Tag Archives: VLC

May 2017 Security Updates Summary

Today Microsoft and Adobe made available their expected monthly security updates.

Microsoft’s updates address 57 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog while not updated since last month doesn’t contain this months updates yet.
====================

Before continuing with this months updates I wanted to provide information on a critical out of band (un-scheduled) update made available by Microsoft yesterday to address a vulnerability responsibly disclosed (defined) by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy within Microsoft’s Malware Protection Engine. The full list of affected products is listed within their security advisory. The exploit code for this vulnerability was later published within a tweet (which will not exploit the vulnerability).

I recommend updating your version of the Malware Protection Engine as soon as possible to version 1.1.13704.0 (or later) since this vulnerability when exploited by an attacker will lead to them obtaining system level access (NT AUTHORITY\SYSTEM)(defined)(namely the highest level of privilege within a Windows system) over an affected system.

====================
Also today Adobe issued two security bulletins for the following products:

Adobe Experience Manager Forms (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As always the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:
Microsoft Malware Protection Engine
Microsoft Office
Microsoft Edge
Internet Explorer
Microsoft SMB (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 10th May 2017:
=======================
I wish to provide information on other notable updates from May 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.1.1

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 1 security fix.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 15 security vulnerabilities. The steps to install the drivers are detailed here.

I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Malwarebytes:
=======================
This update to Malwarebytes 3.1 (specifically v3.1.2.1733) resolves more than 1 security vulnerability (exact numbers and further details are not available).

Malwarebytes typically roll out updates in waves meaning it may be sometime before you receive this update. If the update is not automatically downloaded and installed in a timely manner, it is available from this link. Manual installation and general troubleshooting steps are available here.

=======================
Apple security updates:
=======================
Updates were made available by Apple on the 15th of May for iTunes for Windows, Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, and iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

Further information on the content of these updates is available this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.7.20 (Build 286). This update resolves 3 important vulnerabilities relating to the driver the tool uses for scanning. Any previous version of the tool should update automatically when opened to the most recent version.

=======================
VideoLAN VLC:
=======================
=======================
Update: 25th May 2017:
=======================
Yesterday VideoLAN released version 2.2.6 of VLC for Windows only. It resolves the security issues listed below (assuming at least 2 heap overflows (given their use of the plural form)). This list came from the NEWS.txt file after installing version 2.2.6 since the detailed release notes on VideoLAN’s website have not yet been updated (and may not be until 2.2.6 is officially made available for macOS and Linux systems).

The update is currently being distributed via their automatic updater (upon opening VLC) and manually from their website (unexpectedly that page also contains tarballs for Linux):

Changes between 2.2.5.1 and 2.2.6:
———————————-

Video output:
* Fix systematic green line on nvidia
* Fix direct3d SPU texture offsets handling

Demuxer:
* Fix heap buffer overflows

———————————-

It was not known at the time version 2.2.5.1 was made available that the correction of “Fix potential out-of-band reads in subtitle decoders and demuxers” were actually security issues assigned to 4x CVEs discovered by CheckPoint security.

=================
Late last week VideoLAN released version 2.2.5.1 of VLC. This update is available for Linux, Apple Mac OS X and Windows. It addresses (at least) 13 security issues mentioned here (I’ll explain my numbering using the list below). This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

1. Security hardening for DLL hijacking environments
2. Fix potential out-of-band dereference in flac decoder
3. Fix potential out-of-band reads in mpeg packetizers
4. Fix incorrect memory free in ogg demuxer
5. Fix potential out-of-band reads in subtitle decoders and demuxers
6. Fix ADPCM heap corruption (FG-VD-16-067)
7. Fix DVD/LPCM heap corruption (FG-VD-16-090)
8. Fix possible ASF integer overflow
9. Fix MP4 heap buffer overflows
10. Fix Flac metadata integer overflow
11. Fix flac null-pointer dereference
12. Fix vorbis and opus comments integer overflows and leaks
13. The plugins loading will not load external DLLs by default. Plugins will need to LoadLibrary explicitly.

=======================
Notepad++:
=======================
On the 14th of May, Notepad++ made available a new version updating it to version 7.4. While it is not a security update it includes a security related improvement namely: Improve certificate verifying method.

This version has since been updated to version 7.4.1 to resolve a number of non-security issues. If you use Notepad++, please consider updating to the most recent version to benefit from the security improvement and the bug fixes it includes.

