Tag Archives: Zero Day

October 2017 Security Updates Summary

As scheduled Microsoft released their monthly security updates earlier today. They address 62 vulnerabilities; more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month there are 4 Known Issues (kb4041691, kb4042895 , kb4041676 and kb4041681) for this month’s Microsoft updates. 2 of these issues relate to an exception error dialog box appearing, with the others causing a black screen, updates not to install in express , a BSOD and changing of display languages. Microsoft states in each link above they are working on resolutions to these issues.

====================

Update: 18th October:

On the 16th of October Adobe released Flash Player v27.0.0.170 to address a critical zero day (defined) vulnerability being exploited in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives)). The BlackOasis APT group are believed to operate in the Middle East. The group is using malicious Microsoft Office documents with embedded ActiveX controls which contain the necessary Flash exploit. This exploit later installs the FinSpy malware.

Please install this update as soon as possible for any device with Flash Player installed. Google Chrome has already automatically received the update while earlier today Windows 8.1 and Windows 10 began receiving it.

As always you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Microsoft Office Vulnerability : CVE-2017-11826 : While not critical severity since it is already being exploited by attackers namely a zero day (defined) vulnerability.

Windows DNS Vulnerabilities: Further details provided within this news article

Windows Search Service (CVE-11771): affects Windows 7 up to and including Windows 10

Windows Font Vulnerabilities: CVE-2017-11762 and CVE-2017-11763

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Nvidia Geforce Drivers:
=======================
This update (released in September 2017) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Google Chrome:
=======================
Google Chrome: includes 35 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Wireshark 2.4.2 and 2.2.10
=======================
v2.4.2: 5 CVEs (defined) resolved

v2.2.10: 3 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.2) or v2.2.10). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Oracle:
=======================
This month Oracle resolved 250 vulnerabilities. Further details and installation steps are available here. Within the 250 vulnerabilities addressed, 22 vulnerabilities were addressed in the Java runtime.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.
=======================

Proton Trojan targeting Apple macOS discovered

Earlier this month Sixgill, a cyber intelligence company provided information on a recently discovered trojan for Apple macOS systems. It is being sold on the underground Russian cybercrime forums and acts as a remote administration tool (RAT)(defined). It sells under the name of Proton for 100 Bitcoin (more than USD$100,000) but now allows unlimited installations for 40 Bitcoin or a single installation for 2 Bitcoin.

Since the trojan is a RAT (discussed above) it allows an attacker to have full control of a victim’s system which includes controlling file uploads and downloads, monitoring keyboard presses, taking screenshots and webcam surveillance.

Sixgill theorizes the trojans developers bypassed/worked around Apple’s Developer ID program allowing this “application” to appear harmless while possibly exploiting an unknown zero day vulnerability (defined) within macOS to root privileges (defined) over the victim system.

How can I protect myself from this malware?
Since the trojan allows full control of an over an infected system, this will complicate removal since the attackers could easily attempt to resist or undo removal actions. Malwarebytes state this trojan is not in widespread use and they have been unable so far to obtain a sample of it. Moreover, VirusTotal did not have a sample to provide to them.

Apple added detections for this trojan to their XProtect (defined) anti-malware security feature; however as detailed in this TechRepublic article the trojans creators can easily modify it to avoid Apple’s signatures.

Further information on this trojan is available in this Softpedia article. TechRepublic provides a detailed list of recommendations within their article to prevent infection by this threat.

Thank you.

US CERT Warns of Possible SMB Zero Day Vulnerability

Earlier this month saw the end of operations for a group known as the Shadow Brokers (who were responsible for the disclosure of critical security vulnerabilities in enterprise networking infrastructure). Their online auction of exploits remains open.

Among the exploits for sale is a possible zero day (defined) SMB (defined) exploit for Windows. With the potential use of this exploited predicted, the US-CERT issued a security advisory, which suggested disabling SMB version 1 and disabling the use of SMB version 2 at the network perimeter (preventing external access or internal traffic reaching outside of the corporate network). As previously noted on this blog, securing the use of SMB version 2 in this manner will also protect against the Redirect to SMB vulnerability.

These recommendations should better secure your corporate network against this exploit as well as future vulnerabilities.

Thank you.

December 2016 Security Updates Summary

Today Microsoft and Adobe released their scheduled monthly security updates, the final scheduled set from both vendors for 2016.

Microsoft’s made 12 bulletins available. These updates address 47 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

As with previous months, fortunately this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring that page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================
Adobe made available 9 security bulletins which included their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

The Flash Player update addresses 17x priority 1 CVEs. All of Adobe’s priority rating are explained in the previous link. The other 8 security bulletins can be summarised as follows:

Adobe Animate (APSB16-38): Addresses 1x priority 3 CVE.
Adobe Experience Manager Forms (APSB16-40): Addresses 2x priority 3 CVEs.
Adobe DNG Converter (APSB16-41): Addresses 1x priority 3 CVE.
Adobe Experience Manager (APSB16-42): Fixes 4x priority 2 CVEs.
Adobe InDesign (APSB16-43): Fixes 1x priority 3 CVE.
Adobe ColdFusion Builder (APSB16-44): Fixes 1x priority 2 CVE.
Adobe Digital Editions (APSB16-45): Fixes 2x priority 3 CVEs.
Adobe RoboHelp (APSB16-46): Fixes 1x priority 3 CVE.

