Posts Tagged ‘Patch Tuesday’
Monday, January 19, 2015 @ 02:01 PM gHale
While it was almost a week ago, Patch Tuesday is still an important day as Microsoft released one critical security bulletin and seven others rated “important.”
The critical bulletin addresses a vulnerability in Microsoft Windows’ Telnet Service that enables an attacker to remotely execute code via specially crafted packets sent to an affected Windows server. Only users who enable Telnet are vulnerable to the issue. Telnet is not installed by default on systems running Windows Vista and later; it is installed on Windows Server 2003, but not enabled.
Four of the eight bulletins deal with privilege escalation issues. One of these, MS15-004, is under limited, targeted attack. According to Microsoft, the vulnerability exists in the TS WebProxy Windows component and occurs when Windows fails to properly sanitize file paths. Currently, the vulnerability is being used in attacks as a sandbox bypass.
“To successfully exploit this vulnerability, an attacker would have to take advantage of an existing vulnerability in Internet Explorer by tricking a user into downloading a specially crafted application,” Microsoft said in its advisory. “In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.”
The privilege escalation issues fixed in the updates include the bug uncovered by Google in Windows 8.1. The remaining bulletins address a vulnerability that could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) and two others that could allow an attacker to bypass a security feature in Windows.
Wednesday, October 15, 2014 @ 03:10 PM gHale
It was Patch Tuesday and as usual Microsoft issued security bulletins; this time they had eight that address two dozen vulnerabilities, including a bug exploited by Russian hackers to target NATO computers, officials said.
Issued as part of its October edition of Patch Tuesday, the updates address vulnerabilities found in all currently supported versions of Windows, Internet Explorer, Office and the .Net framework. Three of the bulletins are critical, meaning Microsoft recommends systems administrators apply the patches immediately.
Security researcher FireEye identified two of three Zero Day bugs used as “part of limited, targeted attacks against some major corporations.”
One of the patches addresses a remote code execution flaw in all supported versions of Microsoft Windows and Windows Server 2008 and 2012 exploited in the “Sandworm” cyberattack. The exploit was part of a five-year cyberespionage campaign, according to security firm iSight.
A team of hackers previously launched campaigns targeting the U.S. and EU intelligence communities, military establishments, news organizations and defense contractors — as well as jihadists and rebels in Chechnya, iSight said. However, focus turned toward the Ukrainian conflict with Russia, energy industries and political issues concerning Russia based on evidence gleaned from phishing emails.
Microsoft rated the flaw as important rather than critical because it requires a user to open a Microsoft Office file to initiate the code execution.
“A vulnerability exists in Windows OLE that could allow remote code execution if a user opens a file that contains a specially crafted OLE object,” Microsoft said in its bulletin. “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.”
Another Zero Day flaw addressed by the update is a privilege escalation vulnerability that “could lead to full access to the affected system,” Microsoft said in its bulletin.
A third Zero Day in Windows, rated as critical and patched, could allow remote code execution when a victim opens a document or visits a malicious website that contains embedded TrueType fonts.
Thursday, August 14, 2014 @ 05:08 PM gHale
Microsoft released 26 patches for Internet Explorer, including one fixing a critical vulnerability that could allow a remote attacker to gain access to a computer from over the Internet.
The patches were part of Microsoft’s monthly software update cycle, Patch Tuesday.
Overall, Microsoft addressed 37 vulnerabilities this month, including two critical ones that could end up used for remote code execution.
MS14-051 is a collection of 26 patches for the Internet Explorer browser, said Wolfgang Kandek, chief technology officer for IT security firm Qualys. These vulnerabilities range across all currently supported versions of Internet Explorer, from IE6 to IE11.
The other critical vulnerability this month, addressed by MS14-048, is in Microsoft’s OneNote note-taking software. The vulnerability is a bug that would allow a malicious user to gain control of a machine.
OneNote, which is part of Office, does not see the same widespread use as Word, Excel and PowerPoint, so Microsoft and researchers have been playing down the severity of this bug, but an organization that has this application should patch it immediately, Kandek said.
Other products patched this month include Windows, SharePoint and SQL Server. The SQL Server patch, MS14-044, is notable because security updates for the database server software don’t appear that often.
There are also two sets of patches that Adobe issued Tuesday, for its Reader and Flash software.
In the past few weeks, Microsoft has taken additional measures to better secure IE. It has created blocking mechanisms to stop older, unsecured, ActiveX and Java applications from running when the browser is in Internet-mode. It provides a whitelist that organizations can use to run their legacy Web applications, however.
Microsoft also said as of January 2016, it will stop supporting all but the latest versions of IE, a move to help the company better secure the browser by limiting the number of versions running. Organizations that require a specific version of the browser for legal or compliance reasons can continue to run the software in a new “enterprise mode” of operation Microsoft added to the browser.
Thursday, July 10, 2014 @ 03:07 PM gHale
Microsoft released a critical fix for vulnerabilities in its Internet Explorer web browser, as a part of its latest monthly Patch Tuesday update.
The Internet Explorer (IE) update is one of two critical updates this month and could end up used by hackers to mount remote code-execution attacks.
While the vulnerabilities are not to be trifled with, at least they are not Zero Days, so the potential use to hackers is limited.
The second critical bulletin relates to Microsoft’s now ancient Windows XP Tablet Edition and its Windows Journal note-taking application. It seems unlikely hackers will bother creating exploits to target it, although the patch should still be installed.
The July Patch Tuesday release also includes three “important” updates plugging flaws in Windows On-Screen keyboard, afd.sys driver and DirectShow service. All three could end up used by hackers to provide local escalation of privileges.
There is also a fix for a “moderate” flaw in Windows Service Bus that could end up exploited to mount a denial-of-service attack.
Internet Explorer flaws have been an ongoing issue for Microsoft. By comparison, the company issued 59 IE fixes as part of its June Patch Tuesday update.
Wednesday, May 14, 2014 @ 11:05 AM gHale
Adobe’s Patch Tuesday offering included fixes for its Flash, Reader, and Acrobat platforms, as well as an update for Illustrator. In total, the updates patch 18 security flaws with CVE identifiers.
Six of the flaws are addressed in an update for the Windows, Linux, and OS X versions of Flash Player and the AIR SDK. The company said the update includes fixes for critical flaws that could allow remote code execution, and updating Flash Player should be a top priority for users and administrators.
Adobe credited the discovery of four of the flaws to Contextis researcher James Forshaw. Researchers with Keen Team and Team 509 via HP Zero Day Initiative (ZDI) received credit for unearthing another flaw, while Masato Kinugawa discovered one vulnerability.
Reader and Acrobat will receive 11 fixes, including remote code execution flaws for OS X and Windows software, which the company recommends administrators make a top deployment priority alongside the Flash Player updates.
Researchers credited with discovering those flaws include VUPEN (via HP ZDI), Ukatemi’s Gábor Molnár, Nanyang Technological University’s Wei Lei and Wu Hongjun, Yuki Chen of Trend Micro, Agile Information Security’s Pedro Ribeiro, HP ZDI researcher chkr_d591, Honglin Long, Sune Vuorela from Ange Optimization, and researchers with the Venustech Active-Defense Lab.
The third patch, addressing a remote code execution vulnerability in Illustrator CS6 for Windows and OS X, is a lower priority, as the platform is not a popular target for malware attacks – although users and administrators should test and deploy the update as soon as possible. Credit for discovery of the flaw went to researcher Noam Rathaus.
Wednesday, May 14, 2014 @ 10:05 AM gHale
Microsoft released two critical advisories on Patch Tuesday.
Microsoft identified three advisories, MS14-024, MS14-025 and MS14-029 (the IE patch), as priority one patching concerns. MS14-029, the IE update, is the only one of the two critical issues to receive the priority one designation. The other critical advisory, MS14-022, affecting SharePoint, is a priority two for patching because of the complexity of the attack and because it was privately reported and, therefore, has no public exploit.
MS14-029 is an interesting advisory. It is not a cumulative rollup fix for IE, which breaks with the recent trend of IE patching, but it does re-include the patch for MS14-021 which ended up fixed outside of the normal patch cycle on May 1. It’s not yet clear if this modifies the original fix or simply provides another vector for customers to get it.
One of the other CVEs fixed in this advisory is under limited, targeted attack. Also, there are two versions of this patch for Windows 8.1 users, one for those who took the “Spring 2014 update rollup” and one for those who did not. This is the first advisory that clearly would have applied to Windows XP, but for which a patch is not available.
IE 6, 7 and 8 are vulnerable on Windows 2003 SP2; historically this would have mapped to the same scope as the XP patches, but not this time, since Microsoft ended support for XP in April.
Of the other two issues that are rated important but given the highest patching priority, MS14-024 is a fix for an ASLR bypass. This issue is not really an exploit in and of itself, hence the “important” designation, but a weakness used in conjunction with other exploits to increase the likelihood of successfully controlling where memory manipulation lands. MS14-024 has seen use in conjunction with other attacks.
MS14-025 isn’t really a fix for the underlying issue; it simply stops system administrators from doing something that weakens their overall security going forward, by preventing them from specifying a local administrator password in Group Policy settings, where anyone on the network can recover it in a reusable form. However, administrators who have already made that mistake will not have the setting removed and will still have to take other measures to plug that hole.
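Because MS14-025 leaves existing Group Policy Preference items in place, an administrator has to find them. The following audit script is an added example, not part of the original post or of Microsoft’s update; it assumes a domain-joined host with read access to SYSVOL and PowerShell 3.0 or later, and it only reports where a stored credential exists, never the value itself.

```powershell
# Added example (not from the original post): list Group Policy Preference
# XML files in SYSVOL that still carry a non-empty "cpassword" attribute,
# the stored local-account credential that MS14-025 stops administrators
# from creating but does not remove from existing GPOs.
# Assumptions: domain-joined host, read access to SYSVOL, PowerShell 3.0+.

$domain   = $env:USERDNSDOMAIN                     # e.g. corp.example.com
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Preference files that can contain a cpassword attribute
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppPassword {
    param([string]$PoliciesPath)

    Get-ChildItem -Path $PoliciesPath -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw

        # Every element carrying a non-empty cpassword is a stored credential.
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            if ($node.GetAttribute('cpassword') -eq '') { continue }

            # The GPO GUID is the {…} folder name under Policies
            $gpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { '?' }

            [pscustomobject]@{
                GpoGuid = $gpoGuid
                File    = $file.Name
                Item    = $node.ParentNode.GetAttribute('name')     # e.g. the local account name
                Changed = $node.ParentNode.GetAttribute('changed')  # last-modified stamp, if present
            }
        }
    }
}

# Report only; the credential value is never read out. Each hit should be
# removed from the GPO and the affected account's password changed.
Find-GppPassword -PoliciesPath $policies | Format-Table -AutoSize
```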
MS14-027 is an elevation of privilege issue privately reported to Microsoft, and is seeing limited, targeted attacks.
MS14-028 is a denial of service affecting Windows Servers with the iSCSI service installed. The service is not installed by default on Windows 2008 or 2008 R2, and is present but disabled by default on Windows 2012.
Thursday, April 10, 2014 @ 06:04 PM gHale
Patch Tuesday, while small this month, was huge in that the industry will no longer see Windows XP as a part of the Microsoft environment.
Four patches — two rated as critical and another two rated as important by Microsoft – were released.
The first update (MS14-017), rated critical, relates to one privately and two publicly disclosed Remote Code Execution vulnerabilities in Microsoft’s Office productivity suite. The attack requires the user to open a specially crafted file, which gives a successful attacker the same rights as the affected user. This vulnerability affects the entire spectrum of Office document handling products, including all versions of Microsoft Word (2003, 2007, 2010, 2013, RT) and the Word document handling Web services such as SharePoint and Microsoft Web Apps. It also affects the Microsoft Word Viewer and the Microsoft Compatibility Pack.
This is the second attempt by Microsoft to resolve this issue as this update is a direct replacement for a security update earlier this year.
The second update (MS14-018) relates to six privately reported memory corruption vulnerabilities that affect almost all versions of Internet Explorer, from version 6 to version 11, on 32 and 64-bit platforms and on Windows RT – but not Internet Explorer 10, due to its recent Out of Band Update from Microsoft.
These vulnerabilities are exposed when a user visits a specially crafted web page, which could give an attacker the same privileges as the logged-in user.
The third update (MS14-019), rated important, deals with a single privately reported vulnerability in the file handling functionality of all Windows platforms (32 and 64-bit). Using specially crafted batch or command (.bat or .cmd) files, an attacker could gain the same access as the user through a Remote Code Execution vulnerability. Microsoft resolved the issue with an update to how .bat and .cmd files are run from remote or network-based locations.
And the last update (MS14-020) addresses a Remote Code Execution vulnerability in Microsoft Publisher that is triggered if a user opens a specially crafted file in Publisher.
Tuesday, January 14, 2014 @ 05:01 PM gHale
Here we are in 2014 and some things just don’t change with the New Year. Take today’s Patch Tuesday. Three of the IT behemoths issued the first patch report of the New Year with Oracle leading the way with Microsoft and Adobe not too far behind.
Oracle’s first patch update for the New Year was one of its biggest ever, including a slew of security patches, most of which address vulnerabilities in Java.
The Critical Patch Update addresses 144 flaws in hundreds of Oracle products, 36 of which apply to vulnerabilities in Java SE, including 34 that can be remotely exploited by an attacker without requiring authentication.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” Oracle officials said. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”
Five of the security fixes apply to Oracle Database Server. One of these vulnerabilities might be remotely exploitable without authentication, meaning it could be exploited over a network without the need for a username and password.
The patch update will include Oracle products and components like JavaFX, versions 2.2.45 and earlier, Java JDK and JRE, versions 5.0u55, 6u65, 7u45 and earlier, and Java SE Embedded, versions 7u45 and earlier.
The highest CVSS 2.0 Base Score for vulnerabilities in Oracle’s Critical Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle FLEXCUBE Private Banking of Oracle Financial Services Software and Oracle WebCenter Sites of Oracle Fusion Middleware.
Meanwhile, Microsoft disclosed four security bulletins describing six vulnerabilities, and released product updates to address these vulnerabilities.
This is the first month since September 2011 that Microsoft released no critical updates in a Patch Tuesday cycle, and the first since September 2012 they have released four or fewer updates.
The four bulletins rated important include:
• MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) — At least one of three memory corruption vulnerabilities affects every version of Word or the Word Viewer, as well as the relevant parts of Office Web Apps and SharePoint. These are remote code execution vulnerabilities.
• MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) — A user with valid logon credentials who is able to log on locally could run a special program and elevate privilege. This vulnerability affects only Windows XP and Windows Server 2003.
• MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) — Windows 7 and Windows Server 2008 R2 are vulnerable to a privilege elevation vulnerability. The user must have valid logon credentials and be able to log on locally.
• MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826) — If an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance, the AOS instance could stop functioning.
Last, but not least, Adobe’s Patch Tuesday release had fixes for Flash Player, Acrobat and Reader. All vulnerabilities get the highest priority rating. This means future exploits are likely.
The Flash Player bulletin covers CVE-2014-0491 and CVE-2014-0492, both remote code execution vulnerabilities.
CVE-2014-0493, CVE-2014-0495 and CVE-2014-0496 affect Acrobat and Reader. These CVEs are also remote code execution vulnerabilities. All of this month’s vulnerabilities were reported to Adobe directly.
Tuesday, December 10, 2013 @ 07:12 PM gHale
Microsoft issued 11 Patch Tuesday advisories affecting 6 different product types. All supported versions of Windows, Office, SharePoint, Exchange, Lync and a mixed bag of developer tools are now on the mend.
Five of the advisories rate as critical, including one affecting Exchange and one affecting SharePoint and Lync, not to mention the critical patch for Internet Explorer. Microsoft has given a critical, priority 1 rating to three of them: MS13-096 (GDI+), MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime).
Regarding MS13-099, this is an interesting vulnerability because it’s exploitable by VBA script and EMET countermeasures do not mitigate it.
This round of patching addresses the GDI+ issue publicly disclosed in early November in Security Advisory 2896666 and then blogged about by the various researchers.
There is also a Kernel Driver patch (MS13-101), but this round of patching does not include a fix for the publicly disclosed Kernel Elevation of Privilege issue reported in Security Advisory 2914486.