April 23, 2014

Microsoft releases warning as hackers attack vulnerability in Vista and Office

Windows-Vista-command-promptMicrosoft has released  Security Advisory 2896666 about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

The attack uses an email with a specially crafted Word attachment.  If the user opens the attachment it will try to exploit the vulnerability via a malformed image embedded in the document. If successful the attackers gain the same user rights as the logged on user.

According to Microsoft the remote code execution vulnerability exists because of bugs in the code which handles badly formed TIFF images. Only Windows Vista is affected and the current versions of Microsoft Office are not vulnerable.

The current attacks use the Word document attached to the email as a container for the specially crafted TIFF file. However, Microsoft says that hackers could also exploit the issue via a web-based attack. “An attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website,” it said.

While Microsoft is working to fix the error and release a security update it recommends the following actions:

  • Apply the Microsoft Fix it solution, “Disable the TIFF Codec” that prevents exploitation of the issue. See Microsoft Knowledge Base Article 2896666 to use the automated Microsoft Fix it solution to enable this workaround.
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET). This will help prevent exploitation by providing mitigations to protect against the issue and should not affect usability of any programs.  An easy guide for EMET installation and configuration is available inKB2458544.

How Flame Hijacked Windows Update

Source: Symantec.com

(LiveHacking.Com) – It is a malware writers dream to invent a system that automatically infects a PC by pretending to be a legitimate OS update coming from the manufacturer, or more specifically to trick a PC into thinking that the software it is receiving isn’t malware but in fact an update from Microsoft. Such updates are installed by the OS without question meaning that the infection happens automatically and without question. Up until now this had been impossible.

But now, Symantec has posted details on how the Flame malware has managed to do exactly that, how it managed to launch a man-in-the-middle attack on the Windows update service. Flame has an interesting feature in that it is modular. New modules can be uploaded to any infected PC by the Flame authors. For the Windows update spoof Flame uses three modules called: SNACK, MUNCH, and GADGET.

SNACK

On start-up, IE automatically sends out Web Proxy Auto-Discovery Protocol (WPAD) requests to discover if there any proxies on the network. These requests are directed to local computers with the relevant wpad domain names, but if there are no DNS records with those names then the request protocol switches over to NetBIOS. One of SNACK’s functions is to act as a sniffer and catch any WPAD requests and spoof the sending computer into thinking it is a valid proxy. The uninfected PC will now start using the infected PC as a web proxy and all web traffic will flow through the infected machine.

MUNCH

MUNCH is Flame’s built-in webserver. As the web traffic is redirected to the infected PC due to SNACK, MUNCH sniffs all the requested URLs and hijacks Windows Update traffic. Because Flame has some fake Microsoft code signing certificates, MUNCH is able to tell GADGET to send fake updates to the Windows machine.

GADGET

GADGET sends a binary signed by a certificate that appears to belong to Microsoft to the uninfected computer as if it is a legitimate Windows Update file. The binary isn’t Flamer itself, but a loader for Flamer. Once the update is received, the uninfected computer executes it and then in due course Flame is downloaded on to the PC.

 

One in Six PCs Without Basic Security Software

(LiveHacking.Com) – A recent study has shown that world-wide 17% of all the computers have no anti-virus software installed and surprisingly the USA is one of the worse countries. Ranked in the bottom 5, 19.32% of USA consumers have no basic security software, of any kind, installed. This compares to the top ranked country of Finland where only 9.7% of consumer PCs are unprotected.

The study, which was conducted by McAfee, used a free diagnostic tool for Windows called McAfee Security Scan Plus. It is able to detect the majority of security programs available for Windows and also checked the computer being scanned for threats, anti-virus software and firewall protection. Data was collected from computers in 24 countries, and analyzed an average of 27 million PCs each month. This allowed McAfee to determine a global estimate of the number of consumers who have basic security software.

What is even more interesting is that in countries like Singapore, Canada, the USA and the UK upto 11% of the PCs scanned actually had some form of security software installed but it was disabled! Since basic security software is available for free from the likes of Microsoft, AVG and avast! it is extraordinary that users are running PCs without them. According to McAfee, many consumers still believe that by only visiting known “safe” sites, they’ll be protected from all forms of malicious content.

