Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and another six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.

Several of the vulnerabilities have been actively exploited as part of targeted attacks around the world, and one of them is known to have been in the wild (ITW) for at least six months or so.

The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a. We have seen a small number of ITW variants exploiting this vulnerability via a malformed TIFF file, all dropping backdoors such as Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors that got their hands on it since this July, and a wide-reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace CVE-2012-0158 as a part of targeted attacks in terms of overall volume.


The Internet Explorer Bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, any one of which affects Internet Explorer 6 on Windows XP SP3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1. We expect to see exploits for some of these vulnerabilities included in commodity exploit packs.

Finally, another critical vulnerability exists in the Windows Scripting Engine as yet another "use after free", which unfortunately enables remote code execution across every version of Windows out there and can be attacked via any of the common web browsers. Patch!

This post will likely be updated later today, but in the meantime, more about this month's patches can be found at the Microsoft site.


Microsoft Updates November 2013 - Burning the 0day

Kurt Baumgartner
Kaspersky Lab Expert
Posted November 12, 19:01 GMT
Tags: Microsoft, Patch tuesday

Microsoft's November 2013 Patch Tuesday delivers a set of three critical Bulletins and five Bulletins rated "important". This month's MS13-088 patches eight critical vulnerabilities and two important vulnerabilities in Internet Explorer. Overall, Microsoft is addressing 19 issues in Internet Explorer, Office and Windows itself.

The star of the show is MS13-090 which addresses CVE-2013-3918, an ActiveX vulnerability being attacked through Internet Explorer, revealed on the 8th by the guys at FireEye to be abused by a long running APT operation they call "DeputyDog". As a part of this operation, the group strategically popped yet another carefully selected web site, then redirected those visitors to their 0day attack. Simply labelling it "just another watering hole" may not fully describe the amount of planning and preparation that goes into selecting the web site property to compromise, and then burn the 0day on attack activity. The identity of the compromised web property in this case has not been publicly disclosed to date. The timing of this 0day delivery could quite possibly reveal the operational maturity of this group as well. On another note, I don't know if I missed something, but in my decade or so of reviewing shellcoding techniques, I don't think that I have ever seen "CreateRemoteThread" used to deliver a payload in a significant exploit.


At the same time, another whopping eight flaws are being fixed in Internet Explorer with MS13-088. No doubt these should be patched by organizations immediately, as the memory corruption issues invite exploit development attention. A few of the eight CVEs include "information disclosure" issues, which enable exploit developers to advance their exploit code further into process space and are serious issues.

Surprisingly, Microsoft is patching code in their WordPerfect converter "wpft532.cnv" for stack overflow issue CVE-2013-1324. This vulnerability enables spearphish attacks across all versions of their OS, but on 64-bit platforms the component may not be present. I didn't expect to write about a stack BoF in their code at the end of 2013, but hey, it's tricky stuff.

More about this month's patches can be found at the Microsoft site.

Microsoft releases a long list of security bulletins this month on the server and client side, patching a longer list of vulnerabilities in this month's array of technologies. Only four of the bulletins are rated "critical" this month: Internet Explorer, a variety of built-in Windows components, and Sharepoint and Office Web Services. Thirteen security bulletins are released in total, patching almost fifty vulnerabilities. Nearly every one of this month's vulnerabilities was reported privately, other than the XSS vulnerability in Sharepoint, which Microsoft claims would be difficult to exploit. In all likelihood, at some point Windows folks will have to reboot following download and install of around 100Mb of system updates this month.

For mass exploitation purposes, the most problematic issues have to do with Internet Explorer, with working exploits likely being developed in the near future to attack these memory corruption vulnerabilities. These are the sort of things that can happen to anyone online, so all Windows users should address them asap. These ten vulnerabilities enable remote code execution across all supported versions of IE across all Windows clients and servers, so most likely, they will receive immediate attention from the offensive security global peanut gallery.


On the targeted attack side, Sharepoint and Web Office Service administrators need to be aware of the critical vulnerabilities addressed with the large cumulative update MS13-067. Flaws in this code base enable RCE that could be exploited with the spear phishing techniques very commonly and effectively in use.

