October 1, 2014

Microsoft releases details of zero-day vulnerability in Word

Microsoft has published information about a new zero-day vulnerability in its Word product. There is a real-world exploit for the vulnerability and it is currently being exploited in the wild. Microsoft says it is “aware of limited, targeted attacks directed at Microsoft Word 2010.”

According to Microsoft’s Dustin Childs, the vulnerability can be exploited by an attacker and allow “remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.”

Microsoft’s immediate response has been to publish a one-click Fix it which basically disables support for RTF in Microsoft Word. Although Microsoft wants to “encourage all customers using Microsoft Word” to apply the Fix it, disabling RTF support could be troublesome for those who rely on this document format.

The vulnerability, which was reported to Microsoft by members of the Google Security Team, can be exploited via email or via the web. In the email scenario, the attacker sends a specially crafted RTF document as the contents of the message. The vulnerability is exploited when the message is previewed or opened in Outlook where Microsoft Word is the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF document as an attachment. In the web scenario, the attacker would need to trick the user into downloading the document and then opening it.

This remote code execution vulnerability exists because of bugs in the way that Word parses maliciously crafted RTF documents. The bugs cause a memory corruption and give the attacker a way to execute arbitrary code. The vulnerability can also be exploited through Microsoft Outlook if Word is used as the email viewer, which it is by default in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

Microsoft is working on a full fix but it isn’t known if the Redmond company will be able to develop and test the fix by April 8th, the date of the company’s next Patch Tuesday. Patch Tuesday is the name given to Microsoft’s monthly security updates which patch Microsoft’s products to fix security issues.

Interestingly, support for Office 2003 ends April 8th and Microsoft has included Word 2003 Service Pack 3 in its list of affected products. If Microsoft doesn’t manage to release a full patch by April 8th then Office 2003 could remain vulnerable without any hope of a solution. Even if Microsoft does release a patch now, this incident highlights the dangers of using Microsoft products which have reached their end-of-life.

Microsoft issues “Fix it” for zero-day exploit attack against IE

(LiveHacking.Com) – Microsoft has issued an emergency “Fix it” to help fend off a zero-day vulnerability attack which is being exploited in the wild. Currently there are reports of targeted attacks specifically directed at Internet Explorer 8 and 9; however, the vulnerability is present in all versions of IE from 6 up to IE 11, which is to be released to the public with Windows 8.1. The vulnerability is exploited when users visit a web page with malicious content and can allow remote code execution.

The vulnerability exists because of a use-after-free coding error in the JavaScript SetMouseCapture implementation in Internet Explorer. Further details of the exploit have been posted on pastebin. Microsoft says it is actively working to develop a security update to address the vulnerability and in the meantime users should apply the “Fix it” and also set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. Microsoft also recommends that users configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

“We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our customers,” said Dustin Childs, Group Manager of Trustworthy Computing at Microsoft.

Microsoft hasn’t ruled out issuing an out-of-cycle security update to fix this bug, but it says it wants first to complete its investigation and may just provide a solution through its normal monthly Patch Tuesday bulletins, depending on customer needs and the extent of the attack.

More zero-day vulnerabilities found in Java

(LiveHacking.Com) – Java was last updated only a few days ago when Oracle released an updated patch for Java SE to include five additional fixes that did not make it into the original patches delivered on February 1st. Now Adam Gowdiak, from Security Explorations, has posted to the full disclosure mailing list revealing details of two more zero-day vulnerabilities in the latest Java version.

According to Gowdiak, his company started to analyze the February 19th update and found two new security issues which when combined together can be successfully used to gain a complete Java security sandbox bypass. The company immediately reported the vulnerabilities to Oracle along with working Proof of Concept code.

Oracle did some investigation and has confirmed that the two issues when combined result in a full sandbox bypass for Java SE 7 Update 15. However, Oracle did note that one of the issues was actually the intended behavior, something that the team at Security Explorations rejects. According to Gowdiak, there is a mirror case corresponding to the issue that leads to an access denied condition and a security exception.

“That alone seems to be enough to contradict the ‘allowed behavior’ claim,” said Adam Gowdiak. “Is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?”

It seems that Gowdiak is going to release details of the issue, which he claims is a security vulnerability but which Oracle claims is ‘allowed behavior’, if Oracle doesn’t change its stance.

Both the issues are specific to Java SE 7 only as they abuse the Reflection API in a particularly interesting way.

New zero-day Java exploit on sale for a five digit sum

(LiveHacking.Com) – A new zero-day Java exploit has been offered for sale on an underground black market cyber criminal Internet forum. The new threat is advertised as working on Java JRE 7 Update 9, the most recent version of Java, but doesn’t affect Java 6 or earlier versions.

