
Absolutely all of the latest versions of Microsoft Word and some versions of Internet Explorer maintain critical vulnerabilities enabling remote code execution. Today, Microsoft releases two critical patches to close multiple vulnerabilities with each. Two important updates are released to address a batch file handling issue and another RCE hole in Microsoft Publisher. All of these are addressed with MS14-017 through MS14-020.

Both end users of Microsoft Office software and system administrators of SharePoint portals, Microsoft Office Web Apps servers, and even Apple Office for Mac users need to download and install these patches: MS14-017 and MS14-018.

These sorts of Office vulnerabilities are frequently the delivery vector for targeted attack spearphishing campaigns. Red October, NetTraveler, and Icefog all abused Office vulnerabilities in their spearphishing campaigns. There are many more of these groups, and they will continue to actively pursue potential victims, in part using exploits for Office applications.

On the brighter side, Microsoft is doing a fantastic job of consistent response and update delivery. Accordingly, their software, while it continues to be heavily used, no longer appears even in the top 10 vulnerable software applications that we see. Those spots still go to Oracle's Java, Adobe's Flash and Photoshop, Apple's Quicktime, WinRAR, WinAmp and other media players, and other apps that are frequently targeted by commodity exploit packs.

The Internet Explorer vulnerabilities do not hit all of the Microsoft platforms in the same manner as the Word vuln this month, although critical RCE is enabled by every version of unpatched Internet Explorer code on at least one version of every Microsoft Windows platform. So, Internet Explorer 6, which no one should be using, maintains critical RCE on the now unsupported Windows XP SP3 and XP Pro x64 SP2. IE 7, 8, 9 all maintain critical RCE as well. Internet Explorer 10 is not affected. IE 11 on Windows 7 and Windows 8.1 maintains critical RCE, but moderate severity on Windows Server 2008 and Windows 2012 R2. The Windows Update software will smoothly make sense of all of the versioning and patch needs for you when run. Nonetheless, there are serious issues here that exploit packs likely will attack with fresh exploit code.


The world of APTs is a colorful place. In 2012, we uncovered Flame, a massive cyberespionage operation infiltrating computers in the Middle East. Our research indicated a connection with the well-known Stuxnet cyberweapon, designed to sabotage the Iranian nuclear program.

In early 2013, we announced our research on RedOctober, a cyberespionage operation focusing on diplomatic institutions. In June 2013, we published our research on NetTraveler, and in September, our research on the Kimsuky attacks.

Our analysis of all these different APT operations indicated a unique use of languages that offers clues regarding some of the people behind these operations. While the comments in the Flame C&C were written in English, artifacts in RedOctober indicated Russian speakers, and NetTraveler indicated Chinese natives. Finally, Kimsuky indicated Korean-speaking authors, which we linked to North Korea.

During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We dubbed this operation "The Mask" for reasons to be explained later.


This will take place on April 8, 2014 and Microsoft has already announced this publicly. This would not be a problem if all Windows users had already migrated to more recent versions of Windows or did so by the mentioned date. However, according to our statistics based on the KSN technology during the last 30 days, 18% of Windows users worldwide still use the XP platform.
 


Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and another six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.

Several of the vulnerabilities have been actively exploited as a part of targeted attacks around the world, and one of them is known to have been ITW for at least six months or so.

The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a. We have seen a low number of ITW variations on exploitation of this vulnerability as a malformed TIFF file, all dropping backdoors like Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors that got their hands on it since this July, and a wide reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace CVE-2012-0158 as a part of targeted attacks in terms of overall volume.

The Internet Explorer Bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, any one of which affects Internet Explorer 6 on Windows XP SP 3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1. We expect to see exploits for some of these vulnerabilities included in commodity exploit packs.

Finally, another critical vulnerability exists in the Windows Scripting Engine as yet another "use after free", which unfortunately enables remote code execution across every version of Windows out there and can be attacked via any of the common web browsers. Patch!

This post will likely be updated later today, but in the meantime, more about this month's patches can be found at the Microsoft site.


