October 25, 2014

Zero-day vulnerability in Windows XP being exploited via a malicious PDF file

microsoft logoMicrosoft has issued a warning to all users of its aging Windows XP operating system about a zero-day vulnerability that allows attackers to gain elevated privileges. Once the attackers have system level privileges they can install programs; view, change, or delete data; or create new accounts with full administrative rights.

The vulnerability is in the Windows kernel and affects Windows Server 2003 as well as XP. Once exploited an attacker can run arbitrary code in kernel mode which automatically gives them full administrative rights.

According to CVE-2013-5065 NDProxy.sys in the kernel of Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application. The vulnerability is being exploited in the wild.

Microsoft has issued a workaround for the vulnerability however by implementing it services that rely on the Windows Telephony Application Programming Interfaces (TAPI) to not function, this includes Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN). Full details of the workaround, which disables NDProxy.sys and reroute all calls to Null.sys, can be found in Microsoft’s security advisory.

According to Symantec there have been a “small number” of in-the-wild attacks happening since early November. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were targeted.

This is the second zero-day vulnerability to be recently exposed in Windows. At the beginning of November Microsoft released  a security advisory about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

Microsoft updates its XML Core Services as part of Critical patch release

microsoft logo(LiveHacking.Com) –  Microsoft has released seven bulletins, two ranked Critical and five ranked Important, to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools and Windows Server. Among the Critical patches is an update (MS13-002) to Microsoft’s XML Core Services that resolves two flaws that could allow remote code execution when a user opened a specially crafted website designed to exploit the vulnerability. The issue was privately disclosed and Microsoft is not aware of any attacks in the wild.

The other Critical-class bulletin (MS13-001) addresses a vulnerability in Microsoft Windows which could allow remote code execution if a print server received a specially crafted print job. The standard default Windows firewall configuration means that this can’t normally be exploited from an external source. The bug only affects Windows 7 and Windows Server 2008 R2.

The first Important-class patch addresses vulnerabilities in System Center Operations Manager.  The vulnerabilities could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. Microsoft also fixed two other “elevation of privilege” vulnerabilities. The first in its .NET framework and the other in the Windows Kernel-Mode Driver. To exploit the kernel vulnerability a user would need to run an executable specifically designed to exploit the bug.

Microsoft also fixed a vulnerability in the way that Windows handle the SSL version 3 (SSLv3) and TLS protocols. The vulnerability could allow security feature bypass if an attacker injects specially crafted content into an SSL/TLS session. The flaw exists in all versions of Windows after XP: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.

The final patch fixes a problem in the Open Data Protocol. The vulnerability could allow denial of service if an unauthenticated attacker sends specially crafted HTTP requests to an affected site.

Microsoft fixes five Critical vulnerabilities as promised

(LiveHacking.Com) –  As expected Microsoft has released seven bulletins, five to address Critical vulnerabilities and and two for Important vulnerabilities  In total the bulletins address 12 vulnerabilities a variety of products including Microsoft Windows, Internet Explorer (IE), Word and Windows Server.

According to Microsoft the two most important bulletins are MS12-077  – a cumulative security update for Internet Explorer and MS12-079 – a patch to fix a vulnerability in Microsoft Word that could allow remote code execution.

The IE update resolves three privately reported vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The patch for Word resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Office software, or previews or opens a specially crafted RTF email message in Outlook while using Microsoft Word as the email viewer.

The other Critical vulnerabilities are MS12-078 – which fixes vulnerabilities in Windows kernel-mode drivers, MS12-080 – which addresses vulnerabilities in Microsoft Exchange Server and MS12-081 – which resolves a vulnerability in Windows file handling component. All of these three could allow remote code execution if exploited.

Adobe has also released an update to its Flash Player and as a result Microsoft has revised Security Advisory 2755801 to update the built-in version of Flash in Internet Explorer.

Microsoft to patch five critical security flaws in time for the holidays

(LiveHacking.Com) –  Microsoft has published its advance notification for the security vulnerabilities it will fix in December’s patch Tuesday. This month it will release seven security bulletins, five of which are rated as Critical and two as Important. In total these bulletins will address 11 vulnerabilities. The five Critical bulletins will fix security vulnerabilities in Microsoft Windows, Word, Windows Server and Internet Explorer. While the two Important-rated bulletins will resolve issues in Microsoft Windows.

Six of the seven bulletins address vulnerabilities that could allow an attacker to execute arbitrary code on the affected PC. While the other bulletin addresses a “Security Feature Bypass.” When Microsoft talk about a Critical rated vulnerabilities it means a flaw which can be exploited and allow arbitrary code execution without any user interaction. These vulnerabilities can allow self-propagating malware to spread. These types of vulnerabilities are normally exploited without warnings or prompts and can be triggered by browsing to a web page or opening email.

Windows XP is affected by all but one of the Windows related bulletins, as its Windows Server 2003.  Windows Vista, Windows 7 and Windows Server 2008 are likewise affected by four of the five fixes for Windows. For each of the previously mentioned operating systems  bulletin seven (which is rated as Important)  doesn’t apply. However bulletin seven does affect Windows Server 2008 R2 and Windows Server 2012.

Windows 8, Microsoft’s latest operating system which was released in October, is affected by two of the Critical bulletins and just one of Important ones.

Microsoft Office 2003, 2007 and 2010 are all affected by the Critical rated bulletin number three as is Microsoft SharePoint Server 2010 and Microsoft Office Web Apps 2010. Bulletin four deals with Critical issues in Microsoft Exchange Server 2007 and 2010.

“While it may be the most wonderful time of the year, we know it can also be the busiest time of the year,” wrote Dustin Childs from Microsoft. “We recommend that customers pause from searching for those hot new gadgets and review the ANS summary page for more information. Please prepare for bulletin testing and deployment as soon as possible to help ensure a smooth update process.”

Microsoft has scheduled the bulletin release for the second Tuesday of the month, at approximately 10 a.m. PST.

Microsoft Patch Remote Code Execution Vulnerability in WINS

Microsoft has issued a patch for a remote code execution vulnerability in WINS, the Windows Internat name service, as part of May’s Patch Tuesday. The vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. The fix corrects a logic error that occurs when buffers are passed as parameters.

This security update is rated Critical for servers running WINS on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. Itanium installations aren’t affected.

According to Computerworld some security researchers think Microsoft is trying to play down the importance of this patch as the summary stated that “by default, WINS is not installed on any affected operating system. Only customers who manually installed this component are affected by this issue.” But the probability is that most government and corporate networks have WINS installed in the data center.

The other security problem fixed on May’s Patch Tuesday was a remote code execution in PowerPoint. If a user opened a specially crafted malicious PowerPoint file an attacker could gain the same user rights as a logged-on user. Affected versions of Office are Microsoft Office XP, 2003 and 2007. But also Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac and the Open XML File Format Converter for Mac.