<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>The Laws of Vulnerabilities</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/" />
    <link rel="self" type="application/atom+xml" href="http://laws.qualys.com/lawsblog/atom.xml" />
    <id>tag:laws.qualys.com,2008-02-21:/lawsblog//4</id>
    <updated>2010-03-11T16:03:01Z</updated>
    <subtitle>The Laws of Vulnerabilities</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Commercial 4.23-en</generator>

<entry>
    <title>Update on Internet Explorer 0-day</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/03/update-on-internet-explorer-0-.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.251</id>

    <published>2010-03-11T15:52:36Z</published>
    <updated>2010-03-11T16:03:01Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="0day" label="0-day" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="internetexplorer" label="internet explorer" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="microsoft" label="microsoft" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[The exploit for the Internet Explorer 6 and 7 vulnerability announced yesterday (<a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">KB981374</a>) is now public. Late yesterday, <a href="http://twitter.com/Trancer00t/status/10290064534">Moshe Ben Abu</a> published a <a href="http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/">Metasploit module</a> for the exploit after tracking it down to a webpage.
<br><br>   
> But Microsoft also released advisory KB981374 which describes a 0-day vulnerability
<br>
> reported to Microsoft only recently. At the moment only a limited number of targeted
<br>
> attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason 
<br>
> to update to this latest version of IE. There are not a lot of details available on the 
<br>
> vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.]]>
        
    </content>
</entry>

<entry>
    <title>More on March&apos;s Patch Tuesday... </title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/03/more-on-marchs-patch-tuesday.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.250</id>

    <published>2010-03-10T01:25:51Z</published>
    <updated>2010-03-10T01:28:51Z</updated>

    <summary></summary>
    <author>
        <name>Qualys, Inc.</name>
        <uri>http://www.qualys.com</uri>
    </author>
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[ <object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/isRdugnT6tg&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/isRdugnT6tg&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"></object>]]>
        
    </content>
</entry>

<entry>
    <title>Patch Tuesday Bottomline - March 2010</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/03/patch-tuesday-bottomline---mar.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.249</id>

    <published>2010-03-09T18:39:53Z</published>
    <updated>2010-03-11T23:07:20Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="ie" label="IE" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="internetexplorer" label="Internet Explorer" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="macosx" label="Mac OS X" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="microsoft" label="Microsoft" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="moviemaker" label="Movie Maker" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="office" label="Office" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="patchtuesday" label="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="producer" label="Producer" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="qualys" label="Qualys" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[ Contrary to what we expected last week, the Microsoft March Security announcements have a little surprise in them. 
<br /><br />
The standard bulletins cover Windows Movie Maker/Producer and Office:
<ul>
<li><a href="http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx">MS10-016</a> - possible code execution in Windows Movie Maker - ranked important: an attacker can send a malicious file to the target. When the file is opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions. While Windows 7 does not ship with a vulnerable version, a user could have downloaded and installed the 2.6 version, which is affected. The bulletin does not provide a patch for the also affected Windows Producer, a little-used multimedia add-on to PowerPoint.
</li><li><a href="http://www.microsoft.com/technet/security/bulletin/ms10-017.mspx">MS10-017</a> - possible code execution in Microsoft Excel - ranked important as well. This bulletin covers 7 vulnerabilities, all of them file format based. All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target into opening a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of the vulnerabilities listed, so we suggest putting this patch on a fast installation schedule. Attack vectors also include Excel Viewer and SharePoint Server.
</li></ul>
But Microsoft also released advisory <a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">KB981374</a> which describes a 0-day vulnerability reported to Microsoft only recently. At the moment only a limited number of targeted attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason to update to this latest version of IE. There are not a lot of details available on the vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory. 
<br /><br />
No major updates on advisory <a href="http://www.microsoft.com/technet/security/advisory/981169.mspx">KB981169</a>, also for Internet Explorer, which requires the target to press F1 to launch the attack and can best be avoided by user education.
<br /><br />
References:
<ul>
<li><a href="http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx">Microsoft March 2010 Bulletin</a></li><li><a href="http://www.qualys.com/research/alerts/view.php/2010-03-09">Qualys Security Alert</a><br /></li></ul>]]>
        
