February 20, 2019

Microsoft and Adobe release patches to fix critical vulnerabilities

(LiveHacking.Com) – For March’s Patch Tuesday Microsoft has released seven bulletins, four Critical-class and three Important-class. The bulletins address 20 vulnerabilities in total across several Microsoft products including Windows, Office, Internet Explorer, Server Tools, and Silverlight. Likewise Adobe has released a security update for its popular Flash Player to address vulnerabilities that could potentially allow a hacker to take control of a vulnerable system.

Microsoft

Among the fixes is a patch for an issue in the Kernel-Mode Drivers (KMD) where an attacker could gain administrator privileges by inserting a malicious USB flash drive into a Windows machine. Since the attack works even when no user is currently logged on, anyone with casual physical access, such as a security guard, an office cleaner or anyone else with access to the office space, could simply plug a USB flash drive into a PC and perform any action as an administrator. In total MS13-027 resolves three privately reported vulnerabilities by correcting the way that Windows kernel-mode USB drivers handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode.

Nine issues have also been fixed in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using IE. Upon successful exploitation an attacker could gain the same rights as the current user. All but one of these issues were privately reported to Microsoft, and there are no reports of these vulnerabilities being used in the wild.

Microsoft Silverlight has also been patched to fix a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Adobe

Adobe has released a security update for Adobe Flash Player for Windows, OS X, Linux and Android. The update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Versions

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

The update addresses four known vulnerabilities: an integer overflow vulnerability that could lead to code execution (CVE-2013-0646), a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650), a memory corruption vulnerability that could lead to code execution (CVE-2013-1371), and a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

As a result of the update, Google has also released a new version of Chrome.


Microsoft fixes Critical remote code execution vulnerabilities

(LiveHacking.Com) – Microsoft has released 12 bulletins, five Critical and seven Important, addressing 57 different vulnerabilities in Microsoft Windows, Office, Internet Explorer, Exchange and the .NET Framework.

Among the fixes was a security update that resolves thirteen vulnerabilities in Internet Explorer. The most severe of these issues could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. As well as generally patching IE, the company also patched its implementation of the Vector Markup Language (VML) in its browser. If exploited the vulnerability could allow remote code execution if a user viewed a specially crafted webpage. Microsoft says that it is aware of this vulnerability being used as an information disclosure vulnerability in targeted attacks. It is therefore essential that this patch is applied as soon as possible.

There is also an update for Microsoft Windows Object Linking and Embedding (OLE) Automation. Again, the vulnerability could allow remote code execution, this time if a user opens a specially crafted file. The fix corrects the way in which OLE Automation parses files. This security update is rated as Critical, but only for Windows XP Service Pack 3; all other supported versions of Microsoft Windows are not affected.

Similarly, Microsoft fixed a vulnerability in how different types of media are decompressed. The remote code execution vulnerability could be exploited by tricking a user into opening a specially crafted media file (such as an .mpg file), opening a Microsoft Office document (such as a .ppt file) that contains a maliciously crafted embedded media file, or running a program that receives streaming content designed to exploit the vulnerability.

There is also a fix for remote code execution vulnerabilities in Microsoft Exchange Server, the most severe of which could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange is the one used for WebReady Document Viewing.

Microsoft to fix IE8 zero-day vulnerability today with out-of-band fix

(LiveHacking.Com) – Microsoft will release an update to Internet Explorer today to fix the zero-day vulnerability which was found at the end of last year. An exploit for a previously unknown (zero-day) vulnerability was found in the wild during the clean-up of the Council on Foreign Relations (CFR) website, which had been compromised by hackers, probably from China. The exploit used a heap spray attack against the zero-day vulnerability.

Microsoft issued Security Advisory 2794220, which confirmed that the issue impacts Internet Explorer 6, 7, and 8. Internet Explorer 9 and 10 are not affected by this issue, so upgrading mitigates the problem; however, neither IE 9 nor IE 10 is available for Windows XP users.

A few days later, Microsoft published a Fix It as a temporary measure until the full patch is available. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. However, once the Fix It was out, security information company Exodus Intelligence published details of how it had managed to bypass the shim and make IE vulnerable again. This placed greater pressure on Microsoft to issue an out-of-band fix, which it will now do today.

“While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future. The bulletin has a severity rating of Critical, and it addresses CVE-2012-4792,” said Dustin Childs, Group Manager of Microsoft’s Trustworthy Computing unit.

The patch will be made available for Windows XP, Vista and Windows 7 along with Windows Server 2003 and 2008. Microsoft will release the out-of-band security update at 10 a.m. PST on Monday, January 14, 2013.

Someone has bypassed Microsoft’s Fix It for the IE 8 zero-day vulnerability already

(LiveHacking.Com) – Security information company Exodus Intelligence has published a blog post claiming to have bypassed Microsoft’s Fix It for the current zero-day vulnerability in Internet Explorer 8. The official Fix It was released by Microsoft as a temporary workaround for the zero-day vulnerability found in Internet Explorer 6, 7 and 8. The bug in IE can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. To exploit it, users are tricked into visiting a specially crafted website which uses either Flash or JavaScript to generate a heap spray attack against IE. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution.

According to Exodus Intelligence it is now possible to bypass the shim and compromise a fully-patched system. Due to the nature of its business, Exodus Intelligence has passed the details of the bypass on to its customers. Thankfully it has also notified Microsoft. The company promises to fully disclose the details of the bypass once Microsoft has fully addressed the issue.

“After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” said Exodus Intelligence on its blog.

Microsoft will release seven security bulletins today to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework. However a fix for the Internet Explorer vulnerability will not be among the patches.

Internet Explorer 9 and 10 are immune to the attack, and upgrading to the later versions of IE will protect users (as will using a different browser like Firefox or Chrome); the problem is that XP users can’t upgrade IE beyond version 8. Enterprise users may also be stuck on older versions of IE due to legacy application support. In combination this means that pressure is now mounting on Microsoft to make an out-of-band release for IE to fix the vulnerability.

In Brief: Microsoft publishes official Fix It for IE 8 vulnerability

(LiveHacking.Com) – Microsoft has updated Security Advisory 2749920 to include new information about the official Fix It that the company said it would release. The Fix It, which is a temporary measure issued by Redmond until a full patch can be delivered, is a response to the zero-day vulnerability found in Internet Explorer 6, 7 and 8.

The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. If triggered, the browser will now just crash. Applying the Fix It does not require a reboot.

“While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems,” said Dustin Childs from Microsoft’s Trustworthy Computing unit.


New Critical zero-day vulnerability found in IE 6,7 and 8

(LiveHacking.Com) – While investigating reports that the Council on Foreign Relations (CFR) website had been compromised, FireEye discovered that the site was hosting malware that exploited a previously unknown (zero-day) vulnerability in Internet Explorer 8. The attack seen by FireEye uses Adobe Flash to generate a heap spray attack against IE. According to Microsoft’s Security Advisory 2794220, the issue impacts Internet Explorer 6, 7, and 8, and a small number of targeted attacks are happening in the wild. A successful exploit, which is normally triggered by getting a victim using IE 8 to browse a malicious website, allows remote code execution. Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help defend against this vulnerability. However, neither IE 9 nor IE 10 is available for Windows XP users.

The vulnerability exists because of the way that Internet Explorer accesses a previously deleted chunk of memory. The vulnerability can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. By building a specially crafted website designed to trigger an exploit, an attacker can use the vulnerability whenever an Internet Explorer 6, 7 or 8 user is convinced or tricked into viewing the site.
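The bug class described above, a reference that is still used after the object it points to has been deleted, as an added illustration that is not Internet Explorer's code and is not taken from Microsoft's advisory: a constructed slot pool with a hypothetical `dom_node_t` type, where one owner releases an object while a second reference to it is still held. The pool poisons freed slots and the dispatch routine checks a liveness marker, so the stale call is refused instead of acting on whatever now occupies the memory. `ALIVE_MAGIC`, `DEAD_MAGIC`, `node_alloc`, `node_free`, `node_dispatch` and both scenario functions are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not Internet Explorer's code): a tiny fixed-size
 * slot pool whose free routine poisons the slot and marks it dead, so a
 * later access through a stale pointer is detected rather than silently
 * calling through a function pointer that may have been overwritten. */

#define POOL_SLOTS  4
#define ALIVE_MAGIC 0xA11CE000u   /* hypothetical marker: slot is allocated */
#define DEAD_MAGIC  0xDEADBEEFu   /* hypothetical marker: slot was freed */

typedef struct dom_node {
    uint32_t magic;                          /* ALIVE_MAGIC while allocated */
    int (*on_event)(struct dom_node *self);  /* handler reached via dispatch */
    int id;
} dom_node_t;

static dom_node_t pool[POOL_SLOTS];         /* zero-initialised: all free */

static int default_handler(dom_node_t *self) { return self->id; }

/* Hand out the first slot that is not currently alive; NULL when exhausted. */
dom_node_t *node_alloc(int id) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].magic != ALIVE_MAGIC) {
            pool[i].magic = ALIVE_MAGIC;
            pool[i].on_event = default_handler;
            pool[i].id = id;
            return &pool[i];
        }
    }
    return NULL;
}

/* Release a node: poison every field, so nothing useful survives in the
 * slot for a dangling reference to pick up. */
void node_free(dom_node_t *n) {
    n->on_event = NULL;
    n->id = -1;
    n->magic = DEAD_MAGIC;
}

/* Checked dispatch: refuse to act on a NULL or freed object. Returns -1 on
 * a detected use-after-free, otherwise the handler's result. */
int node_dispatch(dom_node_t *n) {
    if (n == NULL || n->magic != ALIVE_MAGIC)
        return -1;
    return n->on_event(n);
}

/* The bug pattern reduced to its core: one reference deletes the node while
 * another still holds it and later uses it. The check turns the stale call
 * into a refusal (-1) instead of a call through poisoned memory. */
int stale_reference_scenario(void) {
    dom_node_t *n = node_alloc(42);
    dom_node_t *alias = n;            /* second reference to the same object */
    node_free(n);                     /* first owner deletes the object */
    return node_dispatch(alias);      /* second owner still uses it: -1 */
}

/* The same flow with a single owner behaves normally and returns the id. */
int healthy_scenario(void) {
    dom_node_t *n = node_alloc(7);
    int r = node_dispatch(n);         /* 7 */
    node_free(n);
    return r;
}

int main(void) {
    printf("stale reference dispatch: %d\n", stale_reference_scenario());
    printf("healthy dispatch:         %d\n", healthy_scenario());
    return 0;
}
```

Real allocators and browser engines use heavier machinery for this (reference counting, delayed free, poisoning of freed chunks), but the property demonstrated is the same one the shim described later on this page aims for: a dangling reference must not turn into a controlled call.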

Microsoft’s initial investigation has shown that at least four attacks exist in the wild, each exploiting the vulnerability using a different attack method. Along with the Flash-based heap spray, Microsoft has also seen obfuscated JavaScript that can be used to trigger the vulnerability, an ASLR bypass using either the Java 6 MSVCR71.DLL or the Office 2007/2010 hxds.dll, and a DEP bypass via a chain of ROP gadgets.

What can you do?

Aside from upgrading to IE 9 or IE 10, and while IE 8 users are waiting for a patch, IE users can block the current targeted attacks by disabling the attack vectors:

    • Disabling Javascript will prevent the vulnerability from being triggered initially.
    • Disabling Flash will prevent the ActionScript-based heap spray from preparing memory such that the freed object contains exploit code.
    • Disabling the ms-help protocol handler AND ensuring that Java 6 is not allowed to run will block the ASLR bypass and the associated ROP chain.

Of course, trying to use IE 8 with JavaScript disabled is probably next to impossible. So while Microsoft is working on a comprehensive update to IE, there is a trick which Microsoft is releasing as a Fix It. The trick does not address the vulnerability itself, but it does prevent the vulnerability from being exploited for code execution by making a two-byte change to mshtml (replacing a je instruction with a jmp).

Known as a shim, the change may in some circumstances have the side effect that the default form button is no longer selected by default.

The shim is currently being packaged and code-signed as a one-click, deployable Microsoft Fix It tool. The 32-bit and 64-bit shims are attached to this blog post and also available at the following URLs:


IE lets web pages track mouse movements, bad news for virtual keyboards, great news for unscrupulous ad companies

(LiveHacking.Com) – Details have emerged about how Microsoft Internet Explorer allows web pages with JavaScript to track the whereabouts of the mouse anywhere on the screen, even outside of the currently viewed web page. The ramifications of this are twofold. First, those using virtual keyboards as a way to avoid possible keyloggers can no longer assume that the virtual keyboard is safe. Secondly, it appears that unscrupulous ad companies have been using this flaw for a while to measure the viewability of display ads.

Spider.io, a web analytics firm, told Microsoft about the flaw in October, but Redmond has done nothing about it. The issue affects all versions of Internet Explorer from version 6 to version 10, and only since the findings have been made public has Microsoft commented on the vulnerability. At the moment Microsoft has no plans to patch the flaw.

The team at Spider.io have created a game to illustrate how easy it is to exploit IE and compromise the security of virtual keyboards. The game may be found at iedataleak.spider.io. There is also a demonstration showing how the flaw can be used to track the mouse over the Skype keypad despite the fact that the Internet Explorer window is not active.

According to Doug de Jager, chief executive of Spider.io, the vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

“The vulnerability is being exploited rather mischievously by these companies to measure the viewability of display ads – arguably the hot topic in display advertising at the moment,” de Jager told the Guardian. “Almost every US-based user of Internet Explorer will have their mouse cursor tracked via this exploit almost every day they browse the web.”

Microsoft’s lack of action is a little surprising and it is Redmond’s indifference that has caused Spider.io to disclose the details of the flaw. “We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected,” Microsoft said in a statement, adding that it would take “appropriate action to protect our customers”.

Details of the vulnerability

Due to a design flaw, Internet Explorer populates the global Event object with attributes relating to mouse events even when it shouldn’t. This means that a web page can be created which uses the fireEvent() method to poll for the mouse position anywhere on the screen and at any time. The reason the flaw allows programs like Skype to be tracked is that the fireEvent() method and the mouse positions are processed even when the page isn’t active or focused.

Microsoft to patch critical bugs including first fixes for Windows 8 and Windows 8 RT

(LiveHacking.Com) – Microsoft has published its advance notification for November’s Patch Tuesday. This month the company plans to release six bulletins which will fix 19 separate vulnerabilities. Four of the six bulletins are ranked as Critical and will address 13 vulnerabilities in Microsoft Windows, Internet Explorer and the .NET Framework. Of the remaining two, the first is rated as Important and will address four vulnerabilities in Microsoft Office; the last bulletin is rated as Moderate and will address two issues in Microsoft Windows.

Five of the six bulletins fix vulnerabilities which could allow remote code execution, meaning that attackers could use these bugs to install malware on a vulnerable PC. The first bulletin is for Internet Explorer 9 and applies to Windows Vista and above (as IE 9 isn’t available for XP), except for Windows 8, which runs IE 10 by default. Similarly, bulletin three (the Moderate update that addresses two issues in Windows) only applies to Windows Vista and above, except Windows 8. However, the remaining three Windows-related bulletins affect all supported versions of Windows from XP upwards.

Microsoft’s latest operating system is not immune to these bugs, as Windows 8 receives three Critical updates this month. This isn’t surprising, as large parts of the code (especially the various libraries) are common across many versions of Windows. What is more surprising is that Windows 8 RT (the version that runs on ARM tablets) receives one Critical and one Important update. This again highlights the amount of source code shared between the different versions, and that the bugs live in that shared code rather than in one particular platform.

The bulletins are scheduled for release on the second Tuesday of this month, November 13, 2012, at approximately 10 a.m. PST.

Microsoft fixes remote code execution vulnerabilities some of which are already being exploited

(LiveHacking.Com) – As anticipated, Microsoft has released nine security bulletins as part of Patch Tuesday. Of the nine bulletins five are rated as Critical and four as Important. In total they address 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. All of the Critical level bulletins fix Remote Code Execution vulnerabilities.

The first Critical set of fixes (MS12-052) is for Internet Explorer, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The vulnerabilities are rated as Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows XP, Vista and 7. The fix modifies the way that Internet Explorer handles objects in memory.

The second Critical bulletin addresses issues in the Remote Desktop Protocol. This isn’t the first time Microsoft has had to fix the protocol, which is used by millions to control remote machines (including web servers running exposed on the Internet). Back in March, Microsoft fixed a bug in RDP which exposed over 5 million machines on the Internet after an exploit was developed for the vulnerability. The latest set of fixes (MS12-053) sounds very similar to previous RDP bugs. According to Microsoft, “The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.” However, one bit of good news is that the bug only affects Windows XP. To fix the problem, Microsoft has changed the way that the Remote Desktop Protocol processes packets in memory.

The next Critical bulletin (MS12-054) resolves four privately reported vulnerabilities in the Windows print spooler. These vulnerabilities could allow remote code execution if an attacker sends a specially crafted response to the spooler. This security update is rated Critical for all supported editions of Windows XP and Windows Server 2003; Important for all supported editions of Windows Vista; and Moderate for all supported editions of Windows Server 2008, Windows 7, and Windows 2008 R2. As part of the fix the code has been changed to correct the way the Windows Print Spooler handles specially crafted responses and how Windows networking components handle Remote Administration Protocol (RAP) responses.

The fourth bulletin (MS12-060) addresses a vulnerability that is already seeing some targeted attacks attempting to exploit it, although no public proof-of-concept code has been published yet. This security update resolves a vulnerability in the Windows Common Controls; since multiple software products use the Windows Common Controls, the issues addressed in this bulletin affect Microsoft Office, SQL Server, Server Software, and Developer Tools. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit it.

Finally, MS12-058 resolves publicly disclosed vulnerabilities in Microsoft Exchange Server WebReady Document Viewing. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The vulnerabilities are actually in Oracle’s Outside In libraries, which are used in Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint. The Outside In libraries were recently updated as part of a Critical Patch Update released by Oracle.

Microsoft to Fix 20 Vulnerabilities Next Tuesday

(LiveHacking.Com) – Microsoft will fix 20 vulnerabilities for December’s Patch Tuesday. According to the Microsoft Security Bulletin Advance Notification for December 2011, the Redmond company will release 14 bulletins addressing 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Publisher, and Windows Media Player.

Although Microsoft doesn’t release details of the bulletins until they are posted, pundits are suggesting that among the patches will be a fix for the vulnerability that allows the Duqu intelligence-gathering Trojan to spread, and a fix for the SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0 flaws popularized a few months ago by the BEAST (Browser Exploit Against SSL/TLS) hacking tool.

Three of the 14 bulletins are marked as “critical” (the highest threat ranking) and the remaining 11 are tagged as “important” (the second-highest rating). Release of the bulletin is scheduled for Tuesday, December 13, 2011.