May 19, 2013

Adobe fixes Flash Player and Microsoft patches IE 10 to update its built-in version

(LiveHacking.Com) – Adobe has released security updates for Adobe Flash Player for Windows, OS X, Linux and Android. These updates address a vulnerability that could cause a crash and potentially allow an attacker to execute arbitrary code on the affected system.

These updates fix a buffer overflow vulnerability in Flash that could lead to code execution.

Affected Versions

  • Adobe Flash Player 11.5.502.135 and earlier versions for Windows
  • Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.258 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.880 and earlier versions for Windows
  • Adobe AIR 3.5.0.890 and earlier versions for Macintosh
  • Adobe AIR 3.5.0.880 for Android
  • Adobe AIR 3.5.0.880 SDK and Adobe AIR 3.5.0.890 SDK

IE10

Microsoft has also revised Security Advisory 2755801 to include the latest Adobe updates. IE10 comes with a built-in version of Flash (like Chrome). The IE10 update is available as a cumulative update, which means customers do not need to install previous updates as a prerequisite for installing the current update.

“We remain committed to working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” wrote Dustin Childs from Microsoft’s Trustworthy Computing unit.

Microsoft updates its XML Core Services as part of Critical patch release

(LiveHacking.Com) – Microsoft has released seven bulletins, two ranked Critical and five ranked Important, to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools and Windows Server. Among the Critical patches is an update (MS13-002) to Microsoft’s XML Core Services that resolves two flaws that could allow remote code execution when a user opens a specially crafted website designed to exploit the vulnerability. The issue was privately disclosed and Microsoft is not aware of any attacks in the wild.

The other Critical-class bulletin (MS13-001) addresses a vulnerability in Microsoft Windows which could allow remote code execution if a print server received a specially crafted print job. The standard default Windows firewall configuration means that this can’t normally be exploited from an external source. The bug only affects Windows 7 and Windows Server 2008 R2.

The first Important-class patch addresses vulnerabilities in System Center Operations Manager. The vulnerabilities could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. Microsoft also fixed two other “elevation of privilege” vulnerabilities, the first in its .NET Framework and the other in the Windows Kernel-Mode Driver. To exploit the kernel vulnerability a user would need to run an executable specifically designed to exploit the bug.

Microsoft also fixed a vulnerability in the way that Windows handles the SSL version 3 (SSLv3) and TLS protocols. The vulnerability could allow security feature bypass if an attacker injects specially crafted content into an SSL/TLS session. The flaw exists in all versions of Windows after XP: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.

The final patch fixes a problem in the Open Data Protocol. The vulnerability could allow denial of service if an unauthenticated attacker sends specially crafted HTTP requests to an affected site.

Someone has bypassed Microsoft’s Fix It for the IE 8 zero-day vulnerability already

(LiveHacking.Com) – Security information company Exodus Intelligence has published a blog post claiming to have bypassed Microsoft’s Fix It for the current zero-day vulnerability in Internet Explorer 8. The official Fix It was released by Microsoft as a temporary workaround to the zero-day vulnerability found in Internet Explorer 6, 7 and 8. The bug in IE can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. To exploit it, users are tricked into visiting a specially crafted website which uses either Flash or JavaScript to generate a heap spray attack against IE. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution.

According to Exodus Intelligence it is now possible to bypass the shim and compromise a fully-patched system. Due to the nature of its business, Exodus Intelligence has passed on the details about the bypass to its customers. Thankfully it has also notified Microsoft. The company promises to fully disclose the details of the bypass once Microsoft has fully addressed the issue.

“After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” said Exodus Intelligence on its blog.

Microsoft will release seven security bulletins today to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework. However a fix for the Internet Explorer vulnerability will not be among the patches.

Internet Explorer 9 and 10 are immune to the attack, and upgrading to the later versions of IE will protect users (as will using a different browser like Firefox or Chrome). The problem is that XP users can’t upgrade IE beyond 8, and enterprise users may still be stuck on older versions of IE due to legacy application support. In combination this means that pressure is now mounting on Microsoft to make an out-of-band release for IE to fix the vulnerability.

In Brief: Microsoft, Google and Mozilla all block digital certificate issued by intermediate certificate authority of TURKTRUST

(LiveHacking.Com) – Microsoft, Google and Mozilla have all removed trust from certificates issued by an intermediate certificate authority (CA) linking back to TURKTRUST Inc. What has happened is that TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org), the first of which was used to issue a fraudulent digital certificate for *.google.com.

Intermediate CA certificates carry the same authority as the root CA, so anyone who holds one can use it to create a certificate for any website. A fraudulent certificate can be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
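To make the point concrete, here is an added example (not from the article, and not Google’s or Mozilla’s actual code) that models in Python what the browser vendors did: a toy chain validator in which a mis-issued intermediate passes every structural check, so the only effective defence is to distrust that intermediate explicitly by fingerprint. The certificate objects, the simplified wildcard matching and the fake fingerprint (a SHA-256 over a string rather than over real DER) are all constructed for illustration; the names are the ones the article mentions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
import hashlib


@dataclass(frozen=True)
class Cert:
    """Toy certificate: just the fields the trust decision depends on."""
    subject: str   # name (or wildcard pattern) the certificate is issued for
    issuer: str    # subject of the certificate that signed it
    is_ca: bool    # basicConstraints CA flag

    def fingerprint(self) -> str:
        # Constructed stand-in for the SHA-256 of the DER encoding.
        return hashlib.sha256(f"{self.subject}|{self.issuer}|{self.is_ca}".encode()).hexdigest()


# Constructed toy PKI modelled on the incident described in the article.
ROOT = Cert("TURKTRUST Root", "TURKTRUST Root", is_ca=True)
# Should have been a plain SSL certificate, but was issued with the CA flag set.
EGO_INTERMEDIATE = Cert("*.EGO.GOV.TR", "TURKTRUST Root", is_ca=True)
# The fraudulent leaf, signed with the mis-issued intermediate.
FRAUD_GOOGLE = Cert("*.google.com", "*.EGO.GOV.TR", is_ca=False)
# An ordinary leaf issued directly by the root (constructed name).
LEGIT_SITE = Cert("www.example.com.tr", "TURKTRUST Root", is_ca=False)

TRUST_STORE = {ROOT.subject: ROOT}
KNOWN_CERTS = {c.subject: c for c in (ROOT, EGO_INTERMEDIATE, FRAUD_GOOGLE, LEGIT_SITE)}


def build_chain(leaf: Cert, store=KNOWN_CERTS):
    """Walk issuer links from the leaf to a self-issued certificate.

    Returns the chain (leaf first) or None if an issuer is unknown.
    """
    chain = [leaf]
    seen = {leaf.subject}
    while chain[-1].issuer != chain[-1].subject:
        issuer = store.get(chain[-1].issuer)
        if issuer is None or issuer.subject in seen:
            return None
        chain.append(issuer)
        seen.add(issuer.subject)
    return chain


def validate(hostname: str, leaf: Cert, distrusted=frozenset()):
    """Return (ok, reason). `distrusted` is a set of fingerprints to reject.

    fnmatchcase is a deliberate simplification: real wildcard matching only
    covers a single DNS label, whereas '*' here also matches dots.
    """
    if not fnmatchcase(hostname, leaf.subject):
        return False, "hostname does not match certificate subject"
    chain = build_chain(leaf)
    if chain is None:
        return False, "unable to build chain to a self-issued certificate"
    if chain[-1].subject not in TRUST_STORE:
        return False, "chain does not end at a trusted root"
    # Every certificate above the leaf must be allowed to act as a CA.
    for cert in chain[1:]:
        if not cert.is_ca:
            return False, f"{cert.subject} is not a CA"
    # The vendor fix: reject any chain that passes through a distrusted cert.
    for cert in chain:
        if cert.fingerprint() in distrusted:
            return False, f"chain contains distrusted certificate {cert.subject}"
    return True, "ok"


def demo():
    """Before the distrust entry the fraudulent chain is accepted; after it, rejected."""
    before = validate("www.google.com", FRAUD_GOOGLE)
    blocklist = frozenset({EGO_INTERMEDIATE.fingerprint()})
    after = validate("www.google.com", FRAUD_GOOGLE, distrusted=blocklist)
    unaffected = validate("www.example.com.tr", LEGIT_SITE, distrusted=blocklist)
    return before, after, unaffected


if __name__ == "__main__":
    for label, result in zip(("before", "after", "unaffected"), demo()):
        print(f"{label}: {result}")
```

The structural checks all pass for the fraudulent chain because the intermediate really is marked as a CA and really does chain to a trusted root; that is exactly why the browser vendors had to ship an explicit blocklist entry rather than rely on ordinary validation.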

“TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” wrote Google.

Google is also considering an update to Chrome which will no longer indicate Extended Validation status for certificates issued by TURKTRUST. Mozilla has suspended the TURKTRUST root certificate. TURKTRUST subsequently asked Mozilla to include a newer root certificate and their request was initially approved. However, due to the mis-issued intermediate CA certificates, Mozilla has decided to suspend inclusion of the new root certificate for now.

Two Critical-level bulletins to be released by Microsoft on Tuesday, IE 8 patch not included

(LiveHacking.Com) – Microsoft is preparing to release seven security bulletins next week, two Critical and five Important. In total they address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework.

There is no news on when Microsoft plans to patch the zero-day vulnerability and exploit in Internet Explorer that was discovered during the holidays. Until it is fixed, Microsoft has issued a Fix It. The vulnerability was discovered when FireEye was investigating reports that the Council on Foreign Relations (CFR) website had been compromised. According to Microsoft’s Security Advisory 2794220, the issue impacts Internet Explorer 6, 7, and 8, and there are a small number of targeted attacks happening in the wild.

The first Critical bulletin affects all supported versions of Windows (including Windows 8), Office 2003 & 2007 and some server software. The second is for Windows 7 and Windows Server 2008 R2 only. Both Critical bulletins address vulnerabilities that would enable an attacker to remotely execute code on a vulnerable Windows machine.

Windows 8 RT, the version of Windows that runs on the ARM processor used, among others, on Microsoft’s Surface tablet, is also affected by the first Critical bulletin and at least three of the Important-level ones.

The Important-level bulletins address vulnerabilities that could allow privilege escalations, vulnerabilities that could allow security features to be bypassed or vulnerabilities which could allow attackers to start a denial of service attack.

Microsoft plans to release the bulletins on the second Tuesday of the month, at approximately 10 a.m. PST.

In Brief: Microsoft publishes official Fix It for IE 8 vulnerability

(LiveHacking.Com) – Microsoft has updated Security Advisory 2749920 to include new information about the official Fix It that the company said it would release. The Fix It, which is a temporary measure issued by Redmond until a full patch can be delivered, is a response to the zero-day vulnerability found in Internet Explorer 6, 7 and 8.

The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. If the bug is triggered, the browser will now just crash. Applying the Fix It does not require a reboot.

“While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems,” said Dustin Childs from Microsoft’s Trustworthy Computing unit.


New Critical zero-day vulnerability found in IE 6,7 and 8

(LiveHacking.Com) – While investigating reports that the Council on Foreign Relations (CFR) website had been compromised, FireEye discovered that the site was hosting malware that exploited a previously unknown (zero-day) vulnerability in Internet Explorer 8. The attack seen by FireEye uses Adobe Flash to generate a heap spray attack against IE. According to Microsoft’s Security Advisory 2794220, the issue impacts Internet Explorer 6, 7, and 8, and there are a small number of targeted attacks happening in the wild. A successful exploit, which is normally triggered by getting a victim using IE 8 to browse a malicious website, allows remote code execution. Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help defend against this vulnerability. However, neither IE 9 nor IE 10 is available for Windows XP users.

The vulnerability exists because of the way that Internet Explorer accesses a previously deleted chunk of memory (a use-after-free). The vulnerability can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. By making a specially crafted website designed to trigger the bug, the vulnerability can be exploited when an Internet Explorer 6, 7 or 8 user is convinced or tricked into viewing the site.

Microsoft’s initial investigation has shown that at least four attacks exist in the wild, each exploiting the vulnerability using a different attack method. Along with the Flash-based heap spray, Microsoft has also seen some obfuscated JavaScript that can be used to trigger the vulnerability, an ASLR bypass using either Java 6’s MSVCR71.DLL or Office 2007/2010’s hxds.dll, and a DEP bypass via a chain of ROP gadgets.

What can you do?

Aside from upgrading to IE 9 or IE 10, and while IE 8 users are waiting for a patch, IE users can block the current targeted attacks by disabling the attack vectors:

    • Disabling JavaScript will prevent the vulnerability from being triggered initially.
    • Disabling Flash will prevent the ActionScript-based heap spray from preparing memory such that the freed object contains exploit code.
    • Disabling the ms-help protocol handler AND ensuring that Java 6 is not allowed to run will block the ASLR bypass and the associated ROP chain.

Of course, trying to use IE 8 with JavaScript disabled is probably next to impossible. So while Microsoft is working on a comprehensive update to IE, there is a trick which Microsoft is releasing as a Fix It. The trick does not address the vulnerability itself but does prevent it from being exploited for code execution by making a two-byte change (replacing a je instruction with a jmp) to mshtml.

Known as a shim, the change may have the side effect in some circumstances of the default form button not being selected by default.

The shim is currently being packaged and code-signed as a one-click, deployable Microsoft Fix It tool. The 32-bit and 64-bit shims are attached to this blog post and also available at the following URLs:


In Brief: Microsoft re-releases one of its Patch Tuesday bulletins to fix font problem

Microsoft has re-released update MS12-078 to fix a problem with disappearing fonts. Reports started to appear when users installed the patch that Microsoft released on December 11th. The patch was designed to fix a font rendering vulnerability. In the worst-case scenario, exploitation of the bug could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType or OpenType font files.

However, it seems that the fix prevented PostScript Type 1 and OpenType fonts from being displayed correctly, and the fonts disappeared completely in several programs including CorelDraw, QuarkXPress and PowerPoint. The only way to get the fonts back was to uninstall the update.

“Rereleased update KB2753842 to resolve an issue with OpenType fonts not properly rendering after the original update was installed. Customers who have successfully installed the original KB2753842 update need to install the rereleased update,” wrote Microsoft.

IE lets web pages track mouse movements, bad news for virtual keyboards, great news for unscrupulous ad companies

(LiveHacking.Com) – Details have emerged about how Microsoft Internet Explorer allows web pages with JavaScript to track the whereabouts of the mouse anywhere on the screen, even outside of the currently viewed web page. The ramifications of this are twofold. First, those using virtual keyboards as a way to avoid possible keyloggers can no longer assume that the virtual keyboard is safe. Secondly, it appears that unscrupulous ad companies have been using this flaw for a while to measure the viewability of display ads.

Spider.io, a web analytics firm, told Microsoft about the flaw in October, but Redmond has done nothing about it. The issue affects all versions of Internet Explorer from version 6 to version 10, and only since the findings have been made public has Microsoft commented on the vulnerability. At the moment Microsoft has no plans to patch the flaw.

The team at Spider.io have created a game to illustrate how easy it is to exploit IE and compromise the security of virtual keyboards. The game may be found at iedataleak.spider.io. There is also a demonstration showing how the flaw can be used to track the mouse over the Skype keypad despite the fact that the Internet Explorer window is not active.

According to Doug de Jager, chief executive of spider.io, the vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

“The vulnerability is being exploited rather mischievously by these companies to measure the viewability of display ads – arguably the hot topic in display advertising at the moment,” de Jager told the Guardian. “Almost every US-based user of Internet Explorer will have their mouse cursor tracked via this exploit almost every day they browse the web.”

Microsoft’s lack of action is a little surprising and it is Redmond’s indifference that has caused Spider.io to disclose the details of the flaw. “We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected,” Microsoft said in a statement, adding that it would take “appropriate action to protect our customers”.

Details of the vulnerability

Due to a design flaw, Internet Explorer populates the global Event object with attributes relating to mouse events even when it shouldn’t. This means that a web page can be created which uses the fireEvent() method to poll for the mouse position anywhere on the screen and at any time. The reason the flaw allows programs like Skype to be tracked is that the fireEvent() method and the mouse positions are processed even when the page isn’t active or focused.

Microsoft fixes five Critical vulnerabilities as promised

(LiveHacking.Com) – As expected, Microsoft has released seven bulletins, five to address Critical vulnerabilities and two for Important vulnerabilities. In total the bulletins address 12 vulnerabilities in a variety of products including Microsoft Windows, Internet Explorer (IE), Word and Windows Server.

According to Microsoft the two most important bulletins are MS12-077, a cumulative security update for Internet Explorer, and MS12-079, a patch to fix a vulnerability in Microsoft Word that could allow remote code execution.

The IE update resolves three privately reported vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The patch for Word resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Office software, or previews or opens a specially crafted RTF email message in Outlook while using Microsoft Word as the email viewer.

The other Critical bulletins are MS12-078, which fixes vulnerabilities in Windows kernel-mode drivers, MS12-080, which addresses vulnerabilities in Microsoft Exchange Server, and MS12-081, which resolves a vulnerability in a Windows file handling component. All three could allow remote code execution if exploited.

Adobe has also released an update to its Flash Player and as a result Microsoft has revised Security Advisory 2755801 to update the built-in version of Flash in Internet Explorer.