July 30, 2014

Microsoft Addresses Twenty One Vulnerabilities in Windows, IE and .NET

(LiveHacking.Com) – Microsoft has released fixes to address multiple vulnerabilities as part of its February’s Patch Tuesday. The fixes affect Microsoft Windows, Internet Explorer, .Net Framework, Silverlight, Office, and Windows Server Software. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

Twenty one vulnerabilities were addressed. Microsoft recommends that customers focus on the first two critical updates:

  • MS12-010 (Internet Explorer): Cumulative Security Update for Internet Explorer. This bulletin addresses two Critical, one Important and one Moderate issues affecting all versions of Internet Explorer. The most severe of these could allow for remote code execution, if an attacker were to convince a user to visit a maliciously constructed Web page. All of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. We recommend that customers read through the bulletin information concerning MS12-010 and apply it as soon as possible.
  • MS12-013 (C Runtime Library): Vulnerabilities in C Run-Time Library Could Allow Remote Code Execution. This bulletin addresses an issue that could arise if a would-be attacker sent a malicious media file to a targeted user, or convinced the user to visit a Web page hosting such a file. The issue was cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. As with MS12-010, though, we recommend that customers read through the bulletin information and apply it as soon as possible.

The other critical bulletins include MS12-008, which addresses vulnerabilities that could allow remote code execution if a user visits a website containing specially crafted content or if a specially crafted application is run locally, and MS12-016, which fixes issues affecting the .NET Framework and Microsoft Silverlight that can be exploited to allow an attacker to remotely execute code.

Microsoft Preparing Nine Bulletins for February’s Patch Tuesday

(LiveHacking.Com) – Microsoft has released its advance notification of the security bulletins it will issue for February’s patch Tuesday. There will be nine bulletins, addressing 21 vulnerabilities, with severity ratings of critical and important for Microsoft Windows, Internet Explorer, Microsoft Silverlight, Microsoft Server Software, Microsoft Office, and Microsoft .NET Framework.

Seven of the nine bulletins cover remote code execution vulnerabilities while the other two are elevation of privilege vulnerabilities. As is often the case with these bulletins all support versions of Windows are affected including XP, Vista and Windows 7 as well as Windows Server 2003 & 2008. The exceptions to this are bulletin 2 (which only affects Vista onwards) and bulletin 7 which only affects Windows Server 2003 and 2008.

The Internet Explorer remote code execution vulnerability is rated Critical and should be considered a mandatory update for all IE users. Affected versions include IE 6, IE 7, IE 8 and IE 9.

Patch Tuesday is scheduled for Tuesday, February 14, 2012.

Microsoft Fixes Eight Security Vulnerabilities in its Products

(LiveHacking.Com) – Microsoft has released seven security bulletins as part of its Patch Tuesday program. One of seven bulletins is rated Critical, with the remaining six classified as Important. The Critical bulletin addresses two issues in Windows Media Player. If exploited these vulnerabilities would allow remote code execution on the affected PC. Although there are no known active exploitations of these bugs, they can be triggered by a hacker crafting a malicious MIDI or DirectShow file. If the user then opened this file their PC would become vulnerable as the attacker could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The remaining fixes are:

  • Vulnerability in Windows Object Packager That Could Allow Remote Code Execution – The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file.
  • Vulnerability in Windows Client/Server Run-time Subsystem That Could Allow Elevation of Privilege – The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. The attacker could then take complete control of the affected system and install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale.
  • Vulnerability in Microsoft Windows That Could Allow Remote Code Execution – The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application.
  • Vulnerability in SSL/TLS Could Allow Information Disclosure – This vulnerability affects the SSL 3.0 and TLS 1.0 protocols and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This should protect users  from the tool known as BEAST (Browser Exploit Against SSL/TLS).
  • Vulnerability in AntiXSS Library Could Allow Information Disclosure – The vulnerability could allow information disclosure if a an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library.

Microsoft to Fix Eight Vulnerabilities Next Tuesday

(LiveHacking.Com) – Microsoft has published its advance notification for January’s Patch Tuesday. The software giant will release seven bulletins to address eight vulnerabilities in Microsoft Windows and Microsoft Developer Tools And Software. Only one of the bulletins is rated as Critical, the rest are rated as Important. However Important bulletins are still serious as Microsoft defines them as “a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.”

The types of vulnerabilities fixes include remote code execution, elevation of privilege, information disclosure and the less common security feature bypass. A security feature bypass vulnerability can not themselves used by an attacker they can be used to enable the use of another exploit.

Affected Software includes Windows XP, Windows Vista, Windows 7 and Windows Server 2003 and 2008. The security bulletins will be published on January 10, 2012.

New “Highly Critical” Windows 7 Vulnerability

(LiveHacking.Com) – Microsoft are investigating a new vulnerability in Windows 7 which causes a blue screen of death (BSoD). A “researcher” named webDEVIL posted to twitter that “<iframe height=’18082563′></iframe> causes a BSoD on win 7 x64 via Safari. Lol!”  Security company Secunia then posted an advisory rating the issue as “Highly critical” as the fault can lead to system compromise and successful exploitation does not require any user interaction.

The vulnerability is due to an error in win32k.sys and can be used to corrupt memory via a specially crafted web page. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges. It isn’t clear yet if an actual exploit exists or if this is just a potential hole to launch an attack.

