English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Software |Adobe Updates April 2014

Roel
Kaspersky Lab Expert
Posted April 08, 20:38  GMT
Tags: Adobe
0
 

This month's Adobe Patch Tuesday revolves around Flash. This means the zero-days used by VUPEN to exploit Adobe Reader at CanSecWest last month go unpatched.

CVE-2014-0506 and CVE-2014-0507 deal with remote code execution and were both used separately at CanSecWest's Pwn2Own. (It looks like these CVEs were initially assigned CVE-2014-0511 and CVE-2014-0510.)

0
 

Absolutely all of the latest versions of Microsoft Word and some versions of Internet Explorer maintain critical vulnerabilities enabling remote code execution. Today, Microsoft releases two critical patches to close multiple vulnerabilities with each. Two important updates are released to address a batch file handling issue and another RCE hole in Microsoft Publisher. All of these are addressed with MS14-017 through MS14-020.

Both end users of Microsoft Office software and system administrators of SharePoint portals, Microsoft Office Web Apps servers, and even Apple Office for Mac users need to download and install these patches: MS14-017 and MS14-018.

These sorts of Office vulnerabilities are commonly and frequently the delivery vector for targeted attack spearphishing campaigns. Red October, NetTraveler, and Icefog, all abused Office vulnerabilities in their spearphishing campaigns. There are many more of these groups, and they will continue to actively pursue potential victims, in part using exploits for Office applications.

On the brighter side, Microsoft is doing a fantastic job of consistent response and update delivery. Accordingly, their software, while it continues to be heavily used, does not continue to remain even in the top 10 vulnerable software applications that we see. Those spots still go to Oracle's Java, Adobe's Flash and Photoshop, Apple's Quicktime, WinRAR, WinAmp and other media players, and other apps that are frequently targeted by commodity exploit packs.

Follow me on Twitter

The Internet Explorer vulnerabilities do not hit all of the Microsoft platforms in the same manner as the Word vuln this month, although critical RCE is enabled by every version of unpatched Internet Explorer code on at least one version of every Microsoft Windows platform. So, Internet Explorer 6, which no one should be using, maintains critical RCE on the now unsupported Windows XP SP3 and XP Pro x64 SP2. IE 7, 8, 9 all maintain critical RCE as well. Internet Explorer 10 is not affected. IE 11 on Windows 7 and Windows 8.1 maintains critical RCE, but moderate severity on Windows Server 2008 and Windows 2012 R2. The Windows Update software will smoothly make sense of all of the versioning and patch needs for you when run. Nonetheless, there are serious issues here that exploit packs likely will attack with fresh exploit code.

Comment      Link

Software |The End of Microsoft’s Support for Windows XP

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted January 07, 11:35  GMT
Tags: Microsoft Windows, Microsoft
0.3
 

This will take place on April 8, 2014 and Microsoft has already announced this publicly.  This would not be a problem if all Windows users would have already migrated to more recent versions of Windows or do so by the mentioned date. However, according to our statistics based on the KSN technology during the last 30 days, 18% of Windows users worldwide still use the XP platform.
 

Software |iOS update available - version 7.0.4 is here

Stefan Tanase
Kaspersky Lab Expert
Posted November 15, 11:09  GMT
Tags: Apple iPhone, Apple, Vulnerabilities
0.3
 

This week, Apple has released a small but very important update to their popular mobile operating system - iOS 7.0.4. According to the details provided, by Apple, the update comes with several bug fixes and improvements, including a fix for an issue that causes FaceTime calls to fail in some cases.

But the latest iOS update also comes with an important security fix for CVE-2013-5193, a vulnerability allowing App and In-App purchases to be completed with insufficient authorization - meaning that the password prompt presented to a signed in user before making an App purchase could have been bypassed and the transaction completed without providing a password.

Why are updates so important?

This software update for iOS, just like many other software updates for any platform, shows once again the importance of updating. Updates don’t just fix innocent bugs, they don’t just improve the user’s experience. They do that, yes, but most of the times updates also fix security vulnerabilities which can be exploited in-the-wild.

How to update your iOS device?

