October 26, 2014

Microsoft releases 11 bulletins including a patch for Vista zero-day exploit, but XP still under attack

Microsoft has released its December 2013 security bulletins: 11 bulletins addressing 24 vulnerabilities in Windows, Internet Explorer, Office and Exchange. Among them is the fix for the TIFF file vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync. However, a fix for the zero-day vulnerability in Windows XP, which is being actively exploited in the wild via a malicious PDF file, is missing.

MS13-096 fixes the publicly disclosed vulnerability that can allow remote code execution if a user views content that contains specially crafted TIFF files. According to Microsoft an attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the user who viewed the TIFF file.

The vulnerability is currently being exploited in the wild, mainly against PC users in the Middle East and South Asia. The attacks seen so far use an email with a specially crafted Word attachment that carries the malicious TIFF image. However, the security bulletin points out that this isn’t the only possible attack vector: the vulnerability can also be exploited in a web-based attack, where an attacker creates a website designed to trigger it and then convinces a user to view that website, or via email.

Another Critical rated fix is MS13-097, a cumulative update for Internet Explorer. The patch resolves seven privately reported vulnerabilities in IE, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6 through to Internet Explorer 11.

MS13-099 resolves a vulnerability in the Microsoft Scripting Runtime Object Library that could allow remote code execution if a user visits a specially crafted website. The update is rated Critical for Windows Script 5.6, 5.7 and 5.8 on all supported releases of Microsoft Windows where those versions are present.

Security Bulletin MS13-106 fixes a publicly disclosed vulnerability in a Microsoft Office shared component that is currently being exploited in the wild. The problem is that hxds.dll in Microsoft Office 2007 SP3 and Office 2010 SP1 and SP2 was not built with the ASLR protection mechanism enabled, so once an attacker gets it loaded into Internet Explorer (via a crafted COM component on a web site visited with IE) the library sits at a predictable address and hands the attacker a fixed block of code to reuse. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker can combine this ASLR bypass with another vulnerability, such as a memory corruption bug in IE, and use the known addresses to turn an otherwise unreliable remote code execution exploit into a reliable one.
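MS13-106 is a reminder that ASLR only protects a process if every module loaded into it opted in. The check below is an added example (it is not code from the original article or from Microsoft): it walks a PE file's headers and reads the DllCharacteristics field, reporting whether the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP) and HIGH_ENTROPY_VA bits are set. The flag values are the IMAGE_DLLCHARACTERISTICS_* constants from winnt.h; the build_minimal_pe helper fabricates synthetic header-only images so the script runs offline, and those images are not real Office binaries. Pointed at a real hxds.dll (or any other module) it shows whether the loader would place that module at a fixed base.

```python
"""Inspect a PE image's DllCharacteristics to see whether it opts in to ASLR/DEP.

Added example, not from the original article or from Microsoft. Flag values are
the winnt.h constants; build_minimal_pe() fabricates synthetic header-only
images (not real binaries) so the check can be exercised offline.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* (winnt.h)
DYNAMIC_BASE = 0x0040     # image may be relocated at load time: the ASLR opt-in
NX_COMPAT = 0x0100        # image is DEP/NX compatible
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use high-entropy ASLR (PE32+ only)

# IMAGE_FILE_* (winnt.h), from the COFF header Characteristics field
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARS_OFFSET = 0x46    # same offset inside PE32 and PE32+ optional headers


def parse_dll_characteristics(image: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> optional header.

    Returns the ASLR/DEP-relevant flags; raises ValueError for anything that is
    not a well-formed PE header.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    coff = e_lfanew + 4          # COFF file header follows the 4-byte signature
    opt = coff + 20              # optional header follows the 20-byte COFF header
    if len(image) < opt + DLLCHARS_OFFSET + 2:
        raise ValueError("truncated headers")
    if image[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsect, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    if opt_size < DLLCHARS_OFFSET + 2:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLLCHARS_OFFSET)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "raw": dll_chars,
    }


def aslr_bypass_candidate(image: bytes) -> bool:
    """True when the module would load at its preferred base (no DYNAMIC_BASE).

    Such a module gives an attacker who can get it loaded into a process a fixed
    address range to source code from, which is the hxds.dll problem MS13-106
    addresses.
    """
    return not parse_dll_characteristics(image)["dynamic_base"]


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False, is_dll: bool = True) -> bytes:
    """Construct a synthetic header-only PE image for testing (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    magic, opt_size, machine = (PE32PLUS_MAGIC, 0xF0, 0x8664) if pe32plus else (PE32_MAGIC, 0xE0, 0x14C)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(name: str, image: bytes) -> str:
    """One-line human readable verdict used by the command-line entry point."""
    f = parse_dll_characteristics(image)
    bits = "PE32+" if f["pe32plus"] else "PE32"
    return (f"{name}: {bits} {'DLL' if f['is_dll'] else 'EXE'} "
            f"ASLR={'yes' if f['dynamic_base'] else 'NO'} "
            f"DEP={'yes' if f['nx_compat'] else 'NO'} "
            f"HighEntropyVA={'yes' if f['high_entropy_va'] else 'no'}")


if __name__ == "__main__":
    # Usage: python pe_aslr_check.py <module.dll> ...   (no arguments: run on synthetic images)
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(report(path, fh.read()))
    else:
        print(report("synthetic-no-aslr.dll", build_minimal_pe(0)))
        print(report("synthetic-hardened.dll",
                     build_minimal_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA, pe32plus=True)))
```

A module reported with ASLR=NO is exactly the kind of building block MS13-106 removes; note that the flag describes only the opt-in recorded in the file, and tools that force relocation of every module (such as EMET's mandatory ASLR) can still randomize such a DLL at load time.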


The other Critical bulletins are:

  • MS13-098 – Resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
  • MS13-105 – Resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server.

The Important bulletins from Microsoft are:

  • MS13-100 – Resolves multiple privately reported vulnerabilities in Microsoft Office server software. These vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server.
  • MS13-101 – Resolves five privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
  • MS13-102 – Addresses a privately reported vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker spoofs an LRPC server and sends a specially crafted LPC port message to any LRPC client.
  • MS13-103 – Fixes a privately reported vulnerability in ASP.NET SignalR. The vulnerability could allow elevation of privilege if an attacker reflects specially crafted JavaScript back to the browser of a targeted user.
  • MS13-104 – Resolves a privately reported vulnerability in Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website.

Microsoft fixes Internet Explorer zero-day vulnerability

Microsoft has released eight security bulletins for October 2013 to address 26 different security vulnerabilities in a range of its products including Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight.

The most important patch fixes the zero-day vulnerability which has been exploited by attackers in the wild since mid-September. Microsoft reports that the targeted attacks have been aimed at Internet Explorer 8 and 9, however the vulnerability is present in all versions of IE from 6 to 11. The bug is a use-after-free in Internet Explorer’s SetMouseCapture implementation, reachable from JavaScript. Microsoft’s patch (MS13-080) changes “the way that Internet Explorer handles objects in memory”, which is Microsoft’s standard wording for fixing such a use-after-free. The patch is Critical and all users should ensure that it is applied (normally via Windows Update).

The next patch (MS13-081) resolves vulnerabilities in some Windows kernel-mode drivers, specifically in how these drivers handle specially crafted OpenType and TrueType Font (TTF) files. If exploited, the vulnerabilities, which were reported to Microsoft privately, could allow remote code execution and an attacker could take complete control of an affected system, since the font parsing happens in the kernel. According to Microsoft these bugs exist in all supported releases of Microsoft Windows from XP upwards, except Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Windows is updated again in the next patch (MS13-083) to fix a vulnerability in the Windows Common Control Library that could allow remote code execution. The patch actually replaces a fix from 2010 in which Microsoft corrected the way the Windows common controls handle messages passed from a third-party scalable vector graphics (SVG) viewer. At the time it was rated as Important, but the new patch is rated Critical for all supported 64-bit editions of Microsoft Windows. The update has no severity rating for Windows RT or for the supported 32-bit editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows 8.

The final Critical level bulletin (MS13-082) fixes two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft’s .NET Framework. The worst of the vulnerabilities could allow remote code execution if a user visits a website containing a specially crafted OpenType font (OTF) file using a browser which is able to start XBAP applications. XBAP applications are Windows Presentation Foundation programs that run inside browsers such as Firefox or Internet Explorer. These applications run in a partial sandbox environment.


The remaining patches are rated as Important:

  • MS13-084 – Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution. The most severe vulnerability could allow remote code execution if a user opens a specially crafted Office file in an affected version of Microsoft SharePoint Server, Microsoft Office Services, or Web Apps.
  • MS13-085 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software.
  • MS13-086 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS13-087 – Vulnerability in Silverlight Could Allow Information Disclosure. The vulnerability could allow information disclosure if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability.


Microsoft fixes critical flaws in Windows, IE and Office

(LiveHacking.Com) – Microsoft has released its security patches for September to address 47 different vulnerabilities in Microsoft Windows, Office, Internet Explorer and SharePoint. In total the company released 13 bulletins: four Critical and nine Important.

The first Critical bulletin (MS13-067) fixes vulnerabilities in Microsoft SharePoint Server that could allow remote code execution if an attacker sends specially crafted content to the affected server. The vulnerability is present in Microsoft SharePoint Server 2007 and 2010, Microsoft SharePoint Services 2.0 and 3.0, and Microsoft SharePoint Foundation 2010. Also affected are Microsoft Office Services and Web Apps on supported editions of Microsoft SharePoint Server 2010. Although not rated as Critical there, the vulnerability is also present in Microsoft SharePoint Server 2013, Microsoft SharePoint Foundation 2013, and Excel Services on Microsoft SharePoint Server 2007.

Microsoft Outlook got updated in the second bulletin to fix a vulnerability that could allow remote code execution if a user opens or previews a specially crafted email message. The update, which is available for all supported editions of Microsoft Outlook 2007 and Microsoft Outlook 2010, corrects the way that Microsoft Outlook parses specially crafted S/MIME email messages.

Internet Explorer also got updated (MS13-069) to resolve ten privately reported vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage. Affected versions are Internet Explorer 6, 7, 8, 9 and 10. The vulnerabilities are memory corruption bugs: the fix, in Microsoft’s words, changes the way that Internet Explorer handles objects in memory.

The final Critical update (MS13-070) is for Windows itself and resolves a vulnerability that could allow remote code execution if a user opens a file that contains a specially crafted OLE object. Only Windows XP and Windows Server 2003 are affected; the update fixes the way that OLE objects are handled in memory.

The remaining bulletins are all listed as Important:

  • MS13-071 – Vulnerability in Windows Theme File Could Allow Remote Code Execution
  • MS13-072 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  • MS13-073 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  • MS13-074 – Vulnerabilities in Microsoft Access Could Allow Remote Code Execution
  • MS13-075 – Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
  • MS13-076 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege
  • MS13-077 – Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege
  • MS13-078 – Vulnerability in FrontPage Could Allow Information Disclosure
  • MS13-079 – Vulnerability in Active Directory Could Allow Denial of Service

Third time’s a charm for Microsoft’s recent security patches

(LiveHacking.Com) – Just under two weeks ago Microsoft released its regular set of patches for Windows and other Microsoft products to fix the current security vulnerabilities. Some of these patches were deemed Critical because the vulnerabilities could allow a hacker to execute arbitrary code on an affected PC and gain remote access to the machine.

Among the original updates was MS13-066, a patch rated as Important which fixed an information disclosure vulnerability in Active Directory Federation Services. Unfortunately, after its release Microsoft discovered that the patch could cause AD FS to stop working, and removed the update. Then last week Microsoft re-released the bulletin with a fix for the fix. It turns out that systems without the RU3 rollup QFE installed were the ones that experienced the problems; the new patch should work with or without RU3.

That was strike one.

August’s Patch Tuesday also contained MS13-061, a Critical patch to fix vulnerabilities in Microsoft’s Exchange Server. If exploited, these vulnerabilities could allow remote code execution. As with MS13-066, after the release of the patch Microsoft discovered some problems: specifically, that after the update Exchange Server 2013 Cumulative Update 1 and Exchange Server 2013 Cumulative Update 2 would stop indexing mail. Today Microsoft re-released MS13-061 to fix the bug that stopped the indexing of messages.

That was strike two.

The next (and last?) patch that caused trouble for Microsoft was MS13-057, a Critical patch from July which addressed a vulnerability in the Windows Media Format Runtime. The vulnerability could allow remote code execution if a user opens a specially crafted media file. Just before August’s Patch Tuesday Microsoft re-released it to address an application compatibility issue in which WMV encoded video could fail to properly render during playback. Originally this only affected Windows 7 and Windows Server 2008 R2. Today Microsoft released the patch (third time’s a charm – we hope) for Windows XP, Windows Server 2003 and Windows Vista to address the same WMV playback error.

And that was strike three. Any more swings at the ball, Microsoft?

Microsoft patches Windows Kernel-Mode Driver vulnerability which is being exploited in the wild

(LiveHacking.Com) – Among the six Critical security bulletins issued by Microsoft during its regular Patch Tuesday updates for July was MS13-053, a fix for the Windows kernel-mode driver win32k.sys. The bulletin addresses vulnerabilities that allow remote code execution if a user views shared content that embeds TrueType font files, together with CVE-2013-3660, a publicly disclosed elevation-of-privilege flaw in win32k.sys which Microsoft reports is being used in the wild in “limited, targeted attacks.” Between them the vulnerabilities allow hackers to take complete control of an affected PC.

The Windows Kernel-Mode Driver vulnerability, which affects all supported versions of Windows from XP onwards (including Windows 8 and Windows RT), exists because of an uninitialized pointer bug in the EPATHOBJ::pprFlattenRec function. Because it is a local elevation of privilege, its natural pairing is with a browser or document exploit that gives the attacker initial code execution as a standard user, which the kernel bug then lifts to full control of the machine. The security patch fixes the way Windows handles specially crafted TrueType Font (TTF) files and corrects the way that Windows handles objects in memory (in other words, it fixes the uninitialized pointer bug).

The other five Critical bulletins also outline fixes for vulnerabilities which can lead to unauthorized remote code execution. MS13-052 fixes vulnerabilities in the Microsoft .NET Framework and Microsoft Silverlight, while MS13-054 addresses a vulnerability in Microsoft Windows, Microsoft Office, Microsoft Lync, and Microsoft Visual Studio – again connected with content that embeds TrueType font files.

There is also a cumulative security update for Internet Explorer (MS13-055). It resolves seventeen vulnerabilities in the browser, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The security update is rated Critical for Internet Explorer 6, 7, 8, 9 and 10 on desktop versions of Windows and Moderate on Windows servers.

The only non-Critical patch (MS13-058) was for a vulnerability in Windows Defender for Windows 7. The vulnerability could allow a hacker to gain elevation of privilege due to the way pathnames are used by Windows Defender; however, an attacker must have valid logon credentials to exploit it.

In total Microsoft addressed 34 vulnerabilities across its products. The software giant is recommending that system administrators who need to prioritize the roll out of these patches should focus on the Windows Kernel-Mode Driver bulletin and the update to IE.

Microsoft patches Kernel-Mode driver after blue screen of death issues

(LiveHacking.Com) – Microsoft has released a new patch to replace the Kernel-Mode driver update (KB2823324) which was released as part of April’s Patch Tuesday. Problems started to arise with the update and Microsoft had to pull the patch. Specific to Windows 7, the patch could put systems into a situation where they failed to recover from a reboot (as they just keep rebooting) or make certain applications (specifically from Kaspersky) fail.

According to a Microsoft knowledge base article the symptoms are either an Event ID 55 or a 0xc000021a Stop error during the boot process. The Event ID 55 will wrongly claim that the file system structure on the disk is corrupt and unusable and force a run of the Chkdsk utility. The Stop error will simply say that the Session Manager Initialization system process terminated unexpectedly and the system will shut down. Any attempt to reboot will likely result in the same stop code.

The new update, KB2840149, has been rebuilt and still addresses the Moderate security issue described in MS13-036 but without the previous problems. For those with automatic updates enabled, you won’t need to take any actions. If you are applying updates manually Microsoft recommends you apply this update as soon as possible.

Microsoft’s Patch Tuesday Kernel-Mode driver update causing problems

(LiveHacking.Com) – Last Tuesday Microsoft released nine security bulletins to address 14 different vulnerabilities in its products, including MS13-036, which fixes vulnerabilities in the Windows kernel-mode driver that could allow an attacker to gain elevated privileges. Following the release of the patches, reports started to appear of Windows 7 systems that fail to recover from a reboot (they just keep rebooting) and of applications (specifically from Kaspersky) that fail after the security update is applied. Microsoft recommends that customers uninstall this update and has removed the download links to it while it investigates.

According to a Microsoft knowledge base article the symptoms are either an Event ID 55 or a 0xc000021a Stop error during the boot process. The Event ID 55 will wrongly claim that the file system structure on the disk is corrupt and unusable and force a run of the Chkdsk utility. The Stop error will simply say that the Session Manager Initialization system process terminated unexpectedly and the system will shut down. Any attempt to reboot will likely result in the same stop code.

According to Microsoft, systems with the update applied that use Kaspersky Anti-Virus for Windows Workstations or Kaspersky Anti-Virus for Windows Servers versions 6.0.4.1424 and 6.0.4.1611 may display an error message saying that the license for the product is not valid.

Microsoft fixes Critical IE and Remote Desktop flaws

(LiveHacking.Com) – Microsoft has released a series of nine security bulletins (two Critical and seven Important) to fix 14 different vulnerabilities in a range of its products including Microsoft Windows, Internet Explorer, Microsoft Antimalware and Windows Server software.

The first of the two Critical level bulletins (MS13-028) patches Internet Explorer against remote code execution attacks which could occur if a user visited a specially crafted webpage using IE. A successful exploit would give the attacker the same rights as the current user. The good news is that both of these IE issues were privately disclosed and Microsoft has not detected any attacks or customer impact. The vulnerabilities affect Internet Explorer 6, 7, 8, 9 and 10.

There is also a remote code execution patch for Windows (MS13-029) in connection with the Windows Remote Desktop Client ActiveX control. As with the IE bugs, this vulnerability could allow remote code execution if an attacker convinces a user to view a website containing specially crafted content that exploits the vulnerability. This bug is rated Critical for the Remote Desktop Connection 6.1 Client and the Remote Desktop Connection 7.0 Client on Windows XP, Windows Vista, and Windows 7.

Although Windows 8 was not affected by the Remote Desktop vulnerability, it isn’t immune to other problems, including a patch that applies only to Windows 8 for a flaw in the antimalware client used by Windows Defender.

Microsoft received a private report about a vulnerability (MS13-034) that could allow elevation of privilege due to the pathnames used by the Microsoft Antimalware Client. If successfully exploited, an attacker could execute arbitrary code and take complete control of an affected system, allowing them to install programs and create new accounts. The bulletin is marked as Important (and not Critical) for Windows 8 and Windows RT because an attacker must already have valid logon credentials to exploit the vulnerability.

Microsoft to patch critical flaws in Windows and IE on Tuesday

(LiveHacking.Com) – Microsoft has released its customary advance warning about the security vulnerabilities it plans to fix during its next Patch Tuesday. April’s update will contain nine bulletins, two of which are marked as Critical. The Critical bulletins address vulnerabilities in Microsoft Windows and Internet Explorer. The remaining seven are tagged as Important and will address issues in Microsoft Windows, Office, Anti-malware Software, and Server Software.

The IE bulletin affects all supported versions of Microsoft’s browser from IE 6 on XP to IE 10 on Windows 8 and RT. These vulnerabilities in IE could allow hackers to remotely execute arbitrary code (often used to infect a PC with malware via a drive-by download) on unpatched machines.

The Critical patches for Windows, which also fix remote code execution vulnerabilities, affect only the older versions of Windows from Windows 7 back to Windows XP. Windows 8, Windows Server 2012 and the version of Windows for tablets, Windows RT, are not affected.

Bulletin 7 only affects Windows 8 and Windows RT and applies to flaws in Windows Defender which could allow a hacker to run programs at an elevated privilege. Paul Henry, security and forensic analyst at Lumension, told The Register that “Windows Defender is an important security component for the new operating systems, so it’s a little concerning to see it impacted here, even if only at an ‘important’ rather than critical level. If you’re running either of those systems, I would patch this important bulletin first.”

Microsoft plans to publish the bulletins on April 9, 2013 at approximately 10 a.m. PDT.

Microsoft fixes Critical remote code execution vulnerabilities

(LiveHacking.Com) – Microsoft has released 12 bulletins, five Critical and seven Important, addressing 57 different vulnerabilities in Microsoft Windows, Office, Internet Explorer, Exchange and the .NET Framework.

Among the fixes was a security update (MS13-009) that resolves thirteen vulnerabilities in Internet Explorer. The most severe of these issues could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. As well as generally patching IE, the company also patched (MS13-010) its implementation of the Vector Markup Language (VML) in the browser. If exploited, the vulnerability could allow remote code execution if a user viewed a specially crafted webpage. Microsoft says that it is aware of this vulnerability being used as an information disclosure vulnerability in targeted attacks, so it is essential that this patch is applied as soon as possible.

There is also an update (MS13-020) for Microsoft Windows Object Linking and Embedding (OLE) Automation. Again, the vulnerability could allow remote code execution, this time if a user opens a specially crafted file. The fix corrects the way in which OLE Automation parses files. This security update is rated Critical, but only for Windows XP Service Pack 3; all other supported versions of Microsoft Windows are not affected.

Similarly, Microsoft fixed a vulnerability (MS13-011) in how different types of media are decompressed. The remote code execution vulnerability could be exploited by tricking a user into opening a specially crafted media file (such as an .mpg file), opening a Microsoft Office document (such as a .ppt file) that contains a maliciously crafted embedded media file, or running a program that receives streaming content designed to exploit the vulnerability.

There is also a fix (MS13-012) for remote code execution vulnerabilities in Microsoft Exchange Server, the most severe of which could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service is the Exchange component used for WebReady Document Viewing.