Posts Tagged ‘Patch Tuesday’

Friday, November 14, 2014 @ 04:11 PM gHale

Patch Tuesday this month means 14 bulletins with new versions and patches for Microsoft software, operating systems and applications.

The most important bulletin MS14-064 addresses a current Zero Day vulnerability – CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions. Attackers have been leveraging the vulnerability to gain code execution by sending PowerPoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary FixIt patch. This is the final fix for OLE Packager that should address all known exploit vectors.

RELATED STORIES
New Windows Zero Day
Microsoft Mulls a Patch for The Patch
Patch Tuesday Fixes 3 Zero Days
Chrome 38 Fixes 159 Security Bugs

MS14-066 is a new version of Internet Explorer that addresses 17 vulnerabilities. The most severe of these vulnerabilities could end up used to gain control over the targeted machine. An attack will take the form of a malicious webpage the targeted user lands on.

There are two basic scenarios that attackers use frequently: One is the user browses to the site on their own, maybe as part of a daily routine, but the attacker has gained control over the website in question through a separate vulnerability and is able to plant malicious content on the site.

A second scenario has the attacker setting up a new site and then directs traffic to it through Search Engine Manipulations, i.e. sites purporting to have the latest pictures on a recent event of general or specific interest.

MS14-069 addresses Microsoft Word 2007 and provides fixes for a Remote Code Execution (RCE) vulnerability. The attack scenario here is a malicious document the attacker prepares to exploit the vulnerability. Attackers then send the document directly or a link to their targets and use social engineering techniques, such as legitimate sounding file names and content descriptions that likely interest the targets in question. If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 are susceptible to the weakness.

Microsoft ranks highly the next bulletin, which addresses a number of vulnerabilities in an encryption component of Windows called Schannel, which sees use in SSL and TLS connections. The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles. The vulnerabilities are private as researchers within Microsoft found it.

The remaining bulletins address a mix of different operating systems and platforms and include a number of server vulnerabilities: MS14-073 in Microsoft SharePoint and MS14-076 in IIS.

Wednesday, October 15, 2014 @ 03:10 PM gHale

It was Patch Tuesday and as usual Microsoft issued security bulletins; this time they had eight that address two dozen vulnerabilities, including a bug exploited by Russian hackers to target NATO computers, officials said.

Issued as part of its October edition of Patch Tuesday, the updates address vulnerabilities found in all currently supported versions of Windows, Internet Explorer, Office and the .Net framework. Three of the bulletins are critical, meaning Microsoft recommends systems administrators apply the patches immediately.

RELATED STORIES
Chrome 38 Fixes 159 Security Bugs
Patch Tuesday: IE Zero Day Fixed
Chrome Update Brings 50 Security Fixes
Google Fixes 12 Chrome Vulnerabilities

Security researcher FireEye identified two of three Zero Day bugs used as “part of limited, targeted attacks against some major corporations.”

One of the patches addresses a remote code execution flaw in all supported versions of Microsoft Windows and Windows Server 2008 and 2012 exploited in the “Sandworm” cyberattack. The exploit was part of a five-year cyberespionage campaign, according to security firm iSight.

A team of hackers previously launched campaigns targeting the U.S. and EU intelligence communities, military establishments, news organizations and defense contractors — as well as jihadists and rebels in Chechnya, iSight said. However, focus turned toward the Ukrainian conflict with Russia, energy industries and political issues concerning Russia based on evidence gleaned from phishing emails.

Microsoft rated the flaw as important rather than critical because it requires a user to open a Microsoft Office file to initiate the code execution.

“A vulnerability exists in Windows OLE that could allow remote code execution if a user opens a file that contains a specially crafted OLE object,” Microsoft said in its bulletin. “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.”

Another Zero Day flaw addressed by the update is a privilege escalation vulnerability that “could lead to full access to the affected system,” Microsoft said in its bulletin.

A third Zero Day in Windows rated as critical and patched could allow remote code execution when a victim visits opens a document or visits a malicious website that contains embedded TrueType fonts.

