July 29, 2014

Internet Explorer attacked via multiple zero-day exploits

ie10-logoIt has been a rough week for Internet Explorer. Over the weekend Microsoft released Security Advisory 2963983 about a zero-day exploit in IE which is being used in the wild. Then yesterday Adobe released an emergency security update to fix a critical flaw in its Flash Player. As a result of Adobe’s patch, Microsoft has also updated the version of Adobe Flash Player built-in to Internet Explorer 10 and 11.

The zero-day exploit in IE allows attackers to execute arbitrary code if users visit a malicious website with an affected browser. In the worst case scenario the vulnerability can be used to silently install malware on a PC without any interaction with users, just because they visited a hacked or malicious site.

The vulnerability was found by FireEye which its own advisory. According to FireEye, the zero-day exploit affects IE6 through IE11, but the attacks seen in the wild are only targeting IE9 through IE11. “The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” wrote Xiaobo Chen, Dan Caselden and Mike Scott for FireEye.

Dustin Childs from Microsoft’s Security Response Center wrote that IE users should “exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders.” There is currently no Fix It or patch for this zero-day exploit, however Microsoft did release some workaround information as part of the security advisory.

The Flash Player vulnerability was discovered by Kaspersky Lab. According to Vyacheslav Zakorzhevsky, Kaspersky Lab detected two new Flash exploits which it hadn’t seen before. They sent the exploits off to Adobe and the company has now confirmed that they are indeed new zero-day vulnerabilities.

The Flash update for IE applies to Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Microsoft fixes Internet Explorer zero-day vulnerability

microsoft logoMicrosoft has released eight security bulletins to address 26 different security vulnerabilities in a range of its products including Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight.

The most important patch fixes the zero-day exploit which has been used by attackers in the wild since mid-September. Microsoft reports that there have been targeted attacks aimed at Internet Explorer 8 and 9 however the vulnerability is present in all versions of IE from 6 to IE 11. The vulnerability exists because of a use-after-free coding error in the JavaScript SetMouseCapture implementation in Internet Explorer. Microsoft’s patch (MS13-080) changes “the way that Internet Explorer handles objects in memory” meaning Microsoft fixed the user-after-free bug. The patch is Critical and all users should ensure that it is applied (normally via Windows Update).

The next patch resolves a vulnerability in some Windows kernel-mode drivers, specifically how these drivers handle specially crafted OpenType and  TrueType Font (TTF) files. If exploited the vulnerabilities, which were reported to Microsoft privately, could allow remote code execution and an attacker could take complete control of an affected system. According to Microsoft these bugs exist in all supported releases of Microsoft Windows from XP upwards, except Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Windows is updated again in the next patch (MS13-083) to fix a vulnerability in the Windows Common Control Library that could allow remote code execution. The patch actually updates a fix from 2010 where Microsoft corrected the way in which the Windows common controls handle messages passed from a third-party scalable vector graphics (SVG) viewer. At the time it was rated as Important, but the new patch is rated as Critical for all supported 64-bit editions of Microsoft Windows. The update has no severity rating for Windows RT and for all supported 32-bit editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows 8.

The final Critical level bulletin (MS13-082) fixes two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft’s .NET Framework. The worst of the vulnerabilities could allow remote code execution if a user visits a website containing a specially crafted OpenType font (OTF) file using a browser which is able to start XBAP applications. XBAP applications are Windows Presentation Foundation programs that run inside browsers such as Firefox or Internet Explorer. These applications run in a partial sandbox environment.

Microsoft October 2013-Priority.jpg-550x0

The remaining patches are rated as Important:

  • MS13-084 - Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution. The most severe vulnerability could allow remote code execution if a user opens a specially crafted Office file in an affected version of Microsoft SharePoint Server, Microsoft Office Services, or Web Apps.
  • MS13-085 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software.
  • MS13-086 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS13-087 - Vulnerability in Silverlight Could Allow Information Disclosure. The vulnerability could allow information disclosure if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability.