“The freedom to browse the Internet comes with the added risk of unwanted exposure, and cybercriminals are preying on unsuspecting victims,” says Steve Petracca, SVP and GM of consumer, small business and mobile at McAfee. “With the increasing number of global cyber-attacks affecting consumers, it is critical that the 17% of consumers that are unprotected update their virus protection before it’s too late.”

Recently, McAfee released its quarterly threats report for Q1 2012, which showed that PC-based malware hit a new high during the quarter and showed the largest single jump in malware numbers in the last four years.

Microsoft’s RDP Bug Exposing 5 Million Hosts to Potential Attack

(LiveHacking.Com) – The impact of the RDP bug which Microsoft patched as part of this month’s Patch Tuesday is continuing to grow. Dan Kaminsky, who is best known for his work finding a critical DNS and for helping to fix it, has initiated a scan of the Internet and by extrapolating the data from the 8% sample (some 300 million IP addresses) it seems that there are about five million RDP endpoints on the Internet today.

With a proof of concept exploit already circulating in the wild this means that, unless updated to apply the latest patches, these five million servers are vulnerable to a real, palpable attack. Not a theoretical vulnerability but real exposure. Since RDP is the way most Windows systems are remotely administered, this vulneravility is now being seen on a whole different scale.

“There’s a very good chance that your network is exposing some RDP surface. If you have any sort of crisis response policy, and you aren’t completely sure you’re safe from the RDP vulnerability, I advise you to invoke it as soon as possible,” wrote Dan on his blog.

For those who haven’t yet applied Microsoft’s patches there is a way to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: By enabling Remote Desktop’s Network Level Authentication (NLA) users are forced to authenticate before a remote desktop session is established. On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability.  You can find instructions here to enable NLA.

Apple Releases QuickTime 7.7.1 for Windows to Fix Vulnerabilities

(LiveHacking.Com) - Apple has released QuickTime 7.7.1 for Windows to fix multiple vulnerabilities that if exploited could allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.

According to the security advisory, QuickTime 7.7.1 for Windows 7, Vista and XP, fixes several issues which have either been fixed in OS X (with OS X Lion v10.7.2 or with Security Update 2011-006 for
OS X v10.6 systems) or don’t affect Mac OS X systems.

The problems fixed are:

  • A buffer overflow existed in QuickTime’s handling of H.264 encoded movie files.
  • An uninitialized memory access issue existed in QuickTime’s handling of URL data handlers within movie files.
  • An implementation issue existed in QuickTime’s handling of the atom hierarchy within a movie file.
  • A cross-site scripting issue existed in QuickTime Player’s “Save for Web” export. The template HTML files generated by this feature referenced a script file from a non-encrypted origin. An attacker in a privileged network position may be able to inject malicious scripts in the local domain if the user views a template file locally. This issue is addressed by removing the reference to an online script.
  • A buffer overflow existed in QuickTime’s handling of FlashPix files.
  • A buffer overflow existed in QuickTime’s handling of FLIC files.
  • Multiple memory corruption issues existed in QuickTime’s handling of movie files.
  • An integer overflow issue existed in the handling of PICT files.
  • A signedness issue existed in the handling of font tables embedded in QuickTime movie files.
  • A buffer overflow issue existed in the handling of FLC encoded movie files.
  • An integer overflow issue existed in the handling of JPEG2000 encoded movie files.
  • A memory corruption issue existed in the handling of TKHD atoms in QuickTime movie files.
To exploit most of the these vulnerabilities an attacker would need to create a special crafted movie file and get the victim to watch it on their PC.

Worm Tries to Crack Weak Passwords on Remote Desktops Connections

(LiveHacking.Com) - Microsoft has published details of a worm called Morto which attempts to break into remote servers which use the Windows Remote Desktop. The worm attempts to compromise the systems by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted.

As with all accounts (both local and remote) it is essential for users and system administrators to set strong passwords. According to Microsoft the worm tries the following passwords:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

Microsoft are reporting that although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable.

