collectively known as Meltdown and Spectre.

Why should these vulnerabilities be considered important?
I’ll provide a brief summary of the two categories of vulnerabilities:

Meltdown (CVE-2017-5754): This is the name of the vulnerability discovered that when exploited by an attacker could allow an application running with standard privileges (not root or elevated privileges) to read memory only intended for access by the kernel.

Spectre (Variant 1: CVE-2017-5753 ; Variant 2: CVE-2017-5715): This is a category of two known vulnerabilities that erode the security boundaries that are present between applications running on a system. Exploitation can allow the gathering of information from applications which could include privileged information e.g. usernames, password and encryption keys etc. This issue can be exploited using a web browser (e.g. Apple Safari, Mozilla Firefox, Google Chrome, Microsoft Edge (or IE) by using it to record the current time at very short intervals. This would be used by an attacker to learn which memory addresses were cached (and which weren’t) allowing the attacker to read data from websites (violating the same-origin policy) or obtain data from the browser.

Browser vendors have responded by reducing the precision of JavaScript timing and making it more unpredictable while other aspects of JavaScript timing (using the SharedArrayBuffer feature) have been disabled.

More in-depth (while still being less technical) descriptions of these issues are available here , here and here.

How can I protect myself from these vulnerabilities?
Since these vulnerabilities are due to the fundamental architecture/design of modern CPUs; it is not possible to fully address them. Instead a combination of software fixes and microcode updates (defined) is more a viable alternative than re-designing the established architecture of modern CPUs.

In-depth lists of updates available from multiple vendors are available here and here. I would suggest glancing at the affected vendors and if you own a device/product from them; checking if you are affected by these vulnerabilities. A list of BIOS (defined) updates from multiple vendors are available here. Google Chrome has a Site Isolation mode that can mitigate these vulnerabilities which will be more comprehensively addressed in Chrome version 64 scheduled for release last this month.

At this time my systems required updates from Google, Mozilla, Microsoft, Apple, VMware, Asus, Lenovo and Nvidia. Many of many existing desktops are unlikely to receive microcode and BIOS updates due to be more than 3 years old. However my Windows 10 laptop has received a BIOS update from the manufacturer.

Are there disadvantages to installing these updates?
While these updates increase security against these vulnerabilities; performance issues and stability issues (Intel and AMD) after the installation of these updates have been reported. These vary in severity but according to Intel and Microsoft the updates will be refined/optimised over time.

Benchmarks (for desktops) made available by TechSpot show negligible impact on most tasks that would stress a CPU (defined). However any work that you perform which makes of large files e.g. databases may be significantly impacted by the performance impact these updates have when accessing files on disk (mechanical and solid state). For laptops the slowdown was felt across almost all workload types. Newer and older silicon were inconsistently impacted. At times even some Intel 8th generation CPUs were impacted more than 5th generation CPUs.

Details of the anticipated performance impact for Linux, Apple macOS (and iOS) and Windows are linked to. Further reports of reduced performance from Intel and Apple devices have also been recorded. Further details of a feature known as PCID (Process-Context Identifiers) within more recent CPUs which will help reduce the performance impact are provided here. For Intel CPUs, 4th generation Core CPUs and later should include it but any CPU manufactured after 2011 should have it (one of my CPUs; a Core i7 2600K has this feature, verified using Sysinternals Coreinfo). A full list of Intel CPUs affected by these vulnerabilities is here.

Conclusion:
With the widely reported stability and performance issues present it is your decision if you install the necessary updates now or wait until further refinements. If you experience issues, please report them to the manufacturers where possible and within online forums if not. More refined updates will only be created if a need to do so is established.

I’m in the process of updating my systems but will benchmark them before and after each updates to determine an impact and make a longer term decision to keep the updates or uninstall them until further versions become available. I’ll update this post as I gather more results.

