May 17, 2012

You are here: Home / Archives for Vulnerability / Microsoft

Microsoft Fixes Duqu Vulnerability But Drops SSL Changes at Last Minute

December 14, 2011 By

(LiveHacking.Com) - As expected Microsoft has released its Patch Tuesday security updates for December. Originally Microsoft were going to release 14 bulletins but instead released only 13. The missing update was intended to make changes to the way Windows works with SSL/TLS to try and minimize the recently discovered weaknesses of the security protocol as highlighted by the BEAST (Browser Exploit Against SSL/TLS) hacking tool. However Microsoft discovered some compatibility issues with their changes and “a major third-party vendor.” Microsoft are “working with that vendor to address the issue.”

Microsoft however did fix the kernel-mode driver vulnerability that allows the Duqu malware to spread. The vulnerability allows remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files.

Microsoft also fixed a vulnerability in Windows Media Player and Windows Media Center that can allow remote code execution. Bulletin MS11-092  resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.

The other “Critical” level update is for a  remote code execution vulnerability if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.

 

Filed Under: Microsoft, Microsoft, Vulnerability Tagged With: , , , , , , ,

Microsoft to Fix 20 Vulnerabilities Next Tuesday

December 9, 2011 By

(LiveHacking.Com) - Microsoft will fix 20 vulnerabilities for December’s Patch Tuesday. According to the Microsoft security bulletin advance Notification for December 2011, the Redmond company will release 14 bulletins addressing 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Publisher, and Windows Media Player.

Although Microsoft doesn’t release details of the bulletins until they are posted, pundits are suggesting that among the patches will be a fix for the vulnerability that allows the Duqu intelligence-gathering Trojan to spread, and a fix for the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 flaws popularized a few months ago by the BEAST (Browser Exploit Against SSL/TLS) hacking tool.

Three of the 14 bulletins are marked as “critical” (the highest threat ranking) and the remaining 11 are tagged as “important” (the second-highest rating). Release of the bulletin is scheduled for Tuesday, December 13, 2011.

Filed Under: Intenet Explorer, Microsoft, Microsoft, Vulnerability Tagged With: , , , , , ,

Microsoft Releases Hotfix for AppLocker Flaw

November 10, 2011 By

(LiveHacking.Com) - Microsoft has released a hotfix for a flaw in AppLocker that allows AppLocker rules to be circumvented with an Office macro. The vulnerability affects Windows 7 or Windows Server 2008 R2.

With AppLocker users can define rules that control which applications can run, however, it turns out that an attacker could create a macro in Microsoft Office  to circumvent the AppLocker rules. As a result malware in the %TEMP% or %system drive%:\Users directory can be executed by using the SANDBOX_INERT and LOAD_IGNORE_CODE_AUTHZ_LEVEL flags, even if access to these directories is limited by AppLocker rules.

To apply this hotfix, you must be running one of the following operating systems:

  • Windows 7
  • Windows 7 Service Pack 1 (SP1)
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)
Filed Under: Microsoft, Microsoft, Vulnerability Tagged With: , , ,

Microsoft Plugs TCP/IP Hole While Adobe Fixes Critical Vulnerabilities in Shockwave

November 9, 2011 By

(LiveHacking.Com) - Microsoft has issued four security bulletins to address four vulnerabilities in its Windows operating system including a ‘Critical’ vulnerability in TCP/IP.

The networking flaw, which was reported privately to Microsoft, could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system. Successful exploitation of MS11-083 would let an attacker run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The flaw exists in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 but not in Windows XP or Windows Server 2003.

The remaining three bulletins are as follows:

MS11-085Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.

MS11-086< – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837) – This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain. By default, Active Directory is not configured to use LDAP over SSL.

MS11-084Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.

Adobe Shockwave Player

Whilst Microsoft was busy fixing its networking code, Adobe posted a security bulletin about its Shockwave Player.