The quickest way to update your iPhone, iPad or iPod touch is to do it directly from the device. Just make sure you have everything backed up before you proceed, that you are connected to a WiFi network and the device has enough power, then just go to Settings › General › Software Update. If an update is available, tap Download, then Install.

You can also update your device through iTunes, while it’s connected through a cable. For more details and tips, Apple has a complete step-by-step guide available here: http://support.apple.com/kb/HT4623

Comment      Link
0.3
 

Microsoft's 2013 Treehouse of Horror Bulletins include a long list of fixes for memory corruption vulnerabilities effecting mostly previous versions of the software, and not the latest versions. Of immediate interest to most Windows users are the critical vulnerabilities being patched in Internet Explorer, multiple Windows drivers, and the .Net Framework which even effects the latest versions of Windows 8 and Windows Server 2012. Systems administrators at organizations also may pay immediate attention to the critical vulnerabilities in the Windows Common Control Library patched by MS13-083, which enables server side ASP.NET webapp exploitation on 64 bit systems. MS13-080 through MS13-087 include four Bulletins rated critical and four Bulletins rated Important addressing 26 vulnerabilities.

Much of the list of ghoulish October Bulletins appears to be similar to September's list, but the news of note this month is that the Internet Explorer vulnerabilities CVE-2013-3893 and CVE-2013-3897 are being exploited as a part of targeted attacks. We have been monitoring the situation in Japan and southeastern asia, where attackers have been using exploits that succesfully pop Internet Explorer versions 8 and 9.

It's somewhat surprising that the Office vulnerabilities effecting Office 2003 and 2007 are only being rated "important" this month being patched with MS13-084, MS13-085, and MS13-086, considering that Microsoft Excel and Word have been leading vectors of spearphishing attacks for the past year or so. The vulnerabilities enable remote code execution on systems where the user is duped into opening the attachment.

Follow me on Twitter

Interesting and unusual is this month's Windows Common Control Library vulnerability effecting only x64 ASP.NET web applications. Attackers may send a pre-authentication web request to web applications attacking integer overflow vulnerability CVE-2013-3195 enabling remote code execution. System admins following best practices may end up with process running on their web servers with local user rights.

Full ghastly October Bulletin details on Microsoft's Technet site here. Microsoft's Update software is a convenient and easy way to update your system software every month. If you are running Microsoft software, please go ahead and do so now.

comments      Link
0.4
 

Microsoft releases a long list of security bulletins this month on the server and client side, patching a longer list of vulnerabilities in this month's array of technologies. Only four of the bulletins are rated "critical" this month: Internet Explorer, a variety of built-in Windows components, and Sharepoint and Office Web Services. Thirteen security bulletins are released in total, patching almost fifty vulnerabilities. Mostly every one of this month's vulnerabilities were reported privately, other than the XSS vulnerability in Sharepoint, which Microsoft claims would be difficult to exploit. In all likelihood, at some point Windows folks will have to reboot following download and install of around 100Mb of system updates this month.

For mass exploitation purposes, the most problematic issues have to do with Internet Explorer, with working exploits likely being developed in the near future to attack these memory corruption vulnerabilities. These are the sort of things that can happen to anyone online, so all Windows users should address them asap. These ten vulnerabilities enable remote code execution across all supported versions of IE across all Windows clients and servers, so most likely, they will receive immediate attention from the offensive security global peanut gallery.

Follow me on Twitter

On the targeted attack side, Sharepoint and Web Office Service administrators need to be aware of the critical vulnerabilities addressed with the large cumulative update MS013-067. Flaws in this code base enable RCE that could be exploited with the spear phishing techniques very commonly and effectively in use.

Also problematic from both perspectives is this interesting Outlook update, which patches a flaw in Outlook 2007 and 2010 S/MIME handling. It can be triggered in preview mode, which seems to make this the first severe, potentially wormable issue seen in Outlook in years. Patch immediately.

The long list of important updates are presented at Microsoft's Technet site here.

Comment      Link
0.2
 

Today, Microsoft released a set of eight security Bulletins (MS13-059 through MS13-066) for a broad variety of vulnerable technologies and exploit categories. The critical vulnerabilities are not known to be exploited publicly at the time of Bulletin release. The more interesting Bulletins this month address RCE and EoP vulnerabilities in Internet Explorer, Windows components, and yet again Exchange/OWA components licensed from Oracle. Also included in this month's release are fixes for RPC, kernel drivers, Active Directory, and the networking stack.