=======================
Update: 16th January 2018:
=======================
A newly released free utility from Gibson Research (the same website/author as the well-known ShieldsUp firewall tester) named InSpectre can check if your Windows system has been patched against Meltdown and Spectre and can give an indication of how much the performance of your system will be affected by installing and enabling the Windows and/or the BIOS updates.

Please note: I haven’t tried this utility yet but will this weekend (it will help with the tests I’m carrying out (mentioned above). I’ll update this post when I have tried out this utility.

Thanks again.

=======================
Update: 24th January 2018:
=======================
As promised I gathered some early results from a selection of CPUs and the results for all but recent CPUs are evidence they will experience a potentially noticeable performance drop:

====================
CPUs supporting PCID (obtained using Sysinternals Coreinfo):
Intel Core i7 Extreme 980X @ 3.33 GHz
Intel Core i7 2600K @ 3.8 GHz
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ

CPUs supporting INVPCID (obtained using Sysinternals Coreinfo):
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ
====================

Explanations of the purpose and relevance of the PCID and INVPCID CPU instructions are available from this Ars Technica article. The results from InSpectre only show positive results when both PCID and INVPCID are present backing up the observations within the above linked to Ars Technica article (that the updates take advantage of the performance advantages of these instructions when both are present).

The results from InSpectre back up these findings by stating that the 980X and 2600K will not deliver high performance protection from Meltdown or Spectre. Since my PCs are mainly used for more CPU intensive tasks (rather than disk intensive) e.g. games and Folding@Home; I still don’t expect too much of a performance decrease. The older CPUs are due for replacement.

You may ask; “why am I so concerned with the performance impact of these updates?” The answer is that significant time and investment has been made into the above systems for them to perform at peak performance for the intended tasks I use them for. Performance and security are both very important to me and I believe there should only be a small trade off in performance for better security.

My next step will be to benchmark the CPU, hard disk and GPU of each system before and after installing each update. I will initially do this for the 6500U and 2600K systems and provide these results. The categories of updates are listed below. I will keep you informed of my findings.

Thank you.
====================
Update 1: Software updates from Microsoft for Meltdown and Spectre
Update 2: Firmware update (where available)
Update 3: Nvidia / AMD GPU driver update
====================

=======================
Update: 13th February 2018:
=======================
Sorry for the long delay (I was travelling again for my work). The above benchmarking is now taking place and I will make the results available as soon as possible. Thanks for your understanding.

=======================
Update: 27th February 2018
=======================
Earlier last week Intel made available further microcode updates for more CPUs. These updates seek to address variant 2 of the Spectre vulnerability (CVE-2017-5715). Updates are now available for the CPUs listed below.

As before, please refer to the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems. Further information for corporate system administrators containing details of the patching process is available within this link (PDF):

  • Kaby Lake (Intel 7th Generation Core CPUs)
  • Coffee Lake (Intel 8th Generation Core CPUs)
  • Further Skylake CPUs (Intel 6th Generation Core CPUs)
  • Intel Core X series (Intel Core i9 CPUs e.g. in the 7900 and 7800 model range)
  • Intel Xeon Scalable (primarily targeted at data centres)
  • Intel Xeon D (primarily targeted at data centres)

Information on patches now available for OpenBSD and FreeBSD are located within the following links:

OpenBSD:
OpenBSD mailing list
The Register: OpenBSD Patch now Available

FreeBSD:
FreeBSD Wiki
Softpedia: Spectre and Meltdown mitigations now available

=======================
Update: 1st April 2018
=======================
As vendors have responded to these vulnerabilities; updates have been released for many products. I will describe these updates in more detail below. Apologies if I have omitted any, this isn’t intentional but the list below should still be useful to you:

=======================
Google ChromeOS:
=======================
Following the release of ChromeOS 64 in February which provided updates against the Meltdown and Spectre vulnerabilities, ChromeOS 65 includes further mitigations against these vulnerabilities including the more efficient Retpoline mitigation for Spectre variant 2.

