This month’s security patches from Microsoft have gained attention from the media as well as the information security community. Microsoft has pushed patches to address 79 vulnerabilities, with 23 rated critical, 2 reported as publicly known, and 1 being actively exploited in the wild but rated only as Important. Here are the main highlights:

1. Windows Remote Desktop Services (RDP) Remote Code Execution Vulnerability (CVE-2019-0708): This is the most critical vulnerability and poses a high risk to organizations. It could give an attacker full privileged access by sending a specially crafted request to the target system’s Remote Desktop Service over RDP, and it requires no user interaction to be exploited. It is a Remote Code Execution (RCE) and a ‘wormable’ vulnerability. The affected versions are Win7, Win2008 and Win2008 R2; Microsoft has also issued patches for the out-of-support versions WinXP and Win2003. Systems running affected versions with port 3389 open should install the patch ASAP. Workarounds include enabling Network Level Authentication (NLA) and blocking port 3389 at the edge router. Patches for the out-of-support versions are available on a separate page (https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708).
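
The following is an added example, not part of the original post, that audits a single host for the workarounds listed above: whether RDP is enabled, whether NLA is required, whether the RDP port is bound, and whether the fix is installed. It assumes the standard Terminal Server registry values, uses netstat and Get-WmiObject instead of newer cmdlets so that it also runs on Win7/2008, and leaves the KB id of the update as a placeholder to be filled in from Microsoft’s guidance page for that OS. Run it in an elevated PowerShell.

```powershell
# Added example (not from the original post): audit one host for the CVE-2019-0708
# workarounds (NLA on, 3389 not bound, fix installed). Run in an elevated PowerShell.
# Assumptions: standard Terminal Server registry values; $FixKb is a placeholder the
# operator fills in from the MSRC guidance page for this OS.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"
$FixKb  = 'KBxxxxxxx'   # placeholder: update id for this OS from the MSRC guidance page

$os         = (Get-WmiObject Win32_OperatingSystem).Caption
$rdpEnabled = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaOn      = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication -eq 1
$port       = (Get-ItemProperty -Path $RdpTcp -Name PortNumber).PortNumber

# Is the RDP port actually bound? netstat output is parsed so the check also works on Windows 7.
$listening = [bool](netstat -ano | Select-String -Pattern "TCP\s+\S+:$port\s+\S+\s+LISTENING")
$patched   = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

if     (-not $rdpEnabled) { $verdict = 'RDP disabled' }
elseif ($patched)         { $verdict = 'Fix installed' }
elseif ($nlaOn)           { $verdict = 'Unpatched; NLA blocks unauthenticated exploitation, patch soon' }
else                      { $verdict = 'Unpatched and exposed: Patch Now' }

New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    OS           = $os
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaOn
    RdpPort      = $port
    Listening    = $listening
    FixInstalled = $patched
    Verdict      = $verdict
}
```

Two caveats when reading the verdict: NLA only forces authentication before the vulnerable code path is reached, so it stops unauthenticated exploitation but does not replace the patch, and the edge-router block on 3389 can only be confirmed from outside the network, not from the host itself.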

2. Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0725): as in the previous months of 2019, DHCP remains under scrutiny by security researchers. This Remote Code Execution (RCE) vulnerability in DHCP Server could allow a remote, unauthenticated attacker to execute arbitrary code by sending a specially crafted packet. Like the RDP vulnerability above, it requires no user interaction to be exploited. There is no publicly known exploit; however, this vulnerability is likely to be weaponized.

3. Windows Error Reporting Elevation of Privilege Vulnerability (CVE-2019-0863): this is an Elevation of Privilege (EoP) vulnerability in one of the Windows components. It could allow an attacker to execute arbitrary code in kernel mode and then install programs; view, change, or delete data; or create new accounts with full user rights. However, the attacker would first need to log on to the system.

4. Microsoft Guidance to Mitigate Microarchitectural Data Sampling (MDS) Vulnerabilities (ADV190013): this has been dubbed “ZombieLoad”. It is a subclass of the speculative execution vulnerabilities and joins the CPU vulnerabilities Foreshadow, Meltdown and Spectre. There are currently no patches for this vulnerability. However, the MDS vulnerabilities have been classified as low to medium severity, and there are no reports of any real-world exploits. The likelihood of exploitation is low, since exploiting the MDS vulnerabilities outside the controlled conditions of a research environment is a complex undertaking.

The rest of the vulnerabilities could be new attack vectors for social engineering. We rate the MS patches for this month as “Patch as Scheduled”, except for the RDP and DHCP patches, which are designated “Patch Now”. The rest of the month’s vulnerabilities should be mitigated by user education and by email and web-proxy hygiene, to prevent users from handling files or links from unknown or questionable sources.

Links:

·   https://portal.msrc.microsoft.com/en-us/security-guidance

·   https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/e5989c8b-7046-e911-a98e-000d3a33a34d 

·   CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability

·   CVE-2019-0725 | Windows DHCP Server Remote Code Execution Vulnerability

·   CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability

·   ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

·   MDS | https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html 

·   ZombieLoad | https://zombieloadattack.com/


Adobe: 

Adobe released patches to address vulnerabilities in Acrobat and Reader, Flash, and Adobe Media Encoder. In order to exploit the vulnerabilities, an attacker would need to convince the victim to click on a malicious link.

The Adobe vulnerabilities receive the “Patch as Scheduled” designation.

·   https://helpx.adobe.com/security.html

Meltdown/Spectre/ZombieLoad:

As mentioned above, Microsoft has released an Advisory for the Microarchitectural Data Sampling (MDS) Vulnerabilities (ADV190013) dubbed “ZombieLoad”. The guidance from InfoSec continues to fall into the broad outline of:

·   Consult with your vendors

·   Test aggressively (especially around the MS Reg-hack)

·   Patch and update your firmware

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
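
As an added example (not part of Microsoft’s advisory or the original post), the script below shows where a host stands on the three points above: what the OS reports for the MDS mitigations, and whether the “Reg-hack” override values are set. It assumes PowerShell 5.1 with PowerShellGet, so that Microsoft’s SpeculationControl module can be installed from the PowerShell Gallery, and that the override values live under the Memory Management key as in Microsoft’s guidance; the MDS-specific output properties are selected by name pattern rather than hard-coded, and the -Quiet switch of recent module versions is assumed.

```powershell
# Added example (not Microsoft's advisory text): report this host's MDS mitigation state
# and the "Reg-hack" override values. Assumptions: PowerShell 5.1 + PowerShellGet; the
# SpeculationControl module is Microsoft's published checker from the PowerShell Gallery.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$regs = Get-ItemProperty -Path $MemMgmt
foreach ($name in 'FeatureSettingsOverride', 'FeatureSettingsOverrideMask') {
    $value = $regs.$name
    if ($null -eq $value) { "$name : (not set, OS defaults apply)" } else { "$name : $value" }
}

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
$state = Get-SpeculationControlSettings -Quiet   # -Quiet suppresses the narrative output

# Only the MDS-related fields matter for ADV190013; the remaining fields cover
# Spectre/Meltdown/Foreshadow. Names are matched by pattern, not hard-coded.
$state.PSObject.Properties |
    Where-Object { $_.Name -like '*MDS*' } |
    Select-Object Name, Value
```

If no MDS fields appear in the output, the installed module predates ADV190013 and should be updated before drawing conclusions. The registry overrides should normally be left unset unless your vendor guidance says otherwise, which is why the script only reports them; the firmware/microcode half of the mitigation has to come from the OEM update.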

Please always remember the rules of safe patching:

·   Deploy to test/dev environment before production

·   Deploy to a pilot/test group before the whole organization

·   Have a plan to roll back if something doesn’t work

·   Test, test, and test! 


Should you have any questions, please feel free to leave a comment. Also, make sure you click Follow if you would like to stay aware of what Microsoft and Adobe release regularly to patch security vulnerabilities.



Summary: The January MS Security update bundle is categorized as “Patch as Scheduled”, except for the DHCP client patch in Win10 version 1803 which is categorized as “Patch Now”. Adobe Flash is “Patch as Scheduled”.

*******

Microsoft: MS addressed 48 vulnerabilities, with 7 rated critical, 1 publicly disclosed, and none reported as being actively exploited. A particular vulnerability was discovered affecting the DHCP client in Win10 and Server version 1803 (CVE-2019-0547). This DHCP Client vulnerability is considered a “wormable” bug because code execution would happen through a widely available listening service. Given the expected impact, the patch should be prioritized. The publicly disclosed vulnerability is CVE-2019-0579, a Jet Database Engine Remote Code Execution Vulnerability.

The vulnerabilities could be new attack vectors for social engineering. However, there are no exploits currently in the wild for the publicly disclosed vulnerability. We rate the January MS patches as “Patch as Scheduled”, except for the DHCP Client patch. This month’s vulnerabilities should be mitigated by user education and by email and web-proxy hygiene, to prevent users from handling files or links from unknown or questionable sources.


Adobe: In addition to the unscheduled patch released on Jan 3rd for Acrobat Reader, Adobe released additional security patches for Flash, Connect, and Adobe Digital Editions. The Flash patch does not address any security bugs and only provides bug fixes. The Connect patch addresses a single CVE correcting a security token exposure. Similarly, the patch for Digital Editions fixes a single CVE, an out-of-bounds read. None of these issues were listed as publicly known or under active attack at the time of release. The Adobe vulnerabilities receive the “Patch as Scheduled” designation.


Meltdown/Spectre: The guidance from InfoSec continues to fall into the broad outline of:

  • Consult with your vendors
  • Test aggressively (especially around the MS Reg-hack)
  • Patch everything

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002

******

Please always remember the rules of safe patching:

  • Deploy to test/dev environment before production
  • Deploy to a pilot/test group before the whole organization
  • Have a plan to roll back if something doesn’t work
  • Test, test, and test!



Legend:

  • Patch Now: 1-2 weeks
  • Patch as scheduled: 4-6 weeks

The Yoga 2 Pro from Lenovo (Model# 20266) has a known issue with constant flashing that doesn’t stop unless you close the lid or shut down the system. The flashing didn’t start until I upgraded from 8.1 to Windows 10 (Home & Pro).

Well, after intense research for over 2 years, I’ve finally figured it out. Here are the magic steps:

  • Run the Intel HD Graphics utility (GfxUIEx.exe) as an Administrator (or it will crash). You can do this in either of the following ways:
    • From the Windows menu: press the Windows logo key on your keyboard, type “GfxUIEx.exe”, then right-click the result and choose Run as administrator.
    • From CMD.exe, run this command: runas /user:Administrator GfxUIEx.exe. You will then have to enter the admin’s password.
  • After you open the Intel HD Graphics Utility, do the following:
    • Click on Display -> change the Refresh Rate to 48p Hz -> click APPLY
    • Click on Power -> On Battery -> disable the “Panel Self-Refresh” option -> click APPLY


Updating the BIOS and all the other drivers didn’t really make a difference. All you have to do is apply the steps above and your problem should be solved. Next time you wanna buy a device, make sure you buy reliable hardware 🙂


It’s always good to have a one-stop shop when you try to host a website or application online, but that might not be the best bang for your buck. So you end up hosting the application with one vendor, having your domain managed by a different one, and maybe using G Suite or O365 as your email system; this is my case, picking and choosing the best options depending on business requirements and potential growth. So I decided to use https://domains.google as the domain registrar for a client I worked with, though it sometimes comes with challenges.

Google Domains provides a cheap, lightning-fast, and intuitive service compared to other providers. It cost me $12 a year per domain. You get all the features offered by other registrars plus 2-factor authentication to protect your dashboard.

One of the challenges is the need to manually create MX records based on your email provider, and A records for your domain as well as its sub-domains. When you create a sub-domain from cPanel, you need to create a record that points to the newly created folder (sub-domain). To do so, follow the steps below:

  1. Log in to https://domains.google
  2. Go to DNS
  3. Scroll down until you reach Custom records
  4. In the first box, type the name of the sub-domain (in my case the sub-domain is “test.mysite.com”, so you type test)
  5. In the second box, select the record type, which is A
  6. In the third box, you can leave the default value (1H)
  7. In the fourth box, type the IP address of the server (this should be the same as the IP address used for www and @)
  8. Now save, and test by opening the link in a browser (http://test.mysite.com). It should work like a charm!
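
The following added example (not part of the original post) checks the record from steps 4 to 8 by asking the zone’s own name servers, so that an answer cached by your local resolver for the 1H TTL from step 6 cannot hide a typo. It assumes the post’s placeholder names (“mysite.com” and “test”) and that Resolve-DnsName from the DnsClient module (Windows 8/2012 and later) is available.

```powershell
# Added example (not from the original post): confirm the new sub-domain's A record
# matches www and @ (step 7), querying the zone's authoritative name server directly.
# Assumptions: 'mysite.com'/'test' are placeholders; Resolve-DnsName is available.

function Test-SubdomainRecord {
    param(
        [string]$Zone = 'mysite.com',
        [string]$Sub  = 'test'
    )
    # Authoritative name server for the zone (first NS record returned).
    $ns = (Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop |
           Where-Object { $_.Type -eq 'NS' } | Select-Object -First 1).NameHost

    # A record(s) for a name as one sorted, comma-joined string so that multi-homed
    # names still compare cleanly; '' when the name does not resolve.
    function Get-ARecords([string]$Name) {
        try {
            $ips = Resolve-DnsName -Name $Name -Type A -Server $ns -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
            return (@($ips) | Sort-Object) -join ','
        } catch {
            return ''   # NXDOMAIN or no A record: the record is missing or not saved yet
        }
    }

    $apex = Get-ARecords $Zone
    $www  = Get-ARecords "www.$Zone"
    $sub  = Get-ARecords "$Sub.$Zone"

    New-Object PSObject -Property @{
        NameServer = $ns
        Apex       = $apex
        Www        = $www
        SubDomain  = $sub
        # Step 7: the sub-domain must point at the same IP as www and @.
        Consistent = ($sub -ne '') -and ($sub -eq $apex) -and ($www -eq $apex)
    }
}

Test-SubdomainRecord -Zone 'mysite.com' -Sub 'test'
```

If Consistent is false but the dashboard shows the record, either the save did not go through or the record name contains the full host (“test.mysite.com”) instead of just “test”, which produces “test.mysite.com.mysite.com”.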

GREM test-taking guide

Posted: January 7, 2018 in Defense, Misc

When I decided to take this course, I signed up for the OnDemand one. What I like about OnDemand courses is that the course is available for 4 months. Not only that, you have access to a group of great mentors at your fingertips. They will try to answer your questions and help you with any point you can’t figure out. I strongly urge you to use their service to ask any question or discuss any related topic that crosses your mind as you go through the course.

Now, remember, if you intend to take the course, you need to know that it is a bit dense and requires a technical “understanding” of programming languages, computer architecture, and software engineering in general. You don’t need to be a developer to bloom in this field, but the more knowledge you have in these areas, the easier it is to absorb the material and apply it to your future investigations. By taking this course you will be able to do the following:

  • Set up a Malware Analysis Lab
  • Learn how to use debuggers and disassemblers
  • Perform behavior analysis of a malware sample
  • Perform static analysis of a malware sample
  • Learn the fundamentals of Assembly language
  • Analyze Microsoft Office files with macros (doc, xls, ppt), PDF files, and Win32 samples, and perform memory analysis with Volatility
  • Analyze unpacked and packed malware
  • Learn about common malware obfuscation and de-obfuscation methods

Note that the list above is not exhaustive; there are more topics, tips, and tricks in the course. Always remember that the course itself is not your only resource for learning the material. On many occasions I found myself on YouTube searching for multiple explanations of technical terms or further details on assembly instructions. Pausing the SANS video and doing some searching to better understand the material is part of the course. You should find yourself repeating video segments multiple times to make sure you understand the point; otherwise, you won’t be able to apply it in real life.

In addition, you need to complete 2 tasks as you go through the study material:

  1. Create your own summary of the concepts, principles, how-tos, and your understanding of any methodology learned throughout the course. This becomes your play-book and your future reference. Personally, I keep a notebook with handwritten notes. My future plan is to digitize my notes so that they are accessible and retained for longer.
  2. Create your index for the test. My strategy was to have an Excel spreadsheet open. Any term, command, or concept that I felt was important, I highlighted in the book with a highlighter and typed into my Excel file along with the book number and page number.

I can’t stress enough that I still find myself using my notes and index. They are not just for passing the test; they are your reference when you need it.

The key to any technical course is practicing. Find a good reverse engineering CTF to hone your skills and remember, “Practice makes Perfect!”

1. Check the hash of the downloaded file before you get started to ensure the file isn’t corrupt. If you’re having issues downloading large files, try using Firefox or a download manager.

2. Download the VMware OVF Tool.

3. From your Windows machine, run CMD.exe and execute the following commands:

   – cd “C:\Program Files\VMware\VMware OVF Tool\”

   – ovftool.exe “D:\HoneyDrive_3_Royal_Jelly.ova” “D:\HoneyDrive_3_Royal_Jelly.ovf”

   Note: this step should take up to 5 minutes. If you get error messages in this step, go back to step 1, download the OVA file again, and make sure it’s not corrupt by comparing the hash of the downloaded file with the hash posted by the file owner.

4. Open VMware. From the Home screen, choose Open Virtual Machine, select the file with the OVF extension, and click Open.

   If you get an error message, click Retry. If you get another error message, then the HoneyDrive file you downloaded must be corrupt.
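
As an added example that is not part of the original post, the script below performs the hash check from step 1 and the conversion from step 3 in one go, refusing to convert a download whose hash does not match. It assumes the paths from the post, that the expected hash (left as a placeholder) is the one published by the file owner, and that Get-FileHash (PowerShell 4 and later) is available.

```powershell
# Added example (not from the original post): verify the OVA hash, then convert it.
# Assumptions: paths as in the post; $ExpectedSha256 is a placeholder for the hash
# published by the file owner (choose -Algorithm to match what they publish).

$Ova     = 'D:\HoneyDrive_3_Royal_Jelly.ova'
$Ovf     = 'D:\HoneyDrive_3_Royal_Jelly.ovf'
$OvfTool = 'C:\Program Files\VMware\VMware OVF Tool\ovftool.exe'
$ExpectedSha256 = '<hash published by the file owner>'   # placeholder

# Step 1: refuse to convert a corrupt or tampered download. -ne compares case-insensitively.
$actual = (Get-FileHash -Path $Ova -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for $Ova`n expected: $ExpectedSha256`n got:      $actual`nRe-download (Firefox or a download manager) and retry."
}

# Step 3: convert. ovftool returns a non-zero exit code on failure.
& $OvfTool $Ova $Ovf
if ($LASTEXITCODE -ne 0) { throw "ovftool failed with exit code $LASTEXITCODE" }
"Converted: $Ovf (open it in VMware via Open Virtual Machine)"
```

Checking the hash before the conversion saves the five-minute wait described in step 3 when the download is bad, and it is also the only check that tells a truncated download apart from a modified one.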

Source: http://www.unixarena.com/2014/03/vmware-ovf-tool-convert-ova-ovf.html

One cheap and easy way to do a disk acquisition without buying an expensive physical write-blocker is to use a USB external drive or a cable-connecting device (USB IDE/SATA external connector) together with a Windows Registry key change that enables write-protection.

To update the registry, there are 3 tasks:

  1. Back up the Registry in case something fails while modifying the keys.
  2. Modify the Registry key to enable the write-protection feature:
    1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
    2. Right-click the Control key -> New -> Key
    3. Type in the key name: StorageDevicePolicies
    4. Press Enter
    5. Right-click the newly created key called StorageDevicePolicies -> New -> DWORD Value
    6. Type in the name on the right side: WriteProtect
    7. Press Enter
    8. Right-click the newly created DWORD value and click Modify
    9. Change the value from 0 to 1
    10. Click OK
  3. Save the exported Registry file for future use.

NOTE: you can export the key and save it for future use to simplify the process of updating the Registry key and also to minimize errors every time you need to write-block a USB device.
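
The three tasks above as one script, added here as an example and not taken from the cited GCFI chapter: it backs up the key, creates StorageDevicePolicies and sets WriteProtect, and exports the finished key so it can be re-imported next time. It assumes an elevated PowerShell session and uses the Desktop as the location for the exported .reg files; both paths are the operator’s choice.

```powershell
# Added example (not from the GCFI chapter): enable or disable the USB write-protect
# policy with a backup first and an export afterwards. Run in an elevated PowerShell.
# Assumptions: .reg files go to the current user's Desktop (operator's choice).

$Key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'   # PowerShell path
$RegPath = 'HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'    # reg.exe path
$OutDir  = "$env:USERPROFILE\Desktop"

function Set-UsbWriteProtect {
    param([ValidateSet(0, 1)][int]$Value)

    # Task 1: back up the key before touching it (only possible if it already exists).
    if (Test-Path $Key) {
        reg.exe export $RegPath "$OutDir\StorageDevicePolicies-backup.reg" /y | Out-Null
    }

    # Task 2: create the key if needed and set WriteProtect to the requested value.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name WriteProtect -PropertyType DWord -Value $Value -Force | Out-Null

    # Task 3: export the finished key so it can be re-applied with "reg import <file>".
    reg.exe export $RegPath "$OutDir\usb-writeprotect-$Value.reg" /y | Out-Null

    Get-ItemProperty -Path $Key -Name WriteProtect | Select-Object WriteProtect
}

Set-UsbWriteProtect -Value 1    # block writes to USB mass-storage devices
# Set-UsbWriteProtect -Value 0  # restore normal behaviour after the acquisition
```

The policy is applied when a USB mass-storage device is enumerated, so connect the evidence drive only after the value is set. It is a software control honoured by Windows, not a hardware blocker, so hashing the device before and after the acquisition is still the way to prove nothing was written.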


For more information, search for “USB Registry write-blocker”


Source: GCFI, ed4, Ch4