MS13-059 is the priority update to roll out across Windows clients, as it fixes nine critical memory corruption vulnerabilities (that look like use-after-free to me) in IE6, IE7, IE8, IE9, IE10 and even IE11 preview on Windows 8.1 preview, along with XSS due to flawed Kanji font handling and flawed code in the "Windows Integrity Mechanism", which is used for sandboxing apps like Internet Explorer, Adobe Reader and Google Chrome. On Windows server, the maximum severity is "Moderate" and doesn't effect "Server Core" installations at all. Admins need to refer to the severity ratings and maximum impact table to prioritize server patch deployments, but those that need to prioritize patch deployments probably shouldn't surf the web from these types of systems anyway.

Follow me on Twitter

MS13-060 corrects code in the Unicode Scripts Processor implementing OpenType font handling, a format developed by Microsoft and Adobe over the past decade built on top of the TrueType format, in USB10.dll. This dll is used by Windows and all sorts of third party applications to handle right-to-left scripts like Arabic and Hebrew, and other complex fonts like Indian and Thai scripts too. The vulnerability is a user mode vulnerability that effects only Windows XP SP 2 and 3 (64 bit too) and Windows 2003 versions. These types of systems continue to be widely deployed, especially in government and critical infrastructure systems around the world. Exploits may be delivered via spearphish, as in the Duqu incident, or via a web page for a browser like Internet Explorer, as in Duqu copycat malcode like the Blackhole exploit pack that continues to be widely distributed and highly active.

Another interesting update includes MS13-061 that patches code in third party components built by Oracle and licensed by Microsoft for Outlook Web Access on Exchange Server 2007, 2010, and 2013. Applying the patch will not require a system reboot, but it will restart related Exchange services. The interesting thing about this critical set of issues is that they enable exploitation of the WebReady Document Viewing and Data Loss Prevention features on OWA for code execution not on the client system, but on the server itself with LocalService credentials. So a client system browsing code sent to their email account can remotely execute code on the server in the service's context, which is very problematic.

Please review the set and update ASAP. While most of the vulnerabilities this month were privately reported, these present high risk opportunities and the Exchange issues and exploitation are publicly known.

Comment      Link
0.3
 

As promised in Microsoft's July Advance Notification, Microsoft ships seven security bulletins this month (MS13-052 - MS13-058). At least 34 CVE are being patched. Six of the Security Bulletins are rated "critical" due to remote code execution issues. The vulnerabilities being fixed this month enable RCE across all versions of Windows operating systems, but most of these serious flaws have all been privately reported and there is no indication that they are publicly known or exploited yet. Some however, are publicly known and drew attention from a number of exploit developers.
The kernel mode vulnerability, CVE-2013-3172 is publicly known, along with another kernel mode bug publicly disclosed by Tavis Ormandy in May. Unfortunately, an exploit abusing that vulnerability was touched up by another contributor and then already integrated into metasploit for public distribution and use.
It's also interesting that the update for the kernel mode TrueType Font Parsing CVE-2013-3129 bug effects code paths in seven different software packages (Office, Lync, Visual Studio, .NET, Silverlight, and "Windows components") updated separately by Security Bulletins MS13-052, MS13-053, and MS13-054.

Internet Explorer receives the bulk of attention, with sixteen RCE bugs and one "information disclosure" bug all fixed up in one tidy bulletin, MS13-055. All of these but one are memory corruption issues, and all versions of IE across all operating systems are effected by one or another of these RCE issues.

Serious issues in multiple graphics components are being addressed this month.

Serious memory corruption flaw CVE-2013-3174 is being fixed in DirectShow that enables RCE across all supported Windows OS. DirectShow handles multimedia streaming, and the software mishandles .gif files, an ancient file format designed back in the day of 8-bit video, Windows 3.1 and x486. The major issue here is that this RCE exists across all versions of Windows.