=======================
Sony Xperia:
=======================
In late February Sony made available updates which include mitigations for Meltdown and Spectre for their Xperia X and Xperia X Compact phones which brings the build number to 34.4.A.2.19

=======================
Microsoft Issues Microcode Updates:
=======================
As previously mentioned when this blog post was first published; updates for the Meltdown and Spectre vulnerabilities are made up of software updates, microcode updates and firmware (BIOS updates) and GPU drivers.

Due to the complexity of updating the firmware of computer systems which is very specific and potentially error prone (if you apply the wrong update to your device it can render it useless, meaning it will need to be repaired/replaced (which is not always possible) Microsoft in early March began to issue microcode driver updates (as VMware describes they can be used as substitutes for firmware updates). Microcode updates have been issued in the past to address CPU reliability issues when used with Windows.

=======================
Intel Firmware Updates:
=======================
As with previous microcode updates issued by Intel in late February; these updates seek to resolve variant 2 of the Spectre vulnerability (CVE-2017-5715).

While Intel has issued these updates; they will be made available separately by the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have. You will have to determine from the updates those vendors issue if they are available for the products that you own.

Unfortunately not all systems will receive these updates e.g. most recent system was assembled in 2014 and has not received any updates from the vendor; the vendor has issued updates on their more recent motherboards. Only my 2016 laptop was updated. This means that for me; replacing the systems gradually is the only means of addressing variant 2 of the Spectre vulnerability.

Intel’s updates are for the Broadwell (5th generation CPUs i.e. 5000 series) and Haswell (4th generation CPUs i.e. 4000 series).

=======================
Microsoft Surface Pro:
=======================
Earlier this week Microsoft released firmware updates for their Surface Pro which mitigate the Meltdown and Spectre vulnerabilities. This link provides further details and how to install the updates.

=======================
Microsoft Issues Further Security Update on the 29th March:
=======================
As noted in my separate post; please refer to that post for details of a security update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit that resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of those Windows versions.

=======================
Microsoft Offers Bug Bounty for Meltdown and Spectre vulnerabilities:
=======================
Microsoft have announced bug bounties from $5000 to $250,000 to security researchers who can locate and provide details of exploits for these vulnerabilities upon Windows, Azure and Microsoft Edge.

If such a programme is successful it could prevent another instance of needing to patch further related vulnerabilities after the issues have been publicly disclosed (defined). This is sure to assist the system administrators of large organisations who currently in the process of deploying the existing updates or who may be testing systems on a phased basis to ensure performance is not compromised too much.

Further details are available from this link.

=======================
Update: 6th April 2018
=======================
Earlier this week, Intel issued a further progress update for the deployment of further microcode for their CPUs.

A further 5 families of CPUs have now completed testing and microcode updates are available. These families are:

    • Arrandale
    • Clarkdale
    • Lynnfield
    • Nehalem
    • Westmere

==================
However a further 9 families will not receive such updates for the reasons listed below. Those families are:

      • Micro-architectural characteristics that preclude a practical implementation of features mitigating [Spectre] Variant 2 (CVE-2017-5715)
      • Limited Commercially Available System Software support
      • Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

==================

      • Bloomfield
      • Clarksfield
      • Gulftown
      • Harpertown Xeon
      • Jasper Forest
      • Penryn
      • SoFIA 3GR
      • Wolfdale
      • Yorkfield

This announcement from Intel means my Intel Core i7 Extreme 980X (from 2010) won’t receive an update. This system isn’t used very much on the internet and so the impact is limited. I am hoping to replace this system in the near future too.

Recommendations:

Please review the updated PDF made available by Intel (I can upload the PDF to this blog if Intel place it behind an account which requires sign in. At this time the PDF link still works).

As before; please monitor the websites for the manufacturer of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems.

Thank you.

==================
BranchScope Vulnerability Disclosed:
In a related story; four security researchers from different universities responsibly disclosed (defined) a new side channel attack affecting Intel CPUs. This attack has the potential to obtain sensitive information from vulnerable systems (a similar result from the existing Meltdown and Spectre vulnerabilities).

