Posts in this category:
14 May: Microsoft Updates May 2013 - Slew of Internet Explorer Critical Vulnerabilities, Kernel EoP, and Others (Kurt Baumgartner)
09 Apr: Microsoft Updates April 2013 - 3 Critical Vulnerabilities (Kurt Baumgartner)
19 Mar: The end of MSN Messenger, the beginning of attacks (Fabio Assolini)
12 Mar: March 2013 Microsoft Security Bulletins - Low Impact from Pwn2Own, Watch USB Drives for Another Stuxnet (Kurt Baumgartner)
12 Feb: February 2013 Microsoft Security Bulletins - Volume is High but a Handful are Critical (Kurt Baumgartner)
11 Dec: December 2012 Microsoft Security Bulletins - IE, MSWord, Font Parsing, and More (Kurt Baumgartner)
Microsoft released a long list of updates for Microsoft software today. The most interesting are those patching Internet Explorer and kernel vulnerabilities. In all, ten critical "use-after-free" vulnerabilities are patched in IE along with one important Information Disclosure vulnerability, and three elevation of privilege vulnerabilities are patched as well. Almost all of these IE vulnerabilities were reported by external security researchers working through HP's Zero Day Initiative.
The recent Internet Explorer 8 0day, which used ROP to work on ASLR-protected Windows 7 and was hosted on the compromised Department of Labor website among others, was used in a targeted watering hole campaign suggested to be run by the known threat actor "DeepPanda". This IE 0day was reported by the guys over at FireEye and iSight Partners. It is being patched with Security Bulletin MS13-038. The others may not have been actively used by threat actors, but as always, it is very important for all Internet Explorer users to update asap and avoid becoming a victim of the more common, financially motivated mass-exploitation schemes.
A bit less sexy but very important for organizations to update are the three "Important" kernel escalation of privilege vulnerabilities. While these are not yet known to have been publicly exploited, EoP exploits are actively used for post-exploitation purposes and are a significant part of any infiltration exercise. All three of these problems were reported by external security researchers, to whom Microsoft extended a "thanks".
Organizations should also be aware that Http.sys in Windows 8, Windows RT and Windows Server 2012 is vulnerable to denial of service attacks, but exploiting this bug appears to be very difficult. Accordingly, Microsoft rates it "Important".
Other client side apps are being patched with "Important" rated updates as well, including Word, Publisher, and more. More information on all of these updates can be found over at Microsoft's summary.
Also today, Adobe's PSIRT pushed several important updates for ColdFusion (in the crosshairs of persistent attackers on organizations) and for both of its big client side apps, Flash and Reader/Acrobat.
Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other Bulletins rated "Important". The two critical Bulletins address use-after-free vulnerabilities, all of which can be attacked through Internet Explorer.
For Windows workstation environments, all versions of Internet Explorer need to be patched asap, including the v10 preview running on Windows RT. The patch for Internet Explorer 10 on Windows RT is available at the "Windows Update" site.
In addition to the privately reported vulnerabilities in Internet Explorer code itself, the Remote Desktop Connection v6.1 Client and Remote Desktop Connection v7.0 Client ActiveX components on XP, Vista, and Windows 7 are vulnerable. Microsoft's SRD team expects to see exploits available within 30 days targeting CVE-2013-1296.
Of the "Important" vulnerabilities, the interesting one is a privately reported Elevation of Privilege issue, CVE-2013-0078, a bug in the Windows Defender anti-malware engine running on Windows 8 and Windows RT. This vulnerability could be used by an insider or a determined adversary to gain further access, and is not the type of vulnerability usually hit by mass exploitation kits. Within organizations, this is something to address quickly, but individuals generally do not need to address this type of issue urgently.
See Microsoft's Security Bulletin Summary for April 2013 for the full list of this month's Bulletin releases.
Microsoft recently announced the shutdown of its popular IM client MSN Messenger, which will be replaced by Skype, but its end represents the beginning of malicious attacks posing as the installer of the software. Cybercriminals have already started to exploit this in their attacks, registering malicious domains, buying sponsored links on search engines, and tricking users into downloading and installing malware masquerading as the MSN installer.
MSN Messenger is still very popular in several countries; Microsoft has stated that the service has more than 100 million users worldwide, approximately 30.5 million of them in Brazil. As an accelerated migration of all users is planned, it is getting harder to find the program's installer, and this is the window of opportunity exploited by Brazilian cybercriminals aiming to infect users looking for the software.
