April 17, 2014

Microsoft patches Windows Kernel-Mode Driver vulnerability which is being exploited in the wild

microsoft logo(LiveHacking.Com) – Among the six Critical security bulletins issued by Microsoft, during its regular Patch Tuesday updates for July, was a fix for  CVE-2013-3660 a vulnerability in win32k.sys that allows remote code execution if a user views shared content that embeds TrueType font files. The vulnerability allows hackers to take complete control of an affected PC and Microsoft are reporting that it is being used in the wild in “limited, targeted attacks.”

The Windows Kernel-Mode Driver vulnerability, which affects all supported versions of Windows from XP SP2 on-wards (including Windows 8 and Windows 8 RT), exists because of an uninitialized pointer bug in the EPATHOBJ::pprFlattenRec function. The security patch fixes the way Windows handles specially crafted TrueType Font (TTF) files and by correcting the way that Windows handles objects in memory (in other words by fixing the uninitialized pointer bug).

The other five Critical bulletins also outline fixes for vulnerabilities which can lead to unauthorized remote code execution. MS13-052 fixes vulnerabilities in the Microsoft .NET Framework and Microsoft Silverlight, while MS13-054 addresses a vulnerability in Microsoft Windows, Microsoft Office, Microsoft Lync, and Microsoft Visual Studio – again connected with content that embeds TrueType font files.

There is also a cumulative security update for Internet Explorer. It resolves seventeen vulnerabilities in the browser. The most severe of these could allow remote code execution if a user views a specially crafted webpage. The security update is rated Critical for Internet Explorer 6, 7, 8, 9 and 10 on desktop versions of Windows and Moderate on Windows servers.

The only non-Critical patch was for a vulnerability in Windows Defender for Windows 7. The vulnerability could allow a hacker to gain elevated of privilege due to the way pathnames are used by Windows Defender, however an attacker must have valid logon credentials to exploit this vulnerability.

In total Microsoft addressed 34 vulnerabilities across its products. The software giant is recommending that system administrators who need to prioritize the role out of these patches should focus on the Windows Kernel-Mode Driver vulnerability and the updates to IE.

Microsoft clarifies position on passing vulnerability information to US government

microsoft logo(LiveHacking.Com) – The repercussions of Edward Snowden revelations about the National Security Agency’s Prism surveillance system are still occurring and attention has now turned to the role that security vulnerabilities play in the surveillance done by the NSA.

A few days ago US news agency Bloomberg claimed that Microsoft provides the US government with information on security vulnerabilities in Windows and other of its products before it tells it customers. Bloomberg’s Michael Riley wrote, “Microsoft provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix. That information can be used to access the computers of terrorists or military foes.”

To clarify the situation Microsoft has released a statement in which it confirms the existence of several security related programs including the Microsoft Active Protections Program (MAPP) and the Security Cooperation Program (SCP) for Governments. These programs aren’t secret and the confirmation of their existence isn’t a new revelation. According to the statement, “Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.”

What this means is that Microsoft reveals details of the vulnerabilities to its partners, including the US government, just a few days before the public patches are available. The real question is not the timing but the level of detail that Microsoft gives it partners. Many of the vulnerabilities fixed by Microsoft are either privately reported or found by Microsoft. This means that details on how to exploit the vulnerabilities are rarely revealed to the public.

It would seem that members of the Microsoft programs get full access to details on the vulnerabilities as, “Membership provides key technical information on security vulnerabilities prior to the security update being publically available”

Microsoft disrupts half billion dollar Citadel botnet

typing on keyboard-300px(LiveHacking.Com) – Microsoft’s Digital Crimes Unit, together with the the FBI and several different financial services companies, has disrupted more than 1,400 Citadel botnets that were responsible for over half a billion dollars in losses to individuals and businesses worldwide.

The massive cybercrime operation was responsible for stealing people’s online banking information and personal identities. Citadel used a remotely installed keylogging program to steal data from about five million machines. Money was then stolen as the criminals used the usernames and passwords to illegally enter online bank accounts. No particular bank was targeted and cash from taken from well known institutions including American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo.

Microsoft outlined how Citadel used PCs bundled with pirated versions of Windows to pre-infect PC. “We also found that cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats,” said Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

To avoid detection Citadel blocked victims’ access to many legitimate anti-virus/anti-malware sites which meant that they could not easily remove the threat from their PC. As part of the disruptive action Microsoft has restored access to these previously blocked sites.