A WMV decoding flaw is implemented in several dlls (wmvdecod.dll, wmvdmod.dll, and wmv9vcm.dll) that enables RCE. The dlls support Windows Media Player and the Windows Media Fomat Runtime across all versions of Windows except the server code installs. But, some administrators may have enabled the optional "Desktop Experience" and installed these dlls. These dlls are not all installed on each OS by default, so not all systems require MS13-056 DirectShow update.

TrueType font parsing, the software functionality attacked in targeted attacks including the Duqu campaign and currently a part of the Blackhole exploit kit, again enables exploitation of another vulnerability in kernel mode graphics handling component GDI+. This bug also exists across all versions of Windows.

The metasploit code attacking CVE-2013-3172 and patched with MS13-053 is currently limited to escalation of privilege, but with all the interest, this one may soon publicly become full RCE. Considering that the bug was publicly circulated in May, it is great to see Microsoft finally roll out a full patch for this one, because in addition to this month's TrueType handling fix, this win32k.sys vulnerability enables RCE across all versions of the Windows OS, including Windows 2012 core server installations.

.NET and Silverlight are being patched with one bulletin, and a couple of the bugs are publicly known.

Comment      Link
0.2
 

Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and the kernel software vulnerabilities. In all, ten critical "use-after-free" vulnerabilities are patched in IE along with one important Information Disclosure vulnerability, and three elevation of privilege vulnerabilities are being patched as well. Almost all of these IE vulnerabilities were reported by external security researchers working through HP's Zero Day Initiative.

The recent Internet Explorer 8 0day implemented with ROP to work across ASLR-protected Windows 7, hosted on the compromised Department of Labor website and others, was used as a part of a targeted attack watering hole campaign suggested to be run by known threat actor "DeepPanda". This IE 0day was reported by the guys over at FireEye and iSight Partners. It is being patched with Security Bulletin MS13-038. The others may not have been actively used by threat actors, but as always, it is very important for all Internet Explorer users to update these asap and avoid being a victim of the more common financially motivated mass-exploitation schemes.

A bit less sexy but very important for organizations to update are the three "Important" kernel escalation of privilege vulnerabilities. While these have not yet been known to be publicly exploited, EoP are actively deployed for post-exploitation purposes and are a significant part of any infiltration exercise. All three of these problems were reported by external security researchers, to whom Microsoft extended a "thanks".

Organizations should also be aware that Http.sys in Windows 8, Windows RT and Windows 2012 is vulnerable to denial of service attacks, but exploiting this bug appears to be very difficult. Accordingly, they are rating it "Important".

Other client side apps are being patched with "Important" rated updates as well, including Word, Publisher, and more. More information on all of these updates can be found over at Microsoft's summary.

Also today, Adobe's PSIRT pushed several important updates in ColdFusion (in the crosshairs for persistent attackers on organizations) and both of their big client side apps Flash and Reader/Acrobat.

Comment      Link
0.3
 

Microsoft released two Bulletins this month patching 3 critical vulnerabilities. Along with these immediate issues, they released five other Bulletins rated "Important". It appears that the two critical Bulletins address use-after-free vulnerabilities that can all be attacked through Internet Explorer.

For the Windows workstation environments, all versions of Internet Explorer need to be patched asap, including v10 preview running on Windows RT. The patch for Internet Explorer 10 on Windows RT is available at the "Windows Update" site.

In addition to the privately reported vulnerabilities in Internet Explorer code itself, the Remote Desktop Connection v6.1 Client and Remote Desktop Connection v7.0 Client ActiveX components on XP, Vista, and Windows 7 are vulnerable. Microsoft's SRD team expects to see exploits available within 30 days targeting CVE-2013-1296.

Of the "Important" vulnerabilities, interesting to note is a privately reported Elevation of Privilege issue CVE-2013-0078, which is a bug in the Windows Defender anti-malware engine running on Windows 8 and Windows RT. This vulnerability could be used by an insider or determined adversary to gain further access, and not a type of vulnerability usually hit by mass exploitation kits. Within organizations, this is something to quickly address, but generally individuals do not need to urgently address this type of issue.

See Microsoft's Security Bulletin Summary for April 2013 for the full list of this month's Bulletin releases.

Comment      Link