In a simple Google search for "MSN messenger", the first result displayed is a sponsored link to a malicious domain distributing the fake installer, which is actually a Trojan banker.
Microsoft releases nine March Security Bulletins. Four of the Bulletins are rated critical, but of the 20 vulnerabilities being patched, 12 are rated critical and enable remote code execution and elevation of privilege. Microsoft software being patched with critical priority includes Internet Explorer, Silverlight, Visio Viewer, and SharePoint. So, pretty much everyone running Windows, and lots of Microsoft shops, should be diligently patching systems today.
Pwn2Own attracted top offensive security talent to CanSecWest and awarded half a million in prizes for fresh 0day this year, but the event didn't force much Microsoft fix development for this Bulletin release. Adobe, Java, Firefox and Chrome were all hit this year, along with two Internet Explorer 10 0days for full compromise of Windows 8 on a Surface Pro tablet.
Instead, MS13-021 is one giant "Internet Explorer Use-After-Free patch", addressing the longest list of IE use-after-free vulnerabilities in a single monthly Bulletin to date. Knowing that only one of these vulnerabilities was disclosed publicly, it almost looks as though they fixed a fuzzer in their own labs or someone stepped up development of their own.
MS13-022 addresses a memory pointer check in the Silverlight HTML rendering component - an unusual problem known as "double de-referencing". The interesting thing here is that this client side RCE enables exploitation not only on all supported Windows systems, but also on Apple's Mac OS X. In light of the OS X mass exploitation this past year and the recent slew of OS X-enabled targeted attacks, this patch is important to folks lugging around systems running OS X.
Microsoft notes that EMET helps mitigate both the Internet Explorer and the Silverlight issues.
On the server side, altogether different from the client side memory corruption issues above, we see a web service vulnerability in SharePoint, a pretty widely deployed service in organizations. The eye popper here is an EoP enabled by an XSS flaw that gives remote users a method to issue SharePoint commands in the context of an administrative user on the site. These SharePoint flaws were all privately reported by an outside researcher, and no public disclosure is known. At the same time, a denial of service issue and a buffer overflow issue are being addressed in the SharePoint code.
MS13-023 addresses vulnerable code in Visio Viewer 2010, but the same vulnerable code is also delivered in components within Microsoft Office. The odd thing is that there is no known code path through which Microsoft Office reaches the vulnerable code. And Microsoft maintains four or five versions of Visio Viewer, a widely used piece of software for organizations to distribute diagrams and charts of all types; however, this vulnerability only affects one version, Microsoft Visio Viewer 2010. Nonetheless, Microsoft is leaning towards addressing any and all security issues (including unknown future issues) and patching the code everywhere it resides, including Microsoft Office, whether or not it is traversed at runtime within Office.
Of the lesser rated vulnerabilities, the kernel mode USB descriptor issue seems the most interesting. And yes, the title of this post is out of proportion and fairly ridiculous. I don't expect another Stuxnet to rise up simply because of this vulnerability. But, in a flashback to Stuxnet exploit vectors, it provides another vector of delivery for arbitrary code to be executed in kernel mode simply by inserting a USB device into a system.
To clarify, the danger here does not lie in the immediate potential for another Stuxnet. The immediate danger lies in the availability of attack surface demonstrated by Stuxnet to enable highly secured, air gapped industrial environments to be infiltrated with Pearl Harbor style surprise and effectiveness.
Today's February Microsoft Security Bulletin release patches a long list of vulnerabilities. However, only a subset of these vulnerabilities are critical. Four of them affect client side software and one affects server side software: Internet Explorer, DirectShow media processing components (using web browsers or Office software as a vector of delivery), OLE automation components (APT related spearphish), and one affecting the specially licensed "Oracle Outside In" components hosted by Microsoft Exchange that could be used to attack OWA users. These critical vulnerabilities all potentially enable remote code execution, as does the SharePoint server related Bulletin rated "Important" this month. The other vulnerabilities enable Elevation of Privilege and Denial of Service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited. A large number of the CVEs being patched are in the kernel code, so this month most everyone should expect to manage a reboot.
The long list of CVEs patched by MS13-016 all address privately reported race conditions in win32k.sys, which all enable non-trivial EoP attacks. That they are non-trivial lessens the severity of the issue, as evidenced by the recent RDP vulnerability that attracted so much attention at the end of this past year.
So, we should focus immediate efforts on the handful of critical RCE this month.