Further details of this attack named “BranchScope” are available in this Softpedia article and this paper from the researchers. Within the above article Intel responded to this attack stating that this vulnerability is similar to known side channel and existing software mitigations (defined) are effective against this vulnerability. Their precise wording is provided below.

Thank you.

==================
An Intel spokesperson has provided the following statement:

“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”
==================

=======================
Update: 13th April 2018
=======================
AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Thank you.

Intel works with system vendors to address AMT vulnerability

In early May, Intel began the process of making available updates to resolve 2 critical security vulnerabilities within the hardware of corporate Intel systems. Security researchers located vulnerabilities within the co-processor which has the role of a management engine and to provide further features as part of Intel’s vPro technology. vPro allows IT teams to remotely administer systems (e.g. determine a systems status regardless of its condition, power on/power off, restart etc.) and provides capabilities including secure wiping of data should the device be lost or stolen.

Why should these vulnerabilities be considered important?
As documented within Intel’s advisory: The first vulnerability allows a remote attacker to gain system level privileges (the highest privileges available)(defined) thus allowing them to make any changes they wish to the affected system. This applies to systems with Intel Active Management Technology (AMT) or Intel® Standard Manageability (ISM) enabled.

The second vulnerability allows an attacker already located within your internal/corporate network to gain network or local system privileges on affected systems. This vulnerability affects AMT and systems with Intel Small Business Technology (SBT) enabled. Definitions for AMT, ISM and SBT are available from Intel. A useful FAQ on the vulnerabilities is available here.

Vulnerable systems are very likely to be in use by many corporate organisations and small businesses. The version numbers of the affected Intel technologies are listed within US-CERTs advisory. All Intel systems which have Intel Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology enabled are vulnerable. Such systems have been in production for more than nine years.

It should be noted that only business configured devices have such enablement capabilities, the same vulnerabilities do not exist on consumer devices.  However, given the increasingly blurry distinction between user and business devices, especially with concepts such as Bring your own device (BYOD)(defined) these issues can easily be widespread and will take time to address. Intel has published steps which will help to identify affected systems.  A tool is also available from Intel’s download center.

For this vulnerability to be successfully exploited the Active Management Technology (AMT) must be configured to support remote administration.  This tool is not configured by default.

Moreover while the above mentioned three management technologies are vulnerable, the first vulnerability can only be exploited if Active Management Technology (AMT) is provisioned. If not provisioned, the second vulnerability applies.

These vulnerabilities are particularly severe since the management engine co-processor (mentioned above) can access any memory region within an affected system without the primary Intel processor (CPU)(defined) being aware of it. The co-processor can send, receive, read/write data travelling on your network below the level at which firewalls operate thus bypassing them. The management engine can also read and write to the systems storage device (a hard drive) upon the successful authorisation of a user. The co-processor also has read and write access to the devices screen (your monitor) all while remaining undetected and unlogged (events are not captured within the logs of your operating systems making detection by SIEMs (defined) unviable).

How can I protect myself from these vulnerabilities?
Intel has created a list of affected vendors which links to their respective websites including the status of the availability of updates as well as already completed/available updates.

While the preparation of updates is in progress, the following mitigation options are available:

  1. Un-provisioning Intel manageability SKU (stock keeping unit) clients to mitigate unprivileged network attacker from gaining system privileges (Unprovisioning Tool v1.0)
  2. Disabling or removing the Local Manageability Service (LMS) to mitigate unprivileged local attacker from gaining system privileges
  3. Optionally configuring local manageability configuration restrictions

Unfortunately it will take time for vendors to issue updates for all affected systems. If you are in any doubt if your systems are affected, please contact them. In addition, please continue to access the list of vendor websites (provided above) to monitor when the updates to your systems become available. If due dates are instead present at this time, you can schedule a downtime window for these systems to be updated.

Thank you.

=======================
Aside:
What is a stock keeping unit (SKU)?