 

Microsoft issues “Fix it” for zero-day exploit attack against IE

internetexplorer_logo(LiveHacking.Com) – Microsoft has issued an emergency “Fix it” to help fend off a zero-day vulnerability attack which is being exploited in the wild. Currently there are reports of targeted attacks specifically directed at Internet Explorer 8 and 9 however the vulnerability is present in all versions of IE from 6 and up to IE 11 – which is to be released to the public with Windows 8.1. The vulnerability is exploited when users visit a web page with malicious content and can allow remote code execution.

The vulnerability is exists because of a use-after-free coding error in the JavaScript SetMouseCapture implementation in Internet Explorer. Further details of the exploit have been posted on pastebin. Microsoft says it is actively working to develop a security update to address the vulnerability and in the mean time users should apply the “Fix it” and also set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. Microsoft also recommends that users configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

“We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our customers,” said Dustin Childs, Group Manager of Trustworthy Computing at Microsoft.

Microsoft hasn’t ruled out issuing an out-of-cycle security update to fix this bug, but it says it wants first to complete its investigation and may just provide a solution through its normal monthly Patch Tuesday bulletins, depending on customer needs and the extent of the attack.

Microsoft fixes critical flaws in Windows, IE and Office

microsoft logo(LiveHacking.Com) – Microsoft has released its security patches for September to address 47 different vulnerabilities in Microsoft Windows, Office, Internet Explorer and SharePoint. It total the company released 13 bulletins–four Critical and nine Important.

The first Critical bulletin fixes vulnerabilities in Microsoft SharePoint Server that could allow remote code execution if an attacker sends specially crafted content to the affected server. The vulnerability is present in Microsoft SharePoint Server 2007 and 2010, Microsoft SharePoint Services 2.0 and 3.0, and Microsoft SharePoint Foundation 2010. Also affected are Microsoft Office Services and Web Apps on supported editions of Microsoft SharePoint Server 2010. Although not rated as Critical the vulnerability is also present in Microsoft SharePoint Server 2013, Microsoft SharePoint Foundation 2013, and Excel Services on Microsoft SharePoint Server 2007.

Microsoft Outlook got updated in the second bulletin to fix a vulnerability that could allow remote code execution if a user opens or previews a specially crafted email message. The update, which is available for all supported editions of Microsoft Outlook 2007 and Microsoft Outlook 2010, corrects the way that Microsoft Outlook parses specially crafted S/MIME email messages.

Internet Explorer also got updated to resolves ten privately reported vulnerabilities, the most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage. Affected versions are  Internet Explorer 6, 7, 8, 9, and Internet Explorer 10. The vulnerabilities are related to memory corruptions as the fixes listed by Microsoft change the way that Internet Explorer handles objects in memory.

The final Critical update is for Windows itself and resolves a vulnerability that could allow remote code execution if a user opens a file that contains a specially crafted OLE object. Only Windows XP and Windows Server 2003 are the update fixes the way that OLE objects are handled in memory.

The remaining bulletins are all listed as Important:

  • MS13-071 - Vulnerability in Windows Theme File Could Allow Remote Code Execution
  • MS13-072 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  • MS13-073 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  • MS13-074 - Vulnerabilities in Microsoft Access Could Allow Remote Code Execution
  • MS13-075 - Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
  • MS13-076 - Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege
  • MS13-077 - Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege
  • MS13-078 - Vulnerability in FrontPage Could Allow Information Disclosure
  • MS13-079 - Vulnerability in Active Directory Could Allow Denial of Service

Microsoft fixes 23 vulnerabilities in Windows, Internet Explorer and Exchange

microsoft logo(LiveHacking.Com) – Microsoft has released eight security updates that address 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. Three of the bulletins are rated as Critical and the remaining five are rated as Important.

The first of the Critical updates (MS13-059) is a cumulative patch for IE. It resolves eleven privately reported vulnerabilities in Microsoft’s browser, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6, 7, 8, 9, and 10 on all supported versions of Windows including Windows 8 and Windows 8 RT. On Windows Server platforms the severity is only Moderate.

The next Critical patch (MS13-060) fixes a vulnerability in the Unicode Scripts Processor included in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. The fix changes the way that Microsoft Windows parses specific characteristics of OpenType fonts. The bug only affects Windows XP and Windows Server 2003, all other supported versions of Windows are unaffected.

