September 19, 2014

Microsoft fixes two remote code execution issues in Microsoft Office

(LiveHacking.Com) – Microsoft has released its software patches for October. Seven bulletins have been published that address 20 issues in Microsoft Windows, SQL Server, and Office including SharePoint, Lync, Microsoft Works and InfoPath.

The most important bulletin (and the only Critical level bulletin this month) is for Microsoft Office. MS12-064 resolves two problems in Microsoft Office that can result in remote code execution. If the flaws are exploited, an attacker could run arbitrary code on the PC. To exploit the bug, the attacker would need to get the user to open a specially crafted Rich Text Format (RTF) file or preview/open a specially crafted RTF email message.

Microsoft also released a fix (MS12-067) for the vulnerabilities in the FAST Search Server which are caused by Oracle’s Outside In libraries. The vulnerabilities could allow remote code execution. FAST Search Server for SharePoint is only affected by this issue when Advanced Filter Pack is enabled. By default, Advanced Filter Pack is disabled. The libraries are also used in Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010. The Outside In libraries were updated by Oracle in July and Microsoft addressed the issue in Exchange during August’s Patch Tuesday.

The other fixes are:

  • MS12-065 – This security update resolves a privately reported vulnerability in Microsoft Works that could allow remote code execution if a user opens a specially crafted Microsoft Word file using Microsoft Works.
  • MS12-066 – Fixes a publicly disclosed vulnerability in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software, and Microsoft Office Web Apps. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user.
  • MS12-068 – Corrects a vulnerability in all supported releases of Microsoft Windows before Windows 8 and Windows Server 2012 which could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
  • MS12-069 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote attacker sends a specially crafted session request to the Kerberos server.
  • MS12-070 – This security update resolves a privately reported vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). The vulnerability is a cross-site-scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the SSRS site in the context of the targeted user.

As previously announced, this month's updates contain a patch to Windows that restricts the use of certificates with RSA keys < 1024 bits. Microsoft have implemented this at the API level, which means that any service or application that calls the CertGetCertificateChain function for a certificate with an RSA key < 1024 bits will be informed that the certificate can't be trusted. This impacts a wide variety of applications and services including encrypted email, SSL/TLS encryption channels, signed applications, and private PKI environments.
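
One way to find the certificates this restriction will affect, as an added example that is not from the original article or from Microsoft. The function name `Get-WeakRsaCertificate` and the choice of stores to scan are assumptions, and the script assumes .NET Framework 4.6 or later for `GetRSAPublicKey`.

```powershell
# Added example: read-only inventory of certificates whose RSA public key is
# shorter than the 1024-bit minimum described above. Nothing is modified.
function Get-WeakRsaCertificate {
    param(
        # Stores to scan; these two roots are an assumption, adjust as needed.
        [string[]] $StorePath   = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]      $MinimumBits = 1024
    )

    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            try {
                # Returns $null for non-RSA keys (ECC, DSA), which are out of scope here.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            } catch {
                Write-Warning "Could not read key for $($cert.Thumbprint): $($_.Exception.Message)"
                return
            }
            if ($null -eq $rsa) { return }

            if ($rsa.KeySize -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '^.*::', ''
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    KeyBits    = $rsa.KeySize
                    NotAfter   = $cert.NotAfter
                }
            }
            $rsa.Dispose()
        }
}

Get-WeakRsaCertificate | Sort-Object Store, KeyBits | Format-Table -AutoSize
```

Because the check is applied during chain building, a short key in an intermediate or root store matters as much as one in a personal store, which is why the scan recurses through every store under each root.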

Finally, Microsoft has reminded customers that Microsoft Works reaches the end of its support lifecycle this week.

Microsoft fixes remote code execution vulnerabilities, some of which are already being exploited

(LiveHacking.Com) – As anticipated, Microsoft has released nine security bulletins as part of Patch Tuesday. Of the nine bulletins, five are rated as Critical and four as Important. In total they address 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. All of the Critical level bulletins fix Remote Code Execution vulnerabilities.

The first Critical set of fixes (MS12-052) is for Internet Explorer, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The vulnerabilities are rated as Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows XP, Vista and 7. The fix modifies the way that Internet Explorer handles objects in memory.

The second Critical bulletin addresses issues in the Remote Desktop Protocol. This isn't the first time Microsoft have had to fix the protocol, which is used by millions to control remote machines (including web servers running and exposed on the Internet). Back in March, Microsoft fixed a bug in RDP which exposed over 5 million machines on the Internet after an exploit was developed for the vulnerability. The latest set of fixes (MS12-053) sounds very similar to previous RDP bugs. According to Microsoft, "The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system." However, one bit of good news is that the bug only affects Windows XP. To fix the problem, Microsoft has changed the way that the Remote Desktop Protocol processes packets in memory.

The next Critical bulletin (MS12-054) resolves four privately reported vulnerabilities in the Windows print spooler. These vulnerabilities could allow remote code execution if an attacker sends a specially crafted response to the spooler. This security update is rated Critical for all supported editions of Windows XP and Windows Server 2003; Important for all supported editions of Windows Vista; and Moderate for all supported editions of Windows Server 2008, Windows 7, and Windows 2008 R2. As part of the fix the code has been changed to correct the way the Windows Print Spooler handles specially crafted responses and how Windows networking components handle Remote Administration Protocol (RAP) responses.

The vulnerability fixed by the fourth bulletin (MS12-060) is already seeing some targeted attacks attempting to exploit it, but no public proof-of-concept code has been published yet. This security update resolves a vulnerability in the Windows Common Controls, and since multiple software products utilize Windows Common Controls, the issues addressed in this bulletin affect Microsoft Office, SQL Server, Server Software, and Developer Tools. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability.

Finally, MS12-058 resolves publicly disclosed vulnerabilities in Microsoft Exchange Server WebReady Document Viewing. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The vulnerabilities are actually in Oracle's Outside In libraries, which are used in Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint. The Outside In libraries were recently updated as part of a Critical Patch Update released by Oracle.