Microsoft releases a long list of security bulletins this month on the server and client side, patching a longer list of vulnerabilities in this month's array of technologies. Only four of the bulletins are rated "critical" this month: Internet Explorer, a variety of built-in Windows components, and SharePoint and Office Web Services. Thirteen security bulletins are released in total, patching almost fifty vulnerabilities. Nearly every one of this month's vulnerabilities was reported privately, other than the XSS vulnerability in SharePoint, which Microsoft claims would be difficult to exploit. In all likelihood, at some point Windows folks will have to reboot following download and install of around 100Mb of system updates this month.

For mass exploitation purposes, the most problematic issues have to do with Internet Explorer, with working exploits likely being developed in the near future to attack these memory corruption vulnerabilities. These are the sort of things that can happen to anyone online, so all Windows users should address them asap. These ten vulnerabilities enable remote code execution across all supported versions of IE across all Windows clients and servers, so most likely, they will receive immediate attention from the offensive security global peanut gallery.

On the targeted attack side, SharePoint and Web Office Service administrators need to be aware of the critical vulnerabilities addressed with the large cumulative update MS013-067. Flaws in this code base enable RCE that could be exploited with the spear phishing techniques very commonly and effectively in use.

Also problematic from both perspectives is this interesting Outlook update, which patches a flaw in Outlook 2007 and 2010 S/MIME handling. It can be triggered in preview mode, which seems to make this the first severe, potentially wormable issue seen in Outlook in years. Patch immediately.

The long list of important updates is presented at Microsoft's TechNet site.


Today, Microsoft released a set of eight security Bulletins (MS13-059 through MS13-066) for a broad variety of vulnerable technologies and exploit categories. The critical vulnerabilities are not known to be exploited publicly at the time of Bulletin release. The more interesting Bulletins this month address RCE and EoP vulnerabilities in Internet Explorer, Windows components, and yet again Exchange/OWA components licensed from Oracle. Also included in this month's release are fixes for RPC, kernel drivers, Active Directory, and the networking stack.

MS13-059 is the priority update to roll out across Windows clients, as it fixes nine critical memory corruption vulnerabilities (that look like use-after-free to me) in IE6, IE7, IE8, IE9, IE10 and even IE11 preview on Windows 8.1 preview, along with XSS due to flawed Kanji font handling and flawed code in the "Windows Integrity Mechanism", which is used for sandboxing apps like Internet Explorer, Adobe Reader and Google Chrome. On Windows server, the maximum severity is "Moderate" and doesn't affect "Server Core" installations at all. Admins need to refer to the severity ratings and maximum impact table to prioritize server patch deployments, but those that need to prioritize patch deployments probably shouldn't surf the web from these types of systems anyway.

MS13-060 corrects code in the Unicode Scripts Processor implementing OpenType font handling, a format developed by Microsoft and Adobe over the past decade built on top of the TrueType format, in USB10.dll. This dll is used by Windows and all sorts of third party applications to handle right-to-left scripts like Arabic and Hebrew, and other complex fonts like Indian and Thai scripts too. The vulnerability is a user mode vulnerability that affects only Windows XP SP 2 and 3 (64 bit too) and Windows 2003 versions. These types of systems continue to be widely deployed, especially in government and critical infrastructure systems around the world. Exploits may be delivered via spearphish, as in the Duqu incident, or via a web page for a browser like Internet Explorer, as in Duqu copycat malcode like the Blackhole exploit pack that continues to be widely distributed and highly active.

Another interesting update includes MS13-061 that patches code in third party components built by Oracle and licensed by Microsoft for Outlook Web Access on Exchange Server 2007, 2010, and 2013. Applying the patch will not require a system reboot, but it will restart related Exchange services. The interesting thing about this critical set of issues is that they enable exploitation of the WebReady Document Viewing and Data Loss Prevention features on OWA for code execution not on the client system, but on the server itself with LocalService credentials. So a client system browsing code sent to their email account can remotely execute code on the server in the service's context, which is very problematic.

Please review the set and update ASAP. While most of the vulnerabilities this month were privately reported, these present high risk opportunities and the Exchange issues and exploitation are publicly known.


