October 23, 2018

Microsoft fixes XML Core Services vulnerability as part of July’s Patch Tuesday

(LiveHacking.Com) – As expected, Microsoft has fixed the XML Core Services vulnerability which was being exploited in the wild using drive-by attacks.  The vulnerability allowed remote code execution if a user viewed a specially crafted webpage using Internet Explorer. Last month Microsoft issued a security advisory about the vulnerability along with a FixIt workaround, the exploit was also converted into a Metasploit module.

Microsoft Security Bulletin MS12-043 now fixes the problem. The Critical level update applies to Microsoft XML Core Services 3.0, 4.0, and 6.0 on all supported editions of Windows XP, Windows Vista, and Windows 7. It also applies to all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 (where it is rated as Moderate). The vulnerability also affects Microsoft XML Core Services 5.0 that is used in Microsoft Office 2003, Microsoft Office 2007, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack, Microsoft Expression Web, Microsoft Office SharePoint Server 2007, and Microsoft Groove Server 2007.

July’s bulletins also covered two other Critical level vulnerabilities. The XML Core Services, isn’t the only drive-by vulnerability fixed by the Redmond giant. Microsoft Security Bulletin MS12-045 addresses the way that Microsoft Data Access Components handles objects in memory. Before the fix, a vulnerability existed that could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

Microsoft also released a cumulative security update for Internet Explorer 9. The update fixes two privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer 9. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.

Among the other updates, one is for the Mac. The update fixes a vulnerability in Microsoft Office for Mac 2011 that could allow elevation of privilege if a malicious executable is placed on an affected system by an attacker, and then another user logs on later and runs the malicious executable. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The fix corrects the permission settings on the Microsoft Office 2011 folder and other affected folders.

Microsoft to fix three critical remote code execution vulnerabilities on Tuesday

(LiveHacking.Com) – Microsoft has released its advance notification for what issues the company expects to fix during this month’s Patch Tuesday. The notice mentions nine bulletins of which three are marked as Critical and are connected with remote code execution vulnerabilities. The other six bulletins are marked as Important and concern remote code execution, information disclosure and elevation of privileges. The nine bulletins address a total of 16 vulnerabilities in a variety of Microsoft products including Microsoft Windows, Microsoft Office, Internet Explorer, and Visual Basic.

It is anticipated that Microsoft will patch the vulnerability in its XML Core Services which is being actively exploited on the Internet. Last month Microsoft issued a security advisory about the vulnerability that can allow remote code execution if a user views a specially crafted webpage using Internet Explorer and at the time it issued a FixIt workaround that basically disables the vulnerable component in IE. The vulnerability, which also affects  Office 2003 and Office 2007 , exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. A working exploit for the bug has also been converted into a Metasploit module.

The second of the nine bulletins is specifically for Internet Explorer 9. This is somewhat unusual as often errors found in IE are also applicable to IE 8 and sometimes IE 7. But this bulletin is only for IE 9. What is also interesting is that Microsoft updated all versions of Internet Explorer during last month’s patch Tuesday. IE 9, being the latest version, is meant to be the securest version.

Bulletins 4 and 8 address Microsoft Office flaws and affect Office 2003 Service Pack 3, Office 2007 Service Pack 2, Microsoft Office 2010 and Microsoft Office 2010 Service Pack 1. Both are marked as Important and one addresses a remote code vulnerability while the other is to do with elevation of privileges.

Finally it is worth noting that bulletin 9 addresses an Important level vulnerability in Microsoft Office for Mac 2011. This bulletin does not affect the Windows versions.

Microsoft are expected to release all nine bulletins on Tuesday at approximately 10 a.m. PDT.

Zero day vulnerability in Microsoft XML Core Services turned into Metasploit module

(LiveHacking.Com) – Details on how to exploit a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 have been posted on to the Internet and subsequently converted into a Metasploit module. Last week Microsoft issued a security advisory about a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 that can allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

The vulnerability, which also affects  Office 2003 and Office 2007 , exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. Microsoft does not yet have a  patch for this problem, but there is a FixIt workaround that basically disables the vulnerable component in IE. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.

Windows XP systems can be exploited reliably without any third-party component, however Windows 7 and Windows Vista PCs need to be running an old Java virtual machine that came with a non-ASLR version of the msvcr71.dll. Systems without Java or where a different version of the msvcr71 DLL exists can’t be exploited, but IE will still crash.

McAfee says it found out about the vulnerability nearly three weeks ago. “The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass with data execution (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections,” wrote Yichong Lin. “On Windows XP, the vulnerability can be reliably exploited without any third-party component. We found the exploit tried to download and execute a binary from a remote server. The server was hosted by Yahoo and was taken down the same day we reported this to Microsoft.