Critical vulnerabilities exist in Adobe Shockwave Player 11.6.1.629 and earlier versions on the Windows and OS X. Successful exploitation would let an attacker run arbitrary code.

A new version of Shockwave Player is available which:

  • Resolves a memory corruption vulnerability in the DIRapi library that could lead to code execution (CVE-2011-2446).
  • Fixes a memory corruption vulnerability that could lead to code execution (CVE-2011-2447).
  • Resolves a memory corruption vulnerability in the DIRApi library that could lead to code execution (CVE-2011-2448).
  • Fixes multiple potential memory corruption vulnerabilities in the TextXtra module that could lead to code execution (CVE-2011-2449).
Filed Under: Adobe, Adobe, Microsoft, Microsoft, Vulnerability Tagged With: , , , ,

Light Patch Tuesday Ahead With No Fix For Duqu TrueType Font Vulnerability

November 7, 2011 By

(LiveHacking.Com) - Microsoft has published its advance notification of the security bulletins that Microsoft is intending to release for November’s Patch Tuesday (November 8, 2011).

Microsoft will issue four bulletins: one for a ‘Critical’ remote code execution vulnerability, two ‘Important’ fixes for remote code execution and elevation of privilege flaws and a ‘Moderate’ denial-of-service vulnerability.

The ‘Critical’ bulletin affects Windows 7, Vista, Server 2008 and Server 2008 R2 but not XP and Server 2003. This probably means that the flaw is in newer functionality which isn’t included XP or Server 2003. In fact, only one of the four bulletins affects XP and Windows Server 2003. The other three are only found in Windows Vista or above.

Microsoft have already said that a fix for the Windows’ TrueType font parsing engine vulnerability, that is used by the Duqu malware, will not be ready for this month’s bulletin release:

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Filed Under: Microsoft, Microsoft, Vulnerability Tagged With: , ,

Microsoft Releases Security Advisory And ‘Fix it’ to Combat Duqu

November 4, 2011 By

(LiveHacking.Com) - It was revealed a couple of days ago that the new Duqu malware (which many see as related to the infamous Stuxnet trojan) spreads via a zero day vulnerability in the Windows kernel. Microsoft have now issued a security advisory and “fix it” workaround.

Microsoft has revealed in the advisory that the problem is with the Windows’ TrueType font parsing engine. An attacker who exploits this vulnerability can run their own code in kernel mode and then proceed, unhindered to  install programs; modify data; or create new accounts.

The vulnerability is in every supported version of Windows including the desktop versions (XP, Vista and Windows 7) along with the server variants (Windows Server 2003 and Windows Server 2008). The vulnerability affects both 32 bit and 64 bits systems.

The vulnerability can be exploited in multiple ways including  providing documents or convincing users to visit a Web page that embed specially crafted TrueType fonts. The vulnerability is caused when a Windows kernel-mode driver fails to properly handle the TrueType font type.

Workaround

A temporary workaround is to block access to t2embed.dll. Blocking access to this dll does not correct the underlying issue but it will help block known attack vectors before Microsoft issue a security update.

The security advisory provides a workaround that can be applied to any Windows system. To make it easy for users to install, Microsoft has released a Fix it that will allow one-click installation of the workaround and an easy way for enterprises to deploy.

No fix for November’s Patch Tuesday

Microsoft have said that a fix for this vulnerability will not be ready for this month’s bulletin release:

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Filed Under: Malware, Microsoft, Microsoft, Vulnerability Tagged With: , ,

Microsoft Fix 23 Security Issues in October’s Patch Tuesday

October 12, 2011 By

(LiveHacking.Com) - Microsoft has released its patches for Microsoft Windows, Internet Explorer, .NET Framework, Silverlight, Forefront United Access Gateway, and Microsoft Host Integration Server as part of October’s patch Tuesday.

