September 27, 2016

Microsoft releases 11 bulletins including a patch for Vista zero-day exploit, but XP still under attack

Microsoft has released 11 security bulletins to address 24 vulnerabilities in Windows, Internet Explorer, Office and Exchange. Among them is the fix for the TIFF file vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync. However, a fix for the zero-day vulnerability in Windows XP, which is being actively exploited in the wild via a malicious PDF file, is missing.

MS13-096 fixes the publicly disclosed vulnerability that can allow remote code execution if a user views content that contains specially crafted TIFF files. According to Microsoft, an attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the user who viewed the TIFF file.

The vulnerability is currently being exploited in the wild, with attacks targeting PC users mainly in the Middle East and South Asia. The attack uses an email with a specially crafted Word attachment. However, the security bulletin points out that this isn’t the only possible attack vector. The vulnerability can be exploited in a web-based attack scenario, where an attacker creates a website that is designed to exploit this vulnerability and then convinces a user to view the website, or via email.

Another Critical-rated fix is MS13-097, a cumulative update for Internet Explorer. The patch resolves seven privately reported vulnerabilities in IE; the most severe of them could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6 through to Internet Explorer 11.

MS13-099 resolves a vulnerability in Microsoft Scripting Runtime Object Library that could allow remote code execution if a user visits a specially crafted website. The update is rated as Critical for Windows Script 5.6, Windows Script 5.7, and Windows Script 5.8 where affected on all supported releases of Microsoft Windows.

Security Bulletin MS13-106 fixes a publicly disclosed vulnerability in a Microsoft Office shared component that is currently being exploited in the wild. The problem exists because hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with IE. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.
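A DLL opts in to ASLR through the DYNAMIC_BASE bit in the DllCharacteristics field of its PE optional header, so defenders can audit modules for the kind of gap MS13-106 closes by reading that field. The following is an added example, not code from Microsoft or from this article; the function names are hypothetical and the sample images are constructed header-only byte strings, not real DLLs.

```python
import struct

# DllCharacteristics / Characteristics bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED: image cannot be rebased

def aslr_status(pe: bytes) -> dict:
    """Report whether a PE image opts in to ASLR, from its headers alone."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 24                       # signature (4) + COFF header (20)
    if opt + 72 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    opt_size, file_chars = struct.unpack_from("<HH", pe, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocatable = not (file_chars & RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocatable": relocatable,
        "aslr": dynamic_base and relocatable,
    }

def build_sample(dll_chars: int, file_chars: int = 0x2102) -> bytes:
    """Constructed header-only PE32 DLL image for the demo (not a real DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points just past DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, file_chars)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", optional, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    for label, image in [("no ASLR opt-in", build_sample(0x0100)),
                         ("ASLR opt-in", build_sample(0x0140))]:
        print(label, aslr_status(image))
```

To audit a real module, pass the bytes of the file read from disk to `aslr_status`; any image reporting `aslr: False` loads at a predictable address unless another mitigation forces relocation.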

The other Critical bulletins are:

  • MS13-098 – Resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
  • MS13-105 – Resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server.

The Important bulletins from Microsoft are:

  • MS13-100 – Resolves multiple privately reported vulnerabilities in Microsoft Office server software. These vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server.
  • MS13-101 – Resolves five privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
  • MS13-102 – Addresses a privately reported vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker spoofs an LRPC server and sends a specially crafted LPC port message to any LRPC client.
  • MS13-103 – Fixes a privately reported vulnerability in ASP.NET SignalR. The vulnerability could allow elevation of privilege if an attacker reflects specially crafted JavaScript back to the browser of a targeted user.
  • MS13-104 – Resolves a privately reported vulnerability in Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website.

Third time’s a charm for Microsoft’s recent security patches

(LiveHacking.Com) – Just under two weeks ago Microsoft released its regular set of patches for Windows and other Microsoft products to fix the current security vulnerabilities. Some of these patches were deemed Critical because the vulnerabilities could allow a hacker to execute arbitrary code on an affected PC and gain remote access to the machine.

Among the original updates was MS13-066, a patch rated as Important which fixed a vulnerability in Active Directory Federation Services. The original vulnerability could allow information disclosure. Unfortunately, after its release, Microsoft discovered that the patch could cause AD FS to stop working. As a result Microsoft removed the update. Then last week Microsoft re-released the bulletin with a fix for the fix. It turns out that systems without the RU3 rollup QFE installed experienced the problems. The new patch should work with or without RU3.

That was strike one.

August’s Patch Tuesday also contained MS13-061, a Critical patch to fix vulnerabilities in Microsoft’s Exchange Server. If exploited, these vulnerabilities could allow remote code execution. As with MS13-066, Microsoft discovered some problems after the release of the patch: after the update, Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2 would stop indexing mail. Today Microsoft released MS13-061 to fix the bug that stopped the indexing of messages.

That was strike two.

The next (and last?) patch that caused trouble for Microsoft was MS13-057, a Critical patch from July which addressed a vulnerability in the Windows Media Format Runtime. The vulnerability could allow remote code execution if a user opens a specially crafted media file. Just before August’s Patch Tuesday Microsoft re-released it to address an application compatibility issue in which WMV encoded video could fail to properly render during playback. Originally this only affected Windows 7 and Windows Server 2008 R2. Today Microsoft released the patch (third time’s a charm – we hope) for Windows XP, Windows Server 2003 and Windows Vista to address the same WMV playback error.

And that was strike three? Any more swings at the ball Microsoft???