If you use Flash or any of the above products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

As always; to assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month is a little different than before since the Microsoft Internet Explorer and Microsoft Edge bulletins when combined address 6 vulnerabilities that are already publicly disclosed (defined). These should be followed by the Adobe Flash update which addresses a zero day vulnerability (defined). Next up would be Microsoft Office, the Windows Graphics component and the Microsoft Uniscribe update due to their criticality.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

November 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s made available many bulletins, 14 in total. These updates address 67 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================

Today Adobe made available one other security bulletin by Adobe affecting Adobe Connect (resolving 1x priority 3 issue) in addition to their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which was made available very shortly after Adobe’s update.

The Flash Player update addresses 9 priority 1 CVEs. If you use either of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month the previously disclosed zero day (defined) vulnerability under attacker should take first priority, it is addressed in MS16-135 Next, please prioritise the deployment of the following updates:

Microsoft Internet Explorer, Microsoft Edge, Microsoft Graphics Component , Microsoft Office, Microsoft Video Control and the Windows Security Update bulletin.

Businesses and enterprise should priorities the deployment of the SQL Server update since it addresses 6 important vulnerabilities.

As always Adobe’s Flash Player update (to version 23.0.0.207) should also be on your shortlist this month.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Disclosed Microsoft Zero Day Under Attack By APT Group

====================
Update: 8th November:
The Microsoft zero day vulnerability discussed in this post has now been patched. Please refer to this post for the appropriate information and download links.

Thank you.

====================
Original Post:
====================
Earlier this week Google publicly disclosed (defined) details of a new zero day (defined) vulnerability affecting supported versions of Windows up to Windows 10. Fortunately, the disclosure only included minimal details.

Why Should These Issues Be Considered Important?
The vulnerability disclosed by Google could result with an attacker being able to elevate their privileges (defined) on an affected system. However, when used in combination with a previously patched Adobe Flash Player vulnerability (reference previous post) this could result in a Windows system under your responsibility or in your ownership to have a backdoor (defined) installed.

Some good news is that this new exploit primarily targets organisations that operate in the following sectors (thus all other organisations are at somewhat reduced risk): government, intelligence or military organisations.

The nature of the backdoor is the decision of the attacker but would usually include a means of remaining persistent on the system and allowing the attacker to remote access the infected system. This backdoor can then be used to move data of the attacker’s choice off the affected system. The APT group known as STRONTIUM by Microsoft (other aliases used in the wider cyber security industry are APT28, also aka Sofacy aka Fancy Bear aka TsarTeam aka Sednit aka PawnStorm). STRONTIUM is also known for moving laterally throughout the network which they compromise (where the pass the hash (PtH) (defined) technique is the method of choice to do so).

How Can I Protect Myself From This Issue?
While a patch from Microsoft is in progress (scheduled for release on the 8th of November): follow safe email guidelines namely don’t click on unexpected/unsolicited links or open potentially dangerous email attachments to prevent the execution (carrying out of) the exploits actions in the first instance.

If you use the Microsoft Edge or Google Chrome web browsers the exploit for the local elevation of privilege vulnerability will be mitigated. This is due to Chrome’s sandbox (defined) blocking the use of API (defined) calls to the win32k.sys driver (defined). This in addition to its existing mitigations when installed on Windows 10 which I previously discussed.

Microsoft Edge on the other hand implements Code Integrity to prevent the next steps of exploitation.

To protect endpoints within your organisation you could consider utilising the logging capabilities of Microsoft EMET and Systinternals’ Sysmon by processing their logs using a SIEM (defined) and taking action when that SIEM a alerts you to suspicion activity. This is especially true since this exploit can occur from within web browsers, the Java JRE, Microsoft Word and Microsoft PowerPoint (namely that these applications are used to open suspicious/untrusted files).

My thanks to a colleague (you know who you are!) for compiling very useful information for this blog post.

Thank you.

October 2016 Security Updates Summary

====================
Update: 2nd November:
Last week Adobe made available an out of band (unscheduled) security update to Adobe Flash. This was due to a zero day (defined) vulnerability being exploited in limited targeted attacks (using spear phishing (defined) emails sometimes originating from previous victims of this vulnerability).

To protect your organisation or yourself from this vulnerability please install the Adobe Flash update if you make use of Flash Player on your organisations devices or your own individual systems. This link can be used to test if Flash Player is already installed.

This vulnerability is related to an APT (defined) group’s activity that is detailed in a more recent post.

Thank you.

====================
Original Post:
====================
Yesterday Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s made available 10 security bulletins. These updates address 36 vulnerabilities listed within Microsoft’s security bulletin summary (excluding the Adobe bulletin). These are more formally known as CVEs (defined).

This month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages are the best first places to check for solutions.

====================
Tuesday also saw the release of 3 security bulletins by Adobe affecting Adobe Flash Player, Adobe Acrobat/Adobe Reader and Adobe Creative Cloud Desktop.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

The Flash Player update addresses 12 priority 1 CVEs while the Adobe Acrobat/Adobe Reader security bulletin resolves 71 priority 2 CVEs. The final security bulletin published by Adobe this month fixes 1 priority 3 CVE in the Adobe Creative Cloud Desktop application.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month saw an unusually high number of 5 Microsoft zero day (defined) vulnerabilities being addressed. For this reason, please prioritise the deployment of the following updates: Microsoft Graphics Component, Microsoft Internet Explorer, Microsoft Edge, Microsoft Internet Messaging API and Microsoft Office.

Once these updates are deployed, please move onto Adobe’s Flash Player update (to version 23.0.0.185) addressing 12 critical vulnerabilities, should be installed next if you already have a previous version installed. Due to the high number of vulnerabilities patched this month in Adobe Acrobat/Adobe Reader this should be installed next if you use their PDF creation/reader software.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.