According to Brian Krebs, the exploit is serious enough that an attacker could use it to remotely seize control over any systems running the program. This typically means it would be used to spread malware. If a cyber criminal did buy this exploit it would most likely be used to spread a banking Trojan so that the buyer could recoup the money spent. In the end it is all about money (illegally and immorally gained of course).

The exploit has been offered for sale on an invite-only Underweb forum for an undisclosed sum but the seller suggested that it needs to be five digits (meaning $100,000 or more). There are not many details, but the vulnerability is said to be in ‘MidiDevice.Info,’ a Java class which handles MIDI devices. The seller has tested the exploit on Firefox and Internet Explorer running on Windows 7.

“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly,” the exploit seller is reported to have written.

Many security experts, including us here at Live Hacking, have lots of concerns about the number of possible vulnerabilities in Java. If you don’t need Java it is best to remove it completely from your system.

As an alternative you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has published a detailed description of these settings.

Adobe Reader PDF zero-day exploit selling for $50,000 on black market

(LiveHacking.Com) – Although Adobe added sandboxing to Adobe Reader X, it still seems that malicious hackers are finding ways of compromising the security of computers via specially formed PDF files. Russian security firm Group-IB has announced that there is a new zero-day exploit for the popular PDF file reader which is being sold in the underground for up to $50,000. The exploit, which targets Windows-based installations of Adobe X and IX, has also been included in a modified version of the notorious BlackHole exploit toolkit.

At the moment the exploit is only being distributed in small circles of underground hackers but, of course, there is every possibility that its use will become widespread. The new unpatched zero-day threat gives malware writers and bot authors further opportunities to create new attack vectors by which malware can be loaded onto a victim’s computer.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document. Either way, the vulnerability has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” said Andrey Komarov, the Head of International Projects Department of Group-IB.

A video showing a proof of concept can be seen here: http://www.youtube.com/watch?v=uGF8VDBkK0M&feature=youtu.be. As the video shows, for the payload to run the web browser needs to be restarted. This means that the malware might not infect the PC at the moment the PDF file is opened, but it will most likely succeed at a future time whenever the web browser is closed.

“We saw the announcement from Group IB, but we haven’t seen or received any details,” Adobe spokeswoman Wiebke Lips told SCMagazine.com in an email. “Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Brian Krebs has pointed out that Blackhole is by far the most prevalent exploit kit in use today. At any rate, consumers should realize that there are several PDF reader options apart from Adobe’s, including Foxit, PDF-XChange Viewer, Nitro PDF and Sumatra PDF.

Microsoft to release out-of-band fix for Internet Explorer

(LiveHacking.Com) – Microsoft has announced that it will release an out-of-band update to Internet Explorer to fix the recently found zero-day vulnerability that affects IE 6, 7, 8 and 9. The flaw was discovered by Eric Romang, a security researcher, who was monitoring some servers suspected of serving malware. On one of the servers he found four files which upon analysis turned out to be a zero-day vulnerability exploit for Internet Explorer.

Microsoft subsequently published Security Advisory 2757760 which confirms that the flaw exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Then it published the “Prevent Memory Corruption via ExecCommand in Internet Explorer” Fix it solution, designed to be an easy-to-use, one-click workaround for the vulnerability.

“A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Now, Microsoft has released details of an out-of-band update to Internet Explorer to fully address the issue as well as four other Critical-class remote code execution issues. Microsoft will release the cumulative update for IE today at 10 a.m. PDT. The update applies to IE 6, 7, 8 and 9 on all supported versions of Windows (XP, Vista, 7, Windows Server). It will be made available through Windows Update and it is recommended that you install it as soon as it is available. If you have automatic updates enabled you won’t need to take any action. Microsoft has previously reported that targeted attacks attempting to exploit this vulnerability are happening in the wild.

Microsoft to release “Fix it” as workaround for IE zero-day vulnerability

(LiveHacking.Com) – In the next few days Microsoft will release a “Fix it” as a workaround for the recently discovered IE zero-day vulnerability. Previously Microsoft had urged users to install the Enhanced Mitigation Experience Toolkit (EMET) to help prevent a malicious website from exploiting the vulnerability. However, many commenters have pointed out that EMET needs to be installed and configured manually, a task which could be beyond some users.

“The Fix it is an easy-to-use, one-click, full-strength solution any Internet Explorer user can install. It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer,” said Microsoft in a statement.