There is also a demonstration of how to exploit the vulnerability using Metasploit on YouTube: MS12-037 Internet Explorer Same ID CVE-2012-1875 Vulnerability Metasploit Demo

System privilege escalation vulnerability found in XEN on 64-bit Intel hardware

(LiveHacking.Com) – Rafal Wojtczuk of Bromium, Inc. has found a new vulnerability that could possibility be exploited for local privilege escalation. The bug in several different operating systems and Hypevisors, like the XEN virtualization software, affects systems using 64-bit Intel CPU hardware. To exploit the vulnerability an attacker needs to create a special stack frame which will be executed by the kernel of the host operating system after a general protection fault. The problem is that the general protection fault will be handled before the stack switch, which means the exception handler will be run in the kernel of the host operating system using the specially created stack frame, in short – a privilege escalation.

The error only exhibts itself on Intel 64-bit CPUs. AMD CPUs are not affected. Also the vulnerability seems to exist only in the XEN hypervisor (or its variants). VMware is not vulnerable. According to Xen Security Advisory 7, the result of a successful exploitation is that administrators of guest OSes can gain control of the host OS.

Modern operating systems implement a rings model of security, where privileged operations are performed in RING 0 (the kernel). Most applications run in RING 3 and request access to RING 0 by making system calls. The calls put the CPU into the required privilege level and passes control to the kernel. By using the combination of a special stack frame and a general protection fault the attackers force the system to run their code in RING 0 rather than RING 3.

Microsoft released a patch for Windows a few days ago as part of June’s Patch Tuesday. According to Microsoft the fix changes the way that the Windows User Mode Scheduler handles a particular system request and the way that Windows manages BIOS ROM.

Vendor specific information on this vulnerability have been published by XenFreeBSD and Microsoft. Linux vendor Red Hat has also published two security advisories: RHSA-2012:0720-1 and RHSA-2012:0721-1.

On some operating systems, like FreeBSD, running the 32-bit variant of the OS on a 64 bit capable CPUs means the operating systems is not vulnerable.

Microsoft fixes critical RDP remote code execution vulnerability

Microsoft has released updates for its Windows operating system, and its components, to fix 26 different security related vulnerabilities. Among the bugs fixed is a vulnerability in the Remote Desktop Protocol. The vulnerability, which can be exploited by an attacker sending a sequence of specially crafted RDP packets to an affected system, can allow the attacker to execute code on the target machine.

Microsoft are rating the update as Critical and affected systems include all supported editions of Windows Server 2003 and Windows Server 2008, Windows Server 2008 R2 and Windows 7 SP1. For XP and Vista the vulnerability is less serious and Microsoft have lowered the rating to Moderate. interestingly Windows 7 PCs without SP1 are also rated as Moderate implying that code from Windows server was used in SP1 where as XP, Vista and Windows 7 without SP1 had a different, less vulnerable, code base. Microsoft point out that by default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Microsoft has also updated Internet Explorer. 13 vulnerabilities have been fixed that affect all supported versions of IE. The fixes include changes to the way that Internet Explorer handles objects in memory, HTML sanitization using toStaticHTML, the way that Internet Explorer renders data during certain processes, and the way that Internet Explorer creates and initializes strings. These problems have a severity rating of Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows XP, Vista and 7, and could result in remote code execution. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. For Windows Server platforms Microsoft have rated these issues as Moderate.

The other Critical update is for .NET to fix a vulnerability that could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). The vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

As well as releasing these patch Microsoft also issued a security advisory about a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 that is being exploited in the wild. Hackers can execute code on a victim’s PCs who visit a web site, using IE, that has specially crafted webpages. The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.

Microsoft does not yet have a  patch for this problem, but there is a FixIt workaround tha basically disables the vulnerable component in IE. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.

Microsoft Fixes Three Critical Issues

(LiveHacking.Com) – Microsoft has issued updates for May’s Patch Tuesday covering vulnerabilities in Microsoft Windows, Office, .NET Framework, and Silverlight. There are a total of seven security bulletins, three Critical and four Important, which address 23 issues.

The first of the Critical level updates is MS12-034, which affects Microsoft Office, Windows, .NET Framework, and Silverlight. This security update addresses 10 issues, the most severe of which could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files.

Microsoft Word is also affected by another Critical issue that could allow remote code execution. MS12-029 addresses a privately reported vulnerability in the processing of RTF files. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The third, and final, Critial level update, MS12-035, fixes two remote code execution vulnerabilities in the .NET Framework. The two privately reported vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The remaining four bulletins are as follows:

  • MS12-030 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution – This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-031 – Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution – This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-032 – Vulnerability in TCP/IP Could Allow Elevation of Privilege – This security update resolves one privately reported and one publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
  • MS12-033 – Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

 

Microsoft Fixes Four Critical Vulnerabilities for April’s Patch Tuesday

(LiveHacking.Com) – Microsoft has released six security bulletins, four of which are rated Critical in severity, and two Important. The bulletins fix vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Server Software, Developer Tools, and Forefront United Access Gateway.

The first Critical severity bulletin (MS12-023) patches Internet Explorer to fix five vulnerabilities in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage designed to exploit the vulnerability. The hacker would then gain the same user rights as the current user.