    </content>
</entry>

<entry>
    <title>Patch Tuesday - Preview for March 2010</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/03/patch-tuesday---preview-for-ma-1.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.244</id>

    <published>2010-03-04T19:25:39Z</published>
    <updated>2010-03-09T17:34:30Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="microsoftoffice" label="microsoft office" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="patchtuesday" label="patch tuesday" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="vista" label="vista" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="vulnerabilities" label="vulnerabilities" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="windows" label="windows" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="windows7" label="windows 7" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[After the massive February update, Microsoft will release only 2 bulletins next week. Both are rated as "important," a medium criticality rating for Microsoft. The first bulletin is for the Windows Operating System, affecting only the desktop platforms XP, Vista and Windows 7. The second bulletin is for Microsoft Office and applies to all versions on Windows (Office XP, 2003 and 2007) and Mac OS X (Office 2004 and 2008), plus SharePoint and the Excel Viewer.
<br><br>
The lower criticality ratings allow IT admins more time to address these March bulletins. It is likely that the Office vulnerabilities should be handled first, as file format vulnerabilities in general have been on the rise in the last year and end users frequently trust open office format files such as Excel due to their business oriented, serious nature.
<br><br>
Earlier this week Microsoft issued advisory KB981169 for a clever attack through Internet Explorer. It requires the end user to press F1 in a pop-up box, so the main defense is to make your users aware of the existence of the flaw and instruct them to get in touch with IT should this happen.
<br><br>
Stay tuned for our detailed analysis next Tuesday.
<br><br>
References:
<ul>
<li><a href="http://www.microsoft.com/technet/security/Bulletin/MS10-mar.mspx">Microsoft Advanced Notification for March 2010</a></li>
<li><a href="http://www.microsoft.com/technet/security/advisory/981169.mspx">Vulnerability in VBScript Could Allow Remote Code Execution</a></li>
</ul>
]]>
        
    </content>
</entry>

<entry>
    <title>CSA Top Threat Report Coming</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/02/csa-top-threat-report-coming.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.234</id>

    <published>2010-02-22T19:34:50Z</published>
    <updated>2010-02-22T19:42:33Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Threats &amp; Worms" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[For the last couple of months we have participated in the Cloud Security Alliance's project "Top Threats to Cloud Computing". A first version will be published at RSA 2010 at the <a href="http://www.cloudsecurityalliance.org/rsa2010.html">Cloud Security Alliance Summit</a> during <a href="http://www.rsaconference.com/2010/usa/">RSA 2010</a>. 
<br><br>
Please help us with this effort by completing the <a href="http://www.surveymonkey.com/s/VRPMBRM">Top Threats Survey</a>. The survey takes about 5 minutes to complete and will help us understand whether we are on the right track with the areas covered.
<br><br>
The idea is to present summarized results of this survey at RSA. The project will continue to evolve after the conference as we incorporate your feedback.
<br><br>
Come see the results at the Cloud Security Alliance Summit!]]>
        
    </content>
</entry>

<entry>
    <title>Adobe Patching Out-Of-band - Updated</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/02/adobe-patching-out-of-band.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.232</id>

    <published>2010-02-12T18:13:43Z</published>
    <updated>2010-02-16T21:48:15Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Adobe" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[Updated: The patch for Adobe Reader (<a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">9.3.1</a>) is now available - one of the flaws, CVE-2010-0188, was found by <a href="http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx">Microsoft's Research Team</a>.
<br><br>
Adobe announced a number of updates yesterday out of their normal 3-month cycle: <a href="http://www.adobe.com/support/security/bulletins/apsb10-06.html">APSB10-06</a> addresses a critical flaw in Adobe Flash and AIR. <a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">APSB10-07</a> is the announcement for an Adobe Reader and Acrobat update that will come out next Tuesday. It is applicable to Windows, Mac OS X and Unix and is critical as well. ]]>
        
