November 28, 2014

Microsoft issues “Fix it” for zero-day exploit attack against IE

(LiveHacking.Com) – Microsoft has issued an emergency “Fix it” to help fend off a zero-day vulnerability that is being exploited in the wild. Current reports describe targeted attacks aimed specifically at Internet Explorer 8 and 9; however, the vulnerability is present in every version of IE from 6 up to IE 11, which is about to be released to the public with Windows 8.1. The vulnerability is triggered when a user visits a web page with malicious content and can allow remote code execution.

The vulnerability exists because of a use-after-free coding error in Internet Explorer’s implementation of the JavaScript SetMouseCapture method. Further details of the exploit have been posted on Pastebin. Microsoft says it is actively working on a security update to address the vulnerability; in the meantime users should apply the “Fix it” and set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in those zones. Microsoft also recommends configuring Internet Explorer to prompt before running Active Scripting, or disabling Active Scripting in the Internet and Local intranet security zones altogether.

“We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our customers,” said Dustin Childs, Group Manager of Trustworthy Computing at Microsoft.

Microsoft hasn’t ruled out issuing an out-of-cycle security update to fix this bug, but it says it wants first to complete its investigation and may just provide a solution through its normal monthly Patch Tuesday bulletins, depending on customer needs and the extent of the attack.

Microsoft fixes critical flaws in Windows, IE and Office

(LiveHacking.Com) – Microsoft has released its security patches for September, addressing 47 vulnerabilities in Microsoft Windows, Office, Internet Explorer and SharePoint. In total the company released 13 bulletins: four Critical and nine Important.

The first Critical bulletin (MS13-067) fixes vulnerabilities in Microsoft SharePoint Server that could allow remote code execution if an attacker sends specially crafted content to the affected server. The vulnerability is present in Microsoft SharePoint Server 2007 and 2010, Microsoft SharePoint Services 2.0 and 3.0, and Microsoft SharePoint Foundation 2010. Also affected are Microsoft Office Services and Web Apps on supported editions of Microsoft SharePoint Server 2010. Although not rated Critical there, the vulnerability is also present in Microsoft SharePoint Server 2013, Microsoft SharePoint Foundation 2013, and Excel Services on Microsoft SharePoint Server 2007.

Microsoft Outlook is updated in the second bulletin (MS13-068) to fix a vulnerability that could allow remote code execution if a user opens or previews a specially crafted email message. The update, which is available for all supported editions of Microsoft Outlook 2007 and Microsoft Outlook 2010, corrects the way Microsoft Outlook parses specially crafted S/MIME email messages.

Internet Explorer also receives a cumulative update (MS13-069) that resolves ten privately reported vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage. Affected versions are Internet Explorer 6, 7, 8, 9 and 10. All of them are memory corruption bugs: the fixes listed by Microsoft change the way Internet Explorer handles objects in memory.

The final Critical update (MS13-070) is for Windows itself and resolves a vulnerability that could allow remote code execution if a user opens a file that contains a specially crafted OLE object. Only Windows XP and Windows Server 2003 are affected; the update corrects the way OLE objects are handled in memory.

The remaining bulletins are all listed as Important:

  • MS13-071 – Vulnerability in Windows Theme File Could Allow Remote Code Execution
  • MS13-072 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  • MS13-073 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  • MS13-074 – Vulnerabilities in Microsoft Access Could Allow Remote Code Execution
  • MS13-075 – Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
  • MS13-076 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege
  • MS13-077 – Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege
  • MS13-078 – Vulnerability in FrontPage Could Allow Information Disclosure
  • MS13-079 – Vulnerability in Active Directory Could Allow Denial of Service

Third time’s a charm for Microsoft’s recent security patches

(LiveHacking.Com) – Just under two weeks ago Microsoft released its regular set of patches for Windows and other Microsoft products. Some of these patches were rated Critical because the vulnerabilities they fix could allow an attacker to execute arbitrary code on an affected PC and gain remote access to the machine.

Among the original updates was MS13-066, a patch rated Important which fixed an information disclosure vulnerability in Active Directory Federation Services (AD FS). Unfortunately, after its release Microsoft discovered that the patch could cause AD FS to stop working, and removed the update. Last week Microsoft re-released the bulletin with a fix for the fix. It turned out that only systems without the RU3 rollup QFE installed experienced the problems; the new patch should work with or without RU3.

That was strike one.

August’s Patch Tuesday also contained MS13-061, a Critical patch that fixes vulnerabilities in Microsoft Exchange Server which, if exploited, could allow remote code execution. As with MS13-066, Microsoft discovered problems after the release: on Exchange Server 2013 Cumulative Update 1 and Cumulative Update 2 the update caused the server to stop indexing mail. Today Microsoft re-released MS13-061 to fix the bug that stopped message indexing.

That was strike two.

The next (and last?) patch that caused trouble for Microsoft was MS13-057, a Critical patch from July which addressed a vulnerability in the Windows Media Format Runtime that could allow remote code execution if a user opens a specially crafted media file. Just before August’s Patch Tuesday Microsoft re-released it to address an application compatibility issue in which WMV-encoded video could fail to render properly during playback. That re-release only covered Windows 7 and Windows Server 2008 R2. Today Microsoft released the patch (third time’s a charm, we hope) for Windows XP, Windows Server 2003 and Windows Vista to address the same WMV playback error.

And that was strike three? Any more swings at the ball, Microsoft?

Microsoft fixes 23 vulnerabilities in Windows, Internet Explorer and Exchange

(LiveHacking.Com) – Microsoft has released eight security updates that address 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. Three of the bulletins are rated Critical and the remaining five Important.

The first of the Critical updates (MS13-059) is a cumulative patch for IE. It resolves eleven privately reported vulnerabilities in Microsoft’s browser, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The update covers Internet Explorer 6, 7, 8, 9 and 10 on all supported versions of Windows, including Windows 8 and Windows RT. On Windows Server platforms the severity is only Moderate.

The next Critical patch (MS13-060) fixes a vulnerability in the Unicode Scripts Processor included in Microsoft Windows. It could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. The fix changes the way Windows parses specific characteristics of OpenType fonts. The bug only affects Windows XP and Windows Server 2003; all other supported versions of Windows are unaffected.

The final Critical bulletin (MS13-061) is a patch for Exchange that addresses three publicly disclosed vulnerabilities in the WebReady Document Viewing and Data Loss Prevention features of Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The Data Loss Prevention feature also contains code that could allow remote code execution in the security context of the Filtering Management service if the Exchange server receives a specially crafted message. Exchange 2007, 2010 and 2013 are all affected; only Exchange 2003 is unaffected.

The remaining bulletins are all rated as Important and cover two sets of elevation of privilege bugs, two denial of service vulnerabilities and an information disclosure issue in Active Directory Federation Services (AD FS).

Microsoft patches Windows Kernel-Mode Driver vulnerability which is being exploited in the wild

(LiveHacking.Com) – Among the six Critical security bulletins issued by Microsoft in its regular Patch Tuesday updates for July was MS13-053, a fix for several vulnerabilities in win32k.sys, the Windows kernel-mode driver. One of them allows remote code execution if a user views shared content that embeds TrueType font files. Another, CVE-2013-3660, is an elevation of privilege vulnerability that lets an attacker who can already run code on the machine take complete control of it, and Microsoft reports that it is being used in the wild in “limited, targeted attacks.”

CVE-2013-3660, which affects all supported versions of Windows from XP SP2 onwards (including Windows 8 and Windows RT), exists because of an uninitialized pointer bug in the EPATHOBJ::pprFlattenRec function. The security update fixes the way Windows handles specially crafted TrueType Font (TTF) files and corrects the way Windows handles objects in memory (in other words, it fixes the uninitialized pointer bug).

The other five Critical bulletins also fix vulnerabilities that can lead to unauthorized remote code execution. MS13-052 fixes vulnerabilities in the Microsoft .NET Framework and Microsoft Silverlight, while MS13-054 addresses a vulnerability in Microsoft Windows, Microsoft Office, Microsoft Lync and Microsoft Visual Studio, again connected with content that embeds TrueType font files.

There is also a cumulative security update for Internet Explorer that resolves seventeen vulnerabilities in the browser, the most severe of which could allow remote code execution if a user views a specially crafted webpage. It is rated Critical for Internet Explorer 6, 7, 8, 9 and 10 on desktop versions of Windows and Moderate on Windows servers.

The only non-Critical patch was for a vulnerability in Windows Defender for Windows 7 that could allow elevation of privilege because of the way Windows Defender uses pathnames; an attacker must have valid logon credentials to exploit it.

In total Microsoft addressed 34 vulnerabilities across its products. The software giant recommends that system administrators who need to prioritize the rollout of these patches focus first on the Windows Kernel-Mode Driver bulletin and the updates to IE.

Microsoft clarifies position on passing vulnerability information to US government

(LiveHacking.Com) – The repercussions of Edward Snowden’s revelations about the National Security Agency’s PRISM surveillance programme continue, and attention has now turned to the role that security vulnerabilities play in the NSA’s surveillance.

A few days ago US news agency Bloomberg claimed that Microsoft provides the US government with information on security vulnerabilities in Windows and its other products before it tells its customers. Bloomberg’s Michael Riley wrote, “Microsoft provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix. That information can be used to access the computers of terrorists or military foes.”

To clarify the situation Microsoft has released a statement in which it confirms the existence of several security-related programs, including the Microsoft Active Protections Program (MAPP) and the Security Cooperation Program (SCP) for Governments. These programs aren’t secret and confirming their existence isn’t a new revelation. According to the statement, “Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.”

What this means is that Microsoft reveals details of the vulnerabilities to its partners, including the US government, just a few days before the public patches are available. The real question is not the timing but the level of detail Microsoft gives its partners. Many of the vulnerabilities Microsoft fixes are either privately reported or found by Microsoft itself, which means that details of how to exploit them are rarely revealed to the public.

It would seem that members of the Microsoft programs get full access to details of the vulnerabilities, since “Membership provides key technical information on security vulnerabilities prior to the security update being publicly available.”

Microsoft disrupts half billion dollar Citadel botnet

(LiveHacking.Com) – Microsoft’s Digital Crimes Unit, together with the FBI and several financial services companies, has disrupted more than 1,400 Citadel botnets that were responsible for over half a billion dollars in losses to individuals and businesses worldwide.

The massive cybercrime operation was responsible for stealing people’s online banking information and personal identities. Citadel used a remotely installed keylogging program to steal data from about five million machines. Money was then stolen as the criminals used the captured usernames and passwords to log in to online bank accounts. No particular bank was targeted and cash was taken from well-known institutions including American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo.

Microsoft also outlined how Citadel used PCs bundled with pirated versions of Windows to pre-infect machines. “We also found that cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats,” said Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

To avoid detection Citadel blocked victims’ access to many legitimate anti-virus/anti-malware sites which meant that they could not easily remove the threat from their PC. As part of the disruptive action Microsoft has restored access to these previously blocked sites.

Microsoft and Adobe release patches for Critical vulnerabilities

(LiveHacking.Com) – Two of the biggest names in PC software have released patches for a variety of their respective products to fix critical security issues. Microsoft has released 10 security bulletins to address 33 vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Lync, Office and Windows Essentials, while Adobe has issued security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Among the Microsoft patches are two cumulative updates for Internet Explorer. The first (MS13-037) resolves 11 issues in IE that could allow remote code execution if a user visits a specially crafted Web page using the browser. The second (MS13-038) addresses the Internet Explorer 8 remote code execution vulnerability that could affect users if they mistakenly follow a link, in an email or instant message, to a malicious website. This update to IE8 matters because IE8 is the newest version of IE available to users of Windows XP.

Another interesting patch from Redmond is a security update that resolves an issue in Windows that could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.

Adobe’s updates include security updates for Adobe Flash Player for Windows, Macintosh, Linux and Android, and also cover Adobe AIR. They address memory corruption vulnerabilities that could cause a crash or potentially allow an attacker to execute arbitrary code and take control of the affected system.

Adobe also updated Adobe Reader and Acrobat for Windows, OS X and Linux. As with the Flash updates, these patches address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The affected versions are Adobe Reader and Acrobat XI (11.0.02) and earlier for Windows and Macintosh, and Adobe Reader 9.5.4 and earlier 9.x versions for Linux.

Microsoft releases Fix It for critical Internet Explorer 8 vulnerability

(LiveHacking.Com) – Less than a week ago Microsoft revealed that version 8 of its Internet Explorer web browser suffers from a nasty remote code execution vulnerability that could catch users who mistakenly follow a link, in an email or instant message, to a malicious website. Microsoft’s initial recommendation was to upgrade to IE 9 or IE 10, which unfortunately isn’t possible for Windows XP users.

For those stuck with IE 8, Microsoft suggested setting the Internet and Local intranet security zone settings to “High” and configuring Internet Explorer to prompt before running any Active Scripting. Microsoft didn’t, however, mention one other important option: switch to Google Chrome or Mozilla Firefox!

If switching isn’t an option and you don’t know how to change the security zone settings, Microsoft has now released an “easy, one-click Fix it” to mitigate the problem. The MSHTML Shim Workaround isn’t intended as a replacement for a proper security update, and Microsoft is suggesting that we all wait a day or two to see what it has planned for May’s Patch Tuesday, the implication being that the IE8 bug will be fixed then.
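The zone settings Microsoft recommends here, and again for the September IE zero-day above (set the Internet and Local intranet zones to “High”, or prompt before running Active Scripting), can be applied and verified from PowerShell without clicking through the Internet Options dialog. The script below is an added example written for this page, not code from LiveHacking.Com or Microsoft, and it covers only the two zone actions those recommendations name: it does not reproduce the full “High” template, the MSHTML Shim Fix it, or machine-wide (HKLM) policy. The registry paths and action numbers are Microsoft’s documented zone layout; the backup file location and the function names are arbitrary choices.

```powershell
# Added example for this page (not code from LiveHacking.Com or Microsoft).
# Applies the zone-level part of Microsoft's IE workaround from PowerShell and
# reads it back so you can confirm the change actually took effect.
#
# Registry layout (Microsoft KB 182569):
#   HKCU\...\Internet Settings\Zones\1 = Local intranet, \3 = Internet
#   action 1200 = "Run ActiveX controls and plug-ins"
#   action 1400 = "Active scripting"
#   value  0 = Enable, 1 = Prompt, 3 = Disable
# Assumptions: per-user (HKCU) settings are in effect, i.e. the machine does not
# force HKLM-only zone settings through the Security_HKLM_only policy; the
# backup path below is an arbitrary choice.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Meanings = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneScriptingState {
    # One row per zone/action: the raw DWORD (or $null if unset) and what it means.
    foreach ($z in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $z
        foreach ($a in $Actions.Keys) {
            $raw = (Get-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue).$a
            if ($null -eq $raw)                       { $meaning = 'not set (zone default)' }
            elseif ($Meanings.ContainsKey([int]$raw)) { $meaning = $Meanings[[int]$raw] }
            else                                      { $meaning = "unknown ($raw)" }
            [pscustomobject]@{
                ZoneId = $z; Zone = $Zones[$z]; ActionId = $a; Action = $Actions[$a]
                Value  = $raw; Meaning = $meaning
            }
        }
    }
}

function Set-IEZoneScriptingPolicy {
    # 'Disable' (3) is what the "High" template sets for these two actions;
    # 'Prompt' (1) is Microsoft's alternative recommendation; 'Enable' (0) undoes both.
    param(
        [Parameter(Mandatory)][ValidateSet('Disable', 'Prompt', 'Enable')][string]$Mode,
        [string]$BackupPath = (Join-Path $env:TEMP 'ie-zone-backup.json')
    )
    $target = (@{ Disable = 3; Prompt = 1; Enable = 0 })[$Mode]
    # Snapshot the current state first so the workaround can be reverted once the real update ships.
    Get-IEZoneScriptingState | ConvertTo-Json | Set-Content -Path $BackupPath
    foreach ($z in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($a in $Actions.Keys) {
            Set-ItemProperty -Path $key -Name $a -Value $target -Type DWord
        }
    }
    # Verify: anything that did not stick (e.g. a policy-managed zone) is reported and the call returns $false.
    $wrong = @(Get-IEZoneScriptingState | Where-Object { $_.Value -ne $target })
    if ($wrong.Count -gt 0) {
        Write-Warning "Settings that did not apply:`n$($wrong | Format-Table Zone, Action, Meaning -AutoSize | Out-String)"
        return $false
    }
    return $true
}

function Restore-IEZoneScriptingState {
    # Puts every zone/action back to the value recorded by Set-IEZoneScriptingPolicy,
    # removing the registry value where it was previously unset.
    param([string]$BackupPath = (Join-Path $env:TEMP 'ie-zone-backup.json'))
    foreach ($row in @(Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)) {
        $key = Join-Path $ZoneRoot $row.ZoneId
        if ($null -eq $row.Value) {
            Remove-ItemProperty -Path $key -Name $row.ActionId -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $row.ActionId -Value ([int]$row.Value) -Type DWord
        }
    }
}

# Usage: inspect, apply the workaround, then revert after the proper security update is installed.
Get-IEZoneScriptingState | Format-Table Zone, Action, Meaning -AutoSize
if (Set-IEZoneScriptingPolicy -Mode Disable) {
    Write-Host 'ActiveX and Active Scripting disabled in the Internet and Local intranet zones.'
}
# Restore-IEZoneScriptingState
```

Two caveats a practitioner should keep in mind. First, disabling Active Scripting in the Internet zone breaks JavaScript on almost every legitimate site, which is why Microsoft offers “Prompt” as the alternative and why the settings should be reverted once the real update is installed; the backup file written by `Set-IEZoneScriptingPolicy` is there for exactly that. Second, the read-back check matters: on domain-joined machines where zone settings are delivered by Group Policy, the HKCU values may be overridden or ignored, and the function returning `$false` tells you the mitigation is not actually in force.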

Microsoft patches Kernel-Mode driver after blue screen of death issues

(LiveHacking.Com) – Microsoft has released a new patch to replace the Kernel-Mode driver update released as part of April’s Patch Tuesday. Problems arose after the update and Microsoft had to pull it. Specific to Windows 7, the patch could leave systems unable to recover from a reboot (they just keep rebooting) or make certain applications (specifically from Kaspersky) fail.

According to a Microsoft knowledge base article the symptoms are either an Event ID 55 or a 0xc000021a Stop error during the boot process. The Event ID 55 wrongly claims that the file system structure on the disk is corrupt and unusable and forces a run of the Chkdsk utility. The Stop error simply says that the Session Manager Initialization system process terminated unexpectedly, and the system shuts down. Any attempt to reboot will likely result in the same stop code.

The new update, KB2840149, has been rebuilt and still addresses the Moderate security issue described in MS13-036, but without the previous problems. For those with automatic updates enabled, no action is needed. If you are applying updates manually, Microsoft recommends you apply this update as soon as possible.