There are two Critical level fixes, one for .NET Framework & Silverlight and the other for Internet Explorer:

MS11-078 – Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution. This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

MS11-081 - Cumulative Security Update for Internet Explorer. This security update resolves eight privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The remaining advisories are all rated as Important:

  • MS11-075 - Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution
  • MS11-076 - Vulnerability in Windows Media Center Could Allow Remote Code Execution
  • MS11-077 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
  • MS11-079 - Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution
  • MS11-080  - Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege
  • MS11-082 - Vulnerabilities in Host Integration Server Could Allow Denial of Service
Filed Under: Intenet Explorer, Microsoft, Microsoft, Vulnerability Tagged With: , , , , , , ,

Microsoft Releases Details of Two Upcoming Critical Security Fixes

October 7, 2011 By

(LiveHacking.Com) - As usual, Microsoft has issued its advanced notification for this month’s ‘Patch Tuesday’. This month Microsoft will issue eight security bulletins, two rated ‘Critical’ and six rated ‘Important’ which will address a total of 23 vulnerabilities in a variety of Microsoft products including the Microsoft .NET Framework, Silverlight, Windows, Internet Explorer, the Microsoft Forefront Unified Access Gateway, and the Microsoft Host Integration Server.

The Critical vulnerabilities which will be patched affect the Microsoft .NET Framework,
Microsoft Silverlight, Microsoft Windows and Internet Explorer 6, 7, 8 and 9 (depending on the Windows version). Successful exploitation of these vulnerabilities could lead to remote code execution.

Bulletins 3, 4, 5 and 6 also deal with possible remote code execution vulnerabilities for Windows and the Microsoft Forefront Unified Access Gateway. Although these are rated as Important (and not Critical) it still means that their  exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.

Bulletin 7 deals with a possible Elevation of Privilege in Windows XP and Window Server 2003 (but not Windows 7 or Windows Server 2008), while Bulletin 8 addresses Denial of Service issues with the Microsoft Host Integration Server.

Patch Tuesday this months falls on October 12, 2011.

Filed Under: Microsoft, Microsoft, Vulnerability Tagged With: ,

Patch Tuesday Blocks More DigiNotar Certificates

September 14, 2011 By

(LiveHacking.Com) - As anticipated Microsoft has issued five security bulletins bringing a number of updates to Windows and Office. At the same time it has released a new update  (2616676) that blocks six additional DigiNotar root certificates. These new certificates are ones that are cross-signed by Entrust and GTE. They are:

  • DigiNotar Root CA Issued by Entrust (2 certificates)
  • DigiNotar Services 1024 CA Issued by Entrust
  • Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)

The security bulletins issued are

  1. MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege
  2. MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution
  3. MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  4. MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  5. MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

None of the bulletins are rated as Critical but the affected software includes all of Microsoft’s currently supported versions of Windows including XP, Vista, Windows 7 and Windows Server 2003/2008 as well Office 2003, 2007 and 2010.

MS11-071, 072 and 073 all relate to vulnerabilities could allow remote code execution if a user opens a specially crafted file. In some cases, for .doc., .rtf and .txt files, the document needs to be the located in the same network directory as a specially crafted library file for the exploit to work.

Filed Under: Cryptography, Microsoft, Security, Vulnerability Tagged With: , , , ,

September’s Patch Tuesday to Contain 5 Bulletins

September 9, 2011 By

(LiveHacking.Com) - Microsoft has issued a Security Bulletin Advance Notification  for September’s patch Tuesday. The advanced notification mentions five security bulletins, addressing 15 vulnerabilities, all rated as Important. Under Microsoft’s rankings Important means “a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.”

The five bulletins address vulnerabilities which if exploited could lead to Elevation of Privilege or Remote Code Execution. Affected software includes Windows, Office and Microsoft Server Software.

Release of these bulletins is scheduled for Tuesday, September 13, 2011.

Filed Under: Microsoft, Microsoft, Vulnerability Tagged With: ,
« Older Posts
Newer Posts »