    </content>
</entry>

<entry>
    <title>More on February&apos;s Patch Tuesday... </title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/02/more-on-februarys-patch-tuesda.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.230</id>

    <published>2010-02-10T02:37:03Z</published>
    <updated>2010-02-10T02:38:09Z</updated>

    <summary></summary>
    <author>
        <name>Qualys, Inc.</name>
        <uri>http://www.qualys.com</uri>
    </author>
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[ <object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/clw2joz1zY0&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/clw2joz1zY0&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"></object>]]>
        
    </content>
</entry>

<entry>
    <title>Patch Tuesday Bottomline - February 2010</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/02/patch-tuesday-bottomline---feb.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.229</id>

    <published>2010-02-09T18:36:10Z</published>
    <updated>2010-02-10T22:43:34Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="ie" label="IE" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="microsoftpatchtuesday" label="Microsoft Patch Tuesday" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="patchtuesday" label="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[<a href="http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx">Microsoft's February 2010 Patch Tuesday</a> was slated to be the biggest release for Microsoft fixes in the last two years - 14 bulletins addressing 34 vulnerabilities. But the Google/CN Internet Explorer 0-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which constitutes one of the bigger patch Tuesdays.
<br /><br />
There are 5 critical vulnerabilities for the Windows Operating System family - the newer versions Windows 7 and Windows 2008 R2 are only affected by 3 of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008/R2 improved on the implementation of these core OS capabilities. 
<br /><br />
Overall highest on our list for patching are <a href="http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx">MS10-006</a> SMB client and <a href="http://www.microsoft.com/technet/security/bulletin/ms10-013.mspx">MS10-013</a> DirectShow, which affect all versions of Windows and have a low exploitability index. Next are <a href="http://www.microsoft.com/technet/security/bulletin/ms10-007.mspx">MS10-007</a> Shell URL handling, which is critical for Windows 2000, XP and 2003 and <a href="http://www.microsoft.com/technet/security/bulletin/ms10-008.mspx">MS10-008</a>, an update to the ActiveX Killbit settings, applicable to all platforms.
<br /><br />
<a href="http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx">MS10-012</a> is a bulletin for SMB that server administrators should focus on. It allows a malicious, unauthenticated party to launch a remote denial of service attack. In addition, remote authenticated clients can execute code using another flaw addressed in the bulletin. 
<br /><br />
<a href="http://www.microsoft.com/technet/security/bulletin/ms10-010.mspx">MS10-010</a> addresses an interesting vulnerability - it is in the hypervisor of Windows 2008. This virtualization vulnerability allows a guest operating system to crash the host operating system, affecting all virtual machines running on the same physical host. Virtualization is increasingly used in corporate IT environments and in cloud computing initiatives, and we see this class of vulnerability gaining importance. 
<br /><br />
Microsoft Office has 2 bulletins, both rated as important. While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on Mac OS X, should update as quickly as possible because file-based vulnerabilities have been a favorite of attackers in the last year.<br /><br />References:<br /><ul><li><a href="http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx">Microsoft Security Bulletin</a></li>
<li><a href="http://blogs.technet.com/srd/archive/2010/02/09/assessing-the-risk-of-the-february-security-bulletins.aspx">Technical insight from Microsoft</a></li>
<li><a href="http://isc.sans.org/diary.html?storyid=8197">SANS ranking for February 2010 patches</a></li>
</ul>


 
]]>
        
    </content>
</entry>

<entry>
    <title>IE 0-day Patched Out-Of-band</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/01/ie-0-day-patched.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.218</id>