As promised in Microsoft's July Advance Notification, Microsoft ships seven security bulletins this month (MS13-052 - MS13-058). At least 34 CVEs are being patched. Six of the Security Bulletins are rated "critical" due to remote code execution issues. The vulnerabilities being fixed this month enable RCE across all versions of Windows operating systems, but most of these serious flaws have been privately reported and there is no indication that they are publicly known or exploited yet. Some, however, are publicly known and drew attention from a number of exploit developers.

The kernel mode vulnerability, CVE-2013-3172, is publicly known, along with another kernel mode bug publicly disclosed by Tavis Ormandy in May. Unfortunately, an exploit abusing that vulnerability was touched up by another contributor and then integrated into Metasploit for public distribution and use.

It's also interesting that the update for the kernel mode TrueType Font Parsing CVE-2013-3129 bug affects code paths in seven different software packages (Office, Lync, Visual Studio, .NET, Silverlight, and "Windows components") updated separately by Security Bulletins MS13-052, MS13-053, and MS13-054.

Internet Explorer receives the bulk of attention, with sixteen RCE bugs and one "information disclosure" bug all fixed up in one tidy bulletin, MS13-055. All of these but one are memory corruption issues, and all versions of IE across all operating systems are affected by one or another of these RCE issues.

Serious issues in multiple graphics components are being addressed this month.

Serious memory corruption flaw CVE-2013-3174 is being fixed in DirectShow that enables RCE across all supported Windows OS. DirectShow handles multimedia streaming, and the software mishandles .gif files, an ancient file format designed back in the day of 8-bit video, Windows 3.1 and x486. The major issue here is that this RCE exists across all versions of Windows.

A WMV decoding flaw is implemented in several dlls (wmvdecod.dll, wmvdmod.dll, and wmv9vcm.dll) that enables RCE. The dlls support Windows Media Player and the Windows Media Format Runtime across all versions of Windows except the server code installs. But, some administrators may have enabled the optional "Desktop Experience" and installed these dlls. These dlls are not all installed on each OS by default, so not all systems require the MS13-056 DirectShow update.

TrueType font parsing, the software functionality attacked in targeted attacks including the Duqu campaign and currently a part of the Blackhole exploit kit, again enables exploitation of another vulnerability in kernel mode graphics handling component GDI+. This bug also exists across all versions of Windows.

The Metasploit code attacking CVE-2013-3172 and patched with MS13-053 is currently limited to escalation of privilege, but with all the interest, this one may soon publicly become full RCE. Considering that the bug was publicly circulated in May, it is great to see Microsoft finally roll out a full patch for this one, because in addition to this month's TrueType handling fix, this win32k.sys vulnerability enables RCE across all versions of the Windows OS, including Windows 2012 core server installations.

.NET and Silverlight are being patched with one bulletin, and a couple of the bugs are publicly known.


Today's February Microsoft Security Bulletin release patches a long list of vulnerabilities. However, only a subset of these vulnerabilities are critical. Four of them affect client side software and one affects server side - Internet Explorer, DirectShow media processing components (using web browsers or Office software as a vector of delivery), OLE automation components (APT related spearphish), and one affecting the specially licensed "Oracle Outside In" components hosted by Microsoft Exchange that could be used to attack OWA users. These critical vulnerabilities all potentially enable remote code execution, as does the SharePoint server related Bulletin rated "important" this month. The other vulnerabilities enable Elevation of Privilege and Denial of Service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited. A large number of the CVEs being patched are in the kernel code, so this month most everyone should expect to manage a reboot.

The long list of CVE patched by MS-13-016 all address race conditions that were privately reported in win32k.sys, which all enable non-trivial EoP attacks. This lessens the severity of the issue, as evidenced by the recent RDP vulnerability that attracted so much attention at the end of this past year.

So, we should focus immediate efforts on the handful of critical RCE this month.


Earlier this week, we published our report on “Red October”, a high-level cyber-espionage campaign that during the past five years has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations.

In part one, we covered the most important parts of the campaign: the anatomy of the attack, a timeline of the attacker’s operation, the geographical distribution of the victims, sinkhole information and presented a high level overview of the C&C infrastructure.

Today we are publishing part two of our research, which comprises over 140 pages of technical analysis of the modules used in the operation.