Microsoft and Adobe release patches for Critical vulnerabilities

microsoft logo(LiveHacking.Com) – Two of the biggest names in PC software have released patches for a variety of their respective software products to fix critical security related issues. Microsoft has released 10 security bulletins to address 33 vulnerabilities Microsoft Windows, Internet Explorer, .NET Framework, Lync, Office, and Windows Essentials. While Adobe has issued security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Among the Microsoft patches are two cumulative updates for Internet Explorer. The first (MS13-037) resolves 11 issues in IE that could allow remote code execution if a user visits a specially crafted Web page using the browser. The second (MS13-038) addresses the Internet Explorer 8 remote code execution vulnerability that could affect users if they mistakenly follow a link, in an email or instant message, to a malicious website. This update to IE8 is important as it is the only currently supported version of IE that users of Windows XP can use.

Another interesting patch from Redmond is a security update that resolves an issue in Windows that could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.

Adobe’s updates include security updates for Adobe Flash Player for Windows, Macintosh, Linux and Android.  These updates address vulnerabilities that could cause a crash or potentially allow an attacker to take control of the affected system. The updates also affect Adobe AIR. All the patches are related to memory corruption issues that could be exploited allow an attacker to execute arbitrary code.

Adobe also updated Adobe Reader and Acrobat for Windows, OS X and Linux. As with the updates to flash, these patches address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The following versions are affected:  Adobe Reader and Acrobat XI (11.0.02) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.4 and earlier 9.x versions for Linux.

 

Microsoft releases Fix It for critical Internet Explorer 8 vulnerability

fix_it(LiveHacking.Com) – Less than a week ago Microsoft revealed that version 8 of its web browser Internet Explorer suffers from a nasty remote code execution vulnerability that could catch users if they mistakenly follow a link, in an email or instant message, to a malicious website. Microsoft’s initial recommendation was to upgrade to IE 9 or IE 10 which unfortunately isn’t possible for Windows XP users.

For those stuck with IE 8, Microsoft suggested setting the Internet and local intranet security zone settings to “High” and configuring Internet Explorer to prompt before running any Active Scripting. Microsoft didn’t however mention one other important option – switch to Google Chrome or Mozilla Firefox!

If switching isn’t a option and you don’t know how to fiddle with the security zone settings, Microsoft has now released an “easy, one-click Fix it” to help mitigate this problem. The MSHTML Shim Workaround isn’t intended to be a replacement for a proper security update and Microsoft is suggesting that we all wait a day or two to see what it has planned for May’s Patch Tuesday, the implication being that the IE8 bug will be fixed then.

Microsoft patches Kernel-Mode driver after blue screen of death issues

microsoft logo(LiveHacking.Com) – Microsoft has released a new patch to replace the Kernel-Mode driver update which was released as part of April’s Patch Tuesday. Problems started to arise with the update and Microsoft had to pull the patch. Peculiar to Windows 7, the patch could put systems into a situation where they failed to recover from a reboot (as they just keep rebooting) or make certain applications (specifically from Kaspersky) fail.

According to a Microsoft knowledge base article the symptoms are either an Event ID 55 or a 0xc000021a Stop error during the boot process. The Event ID 55 will wrongly claim that file system structure on the disk is corrupt and unusable and force the run of the Chkdsk utility. The Stop error will simply say that the Session Manager Initialization system process terminated unexpectedly and the system will shutdown. Any attempt to reboot will likely results in the same stop code.

The new update, KB2840149, has been rebuilt and still addresses the Moderate security issue described in MS13-036 but without the previous problems. For those with automatic updates enabled, you won’t need to take any actions. If you are applying updates manually Microsoft recommends you apply this update as soon as possible.

Microsoft’s Patch Tuesday Kernel-Mode driver update causing problems

stop-_c000021a(LiveHacking.Com) – Last Tuesday Microsoft released nine security bulletins to address 14 different vulnerabilities in its products including one to fix vulnerabilities in Windows’ Kernel-Mode Driver that could allow an attacker to gain elevated privileges. Following the released of the patches reports started to appear about Windows 7 systems that fail to recover from a reboot (as they just keep rebooting) or applications (specifically from Kaspersky) that fails after the security update is applied. Microsoft recommends that customers uninstall this update and it has removed the download links to the update while it investigates.

According to a Microsoft knowledge base article the symptoms are either you receive an Event ID 55 or a 0xc000021a Stop error during the boot process. The Event ID 55 will wrongly claim that file system structure on the disk is corrupt and unusable and force the run of the Chkdsk utility. The Stop error will simply say that the Session Manager Initialization system process terminated unexpectedly and the system will shutdown. Any attempt to reboot will likely results in the same stop code.

According to Microsoft, systems with the update applied that use Kaspersky Anti-Virus for Windows Workstations or Kaspersky Anti-Virus for Windows Servers versions 6.0.4.1424 and 6.0.4.1611 may display an error message saying that the license for the product is not valid.

Microsoft fixes Critical IE and Remote Desktop flaws

Windows(LiveHacking.Com) – Microsoft has released a series of nine security bulletins, (two Critical and seven Important) to fix 14 different vulnerabilities in a range of its products including Microsoft Windows, Internet Explorer, Microsoft Antimalware and Windows Server Software.

The first of the two Critical level bulletins patches Internet Explorer against a remote code execution attack which could occur if users visited a specially crafted webpage using IE. A successful exploited would mean that the attacker would gain the same rights as the current user. The good news is that both of these IE issues were privately disclosed and Microsoft has not detected any attacks or customer impact. The vulnerabilities affect Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10.

There is also a remote code execution patch for Windows in connection with the Windows Remote Desktop Client ActiveX control. As with the IE bugs, this vulnerability could allow remote code execution if an attacker convinces a customer to view a website containing specially crafted content that exploits the vulnerability. This bug is seen as Critical for the Remote Desktop Connection 6.1 Client and the Remote Desktop Connection 7.0 Client on Windows XP, Windows Vista, and Windows 7.

Although Windows 8 was not affected by the Remote Desktop vulnerability, it isn’t immune to other problems including an exclusive patch for problems with the Windows 8 antimalware client used in Windows Defender.

Microsoft received a private report about a vulnerability that could allow elevation of privilege due to the pathnames used by the Microsoft Antimalware Client. If successfully exploited an attacker could execute arbitrary code and take complete control of an affected system. This would allow them to install programs and create new accounts. The bulletin is marked as Important (and not Critical)  for Windows 8 and Windows RT as an attacker must have valid logon credentials to exploit the vulnerability.

Microsoft to patch critical flaws in Windows and IE on Tuesday

microsoft logo(LiveHacking.Com) – Microsoft has released its customary advanced warning about security vulnerabilities that it plans to fix during its next Patch Tuesday. April’s update will contain nine bulletins, two of which are marked as Critical. The Critical bulletins address vulnerabilities in Microsoft Windows and Internet Explorer. The remaining seven are tagged as Important and will address issues in Microsoft Windows, Office, Anti-malware Software, and Server Software.

The IE bulletin affects all supported versions of Microsoft’s browser from IE 6 on XP to IE 10 on Windows 8 and RT. These vulnerabilities in IE could allow hackers to remotely execute arbitrary code (often used to infect a PC with malware via a drive-by download) on unpatched machines.

The Critical patches for Windows, which are also to fix remote code execution vulnerabilities, affects only the older versions of Windows from Windows 7 back to Windows XP. Windows 8, Windows Server 2012 and the version of Windows for tablets, Windows RT, are not affected.

Bulletin 7 only affects Windows 8 and Windows 8 RT and applies to some flaws in Windows Defender which could allow a hacker to run programs at an elevated privilege. Paul Henry, security and forensic analyst at Lumension, told The Register that “Windows Defender is an important security component for the new operating systems, so it’s a little concerning to see it impacted here, even if only at an ‘important’ rather than critical level. If you’re running either of those systems, I would patch this important bulletin first.

Microsoft plans to publish the bulletins on April 9, 2013 at approximately 10 a.m. PDT.

Microsoft and Adobe release patches to fix critical vulnerabilities

(LiveHacking.Com) – For March’s Patch Tuesday Microsoft has released seven bulletins, four Critical-class and three Important-class. The bulletins address 20 vulnerabilities in total across several Microsoft products including Windows, Office, Internet Explorer, Server Tools, and Silverlight. Likewise Adobe has released a security update for its popular Flash Player to address vulnerabilities that could potentially allow a hacker to take control of a vulnerable system.

Microsoft

Among the fixes is a patch for an issue in the Kernel-Mode Drivers (KMD) where an attacker could gain administrator privileges by inserting a malicious USB flash drive into a Windows machine. Since the attack works even when no user is currently logged on, it means that anyone with casual access, such as a security guard, office cleaner or anyone with access to office space, could simply plug in a USB flash drive into a PC and perform any action as an administrator. In total MS13-027 resolves three privately reported vulnerabilities correcting the way that a Windows kernel-mode USB drivers handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Nine issues have also been fixed in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using IE. Upon successful exploit An attacker could gain the same rights as the current owner. All but one of these issues were privately reported to Microsoft and there are no reports of these vulnerabilities being used in the wild.

Microsoft Silverlight has also been patched to fix a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Adobe

adobe-logoAdobe has released a security update for Adobe Flash Player for Windows, OS X, Linux and Android. These update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Versions

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

The update address four known vulnerabilities  an integer overflow vulnerability that could lead to code execution (CVE-2013-0646), a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650), a memory corruption vulnerability that could lead to code execution (CVE-2013-1371), a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

As a result of the update, Google has also released a new version of Chrome.