    <published>2010-01-21T20:30:13Z</published>
    <updated>2010-01-27T23:30:33Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[Microsoft released today the patch for the critical Internet Explorer 0-day flaw that has been widely covered by us and the security community in general. <a href="http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx">MS10-002</a> fixes a total of 8 vulnerabilities, including the 0-day which is identified as CVE-2010-0249 and is attributed to Meron Sellem from <a href="http://www.bugsec.com">BugSec</a>.
<br><br> 
In the MSRC <a href="http://blogs.technet.com/msrc/archive/2010/01/21/bulletin-ms10-002-released.aspx">blog post</a> announcing the release, Microsoft gives some insight on how they were able to turn around this patch in record time. Meron had reported the vulnerability in late August of 2009 and Microsoft had it confirmed in early September. By the time of public disclosure of the attacks against <a href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html">Google</a> and others, the fix was in essence ready and tested. It was slated for release in the February Patch bulletin. Microsoft had to decide whether an out-of-band release of the patch was warranted or whether to bundle it into the February release as originally planned. An out-of-band release causes additional work for IT administrators who are tasked with addressing operating system vulnerabilities and have been feeling the strain of keeping up to date the growing number of software packages that attackers are increasingly targeting.
<br><br>
Nevertheless, given that exploits are available and that security researchers have shown that <a href="http://support.microsoft.com/default.aspx/kb/875352">DEP</a> as a defense can be circumvented, we recommend applying this update as soon as possible.
]]>
        
    </content>
</entry>

<entry>
    <title>IE 0-day Update</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/01/ie-0-day-update.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.217</id>

    <published>2010-01-20T00:08:54Z</published>
    <updated>2010-01-20T00:26:04Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[Hi this is Richie again with some updates:
<br><br>
Internally, we do not think that the IE 0-day that was released last week is something new or unique. Every couple of months a new exploit for a critical vulnerability is discovered in the browser space and all major browsers see their share. Exploits of these types are commonly used in targeted attacks ("spear-phishing") against corporations. What is new is that the affected organizations are coming forward with information on the attacks - a positive trend that we encourage and hope will continue.
<br><br>
Technically, the attack was focused on the browser/OS combination IE6 and Windows XP, both close to 10 years old and near end of life. Microsoft has put a lot of work into increasing attack mitigation and surface hardening that reduces the risk of successful exploitation on newer versions of the Windows Operating System (Vista, Windows 2008, Windows 7). In general, users should upgrade to a modern OS/browser combination; at minimum, the browser should be updated to IE8 or another modern browser.
<br><br>
As of now, the attacks are limited to a small target population and we have not seen widespread use of the exploit. We expect that to change in the coming days since details of the vulnerability have been made publicly available. Microsoft has released a <a href="http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx">Fix-It</a> which will turn on <a href="http://support.microsoft.com/kb/875352">DEP</a> for IE and help mitigate the attack. However, there is active research going on to bypass the DEP measure and its effectiveness could be limited. 
<br><br>
Further, Microsoft has <a href="http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx">indicated</a> that they will release an out-of-band patch for this issue soon. We will keep you updated with new developments as they arise. 
<br><br>
Thanks<br>
Richie Lai<br>
Director of Vulnerability Research, Qualys, Inc.<br>
<a href="http://twitter.com/rlaiqualys">http://twitter.com/rlaiqualys</a>]]>
        
    </content>
</entry>

<entry>
    <title>More Info on the IE 0-day</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/01/more-info-on-the-ie-0-day.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.216</id>

    <published>2010-01-15T00:30:45Z</published>
    <updated>2010-01-15T00:52:23Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[Hi, my name is Richie Lai and I am the Director of Vulnerability Research here at Qualys. Some of you might have seen me with Wolfgang during our monthly Patch Tuesday webcasts. We have been tracking some developments surrounding a 0-day in Internet Explorer and I just wanted to give everyone the information we've gathered.
<br><br>
Today Microsoft released an advisory for Internet Explorer versions 6 and above on all platforms up to Win7. The current exploit that is in the wild results in code execution only on Internet Explorer 6 on XP. The vulnerability exists in IE DOM parsing, resulting in a dangling pointer potentially exploitable for remote code execution. Even though the advisory lists all platforms as affected, there are a few mitigating factors.
<br><br>
First, you are protected from this specific known exploit if Data Execution Prevention (DEP) is enabled in the operating system. While DEP has been proven to stop exploits like this, there are known ways to bypass DEP if you can get code running. This is where the second mitigating factor comes in: Address Space Layout Randomization (ASLR). On platforms where both DEP and ASLR are enabled, exploitation is extremely difficult. In the meantime, we suggest Windows XP users run Microsoft's "Fix-It" from the advisory, which will enable DEP for IE 6 or 7 on XP. A table outlining the current exploitability across all platforms and IE versions is listed below. As you can see, having the most updated browser will significantly reduce your exposure to this vulnerability at this time. We will update you as we get more information regarding this development.
<br><br>