It refers to a specific item stored to a specific location. The SKU is intended as the most disaggregated level when dealing with inventory (Source)
=======================

May 2017 Security Updates Summary

Today Microsoft and Adobe made available their expected monthly security updates.

Microsoft’s updates address 57 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog while not updated since last month doesn’t contain this months updates yet.
====================

Before continuing with this months updates I wanted to provide information on a critical out of band (un-scheduled) update made available by Microsoft yesterday to address a vulnerability responsibly disclosed (defined) by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy within Microsoft’s Malware Protection Engine. The full list of affected products is listed within their security advisory. The exploit code for this vulnerability was later published within a tweet (which will not exploit the vulnerability).

I recommend updating your version of the Malware Protection Engine as soon as possible to version 1.1.13704.0 (or later) since this vulnerability when exploited by an attacker will lead to them obtaining system level access (NT AUTHORITY\SYSTEM)(defined)(namely the highest level of privilege within a Windows system) over an affected system.

====================
Also today Adobe issued two security bulletins for the following products:

Adobe Experience Manager Forms (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As always the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:
Microsoft Malware Protection Engine
Microsoft Office
Microsoft Edge
Internet Explorer
Microsoft SMB (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 10th May 2017:
=======================
I wish to provide information on other notable updates from May 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.1.1

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 1 security fix.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 15 security vulnerabilities. The steps to install the drivers are detailed here.

I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Malwarebytes:
=======================
This update to Malwarebytes 3.1 (specifically v3.1.2.1733) resolves more than 1 security vulnerability (exact numbers and further details are not available).

Malwarebytes typically roll out updates in waves meaning it may be sometime before you receive this update. If the update is not automatically downloaded and installed in a timely manner, it is available from this link. Manual installation and general troubleshooting steps are available here.

=======================
Apple security updates:
=======================
Updates were made available by Apple on the 15th of May for iTunes for Windows, Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, and iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

Further information on the content of these updates is available this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.7.20 (Build 286). This update resolves 3 important vulnerabilities relating to the driver the tool uses for scanning. Any previous version of the tool should update automatically when opened to the most recent version.

=======================
VideoLAN VLC:
=======================
=======================
Update: 25th May 2017:
=======================
Yesterday VideoLAN released version 2.2.6 of VLC for Windows only. It resolves the security issues listed below (assuming at least 2 heap overflows (given their use of the plural form)). This list came from the NEWS.txt file after installing version 2.2.6 since the detailed release notes on VideoLAN’s website have not yet been updated (and may not be until 2.2.6 is officially made available for macOS and Linux systems).

The update is currently being distributed via their automatic updater (upon opening VLC) and manually from their website (unexpectedly that page also contains tarballs for Linux):

Changes between 2.2.5.1 and 2.2.6:
———————————-

Video output:
* Fix systematic green line on nvidia
* Fix direct3d SPU texture offsets handling

Demuxer:
* Fix heap buffer overflows

———————————-

It was not known at the time version 2.2.5.1 was made available that the correction of “Fix potential out-of-band reads in subtitle decoders and demuxers” were actually security issues assigned to 4x CVEs discovered by CheckPoint security.

=================
Late last week VideoLAN released version 2.2.5.1 of VLC. This update is available for Linux, Apple Mac OS X and Windows. It addresses (at least) 13 security issues mentioned here (I’ll explain my numbering using the list below). This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

1. Security hardening for DLL hijacking environments
2. Fix potential out-of-band dereference in flac decoder
3. Fix potential out-of-band reads in mpeg packetizers
4. Fix incorrect memory free in ogg demuxer
5. Fix potential out-of-band reads in subtitle decoders and demuxers
6. Fix ADPCM heap corruption (FG-VD-16-067)
7. Fix DVD/LPCM heap corruption (FG-VD-16-090)
8. Fix possible ASF integer overflow
9. Fix MP4 heap buffer overflows
10. Fix Flac metadata integer overflow
11. Fix flac null-pointer dereference
12. Fix vorbis and opus comments integer overflows and leaks
13. The plugins loading will not load external DLLs by default. Plugins will need to LoadLibrary explicitly.