Also problematic from both perspectives is this interesting Outlook update, which patches a flaw in Outlook 2007 and 2010 S/MIME handling. It can be triggered in preview mode, which seems to make this the first severe, potentially wormable issue seen in Outlook in years. Patch immediately.

The long list of important updates is presented at Microsoft's Technet site here.

Today, Microsoft released a set of eight security Bulletins (MS13-059 through MS13-066) for a broad variety of vulnerable technologies and exploit categories. The critical vulnerabilities are not known to be exploited publicly at the time of Bulletin release. The more interesting Bulletins this month address RCE and EoP vulnerabilities in Internet Explorer, Windows components, and yet again Exchange/OWA components licensed from Oracle. Also included in this month's release are fixes for RPC, kernel drivers, Active Directory, and the networking stack.

MS13-059 is the priority update to roll out across Windows clients, as it fixes nine critical memory corruption vulnerabilities (that look like use-after-free to me) in IE6, IE7, IE8, IE9, IE10 and even IE11 preview on Windows 8.1 preview, along with XSS due to flawed Kanji font handling and flawed code in the "Windows Integrity Mechanism", which is used for sandboxing apps like Internet Explorer, Adobe Reader and Google Chrome. On Windows server, the maximum severity is "Moderate" and it doesn't affect "Server Core" installations at all. Admins need to refer to the severity ratings and maximum impact table to prioritize server patch deployments, but those that need to prioritize patch deployments probably shouldn't surf the web from these types of systems anyway.


MS13-060 corrects code in the Unicode Scripts Processor implementing OpenType font handling, a format developed by Microsoft and Adobe over the past decade and built on top of the TrueType format, in USP10.dll. This dll is used by Windows and all sorts of third party applications to handle right-to-left scripts like Arabic and Hebrew, and other complex scripts like Indian and Thai too. The vulnerability is a user mode vulnerability that affects only Windows XP SP2 and SP3 (64-bit too) and Windows 2003 versions. These types of systems continue to be widely deployed, especially in government and critical infrastructure systems around the world. Exploits may be delivered via spearphish, as in the Duqu incident, or via a web page for a browser like Internet Explorer, as in Duqu copycat malcode like the Blackhole exploit pack that continues to be widely distributed and highly active.

Another interesting update includes MS13-061 that patches code in third party components built by Oracle and licensed by Microsoft for Outlook Web Access on Exchange Server 2007, 2010, and 2013. Applying the patch will not require a system reboot, but it will restart related Exchange services. The interesting thing about this critical set of issues is that they enable exploitation of the WebReady Document Viewing and Data Loss Prevention features on OWA for code execution not on the client system, but on the server itself with LocalService credentials. So a client system browsing code sent to their email account can remotely execute code on the server in the service's context, which is very problematic.

Please review the set and update ASAP. While most of the vulnerabilities this month were privately reported, these present high risk opportunities and the Exchange issues and exploitation are publicly known.

Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and the kernel software vulnerabilities. In all, ten critical "use-after-free" vulnerabilities are patched in IE along with one important Information Disclosure vulnerability, and three elevation of privilege vulnerabilities are being patched as well. Almost all of these IE vulnerabilities were reported by external security researchers working through HP's Zero Day Initiative.

The recent Internet Explorer 8 0day implemented with ROP to work across ASLR-protected Windows 7, hosted on the compromised Department of Labor website and others, was used as a part of a targeted attack watering hole campaign suggested to be run by known threat actor "DeepPanda". This IE 0day was reported by the guys over at FireEye and iSight Partners. It is being patched with Security Bulletin MS13-038. The others may not have been actively used by threat actors, but as always, it is very important for all Internet Explorer users to update these asap and avoid being a victim of the more common financially motivated mass-exploitation schemes.

A bit less sexy but very important for organizations to update are the three "Important" kernel escalation of privilege vulnerabilities. While these have not yet been known to be publicly exploited, EoP are actively deployed for post-exploitation purposes and are a significant part of any infiltration exercise. All three of these problems were reported by external security researchers, to whom Microsoft extended a "thanks".