<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0
 style='border-collapse:collapse;mso-yfti-tbllook:1184;mso-padding-alt:0in 0in 0in 0in'>
 <tr style='mso-yfti-irow:0;mso-yfti-firstrow:yes;height:23.3pt'>
  <td width=65 valign=top style='width:49.1pt;border:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt;height:23.3pt'>
  <p class=MsoNormal><o:p>&nbsp;</o:p></p>
  </td>
  <td width=126 valign=top style='width:94.5pt;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt;height:23.3pt'>
  Windows 2000
  </td>
  <td width=120 valign=top style='width:1.25in;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt;height:23.3pt'>
  <p class=MsoNormal>Windows XP</p>
  </td>
  <td width=114 valign=top style='width:85.5pt;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt;height:23.3pt'>
  <p class=MsoNormal>Windows 2003</p>
  </td>
  <td width=108 valign=top style='width:81.0pt;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt;height:23.3pt'>
  <p class=MsoNormal>Windows Vista</p>
  </td>
  <td width=111 valign=top style='width:83.55pt;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt;height:23.3pt'>
  <p class=MsoNormal>Windows 2008</p>
  </td>
  <td width=107 valign=top style='width:80.6pt;border:solid black 1.0pt;
  border-left:none;padding:0in 5.4pt 0in 5.4pt;height:23.3pt'>
  <p class=MsoNormal>Windows 7</p>
  </td>
 </tr>
 <tr style='mso-yfti-irow:1;height:11.65pt'>
  <td width=65 valign=top style='width:49.1pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>IE 6</p>
  </td>
  <td width=126 valign=top style='width:94.5pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:#b22222;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>exploitable</p>
  </td>
  <td width=120 valign=top style='width:1.25in;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:#b22222;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>exploitable</p>
  </td>
  <td width=114 valign=top style='width:85.5pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:yellow;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>DEP protected</p>
  </td>
  <td width=108 valign=top style='width:81.0pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>N/A</p>
  </td>
  <td width=111 valign=top style='width:83.55pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>N/A</p>
  </td>
  <td width=107 valign=top style='width:80.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>N/A</p>
  </td>
 </tr>
 <tr style='mso-yfti-irow:2;height:11.65pt'>
  <td width=65 valign=top style='width:49.1pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>IE 7</p>
  </td>
  <td width=126 valign=top style='width:94.5pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>N/A</p>
  </td>
  <td width=120 valign=top style='width:1.25in;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:#b22222;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>exploitable</p>
  </td>
  <td width=114 valign=top style='width:85.5pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:yellow;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>DEP protected</p>
  </td>
  <td width=108 valign=top style='width:81.0pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:yellow;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>Protected by Protected Mode</p>
  </td>
  <td width=111 valign=top style='width:83.55pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>N/A</p>
  </td>
  <td width=107 valign=top style='width:80.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>N/A</p>
  </td>
 </tr>
 <tr style='mso-yfti-irow:3;mso-yfti-lastrow:yes;height:11.65pt'>
  <td width=65 valign=top style='width:49.1pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>IE 8</p>
  </td>
  <td width=126 valign=top style='width:94.5pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  <p class=MsoNormal>N/A</p>
  </td>
  <td width=120 valign=top style='width:1.25in;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:yellow;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  DEP protected with XPSP3
  </td>
  <td width=114 valign=top style='width:85.5pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:yellow;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  DEP protected
  </td>
  <td width=108 valign=top style='width:81.0pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  DEP and ASLR Protected  </td>
  <td width=111 valign=top style='width:83.55pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  DEP and ASLR Protected
  </td>
  <td width=107 valign=top style='width:80.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  background:Green;padding:0in 5.4pt 0in 5.4pt;height:11.65pt'>
  DEP and ASLR Protected  </td>
 </tr>
</table>
<br><br>
Thanks<br>
Richie Lai<br>
Director of Vulnerability Research, Qualys, Inc.<br>
<a href="http://twitter.com/rlaiqualys">http://twitter.com/rlaiqualys</a>