When analyzing targeted attacks, sometimes researchers focus on the superficial system infection and how that occurred. Sometimes, that is sufficient, but in the case of Kaspersky Lab, we have higher standards. This is why our philosophy is that it’s important to analyze not just the infection, but to answer three very important questions:

  • What happens to the victim after they’re infected?
  • What information is being stolen?
  • Why is “Red October” such a big deal compared to other campaigns like Aurora or Night Dragon?

According to our knowledge, never before in the history of ITSec has a cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration. In most cases, the analysis is compromised by the lack of access to the victim’s data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.

To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months. This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack.


The folks at the Microsoft Security Response Center are winding down 2012 with another full release of seven Security Bulletins containing fixes for memory corruption on application, server, and system code along with a Certificate Bypass problem and set of fixes for Oracle Outside In software components. Within the seven Bulletins, they are patching at least 11 vulnerabilities, accurately described in the Advanced notification for this month. The MSRC recommends that their Internet Explorer (MS12-077) and Microsoft Word (MS12-079) updates are addressed asap.

The December 2012 Microsoft Security Bulletin Release fixes a varying array of versions of software and platforms per Bulletin. For consumers, that mostly means ensuring that the Microsoft Update software is enabled, run, and selected patches applied. For the vast majority of Windows customers, this month's release also requires that customers reboot their systems following the updates - the Internet Explorer, the kernel level font parsing updates and the file handling updates all require a reboot and hotpatching is not supported. The lack of hotpatch support means that the fix is not enabled on the system until it is rebooted. For IT folks in large and small organizations, this month's Release also requires some time set aside to understand whether or not your organization is running the versions of software requiring patches and accordingly address your environment.

The Microsoft Internet Explorer code maintains three different use-after-free vulnerabilities that are being patched this month. This "use-after-free" category of bugs is continuing to prove very difficult to stamp out, even in meaty, prevalent attack vectors like Internet Explorer. It was this sort of vulnerability that was abused in the 2010 Aurora cyber-espionage attacks on Google, Adobe, and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark. At least one of these Internet Explorer vulnerabilities is likely to have exploit code developed against it.

As a vector of delivery for spearphish attacks, Microsoft Office seems to me to be the most popular target in the second half of the year. CVE-2012-0158 and CVE-2010-3333 continue to be identified in malicious attachments (both malicious Word and Excel files) in targeted attacks across the globe, while Adobe Reader and Flash, which were heavily abused, almost have fallen off the map. I don't know if this coincides with the release and distribution of the newly armored Adobe Reader X software and more sandboxing for Flash, or simply that offensive security investment in late summer had been directed toward producing toolkits that pump out the Office exploits we are seeing now. Either way, be sure to patch this Word flaw CVE-2012-2539 asap.

Unfortunately, we have seen kernel level exploits bundled into mass-exploitation kits like Blackhole. The Duqu exploit, previously used in very targeted attacks throughout the Middle East, is being re-used in this manner. And MS12-078 this month patches kernel mode RCE for OpenType and TrueType font parsing flaws. The recent mass-exploitation activity increases and interest in kernel level font parsing vulnerabilities coincides with the open source GitHub release of Microsoft font fuzzing tools and projects.

More of the Oracle Outside In code is being updated this month with a pile of publicly known critical vulnerabilities being patched much like in August of this year. Critical and Important Microsoft Exchange, DirectPlay, and IPHTTPS components are also being patched this month.

Also following up the announcement of the Microsoft software update release, Microsoft announced the availability of security updates for Adobe Flash that affect Internet Explorer users, among others. The flaws include an RCE buffer overflow vulnerability (CVE-2012-5676), RCE integer overflow vulnerability (CVE-2012-5677), and memory corruption vulnerability (CVE-2012-5678). For my production workstations and mobile devices, I've got multiple web browsers, and each one uses a different implementation of Flash. In my case, on my production systems, I visit this page with each browser to determine whether or not I have the latest version of Flash. Android systems are affected too, and you can find more information at Adobe's APSB12-27. Perhaps we will see a resurgence of Flash exploitation over the next few weeks and into the New Year.