The folks at the Microsoft Security Response Center are winding down 2012 with another full release of seven Security Bulletins containing fixes for memory corruption in application, server, and system code, along with a Certificate Bypass problem and a set of fixes for Oracle Outside In software components. Within the seven Bulletins, they are patching at least 11 vulnerabilities, accurately described in the Advance Notification for this month. The MSRC recommends that the Internet Explorer (MS12-077) and Microsoft Word (MS12-079) updates be addressed asap.
The December 2012 Microsoft Security Bulletin Release covers a varying set of software versions and platforms per Bulletin. For consumers, that mostly means ensuring that the Microsoft Update software is enabled and run, and the selected patches applied. For the vast majority of Windows customers, this month's release also requires that customers reboot their systems following the updates: the Internet Explorer update, the kernel level font parsing updates and the file handling updates all require a reboot, and hotpatching is not supported. The lack of hotpatch support means that the fix is not in effect on the system until it is rebooted. For IT folks in large and small organizations, this month's Release also requires some time set aside to understand whether or not your organization is running the versions of software requiring patches, and to address your environment accordingly.
Three different use-after-free vulnerabilities in the Internet Explorer code are being patched this month. This "use-after-free" category of bugs is continuing to prove very difficult to stamp out, even in meaty, prevalent attack vectors like Internet Explorer. It was this sort of vulnerability that was abused in the 2010 Aurora cyber-espionage attacks on Google, Adobe, and the long list of other international corporate names that continue to keep their incidents undisclosed and in the dark. At least one of these Internet Explorer vulnerabilities is likely to have exploit code developed against it.
As a vector of delivery for spearphish attacks, Microsoft Office seems to me to be the most popular target in the second half of the year. CVE-2012-0158 and CVE-2010-3333 continue to be identified in malicious attachments (both malicious Word and Excel files) in targeted attacks across the globe, while Adobe Reader and Flash, which were heavily abused, have almost fallen off the map. I don't know if this coincides with the release and distribution of the newly armored Adobe Reader X software and more sandboxing for Flash, or simply that offensive security investment in late summer had been directed toward producing toolkits that pump out the Office exploits we are seeing now. Either way, be sure to patch this Word flaw, CVE-2012-2539, asap.
Unfortunately, we have seen kernel level exploits bundled into mass-exploitation kits like Blackhole. The Duqu exploit, previously used in very targeted attacks throughout the Middle East, is being re-used in this manner. And MS12-078 this month patches kernel mode RCE for OpenType and TrueType font parsing flaws. The recent increase in mass-exploitation activity and the interest in kernel level font parsing vulnerabilities coincide with the open source release on GitHub of Microsoft font fuzzing tools and projects.
More of the Oracle Outside In code is being updated this month, with a pile of publicly known critical vulnerabilities being patched much like in August of this year. Critical and Important Microsoft Exchange, DirectPlay, and IPHTTPS components are also being patched this month.
Also, following up the announcement of the Microsoft software update release, Microsoft announced the availability of security updates for Adobe Flash that affect Internet Explorer users, among others. The flaws include an RCE buffer overflow vulnerability (CVE-2012-5676), an RCE integer overflow vulnerability (CVE-2012-5677), and a memory corruption vulnerability (CVE-2012-5678). For my production workstations and mobile devices, I've got multiple web browsers, and each one uses a different implementation of Flash. In my case, on my production systems, I visit this page with each browser to determine whether or not I have the latest version of Flash. Android systems are affected too, and you can find more information in Adobe's APSB12-27. Perhaps we will see a resurgence of Flash exploitation over the next few weeks and into the New Year.
Microsoft is patching a fair number of vulnerabilities in their software, with 19 flaws being fixed. All of them are being updated in six Bulletins this month (MS12-071 through MS12-076). Four of the Bulletins are rated critical, with only two of them rated urgent for immediate deployment by larger customers concerned with compatibility and performance. At the same time, Internet Explorer 10 is not vulnerable to exploitation by the related set of three flaws, and the newly released Windows 8 is affected by yet another font parsing flaw, described by CVE-2012-2897, similar to the vulnerability exploited by Duqu. The font flaw is especially interesting because the Duqu exploit is currently being included in mass exploitation kits alongside widespread Java and Adobe Reader exploits to spread Ransomware, ZeroAccess, and other trojans of all sorts. Even though Duqu was spread years ago and the patch was delivered months ago, the vulnerability continues to be included in the kits and successfully exploited.