Thursday, August 14, 2014 @ 05:08 PM gHale

Microsoft released 26 patches for Internet Explorer, including one fixing a critical vulnerability that could allow a remote attacker to gain access to a computer from over the Internet.

The patches were part of Microsoft’s monthly software update cycle, Patch Tuesday.

RELATED STORIES
IE Browser of Choice for Attacks
Patch Tuesday for Internet Explorer
Breach Alert: Critical Infrastructure at 70%
Data Breaches: Not Learning from History

Overall, Microsoft addressed 37 vulnerabilities this month, including two critical ones that could end up used for remote code execution.

MS14-051 is a collection of 26 patches for the Internet Explorer browser, said Wolfgang Kandek, chief technology officer for IT security firm Qualys. These vulnerabilities range across all currently supported versions of Internet Explorer, from IE6 to IE11.

The other critical vulnerability this month, addressed by MS14-048, is in Microsoft’s OneNote note-taking software. The vulnerability is a bug that would allow a malicious user to gain control of a machine.

OneNote, which is part of Office, does not see the widespread use like Word, Excel and PowerPoint, so Microsoft and researchers have been playing down the severity of this bug, but an organization that has this application should patch it immediately, Kandek said.

Other products patched this month include Windows, SharePoint and SQL Server. The SQL Server patch, addressed in MS14-044, offers patches for the database server software that don’t appear that often.

There are also two sets of patches that Adobe issued Tuesday, for its Reader and Flash software.

In the past few weeks, Microsoft has taken additional measures to better secure IE. It has created blocking mechanisms to stop older, unsecured, ActiveX and Java applications from running when the browser is in Internet-mode. It provides a whitelist that organizations can use to run their legacy Web applications, however.

Microsoft also said as of January 2016, it will stop supporting all but the latest versions of IE, a move to help the company better secure the browser by limiting the number of versions running. Organizations that require a specific version of the browser for legal or compliance reasons can continue to run the software in a new “enterprise mode” of operation Microsoft added to the browser.

Thursday, July 10, 2014 @ 03:07 PM gHale

Microsoft released a critical fix for vulnerabilities in its Internet Explorer web browser, as a part of its latest monthly Patch Tuesday update.

The Internet Explorer (IE) update is one of two critical updates this month and could end up used by hackers to mount remote code-execution attacks.

RELATED STORIES
IE Script Engine at Risk for Attacks
Big Patch Tuesday for Microsoft
Another IE Zero Day
Extreme Risk: SMBs Still Using XP

While the vulnerabilities are not to be trifled with, at least they are not Zero Days, so the potential use to hackers is limited.

The second critical bulletin relates to Microsoft’s now ancient Windows XP Tablet Edition, and its Windows Journal note-taking application. The vulnerability looks as though it is unlikely hackers will bother creating exploits to target it, although a patch should still end up installed.

The July Patch Tuesday release also includes three “important” updates plugging flaws in Windows On-Screen keyboard, afd.sys driver and DirectShow service. All three could end up used by hackers to provide local escalation of privileges.

There is also a fix for a “moderate” flaw in Windows Service Bus that could end up exploited to mount a denial-of-service attack.

Internet Explorer flaws have been an ongoing issue for Microsoft. By comparison, the company issued 59 IE fixes as part of its June Patch Tuesday update.

Wednesday, May 14, 2014 @ 11:05 AM gHale

Adobe’s Patch Tuesday offering included fixes for its Flash, Reader, and Acrobat platforms, as well as an update for Illustrator. In total, the update will patch 18 common vulnerabilities and exposures (CVE) security flaws.

Six of the flaws end up addressed in an update for the Windows, Linux, and OS X versions of Flash Player and Air SDK. The company said the update includes fixes for critical flaws that could allow remote code execution, and updating Flash Player should be a top priority for users and administrators.

RELATED STORIES
Adobe Fixes Flash Zero Day
After False Start, Apache Struts Fixed
DoS Risk with Apache Tomcat Servers
DDoS Attacks Break Records

Adobe credited the discovery of four of the flaws to Contextis researcher James Forshaw. Researchers with Keen Team and Team 509 via HP Zero Day Initiative (ZDI) received credit for unearthing another flaw, while Masato Kinugawa discovered one vulnerability.

