December 18, 2018

Microsoft to fix IE8 zero-day vulnerability today with out-of-band fix

(LiveHacking.Com) – Microsoft will release an update to Internet Explorer today to fix the zero-day vulnerability which was found at the end of last year. An exploit for a previously unknown (zero-day) vulnerability was found in the wild during the clean-up of the Council on Foreign Relations (CFR) website, which had been compromised by hackers, probably from China. The exploit used a heap spray attack against the zero-day vulnerability.

Microsoft issued Security Advisory 2794220, which confirmed that the issue impacts Internet Explorer 6, 7, and 8. Internet Explorer 9 and 10 are not affected, so upgrading mitigates the problem; however, neither IE 9 nor IE 10 is available for Windows XP users.

A few days later, Microsoft published a Fix It as a temporary measure until the full patch is available. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. However once the Fix It was out, security information company Exodus Intelligence published details on how it had managed to bypass the shim and make IE vulnerable again. This placed greater pressure on Microsoft to issue an out-of-band fix, which it will now do today.

“While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future. The bulletin has a severity rating of Critical, and it addresses CVE-2012-4792,” said Dustin Childs, Group Manager of Microsoft’s Trustworthy Computing unit.

The patch will be made available for Windows XP, Vista and Windows 7 along with Windows Server 2003 and 2008. Microsoft will release the out-of-band security update at 10 a.m. PST on Monday, January 14, 2013.

Someone has bypassed Microsoft’s Fix It for the IE 8 zero-day vulnerability already

(LiveHacking.Com) – Security information company Exodus Intelligence has published a blog post claiming to have bypassed Microsoft’s Fix It for the current zero-day vulnerability in Internet Explorer 8. The official Fix It was released by Microsoft as a temporary workaround for the zero-day vulnerability found in Internet Explorer 6, 7 and 8. The bug in IE can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. To exploit it, users are tricked into visiting a specially crafted website which uses either Flash or JavaScript to generate a heap spray attack against IE. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution.

According to Exodus Intelligence it is now possible to bypass the shim and compromise a fully-patched system. Due to the nature of its business, Exodus Intelligence has passed on the details of the bypass to its customers. Thankfully it has also notified Microsoft. The company promises to fully disclose the details of the bypass once Microsoft has fully addressed the issue.

“After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” said Exodus Intelligence on its blog.

Microsoft will release seven security bulletins today to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework. However a fix for the Internet Explorer vulnerability will not be among the patches.

Internet Explorer 9 and 10 are immune to the attack, and upgrading to the later versions of IE will protect users (as will using a different browser like Firefox or Chrome). The problem is that XP users can’t upgrade IE beyond 8, and enterprise users may still be stuck on older versions of IE due to legacy application support. In combination this means that pressure is now mounting on Microsoft to make an out-of-band release for IE to fix the vulnerability.

In Brief: Microsoft publishes official Fix It for IE 8 vulnerability

(LiveHacking.Com) – Microsoft has updated Security Advisory 2749920 to include new information about the official Fix It that the company said it would release. The Fix It, a temporary measure issued by Redmond until a full patch can be delivered, is a response to the zero-day vulnerability found in Internet Explorer 6, 7 and 8.

The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. If the vulnerability is triggered, the browser will now just crash. Applying the Fix It does not require a reboot.

“While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems,” said Dustin Childs from Microsoft’s Trustworthy Computing unit.

New Critical zero-day vulnerability found in IE 6,7 and 8

(LiveHacking.Com) – While investigating reports that the Council on Foreign Relations (CFR) website had been compromised, FireEye discovered that the site was hosting malware that exploited a previously unknown (zero-day) vulnerability in Internet Explorer 8. The attack seen by FireEye uses Adobe Flash to generate a heap spray attack against IE. According to Microsoft’s Security Advisory 2794220, the issue impacts Internet Explorer 6, 7, and 8, and a small number of targeted attacks are happening in the wild. A successful exploit, which is normally triggered by getting a victim using IE 8 to browse a malicious website, allows remote code execution. Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help defend against this vulnerability. However, neither IE 9 nor IE 10 is available for Windows XP users.

The vulnerability exists because of the way that Internet Explorer accesses a previously deleted chunk of memory. It can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. By building a specially crafted website designed to trigger the bug, an attacker can exploit the vulnerability whenever an Internet Explorer 6, 7 or 8 user is tricked into viewing the site.

Microsoft’s initial investigation has shown that at least four attacks exist in the wild, each exploiting the vulnerability using a different attack method. Along with the Flash-based heap spray, Microsoft has also seen some obfuscated JavaScript that can be used to trigger the vulnerability, an ASLR bypass using either the Java 6 MSVCR71.DLL or the Office 2007/2010 hxds.dll, and a DEP bypass via a chain of ROP gadgets.

What can you do?

Aside from upgrading to IE 9 or IE 10, and while IE 8 users are waiting for a patch, IE users can block the current targeted attacks by disabling the attack vectors:

    • Disabling Javascript will prevent the vulnerability from being triggered initially.
    • Disabling Flash will prevent the ActionScript-based heap spray from preparing memory such that the freed object contains exploit code.
    • Disabling the ms-help protocol handler AND ensuring that Java6 is not allowed to run will block the ASLR bypass and the associated ROP chain.

Of course, trying to use IE 8 with JavaScript disabled is probably next to impossible. So while Microsoft works on a comprehensive update to IE, there is a trick which Microsoft is releasing as a Fix It. The trick does not address the vulnerability itself but does prevent it from being exploited for code execution by making a two-byte change (replacing a je instruction with a jmp) to mshtml.

The change, known as a shim, may in some circumstances have the side effect that a form’s default button is not selected by default.

The shim is currently being packaged and code-signed as a one-click, deployable Microsoft Fix It tool. The 32-bit and 64-bit shims are attached to this blog post and also available at the following URLs:

Microsoft fixes five Critical vulnerabilities as promised

(LiveHacking.Com) – As expected, Microsoft has released seven bulletins, five to address Critical vulnerabilities and two for Important vulnerabilities. In total the bulletins address 12 vulnerabilities in a variety of products including Microsoft Windows, Internet Explorer (IE), Word and Windows Server.

According to Microsoft the two most important bulletins are MS12-077 – a cumulative security update for Internet Explorer – and MS12-079 – a patch to fix a vulnerability in Microsoft Word that could allow remote code execution.

The IE update resolves three privately reported vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The patch for Word resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Office software, or previews or opens a specially crafted RTF email message in Outlook while using Microsoft Word as the email viewer.

The other Critical bulletins are MS12-078, which fixes vulnerabilities in Windows kernel-mode drivers; MS12-080, which addresses vulnerabilities in Microsoft Exchange Server; and MS12-081, which resolves a vulnerability in the Windows file handling component. All three could allow remote code execution if exploited.

Adobe has also released an update to its Flash Player and as a result Microsoft has revised Security Advisory 2755801 to update the built-in version of Flash in Internet Explorer.

Microsoft to patch five critical security flaws in time for the holidays

(LiveHacking.Com) – Microsoft has published its advance notification for the security vulnerabilities it will fix in December’s Patch Tuesday. This month it will release seven security bulletins, five of which are rated as Critical and two as Important. In total these bulletins will address 11 vulnerabilities. The five Critical bulletins will fix security vulnerabilities in Microsoft Windows, Word, Windows Server and Internet Explorer, while the two Important-rated bulletins will resolve issues in Microsoft Windows.

Six of the seven bulletins address vulnerabilities that could allow an attacker to execute arbitrary code on the affected PC, while the other bulletin addresses a “Security Feature Bypass.” When Microsoft rates a vulnerability as Critical, it means a flaw which can be exploited to allow arbitrary code execution without any user interaction. Such vulnerabilities can allow self-propagating malware to spread; they are normally exploited without warnings or prompts and can be triggered by browsing to a web page or opening email.

Windows XP is affected by all but one of the Windows-related bulletins, as is Windows Server 2003. Windows Vista, Windows 7 and Windows Server 2008 are likewise affected by four of the five fixes for Windows. For each of the previously mentioned operating systems, bulletin seven (which is rated as Important) doesn’t apply. However, bulletin seven does affect Windows Server 2008 R2 and Windows Server 2012.

Windows 8, Microsoft’s latest operating system which was released in October, is affected by two of the Critical bulletins and just one of the Important ones.

Microsoft Office 2003, 2007 and 2010 are all affected by the Critical rated bulletin number three as is Microsoft SharePoint Server 2010 and Microsoft Office Web Apps 2010. Bulletin four deals with Critical issues in Microsoft Exchange Server 2007 and 2010.

“While it may be the most wonderful time of the year, we know it can also be the busiest time of the year,” wrote Dustin Childs from Microsoft. “We recommend that customers pause from searching for those hot new gadgets and review the ANS summary page for more information. Please prepare for bulletin testing and deployment as soon as possible to help ensure a smooth update process.”

Microsoft has scheduled the bulletin release for the second Tuesday of the month, at approximately 10 a.m. PST.

Microsoft to release out-of-band fix for Internet Explorer

(LiveHacking.Com) – Microsoft has announced that it will release an out-of-band update to Internet Explorer to fix the recently found zero-day vulnerability that affects IE 6, 7, 8 and 9. The flaw was discovered by Eric Romang, a security researcher, who was monitoring some servers suspected of serving malware. On one of the servers he found four files which upon analysis turned out to be a zero-day exploit for Internet Explorer.

Microsoft subsequently published Security Advisory 2757760, which confirms that the flaw exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Then it published the “Prevent Memory Corruption via ExecCommand in Internet Explorer” Fix it solution, designed to be an easy-to-use, one-click workaround for the vulnerability.

“A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Now, Microsoft has released details of an out-of-band update to Internet Explorer to fully address the issue as well as four other Critical-class remote code execution issues. Microsoft will release the cumulative update for IE today at 10 a.m. PDT. The update applies to IE 6, 7, 8 and 9 on all supported versions of Windows (XP, Vista, 7, Windows Server). It will be made available through Windows Update and it is recommended that you install it as soon as it is available. If you have automatic updates enabled you won’t need to take any action. Microsoft has previously reported that there are targeted attacks happening in the wild that attempt to exploit this vulnerability.

Microsoft to release “Fix it” as workaround for IE zero-day vulnerability

(LiveHacking.Com) – In the next few days Microsoft will release a “Fix it” as a workaround for the recently discovered IE zero-day vulnerability. Previously Microsoft had urged users to install the Enhanced Mitigation Experience Toolkit (EMET) to help prevent a malicious website from exploiting the vulnerability. However, many commentators have pointed out that EMET needs to be installed and configured manually, a task that could be beyond some users.

“The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer,” said Microsoft in a statement.

The German government is taking this vulnerability very seriously, so much so that its Federal Office for Information Security (BSI) has published an advisory telling Internet Explorer users to switch to alternative browsers until a patch is released for IE. Microsoft says that it has only seen a “few attempts to exploit the issue” and that it has impacted “an extremely limited number of people,” but it is still working to fix the issue.

Microsoft will release the “Fix it” for everyone to download and install within the next few days.

Microsoft releases security advisory about zero day vulnerability in IE

(LiveHacking.Com) – I wrote yesterday about a new zero-day vulnerability in Internet Explorer that was discovered by security researcher Eric Romang while he was monitoring some servers suspected of serving malware. He discovered four files which upon analysis turned out to be a zero-day vulnerability in Internet Explorer. As a response to these reports, Microsoft has published Security Advisory 2757760 which confirms that the flaw exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft also reports that there are targeted attacks, that attempt to exploit this vulnerability, happening in the wild.

The vulnerability leads to corrupt memory which can then allow an attacker to execute arbitrary code. It exists because of the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer need,” wrote Microsoft in a statement.

As this is a zero-day vulnerability there is currently no fix, but Microsoft is recommending that users deploy the Enhanced Mitigation Experience Toolkit (EMET) to help prevent a malicious website from successfully exploiting the vulnerability.

The advisory also details a full set of alternative workarounds to deploying EMET, which include:

  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
    This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
    This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
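The two zone workarounds above, together with the “disable Flash” step from the CFR-attack workaround list earlier on this page, as a PowerShell script. This is an added example, not code from the LiveHacking.Com article or from Microsoft’s advisory. It assumes the documented Internet Explorer zone registry layout (zone ids 1, 2 and 3; per-action values 1400 for Active Scripting and 1200 for running ActiveX controls; CurrentLevel 0x12000 for the High preset; the ZoneMap\Domains tree for Trusted Sites) and the standard Shockwave Flash ActiveX CLSID; the function names are my own.

```powershell
# Added example (not the article's or Microsoft's code). Applies the advisory's
# zone workarounds for the current user and, optionally, the ActiveX kill bit
# for the Flash control. Documented layout assumed:
#   zone 1 = Local intranet, zone 2 = Trusted sites, zone 3 = Internet
#   value "1400" = Active Scripting, "1200" = Run ActiveX controls and plug-ins
#     (0 = enable, 1 = prompt, 3 = disable)
#   CurrentLevel 0x12000 = the "High" preset
#   Compatibility Flags 0x400 under ActiveX Compatibility\<CLSID> = kill bit

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object

function Set-IEZoneWorkaround {
    param(
        [int[]]$ZoneIds = @(1, 3),                       # Local intranet and Internet
        [ValidateSet('Prompt', 'Disable')]
        [string]$ActiveScripting = 'Prompt'               # advisory offers either
    )
    $scriptingValue = if ($ActiveScripting -eq 'Disable') { 3 } else { 1 }
    foreach ($id in $ZoneIds) {
        $key = Join-Path $ZonesKey $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # CurrentLevel only records the slider position; the per-action values
        # below are what IE enforces, so set both.
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value 0x12000 -Type DWord
        Set-ItemProperty -Path $key -Name '1400' -Value $scriptingValue -Type DWord
        Set-ItemProperty -Path $key -Name '1200' -Value 3 -Type DWord   # block ActiveX
    }
}

function Add-IETrustedSite {
    param([Parameter(Mandatory)][string]$Domain, [string]$Scheme = 'https')
    # Maps <scheme>://<domain> to zone 2 (Trusted sites) so business sites
    # keep working after the Internet zone has been locked down.
    $key = Join-Path $ZoneMapKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

function Set-FlashKillBit {
    # Needs an elevated shell (HKLM). With the kill bit set IE refuses to
    # instantiate the control, which removes the Flash-based heap spray vector.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

function Get-IEWorkaroundStatus {
    # Reads the values back so the change can be verified on one machine or
    # collected across a fleet.
    $status = @{}
    foreach ($id in 1, 3) {
        $props = Get-ItemProperty -Path (Join-Path $ZonesKey $id) -ErrorAction SilentlyContinue
        $status["Zone$id"] = [pscustomobject]@{
            CurrentLevel    = if ($props) { '0x{0:X}' -f $props.CurrentLevel } else { $null }
            ActiveScripting = if ($props) { $props.'1400' } else { $null }
            RunActiveX      = if ($props) { $props.'1200' } else { $null }
        }
    }
    $flash = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid" -ErrorAction SilentlyContinue
    $status['FlashKillBit'] = [bool]($flash -and ($flash.'Compatibility Flags' -band 0x400))
    return $status
}

# Usage (constructed domain; replace with your own trusted sites):
# Set-IEZoneWorkaround -ActiveScripting Prompt
# Add-IETrustedSite -Domain 'intranet.example.com'
# Set-FlashKillBit          # run elevated
# Get-IEWorkaroundStatus
```

Two caveats a practitioner would want: values set under HKLM\...\Policies by Group Policy override these HKCU settings, so on a domain-joined machine push the same changes through GPO instead; and on 64-bit Windows the 32-bit IE process reads the ActiveX Compatibility key under the Wow6432Node branch, so the kill bit has to be written there as well.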

New zero-day vulnerability discovered for Internet Explorer

(LiveHacking.Com) – Security researcher Eric Romang was monitoring some infected servers, allegedly being used by the Nitro gang for targeted attacks using the recent Java 7 zero-day vulnerabilities, when he found four files on the server which have turned out to be an unknown exploit for IE 7, IE 8 and IE 9. The four files (an executable, a Flash Player movie and two HTML files called exploit.html and protect.html) are used in conjunction to download a malicious executable on to the victim’s computer.

The attackers can upload any executable of their choosing and use the victim’s machine as part of a botnet or install a banking information stealing trojan. According to a tweet by Malc0de the currently used payload could be Poison Ivy (http://bit.ly/PkRPIP).

Eric discussed his findings with a number of security researchers, including @binjo and @_sinn3r. He also got further help from those who frequent the Metasploit IRC channel. The conclusion is that the files represent a vulnerability in all versions of Internet Explorer from IE 7 onwards that is not dependent on any known Adobe Flash vulnerabilities.

It appears as if his actions haven’t gone unnoticed:

The guys who developed this new 0day were not happy to have been caught, they have removed all the files from the source server just 2 days after my discovery. But more interestingly, they also removed a Java 0-day variant from other folders.

It is thought that a Metasploit exploit module will be released sometime today and progress on the module is going well.