November 29, 2014

Microsoft, Adobe and Google release security patches for Critical vulnerabilities

Microsoft, Adobe and Google have released patches for their products to fix Critical security vulnerabilities. Microsoft released eight security bulletins – two rated Critical and six rated Important – to address 13 different vulnerabilities in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. Adobe released security updates to address multiple vulnerabilities in Reader, Acrobat, Flash Player, and Illustrator. For both companies, some of the vulnerabilities could allow hackers to run arbitrary code and take control of the affected system. Google also updated its Chrome web browser with the new version of Adobe Flash, but it also took the opportunity to patch some vulnerabilities in the internals of its browser.

Microsoft

Listed among Microsoft’s updates is a patch for IE which fixes the zero-day vulnerability that attackers were using against the browser at the end of April. Microsoft released this particular patch on May 1, 2014, and the patch also applied to Windows XP. However, the same can’t be said of the rest of Microsoft’s updates. XP is now officially dead, from a support point of view anyway.

May’s patches also include another update for IE, this time to fix two privately reported vulnerabilities in the browser. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. IE 6 to IE 11 are all affected.

Microsoft are also recommending that system administrators ensure that their systems are updated with MS14-024 and MS14-025. The former fixes a vulnerability in the MSCOMCTL common controls library that could allow a security feature bypass if a user views a specially crafted webpage with a web browser capable of instantiating COM components, such as Internet Explorer. The latter patches a vulnerability in Windows that could allow elevation of privilege if the Active Directory Group Policy preferences are used to distribute passwords across the domain. The update removes the ability to configure and distribute passwords that use certain Group Policy preference extensions because such actions could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.
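
An audit for preference files that still carry a stored password, as an added example that is not part of the original article or of Microsoft's update. It assumes the publicly documented layout of Group Policy preference XML, where the stored password sits in a cpassword attribute; the account attribute names, the sample file and the helper names are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Attribute names that may hold the account, depending on the extension (assumed set).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")


def find_stored_passwords(xml_bytes: bytes, source: str) -> list:
    """Report every preference item whose child element has a non-empty cpassword.

    The stored value itself is deliberately never returned or logged.
    """
    findings = []
    root = ET.fromstring(xml_bytes)
    for item in root.iter():
        for props in item:
            if props.attrib.get("cpassword"):
                account = next((props.attrib[a] for a in ACCOUNT_ATTRS
                                if props.attrib.get(a)), "")
                findings.append({"file": source,
                                 "item": item.attrib.get("name", item.tag),
                                 "account": account,
                                 "changed": item.attrib.get("changed", "")})
    return findings


def scan_tree(root_dir: str) -> list:
    """Walk a copy of the policy share and check every .xml file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings += find_stored_passwords(fh.read(), path)
            except (ET.ParseError, OSError):
                continue  # unreadable or malformed file: skip it
    return findings


# Constructed sample, not taken from a real domain.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-01-15 09:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="Guest" changed="2014-01-15 09:05:00">
    <Properties action="U" userName="Guest" cpassword=""/>
  </User>
</Groups>"""

if __name__ == "__main__":
    print(find_stored_passwords(SAMPLE_GROUPS_XML, "Groups.xml"))
```

Any item reported needs its preference setting removed and the account's password changed, since the value has been readable for as long as the file existed.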

Adobe

Adobe’s updates cover three main product groups: Adobe Reader and Acrobat, Adobe Flash Player, and Adobe Illustrator (CS6). The affected versions are as follows:

  • Adobe Reader XI 11.0.07 for Windows and Macintosh
  • Adobe Reader X 10.1.10 for Windows and Macintosh
  • Adobe Acrobat XI (11.0.07) for Windows and Macintosh
  • Adobe Acrobat X (10.1.10) for Windows and Macintosh
  • Adobe Flash Player 13.0.0.214 for Windows, Macintosh, and Linux
  • Adobe Flash Player 11.2.202.359 for Linux
  • Adobe AIR SDK and Compiler 13.0.0.111 for Windows and Macintosh
  • Adobe Illustrator (subscription) 16.2.2 for Windows and Macintosh
  • Adobe Illustrator (non-subscription) 16.0.5 for Windows and Macintosh

The patch for Adobe Illustrator (CS6) for Windows and Macintosh fixes a “vulnerability that could be exploited to gain remote code execution on the affected system”, while the updates for Adobe Flash Player “address vulnerabilities that could potentially allow an attacker to take control of the affected system.” All the updates are rated as Critical, including the third set, which patches Adobe Reader and Acrobat XI to “address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

Google

With the release of a new version of Adobe Flash, Google released Chrome 34.0.1847.137 for Windows, Mac and Linux to include Flash Player 13.0.0.214. However, the search giant also took the opportunity to fix three security problems. The non-Google researchers who contributed to finding the vulnerabilities were rewarded $4500 between them for their efforts:

  • [$2000][358038] High CVE-2014-1740: Use-after-free in WebSockets. Credit to Collin Payne.
  • [$1500][349898] High CVE-2014-1741: Integer overflow in DOM ranges. Credit to John Butler.
  • [$1000][356690] High CVE-2014-1742: Use-after-free in editing. Credit to cloudfuzzer.

Microsoft releases 11 bulletins including a patch for Vista zero-day exploit, but XP still under attack

Microsoft has released 11 security bulletins to address 24 vulnerabilities in Windows, Internet Explorer, Office and Exchange. Among them is the fix for the TIFF file vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync. However a fix for the zero-day vulnerability in Windows XP, which is being actively exploited in the wild via a malicious PDF file, is missing.

MS13-096 fixes the publicly disclosed vulnerability that can allow remote code execution if a user views content that contains specially crafted TIFF files. According to Microsoft an attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the user who viewed the TIFF file.

The vulnerability is currently being exploited in the wild and targeting PC users mainly in the Middle East and South Asia. The attack uses an email with a specially crafted Word attachment. However, the security bulletin points out that this isn’t the only possible attack vector. The vulnerability can be exploited in a web-based attack scenario, where an attacker creates a website that is designed to exploit this vulnerability and then convinces a user to view the website, or via email.

Another Critical rated fix is MS13-097, a cumulative update for Internet Explorer. The patch resolves seven privately reported vulnerabilities in IE; the most severe of these could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6 through to Internet Explorer 11.

MS13-099 resolves a vulnerability in Microsoft Scripting Runtime Object Library that could allow remote code execution if a user visits a specially crafted website. The update is rated as Critical for Windows Script 5.6, Windows Script 5.7, and Windows Script 5.8 where affected on all supported releases of Microsoft Windows.

Security Bulletin MS13-106 fixes a publicly disclosed vulnerability in a Microsoft Office shared component that is currently being exploited in the wild. The problem exists because hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with IE. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.
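
A check for modules that have not opted in to ASLR, as an added example that is not part of the original article or of Microsoft's bulletin. It reads the DllCharacteristics field defined in the PE/COFF specification; the sample images and their names are constructed header-only stand-ins, not real DLLs.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040  # image opted in to ASLR (linker /DYNAMICBASE)
NX_COMPAT = 0x0100     # image opted in to DEP


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    opt = pe_off + 4 + 20                             # signature + COFF header
    if opt + 72 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # The field sits at offset 70 of the optional header in both layouts.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return flags


def mitigation_report(data: bytes) -> dict:
    flags = dll_characteristics(data)
    return {"aslr": bool(flags & DYNAMIC_BASE),
            "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
            "dep": bool(flags & NX_COMPAT)}


def modules_without_aslr(images: dict) -> list:
    """Names of images (name -> raw bytes) that lack the ASLR opt-in bit."""
    return sorted(n for n, d in images.items() if not mitigation_report(d)["aslr"])


def constructed_pe(dll_flags: int, pe32_plus: bool = False) -> bytes:
    """Constructed, header-only sample (not a loadable DLL) for the parser."""
    size = 0xF0 if pe32_plus else 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32_plus else 0x14C,
                       0, 0, 0, 0, size, 0x2002)
    opt = bytearray(size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {"modern_component.dll": constructed_pe(0x0140),
               "legacy_component.dll": constructed_pe(0x0100)}
    print(modules_without_aslr(samples))
```

Run over the modules a browser or Office process can load, the list shows which images sit at a predictable address and therefore weaken ASLR for the whole process.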

The other Critical bulletins are:

  • MS13-098 – Resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
  • MS13-105 – Resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server.

The Important bulletins from Microsoft are:

  • MS13-100 – Resolves multiple privately reported vulnerabilities in Microsoft Office server software. These vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server.
  • MS13-101 – Resolves five privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
  • MS13-102 – Addresses a privately reported vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker spoofs an LRPC server and sends a specially crafted LPC port message to any LRPC client.
  • MS13-103 – Fixes a privately reported vulnerability in ASP.NET SignalR. The vulnerability could allow elevation of privilege if an attacker reflects specially crafted JavaScript back to the browser of a targeted user.
  • MS13-104 – Resolves a privately reported vulnerability in Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website.

Microsoft releases warning as hackers attack vulnerability in Vista and Office

Microsoft has released Security Advisory 2896666 about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

The attack uses an email with a specially crafted Word attachment. If the user opens the attachment it will try to exploit the vulnerability via a malformed image embedded in the document. If successful the attackers gain the same user rights as the logged on user.

According to Microsoft the remote code execution vulnerability exists because of bugs in the code which handles badly formed TIFF images. Only Windows Vista is affected and the current versions of Microsoft Office are not vulnerable.

The current attacks use the Word document attached to the email as a container for the specially crafted TIFF file. However, Microsoft says that hackers could also exploit the issue via a web-based attack. “An attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website,” it said.

While Microsoft is working to fix the error and release a security update it recommends the following actions:

  • Apply the Microsoft Fix it solution, “Disable the TIFF Codec” that prevents exploitation of the issue. See Microsoft Knowledge Base Article 2896666 to use the automated Microsoft Fix it solution to enable this workaround.
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET). This will help prevent exploitation by providing mitigations to protect against the issue and should not affect usability of any programs. An easy guide for EMET installation and configuration is available in KB2458544.

Microsoft updates its XML Core Services as part of Critical patch release

(LiveHacking.Com) – Microsoft has released seven bulletins, two ranked Critical and five ranked Important, to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools and Windows Server. Among the Critical patches is an update (MS13-002) to Microsoft’s XML Core Services that resolves two flaws that could allow remote code execution when a user opened a specially crafted website designed to exploit the vulnerability. The issue was privately disclosed and Microsoft is not aware of any attacks in the wild.

The other Critical-class bulletin (MS13-001) addresses a vulnerability in Microsoft Windows which could allow remote code execution if a print server received a specially crafted print job. The standard default Windows firewall configuration means that this can’t normally be exploited from an external source. The bug only affects Windows 7 and Windows Server 2008 R2.

The first Important-class patch addresses vulnerabilities in System Center Operations Manager. The vulnerabilities could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. Microsoft also fixed two other “elevation of privilege” vulnerabilities, the first in its .NET framework and the other in the Windows Kernel-Mode Driver. To exploit the kernel vulnerability a user would need to run an executable specifically designed to exploit the bug.

Microsoft also fixed a vulnerability in the way that Windows handles the SSL version 3 (SSLv3) and TLS protocols. The vulnerability could allow security feature bypass if an attacker injects specially crafted content into an SSL/TLS session. The flaw exists in all versions of Windows after XP: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.

The final patch fixes a problem in the Open Data Protocol. The vulnerability could allow denial of service if an unauthenticated attacker sends specially crafted HTTP requests to an affected site.

Microsoft fix two remote code execution issues in Microsoft Office

(LiveHacking.Com) – Microsoft has released its software patches for October. Seven bulletins have been published that address 20 issues in Microsoft Windows, SQL Server, and Office including SharePoint, Lync, Microsoft Works and InfoPath.

The most important bulletin (and the only Critical level bulletin this month) is for Microsoft Office. MS12-064 resolves two problems in Microsoft Office that can result in remote code execution. If exploited an attacker could run arbitrary code on the PC. To exploit the bug the attacker would need to get the user to open a specially crafted Rich Text Format (RTF) file or preview/open a specially crafted RTF email message.

Microsoft also released a fix (MS12-067) for the vulnerabilities in the FAST Search Server which are caused by Oracle’s Outside In libraries. The vulnerabilities could allow remote code execution. FAST Search Server for SharePoint is only affected by this issue when Advanced Filter Pack is enabled. By default, Advanced Filter Pack is disabled. The libraries are also used in Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010. The Outside In libraries were updated by Oracle in July and Microsoft addressed the issue in Exchange during August’s Patch Tuesday.

The other fixes are:

  • MS12-065 – This security update resolves a privately reported vulnerability in Microsoft Works that could allow remote code execution if a user opens a specially crafted Microsoft Word file using Microsoft Works.
  • MS12-066 – Fixes a publicly disclosed vulnerability in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software, and Microsoft Office Web Apps. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user.
  • MS12-068 – Corrects a vulnerability in all supported releases of Microsoft Windows before Windows 8 and Windows Server 2012 which could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
  • MS12-069 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote attacker sends a specially crafted session request to the Kerberos server.
  • MS12-070 – This security update resolves a privately reported vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). The vulnerability is a cross-site-scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the SSRS site in the context of the targeted user.

As previously announced, this month’s updates contain a patch to Windows that restricts the use of certificates with RSA keys < 1024 bits. Microsoft have implemented this at the API level, which means that any service or application that calls the CertGetCertificateChain function for a certificate with an RSA key < 1024 bits will be informed that the certificate can’t be trusted. This impacts a wide variety of applications and services including encrypted email, SSL/TLS encryption channels, signed applications, and private PKI environments.

Finally, Microsoft has reminded customers that Microsoft Works reaches the end of its support lifecycle this week.

Vulnerabilities: Microsoft Office TIFF Image Converter

Secunia Research has discovered two vulnerabilities in Microsoft Office, which can be exploited by malicious people to compromise a user’s system.

An input validation error in the TIFF Import/Export Graphic Filter when copying certain data can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF image.

Another input validation error in the TIFF Import/Export Graphic Filter when copying certain data after having encountered a specific error can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF image.

According to Secunia research, the successful exploitation of the vulnerabilities may allow execution of arbitrary code when processing a TIFF image in an application using the graphics filter (e.g. opening the image in Microsoft Photo Editor or importing it into an Office document).

Microsoft Office XP SP3, Microsoft Office Converter Pack and Microsoft Works 9 are affected software but other versions may also be affected.

These two vulnerabilities are rated critical and Microsoft has released a security patch (MS10-105) to fix the issues.

Source: http://secunia.com/secunia_research/2009-30/