The final Critical bulletin (MS13-061) is a patch for Exchange that addresses three publicly disclosed vulnerabilities in the WebReady Document Viewing and Data Loss Prevention features of Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using the Outlook Web App (OWA). Also the Data Loss Prevention feature contains code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. Exchange 2007, 2010 and 2013 are all affected, only Exchange 2003 is unaffected.

The remaining bulletins are all rated as Important and cover two sets of elevation of privilege bugs, two denial of service vulnerabilities and an information disclosure issue in Active Directory Federation Services (AD FS).

Microsoft patches Windows Kernel-Mode Driver vulnerability which is being exploited in the wild

microsoft logo(LiveHacking.Com) – Among the six Critical security bulletins issued by Microsoft, during its regular Patch Tuesday updates for July, was a fix for  CVE-2013-3660 a vulnerability in win32k.sys that allows remote code execution if a user views shared content that embeds TrueType font files. The vulnerability allows hackers to take complete control of an affected PC and Microsoft are reporting that it is being used in the wild in “limited, targeted attacks.”

The Windows Kernel-Mode Driver vulnerability, which affects all supported versions of Windows from XP SP2 on-wards (including Windows 8 and Windows 8 RT), exists because of an uninitialized pointer bug in the EPATHOBJ::pprFlattenRec function. The security patch fixes the way Windows handles specially crafted TrueType Font (TTF) files and by correcting the way that Windows handles objects in memory (in other words by fixing the uninitialized pointer bug).

The other five Critical bulletins also outline fixes for vulnerabilities which can lead to unauthorized remote code execution. MS13-052 fixes vulnerabilities in the Microsoft .NET Framework and Microsoft Silverlight, while MS13-054 addresses a vulnerability in Microsoft Windows, Microsoft Office, Microsoft Lync, and Microsoft Visual Studio – again connected with content that embeds TrueType font files.

There is also a cumulative security update for Internet Explorer. It resolves seventeen vulnerabilities in the browser. The most severe of these could allow remote code execution if a user views a specially crafted webpage. The security update is rated Critical for Internet Explorer 6, 7, 8, 9 and 10 on desktop versions of Windows and Moderate on Windows servers.

The only non-Critical patch was for a vulnerability in Windows Defender for Windows 7. The vulnerability could allow a hacker to gain elevated of privilege due to the way pathnames are used by Windows Defender, however an attacker must have valid logon credentials to exploit this vulnerability.

In total Microsoft addressed 34 vulnerabilities across its products. The software giant is recommending that system administrators who need to prioritize the role out of these patches should focus on the Windows Kernel-Mode Driver vulnerability and the updates to IE.

Microsoft releases Fix It for critical Internet Explorer 8 vulnerability

fix_it(LiveHacking.Com) – Less than a week ago Microsoft revealed that version 8 of its web browser Internet Explorer suffers from a nasty remote code execution vulnerability that could catch users if they mistakenly follow a link, in an email or instant message, to a malicious website. Microsoft’s initial recommendation was to upgrade to IE 9 or IE 10 which unfortunately isn’t possible for Windows XP users.

For those stuck with IE 8, Microsoft suggested setting the Internet and local intranet security zone settings to “High” and configuring Internet Explorer to prompt before running any Active Scripting. Microsoft didn’t however mention one other important option – switch to Google Chrome or Mozilla Firefox!

If switching isn’t a option and you don’t know how to fiddle with the security zone settings, Microsoft has now released an “easy, one-click Fix it” to help mitigate this problem. The MSHTML Shim Workaround isn’t intended to be a replacement for a proper security update and Microsoft is suggesting that we all wait a day or two to see what it has planned for May’s Patch Tuesday, the implication being that the IE8 bug will be fixed then.

Microsoft to patch critical flaws in Windows and IE on Tuesday

microsoft logo(LiveHacking.Com) – Microsoft has released its customary advanced warning about security vulnerabilities that it plans to fix during its next Patch Tuesday. April’s update will contain nine bulletins, two of which are marked as Critical. The Critical bulletins address vulnerabilities in Microsoft Windows and Internet Explorer. The remaining seven are tagged as Important and will address issues in Microsoft Windows, Office, Anti-malware Software, and Server Software.

