Tag Archives: Windows Print Spooler

May 2020 Update Summary

I hope this posts finds you doing well in these difficult times.

I’m writing this post early to highlight the availability of 2 important updates, for Mozilla Firefox and Google Chrome. I’ll update the post when Adobe and Microsoft release their expected security updates.

Thank you and please stay safe.

====================
Update: 19th May 2020
====================
Sorry for not updating this post sooner.

As scheduled both Adobe and Microsoft released their monthly security updates addressing 36 vulnerabilities and 111 vulnerabilities (respectively). These vulnerabilities are more formally known as CVEs (defined).

Adobe’s updates for this month are as following:

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

Adobe DNG Software Development Kit (SDK): 12x Priority 3 CVEs resolved (4x Critical and 8x Important severity)

Adobe have since released further security updates:

Adobe Audition: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Character Animator: 1x Priority 3 CVE resolved (1x Critical severity)

Adobe Premiere Pro: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Premiere Rush: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

If you use the above Adobe products, please install these updates as soon as possible since they resolve multiple critical vulnerabilities. Similar to January, March and April no updates for Adobe Flash were released.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows Graphics Component: CVE-2020-1135

Visual Studio Code Python Extension: CVE-2020-1058, CVE-2020-1060, CVE-2020-1171 , CVE-2020-1192

Microsoft Internet Explorer: CVE-2020-1062

VBScript Remote Code Execution Vulnerability: CVE-2020-1035

Microsoft Edge CVE-2020-1056 , CVE-2020-1059 , CVE-2020-1096

Microsoft SharePoint: CVE-2020-1023 , CVE-2020-1024, CVE-2020-1102

Windows kernel: CVE-2020-1054CVE-2020-1143

Windows Media Foundation: CVE-2020-1126

Microsoft Color Management: CVE-2020-1117

Windows Print Spooler: CVE-2020-1048

Microsoft Windows Transport Layer Security Denial of Service Vulnerability: CVE-2020-1118

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are staying safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the first week of May, Mozilla released Firefox 76 and Firefox ESR (Extended Support Release) 68.8 to resolve the following vulnerabilities:

Firefox 76.0: Addresses 3x critical severity CVEs, 2x high severity CVEs, 4x moderate CVEs and 1x low CVE

Firefox 68.8 ESR: Addresses 3x critical severity CVEs, 2x high severity CVEs and 2x moderate severity CVEs

Firefox 76 introduces a new password manager (with the ability to generate difficult to guess passwords) which includes a means of detecting if a password was part of a password breach and now requires changing or the use of the same password on multiple websites.

An improved picture in picture experience is also included. Firefox 76.0.1 has since been released resolving non-security issues such as crashing add-ons e.g. the Amazon Assistant extension and crashing with Nvidia GPU drivers on Windows 7 32 bit (my thanks to Bogdan Popa of Softpedia.com and Mozilla for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 81.0.4044.138 for Linux, Mac and Windows to resolve 3 security vulnerabilities with the most severe 2 issues being of high severity.

In mid-May, Google released version 83 of Google Chrome for Linux, Mac and Windows resolves 38 security vulnerabilities and adds multiple security features and features such as tab groups.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
VMware
====================

VMware released 3 security advisories this month to resolve vulnerabilities within the following products:

====================

Advisory 1: Severity: Critical:

VMware vRealize Operations Application Remote Collector (ARC)

Advisory 2: Severity: Important

VMware Cloud Director

Advisory 3: Severity: Important

VMware ESXi

VMware Workstation Pro / Player (Workstation)

VMware Fusion Pro / Fusion (Fusion)

VMware Remote Console for Mac (VMRC for Mac)

VMware Horizon Client for Mac

====================

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.

Protecting Against the Windows 10 Task Scheduler Zero Day Vulnerability

====================
Update: 5th September 2018:
====================
As previously advised; exercising caution when receiving emails with attachments will keep you safe from the following malware now exploiting this vulnerability.

Your anti-malware software will likely also protect you from this exploit since the majority of vendors are detecting (verified using VirusTotal) the file hashes listed in the security firm Eset’s blog post:

Eset have detected attackers delivering an exploit for this vulnerability via email. The exploit targets victims in the following countries:

  • Chile
  • Germany
  • India
  • Philippines
  • Poland
  • Russia
  • Ukraine
  • United Kingdom
  • United States

The attackers have made small changes of their own to the published proof of concept code. They have chosen to replace the Google Updater (GoogleUpdate.exe)(which runs with admin privileges (high level of integrity)) usually located at:

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

They replace the updater with a backdoor application of their own that is run with the highest privilege namely System level integrity. This is a stage one of their attack. If the attackers find anything of interest on the infected system a second stage is downloaded allowing them to carry out any commands they choose, upload and download files, shutting down an application or parts of Windows of their choice and listing the contents of the data stored on the system.

The attackers also use the following tools to move from system to system across (laterally) a network: PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

Thank you.

====================
Original Post:
====================
With the disclosure early last week of zero day vulnerability (defined) I wanted to provide some advice on staying safe while a patch from Microsoft is being developed.

What systems are affected and how can an attacker use this vulnerability to compromise systems?
Once this pre-developed working exploit is delivered to a 64 bit Windows 10 system it can be used to provide an attacker with the highest level of privilege (System level access) on that system allowing them to carry out any action they choose. They can achieve this by changing permissions on any file stored on a system thus giving them the ability to replace/change any file. When a system service executes what it believes to be a legitimate file but is instead the attacker substituted file; the attacker obtains the privileged access of that service.

The effectiveness of this exploit has been verified by Will Dorman from the CERT/CC. 32 bit versions of Windows are also affected. For Windows 8.1 and Windows 7 systems; the exploit would require minor changes before it can result in the same level of effectiveness (but may be inconsistent on Windows 7 due to the hardcoded XPS printer driver (defined) name within the exploit).

An attacker must already have local access to the systems they wish to compromise but could obtain this using an email containing an attachment or another means of having a user click on a link to open a file. The base CVSS score of this vulnerability is 6.8 making it make of medium severity for the above reasons.

How can I protect myself from this vulnerability?
Standard best practice/caution regarding the opening of email attachments or clicking links within suspicious or unexpected email messages or links from unknown sources will keep you safe from the initial compromise this exploit code requires to work correctly.

The advisory from the CERT/CC has also been updated to add additional mitigations. BEFORE deploying these mitigations please test them thoroughly since they can “reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates”.

A further option you may wish to consider is the deployment of the following micropatch from 0Patch. This patch will automatically cease functioning when the relevant update from Microsoft is made available. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

Further advice on detecting and mitigating this exploit is available from Kevin Beaumont’s post.

Thank you.