Reader and Acrobat will receive 11 fixes, including remote code execution flaws for OS X and Windows software, which the company recommends administrators make a top deployment priority alongside the Flash Player updates.

Researchers credited with discovering those flaws include VUPEN (via HP ZDI), Ukatemi’s Gábor Molnár, Nanyang Technological University’s Wei Lei and Wu Hongjun, Yuki Chen of Trend Micro, Agile Information Security’s Pedro Ribeiro, HP ZDI researcher chkr_d591, Honglin Long, Sune Vuorela from Ange Optimization, and researchers with the Venustech Active-Defense Lab.

The third patch, addressing a remote code vulnerability in Illustrator CS6 for Windows and OS X, is a lower priority, as the platform is not a popular target for malware attacks – although users and administrators should test and deploy the update as soon as possible. Credit for discovery of the flaw went to researcher Noam Rathaus.

Wednesday, May 14, 2014 @ 10:05 AM gHale

Two critical advisories released on Patch Tuesday from Microsoft.

Microsoft identified three of advisories: MS14-024, MS14-025, and MS14-029, the IE patch, as priority one patching concerns. MS14-029 which is the update to IE is the only one of the two critical issues to receive the patching priority one designation. The other critical, MS14-022, affecting SharePoint is a priority two for patching. This is due to the complexity of the attack and it ended up privately reported and, therefore, not a public exploit.

RELATED STORIES
Microsoft Patches IE Zero Day
Microsoft Fixes Security Essentials Bug
No More XP after Patch Tuesday
Patch Tuesday: XP, IE Take Center Stage

MS14-029 is an interesting advisory. It is not a cumulative rollup fix for IE, which breaks with the recent trend of IE patching, but it does re-include the patch for MS14-021 which ended up fixed outside of the normal patch cycle on May 1. It’s not yet clear if this modifies the original fix or simply provides another vector for customers to get it.

One of the other CVEs fixed in this advisory is under limited, targeted attack. Also, there are two types to this patch for Windows 8.1 users, one for those who took the “Spring 2014 update rollup” and one for those who did not. This is the first advisory that clearly would have applied to Windows XP, but for which a patch is not available.

IE 6, 7, & 8 are vulnerable on Windows 2003 SP2, this would historically have mapped to the same scope of XP patches, but not this time. Microsoft ended support for XP in April.

Of the other two, important but highest patching priority issues, MS14-024 is a fix for an ASLR bypass. That means this issue is not really an exploit in and of itself, hence the “important” designation, but a weakness used in conjunction with other exploits to increase the likelihood of successfully controlling the location of memory manipulation. MS14-024 has seen use in conjunction with other attacks.

MS14-025 isn’t really a fix for the underlying issue, it just stops system administrators from doing something that weakens their overall security going forward by preventing them from specifying a local administrator password in group policy settings where anyone on the network can recover it in a reusable form. However, administrators who have already made that mistake will not have the setting removed and will still have to take other measures to plug that hole.

MS14-027 is an elevation of privilege issue privately reported to Microsoft, and is seeing limited, targeted attacks.

MS14-028 is a denial of service affecting Windows Servers with the iSCSI service installed. The service is not a default setting on Windows 2008 or 2008 R2, and is in, but disabled by default on Windows 2012.

Thursday, April 10, 2014 @ 06:04 PM gHale

Patch Tuesday, while small in nature this month, it was huge in that the industry will no longer see Windows XP as a part of the Microsoft environment.

Four patches — two rated as critical and another two rated as important by Microsoft – did end up releasing.

RELATED STORIES
Industry Faces Life after XP
XP Risks, Protection Tips after April 8
Patch Tuesday: XP, IE Take Center Stage
Security Awareness: A Matter of Safety

This first update (MS14-017) rated critical relates to one private and two publicly disclosed Remote Code Execution vulnerabilities in Microsoft’s Office productivity suite. This attack requires the user to click-on a specially crafted file which allows a successful attacker the same rights as the affected user. This vulnerability in Microsoft Office affects the entire spectrum of Office document handling products including all versions of Microsoft Word (2003, 2007, 2010, 1013, RT) and the Office Word document handling Web services such as SharePoint and Microsoft Web Apps. This issue also affects the Microsoft Word Viewer and the Microsoft Compatibility Pack.

This is the second attempt by Microsoft to resolve this issue as this update is a direct replacement for a security update earlier this year.

The second update (MS14-018) release relates to six privately reported memory corruption vulnerabilities that affect almost all versions of Internet Explorer from version 6 to Version 11 for 32 and 64-bit platforms and for the Windows RT platform – but not Internet Explorer 10 due to its recent Out of Band Update from Microsoft.

This vulnerability ends up exposed through a user accessing a specially crafted web page which could result in the same privileges as the logged in user.

The third (MS14-019) update rated important deals with a single privately reported vulnerability in the file handling functionally in all Windows platforms (32 and 64-bit). Using specially crafted batch or Command files (.bat or .cmd) files an attacker could gain the same access as a user through a Remote Code Execution vulnerability. Microsoft has resolved this security issue with an update to how these files (.bat and .cmd) files are run from remote or network based locations.

And the last update (MS14-020) relates to Microsoft Publisher which deals with a Remote Code Execution security vulnerability if a user opens a specially crafted file in Microsoft Publisher.

Tuesday, January 14, 2014 @ 05:01 PM gHale

Here we are in 2014 and some things just don’t change with the New Year. Take today’s Patch Tuesday. Three of the IT behemoths issued the first patch report of the New Year with Oracle leading the way with Microsoft and Adobe not too far behind.

Oracle first patch update for the New Year was one of its biggest ever, including a slew of security patches, most of which address vulnerabilities in Java.

RELATED STORIES
Adobe Patches Flash Player, Shockwave
Patch Tuesday Fixes 24 Holes
Big Security Patch from Oracle
Adobe Fixes Flash Player, ColdFusion

The Critical Patch Update addresses 144 flaws in hundreds of Oracle products, 36 of which apply to vulnerabilities in Java SE, including 34 that are bugs that can end up remotely exploited by an attacker without requiring authentication.

“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” Oracle officials said. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”

Five of the security fixes apply to Oracle Database Server. One of these vulnerabilities might be remotely exploitable without authentication, meaning it could suffer exploitation over a network without the need for a username and password.

The patch update will include Oracle products and components like JavaFX, versions 2.2.45 and earlier, Java JDK and JRE, versions 5.0u55, 6u65, 7u45 and earlier, and Java SE Embedded, versions 7u45 and earlier.

The highest CVSS 2.0 Base Score for vulnerabilities in Oracle’s Critical Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle FLEXCUBE Private Banking of Oracle Financial Services Software and Oracle WebCenter Sites of Oracle Fusion Middleware.

Meanwhile, Microsoft disclosed four security bulletins describing six vulnerabilities, and released product updates to address these vulnerabilities.

This is the first month since September 2011 that Microsoft released no critical updates in a Patch Tuesday cycle, and the first since September 2012 they have released four or fewer updates.

The four bulletins rated important include:
• MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) — At least one of three memory corruption vulnerabilities affect every version of Word or the Word viewer, as well as the relevant parts of Office Web Apps and SharePoint. These are remote code execution vulnerabilities.
• MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) — A user with valid logon credentials who is able to log on locally could run a special program and elevate privilege. This vulnerability affects only Windows XP and Windows Server 2003.
• MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) — Windows 7 and Windows Server 2008 R2 are vulnerable to a privilege elevation vulnerability. The user must have valid logon credentials and be able to log on locally.
• MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826) — If an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance, the AOS instance could stop functioning.

Last, but not least, Adobe’s Patch Tuesday release had fixes for Flash Player, Acrobat and Reader. All vulnerabilities get the highest priority rating. This means future exploits are likely.

The Flash Player bulletin, CVE-2014-0491 and CVE-2014-0492, concerns remote code execution vulnerabilities.

CVE-2014-0493, CVE-2014-0495 and CVE-2014-0496 affect Acrobat and Reader. These CVEs also concern remote code execution vulnerabilities. All of this month’s vulnerabilities ended up reported to Adobe directly.

Tuesday, December 10, 2013 @ 07:12 PM gHale

Microsoft issued 11 Patch Tuesday advisories affecting 6 different product types. All supported versions of Windows, Office, SharePoint, Exchange, Lync and a mixed bag of developer tools are now on the mend.

Five of the advisories rate as critical, including one affecting Exchange and one affecting SharePoint and Lync, not to mention the critical patch for Internet Explorer. Microsoft has given a critical with priority 1 rating to the three of them, MS13-096 (GDI+), MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime).

RELATED STORIES
Getting Ready for XP’s End of Life
Under Attack: XP Zero Day
Patch Tuesday Fixes Zero Day
Zero Day: Microsoft Under Attack

Regarding MS13-099, this is an interesting vulnerability because it’s exploitable by VBA script and EMET counter measures do not mitigate it.

This round of patching addresses the GDI+ issue publicly disclosed in early November in Security Advisory 2896666 and then blogged about by the various researchers.

There is also a Kernel Driver patch (MS13-101), but this round of patching does not include a fix for the publicly disclosed Kernel Elevation of Privilege issue reported in Security Advisory 2914486.

Wednesday, November 13, 2013 @ 06:11 AM gHale

Patch Tuesday for Microsoft meant the software giant addressed 19 unique vulnerabilities including Internet Explorer, Hyper-V, the Graphics Device Interface (GDI), Office, and others.

They also fixed the Zero Day vulnerability in Internet Explorer disclosed by FireEye over the weekend.

Of the advisories, the three most critical patches are the Internet Explorer patch (MS13-088), GDI (MS13-089), and the Zero Day flaw in ActiveX control which affected several versions of Internet Explorer (MS13-090), security experts said.

RELATED STORIES
Zero Day: Microsoft Under Attack
Microsoft Reinstates Update Tablet
Patch Tuesday Fixes Zero Days
Big Security Patch from Oracle

“Bulletin MS13-090 addresses the publicly-known issue in ActiveX Control, currently under targeted attacks. Customers with automatic updates enabled are protected against this vulnerability and do not need to take any action,” said Dustin Childs, group manager of Microsoft Trustworthy Computing.

Last week, security firm FireEye notified Microsoft of serious vulnerabilities in Internet Explorer, but it appears the team already knew about them as the ActiveX control patch (MS13-090) fixes the InformationCardSignInHelper flaw. Attackers have already targeted the bug in a watering-hole-style attack, and exploit code appeared on text-sharing site Pastebin, making this a high-priority issue.

Microsoft also disclosed a Zero Day vulnerability in how some versions of Microsoft Windows and older versions of Microsoft Office handled the TIFF graphics format. There is no patch available addressing this flaw in this Patch Tuesday release, so users who have not yet installed the FixIt temporary workaround should consider doing so as soon as possible.

Another IE patch (MS13-088) fixed two information disclosure bugs and eight memory corruption issues in various versions of the Web browser. Two of the vulnerabilities affect every version of IE, from versions 6 through 11, the latest version. While there have been no reported attacks exploiting these vulnerabilities, the fact that so many versions of Windows and Internet Explorer are affected means this patch should roll out as soon as possible.

The third highest priority bulletin (MS13-089) fixes a GDI bug, which affects every supported version of Windows from XP to Windows 8.1. Attackers need to create a malicious file and convince users to open it in WordPad to exploit this vulnerability.

The remaining patches addressed vulnerabilities in various versions of Microsoft Office (MS13-091), an information disclosure vulnerability in newer versions of Office (MS13-094), an elevation of privilege flaw in Hyper-V (MS13-092) in Windows 8 and Server 2012 R2, an information disclosure bug in Windows (MS13-093), and a denial of service (MS13-095) issue in the operating system.

 
 
Archived Entries