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
GIMP (photo editor):
=======================
The open source ((the source code (human readable code) is free to view and edit by the wider IT community) photo editor GIMP has made available version 2.8.22 which resolves one security vulnerability. If you use this editor, please update it to this version (or later).

VideoLAN Releases VLC Version 2.2.4

In early June the open source media player VLC created by the VideoLAN non-profit organization was updated to version 2.2.4.

This update is available for Linux, Apple Mac OS X and Windows. It addresses 2 security issues mentioned here (1x VLC issue and a 3rd party library issue detailed in this security advisory). This update is available for download for the above operating systems from this page.

One other noteworthy addition is that when VLC 3.0 is released it will feature High Entropy ASLR (Address Space Layout Randomization (defined)). I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog. I will be very pleased to see it present in this upcoming version.

If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

Thank you.

VideoLAN Releases VLC Version 2.2.3

Last week the well-known open source media player VLC created by the VideoLAN non-profit organization was updated to version 2.2.3.

This update is available for Linux, Apple Mac OS X and Windows. It addresses at least 3 security issues (more details are not readily available) mentioned here (3rd party library security issues), here (stack overflow (defined) and here (RealRTSP module). This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to benefit from the security fixes version 2.2.3 includes as well as the more than 30 general software bugs that were also addressed.

Thank you.

VideoLAN Releases VLC Version 2.2.2

Yesterday the popular open source media player VLC created by the VideoLAN non-profit organization was updated to version 2.2.2.

This update is available for Linux, Apple Mac OS X and Windows. It addresses several security issues mentioned here and here. Among them is the Logjam security issue. This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to benefit from the security fixes version 2.2.2 includes as well as the more than 100 general software bugs that were also addressed.

Thank you.

The Logjam Attack: What You Need To Know

A new attack against the Diffie Hellman protocol has been made public. This weakness allows an attacker (a man in the middle (MITM)) to downgrade the key exchange protocol Diffie Hellman to 512-bit export-grade cryptography. When the TLS (Transport Layer Security) connection is secured using this few bits, it becomes vulnerable to being broken (i.e. obtaining the session key) meaning that the connection can then be eavesdropped upon.

Why is this important?
The Diffie Hellman protocol is used to secure many everyday websites using HTTPS (this makes the lock icon appear or for your browser address bar to display green). Samples of what Extended Validation certificates look like within your web browser are shown on this page. EV certificates are less common than standard single domain name certificates but these images should assist in conveying how widely used HTTPS really is. More information on TLS/SSL is available in this podcast.

Diffie Hellman is also frequently used when accessing servers remotely using SSH and within VPNs (including IPSec VPNs). VPNs are commonly used to access servers in your workplace from outside of your workplace or when using a public internet connection e.g. a coffee shop’s free WiFi.

As detailed in a technical report on this attack (see Page 3: Table 1) since a large number of devices use the same prime number (upon which the most efficient algorithm namely number field sieve for breaking a Diffie Hellman secured connection is based) this means that the time needed to break the connection is significantly reduced. Using this attack (see Page 7: Table 2), the times for breaking common Diffie Hellman secured connections are shown below:

512 bit: Linear Algebra Stage: 7.7 years; Descent Time: 10 minutes

768 bit: Linear Algebra Stage: 28,500 years; Descent Time: 2 days (within reach of academic researchers)

1024 bit: Linear Algebra Stage: 35 million years; Descent Time: 30 days (within reach of a nation state)

Source: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Excellent articles on the impact of this attack and other background information can be found in this blog post and this post.

Recommended Actions:
I refer you to the section titled “What should I do?” within this page for advice on next steps.

Today I tested Mozilla Firefox (v38.0.1), Google Chrome (v43.0.2357.73, 64 bit, Beta Channel) and Internet Explorer (v11.0.19) to check if they were vulnerable to this attack.

You can check your browser by the visiting this page (also mentioned above). The result will be shown at the top of the page for you.

Both Firefox and Chrome at the time of writing were vulnerable, this is likely to be resolved very soon by both browser vendors.

IE 11 was not vulnerable to this attack (most likely since Microsoft issued MS15-055 as part of its May security updates). However since Microsoft Research is credited as a contributor along with many other computer scientists of the above mentioned report its plausible that this gave them advance notice of the issue to resolve it sooner.

If you use WinSCP, you should ensure you have the latest version installed so that you are no longer vulnerable to Logjam and other more recent OpenSSL vulnerabilities.

Update: 20th May 2015: A ComputerWorld blog post provides a table showing which browsers are currently patched against this flaw.