=======================
Notepad++:
=======================
On the 14th of May, Notepad++ made available a new version updating it to version 7.4. While it is not a security update it includes a security related improvement namely: Improve certificate verifying method.

This version has since been updated to version 7.4.1 to resolve a number of non-security issues. If you use Notepad++, please consider updating to the most recent version to benefit from the security improvement and the bug fixes it includes.

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
GIMP (photo editor):
=======================
The open source ((the source code (human readable code) is free to view and edit by the wider IT community) photo editor GIMP has made available version 2.8.22 which resolves one security vulnerability. If you use this editor, please update it to this version (or later).

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here , here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel)(defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise this year again highlights this short coming which secure coding practices e.g. Microsoft’s SDL and Adobe’s SPLC (among others) were intended to reduce.

Of note is; Mozilla Firefox released Firefox 52.0.1 to resolve an integer flow vulnerability in less than 1 day after it’s disclosure during Pwn2Own; a fantastic response time.

=======================
Update: 28th March 2017:
=======================
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

=======================
Update: 11th April 2017:
=======================
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6  in Acrobat/Reader (assuming near sequential CVEs and the team names attributed top them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

March 2017 Security Updates Summary

As you know Microsoft and Adobe released their scheduled monthly security updates. For Microsoft this release was anticipated especially since last month’s set was delayed.

Within the above linked to post I predicted Microsoft would make a large number of updates and they did just that. 17 bulletins in total are now available. These updates address 138 vulnerabilities listed within Microsoft’s new Security Update Guide. These vulnerabilities are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within their March summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.
====================

Adobe issued two security bulletins today. One affecting Adobe Flash and the other for Adobe Shockwave Player. The Flash Player bulletin resolves 8x priority 1 vulnerabilities. While the Shockwave bulletin resolves 1x priority 2 vulnerability. These priority rating are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which was made available last week.

If you use Flash or Adobe Shockwave, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
Update: 22nd March 2017:
=======================
I wish to provide information on other notable updates from this month which I would recommend you install if you use these software products:

Notepad++ version 7.3.3

VideoLAN VLC Media version 2.2.5 (release currently in progress)

Malwarebytes Anti-malware version 3.0.6 CU3 (with Component package version: 1.0.75):
It is unknown how many vulnerabilities this addresses but this forum post mentions their resolution.

Malwarebytes Anti-malware version 3.0.6 CU4 addresses further vulnerabilities.

More details of the vulnerabilities resolved by Malwarebytes 3.0.6 CU3 have emerged. Researchers responsibly disclosed a technique which uses Microsoft’s Application Verifier to hijack an anti-malware application. More details of this vulnerability are available here and here.

Mozilla Firefox 52.0.1 (more details in this post on Pwn2Own 2017)

VMware Workstation 12.5.4 (relevant security advisories are here and here)

VMware ESXi, Fusion and VMware Workstation 12.5.5 (the relevant security advisory is here). This advisory resolves the vulnerabilities disclosed during Pwn2Own 2017 for the above listed products.

Wireshark 2.2.5 and 2.0.11

Putty 0.68 (while released in February; it contains important security changes)

Apple Security Updates: updates are available for iTunes, iTunes for Windows, Pages, Numbers, Keynote (for macOS and iOS), Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, macOS Server, iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

=======================

For the 17 Microsoft bulletins this month, I will prioritize the order of updates for you below:

====================
Critical severity:
Windows Graphics Component

Windows SMB Server

Microsoft Edge

Internet Explorer

Windows Hyper-V

Windows PDF

====================
Important Severity
====================
The update for Microsoft Office should be installed next due to it’s criticality. With the follow updates after it:

Microsoft Exchange

Microsoft IIS

Active Directory Federation Server

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.