The IE bulletin affects all supported versions of Microsoft’s browser from IE 6 on XP to IE 10 on Windows 8 and RT. These vulnerabilities in IE could allow hackers to remotely execute arbitrary code (often used to infect a PC with malware via a drive-by download) on unpatched machines.

The Critical patches for Windows, which are also to fix remote code execution vulnerabilities, affects only the older versions of Windows from Windows 7 back to Windows XP. Windows 8, Windows Server 2012 and the version of Windows for tablets, Windows RT, are not affected.

Bulletin 7 only affects Windows 8 and Windows 8 RT and applies to some flaws in Windows Defender which could allow a hacker to run programs at an elevated privilege. Paul Henry, security and forensic analyst at Lumension, told The Register that “Windows Defender is an important security component for the new operating systems, so it’s a little concerning to see it impacted here, even if only at an ‘important’ rather than critical level. If you’re running either of those systems, I would patch this important bulletin first.

Microsoft plans to publish the bulletins on April 9, 2013 at approximately 10 a.m. PDT.

Microsoft and Adobe release patches to fix critical vulnerabilities

(LiveHacking.Com) – For March’s Patch Tuesday Microsoft has released seven bulletins, four Critical-class and three Important-class. The bulletins address 20 vulnerabilities in total across several Microsoft products including Windows, Office, Internet Explorer, Server Tools, and Silverlight. Likewise Adobe has released a security update for its popular Flash Player to address vulnerabilities that could potentially allow a hacker to take control of a vulnerable system.

Microsoft

Among the fixes is a patch for an issue in the Kernel-Mode Drivers (KMD) where an attacker could gain administrator privileges by inserting a malicious USB flash drive into a Windows machine. Since the attack works even when no user is currently logged on, it means that anyone with casual access, such as a security guard, office cleaner or anyone with access to office space, could simply plug in a USB flash drive into a PC and perform any action as an administrator. In total MS13-027 resolves three privately reported vulnerabilities correcting the way that a Windows kernel-mode USB drivers handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Nine issues have also been fixed in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using IE. Upon successful exploit An attacker could gain the same rights as the current owner. All but one of these issues were privately reported to Microsoft and there are no reports of these vulnerabilities being used in the wild.

Microsoft Silverlight has also been patched to fix a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Adobe

adobe-logoAdobe has released a security update for Adobe Flash Player for Windows, OS X, Linux and Android. These update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Versions

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

The update address four known vulnerabilities  an integer overflow vulnerability that could lead to code execution (CVE-2013-0646), a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650), a memory corruption vulnerability that could lead to code execution (CVE-2013-1371), a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

As a result of the update, Google has also released a new version of Chrome.

 

Microsoft fixes Critical remote code execution vulnerabilities

microsoft logo(LiveHacking.Com) – Microsoft has released 12 bulletins, five Critical and seven Important , to addressing 57 different vulnerabilities in Microsoft Windows, Office, Internet Explorer, Exchange and .NET Framework.

Among the fixes was a security update that resolves thirteen vulnerabilities in Internet Explorer. The most severe of these issues could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. As well as generally patching IE, the company also patched its implementation of the Vector Markup Language (VML) in its browser. If exploited the vulnerability could allow remote code execution if a user viewed a specially crafted webpage. Microsoft says that it is aware of this vulnerability being used as an information disclosure vulnerability in targeted attacks. It is therefore essential that this patch is applied as soon as possible.

There is also an update for Microsoft Windows Object Linking and Embedding (OLE) Automation. Again, the vulnerability could allow remote code execution, this time  if a user opens a specially crafted file. The fix corrects the way in which OLE Automation parses files. This security update is rated as Critical but only for Windows XP Service Pack 3. All other support versions of Microsoft Windows are not affected.

Similarly Microsoft fixed a vulnerability in how different types of media are decompressed. The remote code execution vulnerability could be exploited by tricking a user to open  a specially crafted media file (such as an .mpg file), open a Microsoft Office document (such as a .ppt file) that contains a maliciously crafted embedded media file, or if the user runs programs to receives streaming content designed to exploit the vulnerability.

There is also a fix for remote code execution vulnerabilities in Microsoft Exchange Server, the most severe of which could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing.