fbpx

Microsoft warns Windows 7 users of looming end to security updates

windows-7

Microsoft has rolled out a patch that will warn Windows 7 users that security updates will soon come to an end.

The patch rolled out Wednesday warning users of the impending deadline, January 14, 2020, when the software giant will no longer roll out fixes for security flaws and vulnerabilities. The deadline comes some 10 years after Windows 7 first debuted in 2009, more than half a decade before Microsoft’s most recent operating system Windows 10 was introduced.

Microsoft’s move to stop issuing security updates is part of the company’s ongoing effort to push users to its latest software, which stands on a greater security foundation and improvements to mitigate attacks.

Starting April 18, users on Windows 7 will begin receiving warnings about the approaching cut-off.

Windows 7 still commands some 40 percent of the desktop market, according to Net Applications. With exactly 300 days before the deadline, the clock is ticking on consumer security support.

Enterprise customers have the option to pay for extended security updates until 2023.

For years, Microsoft allowed Windows 7 users to upgrade to Windows 10 for free to try to encourage growth and upgrades. With those incentives gone, many only have the lack of security updates to look ahead to, which will put business data and systems at risk of cyber attack.

It’s almost unheard of for Microsoft to patch end-of-life software. In 2017, Microsoft released rare security patches for Windows XP — retired three years earlier — to prevent the spread of WannaCry, a ransomware strain that piggybacked off leaked hacking tools, developed by the National Security Agency.

The ransomware outbreak knocked schools, businesses, and hospitals offline.

Windows 7’s successor, Windows 8, will continue to receive updates until January 10, 2023.

Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7

windows7

GETTY

Earlier this week Google released an update for the Chrome web browser that it urged users to ensure was implemented immediately. That was because the Threat Analysis Group at Google had uncovered a critical zero-day vulnerability that was already being exploited in the wild. Now a Google security engineer, Clement Lecigne, has warned that another zero-day vulnerability that is also being exploited, impacting Windows 7 users, was being used together with the Chrome exploit to take over Windows systems. Google is now urging all Windows 7 users to upgrade to Windows 10, as well as make sure their Chrome browser is up to date, to escape the attention of the combined threat.

The Windows zero-day is a local privilege escalation in the win32k.sys kernel driver that allows it to escape the security sandbox. The vulnerability can be used to elevate system privileges by an attacker who might then be able to execute remote malicious code. “The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances” Clement Lecigne said, adding “we strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.”

The Google Threat Analysis Group disclosed the zero-day to Microsoft who have said they are working on a fix but, as of yet, there is no indication of how long this might take. Currently, the status of this vulnerability has to remain as a critical and unpatched one. For this reason, Google is advising users of Windows 7 should upgrade to Windows 10 and apply patches from Microsoft as soon as they become available. “Not all vulnerabilities are created equal, and many, if considered on their own, are not cause for undue concern,” says Jim O’Gorman, president of Offensive Security, who continues “if they were flagged by the organization’s security solution, they likely would not have been prioritized in patching. It’s when a group of seemingly minor flaws are chained together that they can be used to devastating effect.”

You can follow Davey on Twitter, connect with him on LinkedIn and find more of his stories at happygeek.com

Update Google Chrome Now

google

Google Confirms Serious Chrome Security Problem – Here’s How To Fix It

The problem explained

Although information regarding CVE-2019-5786 remains scarce currently, Satnam Narang, a senior research engineer at Tenable, says it is a “Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer.” Some further digging by Catalin Cimpanu over at ZDNet suggests that there are malicious PDF files in the wild that are being used to exploit this vulnerability. “The PDF documents would contact a remote domain with information on the users’ device –such as IP address, OS version, Chrome version, and the path of the PDF file on the user’s computer,” Cimpanu says. These could just be used for tracking purposes, but there is also the potential for more malicious behavior. The ‘use-after-free’ vulnerability is a memory corruption flaw that carries the risk of escalated privileges on a machine where a threat actor has modified data in memory through exploiting it. That’s why Google has issued the urgent update warning, as the potential is there for exploits to be crafted that could enable an attacker to remotely run arbitrary code (a remote code execution attack) whilst escaping the browser’s built-in sandbox protection.

What to do next

Luckily this is an easy problem to fix, just make sure you do it as soon as you’ve finished reading this! First, head over to the drop-down menu in Chrome (you’ll find it at the far right of the toolbar – click on the three stacked dots) and select Help|About Google Chrome. You could also type chrome://settings/help in the address bar if you prefer, which takes you to the same dialog box. This will tell you if you have the current version running or if there is an update available. To be safe from this zero-day exploit, make sure that it says you are running version 72.0.3626.121 (Official Build). If not, then Chrome should go and fetch the latest version and update your browser for you automatically.

Travis Biehn, technical strategist and research lead at Synopsys, said “Google Chrome is some of the most robustly engineered C and C++ code on the planet, the security teams working on Chrome are world-class. Despite Google’s security program, and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and C++. Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.”

You can follow me on Twitter, connect with me on LinkedIn and find more of my stories at happygeek.com

These are Google’ instructions:

Get a Chrome update when available

Normally updates happen in the background when you close and reopen your computer’s browser. But if you haven’t closed your browser in a while, you might see a pending update:

  1. On your computer, open Chrome.
  2. At the top right, look at More More.
  3. If an update is pending, the icon will be colored:
    • Green: An update’s been available for 2 days.
    • Orange: An update’s been available for 4 days.
    • Red: An update’s been available for 7 days.

To update Google Chrome:

  1. On your computer, open Chrome.
  2. At the top right, click More More.
  3. Click Update Google Chrome. If you don’t see this button, you’re on the latest version.
  4. Click Relaunch.

The browser saves your opened tabs and windows and reopens them automatically when it restarts. If you’d prefer not to restart right away, click Not now. The next time you restart your browser, the update will be applied.

RUSSIA’S ELITE HACKERS HAVE A CLEVER NEW TRICK THAT’S VERY HARD TO FIX

old-style-computer

RUSSIA’S ELITE HACKERS HAVE A CLEVER NEW TRICK THAT’S VERY HARD TO FIX

ALYSSA FOOTE/GETTY IMAGES

By 

THE FANCY BEAR hacking group has plenty of tools at its disposal, as evidenced by its attacks against the Democratic National Committee, the Pyeongchang Olympics, and plenty more. But cybersecurity firm ESET appears to have caught the elite Russian team using a technique so advanced, it hadn’t ever been seen in the wild until now.

ESET found what’s known as a UEFI rootkit, which is a way to gain persistent access to a computer that’s hard to detect and even harder to clean up, on an unidentified victim’s machine. The technique isn’t unheard of; researchers have explored proofs of concept in the past and leaked files have indicated that both the CIA and the independent exploit-focused company Hacking Team have had the capability. But evidence that it has happened, in the form of malware called LoJax, represents a significant escalation in the Fancy Bear—which ESET calls Sednit—toolkit.

In a Flash

If “LoJax” sounds vaguely familiar, it’s because you might recall LoJack—formerly known as Computrace—security software that lets you track your laptop in the event of theft. LoJack turns out to be potent stuff. It sits in a computer’s firmware, making regular calls back to a server to announce its location. Crucially, that also means you can’t get rid of it by reinstalling your operating system or swapping in a new hard drive.


“It allows the attacker to take over the machine and download whatever they want.”

RICHARD HUMMEL, ARBOR NETWORKS


That’s an intentional security feature: If someone steals your computer, you want to make it as hard as possible for them to evade detection. But it also presents a unique opportunity to bad actors, as outlined in a 2016 presentation at a security conference called Zero Nights, and again in more detail this May by researchers at security firm Arbor Networks. Essentially, Fancy Bear figured out how to manipulate code from a decade-old version of LoJack to get it to call back not to the intended server, but one manned instead by Russian spies. That’s LoJax. And it’s a devil to get rid of.

“Whenever a computer infected with a UEFI malware boots, it will place the LoJax agent on the Windows file system, so that when Windows boots, it’s already infected with the LoJax agent. Even if you clean LoJax from Windows, as soon as you reboot, the UEFI implant will reinfect Windows,” says Alexis Dorais-Joncas, ESET’s security intelligence team lead.

It is possible to remove LoJax from your system entirely, but doing so requires serious technical skills. “You can’t just restart. You can’t just reinstall your hard drive. You can’t replace your hard drive. You actually have to flash your firmware,” says Richard Hummel, manager of threat intelligence for Arbor Networks. “Most people don’t know how to do that. The fact that it gets into that spot where it’s really difficult to use makes it really insidious.”

Most antivirus scanners and other security products also don’t look for UEFI issues, making it even harder to detect whether malicious code is there. And if it is, you’re in trouble.

“Decade-old software and hardware vulnerabilities are easily exploited by modern attackers, so companies must use good endpoint hygiene best practices including ensuring endpoints and firmware are up-to-date, leveraging anti-malware, and confirming other endpoint protection agents are always present and healthy,” says Dean Ćoza,  executive vice president of products at LoJack developer Absolute. “We take the security of our platform extremely seriously, and are working to confirm these issues do not impact our customers or partners.”

Takeover

The malware ESET observed does not itself actively steal data from an infected device. Think of it not as a robber, but as a door into your house that’s so hidden, you can’t see it even if you pore over every wall. LoJax gives Fancy Bear constant, remote access to a device, and the ability to install additional malware on it at any time.

“In effect, it allows the attacker to take over the machine and download whatever they want,” says Hummel. “They can also use the original intent of the malware, which is to track the location of the infected machines, possibly to specific owners that may be of interest to the attackers.”


“Probably more attacks will take place.”

ALEXIS DORAIS-JONCAS, ESET


Several details about the Fancy Bear UEFI attack remain either vague or unknown. ESET’s Dorais-Joncas confirmed that the device they spotted it on was “infected by several pieces of malware,” and that the hacking group targeted government entities in Europe. They don’t know exactly how Fancy Bear hackers gained access to the victim’s device in the first place, but Dorais-Joncas suggests that they likely followed their typical strategy of a spearphishing attack to gain an initial foothold, followed by movement through a network to locate more high-value targets.

The security firm has more specificity, though, in terms of how exactly Fancy Bear operated once it got that initial control. First, the hackers used a widely available tool to read the UEFI firmware memory, to better understand what specific device they were attacking. Once in possession of that image, they modified it to add the malicious code and then rewrote the infected image back to the firmware memory. The process was not automated, says Dorais-Joncas; a human behind a keyboard went through every step.

Those details offer some hope for future potential victims. Namely, the attackers were only able to write onto the target computer’s firmware in the first place because it was an older device; Intel and others have baked in better protections against that behavior, especially after the Hacking Team and CIA revelations. Using the Windows Secure Boot feature, too, would prevent this type of attack, since it checks to make sure that the firmware image on your computer matches up with the one the manufacturer put there.

“On the other hand,” says Dorais-Joncas, “probably more attacks will take place,” given that Fancy Bear has figured out how to do it successfully. And now that it’s widely known that Fancy Bear did it, copycats may not be far behind.

“Whenever we see these new tactics, it does not take long for other hackers to figure out how they did it and to mimic it,” says Hummel.

Russia’s hackers already have an elaborate hacking toolkit. But the introduction of a UEFI rootkit—stealthy, complex, pernicious—affirms just how advanced their capabilities have become. And more importantly, how hard they are to defend against.