April 16, 2014

Microsoft releases details of zero-day vulnerability in Word

Microsoft has published information about a new zero-day vulnerability in its Word product. There is a real-world exploit for the vulnerability and it is currently being exploited in the wild. Microsoft says it is “aware of limited, targeted attacks directed at Microsoft Word 2010.”

According to Microsoft’s Dustin Childs, the vulnerability can be exploited by an attacker and allow “remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.”

Microsoft’s immediate response has been to publish a one-click Fix it which basically disables support for RTF in Microsoft Word. Although Microsoft wants to “encourage all customers using Microsoft Word” to apply the Fix it, disabling RTF support could be troublesome for those who rely on this document format.

The vulnerability, which was reported to Microsoft by members of the Google Security Team, can be exploited via email or via the web. In the email scenario, the attacker sends a specially crafted RTF document as the contents of the message. The vulnerability is exploited when the message is previewed or opened in Outlook where Microsoft Word is the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF document as an attachment. In the web scenario, the attacker would need to trick the user into downloading the document and then opening it.

This remote code execution vulnerability exists because of bugs in the way that Word parses maliciously crafted RTF documents. The bugs cause a memory corruption and give the attacker a way to execute arbitrary code. The vulnerability can also be exploited through Microsoft Outlook if Word is used as the email viewer, which it is by default in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.
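Because the attack arrives either as the message body or as an attachment, a mail gateway that gates on declared file type alone will miss RTF content carried under another name. The following Python check is an added example, not code from the article or from Microsoft; it flags any MIME part that is RTF by content (the leading `{\rtf` group) or by declared type, so such messages can be held while RTF support is disabled. The sample message is constructed.

```python
"""Flag RTF content in a MIME message, whether it is the message body or an
attachment, regardless of the file name or content type it was declared with.

Added example, not the article's code. The sample message below is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Every RTF document opens with the group "{\rtf"; the check is case-insensitive.
RTF_MAGIC = b"{\\rtf"
# Content types under which RTF is legitimately declared.
RTF_TYPES = {"text/rtf", "application/rtf", "text/richtext"}


def looks_like_rtf(data: bytes) -> bool:
    """True if the payload starts with the RTF header after leading whitespace."""
    return data.lstrip()[:5].lower() == RTF_MAGIC


def find_rtf_parts(raw: bytes) -> list:
    """Walk every leaf part of the message and report the ones carrying RTF.

    A part is reported when its declared content type is RTF or when its
    decoded bytes begin with the RTF header. "mismatch" marks the case the
    article warns about implicitly: RTF bytes hiding behind a non-RTF type
    and a non-.rtf file name.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        by_type = ctype in RTF_TYPES
        by_magic = looks_like_rtf(payload)
        if by_type or by_magic:
            findings.append({
                "filename": fname,
                "content_type": ctype,
                "declared_rtf": by_type,
                "content_rtf": by_magic,
                "mismatch": by_magic and not by_type
                            and not fname.lower().endswith(".rtf"),
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a harmless RTF file attached under a .doc name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    rtf_bytes = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} \\f0 Hello}"
    msg.add_attachment(rtf_bytes, maintype="application", subtype="msword",
                       filename="invoice.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_rtf_parts(build_sample_message()):
        print(finding)
```

A gateway would hold any message with a non-empty result; the `mismatch` flag alone is enough to justify quarantine since there is no benign reason for RTF bytes to be labelled as something else.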

Microsoft is working on a full fix but it isn’t known if the Redmond company will be able to develop and test the fix by April 8th, the date of the company’s next Patch Tuesday. Patch Tuesday is the name given to Microsoft’s monthly security updates which patch Microsoft’s products to fix security issues.

Interestingly, support for Office 2003 ends April 8th and Microsoft has included Word 2003 Service Pack 3 in its list of affected products. If Microsoft doesn’t manage to release a full patch by April 8th then Office 2003 could remain vulnerable without any hope of a solution. Even if Microsoft does release a patch now, this incident highlights the dangers of using Microsoft products which have reached their end-of-life.

Microsoft stopping support for its anti-malware scanner on XP in 3 months time

The bell has been tolling for Windows XP for a long time and even though Microsoft has given its 2001 operating system the occasional reprieve it looks like Redmond is set on ridding itself of arguably its most popular OS. As well as ending mainstream support, including security updates, from April 8th 2014, Microsoft will also stop supporting its anti-malware scanner – Security Essentials.

Microsoft Security Essentials helps guard against viruses, spyware, and other malicious software, and new definition files and updates are provided on a regular basis by Microsoft itself. At the moment the minimum requirement for the malware scanner is Windows XP Service Pack 3; however, according to Microsoft’s end of support for XP page, Microsoft will also stop providing Microsoft Security Essentials for download on Windows XP after April 8th.

According to the latest data from NetMarketShare, Windows XP is still running on 29 percent of PCs that access the Internet. That is a staggeringly large number of PCs and makes XP Microsoft’s second most popular operating system in use today. More PCs run XP than Windows Vista and Windows 8/8.1 put together. Only Windows 7 is more popular than XP, with some 47 percent of PCs using it.

But despite its popularity Microsoft is pulling the plug in less than 90 days. Microsoft itself acknowledges that continuing to use Windows XP after the support ends will make your PC “more vulnerable to security risks and viruses.”

What makes this even more concerning is that XP is still very much under attack from cyber criminals and hackers. Only last month Microsoft issued a warning about a zero-day vulnerability in XP that allows attackers to gain elevated privileges. Once the attackers have system level privileges they can install programs; view, change, or delete data; or create new accounts with full administrative rights. December’s security updates from Microsoft contained several patches, some Critical, for Windows, and only one of those patches didn’t apply to Windows XP. Extrapolating from this, Windows-related security bulletins released after April will likely also affect XP, but the OS will be left vulnerable. This means that cyber criminals will have a wealth of clues available for creating new exploits, knowing that XP hasn’t been and won’t be patched.

By removing support for Security Essentials it seems that Microsoft is sending a strong message to XP users that now is the time to upgrade.

Microsoft releases 11 bulletins including a patch for Vista zero-day exploit, but XP still under attack

Microsoft has released 11 security bulletins to address 24 vulnerabilities in Windows, Internet Explorer, Office and Exchange. Among them is the fix for the TIFF file vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync. However, a fix for the zero-day vulnerability in Windows XP, which is being actively exploited in the wild via a malicious PDF file, is missing.

MS13-096 fixes the publicly disclosed vulnerability that can allow remote code execution if a user views content that contains specially crafted TIFF files. According to Microsoft an attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the user who viewed the TIFF file.

The vulnerability is currently being exploited in the wild and targeting PC users mainly in the Middle East and South Asia. The attack uses an email with a specially crafted Word attachment. However, the security bulletin points out that this isn’t the only possible attack vector. The vulnerability can be exploited in a web-based attack scenario, where an attacker creates a website that is designed to exploit this vulnerability and then convinces a user to view the website, or via email.

Another Critical rated fix is MS13-097, a cumulative update for Internet Explorer. The patch resolves seven privately reported vulnerabilities in IE, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6 through to Internet Explorer 11.

MS13-099 resolves a vulnerability in Microsoft Scripting Runtime Object Library that could allow remote code execution if a user visits a specially crafted website. The update is rated as Critical for Windows Script 5.6, Windows Script 5.7, and Windows Script 5.8 where affected on all supported releases of Microsoft Windows.

Security Bulletin MS13-106 fixes a publicly disclosed vulnerability in a Microsoft Office shared component that is currently being exploited in the wild. The problem exists because hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with IE. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that could take advantage of the ASLR bypass to run arbitrary code.


The other Critical bulletins are:

  • MS13-098 - Resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
  • MS13-105 - Resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server.

The Important bulletins from Microsoft are:

  • MS13-100 - Resolves multiple privately reported vulnerabilities in Microsoft Office server software. These vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server.
  • MS13-101 - Resolves five privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
  • MS13-102 - Addresses a privately reported vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker spoofs an LRPC server and sends a specially crafted LPC port message to any LRPC client.
  • MS13-103 - Fixes a privately reported vulnerability in ASP.NET SignalR. The vulnerability could allow elevation of privilege if an attacker reflects specially crafted JavaScript back to the browser of a targeted user.
  • MS13-104 - Resolves a privately reported vulnerability in Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website.

Zero-day vulnerability in Windows XP being exploited via a malicious PDF file

Microsoft has issued a warning to all users of its aging Windows XP operating system about a zero-day vulnerability that allows attackers to gain elevated privileges. Once the attackers have system level privileges they can install programs; view, change, or delete data; or create new accounts with full administrative rights.

The vulnerability is in the Windows kernel and affects Windows Server 2003 as well as XP. Once exploited an attacker can run arbitrary code in kernel mode which automatically gives them full administrative rights.

According to CVE-2013-5065 NDProxy.sys in the kernel of Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application. The vulnerability is being exploited in the wild.

Microsoft has issued a workaround for the vulnerability; however, implementing it causes services that rely on the Windows Telephony Application Programming Interfaces (TAPI) to stop functioning, which includes Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN). Full details of the workaround, which disables NDProxy.sys and reroutes all calls to Null.sys, can be found in Microsoft’s security advisory.

According to Symantec there have been a “small number” of in-the-wild attacks happening since early November. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were targeted.

This is the second zero-day vulnerability to be recently exposed in Windows. At the beginning of November Microsoft released a security advisory about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

Microsoft releases warning as hackers attack vulnerability in Vista and Office

Microsoft has released Security Advisory 2896666 about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

The attack uses an email with a specially crafted Word attachment. If the user opens the attachment it will try to exploit the vulnerability via a malformed image embedded in the document. If successful, the attackers gain the same user rights as the logged on user.

According to Microsoft the remote code execution vulnerability exists because of bugs in the code which handles badly formed TIFF images. Only Windows Vista is affected and the current versions of Microsoft Office are not vulnerable.

The current attacks use the Word document attached to the email as a container for the specially crafted TIFF file. However, Microsoft says that hackers could also exploit the issue via a web-based attack. “An attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website,” it said.

While Microsoft is working to fix the error and release a security update it recommends the following actions:

  • Apply the Microsoft Fix it solution, “Disable the TIFF Codec” that prevents exploitation of the issue. See Microsoft Knowledge Base Article 2896666 to use the automated Microsoft Fix it solution to enable this workaround.
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET). This will help prevent exploitation by providing mitigations to protect against the issue and should not affect usability of any programs. An easy guide for EMET installation and configuration is available in KB2458544.

Microsoft fixes Internet Explorer zero-day vulnerability

Microsoft has released eight security bulletins to address 26 different security vulnerabilities in a range of its products including Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight.

The most important patch fixes the zero-day exploit which has been used by attackers in the wild since mid-September. Microsoft reports that there have been targeted attacks aimed at Internet Explorer 8 and 9; however, the vulnerability is present in all versions of IE from 6 to IE 11. The vulnerability exists because of a use-after-free coding error in the JavaScript SetMouseCapture implementation in Internet Explorer. Microsoft’s patch (MS13-080) changes “the way that Internet Explorer handles objects in memory”, meaning Microsoft fixed the use-after-free bug. The patch is Critical and all users should ensure that it is applied (normally via Windows Update).

The next patch resolves a vulnerability in some Windows kernel-mode drivers, specifically how these drivers handle specially crafted OpenType and TrueType Font (TTF) files. If exploited, the vulnerabilities, which were reported to Microsoft privately, could allow remote code execution and an attacker could take complete control of an affected system. According to Microsoft these bugs exist in all supported releases of Microsoft Windows from XP upwards, except Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Windows is updated again in the next patch (MS13-083) to fix a vulnerability in the Windows Common Control Library that could allow remote code execution. The patch actually updates a fix from 2010 where Microsoft corrected the way in which the Windows common controls handle messages passed from a third-party scalable vector graphics (SVG) viewer. At the time it was rated as Important, but the new patch is rated as Critical for all supported 64-bit editions of Microsoft Windows. The update has no severity rating for Windows RT and for all supported 32-bit editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows 8.

The final Critical level bulletin (MS13-082) fixes two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft’s .NET Framework. The worst of the vulnerabilities could allow remote code execution if a user visits a website containing a specially crafted OpenType font (OTF) file using a browser which is able to start XBAP applications. XBAP applications are Windows Presentation Foundation programs that run inside browsers such as Firefox or Internet Explorer. These applications run in a partial sandbox environment.


The remaining patches are rated as Important:

  • MS13-084 - Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution. The most severe vulnerability could allow remote code execution if a user opens a specially crafted Office file in an affected version of Microsoft SharePoint Server, Microsoft Office Services, or Web Apps.
  • MS13-085 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software.
  • MS13-086 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS13-087 - Vulnerability in Silverlight Could Allow Information Disclosure. The vulnerability could allow information disclosure if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability.


Microsoft issues “Fix it” for zero-day exploit attack against IE

(LiveHacking.Com) – Microsoft has issued an emergency “Fix it” to help fend off a zero-day vulnerability attack which is being exploited in the wild. Currently there are reports of targeted attacks specifically directed at Internet Explorer 8 and 9; however, the vulnerability is present in all versions of IE from 6 up to IE 11 – which is to be released to the public with Windows 8.1. The vulnerability is exploited when users visit a web page with malicious content and can allow remote code execution.

The vulnerability exists because of a use-after-free coding error in the JavaScript SetMouseCapture implementation in Internet Explorer. Further details of the exploit have been posted on pastebin. Microsoft says it is actively working to develop a security update to address the vulnerability and in the meantime users should apply the “Fix it” and also set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. Microsoft also recommends that users configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

“We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our customers,” said Dustin Childs, Group Manager of Trustworthy Computing at Microsoft.

Microsoft hasn’t ruled out issuing an out-of-cycle security update to fix this bug, but it says it wants first to complete its investigation and may just provide a solution through its normal monthly Patch Tuesday bulletins, depending on customer needs and the extent of the attack.

Microsoft fixes critical flaws in Windows, IE and Office

(LiveHacking.Com) – Microsoft has released its security patches for September to address 47 different vulnerabilities in Microsoft Windows, Office, Internet Explorer and SharePoint. In total the company released 13 bulletins: four Critical and nine Important.

The first Critical bulletin fixes vulnerabilities in Microsoft SharePoint Server that could allow remote code execution if an attacker sends specially crafted content to the affected server. The vulnerability is present in Microsoft SharePoint Server 2007 and 2010, Microsoft SharePoint Services 2.0 and 3.0, and Microsoft SharePoint Foundation 2010. Also affected are Microsoft Office Services and Web Apps on supported editions of Microsoft SharePoint Server 2010. Although not rated as Critical the vulnerability is also present in Microsoft SharePoint Server 2013, Microsoft SharePoint Foundation 2013, and Excel Services on Microsoft SharePoint Server 2007.

Microsoft Outlook got updated in the second bulletin to fix a vulnerability that could allow remote code execution if a user opens or previews a specially crafted email message. The update, which is available for all supported editions of Microsoft Outlook 2007 and Microsoft Outlook 2010, corrects the way that Microsoft Outlook parses specially crafted S/MIME email messages.

Internet Explorer also got updated to resolve ten privately reported vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage. Affected versions are Internet Explorer 6, 7, 8, 9, and Internet Explorer 10. The vulnerabilities are related to memory corruption, as the fixes listed by Microsoft change the way that Internet Explorer handles objects in memory.

The final Critical update is for Windows itself and resolves a vulnerability that could allow remote code execution if a user opens a file that contains a specially crafted OLE object. Only Windows XP and Windows Server 2003 are affected; the update fixes the way that OLE objects are handled in memory.

The remaining bulletins are all listed as Important:

  • MS13-071 - Vulnerability in Windows Theme File Could Allow Remote Code Execution
  • MS13-072 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  • MS13-073 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  • MS13-074 - Vulnerabilities in Microsoft Access Could Allow Remote Code Execution
  • MS13-075 - Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
  • MS13-076 - Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege
  • MS13-077 - Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege
  • MS13-078 - Vulnerability in FrontPage Could Allow Information Disclosure
  • MS13-079 - Vulnerability in Active Directory Could Allow Denial of Service

Third time’s a charm for Microsoft’s recent security patches

(LiveHacking.Com) – Just under two weeks ago Microsoft released its regular set of patches for Windows and other Microsoft products to fix the current security vulnerabilities. Some of these patches were deemed as Critical because the vulnerabilities could allow a hacker to execute arbitrary code on an affected PC and gain remote access to the machine.

Among the original updates was MS13-066, a patch rated as Important which fixed a vulnerability in the Active Directory Federation Services. The original vulnerability could allow information disclosure. Unfortunately after its release, Microsoft discovered that the patch could cause the AD FS to stop working. As a result Microsoft removed the update. Then last week Microsoft re-released the bulletin with a fix for the fix. It turns out that systems without the RU3 rollup QFE installed experienced the problems. The new patch should work with or without RU3.

That was strike one.

August’s Patch Tuesday also contained MS13-061, a Critical patch to fix vulnerabilities in Microsoft’s Exchange Server. If exploited, these vulnerabilities could allow remote code execution. As with MS13-066, after the release of the patch Microsoft discovered some problems: specifically, that after the update Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2 would stop indexing mail. Today Microsoft re-released MS13-061 to fix the bug that stopped the indexing of messages.

That was strike two.

The next (and last?) patch that caused trouble for Microsoft was MS13-057, a Critical patch from July which addressed a vulnerability in the Windows Media Format Runtime. The vulnerability could allow remote code execution if a user opens a specially crafted media file. Just before August’s Patch Tuesday Microsoft re-released it to address an application compatibility issue in which WMV encoded video could fail to properly render during playback. Originally this only affected Windows 7 and Windows Server 2008 R2. Today Microsoft released the patch (third time’s a charm – we hope) for Windows XP, Windows Server 2003 and Windows Vista to address the same WMV playback error.

And that was strike three? Any more swings at the ball Microsoft???

Microsoft fixes 23 vulnerabilities in Windows, Internet Explorer and Exchange

(LiveHacking.Com) – Microsoft has released eight security updates that address 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. Three of the bulletins are rated as Critical and the remaining five are rated as Important.

The first of the Critical updates (MS13-059) is a cumulative patch for IE. It resolves eleven privately reported vulnerabilities in Microsoft’s browser, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6, 7, 8, 9, and 10 on all supported versions of Windows including Windows 8 and Windows 8 RT. On Windows Server platforms the severity is only Moderate.

The next Critical patch (MS13-060) fixes a vulnerability in the Unicode Scripts Processor included in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. The fix changes the way that Microsoft Windows parses specific characteristics of OpenType fonts. The bug only affects Windows XP and Windows Server 2003; all other supported versions of Windows are unaffected.

The final Critical bulletin (MS13-061) is a patch for Exchange that addresses three publicly disclosed vulnerabilities in the WebReady Document Viewing and Data Loss Prevention features of Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using the Outlook Web App (OWA). Also, the Data Loss Prevention feature contains code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. Exchange 2007, 2010 and 2013 are all affected; only Exchange 2003 is unaffected.

The remaining bulletins are all rated as Important and cover two sets of elevation of privilege bugs, two denial of service vulnerabilities and an information disclosure issue in Active Directory Federation Services (AD FS).