Tag Archives: Valve

August 2019 Update Summary

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2 Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager:1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to ”The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS):  CVE-2019-1181 CVE-2019-1182  CVE-2019-1222, and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144  CVE-2019-1152  CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-201-5521 (from the above linked to advisory) to also exploit CVE-2019-5684 to exploit Nvidia’s GPU driver (see below) to gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Nvidia late last week issued a related security advisory to that of the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Bapiste Kempf explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP , Lexmark, Kyocera , Brother , Ricoh and Xerox Printers
=======================
The following links details the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter a security researcher from Pen Test Partners disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to CloudFlare these vulnerabilities are already being exploited “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

Botnet Targeted Unpatched Counter-Strike Vulnerabilities

In mid-March the security firm Dr. Web published details of a botnet (defined) they were able to shut down affecting players of the classic first-person shooter (FPS) game; Counter-Strike 1.6.

Why should this development be considered significant?
The report made available by Dr. Web showed that at it’s height the botnet resulting from the distribution of the Trojan (defined) Belonard numbered up to 39% of all the available game servers (1951 out of 5000) listed for Counter-strike gamers to choose from.

How were gamers systems infected?
One of the popular services offering servers to play on exploited 2 zero day (defined) remote code execution vulnerabilities within the 1.6 version of the Counter-Strike client to install Trojan Belonard within a gamer’s system. Researchers from Dr. Web found that this game remains very popular and can be played by 20,000 individuals on average at a time.

Counter-Strike can make use of dedicated servers that gamers can choose to connect to. These servers offer reduced lag, greater reliability while some monetised servers offer access to special weapons and protection against bans.

In an example scenario, a gamer might launch the official Steam gaming client. The client automatically will display a list of servers the player can connect to. Those with the lowest (lower is better) ping rate will be displayed at the top of the list. This list will also contain publicly available Valve (the company which created and maintains the Steam client) servers. However, the Trojan Belonard once it has infected a system it re-orders the servers offered to another system (placing them high in the list you see) in order to spread further. You may think you are connecting to a server with a low ping when in fact connecting to a malicious server which then infects your system with the Trojan. It does this by exploiting a remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device) vulnerability within the Counter-Strike client. A more detailed description and diagram is available from Dr. Web’s analysis of this threat. Your system will now contribute to spreading the Trojan by re-ordering the server list we discussed above.

The botnet herder did this in order to make more money since their other more legitimate servers would also be displayed high in the list of servers and those charge a fee for their use.

What happened to this botnet?
Dr. Web was successful in disrupting this botnet by coordinating with the registrar of the reg.ru domain name to shut down the websites used by the Trojan thus protecting new gamers from becoming infected. Furthermore, the domain generation algorithm (DGA)(defined); is being monitored by Dr. Web in order to continue to sinkhole (defined) the domains the malware attempts to use to continue spreading itself.

How can I protect myself from this threat or clean it from my system if I am already infected?
Unfortunately; the only way to prevent this botnet from being re-activated by whoever created it is for the zero-day vulnerabilities within the Counter-Strike client to be patched. Given the age and lack of financial reward to Valve to do this; that is unlikely.

If you suspect or know your system is infected with this malware; update your anti-malware software and run a full system scan. If this does not remove the malware you can use the free version of Malwarebytes to perform a scan and remove the malware. If you suspect any remnants remain you can use the additional anti-malware scanners linked to on this blog to remove them. In this case; RogueKiller, AdwCleaner and PowerEraser would be the most suitable for this malware.

Thank you.

Valve Resolves Steam Gaming Client Vulnerability

The games company Valve Corporation known primarily for their gaming client Steam have updated it to resolve a critical vulnerability which has been inadvertently present within Steam for the last 10 years.

Why should this vulnerability be considered important?
Due to the many millions of Steam users and the fact this vulnerability is remotely exploitable (since the attacker does not need to first have access to the victim system) makes this vulnerability more serious. An attacker would only have needed to send malformed UDP (defined) packets to a victim system for it to have Steam carry out instructions of their choice.

This vulnerability was a buffer overflow (defined) within one of Steam’s internal libraries (the general concept of a code library is defined here); more specifically code that dealt with UDP datagram reassembly.

How can I protect myself from this vulnerability?
In July 2017, the Steam client added Address Space Layout Randomisation (ASLR)(defined) making exploitation of the vulnerability more difficult which would then only crash the Steam client. If however an attacker combined an information leak which exposed the memory address of vulnerable library, even with ASLR enabled the result would have been the same.

Valve patched this vulnerability on April 4th. The Steam client by default updates automatically. Please open it and allow it to update to resolve this vulnerability.

Thank you.