August 20, 2014

Microsoft to fix IE8 zero-day vulnerability today with out-of-band fix

(LiveHacking.Com) – Microsoft will release an update to Internet Explorer today to fix the zero-day vulnerability that was found at the end of last year. An exploit for a previously unknown (zero-day) vulnerability was found in the wild during the clean-up of the Council on Foreign Relations (CFR) website, which had been compromised by hackers, probably from China. The exploit used a heap spray to make the vulnerability reliably exploitable.

Microsoft issued Security Advisory 2794220, which confirmed that the issue affects Internet Explorer 6, 7 and 8. Internet Explorer 9 and 10 are not affected, so upgrading mitigates the problem; however, neither IE 9 nor IE 10 is available for Windows XP users.

A few days later, Microsoft published a Fix It as a temporary measure until the full patch is available. The Fix It uses an application-compatibility shim to change a few bytes in a DLL so that the vulnerability can no longer be used for code execution. However, once the Fix It was out, security research company Exodus Intelligence published details of how it had bypassed the shim and made IE vulnerable again. This placed greater pressure on Microsoft to issue an out-of-band fix, which it will now do today.

“While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future. The bulletin has a severity rating of Critical, and it addresses CVE-2012-4792,” said Dustin Childs, Group Manager of Microsoft’s Trustworthy Computing unit.

The patch will be made available for Windows XP, Vista and Windows 7 along with Windows Server 2003 and 2008. Microsoft will release the out-of-band security update at 10 a.m. PST on Monday, January 14, 2013.

Microsoft to patch five critical security flaws in time for the holidays

(LiveHacking.Com) – Microsoft has published its advance notification for the security vulnerabilities it will fix on December’s Patch Tuesday. This month it will release seven security bulletins, five rated Critical and two rated Important, addressing 11 vulnerabilities in total. The five Critical bulletins fix vulnerabilities in Microsoft Windows, Word, Windows Server and Internet Explorer, while the two Important bulletins resolve issues in Microsoft Windows.

Six of the seven bulletins address vulnerabilities that could allow an attacker to execute arbitrary code on the affected PC; the remaining bulletin addresses a security feature bypass. When Microsoft rates a vulnerability Critical it means a flaw whose exploitation could allow arbitrary code execution without any user interaction. Such vulnerabilities can allow self-propagating malware to spread, are normally exploited without warnings or prompts, and can be triggered simply by browsing to a web page or opening an email.

Windows XP is affected by all but one of the Windows-related bulletins, as is Windows Server 2003. Windows Vista, Windows 7 and Windows Server 2008 are likewise affected by four of the five fixes for Windows. For each of these operating systems bulletin seven (rated Important) does not apply; it does, however, affect Windows Server 2008 R2 and Windows Server 2012.

Windows 8, Microsoft’s latest operating system, released in October, is affected by two of the Critical bulletins and one of the Important ones.

Microsoft Office 2003, 2007 and 2010 are all affected by Critical-rated bulletin three, as are Microsoft SharePoint Server 2010 and Microsoft Office Web Apps 2010. Bulletin four deals with Critical issues in Microsoft Exchange Server 2007 and 2010.

“While it may be the most wonderful time of the year, we know it can also be the busiest time of the year,” wrote Dustin Childs from Microsoft. “We recommend that customers pause from searching for those hot new gadgets and review the ANS summary page for more information. Please prepare for bulletin testing and deployment as soon as possible to help ensure a smooth update process.”

Microsoft has scheduled the bulletin release for the second Tuesday of the month, at approximately 10 a.m. PST.

Microsoft updates Windows 8 and Internet Explorer but comes under criticism for poor Windows Defender performance

(LiveHacking.Com) – As part of November’s Patch Tuesday, Microsoft has released six bulletins addressing multiple vulnerabilities in the Windows Shell, the .NET Framework, Windows kernel-mode drivers, Excel and Internet Information Services (IIS), together with a cumulative security update for Internet Explorer.

As expected, four of the bulletins are rated Critical, one Important and one Moderate. Microsoft suggests that customers focus on the following two Critical patches:

  • MS12-071 (Internet Explorer): This bulletin addresses three privately reported issues, none of which is currently known to be exploited in the wild. Successful exploitation could result in code execution with the current user’s privileges. These issues do not affect Internet Explorer 10.
  • MS12-075 (Windows Kernel): This security update addresses three privately reported issues, none of which is currently known to be exploited in the wild. The bulletin affects all supported versions of Microsoft Windows, including Windows 8. The most severe issue could allow remote code execution if an attacker lures a user to a website with a maliciously crafted TrueType font file embedded in it. The patch corrects the way the Windows kernel-mode drivers handle objects in memory.

Another issue affecting Windows 8 is MS12-072 (Vulnerabilities in Windows Shell Could Allow Remote Code Execution), which fixes two privately reported vulnerabilities in Microsoft Windows. They could allow remote code execution if a user browses to a specially crafted briefcase in Windows Explorer.

Without these latest patches the affected Microsoft products (including Windows 8) are vulnerable to attack and could allow the attacker to execute arbitrary code remotely, operate with elevated privileges, or access sensitive information.

Windows 8 and Windows Defender

Microsoft’s patches come a few days after anti-virus company Bitdefender released information about the quality of Windows Defender, the built-in security application for Windows 8. According to Bitdefender, 61 out of 385 malware samples were able to infect a computer running Windows 8 with Windows Defender enabled.

To set a baseline, Bitdefender ran the same tests on Windows 7 and Windows 8 with the built-in antivirus disabled. Without any anti-malware protection both operating systems were equally susceptible: of the 385 samples, 234 successfully infected Windows and continued to run until the machine was cleaned with Bitdefender. The baseline test showed that Windows 8 is not inherently more secure than Windows 7 against this sample set.

Bitdefender acknowledged that Windows 8 brings some new security features, but concluded that running antivirus software remains essential.

Microsoft to release out-of-band fix for Internet Explorer

(LiveHacking.Com) – Microsoft has announced that it will release an out-of-band update to Internet Explorer to fix the recently found zero-day vulnerability that affects IE 6, 7, 8 and 9. The flaw was discovered by security researcher Eric Romang while he was monitoring servers suspected of serving malware. On one of the servers he found four files which, upon analysis, turned out to be an exploit for a previously unknown vulnerability in Internet Explorer.

Microsoft subsequently published Security Advisory 2757760, which confirms that the flaw exists in Internet Explorer 6, 7, 8 and 9; Internet Explorer 10 is not affected. It then published the “Prevent Memory Corruption via ExecCommand in Internet Explorer” Fix it solution, designed to be an easy-to-use, one-click workaround for the vulnerability.

“A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Now Microsoft has released details of an out-of-band cumulative update for Internet Explorer that fully addresses the issue as well as four other Critical-class remote code execution issues. The update will be released today at 10 a.m. PDT and applies to IE 6, 7, 8 and 9 on all supported versions of Windows (XP, Vista, 7 and the corresponding Windows Server releases). It will be made available through Windows Update, and Microsoft recommends installing it as soon as it is available; users with automatic updates enabled need take no action. Microsoft has previously reported targeted attacks in the wild that attempt to exploit this vulnerability.

Microsoft to release “Fix it” as workaround for IE zero-day vulnerability

(LiveHacking.Com) – In the next few days Microsoft will release a “Fix it” as a workaround for the recently discovered IE zero-day vulnerability. Previously Microsoft had urged users to install the Enhanced Mitigation Experience Toolkit (EMET) to help prevent a malicious website from exploiting the vulnerability. However, many commentators have pointed out that EMET needs to be installed and configured manually, a task that could be beyond some users.

“The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer,” said Microsoft in a statement.

The German government is taking this vulnerability very seriously: its Federal Office for Information Security (BSI) has published an advisory telling Internet Explorer users to switch to an alternative browser until a patch is released for IE. Microsoft says it has seen only a “few attempts to exploit the issue” and that it has affected “an extremely limited number of people”, but it is still working to fix the issue.

Microsoft will release the “Fix it” for everyone to download and install within the next few days.

Microsoft releases security advisory about zero day vulnerability in IE

(LiveHacking.Com) – I wrote yesterday about a new zero-day vulnerability in Internet Explorer that was discovered by security researcher Eric Romang while he was monitoring servers suspected of serving malware. He discovered four files which, upon analysis, turned out to be an exploit for a previously unknown vulnerability in Internet Explorer. In response to these reports, Microsoft has published Security Advisory 2757760, which confirms that the flaw exists in Internet Explorer 6, 7, 8 and 9; Internet Explorer 10 is not affected. Microsoft also reports that there are targeted attacks in the wild that attempt to exploit this vulnerability.

The vulnerability exists because of the way Internet Explorer accesses an object that has been deleted or has not been properly allocated, i.e. a use-after-free. The resulting memory corruption can allow an attacker to execute arbitrary code in the context of the current user.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer need,” wrote Microsoft in a statement.

As this is a zero-day vulnerability there is currently no fix, but Microsoft recommends that users deploy the Enhanced Mitigation Experience Toolkit (EMET) to help prevent a malicious website from successfully exploiting the vulnerability.

The advisory also details a set of alternative workarounds to deploying EMET, which include:

  • Set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
    This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones.
    This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
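Both workarounds can be applied without clicking through the Internet Options dialog on every machine. The following PowerShell script is an added example written for this page, not Microsoft’s Fix it or advisory code. It uses the documented Internet Explorer zone registry layout (zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet; action 1200 = “Run ActiveX controls and plug-ins”, 1400 = “Active scripting”; data 0 = Enable, 1 = Prompt, 3 = Disable). The trusted-site hostnames, the backup location and the choice of Prompt rather than Disable for the intranet zone are assumptions for the illustration.

```powershell
# Added example for this page (not Microsoft's Fix it or advisory code): applies the
# registry-level equivalents of the two advisory workarounds for the current user and
# whitelists named sites in the Trusted Sites zone.
# Zone IDs: 1 = Local intranet, 2 = Trusted sites, 3 = Internet.
# Action values: 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting";
# data 0 = Enable, 1 = Prompt, 3 = Disable. CurrentLevel 0x12000 is the "High" template
# label shown in the dialog; IE enforces the individual action values, so both are written.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$BackupDir  = Join-Path $env:TEMP 'ie-zone-backup'   # placeholder location for rollback data

function Set-IEZoneWorkaround {
    param(
        [Parameter(Mandatory)] [ValidateSet(1, 3)] [int] $ZoneId,
        [ValidateSet('Prompt', 'Disable')] [string] $ActiveScripting = 'Disable'
    )
    $zone = Join-Path $ZonesKey $ZoneId
    if (-not (Test-Path $BackupDir)) { New-Item -Path $BackupDir -ItemType Directory | Out-Null }
    # Record the current values so the change can be reverted once the real update ships.
    $before = Get-ItemProperty -Path $zone
    [PSCustomObject]@{
        Zone = $ZoneId; CurrentLevel = $before.CurrentLevel
        ActiveX = $before.'1200'; ActiveScripting = $before.'1400'
    } | Export-Csv -Path (Join-Path $BackupDir "zone-$ZoneId.csv") -NoTypeInformation

    Set-ItemProperty -Path $zone -Name 'CurrentLevel' -Value 0x12000 -Type DWord   # High
    Set-ItemProperty -Path $zone -Name '1200' -Value 3 -Type DWord                 # ActiveX: Disable
    $scriptAction = if ($ActiveScripting -eq 'Prompt') { 1 } else { 3 }
    Set-ItemProperty -Path $zone -Name '1400' -Value $scriptAction -Type DWord     # Active scripting
}

function Add-IETrustedSite {
    param([Parameter(Mandatory)] [string] $Hostname)
    # IE keys the zone map on the registrable domain and puts any host prefix in a subkey,
    # e.g. Domains\example.com\intranet for intranet.example.com.
    $labels = $Hostname.Split('.')
    $key = Join-Path $ZoneMapKey (($labels | Select-Object -Last 2) -join '.')
    if ($labels.Count -gt 2) { $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.') }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value name is the scheme; data is the zone number. Trusted Sites requires https by default.
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

Set-IEZoneWorkaround -ZoneId 3 -ActiveScripting Disable   # Internet zone
Set-IEZoneWorkaround -ZoneId 1 -ActiveScripting Prompt    # Local intranet zone
'intranet.example.com', 'mail.example.com' | ForEach-Object { Add-IETrustedSite -Hostname $_ }

# Show the resulting settings for verification.
foreach ($id in 1, 3) {
    Get-ItemProperty -Path (Join-Path $ZonesKey $id) |
        Select-Object @{ n = 'Zone'; e = { $id } }, CurrentLevel, '1200', '1400'
}
```

The script writes HKCU only, so it must run in each user’s context; where zone settings are delivered by Group Policy the policy keys take precedence and the change should be made there instead. New IE sessions pick up the values; already-open windows do not.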

New zero-day vulnerability discovered for Internet Explorer

(LiveHacking.Com) – Security researcher Eric Romang was monitoring infected servers, allegedly being used by the Nitro gang for targeted attacks using the recent Java 7 zero-day vulnerabilities, when he found four files on one server which have turned out to be an unknown exploit for IE 7, IE 8 and IE 9. The four files (an executable, a Flash Player movie and two HTML files called exploit.html and protect.html) are used together to download a malicious executable onto the victim’s computer.

The attackers can upload any executable of their choosing and use the victim’s machine as part of a botnet or install a banking-information-stealing trojan. According to a tweet by Malc0de, the payload currently in use could be Poison Ivy (http://bit.ly/PkRPIP).

Eric discussed his findings with a number of security researchers, including @binjo and @_sinn3r, and got further help from those who frequent the Metasploit IRC channel. The conclusion is that the files exploit a vulnerability in all versions of Internet Explorer from IE 7 onwards that does not depend on any known Adobe Flash vulnerabilities.

It appears as if his actions haven’t gone unnoticed:

The guys who developed this new 0day were not happy to have been caught, they have removed all the files from the source server just 2 days after my discovery. But more interestingly, they also removed a Java 0-day variant from other folders.

A Metasploit exploit module is expected to be released sometime today; progress on the module is reported to be going well.

No Critical priority vulnerabilities to be fixed by Microsoft for September’s Patch Tuesday

(LiveHacking.Com) – Microsoft has issued its advance notification outlining the security bulletins it will release for September’s Patch Tuesday. This month’s release contains only two bulletins, both rated Important. They affect Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2. Both bulletins address elevation of privilege vulnerabilities.

Microsoft has also published a heads-up concerning the minimum key length of Public Key Infrastructure (PKI) certificates. Microsoft is raising the requirement for certificates used in PKI to a minimum RSA key length of 1024 bits. In June, Microsoft announced the availability of an update to Windows (via the Download Center and the Microsoft Update Catalog) that restricts the use of certificates with RSA keys shorter than 1024 bits. Microsoft now plans to push this update through Microsoft Update in October 2012.

“By raising the bar of our certificate requirements, as part of our ongoing work to evaluate Microsoft’s security efforts and make improvements, we aim to help create a safer more trusted Internet for everyone,” wrote Angela Gunn on the Microsoft Security Response Center blog.

“We recommend that you evaluate your environments with the information provided in Security Advisory 2661254 and your organisation is aware of and prepared to resolve any known issues prior to October,” continued the post.

The release of September’s bulletins is scheduled for Tuesday, September 11, 2012.

Microsoft fixes remote code execution vulnerabilities some of which are already being exploited

(LiveHacking.Com) – As anticipated, Microsoft has released nine security bulletins for this month’s Patch Tuesday. Of the nine, five are rated Critical and four Important. In total they address 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools and Office. All of the Critical bulletins fix remote code execution vulnerabilities.

The first Critical bulletin (MS12-052) is a cumulative update for Internet Explorer; the most severe of the vulnerabilities it fixes could allow remote code execution if a user views a specially crafted web page. The vulnerabilities are rated Critical for Internet Explorer 6, 7, 8 and 9 on Windows XP, Vista and 7. The fix modifies the way Internet Explorer handles objects in memory.

The second Critical bulletin (MS12-053) addresses an issue in the Remote Desktop Protocol. This is not the first time Microsoft has had to fix the protocol, which is used by millions to control remote machines, including web servers running exposed on the Internet. Back in March, Microsoft fixed a bug in RDP that left over 5 million Internet-facing machines exposed once an exploit was developed for the vulnerability. The latest bulletin sounds very similar to previous RDP bugs; according to Microsoft, “The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.” One piece of good news is that this bug only affects Windows XP. To fix the problem, Microsoft has changed the way the Remote Desktop Protocol processes packets in memory.

The next Critical bulletin (MS12-054) resolves four privately reported vulnerabilities in the Windows print spooler and Windows networking components. The vulnerabilities could allow remote code execution if an attacker sends a specially crafted response to the spooler. The update is rated Critical for all supported editions of Windows XP and Windows Server 2003, Important for all supported editions of Windows Vista, and Moderate for all supported editions of Windows Server 2008, Windows 7 and Windows Server 2008 R2. The fix corrects the way the Windows Print Spooler handles specially crafted responses and the way Windows networking components handle Remote Administration Protocol (RAP) responses.

The fourth Critical bulletin (MS12-060) fixes a vulnerability that is already seeing targeted attacks, although no public proof-of-concept code has been published yet. The vulnerability is in the Windows Common Controls, and since multiple products use those controls the bulletin affects Microsoft Office, SQL Server, Server Software and Developer Tools. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit it.

Finally, MS12-058 resolves publicly disclosed vulnerabilities in Microsoft Exchange Server WebReady Document Viewing. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The vulnerabilities are actually in Oracle’s Outside In libraries, which are used in Microsoft Exchange Server 2007, Microsoft Exchange Server 2010 and FAST Search Server 2010 for SharePoint. The Outside In libraries were recently updated as part of a Critical Patch Update released by Oracle.

Microsoft releases Exchange Server security advisory due to vulnerabilities in Oracle libraries

(LiveHacking.Com) – Microsoft has released a security advisory detailing vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for SharePoint. The vulnerabilities are in Oracle’s Outside In libraries, which are used in Microsoft Exchange Server 2007, Microsoft Exchange Server 2010 and FAST Search Server 2010 for SharePoint. The Outside In libraries were updated earlier this month as part of a Critical Patch Update released by Oracle.

The Oracle Outside In libraries, which are designed to parse and decode over 500 different file formats, contain several exploitable vulnerabilities that can allow a remote, unauthenticated attacker to run arbitrary code on a vulnerable system. Outside In 8.3.7.77 and earlier fail to properly handle multiple file types when the data is malformed. The file types with vulnerable parsers are: .VSD, .WSD, .JP2, .DOC, .SXD, .LWP, .PCX, .SXI, .DPT, .PDF, .SAM, .ODG and .CDR.

Since Exchange uses these libraries, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change or delete data; or take any other action the server process has permission to perform.

Workarounds

For Exchange Server 2007/2010 Microsoft recommends disabling WebReady Document Viewing on the OWA virtual directory of all Client Access Servers (CAS). To do this:

  • Launch the Exchange Management Shell as a user with Exchange administrator privileges.
  • Issue the following PowerShell command:
    Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

This disables the in-browser document preview functionality; users can still download attachments and open them in the local application.
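Because the setting has to be reverted once the real fix is deployed, an administrator will usually want to record the pre-change state and verify the result rather than fire the one-liner blind. The following script is an added example written for this page, not Microsoft’s own workaround code. It assumes the Exchange Management Shell cmdlets used above and a writable backup path, which is a placeholder.

```powershell
# Added example for this page (not Microsoft's workaround code): audits WebReady Document
# Viewing on every Exchange 2007/2010 OWA virtual directory, saves the current state for
# rollback, disables it, and verifies. Run from the Exchange Management Shell as an
# Exchange administrator. $BackupPath is a placeholder.
$BackupPath = 'C:\Temp\owa-webready-backup.csv'

function Get-WebReadyState {
    Get-OwaVirtualDirectory |
        Where-Object { $_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010' } |
        Select-Object Server, Identity, OwaVersion,
            WebReadyDocumentViewingOnPublicComputersEnabled,
            WebReadyDocumentViewingOnPrivateComputersEnabled
}

function Disable-WebReady {
    param([Parameter(Mandatory)] [string] $Backup)
    $before = @(Get-WebReadyState)
    # Keep the pre-change values so the setting can be restored once the patch is deployed.
    $before | Export-Csv -Path $Backup -NoTypeInformation

    # Only touch directories where the feature is actually on.
    $before | Where-Object {
        $_.WebReadyDocumentViewingOnPublicComputersEnabled -or
        $_.WebReadyDocumentViewingOnPrivateComputersEnabled
    } | ForEach-Object {
        Set-OwaVirtualDirectory -Identity $_.Identity `
            -WebReadyDocumentViewingOnPublicComputersEnabled:$false `
            -WebReadyDocumentViewingOnPrivateComputersEnabled:$false
    }

    # Verify: anything still enabled (e.g. a CAS that was unreachable) needs attention.
    $still = @(Get-WebReadyState | Where-Object {
        $_.WebReadyDocumentViewingOnPublicComputersEnabled -or
        $_.WebReadyDocumentViewingOnPrivateComputersEnabled })
    if ($still.Count -gt 0) {
        Write-Warning ("WebReady still enabled on: " + (($still | ForEach-Object { $_.Identity }) -join ', '))
    } else {
        Write-Host ("WebReady Document Viewing disabled on {0} OWA virtual directories." -f $before.Count)
    }
}

function Restore-WebReady {
    param([Parameter(Mandatory)] [string] $Backup)
    # Re-apply the recorded values after the real fix is installed.
    Import-Csv -Path $Backup | ForEach-Object {
        Set-OwaVirtualDirectory -Identity $_.Identity `
            -WebReadyDocumentViewingOnPublicComputersEnabled:([bool]::Parse($_.WebReadyDocumentViewingOnPublicComputersEnabled)) `
            -WebReadyDocumentViewingOnPrivateComputersEnabled:([bool]::Parse($_.WebReadyDocumentViewingOnPrivateComputersEnabled))
    }
}

Disable-WebReady -Backup $BackupPath
# After patching: Restore-WebReady -Backup $BackupPath
```

Re-running Get-WebReadyState after the change is the check that matters: the OWA settings are stored in Active Directory, so a directory that still shows True has not been changed, regardless of what the Set call reported.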

Microsoft’s Security Research & Defense team has posted a blog entry that provides more information on the matter as well as details of the workarounds. US-CERT has also published more information on the vulnerabilities.