Organizations should also be aware that Http.sys in Windows 8, Windows RT and Windows 2012 is vulnerable to denial of service attacks, but exploiting this bug appears to be very difficult. Accordingly, they are rating it "Important".

Other client side apps are being patched with "Important" rated updates as well, including Word, Publisher, and more. More information on all of these updates can be found over at Microsoft's summary.

Also today, Adobe's PSIRT pushed several important updates in ColdFusion (in the crosshairs for persistent attackers on organizations) and both of their big client side apps Flash and Reader/Acrobat.

Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other Bulletins rated "Important". It appears that the two critical Bulletins address use-after-free vulnerabilities that can all be attacked through Internet Explorer.

For the Windows workstation environments, all versions of Internet Explorer need to be patched asap, including v10 preview running on Windows RT. The patch for Internet Explorer 10 on Windows RT is available at the "Windows Update" site.

In addition to the privately reported vulnerabilities in Internet Explorer code itself, the Remote Desktop Connection v6.1 Client and Remote Desktop Connection v7.0 Client ActiveX components on XP, Vista, and Windows 7 are vulnerable. Microsoft's SRD team expects to see exploits available within 30 days targeting CVE-2013-1296.

Of the "Important" vulnerabilities, interesting to note is a privately reported Elevation of Privilege issue CVE-2013-0078, which is a bug in the Windows Defender anti-malware engine running on Windows 8 and Windows RT. This vulnerability could be used by an insider or determined adversary to gain further access, and not a type of vulnerability usually hit by mass exploitation kits. Within organizations, this is something to quickly address, but generally individuals do not need to urgently address this type of issue.

See Microsoft's Security Bulletin Summary for April 2013 for the full list of this month's Bulletin releases.

Today's February Microsoft Security Bulletin release patches a long list of vulnerabilities. However, only a subset of these vulnerabilities are critical. Four of them affect client-side software and one affects server-side software: Internet Explorer, DirectShow media processing components (with web browsers or Office software as the delivery vector), OLE automation components (APT-related spearphish), and the specially licensed "Oracle Outside In" components hosted by Microsoft Exchange, which could be used to attack OWA users. These critical vulnerabilities all potentially enable remote code execution, as does the Sharepoint server related Bulletin rated "important" this month. The other vulnerabilities enable Elevation of Privilege and Denial of Service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited. A large number of the CVEs being patched are in the kernel code, so this month most everyone should expect to manage a reboot.

The long list of CVEs patched by MS13-016 all address race conditions that were privately reported in win32k.sys, which all enable non-trivial EoP attacks. This lessens the severity of the issue, as evidenced by the recent RDP vulnerability that attracted so much attention at the end of this past year.

So, we should focus immediate efforts on the handful of critical RCE this month.

Microsoft released 13 bulletins addressing 22 CVE's in its own software: Microsoft Windows, Office, Internet Explorer, .NET and Visual Studio. We'll be watching for Adobe to coordinate any release of their own updates today.

This month's release of 13 bulletins is a sizable one, following up on Microsoft's four bulletin release last month. Everything from Microsoft operating system kernel and networking components to their Microsoft Internet Explorer web browser and development products are impacted to patch information disclosure, denial of service, memory corruption, and elevation of privilege vulnerabilities.

Of the long list, a few appear to be the most severe. All versions of Microsoft's Internet Explorer across mostly all of the Windows operating systems are impacted in serious ways. Remote code execution exploits are possible along with information disclosure and less serious denial of service attacks. Microsoft Excel is affected by the manner in which its Windows Data Access Tracing component loads external libraries. An Excel file could be shared on a WebDAV directory along with a maliciously modified library. When it's opened, the library would load and execute on the system with the same privileges as the user that opened the Excel file. For vulnerabilities like these, we will be monitoring for related exploit inclusion in underground market exploit packs like BlackHole, NeoSploit and Phoenix, which is always a bad thing. Visio is also at risk of remote code execution for a second month in a row as attackers serve up modified Visio files. But we won't see its inclusion in the packs because of its low install base numbers.

