This month's Patch Tuesday is a sizable one by any standards, following the quiet Tuesday that my colleague Roel Schouwenberg described last month. Microsoft is patching a total of 34 vulnerabilities in 16 bulletins, MS11-038 through MS11-051. At least eight different Microsoft product lines are updated, and Adobe is coordinating the release of Reader, Acrobat, Shockwave and Flash updates today as well.

So we are looking at patching the following programs:
Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, ISA and Adobe Reader, Acrobat, Shockwave and Flash player. More than half of the vulnerabilities being patched exist in the Internet Explorer and Microsoft Excel software components, frequent targets of drive-by and spear phishing attacks.

Most interesting is MS11-050, a single patch that knocks out 11 separate Internet Explorer vulnerabilities, some enabling information disclosure (cookiejacking), memory corruption and remote code execution: CVE-2011-1250, CVE-2011-1251, CVE-2011-1252, CVE-2011-1254, CVE-2011-1255, CVE-2011-1256, CVE-2011-1260, CVE-2011-1261, CVE-2011-1262. The additional VML patch MS11-052 knocks out another Internet Explorer vulnerability, CVE-2011-1266.

Microsoft has already pointed out that the Internet Explorer patch addressing "cookiejacking" is not a particularly high-risk issue, because the technique is relatively unknown to them as an attack vector and because more substantial social engineering techniques exist. While those points may be true, now that the techniques are more widely discussed, the risk of them being abused by more attackers goes up as well.

Eight different privately reported vulnerabilities are being patched in Microsoft Excel alone by MS11-045, each of which allows remote code execution. We are still reviewing why the patch is rated "Important" rather than Critical for the various Excel versions.

The patches that stand out result in remote code execution within Internet Explorer, Office and Silverlight. The recent history of attacks on consumer and corporate users, including the many successful spear phishing and APT attacks should help increase the urgency of these patches.

On the server side in the cloud, Microsoft is patching a vulnerability that could be abused in a DoS attack, but one that could only be staged from within the cloud itself. MS11-047 is rated an "Important" patch for Windows Server 2008 versions, correcting a flaw in Hyper-V where a guest could send a malformed packet to the VMBus and cause a denial of service on the server. MS11-039 is the Silverlight patch; the flaw it fixes could be used not only in a remote code execution attack on the client side, but also to run arbitrary code remotely on vulnerable IIS web servers.

At least eight of the nine patches rated "Critical" require a restart, so be prepared for this interruption. We recommend applying all of this month's patches as soon as possible.

The Democratic Party of Hong Kong's website was compromised and malware uploaded to the web server. Interestingly, the server was distributing malicious flash and spyware nearly identical to the compromised UK Amnesty International servers at the beginning of this month. The server is being cleaned up.

The English version of the website did not include the injected iframe links pointing to the exploit.html page, which in turn delivers three different version-appropriate malicious Flash variants, detected by Kaspersky as "Exploit.SWF.CVE-2011-0611". This malicious Flash content was a 0-day at the beginning of this month and will still be effective on unpatched systems.

This news instantly became very fruitful for all kinds of cybercriminals. Here is some of the evidence we found:

1) SEO-optimized Google image searches leading to a malicious site hosting an exploit for the "Help Center URL Validation Vulnerability". The exploit drops a malicious executable onto the system: a password-stealing trojan.

At the moment we found it, Kaspersky Anti-Virus detected the sample as Heur.Trojan.Win32. Meanwhile, the Jotti multiscanner results were 1/20.

The exploit also works in the Opera and Firefox browsers, where it drops a malicious PDF file onto the system.

2) SEO-optimized searches for all non-Russian Google users, leading to rogue AVs, in particular to "XP Anti-Virus 2011", which is quite aggressive in blocking Internet access and extorting money for activation.

(Note: the third option doesn't allow browsing in any case.)

The infection scheme is quite simple: a victim looks for pictures on the topic "Royal Wedding", and when the click arrives with a Google referrer, a special malicious script redirects the victim to a malicious .cc domain showing a classic fake AV window.

3) Scams involving a fake satellite TV service for which the victim is asked to pay. And of course, the credit card details are stolen once the payment is accepted.

4) Spam on Twitter simply abusing trending topics (TT) and leading to miscellaneous junk content sites.
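As an added example for defenders (not code from the original post), here is a detector for the referrer-cloaked redirect chain described in item 2 above, run over a few constructed proxy log lines: a click from a Google search lands on a compromised page and, seconds later, the same client is bounced to a host on a .cc domain. The combined log layout, the host names and the five-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Proxy log lines in combined format with a Referer field (assumed layout
# for this example; adjust LOG_RE to your proxy's own format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) \S+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def host_of(url: str) -> str:
    """Host part of a URL; returns '-' for an empty Referer field."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def find_cloaked_redirects(log_lines, bad_tlds=(".cc",), window=timedelta(seconds=5)):
    """Flag the chain the post describes: a client lands on a site from a
    Google result and, within `window`, the same client is bounced from that
    site to a host on a suspicious TLD (the fake AV landing page)."""
    by_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT)
            by_client[m["ip"]].append((ts, m["url"], m["referer"]))
    alerts = []
    for ip, events in by_client.items():
        events.sort()
        for i, (t0, landing, ref0) in enumerate(events):
            if "google." not in host_of(ref0):
                continue  # not a click arriving from a Google search
            for t1, url1, ref1 in events[i + 1:]:
                if t1 - t0 > window:
                    break
                if host_of(url1).endswith(bad_tlds) and host_of(ref1) == host_of(landing):
                    alerts.append((ip, landing, url1))
    return alerts


# Constructed sample traffic; the .cc host is a placeholder, not a real indicator.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Apr/2011:10:15:01 +0000] "GET http://photos.example.net/wedding.html HTTP/1.1" 200 5120 "http://www.google.com/imgres?q=royal+wedding"',
    '10.0.0.5 - - [29/Apr/2011:10:15:02 +0000] "GET http://fakeav-placeholder.cc/index.php HTTP/1.1" 200 2048 "http://photos.example.net/wedding.html"',
    '10.0.0.7 - - [29/Apr/2011:10:16:10 +0000] "GET http://photos.example.net/wedding.html HTTP/1.1" 200 5120 "-"',
    '10.0.0.7 - - [29/Apr/2011:10:16:11 +0000] "GET http://photos.example.net/style.css HTTP/1.1" 200 300 "http://photos.example.net/wedding.html"',
]
```

Only the first client is flagged: the second visits the same page directly and is never redirected, so a direct visitor (or an analyst fetching the page without a Google referrer) sees nothing suspicious.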

We highly recommend using the latest patched browser with a plugin like NoScript, not clicking on any unknown link, and keeping your AV updated with real-time protection working.

News has spread pretty quickly about the latest IE 0-day exploit. Unfortunately, in trying to publicize the quality of his employer's product in relation to this new exploit, a researcher at McAfee, according to Ryan Naraine, inadvertently divulged too much information about the vulnerability, leading to some unintended consequences.

The consequence was the prompt creation of a PoC Metasploit module for the vulnerability, turning what was once an exploit used in targeted attacks into a potentially widespread issue for users of IE 6 and 7.

What exactly was divulged? Well, I was curious too, as I frequently am faced with what information I should or should not mention. It turns out that all that was divulged was a list of file names involved with the exploit and malware dropped by the exploit, and the domain name that the malware connected to.

It seems pretty reasonable to list that information in a blog post, right? Surely someone writing IDS signatures would find the URL used by the malware useful, and other anti-virus researchers might gain benefit from knowing the file names associated with the attack.

This leads to the question, then, of exactly what can be safely disclosed. Should nothing be disclosed? As a technical individual I get frustrated when an author redacts all the important information for identifying a threat; the McAfee researcher was obviously trying to keep people like myself interested.

My suggestion for researchers writing about live threats is simple. If the domain(s) hosting unpatched exploits are still active, don't post the URL or filenames associated with the exploit: frequently Google will happily locate the page for you.

Does this mean researchers shouldn't share key information about live threats? Of course not; we do it all the time. But not in public: there are plenty of secure methods for sharing details about live threats.

News|Patch now: MS10-002

Costin Raiu
Kaspersky Lab Expert
Posted January 22, 12:00  GMT
Tags: Microsoft Internet Explorer
Earlier today, Microsoft released the out-of-band (OOB) Microsoft Security Bulletin MS10-002 (rated “Critical”) to the public. The cumulative Security Update for Internet Explorer 978207 fixes a couple of serious issues which allow remote code execution through malicious HTML pages, vulnerabilities that are now known to have been used in the Google/Adobe hack.

The bulletin is available here:

http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

To patch, just use Windows Update.

In addition to that, Microsoft created a tool which will opt-in Internet Explorer to Data Execution Prevention (DEP), if your processor has this feature and the operating system is aware of it. DEP is a wonderful technology which makes it much harder for hackers to exploit vulnerabilities such as this one. We recommend that you check it out at:

http://support.microsoft.com/kb/978207

As usual, there are a few other fine alternatives to IE out there that you might want to try. I recommend Chrome (http://www.google.com/chrome), Firefox (http://www.getfirefox.com/) and Opera (http://www.opera.com/download/).

This month Microsoft released 6 bulletins to plug 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of them are rated Critical and the other three Important. These bulletins affect all supported versions of Windows and IE; regarding Office the bulletins impact Project, Word and Works 8.5. The other important piece of information is that all of the updates require a reboot so plan accordingly.

MS09-072 covers Security Advisory 977981 (HTML Object Memory Corruption), and because the vulnerability was publicly disclosed and affects IE 6 and IE 7, Microsoft put this at the top of the priority list. It's the only bulletin that has both a Critical severity rating and the maximum Exploitability rating. Users running IE 8 on any version of Windows, or IE 5.01 on Windows 2000, are not affected by this vulnerability. With that said, how many people are still running IE 5.01 on their systems? I'd like to think that sometime in the last 8 years most, if not everyone, has updated their systems.

MS09-070 resolves two reported vulnerabilities in Windows that can be triggered by a maliciously crafted HTTP request to an ADFS-enabled web server. However, for the attack to be effective, valid logon credentials are needed, which is why Microsoft placed this lower on the deployment list. This patch is for any machine running Windows Server 2003 32-bit and x64 Editions, Windows Server 2008 and Windows Server 2008 x64 Edition.

MS09-071 addresses vulnerabilities in Internet Authentication Service: if a message is copied incorrectly into memory while handling PEAP authentication attempts, it could allow the system to be compromised. This security update is rated Critical for Windows Server 2008 for 32-bit Systems Service Pack 2 and Windows Server 2008 for x64-based Systems Service Pack 2; for other versions of Windows the rating drops to either Important or Moderate. However, those running Windows 7 or Server 2008 R2 x64 or Itanium versions are not affected.

MS09-073 patches a vulnerability in Microsoft's WordPad and Office text converters. To be affected, a user would need to open a malicious Word 97 file in either WordPad or MS Word. This security update is rated Important for WordPad on all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003. It's also rated Important for all supported editions of Microsoft Office Word 2002 and Microsoft Office Word 2003, Microsoft Office Converter Pack, and Microsoft Works 8.5. This does not affect Vista SP1 or SP2 (32-bit or x64), Windows 7 (32-bit or x64), Server 2008 R2 x64 or the Itanium versions of Windows.

MS09-074 covers a vulnerability in Microsoft Project where, if a user opens a maliciously crafted project file, the attacker can get complete control of the affected system. This has a Critical rating for MS Project 2000 SP1 and an Important rating for MS Project 2002 SP1 and MS Project 2003 SP3.

MS09-069 fixes a vulnerability in the Local Security Authority Subsystem Service (LSASS) that could allow a denial of service (DoS) attack. For this to take place, the attacker would have to send ISAKMP messages to LSASS over Internet Protocol security (IPsec). This is rated Important for all supported editions of Windows 2000, Windows XP and Windows Server 2003.

I also want to highlight the re-release of MS08-037. This addresses the vulnerability in both the DNS client and DNS server that could allow spoofing. It applies to Microsoft Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. For Windows 2000 users, if you've already downloaded and installed this, you need to install it again to be completely updated.

As I always say, no matter what severity rating Microsoft gives, you should download and install all the updates needed for your system.

For more detailed information, take a look at the Microsoft blog about these updates.

News|Multiple critical patches - a busy day

Josh
Kaspersky Lab Expert
Posted October 13, 21:18  GMT
Tags: Microsoft Windows, Microsoft Internet Explorer
Today marks the largest patch Tuesday ever from our friends in Redmond with 13 vulnerabilities addressed, covering a total of 34 potential exploits. Three of the exploits have had public code posted while 11 of them are rated as likely to be consistently exploitable.

The most alarming vulnerability this month is MS09-050, which according to its discoverer was introduced by the patch for MS07-063. MS09-050 was first disclosed publicly on security researcher Laurent Gaffié's blog on September 7th, outlining a denial of service vulnerability in SMB 2.0, specifically the srv2.sys driver. You might remember some of the buzz when this was first released, as several people immediately added that this was not only a denial of service but could easily lead to remote code execution. What should be just as concerning for Microsoft, however, is the fact that the vulnerability affects Windows Vista and Windows 7 machines and not Windows XP; not an encouraging sign.

Included in this patch are also updated kill bits for ActiveX controls, à la MS09-035, which if you remember was related to several vulnerabilities in ATL. Also, MS09-060 appears to address these vulnerabilities as they pertain to MS Office. It's less than settling to see that this vulnerability still has not been fully patched.

Another highly visible patch this month is the fix for the SSL certificate impersonation vulnerability, MS09-056. Those who attended Black Hat Las Vegas in July won't have forgotten that this was the exploit being enthusiastically described to a standing-room-only audience by Moxie Marlinspike. Interestingly enough, this vulnerability was discovered by Dan Kaminsky.

As always, make sure to apply these patches as soon as possible and especially this month if you are using Windows Vista or later with SMB enabled!

As you've probably already heard, there's a dangerous vulnerability in Internet Explorer 6 & Internet Explorer 7 being exploited in the wild. The vulnerability affects Windows XP Service Pack 0 to Service Pack 3. Microsoft hasn't released a patch yet, but they have provided a work-around.

Some people have simply recommended turning off JavaScript to mitigate this issue. However, this vulnerability is a trivial buffer overflow which makes it possible to overwrite the SEH handler. Thus, heap spraying is not required, and turning off JavaScript only mitigates attacks from less skilled attackers. I put a bit of time into researching this, and it very quickly became clear that this vulnerability doesn't rely on JavaScript, i.e. it can be exploited with JavaScript turned off.

The vulnerability allows arbitrary code execution and we therefore strongly recommend that you should apply the workaround from Microsoft's advisory or turn off ActiveX altogether. Otherwise you will be at risk of exploitation of Internet Explorer 6 and Internet Explorer 7.

We've added generic detection for the actual exploit as Exploit.Win32.Direktshow and the often accompanying JavaScript as Exploit.JS.Direktshow.

(08.07, 15.04: edited to correct typo in the Service Pack information.)

News|MS issues patch for IE vulnerability

David
Kaspersky Lab Expert
Posted December 17, 12:56  GMT
Tags: Microsoft Internet Explorer
Microsoft has now announced it will be issuing an out-of-cycle patch for the IE7 vulnerability today at 1pm EST. The patch is available via auto-update and from the Microsoft Download Center.

Incidents|IE feature exploited ITW

Roel
Kaspersky Lab Expert
Posted June 27, 15:25  GMT
Tags: Microsoft Internet Explorer, XSS, Website Hacks
Quite a long time ago I contacted Microsoft regarding what I thought was an XSS vulnerability in IE.

Microsoft disagreed, preferring to call it a 'feature'.

This feature allows JavaScript embedded in GIF files to be executed under certain circumstances. The JavaScript may point to an alternate domain (as is the case with XSS vulnerabilities).

And this is what I saw yesterday - a compromised site containing a modified GIF file which exploits this XSS vulnerability.

The GIF file contains an embedded iframe pointing to a malicious site. (Thankfully, the site is currently presenting a 'file not found' error message.)

Here's the GIF:

This is one step on from today's common web site compromises, where some JavaScript gets added to the main page.

Clicking "view source" doesn't reveal any malicious code – and this makes a quick analysis of the threat more difficult.
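Added example, not from the original post or from Kaspersky: a scanner for the two kinds of injected content this page describes, iframe/script tags injected into an HTML page (the Hong Kong site's links to exploit.html) and HTML markup hidden inside a GIF file (this post), which is exactly what "view source" on the page will not show. The sample files and the hosts www.example.org and malicious.example are constructed placeholders.

```python
import re

# An <iframe> or <script> loading from an external src: this markup has no
# business inside an image file, and in a page it is how injected content loads.
TAG_RE = re.compile(
    rb'<\s*(iframe|script)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE
)
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def find_external_refs(data: bytes, own_host: str):
    """Return (tag, src) pairs for iframe/script tags that load from a host
    other than own_host. Works on raw bytes so it can be run over image
    files as well as HTML."""
    hits = []
    for m in TAG_RE.finditer(data):
        tag = m.group(1).lower().decode()
        src = m.group(2).decode(errors="replace")
        if src.startswith(("http://", "https://", "//")):
            host = src.split("//", 1)[1].split("/", 1)[0].lower()
            if host != own_host:
                hits.append((tag, src))
    return hits


def scan_gif(data: bytes, own_host: str):
    """Check the GIF signature, then look for markup hidden in the body.
    A genuine GIF holds only image blocks and a 0x3B trailer; any tag found
    is content waiting to be sniffed as HTML by a lenient browser."""
    if not data.startswith(GIF_MAGICS):
        return {"valid_header": False, "refs": []}
    return {"valid_header": True, "refs": find_external_refs(data, own_host)}


# Constructed samples (not the files from the incidents); malicious.example is a
# placeholder host, exploit.html is the page name mentioned in the Hong Kong post.
OWN_HOST = "www.example.org"
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
TROJANIZED_GIF = (
    CLEAN_GIF[:-1]
    + b'<iframe src="http://malicious.example/exploit.html" width=0 height=0></iframe>;'
)
INJECTED_HTML = (
    b'<html><body><script src="http://www.example.org/site.js"></script>'
    b'<iframe src="http://malicious.example/exploit.html" style="display:none"></iframe>'
    b"</body></html>"
)
```

The site's own script on www.example.org is not reported; only the off-site iframe is, in both the page and the image.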

Following this discovery we've contacted Microsoft again – hopefully they'll reconsider their position on this issue.
