Recently in Patch Tuesday Category

Contrary to what we expected last week, Microsoft's March security announcements contain a small surprise.

The standard bulletins cover Windows Movie Maker/Producer and Office:
  • MS10-016 - possible code execution in Windows Movie Maker - rated important: an attacker sends a malicious file to the target, and when the file is opened, remote code execution is possible. Microsoft's exploitability index puts it in the most likely-to-be-exploited category, meaning the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions. Windows 7 does not ship with a vulnerable version, but a user could have downloaded and installed Movie Maker 2.6, which is affected. The bulletin does not provide a patch for the also affected Windows Producer, a little-used multimedia add-on to PowerPoint.
  • MS10-017 - possible code execution in Microsoft Excel - rated important as well. This bulletin covers 7 vulnerabilities, all of them file format based. All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target into opening a specially crafted Excel document, which then allows the attacker to take control of the target system. Microsoft expects consistent exploit code for the majority of the listed vulnerabilities, so we suggest putting this patch on a fast installation schedule. Excel Viewer and SharePoint Server are affected as well.
Microsoft also released Security Advisory 981374, which describes a 0-day vulnerability reported to Microsoft only recently. At the moment only a limited number of targeted attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason to update to the latest version of IE. Not many details of the vulnerability are available, but workarounds for IE6/7 apply and are detailed in the advisory.

No major updates on advisory 981169, also for Internet Explorer, which requires the target to press F1 in response to a dialog for the attack to succeed and is best avoided through user education.

After the massive February update, Microsoft will release only 2 bulletins next week. Both are rated "important," the second of Microsoft's four severity levels. The first bulletin is for the Windows operating system and affects only the desktop platforms XP, Vista and Windows 7. The second bulletin is for Microsoft Office and applies to all versions on Windows (Office XP, 2003 and 2007) and Mac OS X (Office 2004 and 2008), plus SharePoint and the Excel Viewer.

The lower severity ratings give IT admins more time to address the March bulletins. The Office vulnerabilities should probably be handled first: file format vulnerabilities have been on the rise over the last year, and end users readily trust common Office files such as Excel spreadsheets because of their business-oriented, serious nature.

Earlier this week Microsoft issued advisory 981169 for a clever attack through Internet Explorer. It requires the end user to press F1 in a pop-up box, so the main defense is to make users aware of the flaw and instruct them to get in touch with IT should such a prompt appear.

Stay tuned for our detailed analysis on next Tuesday.

Microsoft's February 2010 Patch Tuesday was slated to be the biggest release of Microsoft fixes in the last two years: 14 bulletins addressing 34 vulnerabilities. But the Google/China Internet Explorer 0-day forced Microsoft to accelerate testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which still makes it one of the bigger Patch Tuesdays.

There are 5 critical bulletins for the Windows operating system family; the newer versions Windows 7 and Windows 2008 R2 are affected by only 3 of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008 R2 improved the implementation of these core OS capabilities.

Highest on our list for patching are MS10-006 (SMB client) and MS10-013 (DirectShow), which affect all versions of Windows and carry the most severe exploitability index rating (consistent exploit code likely). Next are MS10-007, Shell URL handling, which is critical for Windows 2000, XP and 2003, and MS10-008, an update to the ActiveX kill bit settings, applicable to all platforms.

MS10-012 is an SMB server bulletin that server administrators should focus on. One of its flaws allows a malicious, unauthenticated party to launch a remote denial of service attack; another allows remote authenticated clients to execute code.

MS10-010 addresses an interesting vulnerability in Hyper-V, the hypervisor of Windows Server 2008. This virtualization vulnerability allows a guest operating system to crash the host, taking down all virtual machines running on the same physical host. Virtualization is increasingly used in corporate IT environments and in cloud computing initiatives, and we expect this class of vulnerability to gain importance.

Microsoft Office has 2 bulletins, both rated important. While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on Mac OS X, should update as quickly as possible, because file format vulnerabilities have been a favorite of attackers in the last year.

Yesterday Adobe Systems updated its Reader product to fix a total of eight vulnerabilities. Six of the eight allow remote code execution and are critical. One of the flaws addressed is CVE-2009-4324, the 0-day vulnerability that has had exploits in the wild since December 14, 2009, roughly a month ago. It is exploited through JavaScript embedded in a PDF document, which triggers the flaw when the document is opened. The PDF can be delivered through e-mail or downloaded from a website, making it a fairly easy attack to execute. Interestingly enough, it seems that this particular flaw was used against Adobe itself, as pointed out by Elinor Mills at CNET.

Adobe has introduced two interesting security tools in the last two releases of Reader. One is an integrated update mechanism that will eventually default to automatic and silent updates; this mechanism is currently in beta and being tested with part of the installed base. The second is an internal JavaScript blacklist that allows administrators to disable specific JavaScript functions without turning off JavaScript entirely. Adobe recently provided guidance on how to mitigate the December 0-day with this tool. Both tools are in their initial stages but look very promising.

The fixed versions are Reader v9.3 and v8.2. Adobe Reader v7 users should know that v7 is now out of support (as of 12/28/2009 - see http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86) and no longer receives security fixes, even though it is affected by the December 0-day. IT administrators should take inventory of their v7 users and upgrade them to the current v9.

Microsoft starts 2010 slowly: a single bulletin containing one vulnerability in the Embedded OpenType (EOT) font engine. Due to the memory model in Windows 2000 the vulnerability is critical on that version of Windows; all others receive a low severity rating. The flaw can be exploited through any OpenType-enabled application such as Internet Explorer, PowerPoint or Word by viewing a web page or a document. Users of Windows 2000 should update as quickly as possible.

There are 2 significant releases from other vendors today:
  • Oracle has released its quarterly Critical Patch Update today. It contains 25 fixes for 7 of their products, including application servers and the database engine. The majority of the vulnerabilities are remotely exploitable without authentication, and IT admins should take a close look at the exposure these products have in their networks. Database engines should in general not need to be reachable from open networks, but the application servers are very likely exposed.
  • Adobe is also publishing its quarterly patch, which will address a vulnerability in Adobe Reader that has been documented as actively exploited in the wild since the week before Christmas. Workarounds are available; the official recommendation is to blacklist the JavaScript function that is being exploited. Blacklisting is a capability Adobe introduced in its October 2009 update to Adobe Reader v9 and v8 and may not be familiar to many IT admins yet. An alternative recommendation is to turn off JavaScript completely in Adobe Reader. JavaScript played a major role in the exploitation of Adobe Reader in 2009, so this is a good preventive and defensive measure, but as the setting disables functionality users may need, IT admins have to evaluate their individual situations.

    This release also introduces the new Adobe updater process, which according to Brad Arkin's tweet will come preconfigured for automatic, silent updates à la Google Chrome.
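The two Reader mitigations mentioned here and in the January 13 update note above (the JavaScript blacklist and switching JavaScript off) are registry settings, so they can be pushed out with a logon script or GPO preference rather than clicked through on every desktop. The following PowerShell is an added example, not code from the original post or from Adobe. It assumes Adobe Reader 9.x on 32-bit Windows and an elevated PowerShell 2.0 prompt; the registry branch and value names follow Adobe's JavaScript Blacklist Framework tech note, and the blacklist entry is the one Adobe recommended for the December 0-day.

```powershell
# Added example (not from the original posts): apply Adobe's two documented
# mitigations for the December 2009 Reader 0-day on a Windows machine with
# Adobe Reader 9.x. Run from an elevated PowerShell 2.0 prompt.
# Assumption: registry branch and value names are those in Adobe's tech note on the
# JavaScript Blacklist Framework (Reader 8.1.7/9.2 and later), 32-bit Windows paths.

$readerVersion = '9.0'   # policy branch is the major version: '8.0' or '9.0'

# --- Mitigation 1: blacklist only the exploited API; the rest of JavaScript keeps working ---
# The blacklist is a REG_SZ named tBlackList holding 'ObjectMethod' entries separated by '|'.
$blacklistKey = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$readerVersion\FeatureLockDown\cJavaScriptPerms"
$apisToBlock  = @('DocMedia.newPlayer')   # Adobe's recommended entry for the December 0-day (CVE-2009-4324)

if (-not (Test-Path $blacklistKey)) { New-Item -Path $blacklistKey -Force | Out-Null }

# Merge with entries an administrator may already have configured instead of overwriting them
$existing = (Get-ItemProperty -Path $blacklistKey -Name tBlackList -ErrorAction SilentlyContinue).tBlackList
$entries  = @()
if ($existing) { $entries += ($existing -split '\|') }
$entries += $apisToBlock
$entries  = @($entries | Where-Object { $_ } | Sort-Object -Unique)
Set-ItemProperty -Path $blacklistKey -Name tBlackList -Value ($entries -join '|') -Type String

# --- Mitigation 2 (stronger, but breaks forms that rely on JavaScript): disable JavaScript entirely ---
# This is the per-user preference behind Edit > Preferences > JavaScript > "Enable Acrobat JavaScript".
$jsPrefsKey = "HKCU:\Software\Adobe\Acrobat Reader\$readerVersion\JSPrefs"
if (-not (Test-Path $jsPrefsKey)) { New-Item -Path $jsPrefsKey -Force | Out-Null }
Set-ItemProperty -Path $jsPrefsKey -Name bEnableJS -Value 0 -Type DWord

# --- Show the resulting settings; Reader picks them up on its next start ---
'tBlackList = ' + (Get-ItemProperty -Path $blacklistKey).tBlackList
'bEnableJS  = ' + (Get-ItemProperty -Path $jsPrefsKey).bEnableJS
```

The blacklist lives under HKLM so that a user cannot simply re-enable the blocked call from the preferences dialog, while bEnableJS is a per-user preference that a user can flip back on; for an enterprise, the blacklist is the setting worth enforcing centrally, and the blanket JavaScript switch is the fallback when forms and workflows do not depend on it.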
Intevydis, a security research company in Russia, announced last week that it will publish server-based 0-day vulnerabilities over the next 3 weeks. The first two are live, with proof-of-concept code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further developments.


Microsoft closes 2009 with its last regular patch release, adding 6 bulletins and bringing the year's total to 74. December's release is by current standards a rather normal workload of 12 individual vulnerabilities. As expected, bulletin MS09-072 fixes the critical 0-day Internet Explorer vulnerability that was publicly disclosed just 3 weeks ago. Microsoft credits iDefense for the vulnerability, so it appears they had already been working on the issue; still, kudos to the team at Microsoft for the quick release. This patch is rated for immediate deployment, as attackers are actively working on turning the proof of concept into a reliable exploit. The bulletin contains an additional 4 vulnerabilities, 3 of which affect Internet Explorer 8, including on Windows 7. This is the only bulletin this month that affects Windows 7 and Windows 2008 R2.

Bulletin MS09-070 deals with remote code execution in Active Directory Federation Services (ADFS) on Windows 2003 and 2008. It is rated Important because it requires the attacker to be authenticated. If the attacker has credentials, an exploit can execute code on the ADFS server and impact the core identity infrastructure of corporate environments; we recommend fixing it as quickly as possible after internal testing.

MS09-073 and MS09-074 address file format vulnerabilities in the Word/WordPad converters and in Microsoft Project. Both allow remote code execution when users open specially crafted files received through e-mail or downloaded from a website. Install the patches as quickly as possible and review whether extended testing is necessary in your environment.

The 2 remaining bulletins, MS09-069 and MS09-071, address the Windows operating system, one in the well-known LSASS component and the other in Internet Authentication Service (IAS). The LSASS flaw is a resource-consumption denial of service only, and the IAS flaw affects only Windows 2008 with MS-CHAP v2 enabled. The exploitability index for both is 2, and we think these patches can be installed on a normal schedule.

The highly critical vulnerability in IE6/7, with an exposure window of over 3 weeks without a patch, should put the task of getting users off IE6/7 at the top of IT admins' New Year's resolutions for 2010. Users have to be migrated to a more modern browser, the most viable options being IE8 with its well-known patching mechanism or Firefox 3 with its more aggressive patching schedule.

Outside the Microsoft realm, Adobe will release an update for a critical Flash vulnerability that we recommend installing right away.

Today Microsoft released 6 security bulletins that address 15 individual vulnerabilities. Three are rated critical and the other 3 are rated important. Here is a recap of today's bulletins:
  • MS09-065 is rated Critical due to the EOT (Embedded OpenType font) vulnerability, through which an attacker can execute arbitrary code on the victim's computer. This can be achieved by enticing the victim to visit a web page with malicious EOT fonts or to open an e-mail containing malicious content. A proof of concept that crashes the application has been publicly disclosed. All Windows operating systems except Windows 7 and Windows 2008 R2 are affected.
    We can expect working exploits soon, and this is the most critical vulnerability to address. For users who cannot patch immediately, Microsoft has also provided workarounds in a detailed blog post, including instructions on rolling them out automatically through Group Policy.
  • MS09-063 and MS09-064 are critical as well, as they allow a remote unauthenticated attacker to send malicious packets to the affected systems and achieve remote code execution. MS09-063 is limited to attacks from the local subnet.
  • MS09-067 and MS09-068 affect Microsoft Excel and Word. They are standard file format issues that affect consumers and enterprise users alike.
  • Three of the six bulletins (MS09-063, MS09-064 and MS09-066) concern services that listen on the network and can therefore be targeted by network-based attacks.
The newer OS versions Windows 7 and Windows 2008 R2 were not affected by any of the bulletins released today, a good indication of the progress that Microsoft has made in securing the base Operating System.

In a similar way, the security features included in the new Office 2010 would have prevented both MS09-067 and MS09-068. We saw a demo of these features the other day at BlueHat, and the strict sandboxing imposed on files received through e-mail or Internet download should take care of 2 of the main attack vectors for this type of exploit.

October 2009's Microsoft Patch Tuesday is a massive release: 13 bulletins covering 34 vulnerabilities. 2 bulletins address last month's 0-day vulnerabilities, SMBv2 and FTP in IIS, in a very quick turnaround. Another 6 vulnerabilities are tagged as having had information disclosed publicly before today's patch release. Of the total set, a full 22 vulnerabilities are of critical severity and should be addressed as quickly as possible. A large selection of software is affected: all versions of Windows (including Windows 7), Windows Media Player, Office and also Silverlight, Microsoft's rich media browser plug-in. Internet Explorer also receives an update for 2 critical vulnerabilities, one of them disclosed at the Black Hat security conference.

MS09-054 fixes critical vulnerabilities in all versions of Internet Explorer and, interestingly, can also affect non-Microsoft software, namely Mozilla's Firefox browser. The Microsoft .NET runtime installs a plug-in into Firefox that allows XAML Browser Applications (XBAP) to be launched from Firefox, and that plug-in serves as a conduit to the vulnerable Windows component.

The biggest set of vulnerabilities this month is addressed by MS09-062, which fixes 8 flaws in the GDI+ graphics library. This library is used in applications as diverse as Microsoft Office, the Visual Studio development tools, SQL Server and even the Forefront Security client.

Another set of 2 vulnerabilities disclosed at Black Hat (the video presentations are worth watching) is addressed by MS09-056. It fixes the CryptoAPI library and the much-discussed "null prefix certificate" issue, which allows impersonation of an arbitrary SSL site by embedding a NUL character at the right spot in the Common Name of the certificate request: the CA validates the domain that follows the NUL, while clients that compare the name with C string functions stop at the NUL and see only the spoofed host. Earlier this month a certificate impersonating www.paypal.com was leaked to the Full Disclosure mailing list. The vulnerability is rated only "important" because it does not allow the attacker to take over the machine, but it can be used to impersonate any web site and steal the user's credentials.
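To make the null-prefix problem concrete, here is an added PowerShell example that is not code from the original post, from Microsoft or from the Black Hat presenters. It builds a Common Name byte string with an embedded NUL, as it would appear in a certificate issued for an attacker-controlled domain, and shows how a hostname check that treats the name as a C string accepts it for www.paypal.com while a length-aware check rejects it. The domain attacker.example is a placeholder and no real certificate is involved.

```powershell
# Added example (not part of the original post): why a NUL byte in a certificate's
# Common Name defeats hostname matching done with C string semantics.
# Everything below is constructed in-script; no real certificate is used.

function Get-CStringView {
    # Emulate a C-style consumer: the string "ends" at the first NUL byte,
    # regardless of the length the ASN.1 encoding declared.
    param([byte[]]$Bytes)
    $nul = [Array]::IndexOf($Bytes, [byte]0)
    $len = if ($nul -ge 0) { $nul } else { $Bytes.Length }
    return [System.Text.Encoding]::ASCII.GetString($Bytes, 0, $len)
}

function Test-HostnameMatchNaive {
    # Vulnerable check: compares the C-string view of the CN with the expected host.
    param([byte[]]$CommonName, [string]$ExpectedHost)
    return (Get-CStringView $CommonName) -eq $ExpectedHost
}

function Test-HostnameMatchStrict {
    # Hardened check: use the full declared length, and reject an embedded NUL
    # outright, because no legitimate DNS name contains one.
    param([byte[]]$CommonName, [string]$ExpectedHost)
    if ([Array]::IndexOf($CommonName, [byte]0) -ge 0) { return $false }
    $full = [System.Text.Encoding]::ASCII.GetString($CommonName)
    return $full -eq $ExpectedHost
}

# Constructed CN as it would be submitted in a CSR for a domain the attacker controls
# ("attacker.example" is a placeholder): "www.paypal.com\0.attacker.example".
$ascii = [System.Text.Encoding]::ASCII
[byte[]]$maliciousCN = $ascii.GetBytes('www.paypal.com') + [byte]0 + $ascii.GetBytes('.attacker.example')
[byte[]]$honestCN    = $ascii.GetBytes('www.paypal.com')

'CA sees (full length)        : ' + $ascii.GetString($maliciousCN).Replace("`0", '\0')
'Client sees (C string)       : ' + (Get-CStringView $maliciousCN)
'Naive match for www.paypal.com  : ' + (Test-HostnameMatchNaive  $maliciousCN 'www.paypal.com')
'Strict match for www.paypal.com : ' + (Test-HostnameMatchStrict $maliciousCN 'www.paypal.com')
'Strict match, honest cert       : ' + (Test-HostnameMatchStrict $honestCN    'www.paypal.com')
```

Running it shows the two views of the same bytes side by side: the CA sees a name ending in the attacker's domain and is willing to issue, the naive client sees only www.paypal.com and accepts, and the strict check refuses the malicious name while still accepting the honest one. The same length-versus-terminator mismatch is what MS09-056 corrects inside CryptoAPI.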

Important: Adobe released its patch for Adobe Reader, the popular PDF viewer. Adobe Reader versions 7, 8 and 9 are vulnerable on all versions of Windows and Mac OS X. Adobe had acknowledged last week the existence of exploits focused on v9 on Windows. This is a critical update that should be applied as soon as possible.

This month Microsoft released 5 critical bulletins, addressing a total of 8 vulnerabilities. The focus is on the Windows operating system family, and all versions are affected. The notable exception is Windows 7, which is a pleasant surprise and most likely an outcome of the additional security measures implemented in this latest version of Windows.

MS09-045 and MS09-047 are client-side vulnerabilities reached through Internet Explorer and Windows Media Player. They require user action for a successful exploit, but attackers have the necessary tools in place to entice users to visit infected web pages and open malicious media files. MS09-048 is a "classical" network vulnerability of a type we have not seen in a while: it is located in the TCP/IP network stack of Windows 2008 and Vista and can be exploited over the network, although Microsoft rates the exploitation difficulty as high. MS09-049 is a very interesting attack on the WLAN AutoConfig service of Vista and Windows 2008; it requires a malicious access point within Wi-Fi range, which limits the number of machines that can be attacked at any given time. We recommend that customers focus on MS09-045 and MS09-047 due to the high likelihood of exploits.

As previously announced, Microsoft did not address the IIS FTP 0-day vulnerability that was made public last week. In addition, yesterday a security researcher disclosed a vulnerability in the SMBv2 file sharing protocol of Vista, 2008 and potentially Windows 7. We expect Microsoft to monitor the extent of exploitation of these 2 new vulnerabilities and to continue providing guidance on workarounds.

Update: Microsoft has acknowledged the SMBv2 vulnerability and provided a workaround in advisory 975497, suggesting to disable the SMBv2 protocol; machines then fall back to the older SMBv1 protocol for file sharing.
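The advisory's workaround is a single registry value on the server side plus a restart of the Server service. The script below is an added example, not the original post's or Microsoft's code; it assumes a Vista or Server 2008 host and an elevated PowerShell 2.0 session, and the key and value name are the ones from advisory 975497. The same function reverses the change once the patch is installed.

```powershell
# Added example (not part of the original post): the registry workaround from
# Microsoft Security Advisory 975497, disabling SMBv2 on a Vista / Server 2008 host
# so that file sharing falls back to SMBv1. Reverse it once the patch is installed.
# Assumes an elevated PowerShell 2.0 session on the affected server.

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # Returns 'enabled' (the default when the Smb2 value is absent or 1) or 'disabled' (0).
    $v = (Get-ItemProperty -Path $lanmanParams -Name Smb2 -ErrorAction SilentlyContinue).Smb2
    if ($v -eq 0) { 'disabled' } else { 'enabled' }
}

function Set-Smb2State {
    param([ValidateSet('enabled','disabled')][string]$State)
    $value = if ($State -eq 'disabled') { 0 } else { 1 }
    Set-ItemProperty -Path $lanmanParams -Name Smb2 -Value $value -Type DWord
    # The Server service must be restarted for the change to take effect. This drops
    # open file-share sessions (and restarts dependent services), so schedule it.
    Restart-Service -Name LanmanServer -Force
}

'Before: SMBv2 is ' + (Get-Smb2State)
Set-Smb2State -State 'disabled'   # the workaround; call with 'enabled' to roll back after patching
'After : SMBv2 is ' + (Get-Smb2State)
```

Note that this only changes what the server offers: Vista and 2008 clients still speak SMBv2 to other servers that have not applied the workaround, so it has to be rolled out per file server, and the negotiation falls back to SMBv1 with its weaker signing and performance until the patch replaces the workaround.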

This Monday, proof-of-concept exploit code for a Microsoft IIS FTP vulnerability was posted to the milw0rm site. The code allows the attacker to take control of the machine running the vulnerable FTP server, and it can easily be automated and turned into a mass attack tool by combining it with a scanner. To be exploitable, the vulnerable FTP server needs to allow write access and the creation of directories. Unfortunately, even anonymous write access is enough to make the server vulnerable, but the requirement nevertheless cuts down on the number of potential targets.

Microsoft acknowledged the vulnerability and published advisory 975191 this afternoon, listing IIS 5.0, 5.1, 6.0 and also 7.0 as affected. The advisory suggests as workarounds to either disable FTP altogether, limit access to authorized and named users only, or use NTFS permissions to prohibit the creation of directories on the server. The NTFS approach seems to be the way to go for users who cannot make a bigger change to their FTP services; it has minimal impact and is a good interim solution until a real patch comes out. We don't expect this problem to be addressed in next week's Patch Tuesday release, as development and QA take longer than that; it makes sense to prepare for a longer period without a real fix. An alternative is to evaluate whether a more robust FTP server with more granular management capabilities can be deployed instead of the one built into IIS.
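Because the exploit depends on being able to create a directory, the NTFS workaround boils down to one deny entry on the FTP root. The following is an added example, not code from the original post or from Microsoft's advisory; it assumes IIS 6 or 7 on a host that has icacls (Server 2003 SP2 or 2008), and the FTP root path and anonymous account name are illustrative (IUSR_<computername> on IIS 5/6, the built-in IUSR on IIS 7).

```powershell
# Added example (not from the original post): the NTFS workaround from Microsoft
# Security Advisory 975191. The published exploit needs to create a directory, so
# deny the FTP account the "Create folders / append data" right on the FTP root.
# Assumptions: IIS 6 or 7 on a host with icacls (Server 2003 SP2 / 2008); the FTP
# root path and the anonymous account name below are illustrative. Run elevated.

$ftpRoot    = 'C:\inetpub\ftproot'
$ftpAccount = "IUSR_$env:COMPUTERNAME"   # IIS 7 uses the built-in 'IUSR' instead

# Record the ACL entries for the account before changing anything
$before = icacls $ftpRoot | Select-String -SimpleMatch $ftpAccount

# (CI) = the ACE is inherited by subfolders but not by files, so writes to files,
# including FTP APPE, keep working; (AD) = "append data / add subdirectory".
# A deny ACE takes precedence over the account's allow ACEs, so STOR (file upload)
# still works while MKD (directory creation, the exploit's precondition) fails.
icacls $ftpRoot /deny "${ftpAccount}:(CI)(AD)"

# Verify that the deny entry is now in place
'Before: ' + $before
'After : ' + (icacls $ftpRoot | Select-String -SimpleMatch $ftpAccount)

# Roll back once the real patch is installed (removes only the deny ACEs for this account):
#   icacls $ftpRoot /remove:d $ftpAccount
```

After applying it, test from an FTP client that an anonymous MKD is refused with a permission error while a STOR of a small file still succeeds; if the site uses named accounts with write access, repeat the deny for each of them, since the exploit works for any account that can create directories.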

HD Moore ported the exploit code to his Metasploit project yesterday. This makes it even simpler for IT administrators to demonstrate the vulnerability and argue for the deployment of an alternative FTP server.

Updated to include IIS 7.0 as Microsoft amended their advisory on 9/3/2009
Although August is the month of vacations, that is certainly not the case for Microsoft, which today announced 9 patches as part of its monthly Patch Tuesday release cycle for August 2009. There are 5 critical patches that can all be exploited remotely and 4 important ones that require direct access to the system for exploitation. This release covers a variety of products, with Windows as the main focus.

Highlights of the 5 critical patches covered in this release are:

  • MS09-037: This is a Microsoft Active Template Library (ATL) patch that covers 5 vulnerabilities. It completes the out-of-band July release (MS09-034 and MS09-035), which provided a defense-in-depth mitigation in Internet Explorer and fixed the ATL headers for developers; this bulletin ships rebuilt Windows components and covers a lot of Microsoft software on all versions of Windows, including Outlook Express and Windows Mail, Windows Media Player and several ActiveX controls.
  • MS09-038: Windows Media file processing patch, where a malicious AVI can be posted on any media site for exploitation. All that is needed is for the user to click a malicious link on a social networking or file sharing site. The attacker can then take complete control of the user's computer.
  • MS09-039: This is a patch for WINS. While rated critical, WINS is not installed by default, so it is likely not that relevant for most users. However, if WINS is enabled on a Windows system, someone can send a malicious packet to the running service and take control of the machine.
  • MS09-043: This is an Office patch for 4 vulnerabilities, including one zero-day. Office is very prevalent and this vulnerability is fairly simple to exploit: all that is needed is to convince someone to view a malicious web page. There is already a zero-day detection for it in the QualysGuard KnowledgeBase (QID 110101) addressing CVE-2009-1136.
  • MS09-044: This is a patch for a Remote Desktop vulnerability that is critical but requires the user to connect to a malicious server using Remote Desktop. Remote Desktop is typically used by advanced users or system administrators.
Although this is a big release, there are no surprises in it: it addresses an outstanding public zero-day vulnerability and it follows up on the out-of-band release in July (MS09-034 and MS09-035). As always, users are urged to review these critical patches carefully against their environment and apply them as soon as possible. QualysGuard users are advised to scan their environment to identify affected Windows machines and patch them accordingly.

As announced last week, Microsoft today released 2 bulletins, one addressing Internet Explorer (MS09-034) and the other the ATL component of Visual Studio (MS09-035). A release outside the normal patch window means that exploits for this vulnerability have been spotted in the wild, and IT administrators should treat the fixes as high priority.

The main attack vector the current exploit uses is browsing with Internet Explorer. An end user browsing the Internet with a vulnerable version of IE can have their system taken over simply by viewing a web site that hosts malicious ActiveX objects built with the flawed ATL. To increase their reach, attackers have been using web application vulnerabilities to plant these exploits on common, non-malicious sites that end users would not suspect. Once a system is infected, the attacker can add it to a botnet or use it to attack other machines inside the network where it is hosted. This second mode of use is increasingly common and can lead to indirect exploitation of systems within corporate networks that do not even have external connectivity or a browser installed. Ryan Smith will present on the issue at Black Hat in Las Vegas tomorrow and has a small preview up on his site.
This has been an exciting week in the security space: first Adobe and now Microsoft have announced that they will deliver out-of-band patches next week.
Both vulnerabilities are rated critical and are found in very common software components: all versions of IE (6, 7 and 8) are vulnerable, while Adobe says that updates will be shipped for Flash 9 and 10 and also Adobe Reader 9. IT administrators should prepare for a quick turnaround.
Microsoft's July security bulletins hold no surprises, given the intense pre-release activity around the 3 zero-day advisories that came out in the last 6 weeks. Microsoft had already announced that it would address 2 of the advisories with MS09-028 and MS09-032, for DirectShow and the Microsoft Video ActiveX control respectively. Yesterday's zero-day is left for later, and users should apply the workaround published in KB973472. The third critical bulletin is MS09-029, Embedded OpenType Font Engine, which applies to all versions of Windows, Vista and 2008 included. These 3 should be addressed immediately, as they allow the attacker to fully control the victim's computer.

Microsoft's proxy server ISA 2006 has a vulnerability rated "important" that allows remote unauthenticated users to access the server. Paired with knowledge of an administrator's user name, attackers can take full control of the server. As administrator user names are often easy to guess, this vulnerability deserves special attention if IT organizations use ISA with RADIUS authentication. It is covered in MS09-031; the ISA blog has more in-depth information.

MS09-030, a bulletin for the Publisher component of the Office 2007 suite, is rated "important" as well, but it can be used to take full control of the system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as "critical" as well.

Microsoft also provided patches for its virtualization products Virtual PC and Virtual Server, on all versions (MS09-033), preventing an elevation of privilege in the guest operating system. This is classified as "important" because local access to the guest OS is required. The bulletin is interesting because the vulnerability exists only because the OS runs in a virtual environment, and it allows a user in the guest to reach privileged kernel mode.

In addition we are working on the Oracle CPU patch release and are monitoring the Firefox 3.5 zero-day.

June's Patch Tuesday is generating a major workload for IT administrators. Microsoft released its biggest number of patches in recent memory, not only for Windows systems but also for its Mac Office suite. Adobe has patches for its Reader product for Windows, Mac and Unix, and Apple released a production version of Safari 4 for Mac OS X and Windows.

Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of its products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (1, consistent exploit code likely) in the Microsoft exploitability index. MS09-022, Windows Print Spooler, is rated critical as well; it affects both servers and workstations and so has a higher exposure potential than the other server-based vulnerabilities. MS09-025 brings 4 fixes for the Windows kernel, and even the newer Vista and 2008 versions are affected by 3 of them.

On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities in all versions from IE5 to IE8; interestingly, IE8 is affected by only a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.

As expected, we did not see a patch for the DirectShow vulnerability acknowledged by Microsoft 10 days ago in KB971778. While Microsoft has a fix, it is still undergoing quality assurance and stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities, MS09-017 for PowerPoint. Users of both Office 2004 and Office 2008 are advised to update to fix a remote code execution issue.

As Adobe had announced previously, it also published its quarterly patches on this second Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available yet on the vulnerabilities covered.

Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.

Microsoft just published its advance notice for June's Patch Tuesday. After the rather lightweight release of last month, which addressed only PowerPoint on Windows, this month's release covers all major areas with 10 updates. Two are critical updates for Windows (out of a total of 6), there is one critical update for Internet Explorer, and three critical updates for Microsoft Office.

Mac OS X users, who have seen their fair share of action recently on the OS side and with QuickTime, need to pay attention as well: Microsoft will release an update for the PowerPoint vulnerabilities it disclosed last month for both Windows and Mac platforms, having at the time provided patches only for Windows.

We will not see a fix for the DirectShow vulnerability KB971778 disclosed last week. While Microsoft has a fix, it is still undergoing quality assurance and stability testing.