Today's Microsoft updates include a few fixes for remote code execution, and several fixes for escalation of privilege and denial of service flaws. The priority for both general folks and corporate customers running Windows and Office will be to roll out MS12-064, affecting Microsoft Office, immediately. Vulnerabilities CVE-2012-2528 and CVE-2012-0182 are patched by this bulletin, and -2528 predictably will be attacked with more malformed RTF formatted documents. These sorts of files have been delivered with a .doc extension, previously exploiting CVE-2012-0158. This 0158 vulnerability has been heavily exploited with spearphish in a large variety of serious targeted attacks this summer. Accordingly, expect to see more of this new vulnerability exploited with spearphish from the APT. Note that another vulnerability in Word is being patched within the same Bulletin, but is comparably difficult to reliably exploit.
Microsoft is also releasing a bulletin for a vulnerability in Microsoft Works. This code exposes a heap overflow but is a much lower priority because of the difficulty of building a reliable exploit.
Another notable problem, though nowhere near as serious, is within Microsoft SharePoint, InfoPath, and the Microsoft Office WebApps service. A person could craft malicious content and send it to a user, sending just enough data to elevate their privileges to admin on the system.
Depending on your environment, you may want to look into the other handful of patches immediately. Microsoft presents October's MS SQL, Kerberos, and Kernel Bulletins here.
Earlier today, we received an interesting collection of samples from colleagues at another anti-malware company.
The samples are especially interesting because they contain a module with the following string:
C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb
Of course, the "wiper" reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame.
The malware is a 900KB PE file that contains a number of encrypted resources.
Defcon 2012 marked its 20th anniversary with unexpected speakers, some pretty tough content, and the cultural dark magic that buzzes the conference every year.
The Dark Tangent welcomed Mark Weatherford, an ex-Navy and Raytheon security guy who became the CISO of the State of Colorado and of California and then CSO at the highly regulated NERC, before recently moving on to a top spot at the Department of Homeland Security. Weatherford provided some insight into the amount of attacks he sees every day, then explained that some of the best people he is working with don't have a college degree, and closed with some recruiting - they are hiring.
The next huge name that Dark Tangent brought out was General Keith Alexander, Commander of US Cyber Command and Director of the NSA/CSS. It seems to be a sign of the times that the hacker community would be approached by the individual building out what is becoming the largest group of "cyberwarriors" in the world, attempting to draw shared principles and parallels between the groups. The guy was genuinely funny, rolling out jokes throughout his talk and Q&A answers, inviting kids onstage and showing off multiple t-shirts. Aside from the explanation of their mission and the recruiting talk, a couple of other interesting topics came up. According to Alexander, folks should know better than to claim that the NSA maintains files on every individual in the US, and he thinks that CyberCom doesn't need to become larger than the current US Navy, partly because of the power that automation and smart work provide. Oh, and they are hiring. It was a repeated theme this past week.
A couple of the talks were shocking in their presentation. FX from Phenoelit and Recurity's Greg analysed just how bad Huawei router code really is from a security perspective. It was almost unbelievable for a product line from a $21 billion company. Their preso began with a Code Quality slide that they claimed was almost left empty. Each slide made it seem that Huawei's security practices and implementation couldn't be worse than the previous slide suggested, and then the next slide showed that they were. And it was bad. After poring over the router code's open services and the inability to disable them, they described a lack of security advisories and updates, interrupt tables with RWX access, a Chinese-only debug interface, a lack of any communication channel whatsoever for reporting vulnerabilities, and a lack of any real security development lifecycle throughout the code development. They then followed Huawei's lead and copy/pasted their decades-old Cisco IOS exploit code into exploits for these Huawei routers, targeting 90s-style vulnerabilities. The company clearly hasn't taken the security lessons learned from Cisco's experience in this space, either.
At first, I was disappointed that the "Dr Strangelove" nuclear power plant SCADA system talk was cancelled without notice to attendees until arrival at the talk. It was replaced with a talk on SCADA HMI (human-machine interface) security issues from Wesley McGrew titled "SCADA HMI and Microsoft Bob: Modern Authentication Flaws With a 90's Flavor". At face value, it sounded comparably uninteresting. But it was eye-opening. The talk itself weaved through known, commonly approached technical problems that were met with disturbingly juvenile, incorrect security implementations - these systems are critical infrastructure and security requirements are not being met. This talk was complemented by Alberto Garcia Illera's "How to Hack All the Transport Networks of a Country", recounting pen-testing adventures in the transportation systems of Spain, using simple, unforeseen flaws in publicly accessible systems to peel layers back until they reached the poorly protected SCADA systems. The first talk revealed incredibly weak implementations in SCADA systems, and the second revealed exactly why those weaknesses need to be fixed and better understood by their developers and vendors.