“We are currently examining the issue and will take appropriate action to help ensure customers are protected,” Jerry Bryant, group manager of response communications for Microsoft’s Trustworthy Computing Group, said in a statement to SecurityWeek. The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit. Other versions may also be affected.

Microsoft Fixes Duqu Vulnerability But Drops SSL Changes at Last Minute

(LiveHacking.Com) - As expected Microsoft has released its Patch Tuesday security updates for December. Originally Microsoft were going to release 14 bulletins but instead released only 13. The missing update was intended to make changes to the way Windows works with SSL/TLS to try and minimize the recently discovered weaknesses of the security protocol as highlighted by the BEAST (Browser Exploit Against SSL/TLS) hacking tool. However Microsoft discovered some compatibility issues with their changes and “a major third-party vendor.” Microsoft are “working with that vendor to address the issue.”

Microsoft however did fix the kernel-mode driver vulnerability that allows the Duqu malware to spread. The vulnerability allows remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files.

Microsoft also fixed a vulnerability in Windows Media Player and Windows Media Center that can allow remote code execution. Bulletin MS11-092  resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.

The other “Critical” level update is for a  remote code execution vulnerability if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.

 

Microsoft to Fix 20 Vulnerabilities Next Tuesday

(LiveHacking.Com) - Microsoft will fix 20 vulnerabilities for December’s Patch Tuesday. According to the Microsoft security bulletin advance Notification for December 2011, the Redmond company will release 14 bulletins addressing 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Publisher, and Windows Media Player.

Although Microsoft doesn’t release details of the bulletins until they are posted, pundits are suggesting that among the patches will be a fix for the vulnerability that allows the Duqu intelligence-gathering Trojan to spread, and a fix for the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 flaws popularized a few months ago by the BEAST (Browser Exploit Against SSL/TLS) hacking tool.

Three of the 14 bulletins are marked as “critical” (the highest threat ranking) and the remaining 11 are tagged as “important” (the second-highest rating). Release of the bulletin is scheduled for Tuesday, December 13, 2011.

Microsoft Releases Hotfix for AppLocker Flaw

(LiveHacking.Com) - Microsoft has released a hotfix for a flaw in AppLocker that allows AppLocker rules to be circumvented with an Office macro. The vulnerability affects Windows 7 or Windows Server 2008 R2.

With AppLocker users can define rules that control which applications can run, however, it turns out that an attacker could create a macro in Microsoft Office  to circumvent the AppLocker rules. As a result malware in the %TEMP% or %system drive%:\Users directory can be executed by using the SANDBOX_INERT and LOAD_IGNORE_CODE_AUTHZ_LEVEL flags, even if access to these directories is limited by AppLocker rules.

To apply this hotfix, you must be running one of the following operating systems:

  • Windows 7
  • Windows 7 Service Pack 1 (SP1)
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)

Microsoft Plugs TCP/IP Hole While Adobe Fixes Critical Vulnerabilities in Shockwave

(LiveHacking.Com) - Microsoft has issued four security bulletins to address four vulnerabilities in its Windows operating system including a ‘Critical’ vulnerability in TCP/IP.

The networking flaw, which was reported privately to Microsoft, could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system. Successful exploitation of MS11-083 would let an attacker run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The flaw exists in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 but not in Windows XP or Windows Server 2003.

The remaining three bulletins are as follows:

MS11-085Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.

MS11-086< – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837) – This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain. By default, Active Directory is not configured to use LDAP over SSL.

MS11-084Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.

Adobe Shockwave Player

Whilst Microsoft was busy fixing its networking code, Adobe posted a security bulletin about its Shockwave Player.

Critical vulnerabilities exist in Adobe Shockwave Player 11.6.1.629 and earlier versions on the Windows and OS X. Successful exploitation would let an attacker run arbitrary code.

A new version of Shockwave Player is available which:

  • Resolves a memory corruption vulnerability in the DIRapi library that could lead to code execution (CVE-2011-2446).
  • Fixes a memory corruption vulnerability that could lead to code execution (CVE-2011-2447).
  • Resolves a memory corruption vulnerability in the DIRApi library that could lead to code execution (CVE-2011-2448).
  • Fixes multiple potential memory corruption vulnerabilities in the TextXtra module that could lead to code execution (CVE-2011-2449).

Light Patch Tuesday Ahead With No Fix For Duqu TrueType Font Vulnerability

(LiveHacking.Com) - Microsoft has published its advance notification of the security bulletins that Microsoft is intending to release for November’s Patch Tuesday (November 8, 2011).

Microsoft will issue four bulletins: one for a ‘Critical’ remote code execution vulnerability, two ‘Important’ fixes for remote code execution and elevation of privilege flaws and a ‘Moderate’ denial-of-service vulnerability.

The ‘Critical’ bulletin affects Windows 7, Vista, Server 2008 and Server 2008 R2 but not XP and Server 2003. This probably means that the flaw is in newer functionality which isn’t included XP or Server 2003. In fact, only one of the four bulletins affects XP and Windows Server 2003. The other three are only found in Windows Vista or above.

Microsoft have already said that a fix for the Windows’ TrueType font parsing engine vulnerability, that is used by the Duqu malware, will not be ready for this month’s bulletin release:

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.