Apple issues patch for BASH

Apple has been all over the map on the BASH/Shellshock vulnerability that has dominated security news over the last week. Because OS X ships BASH as its default shell, the experts noted as soon as the bug was disclosed that Macs would be vulnerable, but Apple did not immediately offer any comment in response to queries.

After a few days, the company issued a statement saying that Macintosh computers were unlikely to be affected. According to that statement, their systems “are safe by default and are not exposed to remote exploits of Bash unless users configure advanced UNIX services.” The problem is that there is no way of knowing how many OS X users have set their Macs up as web servers (Apache with CGI scripts enabled is the classic remote path into Bash) or have enabled some other remote service, such as an SSH account restricted by a forced command, that lets untrusted input reach Bash through the environment.

Another problem is that variants of this vulnerability keep turning up; that is why the first patches from the major Linux vendors turned out to be only partially effective (the incomplete fix is tracked as CVE-2014-7169) and new patches had to be developed.

In any event, Apple has now issued its own patch for OS X Lion, Mountain Lion and Mavericks. It is called OS X bash Update 1.0 and can be downloaded from the Apple web site; a build is also available for OS X Lion Server. Each is a separate update specific to that operating system version, so make sure you grab the right one.

If you are interested in the technical details: according to Apple, the update improves detection of the end of function statements when parsing environment variables, incorporates the change that resets the parser state (the fix for CVE-2014-7169), and adds a new namespace for exported functions, so that only environment variables carrying a reserved prefix and suffix (“__BASH_FUNC<name>()”) are parsed as function definitions. That last change is what stops an arbitrary variable, such as an HTTP header passed through to BASH by a CGI script, from being treated as a function definition at all.
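To make those three changes concrete, here is an added example (not Apple’s code and not part of the bash project) that wraps the publicly circulated test strings for CVE-2014-6271 and CVE-2014-7169, and shows the CGI header-to-environment mapping that turns a web server into the remote path into bash. The header value and the probe_fn function name are constructed for the demonstration; run it against /bin/bash before and after applying OS X bash Update 1.0.

```python
"""Probe a bash binary for the Shellshock bugs.

This is an added example for this article, not Apple's code or part of the
bash project.  It wraps the publicly circulated test strings for
CVE-2014-6271 (code after an exported function body is executed while the
environment is imported) and CVE-2014-7169 (the first fix left the parser
in a bad state), and shows the CGI header-to-environment mapping that turns
a web server into the remote path into bash.  The header value and the
probe_fn name are constructed for the demonstration.
"""
import os
import shutil
import subprocess
import tempfile


def _run(bash, env, command, cwd=None):
    """Run `bash -c command` under a minimal environment; return stdout."""
    base = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    base.update(env)
    proc = subprocess.run([bash, "-c", command], env=base, cwd=cwd,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


def cgi_env_from_headers(headers):
    """RFC 3875 mapping: 'User-Agent: x' becomes HTTP_USER_AGENT=x.

    This is the step that hands attacker-controlled bytes to bash whenever a
    CGI script (or anything that spawns a shell) sits behind a web server.
    """
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def vulnerable_to_cve_2014_6271(bash):
    """True if bash executes the code that follows the function body."""
    headers = {"User-Agent": "() { :;}; echo SHELLSHOCK"}  # constructed probe
    out = _run(bash, cgi_env_from_headers(headers), "echo ok")
    return "SHELLSHOCK" in out


def vulnerable_to_cve_2014_7169(bash):
    """True if the incomplete first fix leaves a redirection dangling.

    On an affected bash `echo date` is parsed as `> echo date`, so a file
    named 'echo' appears in the working directory.
    """
    with tempfile.TemporaryDirectory() as workdir:
        _run(bash, {"X": "() { (a)=>\\"}, "echo date", cwd=workdir)
        return os.path.exists(os.path.join(workdir, "echo"))


def exported_function_variables(bash):
    """Environment variable names bash uses to export a function.

    Pre-fix bash exported `probe_fn` as a variable literally named probe_fn;
    fixed builds use a reserved namespace (upstream BASH_FUNC_probe_fn%%,
    Apple __BASH_FUNC<probe_fn>()), so an HTTP_* variable can never be
    mistaken for a function definition.
    """
    out = _run(bash, {}, "probe_fn() { :; }; export -f probe_fn; env")
    names = [line.split("=", 1)[0] for line in out.splitlines()]
    return [n for n in names if "probe_fn" in n]


def probe(bash=None):
    """Return a verdict dict, or None when no bash binary can be found."""
    bash = bash or shutil.which("bash")
    if not bash:
        return None
    return {
        "bash": bash,
        "cve_2014_6271": vulnerable_to_cve_2014_6271(bash),
        "cve_2014_7169": vulnerable_to_cve_2014_7169(bash),
        "function_namespace": exported_function_variables(bash),
    }


def is_patched(bash=None):
    """True if both probes pass and functions live in the reserved namespace."""
    verdict = probe(bash)
    if verdict is None:
        return None
    return (not verdict["cve_2014_6271"] and not verdict["cve_2014_7169"]
            and bool(verdict["function_namespace"])
            and all("BASH_FUNC" in n for n in verdict["function_namespace"]))


if __name__ == "__main__":
    print(probe())
```

On a patched bash both CVE flags come back False and the exported function shows up under the reserved namespace rather than as a variable named probe_fn; on a vulnerable build the first probe prints SHELLSHOCK before the intended command even runs, which is exactly what a crafted User-Agent header does to a CGI script.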

We should also note that those beta testers who are running OS X 10.10 (Yosemite) are out of luck at the moment when it comes to a patch. Yosemite is reportedly going to be released in October, and we would assume that the vulnerability will be fixed in the public release. However, with this OS version Apple has done something it usually doesn’t do: put out a public beta. That’s standard operating procedure for Microsoft, but it’s the first time Apple has done it in over a decade.

Those who beta test operating systems tend to be the most advanced users, and advanced users are the ones who would be most likely to enable the advanced UNIX services, play around with web services, and so forth – thus if you fall into that category, it’s important to be aware of your exposure. Luckily, most beta testers don’t use beta software for mission critical work or to process sensitive information.

The reason the BASH vulnerability has received so much attention is that it affects so many systems across so many UNIX-like operating systems, which means a large number of software vendors scrambling in parallel to get patches out for their own products. We’re glad Apple has joined the parade and made a patch available, even if “the vast majority of Macs are safe” without it.

Troubleshooting VPN client connectivity

They say a picture is worth a thousand words, and I can think of no better example in IT than a screenshot helping to troubleshoot a VPN client connectivity problem. For something so crucial to remote users, it is sad that vendors still make troubleshooting VPN issues a job that needs an admin on hand and a familiarity with arcane error messages. It is a chicken-and-egg scenario: for an admin to troubleshoot client VPN they need access to the client, which they cannot get until the VPN is working! Relying on users to do the heavy lifting guarantees exasperation for both user and admin, but it is the situation we are all in. To help troubleshoot VPN client connectivity, here are some pointers that may save you some time.

Outbound connectivity

If a remote user does not have Internet connectivity they are not going to be able to use the VPN. That sounds obvious, but far too often it is missed. Hotel captive portals are usually the culprit. Ask the user to open a web browser and go to a plain-HTTP website that you know they will not have cached, like http://www.whattimeisit.com, and have them tell you what time it is. If they are prompted to accept the T&Cs or enter their room number, you know they do not have Internet access yet. Use an HTTP rather than an HTTPS address for this: a portal that intercepts an HTTPS request produces a certificate error instead of its login page, which only confuses the user.

Depending on the type of VPN you use, the required outbound ports and protocols may not make it through the firewall at the user’s location. SSL VPNs (including SSTP) only need outbound TCP 443, so if the user can browse HTTPS websites they can reach the VPN. PPTP needs TCP 1723 plus GRE (IP protocol 47), and GRE is what guest networks most often drop. IPsec VPNs need UDP 500 for IKE plus ESP (IP protocol 50), or UDP 4500 when NAT traversal is in use; L2TP/IPsec carries L2TP (UDP 1701) inside that tunnel, and AH (IP protocol 51) is rarely used because it cannot pass through NAT. Other VPN products may need UDP 10000 or other outbound connectivity that the hotel or coffee shop simply will not support. Even with Internet access, not every VPN works on every network: some guest networks permit web surfing and email protocols but block everything else, or charge extra for full connectivity, and some use a simple NAT that your VPN cannot traverse.

Look for error messages that indicate connectivity issues (see below) and if that’s the problem, work on an alternate network connection.

Permissions

Not all companies provide users with VPN access. Don’t assume that your user is allowed to use VPN unless that is open to all users, and even then you may want to make sure they belong to the right group for access. A quick check of AD can save you a lot of troubleshooting later.

Name resolution

A very wise SysAdmin once said “If DNS ain’t happy, nothing’s going to be happy” and that’s a fact. Make sure that DNS is working, that the client is able to resolve names, and is using the “right” name for your VPN endpoint. Permit ping to that VPN endpoint so that you can easily talk the user through “ping vpn.example.com” both to validate name resolution and some basic connectivity. Just remember some captive portals will still permit ping and DNS while blocking the rest until you accept or pay up.

Client software

VPN client software needs installing, updating and patching just like any other software. If you’re using Microsoft’s built-in client software, Windows Updates will take care of that, and all clients should have VPN capabilities by default. If you are using a third-party solution though, you may need to install the client, or update it if it is already installed.

Username/password

Don’t jump straight into capturing diagnostic logs and other advanced troubleshooting without first verifying the basics, and that includes the user’s credentials. Are they leaving the domain off a DOMAIN\user (SAM) logon name, or typing the SAM name where the user@domain UPN is required? Is the password correct, or is Caps Lock on? It takes 10 seconds to verify that; do so before you spend an hour on a wild goose chase.

Pro tip

Make sure every remote user tests the VPN at least once a month to be sure it is working. For any user hitting the road for the first time, have them confirm VPN before they leave the office, because you don’t want them to find out something is wrong after they depart.

Reference table

Here is a handy list of client VPN error codes for Microsoft’s operating systems, with the Windows description and the most likely explanation for each. Many of these also appear with third-party VPN solutions.

  • 628/629: The port was disconnected (by the remote machine). Typically outbound TCP 1723 is permitted on the client network but GRE is not: the client opens the TCP 1723 control connection, outbound GRE is dropped silently, and the server tears down the TCP session when LCP negotiation times out. Needs local LAN support to confirm, and to allow IP protocol 47 (GRE) outbound.
  • 633: The modem (or other connecting device) is already in use or is not configured properly. Seen when one VPN connection is already active and the user starts another. Make sure no other VPN connection is established, and verify network connectivity.
  • 678: There is no answer. Common in hotels and hotspots when the user has not yet accepted the portal terms, or when only HTTP and HTTPS traffic is allowed out. First verify the user can reach websites on the Internet, then ping the VPN FQDN, then telnet to the VPN FQDN on 1723 (or use PortQryUI) to verify connectivity.
  • 692: Hardware failure in port or attached device. TCP 1723 is blocked and the firewall answers with a RST/ACK. Consult local network support, or switch to SSTP/SSL VPN if available.
  • 711: RasMan initialization failure. Check for third-party software such as IDS/IPS or antivirus killing the connection without notifying the user.
  • 721: Remote PPP peer is not responding. Check the firewall at the client’s location: the TCP 1723 connection was made but PPP could not negotiate LCP, so outbound GRE is either dropped silently or allowed while the responses are blocked.
  • 722: The PPP packet is invalid. Consult network support at the client’s location; a PPTP “fixup”/inspection feature on a router or firewall may be mangling the packets and killing the connection.
  • 739: The remote server cannot use the Windows NT encrypted password. Configure the client to use MS-CHAPv2 (uncheck SPAP and PAP).
  • 741: The local computer does not support encryption. Check the client configuration for incorrect settings.
  • 768: The connection attempt failed because of a failure to encrypt data. Data encryption is required; check the settings of a manually configured client.
  • 785-793, 798: Various L2TP errors, including smart card errors. Check the client configuration, especially if you are using a pre-shared key. L2TP/IPsec behind NAT needs the UDP encapsulation setting (the AssumeUDPEncapsulationContextOnSendRule registry value); remember to reboot if you change it.
  • 800: Generic error. This is the client’s way of saying “Dude, eh?” when something fails but the operating system cannot determine what. Check for third-party software that could interfere with connection attempts.
  • 806: A connection between your computer and the VPN server has been started, but the VPN connection cannot be completed. The most common cause is a firewall or IPS closing the GRE connection part-way through negotiation. Check with local LAN support, especially if they run an IPS or a Check Point firewall with SmartDefense enabled.
  • 807: The network connection between your computer and the VPN server was interrupted. Your client got a RST/ACK when it tried to connect. Check whether the firewall is blocking outbound VPN connections.
  • 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. Assuming you did not just crash the VPN server, nothing is allowed outbound. Contact local network support for the client’s location.
  • 868: The remote connection was not made because the name of the remote access server did not resolve. Check your DNS. If it is correct, then something is wrong on the client’s network.

Troubleshooting VPN client connectivity doesn’t have to be a crap shoot. Follow a methodical approach, confirm the basics are in place, and you will usually find, and resolve, the issue in short order.
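As an added example (not a vendor tool and not from the original article), the script below turns the checklist above and the error-code list into something a user can run from the client side: it probes for a captive portal with a known plain-HTTP page, resolves the VPN name, tests the outbound TCP ports the VPN type needs, and maps a RAS error code to the step to start with. The VPN host name, the probe URL and the “marker” text it expects on the probe page are assumptions for illustration.

```python
"""Client-side VPN pre-flight check.

Added example for this article, not a vendor tool.  It walks the checklist
above in order (Internet access/captive portal, DNS, outbound ports) and
stops at the first failing step, and it maps the RAS error codes from the
table to the step that usually explains them.  The VPN host name, the probe
URL and the marker text are assumptions for illustration.
"""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Outbound traffic each VPN type needs.  GRE (47) and ESP (50) are IP
# protocols rather than ports, so a TCP probe cannot confirm them; they are
# listed so the operator knows exactly what to ask the local network team for.
REQUIRED = {
    "sstp": [("tcp", 443)],
    "pptp": [("tcp", 1723), ("ip", 47)],
    "l2tp/ipsec": [("udp", 500), ("udp", 4500), ("ip", 50)],
}

# RAS error codes from the table, grouped by the check that usually fails.
ERROR_STEP = {
    "internet": {678},
    "dns": {868},
    "ports": {628, 629, 692, 721, 722, 806, 807, 809},
    "client_config": {739, 741, 768, 798} | set(range(785, 794)),
    "local_client": {633, 711, 800},
}


def step_for_error(code):
    """Which checklist step to start with for a given RAS error code."""
    for step, codes in ERROR_STEP.items():
        if code in codes:
            return step
    return "unknown"


def captive_portal_suspected(status, final_url, body, expected_url, marker):
    """Judge an HTTP probe of a page whose content we already know.

    A portal answers with a redirect to its own host, a 511, or a 200 that
    carries its own page; only 'same host and the expected marker' passes.
    """
    if status in (301, 302, 303, 307, 308, 511):
        return True
    if urlparse(final_url).hostname != urlparse(expected_url).hostname:
        return True
    return marker not in body


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake completes; False on refusal (RST) or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(vpn_host, vpn_type, probe_url, marker):
    """Run the checks in order; returns a list of (step, ok, detail)."""
    results = []
    try:  # 1. Internet access / captive portal
        with urllib.request.urlopen(probe_url, timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
            portal = captive_portal_suspected(
                resp.status, resp.geturl(), body, probe_url, marker)
    except (urllib.error.URLError, OSError) as exc:
        return [("internet", False, str(exc))]
    results.append(("internet", not portal, "captive portal?" if portal else "ok"))
    if portal:
        return results
    try:  # 2. Name resolution of the VPN endpoint
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(vpn_host, None)})
    except socket.gaierror as exc:
        return results + [("dns", False, str(exc))]
    results.append(("dns", True, ", ".join(addrs)))
    for proto, port in REQUIRED[vpn_type]:  # 3. Outbound ports and protocols
        if proto == "tcp":
            results.append(("ports", tcp_reachable(vpn_host, port), f"tcp/{port}"))
        else:  # cannot be probed from here; needs the local network team
            results.append(("ports", None, f"{proto}/{port}: confirm with LAN support"))
    return results


def demo_tcp_probe():
    """Offline illustration on loopback: a listening port is reachable (the
    handshake completes from the backlog, no accept() needed); once the
    listener is closed the same port answers with RST, which is what a
    firewall that rejects outbound 1723 looks like from the client side."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=2)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=2)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback probe (open, closed):", demo_tcp_probe())
    for step, ok, detail in preflight("vpn.example.com", "sstp",
                                      "http://www.whattimeisit.com/", "time"):
        print(step, {True: "ok", False: "FAIL", None: "n/a"}[ok], detail)
```

The order matters: a captive portal makes every later step fail in confusing ways, so the script refuses to go on until the probe page comes back from the expected host with the expected content. GRE and ESP are deliberately reported as “confirm with LAN support” rather than guessed at, since a TCP connect test says nothing about whether the network forwards those IP protocols.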


Third-party patch and vulnerabilities roundup – September 2014

It’s been another interesting month on the patch and vulnerability front, but this time the focus has been less on Microsoft products (although the company did have to pull one problematic non-security patch that was causing problems for OneDrive for Business customers). The big news when it comes to updating problems, though, was the release of iOS 8, which fixed more than 50 security vulnerabilities in Apple’s mobile operating system but also introduced a multitude of bugs and functionality problems, followed by the fiasco in which Apple released a fix that caused even bigger problems and then yanked that update on the same day it was released.

Then along came Shellshock, a critical vulnerability in the BASH shell, which is the default shell in most Linux/UNIX implementations including OS X – creating a double whammy for Apple users.

Meanwhile, Adobe took the conservative course and delayed the release of its patches this month. Instead of putting them out on Patch Tuesday as is their usual practice, they waited a week in order to do further testing. No doubt they were anxious to avoid the kind of problems (and resultant PR) that they saw Microsoft deal with in August. It’s likely they were doubly glad they went with the “better late than untested” philosophy after all the iOS troubles emerged.

Apple

Apple released a total of seven updates this month (eight if you count the short-lived and no-longer-available iOS 8.0.1 update), for various products. All seven were released on September 17.

  • iOS 8 was released for the iPhone 4s and later (including the 5 and the new 6 models), the iPod touch 5th generation and later, and the iPad 2 and later. The major OS update added features and addressed 53 security vulnerabilities in the previous versions of the OS. I covered all the vulnerabilities in detail in my earlier blog post so I won’t repeat it all here.
  • Apple also released an update for OS X Mountain Lion and OS X Mavericks, the two most recent versions of its desktop/laptop operating system. It addressed more than 40 security vulnerabilities, including multiple issues in the bundled PHP (used by Apache), a validation issue in Bluetooth that could allow arbitrary code execution, an out-of-bounds memory read in CoreGraphics that could disclose information when a malicious PDF is opened, a Foundation issue in NSXMLParser that could disclose information, a user-space buffer overflow in the Intel graphics driver that could lead to arbitrary code execution, an IOKit API vulnerability, an out-of-bounds read in IOAcceleratorFamily, another in IOHIDFamily that could be used to bypass kernel ASLR, two IOKit issues that could allow arbitrary code execution with system privileges, a kernel vulnerability that could be used to bypass ASLR, a flaw in Libnotify by which malware could execute code with root privileges, multiple vulnerabilities in OpenSSL, three issues in QT Media Foundation and a heap buffer overflow in Ruby.
  • Two updates were released for OS X Server, one for version 2.2.3 running on Mountain Lion and one for version 3.2.1 running on Mavericks. Both addressed multiple vulnerabilities that include a SQL injection issue in Wiki Server, a cross-site scripting issue in Xcode Server, and multiple vulnerabilities in PostgreSQL. These are critical vulnerabilities that could result in arbitrary execution of SQL queries, arbitrary code or arbitrary JavaScript. The fixes imposed additional validation of SQL queries, improved encoding of HTML output, and updated PostgreSQL to version 9.2.7.
  • An update for Safari 6.2 and 7.1 on Mountain Lion and Mavericks addressed nine vulnerabilities in the browser itself and in WebKit. The first involved saved passwords being autofilled on HTTP sites, on HTTPS sites with broken trust and inside iframes, which could let an attacker intercept user credentials; it was fixed by restricting autofill to the main frame of HTTPS sites whose certificate chain validates. The WebKit fixes covered multiple memory corruption issues that could be used to execute arbitrary code or crash the application, as well as a flaw in how web applications could store cache data that let web sites track users even with private browsing enabled. These were addressed by improving memory handling and disabling access to the cache in private browsing mode.
  • An update was released for Xcode running on Mavericks 10.9.4 or later, to address a single vulnerability by which an attacker could cause Subversion to terminate unexpectedly, resulting in a denial of service.
  • Apple also issued an update for Apple TV (3rd generation and later), which addressed more than 30 separate vulnerabilities in various components of the Apple TV software, including those by which attackers could obtain users’ wi-fi credentials, access sensitive user information from logs, arbitrarily execute code, crash the system, cause unexpected restarts, read data from kernel memory, create a denial of service, bypass kernel hardening measures, and change permissions on files.

Adobe

As noted in my previous blog post, Adobe released two updates on September 16, a week past its normal schedule.

  • Update APSB14-20 is for Adobe Reader and Acrobat on Windows and Macintosh OS X. It addresses 8 vulnerabilities in Reader X and XI and Acrobat X and XI: a denial-of-service issue, a heap overflow, multiple memory corruption issues and a use-after-free (the last three can all lead to code execution), plus a universal cross-site scripting issue (Mac only) and a sandbox bypass (Windows only). The update is given a priority rating of 1 and the severity rating is critical on both Windows and Mac.
  • Update APSB14-21 is an update for Adobe Flash Player on Windows, Macintosh OS X and Linux. It addresses 12 vulnerabilities that could potentially allow an attacker to take control of the system. The vulnerabilities include multiple memory leakage issues that could be used to bypass ASLR, a security bypass vulnerability, a use-after-free vulnerability that can be exploited to run code, and memory corruption vulnerabilities that also can lead to code execution, as well as a vulnerability that can be exploited to bypass the same origin policy and a heap buffer overflow vulnerability that could result in execution of arbitrary code. This update is assigned a priority rating of 1 for Adobe Flash Player on Windows and Mac machines and 3 for Flash Player on Linux and Adobe AIR. The severity rating is critical for all platforms.

Google

Google updated the Chrome web browser for Windows, Mac and Linux on September 9. The update fixes 4 security vulnerabilities, including a use-after-free vulnerability and various fixes from internal audits. The new version of Chrome is 37.0.2062.120 and it includes an update for Adobe Flash.

Since this seems to be the season for problematic patches, it comes as no surprise that many users who updated to this version of Chrome were reporting issues, specifically a “Shockwave Flash has crashed” message. This isn’t an unusual occurrence; troubles with Shockwave on Chrome have been going on for a while. Here’s an article that explains a common cause of the crashes and how to fix it: How to stop Shockwave Flash crashing in Google Chrome.

Oracle

Oracle is on a quarterly release cycle, and July was the most recent month for updates. The next updates are scheduled to be released on October 14.

Mozilla

Mozilla released updates to fix a critical vulnerability in the Network Security Services (NSS) cryptographic library used by the Firefox browser, the Thunderbird mail client and other Mozilla products. The bug, dubbed BERserk, is a lenient parser for the ASN.1 structure inside PKCS#1 v1.5 RSA signatures; an attacker can exploit it to forge signatures, and therefore certificates, for keys with a small public exponent such as 3, and so impersonate a web site and trick users into revealing personal information to it. The fix is in Firefox 32.0.3, Thunderbird 31.1.2 and 24.8.1, and SeaMonkey 2.29.1. SeaMonkey is a project to develop an all-in-one Internet application suite (browser, mail, newsgroups, HTML editor, chat and web development tools).

Linux

As usual, popular Linux distros saw a large number of updates issued in September. Ubuntu issued 40 patches between September 3 and September 25. This was eleven more than were issued in August. Other commercial Linux vendors issued similar updates.

  • USN-2363-2: Bash vulnerability – 25th September 2014. USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch for CVE-2014-7169 didn’t get properly applied in the Ubuntu 14.04 LTS package. This update fixes the problem.
  • USN-2363-1: Bash vulnerability – 25th September 2014. Tavis Ormandy discovered that the security fix for Bash included in USN-2362-1 was incomplete. An attacker could use this issue to bypass certain environment restrictions.
  • USN-2360-2: Thunderbird vulnerabilities – 24th September 2014. USN-2360-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Thunderbird. Original advisory details: Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled parsing ASN.1 values. An attacker could use this issue to forge RSA certificates.
  • USN-2360-1: Firefox vulnerabilities – 24th September 2014. Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled parsing ASN.1 values. An attacker could use this issue to forge RSA certificates.
  • USN-2361-1: NSS vulnerability – 24th September 2014. Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled parsing ASN.1 values. An attacker could use this issue to forge RSA certificates.
  • USN-2362-1: Bash vulnerability – 24th September 2014. Stephane Chazelas discovered that Bash incorrectly handled trailing code in function definitions. An attacker could use this issue to bypass environment restrictions, such as SSH forced command environments.
  • USN-2359-1: Linux kernel vulnerabilities – 23rd September 2014. Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel Virtual Machine) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS memory corruption) or possibly have other unspecified impact on the host OS.
  • USN-2358-1: Linux kernel (Trusty HWE) vulnerabilities – 23rd September 2014. Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel Virtual Machine) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS memory corruption) or possibly have other unspecified impact on the host OS.
  • USN-2357-1: Linux kernel (OMAP4) vulnerabilities – 23rd September 2014. Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel Virtual Machine) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS memory corruption) or possibly have other unspecified impact on the host OS.
  • USN-2356-1: Linux kernel vulnerabilities – 23rd September 2014. Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel Virtual Machine) subsystem in the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service (host OS memory corruption) or possibly have other unspecified impact on the host OS.
  • USN-2355-1: Linux kernel (EC2) vulnerabilities – 23rd September 2014. Chris Evans reported a flaw in the Linux kernel’s handling of iso9660 (compact disk filesystem) images. An attacker who can mount a custom iso9660 image either via a CD/DVD drive or a loopback mount could cause a denial of service (system crash or reboot).
  • USN-2354-1: Linux kernel vulnerabilities – 23rd September 2014. Chris Evans reported a flaw in the Linux kernel’s handling of iso9660 (compact disk filesystem) images. An attacker who can mount a custom iso9660 image either via a CD/DVD drive or a loopback mount could cause a denial of service (system crash or reboot).
  • USN-2353-1: APT vulnerability – 23rd September 2014. It was discovered that APT incorrectly handled certain http URLs. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to cause APT to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2352-1: DBus vulnerabilities – 22nd September 2014. Simon McVittie discovered that DBus incorrectly handled the file descriptors message limit. A local attacker could use this issue to cause DBus to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2351-1: nginx vulnerability – 22nd September 2014. Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that nginx incorrectly reused cached SSL sessions. An attacker could possibly use this issue in certain configurations to obtain access to information from a different virtual host.
  • USN-2350-1: NSS update – 22nd September 2014. The NSS package contained outdated CA certificates. This update refreshes the NSS package to version 3.17 which includes the latest CA certificate bundle.
  • USN-2349-1: Libav vulnerabilities – 17th September 2014. It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.
  • USN-2319-3: OpenJDK 7 update – 16th September 2014. USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides stability fixes for the arm64 and ppc64el architectures. Original advisory details: Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability.
  • USN-2348-1: APT vulnerabilities – 16th September 2014. It was discovered that APT did not re-verify downloaded files when the If-Modified-Since wasn’t met. (CVE-2014-0487) It was discovered that APT did not invalidate repository data when it switched from an unauthenticated to an authenticated state. (CVE-2014-0488) It was discovered that the APT Acquire::GzipIndexes option caused APT to skip checksum.
  • USN-2347-1: Django vulnerabilities – 16th September 2014. Florian Apolloner discovered that Django incorrectly validated URLs. A remote attacker could use this issue to conduct phishing attacks. (CVE-2014-0480) David Wilson discovered that Django incorrectly handled file name generation. A remote attacker could use this issue to cause Django to consume resources, resulting in a denial of service.
  • USN-2346-1: curl vulnerabilities – 15th September 2014. Tim Ruehsen discovered that curl incorrectly handled partial literal IP addresses. This could lead to the disclosure of cookies to the wrong site, and malicious sites being able to set cookies for others. (CVE-2014-3613) Tim Ruehsen discovered that curl incorrectly allowed cookies to be set for Top Level Domains (TLDs).
  • USN-2330-1: Thunderbird vulnerabilities – 11th September 2014. Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman and JW Wang discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service.
  • USN-2344-1: PHP vulnerabilities – 9th September 2014. It was discovered that the Fileinfo component in php5 contains an integer overflow. An attacker could use this flaw to cause a denial of service or possibly execute arbitrary code via a crafted CDF file. (CVE-2014-3587) It was discovered that the php_parserr function contains multiple buffer overflows.
  • USN-2343-1: NSS vulnerability – 9th September 2014. Tyson Smith and Jesse Schwartzentruber discovered that NSS contained a race condition when performing certificate validation. An attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2342-1: QEMU vulnerabilities – 8th September 2014. Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple issues with QEMU state loading after migration. An attacker able to modify the state data could use these issues to cause a denial of service, or possibly execute arbitrary code.
  • USN-2341-1: CUPS vulnerabilities – 8th September 2014. Salvatore Bonaccorso discovered that the CUPS web interface incorrectly validated permissions and incorrectly handled symlinks. An attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation.
  • USN-2306-3: GNU C Library regression – 8th September 2014. USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS, the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Maksymilian Arciemowicz discovered that the GNU C Library incorrectly handled the getaddrinfo() function.
  • USN-2340-1: procmail vulnerability – 4th September 2014. Tavis Ormandy discovered that the formail tool incorrectly handled certain malformed mail headers. An attacker could use this flaw to cause formail to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2339-2: Libgcrypt vulnerability – 3rd September 2014. Daniel Genkin, Adi Shamir, and Eran Tromer discovered that Libgcrypt was susceptible to an adaptive chosen ciphertext attack via physical side channels. A local attacker could use this attack to possibly recover private keys.
  • USN-2339-1: GnuPG vulnerability – 3rd September 2014. Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via physical side channels. A local attacker could use this attack to possibly recover private keys.
  • USN-2338-1: Lua vulnerability – 3rd September 2014. It was discovered that Lua incorrectly handled certain vararg functions with a large number of fixed parameters. An attacker could use this issue to cause Lua applications to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-2326-1: Oxide vulnerabilities – 2nd September 2014. A use-after-free was discovered in the SVG implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process.
  • USN-2329-1: Firefox vulnerabilities – 2nd September 2014. Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman, JW Wang and David Weir discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service.
  • USN-2337-1: Linux kernel vulnerabilities – 2nd September 2014. A flaw was discovered in the Linux kernel virtual machine’s (kvm) validation of interrupt requests (irq). A guest OS user could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0155) Andy Lutomirski discovered a flaw in the authorization of netlink socket operations.
  • USN-2336-1: Linux kernel (Trusty HWE) vulnerabilities – 2nd September 2014. A flaw was discovered in the Linux kernel virtual machine’s (kvm) validation of interrupt requests (irq). A guest OS user could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0155) Andy Lutomirski discovered a flaw in the authorization of netlink socket operations when a socket.
  • USN-2335-1: Linux kernel (OMAP4) vulnerabilities – 2nd September 2014. A flaw was discovered in the Linux kernel’s audit subsystem when auditing certain syscalls. A local attacker could exploit this flaw to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS).
  • USN-2334-1: Linux kernel vulnerabilities – 2nd September 2014. A flaw was discovered in the Linux kernel’s audit subsystem when auditing certain syscalls. A local attacker could exploit this flaw to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS).
  • USN-2331-1: LibreOffice vulnerability – 2nd September 2014. Rohan Durve and James Kettle discovered LibreOffice Calc sometimes allowed for command injection when opening spreadsheets. If a user were tricked into opening a crafted Calc spreadsheet, an attacker could exploit this to run programs as your login.
  • USN-2333-1: Linux kernel (EC2) vulnerabilities – 2nd September 2014. A bug was discovered in the handling of pathname components when used with an autofs direct mount. A local user could exploit this flaw to cause a denial of service (system crash) via an open system call.
  • USN-2332-1: Linux kernel vulnerabilities – 2nd September 2014. A bug was discovered in the handling of pathname components when used with an autofs direct mount. A local user could exploit this flaw to cause a denial of service (system crash) via an open system call.

Are you prepared for Microsoft Forefront’s EOL?

You’ve probably heard that Microsoft Forefront, including MS Forefront Protection 2010 for Exchange Server, will be discontinued. Instead, Microsoft has launched a new product line called Exchange Online Protection. Can existing Microsoft Forefront Protection customers simply migrate to the new Exchange Online Protection solution? Unfortunately, for many the answer will be ‘no’. The new Exchange Online Protection solution is a paradigm shift that is likely to be incompatible with the majority of Microsoft Forefront Protection for Exchange Server customers.

Microsoft Forefront Protection for Exchange is an on-premise solution. Hosted solutions may be popular, but people who decide to go for on-premise solutions do so for a variety of good business reasons. Exchange Online Protection on the other hand is a hosted email security solution.

Considerations

When your vendor changes direction in such a way that their product line becomes incompatible with your business needs, you need to consider a few things:

  • Do you keep using the existing product line?
  • Do you change your business strategy so you’re able to use their new product?
  • Do you stop using the old product and not replace it with anything else?
  • Do you switch vendors?

It’s easy to dismiss the points ‘use the existing product line’ or ‘simply stop using a solution altogether’. Using an old product will not offer you the level of protection your business requires – especially in the case of Microsoft Forefront Protection for Exchange. The protection it provides is dependent on content updates, which will be stopped as soon as the product line is discontinued. Likewise, a company’s change in direction does not remove the risks their previous product line used to address. Those risks, which were mitigated using the old software, didn’t reach their EOL with the old product line; they still exist and are still a risk.

This brings us to the crux of the matter.

Should you change business strategy or vendor?

Both are viable options of course but changing business strategy might be tricky to implement.

For some organizations it makes more sense to go for an on-premise solution. In most cases, the choice to opt for an on-premise solution is based on the need to mitigate risks by limiting the exposure of important data. Emails can contain confidential information and when using hosted solutions to process that data a business opens itself to various risks, such as a disgruntled employee using the content (without having permission to do so) and making money from it.

So is switching vendor the right answer?

Switching vendors can still be risky. You have no guarantee that the new vendor will not change direction in the future, and there is a new product that needs to be installed and mastered by your IT team. That said, it’s not all bad. Other vendors can offer you the same feature set you are already accustomed to. Some might also offer features over and above what Microsoft Forefront had, thus making your security model more robust. Perhaps most importantly, you’re not exposing your business to new risks just to keep the old risks associated with using an Exchange Server mitigated. That, in my opinion, is a major advantage.

If you’re a MS Forefront user you should be considering your options. GFI MailEssentials is a robust anti-spam and email filtering solution that protects your network from email-borne threats. Click here for more information

Dangerous Bash Bug lurking in Linux and OS X

A newly discovered bug in the Bash shell can be exploited to run malicious code immediately after the shell is invoked in Linux and UNIX-based operating systems. Bash shell is one of the most-used utilities for Linux/UNIX. Some security experts are calling this bug “bigger than Heartbleed.”

For those not familiar with the term, the shell is the command language interpreter that executes the commands from input devices and files. In other words, it’s the software that acts as liaison between the keyboard, mouse, or executable file and the operating system kernel. Bash stands for Bourne Again Shell and was created way back in 1989 to replace the Bourne shell. It’s the default shell on Linux and OS X, which means many or most non-Windows systems are vulnerable.

Red Hat and Fedora have already come out with patches for the bug. These are popular distros in the enterprise environment so they needed to get the fixes to their customers as quickly as possible, and it was a Red Hat security researcher who uncovered the vulnerability in the first place. Ubuntu, one of the most popular distros among home users of Linux, has also released a patch. US-CERT released a bulletin, however, saying that the fixes that were initially released were incomplete and could still allow for attacks. Apple had not, as of the morning of September 25, responded to media inquiries regarding the bug, but security researchers have reportedly run tests and confirmed that OS X Mavericks is vulnerable.

The Bash bug is being referred to as “Shellshock” and its effects on unpatched machines can be devastating. Attackers can use it to take complete control over a system by remotely executing malicious code. The vulnerability itself isn’t new but has apparently been lurking in Linux and OS X for years prior to being discovered.

Reports have come in that an exploit is already in use “in the wild” against some web servers to make them zombies in a botnet, and some experts are fearful that it could be used to create a worm targeted at public web servers.  Now that the news about the vulnerability has exploded all over the Internet, it won’t take long for more of the bad guys to create code to exploit it.
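As an added example (not code from the original post or from GFI), the following Python detector scans constructed Apache-style access log lines for the Shellshock signature, a request or header value that begins with a bash function definition (`() {`), including the URL-encoded form, and also shows a gate that refuses to pass such values from request headers into a CGI environment. The log lines, IP addresses, file names and function names are all constructed for this example.

```python
"""Detect Shellshock-style probes in web server logs and block them before CGI.

Added example for this post; not GFI's code. All sample data is constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# A bash exported function starts with "() {". The bug is that bash kept parsing
# (and executing) whatever followed the function body in such an environment
# variable. Whitespace varies between probes, so allow optional spaces.
_FUNC_EXPORT = re.compile(r"\(\s*\)\s*\{")

# Simplified parser for the Apache/nginx "combined" log format (constructed).
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed log lines: one probe in User-Agent, one benign request, and one
# probe carried URL-encoded in the query string plus raw in the Referer.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "-" "() { :;}; echo shellshock-probe"',
    '198.51.100.22 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.7 - - [25/Sep/2014:10:12:09 +0000] '
    '"GET /cgi-bin/status.sh?%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" '
    '404 0 "() {:;}; echo probe" "curl/7.37.0"',
]


def looks_like_function_export(value: str) -> bool:
    """True when a request/header value carries a bash function definition.

    Both the raw value and its URL-decoded form are checked, because a CGI
    gateway may decode the query string before it lands in the environment.
    """
    return bool(_FUNC_EXPORT.search(value)) or bool(_FUNC_EXPORT.search(unquote(value)))


def scan_log(lines: List[str]) -> List[dict]:
    """Return one finding per log field (request line, Referer, User-Agent)
    that looks like a Shellshock probe. Unparseable lines are skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = _COMBINED.match(line.rstrip("\n"))
        if not match:
            continue
        for field in ("req", "referer", "ua"):
            if looks_like_function_export(match.group(field)):
                findings.append({
                    "line": number,
                    "ip": match.group("ip"),
                    "field": field,
                    "value": match.group(field),
                })
    return findings


def reject_shellshock_headers(environ: Dict[str, str]) -> Optional[str]:
    """Gate for a CGI front end: return the name of the first request-derived
    variable that carries a function export, or None if the request is clean.

    A CGI gateway copies request headers into the process environment as
    HTTP_* variables; if a bash script then runs in that environment, a value
    beginning with "() {" is parsed as a function, which is exactly the bug.
    Refusing the request here keeps the value out of the environment entirely.
    """
    request_vars = ("QUERY_STRING", "REQUEST_URI", "PATH_INFO")
    for name, value in environ.items():
        if name.startswith("HTTP_") or name in request_vars:
            if looks_like_function_export(value):
                return name
    return None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} probe in {hit['field']}: {hit['value']!r}")
    # Constructed CGI environment as a gateway would build it from a request.
    env = {"REQUEST_METHOD": "GET", "HTTP_HOST": "www.example.com",
           "HTTP_USER_AGENT": "() { :;}; echo probe"}
    print("blocked on:", reject_shellshock_headers(env))
```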

Linux aficionados like to brag that UNIX-based operating systems are inherently more secure than Windows, and in the distant past they did have some security advantages. Most of those advantages were based on the fact that in old versions of Windows, users often routinely had administrative privileges. With the advent of UAC in modern versions of Windows, and admin accounts that run with limited user privileges except when administrative tasks are performed, much of this advantage has disappeared.

To some extent, Linux has also enjoyed the benefits of “security through obscurity” (something, ironically, that its fans have accused proprietary software of depending on). Because the market share for the Linux OS on the desktop has been so small (still under 2 percent as of August 2014 according to NetMarketShare), attackers and malware authors haven’t focused on it because Windows – with over 85 percent of the market – makes a much more attractive target.

Even that hasn’t been working so well lately. A glance through our monthly Third Party Patch Roundup posts here shows that a typical Linux distro (Ubuntu is the one I report on because it’s one of the most popular) routinely needs more than thirty security patches per month to fix various vulnerabilities. Android, which is the most popular mobile OS in the world and is based on Linux code, is also known to be the favorite of malicious software distributors who exploit its many vulnerabilities.

The Bash bug has the potential to have a far-reaching impact because so many of the “Internet of Things” (IoT) devices use Linux-based software and web-enabled bash scripts, and they are less likely to be patched in a timely manner than traditional computers. Because the bug has existed in the bash shell for so long, many of the older devices that are still out there on the Internet are vulnerable, but probably won’t be updated because of their age. There are also many Linux and UNIX servers out there that are vulnerable to the exploit of this bug, as well as many home and some business routers and switches that run on Linux/UNIX software.

No matter what operating system you run, it’s essential to stay on top of the latest security news and install updates for critical flaws when they become available. This latest discovery reinforces the idea that security is and always will be an on-going process, not a destination.

Note: GFI LanGuard yesterday released update #763 with dedicated vulnerability checks to detect whether devices under management are vulnerable to this weakness. Click here for more info on how you can use GFI LanGuard to prevent this bug causing havoc on your network.

iOS update fiasco: now it’s Apple’s turn

Did you think Microsoft’s updates were the only ones you had to worry might make things worse instead of better? Think again. Apple’s self-described “biggest iOS release ever”, iOS 8, is turning into the company’s biggest headache ever.

The new version of the OS is both a security update that fixes a whopping 50+ vulnerabilities, many of them critical, and a features update that adds a new photos app, new functionality for messages and mail management, an improved on-screen keyboard and more. Apple generally doesn’t issue fixes for all the security flaws in their old versions of iOS when they release a new version, encouraging and expecting everyone to upgrade to the new version instead in order to fix security vulnerabilities.

This time, doing so brought with it a plethora of problems. Soon after the release came a barrage of complaints from users, on Twitter and in other forums, reporting a wide variety of troubles. Their Wi-Fi slowed down to a crawl and/or dropped the connection when it hadn’t done so before and when other devices connected to the same access points were performing normally. Overall performance got more sluggish. Battery life took a dismal turn for the worse, with some losing a full charge within a few hours.

Some folks found that their sound no longer worked, although rebooting fixed this one for many users. But speaking of rebooting, probably the most serious of the reported problems was the frequent random system crashes and reboots that many users reported. There were other, more minor problems, as well, with negative effects on music sync, iMessages, uploading of photos in Safari, and the Personal Hotspot feature – at least ten significant problems in all.

Not all iOS users experienced all of these problems, and some escaped them entirely, but the bugs were widespread enough that Apple came out with another update, iOS 8.0.1, just one week after releasing iOS 8. Unfortunately for those who installed it, the cure turned out to be worse than the disease. Instead of making things better, the new update introduced a whole new slew of disastrous effects. After installing iOS 8.0.1, many users of Apple’s brand new shiny iPhone 6 and 6 Plus models found that their iPhones no longer functioned as phones; they were unable to get any cellular signal – just a “no service” message displayed.

Other consequences of installing the fix included breaking the TouchID fingerprint sensor. At this point, the blowback was so bad that Apple, for the first time in recent memory, actually went so far as to recall the patch and remove it from availability after only an hour or so, and issued a workaround for those who had already downloaded it which consisted of reinstalling iOS 8.0 through iTunes. That presumably will leave you with “only” the original ten problems but at least you’ll be able to make a phone call again. The company also put out a statement that they are “working around the clock to prepare iOS 8.0.2 with a fix for the issue”. I would imagine some iOS users can’t help wondering what that update will break.

Of course, this isn’t the first time Apple has released a half-baked product. Those who have followed the company’s rise to dominance (and then somewhat decline) in the mobile market remember the iPhone 4 “antennagate” issue, when Steve Jobs (in)famously blamed the phone’s reception problems on users who were “holding it wrong”.  That one resulted in a class action suit that was eventually settled with affected users receiving $15 each (and mass torts attorneys undoubtedly profiting handsomely, but that’s a different topic for a different time and place).

More recently, Apple patched iOS 7 just a few days after it was released (7.0.1) and then a few days after that they did it again (7.0.2) but the bugs fixed in those were relatively minor compared to iOS 8’s problems.

If there’s a lesson to be learned, it’s probably that writing software code is a very imperfect science and no matter what the fanboys (and girls) might say or think, no software vendor and no operating system is immune when it comes to getting faulty updates. By their very nature, updates and patches are often put together quickly and even when tested thoroughly in-house, there is no way to completely emulate the “real world” environment in a lab.

Apple and its proponents have long propagated the belief that their devices are more secure and more problem-free than those of other vendors, and as the manufacturer with total control over both the hardware and software, the company does have an undeniable advantage. That also means when things go wrong, they bear all of the responsibility. Maybe it’s time for all vendors to stop spending their time pointing out the problems with their competitors’ products and start focusing on fixing their own – without breaking them in the process.

The best 24 free tools for troubleshooting

Troubleshooting computer problems is both a subtle science and an exact art, and you need both a knack for it and the right tools for the job. The knack is part talent, part experience, but the right tools are just a click away. Here is a list of the best 24 free tools for troubleshooting.

1. Err tool 
The Microsoft Exchange Server Error Code look-up tool is for much more than Exchange, as it can read the errors from the headers of the operating system as well as other installed products. Just drop to a command prompt and enter “err #” where the # is whatever hex error code you get, and see what that code really means.

2. Wireshark 
The protocol analyzer that sets the bar is still free, easy to use, and extremely well documented.

3. PSTools  
This suite of tools from the guys who first created SysInternals contains tools to troubleshoot practically any aspect of the Windows operating system or programs running on Windows.

4. Exchange Remote Connectivity Analyzer 
This set of tests from Microsoft helps you to evaluate Exchange, Lync, and Office 365 connectivity, including Autodiscover, ActiveSync, EWS, and more. It also has a great SMTP header analyzer.

5. Is It Down or Is It Just Me?  
Have you ever wondered if a website is really down, or if you are dealing with a local problem? Use this site to see if your desired destination is the problem, or if you are.

6. What Is My IP? 
WIMI is helpful not only for figuring out what your NATed address is, but it can also detect if you are going through a proxy server. It also has a collection of other useful tools, including WHOIS, Headers check, Blacklist Check, Traceroute, and User Agent Info.

7. Diff online 
Lots of tools have DIFF functions built-in, but you have to save files to get them to work. Copy/Paste your snippets into this site and get a DIFF without having to save junk files.

8. PSPad 
For when you want to use a text editor that has syntax checking, automatic saving of previous versions, and yes, DIFF, PSPad is my go-to text editor.

9. BlueScreenView 
This tool is very useful for figuring out why a system continues to bluescreen. It can search the dump files and help you find the Bug Check Code, as well as look up possible resolutions.

10. NK2Edit 
From the same company that makes BlueScreenView, this tool can help you remove bad entries in Outlook’s nickname cache, which is far preferable to destroying the entire file when you just have a couple of bad entries you want to purge.

11. WinDirStat 
Ever wondered where all your hard disk space has gone? Can’t find those giant files that are clogging up your spindles? Use WinDirStat to give you a graphical layout of your disk and find everything that is taking up space.

12. System File Checker 
If you suspect your install of Windows has corrupt or missing files, use the SFC to find and restore them. It works on all supported Windows client operating systems.

13. Free IP Tools 
A free suite of 12 tools to help you troubleshoot networking issues, including a port scanner, ping monitor, SNMP scanner, NetBIOS scanner, and more.

14. Troubleshoot computer problems (built into Windows)
Windows has a number of built-in tools for troubleshooting, including tools for program compatibility, hardware, network settings, and system settings. Just go into Control Panel, Troubleshooting.

15. Iperf 
If you’re trying to troubleshoot network throughput, there’s really no better tool than Iperf. Set up the client and the server and you can stress test your network to its maximum bandwidth.

16. TamoSoft Throughput Test 
Another great tool for testing network throughput is TamoSoft’s Throughput Test. It is very similar to Iperf but with a really nice GUI. The charts can make it easier to explain to non-network types what is going on too.

17. Kismet 
Got Wi-Fi? Then you probably have challenges with interference, overlapping APs, and more. We used to use inSSIDer, but now that it is no longer free, Kismet is our go-to tool. The only downside on this one is the Windows version requires Cygwin.

18. Recuva 
With so many calls for help involving deleted data, a good undeletion tool is critical. Recuva portable is really nice because you can run it from USB, so you don’t have to install something that might overwrite that crucial file you are trying to recover.

19. GeekUninstaller 
When you want to dust off and nuke it from high orbit, and you want to be sure, then you need a tool that can really get the job of uninstalling some nasty piece of junk done right. GeekUninstaller is that tool and can help you purge systems of anything left behind by a bad app that just won’t go away.

20. GPU Shark 
If you are tweaking out a really sweet gaming rig but running into problems with your graphics card, the best way to see just what is going on is with GPU Shark. Built for both AMD and Nvidia cards, it can give you detailed information on the card and chips, including the all important temperature and wattage so you can tell if you are dealing with a cooling or power problem.

21. System Restore Manager 
This tool helps you manage your system restore points in a more user-friendly and feature-rich way than what comes with Windows. You can delete unneeded restore points to free up space, or quickly turn the clock back to an older restore point if something is wrong.

22. WinAudit
WinAudit can give you a complete report on a system, from hardware and operating system versions to installed software. A great use is to compare a problem system to a reference system to see what has changed, which so often is the cause of the problem.

23. Patch My PC 
This tool can quickly and easily identify unpatched and out-of-date third-party applications and help you find and install the required updates. Often, a problem stems from an out-of-date piece of software, and being able to take care of that immediately can save you hours of hunting online.

24. Housecall 
Think that PC is perhaps a bit “buggy”? Wonder what might be digitally crawling around on the inside, and notice that it either has no antivirus software, or the last time it updated, the US had a different President? Housecall is a quick and free online scanner that can do a “deep dive” into a suspect machine to seek and destroy any pesky malware that might be on it.

So with 24 great free tools to help you troubleshoot almost any issue, you should have the makings of a really great digital toolkit now. Download the installables and bookmark the online tools.

Did we leave out one of your favorites? Leave a comment and let us know which tool or tools you use!

Security 101: Introductions and vocabulary

With security being such an important part of every task a sysadmin undertakes, and with the stakes so high, we are starting a new series on the GFI Blog that deals with Security 101. The last week of every month, we will cover something along the lines of a “Security 101” topic to help those who need security, but don’t have the background, to improve their skills.

Those of you who are security sysadmins, or who have been managing systems for years, may find this to be a bit too basic, but we encourage you to follow this series anyway, and contribute your wisdom and share your opinions on the topics we cover. Everyone, from the new sysadmin to the 10-year veteran, can benefit from the knowledge of others, and who knows, the story you tell about when something bad happened to you might just save someone else from making the same mistake!

In this first post, we’re going to lay some groundwork for future articles by starting with some definitions. In fact, there’s so much vocabulary in and around security that our next several posts will cover security vocabulary.

Anonymization

The practice of removing anything from a dataset that could be used to identify an individual, group, or organization.

Antivirus software

A software application that runs on a computer to protect it from malware. Antivirus software can scan files on access or download, running processes and other applications, and removable media to detect and either remove or quarantine malware. Antivirus software can detect malware based on patterns in the code (signatures) or by detecting anomalous behavior by executables and scripts.

Cracker

The preferred term for a hacker (see below) with malicious intent, who attempts to gain unauthorized access to systems or data for financial gain, to destroy data or prevent authorized users from accessing a system, to deface websites, to raise awareness for a political or social cause, or as part of state-sponsored activity against others.

Endpoint protection

Software applications and/or services installed on a system to protect it against malware and attempts to gain unauthorized access.

Hacker

An individual who attempts to learn more about a system by exploring its parameters or capabilities, or by evaluating its code or inputs. Hackers are usually well-intentioned and are attempting to increase their skills or knowledge, but the media and popular culture have misappropriated the term and use it to denote only malicious individuals, more appropriately referred to as crackers.

Host (network)

Any system on a network that can communicate on the network, and offers services or uses them as a client. Workstations, servers, firewalls, routers, switches, load balancers and more are all considered hosts on a network.

Host (virtualization)

In virtualization, the physical computer that runs software designed to run virtual machines is called the host computer, or simply the host. Hosts can run VMware, Microsoft’s Hyper-V, VirtualBox, or other host software. See also VM.

Least privilege

The practice of assigning the absolute minimum rights and privileges to a user necessary for them to perform their primary job. Administrators who perform their normal work using unprivileged accounts, and only log onto systems with their administrative account when needing to perform administrative actions, are practicing the minimum form of least privilege. Removing administrative access from end users to their own workstations is a more common implementation of least privilege. While a popular approach to restricting access and reducing risk in information security, many enterprise applications require users to have administrative rights, making least privilege very difficult to implement for many organizations.

Malware

Any software designed to intentionally steal, damage, destroy, or deny access to data, or to provide unauthorized users with access to a system or data, either directly or by compromising or stealing credentials used to access a system.

NPI

An acronym for Non Public Information, NPI is any data about an individual (customer, patient, taxpayer, user, et al.) that is not public record, or that can be used to specifically identify an individual. See also PHI, and PII.

PHI

Another acronym related to NPI and PII, PHI stands for personally identifiable health information or more simply Personal Health Information. PHI includes patients’ medical records, health history, diagnoses and information on medical treatments or prescriptions. See also NPI and PII.

Phishing

An attack that targets a user and attempts to convince them to reveal sensitive information, such as passwords or bank accounts, to a site or individual that the victim believes to be entitled to such information. Spear phishing specifically targets an individual, compared to phishing which is more indiscriminate.

PII

An acronym that stands for personally identifiable information. PII is any data that can be used to specifically identify an individual, such as full name, address, telephone number, etc. See also NPI and PHI.

Piracy

The act of obtaining copies of software or media (movies, television shows, music) without paying the creator, producer, publisher, or copyright holder is referred to as piracy. Many will dispute calling this stealing or theft, as the act of piracy does not prevent the legitimate owner from using or selling the item, but only denies them payment.

Spam

The popular name for unsolicited commercial email (UCE), spam is any email that is sent with the hope that the recipient will click a link or purchase something of value. Call it spam, UCE, or junk mail, you probably get some of it in your mailbox daily.

VM

An acronym for Virtual Machine, a VM is an operating system that runs wholly in software on a Host (virtualization). VMs can be used to make the most of hardware, or to quickly stand up machines for testing. See also Host (virtualization).

In our next post, we will list those terms and phrases used when discussing encryption.


iOS 8 fixes 53 security flaws in iPhone and iPad

Apple hasn’t released many security updates in the last couple of months, despite some high-profile discussion in the tech press about vulnerabilities in their popular mobile software. Most notably, Jonathan Zdziarski’s paper on back doors and attack points in iOS generated a good deal of controversy, and a presentation from Georgia Tech researchers at Black Hat USA at the end of July discussed multiple unpatched vulnerabilities in iOS. Nonetheless, Apple issued no patches at all in July and only one – a fix for Safari running on OS X – in August.

In search of the perfect form factor

Like Diogenes in his quest for an honest man, or an Arthurian knight in pursuit of the Holy Grail, I’ve been looking – for what seems like forever – for a computing device that doesn’t seem to exist. All I want is a machine that’s as compact, thin and light as my Galaxy Note, has a built-in screen that’s as gorgeous as that on my Tab S, has a fantastic keyboard that weighs almost nothing like my Surface Pro, and has processor and memory power equivalent to my desktop tower. Is that really too much to ask?