]]>
        
    </content>
</entry>

<entry>
    <title>IE 0-day, Not Adobe Used in Data Breaches</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/01/ie-0-day-not-adobe-used-in-dat.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.215</id>

    <published>2010-01-14T22:20:20Z</published>
    <updated>2010-01-14T22:47:31Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Adobe" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="IE" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[McAfee's CTO George Kurtz just <a href="http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/">published</a> some deeper insight into the attacks against Google. According to him, a 0-day vulnerability in Internet Explorer was used. Microsoft has just issued an advisory, <a href="http://www.microsoft.com/technet/security/advisory/979352.mspx">KB979352</a>, acknowledging the vulnerability on all versions of Internet Explorer, except IE v5.
<br><br>
It looks as if the Adobe Reader 0-day was not directly involved, contrary to what we had <a href="http://laws.qualys.com/lawsblog/2010/01/updates-for-adobe-reader-on-pa.html">assumed</a> so far.
<br><br>
We will update this post when further information comes to our attention.
<br><br>
References:
<ul>
<li> <a href="http://www.wired.com/threatlevel/2010/01/hack-of-adob/">Wired post</a> by Kim Zetter
<li> <a href="http://news.cnet.com/8301-27080_3-10435232-245.html?tag=mncol;title">CNET News</a> by Elinor Mills
</ul>

 ]]>
        
    </content>
</entry>

<entry>
    <title>Adobe Patches 0-day Flaw Used In Stealth Attacks</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/01/updates-for-adobe-reader-on-pa.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.214</id>

    <published>2010-01-13T22:17:11Z</published>
    <updated>2010-01-13T22:46:03Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Adobe" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Vulnerabilities" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[Yesterday Adobe Systems <a href="http://www.adobe.com/support/security/bulletins/apsb10-02.html">updated</a> its Reader product to fix a total of eight vulnerabilities. Out of the eight vulnerabilities, six allow remote code execution and are critical. One of the flaws addressed was CVE-2009-4324, the 0-day vulnerability which has had exploits in the wild since December 14, 2009, roughly a month ago. This vulnerability is exploited by including malicious code in a PDF document and triggered by executing an embedded JavaScript program. The PDF can be delivered through e-mail or downloaded from a website, making it a fairly easy attack to execute. Interestingly enough, it seems that this particular flaw was used against Adobe itself, as pointed out by <a href="http://news.cnet.com/8301-27080_3-10433744-245.html">Elinor Mills at CNET</a>.
<br><br>
Adobe has introduced two interesting security tools in the last two releases of the Reader product - one is an integrated update mechanism that will eventually default to automatic and silent updates. This mechanism is currently in beta and being tested with part of the <a href="http://blogs.adobe.com/asset/2010/01/a_few_words_on_the_january_201.html">installed base</a>. The second tool is an internal blacklist that allows hackers to disable specific JavaScript functions. Adobe recently provided <a href="http://kb2.adobe.com/cps/532/cpsid_53237.html">guidance</a> on how to mitigate the December 0-day by using this tool. Both tools are in their initial stages but look very promising.
<br><br>
The fixed versions are now Reader v9.3 and v8.2. What is important for Adobe Reader v7 users to know is that v7 is <b>now out of support</b> (as of 12/28/2009 - see: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86) and is no longer being updated with security fixes. However, it is impacted by the December 0-day. IT administrators should take inventory of their v7 users and upgrade them to the current standard of v9.
<br><br>
References:
<ul>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb10-02.html">Original Adobe Advisory</a>
<li><a href="http://www.qualys.com/research/alerts/view.php/2010-01-12-3">Qualys Advisory - QID 116768</a>
<li><a href="http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html">Adobe Blog post on breach</a>
</ul>]]>
        
    </content>
</entry>

<entry>
    <title>More on January&apos;s Patch Tuesday... </title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/01/more-on-januarys-patch-tuesday.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.213</id>

    <published>2010-01-13T03:58:33Z</published>
    <updated>2010-01-13T04:14:13Z</updated>

    <summary></summary>
    <author>
        <name>Qualys, Inc.</name>
        <uri>http://www.qualys.com</uri>
    </author>
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[ <object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/q82o4y7CKmk&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/q82o4y7CKmk&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"></object><br /><br />
<a href="http://www.youtube.com/watch?v=q82o4y7CKmk&amp;hd=1">http://www.youtube.com/watch?v=q82o4y7CKmk</a>]]>
        
    </content>
</entry>

<entry>
    <title>Patch Tuesday Bottomline - January 2010</title>
    <link rel="alternate" type="text/html" href="http://laws.qualys.com/lawsblog/2010/01/patch-tuesday-bottomline---jan.html" />
    <id>tag:laws.qualys.com,2010:/lawsblog//4.212</id>

    <published>2010-01-12T22:08:02Z</published>
    <updated>2010-01-13T04:54:17Z</updated>

    <summary></summary>
    <author>
        <name>Wolfgang Kandek</name>
        <uri>http://www.qualys.com/</uri>
    </author>
    
        <category term="Adobe" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Patch Tuesday" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://laws.qualys.com/lawsblog/">
        <![CDATA[ Microsoft starts 2010 slowly - a single bulletin containing one vulnerability in the embedded OpenType Font (EOT) engine. Due to the memory model in Windows 2000, the vulnerability is critical on that version of the Windows Operating System; all others receive a low severity rating. The flaw can be exploited through any OpenType enabled application such as Internet Explorer, PowerPoint, Word, etc., by viewing a webpage or a document. Users of Windows 2000 should upgrade as quickly as possible.
<br /><br /> 
There are 2 significant releases from other vendors today:
<br />
<ul>
<li>Oracle has released their quarterly <a href="http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html">Critical Patch Update</a> today. It contains 25 fixes for 7 of their products, including application servers and the database engine. The majority of the vulnerabilities are remotely exploitable without authentication, and IT admins should be taking a close look at the exposure these products have in their networks. In general, database engines should have no need to be connected to open networks, but the application servers are very likely exposed.
</li><li>Adobe is also publishing their quarterly patch, which will address a vulnerability in Adobe Reader that was documented as being actively exploited in the wild since the week before Christmas. Workarounds are available; the official recommendation is to blacklist the <a href="http://kb2.adobe.com/cps/532/cpsid_53237.html">JavaScript</a> function that is being exploited. Blacklisting is a capability introduced by Adobe in their last update to Adobe Reader v9 and v8 in October 2009 and might not be familiar to many IT admins yet. An alternative recommendation is to turn off JavaScript completely in Adobe Reader - JavaScript has played a major role in the exploitation of Adobe Reader in 2009, so this is a good preventive and defensive measure. As this setting disables functionality potentially needed by users, IT admins need to evaluate their individual situations.
<br /><br />
This release is also introducing the new Adobe updater process, which will, according to <a href="http://twitter.com/bradarkin/status/7641388444">Brad Arkin's tweet</a>, come preconfigured for automatic, silent updates à la Google Chrome.
</li></ul>
Intevydis, a security research company in Russia, announced <a href="http://intevydis.blogspot.com/">last week</a> that they will publish server-based 0-day vulnerabilities for the next 3 weeks. The first two are live and have POC code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further developments.<br /><br />References:<br /><ul><li><a href="http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx">Microsoft Security Bulletin</a></li><li><a href="http://www.qualys.com/research/alerts/view.php/2010-01-12-1">Qualys Security Advisory</a></li></ul><br />
]]>
        
    </content>
</entry>

</feed>
