
Friday 26 January 2018

Windows Patches for Meltdown and Spectre remediation

Or, All you need to know about windows patches for Meltdown and Spectre vulnerabilities

Or, Microsoft Windows Operating Systems Patches for Meltdown and Spectre Vulnerabilities

Descriptions
Microsoft's process for releasing the Windows updates that address Meltdown and Spectre has been both useful and problematic, causing high-profile incompatibility issues with third-party antivirus (AV) software and AMD processors. In some cases, delivery of the latest security update has been restricted or suspended by Microsoft.


More details and direct download links to the updates below:  
What they addressed in these fixes
  • Spectre variant 1, bounds check bypass (CVE-2017-5753)
  • Meltdown, rogue data cache load (CVE-2017-5754)

UPDATE (1/17/18): As readers have pointed out, it appears Windows patches for 32-bit systems (x86-based systems) do not provide Meltdown mitigations.
Per Microsoft:
The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.


What they don't address in these fixes:
  • Spectre variant 2, branch target injection (CVE-2017-5715) — firmware updates are required to fully address Spectre variant 2. 
Known issue with AV agents (also explained in the MS advisory): the update is tied to the following registry value, which compatible AV products are expected to set:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
Data="0x00000000"
This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers and others recommending users set it, themselves, manually. The situation only gets more complicated considering many organizations have more than one AV solution installed. 
Update: Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are compatible with the update and do set the required registry key.

That means as long as you have one of these built-in Microsoft protections enabled the registry key should be set automatically — no further, manual action should be necessary. 

Be careful: if you are using third-party software that Microsoft officially recognizes as AV, it is important to note that, by default, Windows Defender and Microsoft Security Essentials will turn themselves off. That means the registry key won't be added unless you or your AV actively set it.
The better approach is to first reach out to your AV vendor and ask for the AV update/upgrade that ensures compatibility with these MS updates. After installing the AV update, proceed with the Windows patch installation for a smooth deployment. This does not mean that you cannot install the Windows patches without updating the AV first.

Some Additional References:

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

Question: I have an AMD-based device and compatible antivirus software, but I am not getting the January 2018 Windows Security Update. Why is that?

Answer: Microsoft has received reports that some devices using certain AMD processors can enter an unbootable state after installing the January Windows security updates. To prevent this, Microsoft has temporarily suspended automatically sending the following Windows security updates to devices with affected AMD processors:
  • KB4056892
  • KB4056891
  • KB4056890
  • KB4056888
  • KB4056893
  • KB4056898
  • KB4056897
  • KB4056894
  • KB4056895

Microsoft is working with AMD to resolve this issue and to resume offering Windows security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. For AMD device-specific information please contact AMD.
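The conditions described above (the AV compatibility marker, the 32-bit caveat for CVE-2017-5754, the AMD delivery suspension and the list of January KBs) can be checked in one read-only PowerShell script. This is an added example, not the post's own script or anything from Microsoft; it only reads the registry and installed hotfixes and sets nothing, since the post leaves setting the marker to the AV vendor.

```powershell
# Added example: read-only readiness check for the January 2018 update.
# Run in an elevated PowerShell on the machine you want to check.
$kbs = 'KB4056892','KB4056891','KB4056890','KB4056888','KB4056893',
       'KB4056898','KB4056897','KB4056894','KB4056895'   # KB list from the post
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'     # REG_DWORD from the post

function Get-JanuaryUpdateReadiness {
    # 1. AV compatibility marker: the update is only offered once this DWORD exists (data 0)
    $marker    = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    $markerSet = ($null -ne $marker) -and ($marker.$compatName -eq 0)

    # 2. Architecture: per the post, the 32-bit packages do not include the Meltdown fix
    $is64 = [Environment]::Is64BitOperatingSystem

    # 3. CPU vendor: delivery to devices with affected AMD processors was suspended
    $cpu = (Get-CimInstance Win32_Processor | Select-Object -First 1).Manufacturer

    # 4. Which of the listed January KBs, if any, are already installed
    $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID } |
                 ForEach-Object HotFixID

    [pscustomobject]@{
        AvCompatMarkerSet   = $markerSet
        Is64Bit             = $is64
        X86LacksMeltdownFix = (-not $is64)      # CVE-2017-5754 not covered on x86 packages
        CpuManufacturer     = $cpu
        AmdDeliveryCaveat   = ($cpu -match 'AMD')
        JanuaryKbInstalled  = @($installed)     # empty array means none of the listed KBs
    }
}

Get-JanuaryUpdateReadiness | Format-List
```

An empty JanuaryKbInstalled together with AvCompatMarkerSet = False points at the AV marker as the reason the update is being withheld; an AMD CPU points at the suspension in the Q&A above.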


Server Operating Systems (Affected Table):

Operating system version                          | Update KB
Windows Server, version 1709 (Server Core Inst..) |
Windows Server 2016                               |
Windows Server 2012 R2                            |
Windows Server 2012                               | Not available
Windows Server 2008 R2                            |
Windows Server 2008                               | Not available

Windows Client:

AV agent related advisory by MS:

Unbootable state for AMD devices in Windows 8.1 and Windows Server 2012 R2

Reference KBs

KB4073576 is not applicable for Intel platform

KB4073576 is applicable for Client machines on Windows 8.1 AMD platform


Cheers! Please write me back if you have any feedback or suggestions.

Friday 24 November 2017

US-CERT Windows ASLR Vulnerability (registry fix)

Or, How to fix Windows ASLR vulnerability on multiple domain computers

Vulnerability Notification Summary

Original release date: November 20, 2017
The CERT Coordination Center (CERT/CC) has released information on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10. A remote attacker could exploit this vulnerability to take control of an affected system.

US-CERT encourages users and administrators to review CERT/CC VU #817544 and apply the necessary workaround until a patch is released.

How to fix this vulnerability?

Open a Notepad > Copy and Paste the contents given below:
----------------------------------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]

"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00
--------------------------------------------------------------------------------------------------------------------------------
Save the Notepad file with a .reg extension (in my case, I saved it as ASLAR.reg).

To deploy this registry setting on a single computer, just double-click the file and choose Yes if prompted.

You can use the same registry key values in GPO to apply it on multiple domain computers.
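The .reg file above overwrites the whole 16-byte MitigationOptions value, so any other byte already set on a machine is reset to 00. The following PowerShell function is an added example (not the post's own, not from CERT/CC or Microsoft) that applies the same two bytes the post's value sets (bytes 1 and 2 = 01; CERT/CC VU#817544 describes this workaround as enabling mandatory and bottom-up ASLR system-wide), keeps the remaining bytes as they are, and reads the value back so the change can be verified. It can be run directly or as a GPO startup script; the key path is the one from the .reg file.

```powershell
# Added example: set the MitigationOptions bytes from ASLAR.reg without clobbering
# any other bytes already present. Run in an elevated PowerShell.
$kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'

function Format-Bytes([byte[]]$b) {
    # Render as the comma-separated hex the .reg file uses, for easy comparison
    ($b | ForEach-Object { '{0:x2}' -f $_ }) -join ','
}

function Set-SystemAslrMitigation {
    $current = (Get-ItemProperty -Path $kernelKey -Name MitigationOptions `
                -ErrorAction SilentlyContinue).MitigationOptions

    # Start from the existing value (or 16 zero bytes if it does not exist yet)
    $bytes = New-Object byte[] 16
    if ($current) { [Array]::Copy($current, $bytes, [Math]::Min($current.Length, 16)) }

    # The post's value is 00,01,01,00,...: only bytes 1 and 2 are changed here
    $bytes[1] = 0x01
    $bytes[2] = 0x01

    Set-ItemProperty -Path $kernelKey -Name MitigationOptions -Value $bytes -Type Binary

    # Read back and confirm the two bytes landed
    $after = (Get-ItemProperty -Path $kernelKey -Name MitigationOptions).MitigationOptions
    [pscustomobject]@{
        Before = if ($current) { Format-Bytes $current } else { '(value absent)' }
        After  = Format-Bytes $after
        Ok     = ($after[1] -eq 1 -and $after[2] -eq 1)
    }
}

Set-SystemAslrMitigation
```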

GPO registry configurations should appear like below:

Cheers! Let me know if you have any query or feedback on this.

Wednesday 7 June 2017

How to fix unquoted service path vulnerabilities?

Or, Unquoted service path vulnerability
Or, Mitigate unquoted service path vulnerabilities

Description: Unquoted service path vulnerabilities are rated as highly critical vulnerabilities in Windows. Don't worry, it is really very easy to fix.

If you have the vulnerability scan report with you, the report contains the following information about this reported vulnerability:

Vulnerability Name: Microsoft Windows Unquoted Service Path Enumeration

Vulnerability Synopsis: The remote Windows host has at least one service installed that uses an unquoted service path.

Vulnerability Description: The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.  Note that this is a generic test that will flag any application affected by the described vulnerability.

Vulnerability Solution: Ensure that any services that contain a space in the path enclose the path in quotes.

Important note: there are two stages to fixing this vulnerability: 1. finding the unquoted paths on the affected server and 2. fixing the unquoted paths.

Step 1: How to find the unquoted service paths
Log in to the affected server with administrative privileges > run CMD as Administrator > run the following command:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Once the command has executed successfully, you will see one or more unquoted service paths. The result may look like the reference screenshot below:

Copy all the results to a text or Excel file and move on to step 2.


Step 2: Fixing unquoted service path vulnerabilities
Search for the registry entry of the affected service under HKLM\System\CurrentControlSet\Services > double-click the ImagePath value > add double quotes at the beginning and end of the path, like "servicepath"

Examples:
Unquoted service path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Quoted service path: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
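Both steps can be done in one PowerShell script. This is an added example, not the post's own command: it enumerates services the way the wmic one-liner does (skipping C:\Windows), but splits the executable from any arguments so that only a space inside the executable path counts, checks the path after environment variables are expanded, and with -Fix writes the quoted path back to ImagePath and reads it back to confirm.

```powershell
# Added example: find services whose executable path is unquoted and contains a
# space, and optionally quote it in ImagePath. Run elevated; without -Fix it only reports.
param([switch]$Fix)

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-UnquotedServicePath {
    # Win32_Service lists real services (not drivers); ImagePath in the registry is the
    # unexpanded value that step 2 of the post edits by hand.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $key = Join-Path $svcRoot $svc.Name
        $img = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $img -or $img.StartsWith('"')) { continue }        # missing or already quoted
        if ($img -match '^[A-Za-z]:\\Windows\\') { continue }        # same exclusion as findstr /v

        # Split executable from arguments; paths not ending in .exe are left for manual review
        if (-not ($img -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$')) { continue }
        $exe  = $Matches.exe
        $args = $Matches.args
        # %ProgramFiles%\... has no literal space but expands to one, so test the expanded form
        if ([Environment]::ExpandEnvironmentVariables($exe) -notmatch ' ') { continue }

        [pscustomobject]@{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            ImagePath = $img
            Fixed     = ('"{0}"{1}' -f $exe, $args)   # quote only the executable, keep arguments
            Key       = $key
        }
    }
}

function Repair-UnquotedServicePath {
    param([Parameter(ValueFromPipeline)]$Finding)
    process {
        # ImagePath is normally REG_EXPAND_SZ, so write it back as ExpandString
        Set-ItemProperty -Path $Finding.Key -Name ImagePath -Value $Finding.Fixed -Type ExpandString
        $now = (Get-ItemProperty -Path $Finding.Key -Name ImagePath).ImagePath
        [pscustomobject]@{ Name = $Finding.Name; ImagePath = $now; Ok = ($now -eq $Finding.Fixed) }
    }
}

$findings = @(Get-UnquotedServicePath)
$findings | Format-Table Name, StartMode, ImagePath -AutoSize
if ($Fix -and $findings.Count) { $findings | Repair-UnquotedServicePath | Format-Table -AutoSize }
```

Re-run the post's wmic command afterwards, or the script without -Fix, to confirm nothing is still reported.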

The correct quoted service path image reference:
Cheers! Please write me back if you have any query or feedback.