Monthly Archives: March 2020

Two unpatched remote code execution flaws in Adobe Type Manager Library affect all Windows Versions. Keep the mitigations forever!

29 March 2020

Mohit Kumar’s post (1), published on The Hacker News last Monday, should frighten every user who has not yet migrated to Windows 10.

The good news is that this vulnerability requires user interaction. Microsoft states in security advisory ADV200006 (2) that “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.” As always, user training is crucial!

In addition, the impact on Windows 10 users is limited because the malicious code runs in an AppContainer, which is destroyed once the preview is closed.

The bad news is that Microsoft is aware of attacks that exploit this vulnerability (it is being exploited in the wild), and a patch is not yet available.

In the meantime, Microsoft provides important mitigations in ADV200006. These mitigations must be kept in place permanently on all pre-Windows 10 systems for which no Extended Security Update (ESU) support is available.

The most interesting mitigation is to “Disable the Preview Pane and Details Pane in Windows Explorer”. I always disable preview features in Explorer and Outlook. Simply put, a preview requires that the document is “executed”, so the preview may also execute embedded malicious code.

My advice for all critical infrastructure operators is:

  • Deactivate all preview features in the Windows OS and in all applications.
  • Deactivate any kind of macros and scripting without notification.
  • Deactivate all trusted locations in all applications.
  • And, of course, users must not be able to reverse these settings.

With this, the security baseline is raised at moderate effort.
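As an added example (not code from the original post, and not Microsoft’s own workaround script), the following PowerShell script applies the four points of the list above as Group Policy registry values, so that a standard user cannot undo them, and then reads every value back as a compliance check. It assumes Office 2016 or later (policy branch 16.0) and that the value names NoReadingPane and NoPreviewPane (Explorer Preview and Details panes), VBAWarnings (macro setting) and AllLocationsDisabled (trusted locations) are the registry values behind the corresponding administrative-template policies; verify them against your ADMX templates. In a domain, deploy the same values through a GPO rather than running the script per machine. Outlook’s reading pane is not covered here.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Microsoft. Applies the
# post's four hardening points through Group Policy registry values.
# Assumptions: Office 2016 or later (policy branch "16.0"); NoReadingPane /
# NoPreviewPane (Explorer panes), VBAWarnings (macros) and AllLocationsDisabled
# (trusted locations) are the registry values behind the matching ADMX policies.

$ErrorActionPreference = 'Stop'

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# One table drives both the enforcement and the audit below.
$officeVersion  = '16.0'   # assumption: Office 2016 / 2019 / Microsoft 365
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$settings = @(
    # 1. Preview features in the OS: the two Explorer panes named in the ADV200006 workaround.
    @{ Path = $explorerPolicy; Name = 'NoReadingPane'; Value = 1 }   # "Turn off Preview Pane"
    @{ Path = $explorerPolicy; Name = 'NoPreviewPane'; Value = 1 }   # "Turn off Details Pane"
)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $security = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    # 2. Macros: 4 = "Disable all macros without notification".
    $settings += @{ Path = $security; Name = 'VBAWarnings'; Value = 4 }
    # 3. Trusted locations: 1 = "Disable all trusted locations".
    $settings += @{ Path = "$security\Trusted Locations"; Name = 'AllLocationsDisabled'; Value = 1 }
}

# 4. Non-reversibility: all values live under a Policies key, which only administrators
#    can write, so a standard user cannot undo them and the application UI greys the
#    corresponding options out.
foreach ($s in $settings) { Set-PolicyValue @s }

# Audit: read each value back and report drift. Exit code 1 if anything differs, so the
# script can also run as a periodic compliance check.
$drift = foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($actual -ne $s.Value) { "$($s.Path)\$($s.Name): expected $($s.Value), found '$actual'" }
}
if ($drift) { $drift | Write-Warning; exit 1 }
Write-Host "All $($settings.Count) policy values are in the expected state."
```

Because the values are written to HKCU, they apply to the user running the script; a GPO applies the same User Configuration policies to every user of the machine.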

Have a great week.


1. Kumar M. Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions [Internet]. The Hacker News. 2020 [cited 2020 Mar 29]. Available from: https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html

2. MSRC. ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability [Internet]. Microsoft Security Response Center. 2020 [cited 2020 Mar 29]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

CVE-2020-0796 – New Critical SMB V3 Vulnerability. Time to Panic?

22 March 2020

On March 12, 2020 Microsoft published a CVSS V3.1 severity 10 vulnerability in the SMBv3 protocol. CVE-2020-0796 (1), also called CoronaBlue, impacts the Windows 10 client and server versions 1903 and 1909.

The bad news first: like EternalBlue/WannaCry, CoronaBlue is a wormable remote code execution vulnerability. A single Windows 10 system with the SMBv3 protocol enabled and port 445 open to the internet is enough to infiltrate a network.

The good news is that only a few systems running Windows 10 version 1903 or 1909 have port 445 exposed to the internet. These Windows versions are simply too new.

Nevertheless, immediate patching is required because a proof of concept exploit code was published on March 14, 2020.

In addition, Microsoft recommends deactivating SMBv3 compression until the patches are installed and activated (2).

But the most important advice Microsoft gives is:

Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks.

This advice holds for all SMB versions. There is no need to access Windows systems via the SMB protocol from the internet, so this protocol should be blocked at the internet-facing firewall of every DMZ. No exceptions! Apparently, some thousands of CISOs do not care:

Windows systems with SMB ports open to the internet.

Have a great week. And check your firewall rules!
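As an added example (not code from the original post or from Microsoft), the following PowerShell script turns the post’s advice into a host-side check for a Windows 10 machine: it reports whether the host runs one of the affected releases, whether the fix is installed, whether the advisory’s SMBv3 compression workaround is in place, and which enabled inbound firewall rules allow TCP 445 on public networks. With the -Remediate switch it applies the compression workaround and adds a host-firewall block rule for inbound TCP 445 on the Public profile. The KB number of the fix is a placeholder to be taken from the Microsoft advisory; the host firewall is a second line of defence behind the perimeter firewall the post talks about, not a replacement for it.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Microsoft. Audits a Windows 10
# host against the CVE-2020-0796 guidance and optionally applies the two host-side
# controls: the advisory's SMBv3 compression workaround and a block rule for TCP 445.
param(
    [string] $PatchKb = 'KB0000000',   # placeholder: take the KB number from the advisory
    [switch] $Remediate                 # without this switch the script only reports
)
$ErrorActionPreference = 'Stop'

function Get-Cve20200796Status {
    $cv       = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release  = [string]$cv.ReleaseId                  # e.g. 1903 or 1909
    $affected = $release -in @('1903', '1909')         # the releases named in the post
    $patched  = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    # Advisory workaround: DisableCompression = 1 under the LanmanServer parameters.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $compressionOff = (Get-ItemProperty -Path $params -Name DisableCompression `
                          -ErrorAction SilentlyContinue).DisableCompression -eq 1

    # Enabled inbound "allow" rules that open TCP 445 on the Public profile or on all profiles.
    $open445 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '445')
        }

    [pscustomobject]@{
        ReleaseId         = $release
        Affected          = $affected
        Patched           = $patched
        CompressionOff    = $compressionOff
        Port445AllowRules = @($open445 | Select-Object -ExpandProperty DisplayName)
    }
}

$status = Get-Cve20200796Status
$status | Format-List

if ($Remediate) {
    if ($status.Affected -and -not $status.Patched -and -not $status.CompressionOff) {
        # Workaround from the Microsoft advisory; the update itself supersedes it.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name DisableCompression -Type DWord -Value 1 -Force
        Write-Host 'SMBv3 compression disabled.'
    }
    # An explicit block rule takes precedence over any allow rule for the same port.
    $ruleName = 'Block inbound SMB (TCP 445) on public networks'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
        Write-Host "Firewall rule '$ruleName' created."
    }
}
```

Run it without arguments to get the report; pass -Remediate (and the real KB number via -PatchKb) to apply the controls. The report’s Port445AllowRules field is the quickest way to spot a machine that would accept SMB from an untrusted network if the perimeter ever lets port 445 through.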


References

  1. NIST NVD. NVD – CVE-2020-0796 [Internet]. NIST Information Technology Laboratory. 2020 [cited 2020 Mar 22]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2020-0796
  2. MSRC. CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability [Internet]. Microsoft Security. [cited 2020 Mar 22]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Microsoft previews Microsoft Defender ATP for Linux – No reason to celebrate!

7 March 2020

At Ignite 2019, Microsoft announced that “Defender ATP is coming to Linux in 2020” (1). The preview version has been available since the end of February (2).

To be clear, I think Microsoft Defender ATP is a good product. It benefits from millions of sensors installed on consumer and company computers. And, with the entire Defender suite installed, companies can gain a good security level.

COVID-19 Virus ultrastructural morphology. Picture by CDC/ Alissa Eckert, MS; Dan Higgins, MAMS

Just to recap why we need anti-malware products: we live in an operating system monoculture. Windows is everywhere: on the clients, on the servers, in the cloud. All Windows systems are networked for reasons of efficiency. The drawback of all monocultures is that they are vulnerable to diseases. COVID-19 is a current example in the real world; WannaCry and NotPetya are well-known examples in cyberspace.

Microsoft loves Linux and has started implanting genes from the Windows DNA into the Linux DNA: the .NET framework, PowerShell, Windows Defender ATP. Since cost pressure in IT is high, companies will start using these products.

Good for the EBIT, bad for cyber security. PowerShell, for example, is often used in malware attacks (3). It is merely a matter of time before cyber attackers start leveraging PowerShell on Linux. Living-off-the-land attacks will then work on Linux and Windows alike, in the worst case with no changes to the code. With that, Linux becomes vulnerable to attacks that so far were only known from Windows.

Operators of critical infrastructure in particular need a clear strategy for operating Microsoft products on Linux in order to keep the risk from this cross-over at an acceptable level.

For advice on securing PowerShell, see the publication “Securing PowerShell in the Enterprise” by the Australian Cyber Security Center (4).

Have a great weekend!


References

  1. Tung L. Microsoft: Defender ATP is coming to Linux in 2020 [Internet]. ZDNet. 2019 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-defender-atp-is-coming-to-linux-in-2020/
  2. Vaughan-Nichols SJ. Microsoft previews Microsoft Defender ATP for Linux [Internet]. ZDNet. 2020 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-previews-microsoft-defender-atp-for-linux/
  3. Help Net Security. 91% of critical incidents involve known, legitimate binaries like PowerShell [Internet]. Help Net Security. 2018 [cited 2020 Mar 6]. Available from: https://www.helpnetsecurity.com/2018/06/28/incidents-legitimate-binaries/
  4. Australian Cyber Security Center. Securing PowerShell in the Enterprise | Cyber.gov.au [Internet]. Australian Signals Directorate. 2019 [cited 2020 Mar 6]. Available from: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise