Posts Tagged ‘Patch Tuesday’
Thursday, July 10, 2014 @ 03:07 PM gHale
Microsoft released a critical fix for vulnerabilities in its Internet Explorer web browser as part of its latest monthly Patch Tuesday update.
The Internet Explorer (IE) update is one of two critical updates this month; the flaws it addresses could be used by attackers to mount remote code execution attacks.
While the vulnerabilities are not to be trifled with, none of them were zero days being exploited when the patch shipped, which limits their immediate value to attackers.
The second critical bulletin relates to Windows Journal, the note-taking application that originated on Microsoft's now ancient Windows XP Tablet PC Edition. Attackers seem unlikely to bother writing exploits for it, but the patch should still be installed.
The July Patch Tuesday release also includes three "important" updates plugging flaws in the Windows On-Screen Keyboard, the afd.sys driver and the DirectShow service. All three could be used for local privilege escalation.
There is also a fix for a "moderate" flaw in Windows Service Bus that could be exploited to mount a denial-of-service attack.
Internet Explorer flaws have been an ongoing issue for Microsoft: by comparison, the company issued 59 IE fixes as part of its June Patch Tuesday update.
Wednesday, May 14, 2014 @ 11:05 AM gHale
Adobe's Patch Tuesday offering included fixes for its Flash, Reader, and Acrobat platforms, as well as an update for Illustrator. In total, the updates address 18 CVE-listed security flaws.
Six of the flaws are addressed in an update for the Windows, Linux, and OS X versions of Flash Player and the AIR SDK. The company said the update includes fixes for critical flaws that could allow remote code execution, and updating Flash Player should be a top priority for users and administrators.
Adobe credited the discovery of four of the flaws to Contextis researcher James Forshaw. Researchers with Keen Team and Team 509, via HP's Zero Day Initiative (ZDI), received credit for unearthing another flaw, while Masato Kinugawa discovered one vulnerability.
Reader and Acrobat receive 11 fixes, including for remote code execution flaws in the OS X and Windows versions; the company recommends administrators make them a top deployment priority alongside the Flash Player updates.
Researchers credited with discovering those flaws include VUPEN (via HP ZDI), Ukatemi’s Gábor Molnár, Nanyang Technological University’s Wei Lei and Wu Hongjun, Yuki Chen of Trend Micro, Agile Information Security’s Pedro Ribeiro, HP ZDI researcher chkr_d591, Honglin Long, Sune Vuorela from Ange Optimization, and researchers with the Venustech Active-Defense Lab.
The third patch, addressing a remote code execution vulnerability in Illustrator CS6 for Windows and OS X, is a lower priority, as the platform is not a popular target for malware attacks, although users and administrators should still test and deploy the update as soon as possible. Credit for discovery of the flaw went to researcher Noam Rathaus.
Wednesday, May 14, 2014 @ 10:05 AM gHale
Microsoft released two critical advisories on Patch Tuesday.
Microsoft assigned deployment priority one to three of the advisories: MS14-024, MS14-025, and MS14-029 (the IE patch). MS14-029 is the only one of the two critical bulletins to receive priority one. The other critical bulletin, MS14-022, affecting SharePoint, is priority two because the attack is complex and the vulnerability was reported privately, so there is no public exploit.
MS14-029 is an interesting advisory. It is not a cumulative rollup fix for IE, which breaks with the recent trend in IE patching, but it does re-include the patch for MS14-021, which was fixed outside the normal patch cycle on May 1. It is not yet clear whether this modifies the original fix or simply provides another channel for customers to get it.
One of the other CVEs fixed in this advisory is under limited, targeted attack. There are also two variants of this patch for Windows 8.1 users: one for those who took the "Spring 2014 update rollup" and one for those who did not. This is the first advisory that clearly would have applied to Windows XP but for which no patch is available.
IE 6, 7, and 8 are vulnerable on Windows Server 2003 SP2; historically that would have mapped to the same scope of XP patches, but not this time, since Microsoft ended support for XP in April.
Of the other two priority-one bulletins, both rated only "important", MS14-024 is a fix for an ASLR bypass. That is not an exploitable vulnerability in itself, hence the "important" rating, but a weakness chained with other exploits to make the attacker's memory manipulation land at a predictable address. The MS14-024 bypass has been used in conjunction with other attacks.
MS14-025 is not really a fix for the underlying issue. It stops administrators from making things worse going forward by removing the ability to set a local administrator password in group policy (Group Policy Preferences) settings, where anyone on the network can read it and recover it in a reusable form. Administrators who have already made that mistake will not have the setting removed by the update and must still take other measures to plug that hole.
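The "other measures" start with finding out whether such a password is already sitting in SYSVOL. The script below is an added example, not code from the original post or from Microsoft: it walks the domain's Policies share and reports every Group Policy Preferences XML item that still carries a cpassword attribute (the attribute name and the preference file names are standard GPP behaviour, not something the post states). It assumes a domain-joined host with read access to SYSVOL; the path is derived from the environment and can be overridden.

```powershell
# Added example (not from the original post): report GPP items in SYSVOL that still embed a password.
# Assumptions: run as a domain user with read access to SYSVOL; $PoliciesPath is a placeholder default.
param(
    [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# Preference files that can embed credentials (Groups.xml is the local-administrator case)
$targets = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppPasswords {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include $targets -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { [xml]$doc = Get-Content -Path $file.FullName -Raw } catch { return }
        # Any element carrying a cpassword attribute, regardless of depth in the file
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            # The GPO GUID is the {…} directory component of the path
            $gpo = ($file.FullName -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' })[0]
            $account = $node.GetAttribute('userName')
            if (-not $account) { $account = $node.GetAttribute('accountName') }   # Services.xml uses accountName
            [pscustomobject]@{
                Gpo         = $gpo
                File        = $file.FullName
                Account     = $account
                LastChanged = $node.ParentNode.GetAttribute('changed')
                Empty       = [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
            }
        }
    }
}

$findings = @(Find-GppPasswords -Root $PoliciesPath)
if ($findings.Count -eq 0) {
    Write-Output "No cpassword attributes found under $PoliciesPath"
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "Remove these preference items and reset the affected account passwords; the MS14-025 update does not do this for you."
}
```

The script deliberately only locates the items; it does not recover the stored passwords. Anything it lists should be treated as already known to every authenticated user on the network, since SYSVOL is readable domain-wide, so deleting the preference item is not enough: the password itself has to be changed on every machine it was pushed to.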
MS14-027 is an elevation of privilege issue that was privately reported to Microsoft and is under limited, targeted attack.
MS14-028 is a denial-of-service issue affecting Windows servers with the iSCSI service installed. The service is not installed by default on Windows Server 2008 or 2008 R2; on Windows Server 2012 it is present but disabled by default.
Thursday, April 10, 2014 @ 06:04 PM gHale
This month's Patch Tuesday was small in size but huge in one respect: it is the point at which the industry will no longer see Windows XP as part of the Microsoft environment.
Microsoft released four patches, two rated critical and two rated important.
The first update (MS14-017), rated critical, relates to one privately and two publicly disclosed remote code execution vulnerabilities in Microsoft's Office productivity suite. The attack requires the user to open a specially crafted file, which gives a successful attacker the same rights as the affected user. The vulnerability affects the entire spectrum of Office document handling products, including all versions of Microsoft Word (2003, 2007, 2010, 2013, RT) and the server-side Word document handling components such as SharePoint and Office Web Apps. It also affects the Microsoft Word Viewer and the Microsoft Office Compatibility Pack.
This is the second attempt by Microsoft to resolve this issue as this update is a direct replacement for a security update earlier this year.
The second update (MS14-018) relates to six privately reported memory corruption vulnerabilities that affect almost all versions of Internet Explorer, from version 6 to version 11, on 32-bit and 64-bit platforms and on Windows RT, but not Internet Explorer 10, which was covered by a recent out-of-band update from Microsoft.
The vulnerabilities are triggered when a user visits a specially crafted web page; successful exploitation gives the attacker the same privileges as the logged-on user.
The third update (MS14-019), rated important, deals with a single privately reported vulnerability in file handling functionality on all Windows platforms (32-bit and 64-bit). Using specially crafted batch or command files (.bat or .cmd), an attacker could gain the same access as the user through a remote code execution vulnerability. Microsoft resolved the issue by changing how .bat and .cmd files are run from remote or network-based locations.
The last update (MS14-020) relates to Microsoft Publisher and addresses a remote code execution vulnerability that is triggered if a user opens a specially crafted file in Publisher.
Tuesday, January 14, 2014 @ 05:01 PM gHale
Here we are in 2014 and some things just don't change with the New Year. Take today's Patch Tuesday: three of the IT behemoths issued the first patch releases of the year, with Oracle leading the way and Microsoft and Adobe not far behind.
Oracle's first patch update of the year was one of its biggest ever, including a slew of security patches, most of which address vulnerabilities in Java.
The Critical Patch Update addresses 144 flaws across hundreds of Oracle products, 36 of which are vulnerabilities in Java SE, including 34 that can be exploited remotely by an attacker without authentication.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” Oracle officials said. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”
Five of the security fixes apply to Oracle Database Server. One of these vulnerabilities may be remotely exploitable without authentication, meaning it could be exploited over a network without a username and password.
The update covers Oracle products and components including JavaFX versions 2.2.45 and earlier, Java JDK and JRE versions 5.0u55, 6u65 and 7u45 and earlier, and Java SE Embedded versions 7u45 and earlier.
The highest CVSS 2.0 Base Score for vulnerabilities in Oracle’s Critical Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle FLEXCUBE Private Banking of Oracle Financial Services Software and Oracle WebCenter Sites of Oracle Fusion Middleware.
Meanwhile, Microsoft disclosed four security bulletins describing six vulnerabilities, and released product updates to address these vulnerabilities.
This is the first month since September 2011 that Microsoft released no critical updates in a Patch Tuesday cycle, and the first since September 2012 they have released four or fewer updates.
The four bulletins rated important include:
• MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) — At least one of three memory corruption vulnerabilities affects every version of Word or the Word Viewer, as well as the relevant parts of Office Web Apps and SharePoint. These are remote code execution vulnerabilities.
• MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) — A user with valid logon credentials who is able to log on locally could run a special program and elevate privilege. This vulnerability affects only Windows XP and Windows Server 2003.
• MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) — Windows 7 and Windows Server 2008 R2 are vulnerable to a privilege elevation vulnerability. The user must have valid logon credentials and be able to log on locally.
• MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826) — If an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance, the AOS instance could stop functioning.
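Because the post lists the KB article number for each bulletin, a host can be checked against the list directly. The script below is an added example, not Microsoft's tooling or code from the original post. It compares the four KBs with what Get-HotFix reports and accepts an injected list so it can be run against a constructed sample offline; the sample list and the assumption that Get-HotFix is the source of truth are the editor's.

```powershell
# Added example (not from the original post): audit a host for the January 2014 bulletins by KB number.
# The KB numbers come from the bulletin titles above; the sample "installed" list below is constructed.
$januaryBulletins = @{
    'MS14-001' = 'KB2916605'   # Word / Office Web Apps RCE
    'MS14-002' = 'KB2914368'   # Windows kernel EoP (XP, Server 2003 only)
    'MS14-003' = 'KB2913602'   # Kernel-mode drivers EoP (Windows 7, Server 2008 R2)
    'MS14-004' = 'KB2880826'   # Dynamics AX AOS denial of service
}

function Get-BulletinStatus {
    param(
        [hashtable]$Required,
        # Default to the live host; pass a list explicitly to test or to audit an exported inventory
        [string[]]$Installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    foreach ($bulletin in ($Required.Keys | Sort-Object)) {
        $kb = $Required[$bulletin]
        [pscustomobject]@{
            Bulletin  = $bulletin
            KB        = $kb
            Installed = ($Installed -contains $kb)
        }
    }
}

# Constructed sample inventory: only the kernel-mode driver fix is present
$sampleInventory = @('KB2913602', 'KB2862330', 'KB2887069')
Get-BulletinStatus -Required $januaryBulletins -Installed $sampleInventory | Format-Table -AutoSize

# Live run on the current host (uncomment on a Windows machine):
# Get-BulletinStatus -Required $januaryBulletins | Where-Object { -not $_.Installed }
```

Two caveats a practitioner should keep in mind: Get-HotFix reads the Win32_QuickFixEngineering class, which only records operating-system updates, so MS14-001 (an Office update) and MS14-004 (a Dynamics AX update) will show as missing on a fully patched host and need to be verified through the product's own update channel or the deployment tool; and a missing KB is only a gap if the product it patches is actually installed, so MS14-002 reported missing on a Windows 7 host is expected, not a finding.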
Last, but not least, Adobe's Patch Tuesday release had fixes for Flash Player, Acrobat and Reader. All of the vulnerabilities carry Adobe's highest priority rating, which means exploitation is expected.
The Flash Player bulletin covers CVE-2014-0491 and CVE-2014-0492, both remote code execution vulnerabilities.
CVE-2014-0493, CVE-2014-0495 and CVE-2014-0496 affect Acrobat and Reader. These CVEs also concern remote code execution vulnerabilities. All of this month’s vulnerabilities ended up reported to Adobe directly.
Tuesday, December 10, 2013 @ 07:12 PM gHale
Microsoft issued 11 Patch Tuesday advisories affecting six different product types. All supported versions of Windows, Office, SharePoint, Exchange, Lync and a mixed bag of developer tools are now on the mend.
Five of the advisories are rated critical, including one affecting Exchange and one affecting SharePoint and Lync, not to mention the critical patch for Internet Explorer. Microsoft gave three of them a critical rating with deployment priority 1: MS13-096 (GDI+), MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime).
MS13-099 is an interesting vulnerability because it is exploitable via VBA script and EMET's countermeasures do not mitigate it.
This round of patching addresses the GDI+ issue publicly disclosed in early November in Security Advisory 2896666 and subsequently blogged about by various researchers.
There is also a Kernel Driver patch (MS13-101), but this round of patching does not include a fix for the publicly disclosed Kernel Elevation of Privilege issue reported in Security Advisory 2914486.
Wednesday, November 13, 2013 @ 06:11 AM gHale
Patch Tuesday for Microsoft meant the software giant addressed 19 unique vulnerabilities in Internet Explorer, Hyper-V, the Graphics Device Interface (GDI), Office, and other components.
It also fixed the zero-day vulnerability in Internet Explorer disclosed by FireEye over the weekend.
Of the advisories, the three most critical patches are the Internet Explorer patch (MS13-088), the GDI patch (MS13-089), and the fix for the zero-day flaw in an ActiveX control that affected several versions of Internet Explorer (MS13-090), security experts said.
“Bulletin MS13-090 addresses the publicly-known issue in ActiveX Control, currently under targeted attacks. Customers with automatic updates enabled are protected against this vulnerability and do not need to take any action,” said Dustin Childs, group manager of Microsoft Trustworthy Computing.
Last week, security firm FireEye notified Microsoft of serious vulnerabilities in Internet Explorer, but it appears Microsoft already knew about them, as the ActiveX control patch (MS13-090) fixes the InformationCardSignInHelper flaw. Attackers had already targeted the bug in a watering-hole-style attack, and exploit code appeared on the text-sharing site Pastebin, making this a high-priority issue.
Microsoft also disclosed a zero-day vulnerability in how some versions of Windows and older versions of Office handle the TIFF graphics format. There is no patch for this flaw in this Patch Tuesday release, so users who have not yet installed the temporary Fix It workaround should consider doing so as soon as possible.
The other IE patch (MS13-088) fixes two information disclosure bugs and eight memory corruption issues in various versions of the browser. Two of the vulnerabilities affect every version of IE, from version 6 through 11, the latest. While there have been no reported attacks exploiting these vulnerabilities, the fact that so many versions of Windows and Internet Explorer are affected means this patch should be rolled out as soon as possible.
The third highest priority bulletin (MS13-089) fixes a GDI bug that affects every supported version of Windows from XP to Windows 8.1. To exploit it, attackers need to create a malicious file and convince users to open it in WordPad.
The remaining patches address vulnerabilities in various versions of Microsoft Office (MS13-091), an information disclosure vulnerability in newer versions of Office (MS13-094), an elevation of privilege flaw in Hyper-V (MS13-092) on Windows 8 and Server 2012 R2, an information disclosure bug in Windows (MS13-093), and a denial-of-service issue in the operating system (MS13-095).
Wednesday, October 9, 2013 @ 03:10 PM gHale
Microsoft released eight new security bulletins, four rated critical and four important, including fixes for two zero days in Internet Explorer.
The security update for Internet Explorer, MS13-080, addresses 10 separate vulnerabilities that affect all supported versions of the browser. Users should take note, because two of the 10 are zero-day bugs already being exploited.
Security researchers have been watching the IE exploit since it first became public in mid-September.
The catch is that once a patch is released, attackers can reverse engineer it and have an attack lined up and ready to go: Microsoft shipping the patch does not mean everyone applies it, and those who don't become more susceptible to attack.
Two other security bulletins follow the Internet Explorer update in priority.
MS13-081 addresses seven vulnerabilities in kernel-mode drivers affecting all versions of Windows except Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. Two of the flaws are in font parsing and could let an attacker execute malicious code remotely if successfully exploited.
Microsoft has released 87 security bulletins so far this year, which puts it 17 ahead of last year's pace.
However, the number of bulletins should also be seen in light of the fact that Microsoft has stepped up the pace at which it addresses identified vulnerabilities, and that it is patching a growing number of supported platforms and applications.
Wednesday, September 18, 2013 @ 01:09 PM gHale
Once again Microsoft had to reissue four security bulletins after its Patch Tuesday release.
Microsoft announced on its blog last Thursday that the new patches were available, just two days after it released its scheduled Patch Tuesday update for the affected products.
New patches were made available for four security bulletins, MS13-067, MS13-072, MS13-073 and MS13-074, which addressed bugs in a series of Microsoft Office products, including Excel and SharePoint Server. Non-security updates were also re-released for Microsoft PowerPoint 2010 (KB2553145) and PowerPoint Viewer 2010 (KB2553351).
Customers had complained about updates attempting to reinstall numerous times on their machines, the company said. In other instances, the patches were not offered to customers at all.
“Since the shipment of the September 2013 security bulletin release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM),” the blog post said. “We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.”
In a blog post on Monday, security researcher Graham Cluley wrote that the recurring problems with Patch Tuesday releases were highly concerning given the number of users that rely on the fixes.
In last month's patch release, Microsoft pulled a patch that addressed three vulnerabilities in Exchange Server. In that incident, the Patch Tuesday fix was scrapped after Microsoft became aware that installing it caused problems.
“Following so soon after last month’s buggy security update, one has to wonder what’s going wrong at Microsoft Quality Control,” Cluley said. “The company can’t afford to keep messing up like this. The risk is that millions of users around the world will begin to question Microsoft’s ability to properly patch security vulnerabilities, and lose trust in the firm.”
Microsoft did catch one bug in its Patch Tuesday update before dispatching the release. The company had originally planned to release 14 fixes, but shipped only 13 last week, leaving out a patch that would have addressed a denial-of-service issue in its .NET Framework.
Wednesday, September 11, 2013 @ 09:09 AM gHale
Microsoft's Patch Tuesday brought out 13 bulletins.
Of the 13 bulletins, seven cover the Microsoft Office family and six cover the Windows operating system.
Four advisories are rated critical. All of them matter, subject to which versions of Windows are deployed in your environment. One of them is the monthly IE update; all versions of IE require it.
Microsoft is putting top priority on MS13-067, which affects SharePoint Server. The advisory covers multiple CVEs, but the most severe is CVE-2013-1330, which allows remote code execution via malicious content sent to the server without any user interaction: genuine remote exploitation. Of the 10 CVEs, one is public, but reportedly that is not CVE-2013-1330. There is a workaround for CVE-2013-1330 that involves enabling the state inspection of message authentication code attributes.
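The "state inspection of message authentication code attributes" the post refers to is, in ASP.NET terms, ViewState MAC validation, which is controlled by the enableViewStateMac attribute on the <pages> element of web.config; that mapping is the editor's reading of the bulletin's workaround, not something the post spells out. The script below is an added example, not from the original post or from Microsoft: it scans a directory tree for web.config files in which the check is explicitly switched off, and runs against two constructed sample files so it can be tried offline. The temporary directory and file contents are the editor's assumptions.

```powershell
# Added example (not from the original post): find web.config files that disable ViewState MAC checking.
# The attribute name enableViewStateMac is the standard ASP.NET setting; the sample files are constructed.
function Find-DisabledViewStateMac {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Filter web.config -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { [xml]$cfg = Get-Content -Path $file.FullName -Raw } catch { return }   # skip unparsable files
        # <pages> may sit under <system.web> or inside <location> overrides; the XPath finds every instance
        foreach ($pages in $cfg.SelectNodes('//pages')) {
            $value = $pages.GetAttribute('enableViewStateMac')
            if ($value -and $value.ToLowerInvariant() -eq 'false') {
                [pscustomobject]@{
                    File    = $file.FullName
                    Setting = "enableViewStateMac=`"$value`""
                }
            }
        }
    }
}

# Constructed sample tree: one weak configuration, one hardened one
$sampleRoot = Join-Path $env:TEMP 'viewstate-mac-check'
foreach ($dir in 'weak', 'ok') {
    New-Item -ItemType Directory -Path (Join-Path $sampleRoot $dir) -Force | Out-Null
}
@'
<configuration><system.web><pages enableViewStateMac="false" /></system.web></configuration>
'@ | Set-Content -Path (Join-Path $sampleRoot 'weak\web.config')
@'
<configuration><system.web><pages enableViewStateMac="true" /></system.web></configuration>
'@ | Set-Content -Path (Join-Path $sampleRoot 'ok\web.config')

# Only the "weak" file should be reported
Find-DisabledViewStateMac -Root $sampleRoot | Format-Table -AutoSize

# Against a real SharePoint farm, point it at the web application roots, for example:
# Find-DisabledViewStateMac -Root 'C:\inetpub\wwwroot\wss\VirtualDirectories'
```

A file the script does not list is not automatically safe: the attribute can be omitted and inherit a value from a parent configuration or from machine.config, so the authoritative check is the effective configuration of each SharePoint web application, and the bulletin's own workaround instructions take precedence over this heuristic.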
Of the other two critical advisories, both require user interaction to trigger the vulnerability; however, MS13-068, affecting Microsoft Outlook, is particularly toxic because it can be triggered when users merely view malicious content in the Outlook preview pane.
MS13-070 applies only to XP and Server 2003, where vulnerabilities tend to be less "contained" than on more mature versions of Windows. XP and Office 2003 have shown no let-up in patching frequency, despite the end of support for XP looming just around the corner in April 2014.
If you run a Microsoft-heavy shop and have invested significantly in SharePoint as back-office technology, this month is going to be very busy. There are lots of vulnerabilities to patch, many of them high risk. Office vulnerabilities are typically mitigated by the fact that they require a user to interact with something malicious, through an attachment or a link. With the Office server product (SharePoint), that mitigation may not apply, and other layers of defense in depth come into play.