Update: 2nd June 2015: VideoLAN, the creators of VLC have created a ticket within their bug tracker concerning proposed changes to VLC in response to the Logjam flaw.

Update: 7th February 2016:
VideoLAN have updated their VLC media player to version 2.2.2 which addresses the Logjam security issues within their product. Further details are available in a more recent blog post.

Update: 21st May 2015: OpenSSL has published a blog post with a discussion of the Logjam attack, upcoming changes in OpenSSL in response to this attack and provides a means to check if your OpenSSL server installation is vulnerable.

Update: 31st January 2016: To further protect against the Logjam attack the OpenSSL project have now increased the length of the Diffie-Hellman handshake parameters to 1024 bits. Further details are available in this security advisory.

Update: 11th June 2015:
OpenSSL released a security advisory today to resolve 7 CVEs one of which was a workaround for the Logjam security flaw. The change made to resolve this flaw was to reject Diffie-Hellman handshake requests for parameters shorter than 768 bits. A later release of OpenSSL will extend this to 1024 bits. I would advice updating your OpenSSL installations as soon as possible to mitigate these vulnerabilities (usually by using your Linux package manager to install the applicable updates).

Update: 2nd July 2015: On the 30th of June, Apple released fixes for OS X and iOS to address the Logjam flaw within those products.

Update: 3rd July 2015: Today Mozilla released Firefox 39 and Firefox ESR (Extended Support Release) 38.1 and ESR 31.8 to address the Logjam flaw within those products.

Update: 10th July 2015: I have verified that the Opera web browser is not vulnerable to Logjam since version 30.0.1835.52 released on the 9th of June 2015.

In addition, at the time of writing (10th July 2015), Google Chrome v43.0.2357.132 (Stable, 64 bit) and Google Chrome v44.0.2403.81 (Beta, 64 bit) remain vulnerable to Logjam.

Update: 24th July 2015: At the time of writing (24th July 2015), Google Chrome v44.0.2403.107 (Stable, 64 bit) and Google Chrome v44.0.2403.89 (Beta, 64 bit) remain vulnerable to Logjam.

Update: 28th July 2015: Google Chrome v44.0.2403.125 (Stable, 64 bit) remains vulnerable to Logjam. However Google Chrome v45.0.2454.15 (Beta, 64 bit) includes a fix for Logjam. I have verified it is no longer vulnerable.

Update: 12th August 2015: Google Chrome v44.0.2403.155 (Stable, 64 bit) remains vulnerable to Logjam.

Update: 13th August 2015: OpenSSH has released v7.0 which addresses the Logjam issue within it’s implementation.

Update: 25th August 2015: VideoLAN, the creators of VLC have closed the ticket that I mentioned above (see update: 2nd June 2015) since they have resolved the Logjam issue within their code for the upcoming version 2.2.2 of VLC. A related ticket involving a regression (an unintentional introduced software bug/error) caused by the changes they made was also resolved.

Update: 3rd September 2015: Google Chrome v45.0.2454.85 (Stable, 64 bit) is no longer vulnerable to the Logjam issue since it includes the fix mentioned in the 28th of July entry (above).

I hope that the above advice assists you in securing your servers and computer systems from this new attack. I will update this article when more information concerning updates for web browsers becomes available.

Thank you.

April 2015 Security Updates Summary

On Tuesday the 14th of April Microsoft made available its anticipated security updates resolving 26 CVEs. The individual products affected are detailed in the Security Bulletin Summary. Any Known Issues are also summarized there.

In addition, Adobe also made available updates for Flash Player, ColdFusion and Adobe Flex. Further details are available in the Adobe PSIRT blog post. 24 CVEs in total were resolved.

Oracle (includes Oracle Java) (98 CVEs resolved), Google Chrome (45 security fixes) and VideoLAN VLC for Windows (1 CVE resolved) were also updated last week. For VLC I would recommend that you update to 2.2.1 if you have not already done so since 2.2.0 also included fixes for 5 other CVEs.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————-
Security Updates Calendar (as mentioned within the heading “Information on Security Updates” within the Protecting Your PC page):
http://www.calendarofupdates.com/updates/index.php?act=calendar

US Computer Emergency Readiness Team (CERT) (as mentioned within the heading “Information on Security Updates” within the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible. I would like to mention that Microsoft’s MS15-034 update should be prioritized for installation before all other updates due to its severity and ease of exploitation.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.