The German government is taking this vulnerability very seriously, so much so that its Federal Office for Information Security (BSI) has published an advisory telling Internet Explorer users to switch to alternative browsers until a patch is released for IE. Microsoft is saying that it has only seen a “few attempts to exploit the issue” and that it has impacted “an extremely limited number of people,” however it is still working to fix the issue.

Microsoft will release the “Fix it” for everyone to download and install within the next few days.

Microsoft releases security advisory about zero day vulnerability in IE

(LiveHacking.Com) – I wrote yesterday about a new zero-day vulnerability in Internet Explorer that was discovered by security researcher Eric Romang while he was monitoring some servers suspected of serving malware. He discovered four files which upon analysis turned out to be a zero-day vulnerability in Internet Explorer. As a response to these reports, Microsoft has published Security Advisory 2757760 which confirms that the flaw exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Microsoft also reports that targeted attacks attempting to exploit this vulnerability are happening in the wild.

The vulnerability leads to corrupt memory which can then allow an attacker to execute arbitrary code. It exists because of the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer need,” wrote Microsoft in a statement.

As this is a zero day vulnerability there is currently no fix, but Microsoft are recommending that users deploy the Enhanced Mitigation Experience Toolkit (EMET) to help to prevent a malicious website from successfully exploiting the vulnerability.

The advisory also details a full set of workarounds alternative to deploying EMET, which include:

  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
    This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
    This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.


Oracle knew of Java vulnerabilities in April and had proof of concept code examples

(LiveHacking.Com) – It turns out that the latest Java vulnerabilities, which are being used to spread malware across the globe, aren’t zero-day vulnerabilities at all. PC World is reporting that Oracle has known about the existence of the two unpatched Java 7 vulnerabilities since April. Polish security firm Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day vulnerabilities that are being exploited in the wild now. Including further vulnerabilities that the company reported to Oracle in May, the total number of reported problems was 29. “We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,” said Adam Gowdiak, the founder and CEO of Security Explorations.

According to the press release which Security Explorations issued at the time, the security issues violated the “Secure Coding Guidelines for the Java Programming Language” and most of them demonstrate a specific problem related to Java SE security. As part of the research, Security Explorations developed reliable Proof of Concepts for ALL of the issues found. This included 12 exploits that demonstrated a complete JVM security sandbox bypass.

This means that for the last four months Oracle has had information about critical Java vulnerabilities including proof of concept code. The last status report that Adam Gowdiak received from Oracle revealed that the company was planning to fix the two vulnerabilities, which are being exploited today, in its October Critical Patch Update (CPU).

“Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don’t know why Oracle left so many serious bugs for the Oct. CPU,” Gowdiak said.

Oracle uses a 4-month patch cycle (middle of February, June, October) and the next patch is scheduled for October 16.

Concern grows as zero day Java exploit spreads

(LiveHacking.Com) – Concerns about the impact (even devastation) of the recently discovered zero-day Java exploit are starting to grow as the exploit has been added to the infamous Blackhole exploit kit. It has also been discovered that the attacks, which have now become global with cases recorded in the United States, Russia, Belarus and Germany, are actually using two unpatched vulnerabilities in Java 7 – not one, as was originally thought. Kurt Baumgartner, a senior security researcher at security firm Kaspersky Lab, wrote in a blog post that the infections are becoming more common and have spread out from their initial starting point in China.

Oracle has yet to comment on the vulnerability and, since every major browser is susceptible to the attack, US-CERT has released Vulnerability Note VU#636312 which advises users to disable the Java browser plugin.

  • To disable the Java web plug-in in Safari, open Safari > Preferences, click “Security” and uncheck “Enable Java”.
  • To disable Java applets in Firefox, click on the Firefox button and then click Add-ons, select the Plugins panel, click on the Java (TM) Platform plugin and then click on the Disable button.
  • For Chrome, type chrome://plugins/ into the address bar, scroll down to Java and click Disable.
  • Disabling Java in Internet Explorer isn’t easy; detailed instructions can be found here, here and here.

Disclosure concerns

There have also been some concerns about how this exploit was disclosed. It appears that some bloggers irresponsibly reported the vulnerability by including links to known sites serving the attack. “Would you encourage folks to walk down a mugger’s dark alley with no protection or would you work to communicate the muggers’ whereabouts to the right folks and work on lighting the alley or giving better directions?” wrote Kurt Baumgartner from Kaspersky.

Also, since the exploit was added to the Metasploit penetration testing framework it became available to every would-be hacker. The counter argument is that such full disclosure will force Oracle to deliver an out-of-band patch, which in the past it has failed to do. The company’s next scheduled Java security update is on October 16 2012.