Microsoft Patches Bluetooth Hole in July’s Patch Tuesday

(LiveHacking.Com) — As expected, Microsoft has released 4 security bulletins to address 22 vulnerabilities in Windows and Office. One of the bulletins is rated Critical, and the other three as Important. Microsoft has marked one bulletin, MS11-053, as a high deployment priority:

  • MS11-053 (Bluetooth Stack). This security bulletin resolves one privately reported vulnerability in the Windows Bluetooth Stack. This bulletin is rated Critical for Windows Vista and Windows 7 platforms. All prior versions of Windows are unaffected.

Microsoft is encouraging all customers to apply MS11-053 first, before deploying the rest of the July updates. If you have Automatic Update enabled on your computer, you will not need to take any action; the tool ensures that the updates are applied and the system is protected.

According to the executive summary, the vulnerability resolved in MS11-053 could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Naturally it  only affects systems with Bluetooth capability.

On the Microsoft Office front, Redmond fixed a problem with Visio. The vulnerability could allow remote code execution if a user opens a legitimate Visio file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Microsoft Patches Critical Vulnerabilities in Windows and IE

Microsoft has released 16 updates (which it calls security bulletins) covering a broad spectrum of its products including Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight, Microsoft Office, Microsoft SQL Server, Microsoft Visual Studio and Internet Explorer.

Of the sixteen, nine are rated critical, and seven are rated important. There are four critical level updates that Microsoft are highlighting as top priority updates.

  • MS11-042 (DFS). This security update resolves two privately reported vulnerabilities in the Microsoft Distributed File System (DFS). The more severe of these vulnerabilities could allow remote code execution when an attacker sends a specially crafted DFS response to a client-initiated DFS request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.
  • MS11-043 (SMB Client). This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
  • MS11-050 (Internet Explorer). This security update resolves eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS11-052 (Windows). This security update resolves a privately reported vulnerability in the Microsoft implementation of Vector Markup Language (VML). This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft recommend that customers apply these and all other updates as soon as possible.

Windows 7 SP1 Available Today

As we previously reported Windows 7 SP1 and Windows Server 2008 R2 SP1 become generally available for download today. Microsoft had previously made SP1 available to MSDN and TechNet users (as well as Volume License customers) on February 16th.

SP1 is available from the Microsoft Download Center or via Windows Update. If you are updating a single PC the best approach is to use Windows Update. If you are deploying it across multiple machines it is best to download the standalone installer to save bandwidth.

As a general tip, it is worth backing up your important files and data before installing SP1, however there is no known reason to think that there will be any trouble with the installation. It is also worth checking that your malware software is up to date. Laptop users should make sure that there laptop is connected to the mains electricity to avoid the laptop shutting down, due to a depleted battery, during the update.

After installing SP1 you will need to reboot your PC. Once it restarts you can reclaim some disk space by removing the service pack installation specific files. Run Disk Cleanup and click on the “Clean up system files” button then check “Service Pack Backup Files”.

Windows File Sharing Vulnerability Found – Triggers Blue Screen of Death

An anonymous researcher has found and revealed a vulnerability in the SMB (Server Message Block) which affects the Windows file sharing (AKA CIFS / Common Internet File System) browser service.

The researcher also provided Proof-of-Concept (PoC) exploit code showing exactly how to exploit the vulnerability and how to force a blue screen of death.

Since this vulnerability was publicly disclosed and included PoC it means hackers and in a position to use it today to at least trigger a blue screen of death on target machines and in doing so mount a denial of service attack. Microsoft have responded with Vuln:Win/SMB.Browser.DoS!NIS-2011-0003 as a first response measure.

The vulnerability exists because the Microsoft Server Message Block (SMB) client implementation incorrectly handles malformed SMB messages. A function in the error-reporting module pushes the calling arguments into a pre-allocated fixed size buffer. And due to a bug in the length handling, this buffer can overflow.

This then results in a blue screen of death. Microsoft reckon that based on the nature of the bug remote code execution is theoretically possible, but not likely in practice.

Microsoft have also released notes on exploitability of the recent Windows BROWSER protocol issue with more technical information.