Tag Archives: TPM

November 2019 Update Sumamry

Apologies this notification is late due to my professional commitments.

As expected, on Tuesday 12th November Adobe and Microsoft made available their scheduled security updates. Adobe addressed 11 vulnerabilities with Microsoft also addressing 74 vulnerabilities more formally known as CVEs (defined).

====================
Adobe Animate CC: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Bridge CC: 2x Priority 3 CVEs resolved (2x Important severity)

Adobe Illustrator CC:  3x Priority 3 CVEs resolved (1x Critical severity and 2x Important severity)

Adobe Media Encoder: 5x Priority 3 CVEs resolved (1x Critical severity and 4x Important severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities).
====================

Within Microsoft’s monthly summary; there are Known Issues for 13 Microsoft products but all have workarounds or updates available to resolve  them.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Microsoft Graphics Component (Win32k Graphics): CVE-2019-1441

Microsoft Graphics Component (OpenType font Parsing): CVE-2019-1419

Microsoft Scripting Engine: CVE-2019-1429 , CVE-2019-1426 , CVE-2019-1427

Microsoft Exchange Server: CVE-2019-1373

Windows Media Player: CVE-2019-1430

Windows Hyper-V: CVE-2019-1398 , CVE-2019-0719 , CVE-2019-1397 , CVE-2019-0721 , CVE-2019-1389

STMicroelectronics TPM (defined) Security Advisory

Please install the remaining less severe updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves  5 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Intel Security Advisories:
====================
Intel have released a series of security advisories this month. The critical and high priority advisories are the following:

Critical
2019.2 IPU – Intel® CSME, Intel® SPS, Intel® TXE, Intel® AMT, Intel® PTT and Intel® DAL Advisory

High
2019.2 IPU – Intel® Graphics Driver for Windows* and Linux Advisory

2019.2 IPU – Intel® SGX and TXT Advisory

2019.2 IPU – Intel® Processor Security Advisory

The remaining advisories are of medium priority:
2019.2 IPU – Intel® Processor Machine Check Error Advisory

2019.2 IPU – Intel® Processor Graphics Update Advisory

2019.2 IPU – Intel® TXT Advisory

2019.2 IPU – Intel® SGX with Intel® Processor Graphics Update Advisory

2019.2 IPU – Intel® Processor Graphics SMM Advisory

If you use any of the affected software or products, please update them as soon as possible especially in the case of the critical and high severity advisories.

====================
VMware
====================
VMware made available two security advisories, one of Important severity and the other of Moderate severity to addresses vulnerabilities within the following products:

Important Severity Advisory:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

Moderate Severity Advisory:
VMware ESXi
VMware Workstation
VMware Fusion

If you use the above VMware products, please review the advisories and apply the necessary updates.

====================
Nvidia
====================
In early November Nvidia made available Windows driver updates for their Geforce, Tesla and Quadro/NVS GPUs as well as their vGPU software (for Linux and Windows).  All vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider updating your drivers to the most recent available.

Further updates were made available for the NVFlash tool (not applicable to end users) and Nvidia Geforce Experience. To resolve the local vulnerabilities within Geforce Experience  apply the necessary update by opening Geforce Experience which will automatically update it or the update can be obtained from here.

Infineon TPM Chips Patched Against Disclosed Vulnerability

With the release of Microsoft’s security updates last week; Infineon published a security advisory relating to a vulnerability discovered by security researchers in 2012.

Why should this vulnerability be considered important?
The vulnerable hardware is mostly to be found within corporate computers from manufacturers such as HP, Fujitsu and Lenovo. Google Chromebooks, routers and some Internet of Things (IoT)(defined). The vulnerability allows an attacker to determine a private (defined) encryption key when it has been generated by a vulnerable TPM (Trusted Platform Module) using only the public key (defined). Once the private key has been obtained it can be used by an attacker to decrypt the contents of a Microsoft BitLocker encrypted hard drive, to digitally sign fake software releases, to sign malware (making it appear more legitimate) as well impersonating the legitimate owner of the private key.

This vulnerability also affects cryptographic smart cards, security tokens and other secure hardware chips manufactured by Infineon. An estimate 760k devices are thought to be vulnerable while the true number could be up to three times that amount.

While the researchers were able to verify an attacker could derive the private key from 1024 and 2048 but public key, they were unable to do so for 4096 bit key since “a 4096-bit RSA key is not practically factorizable now, but “may become so, if the attack is improved.” For 1024 and 2048 bit keys, the factorisation can be easily parallelised by x number of CPUs, reducing the time taken by x times (where x is the number of cores a CPU has) allowing completion in hour or days.

How can I protect myself from this vulnerability?
Microsoft’s advisory provides the recommended steps for systems using Windows or other Microsoft products e.g. Active Directory Certificate Services (ADCS), Active Directory Directory Services (ADDS) (among others). The updates they recommend are only a workaround for the vulnerability. The vulnerability must still be resolved by applying updates to the vulnerable TPM chips. This advice also includes clearing the TPM and re-generating the necessary keys only after applying the updates from Microsoft.

Similarly Google made available Chrome OS M60 to mitigate this vulnerability. Further links to other affected vendors are listed below:

Fujitsu

HP Customer Support

HP Enterprise Support

Lenovo

Toshiba

Thank you.