Next Microsoft fixed a remote code execution vulnerability in Microsoft Windows (MS12-024). The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

Remote code execution vulnerabilities were also fixed in the .NET framework (MS12-025):

  1. If a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs) then an attacker could execute arbitrary code on the PC.
  2. Remote code execution could also occur on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a web hosting scenario.
  3. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability.
  4. Finally, a compromised website or a  website that accepts user-provided content or advertisements could host specially crafted content to exploit this vulnerability.

The fourth and finally Critical severity vulnerability fixed is in the Windows common controls (MS12-027). The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. The Windows common controls are installed on a PC with software like Microsoft Office, Microsoft SQL Server and  Microsoft Visual FoxPro.

Microsoft’s RDP Bug Exposing 5 Million Hosts to Potential Attack

(LiveHacking.Com) – The impact of the RDP bug which Microsoft patched as part of this month’s Patch Tuesday is continuing to grow. Dan Kaminsky, who is best known for his work finding a critical DNS and for helping to fix it, has initiated a scan of the Internet and by extrapolating the data from the 8% sample (some 300 million IP addresses) it seems that there are about five million RDP endpoints on the Internet today.

With a proof of concept exploit already circulating in the wild this means that, unless updated to apply the latest patches, these five million servers are vulnerable to a real, palpable attack. Not a theoretical vulnerability but real exposure. Since RDP is the way most Windows systems are remotely administered, this vulneravility is now being seen on a whole different scale.

“There’s a very good chance that your network is exposing some RDP surface. If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible,” wrote Dan on his blog.

For those who haven’t yet applied Microsoft’s patches there is a way to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: By enabling Remote Desktop’s Network Level Authentication (NLA) users are forced to authenticate before a remote desktop session is established. On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability.  You can find instructions here to enable NLA.

Hackers Trying to Build Exploit for RDP Vulnerability

(LiveHacking.Com) – On Tuesday Microsoft patched all currently supported version of Windows to fix a vulnerability in the Remote Desktop Protocol. At the time of the patch there was no actual known exploit but now a $1467 reward has been offered to develop a working module for Metasploit that exploits this vulnerability.

The vulnerability, which is now patched, in the Remote Desktop Protocol (RDP) exists because of the way Windows processes RDP packets in memory. In theory remote attackers can execute arbitrary code by sending crafted RDP packets triggering access to an object that was not properly initialized or has been deleted.

According to SC Magazine a proof of concept exploit has been shown to trigger a blue screen of death on Windows XP and Windows Server 2003 machines. The first proof of concept to be published was posted briefly on a Chinese website before disappearing. The second, based off the Chinese POC, was described by Accuvant researcher Josh Drake.

In a lighthearted tweet Chaouki Bekrar of VUPEN wrote “writing a remote exploit for MS12-020 / RDP for Windows 7 is definitely a challenge for Chuck Norris or Steven Seagal.” Which underlines the complexity of writing an exploit for a known vulnerability.

“However, due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days.” said Microsoft on its Security Research & Defense blog.

For organisations which haven’t yet applied Microsoft’s patches there is a way to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: You can enable Remote Desktop’s Network Level Authentication (NLA) to require authentication before a remote desktop session is established to the remote desktop server. On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability.

Microsoft Release a Critical Remote Desktop Fix for Patch Tuesday

(LiveHacking.Com) – Microsoft’s ‘Patch Tuesday’ was relatively small this month with just one Critical bulletin issued. The patch (MS12-020) addresses an issue in the Remote Desktop Protocol (RDP). The vulnerability, which was privately reported to Microsoft, could allow an attacker to achieve remote code execution on a machine running RDP. If the machine does not have Network Level Authentication (NLA) enabled, the attacker would not require authentication for RCE access. To launch the attack, the hacker needs to send a sequence of specially crafted RDP packets to an affected system. However by default the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system and therefore systems that do not have RDP enabled are not at risk.

The rest of the bulletins issued by Microsoft comprise of four Important issues and a single Moderate one. In total these bulletins address seven issues in Microsoft Windows, Visual Studio, and Expression Design.

The remaining bulletins are:

  • MS12-017 – Vulnerability in DNS Server Could Allow Denial of Service. This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server.
  • MS12-018 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege. This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
  • MS12-021 – Vulnerability in Visual Studio Could Allow Elevation of Privilege. This security update resolves one privately reported vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
  • MS12-022 – Vulnerability in Expression Design Could Allow Remote Code Execution. This security update resolves one privately reported vulnerability in Microsoft Expression Design. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .xpr or .DESIGN file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Expression Design could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .xpr or .DESIGN file) from this location that is then loaded by a vulnerable application.
  • MS12-019 – Vulnerability in DirectWrite Could Allow Denial of Service. This security update resolves a publicly disclosed vulnerability in Windows DirectWrite. In an Instant Messager-based attack scenario, the vulnerability could allow denial of service if an attacker sends a specially crafted sequence of Unicode characters directly to an Instant Messenger client. The target application could become unresponsive when DirectWrite renders the specially crafted sequence of Unicode characters.