Four of these Microsoft Security Bulletins patch vulnerabilities that may lead to severe problems like remote code execution, which are often included as a part of client-side drive-by attacks in exploit packs. But this month one of the more interesting vulnerabilities is server-side and may lead to remote code execution on Microsoft DNS servers. This one may be timely because of suggestions that the ongoing progress to DNSSEC implementation will alleviate the problems that the PKI infrastructure has seen related in certificate authorities, a huge subject Moxie Marlinspike addressed at Blackhat last week.

As always, we recommend patching your systems asap. Cheers to a problem free patch Tuesday!

Discussion of this month's patch Tuesday is overshadowed by the massive releases from spearphishing, web and SQLi attacks reported in the media. Four bulletins are being released to address 22 CVE records, or sets of vulnerabilities.

Two of the vulnerabilities that immediately enable remote code execution are the Bluetooth-related vuln, however unreliable attacking it may be, and a Visio vuln. A set of vulnerabilities in the CSRSS leading to elevation of privilege and a long set of win32k flaws are also addressed.

Microsoft prioritizes deployment of the Bluetooth patch on Vista and Windows 7 client platforms highest. Servers should not be affected. I suppose that in close working environments, it could potentially enable a worm. But the likelihood of another Cabir is low. High value targeted attacks seem to be more of a risk.

The Visio vulnerability was publicly known and PoC released since at least August of last year. Some of our generic detections most likely would have prevented exploitation of this vuln. We are researching for any evidence of related exploitation and will update accordingly.

If you see any problems from the kernel level patches, please comment below, I am interested. Win32k modifications have caused users problems in the past. Cheers to problem free patching!

This month's patch Tuesday is a sizable one by any standards, following the quiet Tuesday that my colleague Roel Schouwenberg described last month. Microsoft is patching a total of 34 vulnerabilities in 16 bulletins, MS11-038 through MS11-051. At least eight different Microsoft product lines are updated, and Adobe is coordinating release of Reader, Acrobat, Shockwave and Flash updates as well today.

So we are looking at patching the following programs:
Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, ISA and Adobe Reader, Acrobat, Shockwave and Flash player. More than half of the vulnerabilities being patched exist in the Internet Explorer and Microsoft Excel software components, frequent targets of drive-by and spear phishing attacks.

Most interesting is MS11-050, a single patch that knocks out 11 separate Internet Explorer vulnerabilities, some enabling information disclosure (cookiejacking), memory corruption and remote code execution: CVE-2011-1250, CVE-2011-1251, CVE-2011-1252, CVE-2011-1254, CVE-2011-1255, CVE-2011-1256, CVE-2011-1260, CVE-2011-1261, CVE-2011-1262. The additional VML patch MS11-052 knocks out another Internet Explorer vulnerability, CVE-2011-1266.

Microsoft already pointed out that the Internet Explorer patch addressing "cookiejacking" is not a particularly high risk issue because it is relatively unknown to them as an attack vector, and because there are more substantial social engineering techniques. While those points may be true, now that the techniques are more widely discussed, the risk of them being abused by more attackers goes up as well.

Eight different privately reported vulnerabilities are being patched in Microsoft Excel alone by MS11-045, each of which allows for remote code execution. We are still reviewing why the patch is rated "important" and not critical for the various Excel versions.

The patches that stand out result in remote code execution within Internet Explorer, Office and Silverlight. The recent history of attacks on consumer and corporate users, including the many successful spear phishing and APT attacks should help increase the urgency of these patches.

On the server side in the cloud, Microsoft is patching a vulnerability that could be abused in a DoS attack that could only be staged from within the cloud. MS11-047 is rated an "Important" patch for Windows 2008 versions, correcting a flaw in Hyper-V where a guest could send a malformed packet to the VMBus and result in denial of service on the server. MS11-039 is the Silverlight patch that could not only be used in a remote code execution attack on the client side, but also can be used to remotely run arbitrary code on vulnerable IIS web servers.

At least eight of the nine patches rated "Critical" require a restart, so be prepared for this interruption. We recommend applying all of this month's released patches asap.
