Posts Tagged ‘Patch Tuesday’
Tuesday, January 14, 2014 @ 05:01 PM gHale
Here we are in 2014 and some things just don’t change with the New Year. Take today’s Patch Tuesday. Three of the IT behemoths issued the first patch report of the New Year with Oracle leading the way with Microsoft and Adobe not too far behind.
Oracle’s first patch update of the New Year was one of its biggest ever, including a slew of security patches, a large share of which address vulnerabilities in Java.
The Critical Patch Update addresses 144 flaws across hundreds of Oracle products; 36 of the fixes apply to Java SE, and 34 of those cover bugs an attacker can exploit remotely without authentication.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” Oracle officials said. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”
Five of the security fixes apply to Oracle Database Server. One of these vulnerabilities may be remotely exploitable without authentication, meaning an attacker on the network could exploit it without a username and password.
The patch update covers Oracle products and components including JavaFX 2.2.45 and earlier, Java JDK and JRE 5.0u55, 6u65 and 7u45 and earlier, and Java SE Embedded 7u45 and earlier.
The highest CVSS 2.0 base score among the vulnerabilities in Oracle’s Critical Patch Update is 10.0, which applies to Java SE, Java SE Embedded and JRockit (Oracle Java SE), MySQL Enterprise Monitor (Oracle MySQL), Oracle FLEXCUBE Private Banking (Oracle Financial Services Software) and Oracle WebCenter Sites (Oracle Fusion Middleware).
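As an added illustration, not from the original post and not Oracle’s own tooling, the Python below turns the version ranges above into an inventory check: it parses the first line of `java -version` output collected from each host and flags any JDK or JRE at or below 5.0u55, 6u65 or 7u45. The hostnames and banners are constructed sample data. A version above a threshold only means it is outside the range this CPU lists as affected, not that the host is otherwise up to date.

```python
import re

# Affected ranges quoted in the January 2014 CPU text: Java family -> highest affected update.
# 5.0u55, 6u65 and 7u45 "and earlier" are affected; anything newer is outside this table.
AFFECTED_UP_TO = {5: 55, 6: 65, 7: 45}

# Matches the first line of `java -version`, e.g. java version "1.7.0_45" or "1.6.0_65-b14-462".
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, or None if it has none.

    The legacy numbering "1.<family>.0_<update>" is mapped to (family, update);
    a banner such as java version "9" is mapped to (9, 0)."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, _patch, update = match.groups()
    family = int(minor) if int(major) == 1 and minor is not None else int(major)
    return family, int(update or 0)


def is_affected(banner):
    """True if the banner is at or below the CPU's affected threshold for its family,
    False if it is newer, None if there is no Java or the family is not in the table."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family not in AFFECTED_UP_TO:
        return None
    return update <= AFFECTED_UP_TO[family]


def triage(inventory):
    """Bucket hosts as 'affected', 'clear' or 'unknown' given host -> banner text."""
    buckets = {"affected": [], "clear": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        verdict = is_affected(banner)
        key = "unknown" if verdict is None else ("affected" if verdict else "clear")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = {
    "build01": 'java version "1.7.0_45"\nJava(TM) SE Runtime Environment (build 1.7.0_45-b18)',
    "hmi-ws02": 'java version "1.6.0_65-b14-462"',
    "jump01": 'java version "1.7.0_51"',
    "legacy-xp": 'java version "1.5.0_22"',
    "no-java": "bash: java: command not found",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s}: {', '.join(hosts) or '-'}")
```

Hosts that report no Java, or a family the CPU does not list, land in the `unknown` bucket rather than being silently treated as clear; that is the bucket to follow up by hand.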
Meanwhile, Microsoft disclosed four security bulletins describing six vulnerabilities, and released product updates to address these vulnerabilities.
This is the first month since September 2011 in which Microsoft released no critical updates in a Patch Tuesday cycle, and the first since September 2012 with four or fewer bulletins.
The four bulletins rated important include:
• MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) — At least one of three memory corruption vulnerabilities affects every version of Word and the Word Viewer, as well as the relevant parts of Office Web Apps and SharePoint. These are remote code execution vulnerabilities.
• MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) — A user with valid logon credentials who is able to log on locally could run a specially crafted program and elevate privilege. This vulnerability affects only Windows XP and Windows Server 2003.
• MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) — Windows 7 and Windows Server 2008 R2 are vulnerable to a privilege elevation bug. The attacker must have valid logon credentials and be able to log on locally.
• MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826) — If an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance, the AOS instance could stop functioning.
Last, but not least, Adobe’s Patch Tuesday release had fixes for Flash Player, Acrobat and Reader. All of the bulletins carry Adobe’s highest priority rating, which means exploits are likely to follow.
The Flash Player bulletin covers two vulnerabilities, CVE-2014-0491 and CVE-2014-0492, described as remote code execution issues.
CVE-2014-0493, CVE-2014-0495 and CVE-2014-0496 affect Acrobat and Reader and are also remote code execution vulnerabilities. All of this month’s vulnerabilities were reported to Adobe directly.
Tuesday, December 10, 2013 @ 07:12 PM gHale
Microsoft issued 11 Patch Tuesday advisories affecting 6 different product types. All supported versions of Windows, Office, SharePoint, Exchange, Lync and a mixed bag of developer tools are now on the mend.
Five of the advisories rate as critical, including one affecting Exchange, one affecting SharePoint and Lync, and the critical patch for Internet Explorer. Microsoft gives three of them a critical rating with deployment priority 1: MS13-096 (GDI+), MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime).
MS13-099 is an interesting vulnerability because it is exploitable from VBA script and EMET countermeasures do not mitigate it.
This round of patching addresses the GDI+ issue publicly disclosed in early November in Security Advisory 2896666 and subsequently blogged about by various researchers.
There is also a Kernel Driver patch (MS13-101), but this round of patching does not include a fix for the publicly disclosed Kernel Elevation of Privilege issue reported in Security Advisory 2914486.
Wednesday, November 13, 2013 @ 06:11 AM gHale
Patch Tuesday for Microsoft meant the software giant addressed 19 unique vulnerabilities in Internet Explorer, Hyper-V, the Graphics Device Interface (GDI), Office and other products.
They also fixed the Zero Day vulnerability in Internet Explorer that FireEye disclosed over the weekend.
The three highest-priority patches, security experts said, are the Internet Explorer cumulative update (MS13-088), the GDI patch (MS13-089), and the fix for the Zero Day flaw in an ActiveX control that affected several versions of Internet Explorer (MS13-090).
“Bulletin MS13-090 addresses the publicly-known issue in ActiveX Control, currently under targeted attacks. Customers with automatic updates enabled are protected against this vulnerability and do not need to take any action,” said Dustin Childs, group manager of Microsoft Trustworthy Computing.
Last week, security firm FireEye notified Microsoft of serious vulnerabilities in Internet Explorer, but it appears the team already knew about them: the ActiveX control patch (MS13-090) fixes the InformationCardSignInHelper flaw. Attackers have already targeted the bug in a watering-hole-style attack, and exploit code appeared on the text-sharing site Pastebin, making this a high-priority issue.
Microsoft also disclosed a Zero Day vulnerability in how some versions of Microsoft Windows and older versions of Microsoft Office handled the TIFF graphics format. There is no patch available addressing this flaw in this Patch Tuesday release, so users who have not yet installed the FixIt temporary workaround should consider doing so as soon as possible.
Another IE patch (MS13-088) fixed two information disclosure bugs and eight memory corruption issues in various versions of the browser. Two of the vulnerabilities affect every version of IE from 6 through 11, the latest version. While there are no reported attacks exploiting these vulnerabilities, the number of Windows and Internet Explorer versions affected means this patch should roll out as soon as possible.
The third highest priority bulletin (MS13-089) fixes a GDI bug that affects every supported version of Windows from XP to Windows 8.1. To exploit it, an attacker needs to create a malicious file and convince a user to open it in WordPad.
The remaining patches addressed vulnerabilities in various versions of Microsoft Office (MS13-091), an information disclosure vulnerability in newer versions of Office (MS13-094), an elevation of privilege flaw in Hyper-V (MS13-092) in Windows 8 and Server 2012 R2, an information disclosure bug in Windows (MS13-093), and a denial of service (MS13-095) issue in the operating system.
Wednesday, October 9, 2013 @ 03:10 PM gHale
Microsoft released eight new security bulletins, four rated critical and four important, including fixes for two Zero Days in Internet Explorer.
The security update for Internet Explorer, MS13-080, addresses 10 separate vulnerabilities affecting all supported versions of the browser. Users should take note because two of the vulnerabilities are Zero Day bugs already under exploitation.
Security researchers have been watching the IE exploit since it first became public in mid-September.
The catch is that once a patch is released, attackers can reverse engineer it and have an attack lined up and ready to go. Microsoft putting the patch out does not mean everyone applies it, and those who lag behind become more exposed than they were before the fix shipped.
Two other security bulletins follow the Internet Explorer update in priority.
MS13-081 addresses seven vulnerabilities in kernel-mode drivers affecting all versions of Windows except Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2. Two of the flaws are in font parsing and could let an attacker remotely execute malicious code if successfully exploited.
Microsoft has released 87 security bulletins so far this year. That puts them 17 ahead of last year’s pace.
However, the number of bulletins should also be seen in the light of Microsoft stepping up the pace at which it addresses identified vulnerabilities, and of it patching a growing number of supported platforms and applications.
Wednesday, September 18, 2013 @ 01:09 PM gHale
Once more Microsoft needed to reissue four security bulletins after its Patch Tuesday release.
Microsoft said on its blog that the new patches were available last Thursday, just two days after it released its scheduled Patch Tuesday update.
New patches were available for four security bulletins, MS13-067, MS13-072, MS13-073 and MS13-074, which addressed bugs in a series of Microsoft Office products, including Excel and SharePoint Server. Non-security updates were also re-released for Microsoft PowerPoint 2010 (KB2553145) and PowerPoint Viewer 2010 (KB2553351).
Customers complained about updates attempting to reinstall numerous times on their machines, the company said; in other instances, patches weren’t offered to customers at all.
“Since the shipment of the September 2013 security bulletin release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM),” the blog post said. “We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.”
In a blog post on Monday, security researcher Graham Cluley wrote that the recurring problems with Patch Tuesday releases were highly concerning given the number of users that rely on the fixes.
In last month’s patch release, Microsoft pulled a patch that addresses three vulnerabilities in Exchange Server. In that incident, Microsoft scrapped the Patch Tuesday fix after becoming aware that installing it caused problems.
“Following so soon after last month’s buggy security update, one has to wonder what’s going wrong at Microsoft Quality Control,” Cluley said. “The company can’t afford to keep messing up like this. The risk is that millions of users around the world will begin to question Microsoft’s ability to properly patch security vulnerabilities, and lose trust in the firm.”
Microsoft did catch one bug in its Patch Tuesday update before dispatching the release. The company had originally planned to release 14 fixes, but shipped only 13 last week, leaving out one patch that would have addressed a denial-of-service issue in its .NET framework.
Wednesday, September 11, 2013 @ 09:09 AM gHale
Microsoft’s Patch Tuesday brought out 13 bulletins.
Seven of the 13 bulletins cover the Microsoft Office family and six cover the Windows operating system.
Four advisories are rated critical. All of them are going to matter, subject to which versions of Windows are deployed in your environment. One of them is the monthly IE update, which all versions of IE require.
Microsoft is putting top priority on MS13-067, which affects SharePoint Server. The advisory covers multiple CVEs, the most severe of which is CVE-2013-1330: it allows remote code execution through malicious content sent to the server without user interaction, which is genuine remote exploitation. Of the 10 CVEs, one is public, but reportedly it is not CVE-2013-1330. There is a workaround for CVE-2013-1330 that involves enabling message authentication code (MAC) validation of page view state.
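As an added example, not part of the original post and not SharePoint’s own code, the Python below shows what a view-state MAC buys you. Page state handed to the client is modelled here as a JSON blob; in ASP.NET the real blob is a serialised object graph, so a forged blob that gets deserialised without a check is code execution rather than a changed field, which is why a disabled MAC is rated as remote code execution. The server key and the page state are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only; ASP.NET keeps the equivalent in the machineKey config.
SERVER_KEY = b"example-machine-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _serialise(state):
    # Canonical encoding so the MAC covers a stable byte string.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def encode_state(state, enable_mac):
    """Server side: hand page state to the client. With enable_mac=False the blob is
    the bare serialised state, which is what a disabled view-state MAC amounts to."""
    payload = _serialise(state)
    if enable_mac:
        payload += hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode()


def decode_state(blob, enable_mac):
    """Server side: take state back from the client. Only the enable_mac=True path
    checks that the blob is one this server produced before deserialising it."""
    raw = base64.b64decode(blob)
    if not enable_mac:
        return json.loads(raw)  # weak: deserialises whatever the client sent
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("view state MAC check failed")
    return json.loads(payload)


def tamper(blob, changes):
    """Attacker side: rewrite fields in the client-held blob without SERVER_KEY.
    Whatever trails the JSON (a MAC tag, if any) is copied through unchanged."""
    text = base64.b64decode(blob).decode("latin-1")  # 1:1 byte-to-char, so offsets are byte offsets
    state, end = json.JSONDecoder().raw_decode(text)  # parse the leading JSON object only
    state.update(changes)
    trailer = text[end:].encode("latin-1")
    return base64.b64encode(_serialise(state) + trailer).decode()


def forged_state_accepted(enable_mac):
    """Round trip: does a forged blob reach deserialisation under this setting?"""
    original = {"page": "/sites/hr/default.aspx", "role": "reader"}
    forged = tamper(encode_state(original, enable_mac), {"role": "owner"})
    try:
        return decode_state(forged, enable_mac)["role"] == "owner"
    except ValueError:
        return False


if __name__ == "__main__":
    print("MAC disabled, forgery accepted:", forged_state_accepted(False))
    print("MAC enabled,  forgery accepted:", forged_state_accepted(True))
```

The point to take from the two paths in `decode_state` is ordering: the MAC is verified before anything is deserialised, so attacker-controlled bytes never reach the deserialiser. A check placed after deserialisation would be too late for the object-graph case.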
Of the other two critical advisories, both require user interaction to trigger the vulnerability; however, MS13-068 affecting Microsoft Outlook is particularly toxic because it can occur when users view malicious content in the Outlook preview pane.
MS13-070 applies only to XP and Server 2003, where such vulnerabilities tend to be less “contained” than on newer versions of Windows. XP and Office 2003 have shown no let-up in patching frequency, despite the end of support for XP looming in April 2014.
If you run an MS-heavy shop and have invested significantly in SharePoint as back-office technology, this month is going to be very busy. There are many vulnerabilities to patch, many of them high risk. Office vulnerabilities are typically mitigated by the fact that a user has to interact with something malicious, an attachment or a link; with the Office server (SharePoint) that mitigation goes away and other layers of defense in depth have to carry the load.
Wednesday, August 14, 2013 @ 04:08 PM gHale
Some patches are more of a rush job than others; this month Microsoft took less than 30 days to incorporate an Oracle Outside In patch and fix a critically rated remote code execution bug in Exchange Server.
Those are among the eight bulletins released as part of Microsoft’s August 2013 Patch Tuesday security updates.
Oracle patched Outside In in its July Critical Patch Update (CPU); the technology lets developers convert unstructured file formats into normalized files. MS13-061 includes the Outside In patch, which is part of the WebReady Document Viewing and Data Loss Prevention (DLP) features on Exchange Server.
An exploit could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). The attacker would gain the privileges of the transcoding service on the Exchange server: the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both run with minimal privileges.
If you run Exchange and users have OWA, address this issue as quickly as possible. Microsoft also recommends a workaround that turns off Outside In document processing.
MS13-059 is another cumulative patch for Internet Explorer and repairs 11 remotely exploitable vulnerabilities in the browser, including a sandbox bypass discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6 through 10 are vulnerable; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.
The IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.
The final critical bulletin, MS13-060, patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that embeds OpenType fonts.
The remaining bulletins all ended up rated important by Microsoft.
• MS13-062 patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages.
• MS13-063 is another privilege escalation bulletin, this one for the Windows kernel. It patches four vulnerabilities, the most severe of which grants elevated privileges if an attacker is able to log in locally and run a malicious application. Besides memory corruption bugs, one of the vulnerabilities in this bulletin lets an attacker bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.
• MS13-064 patches a denial of service vulnerability in Windows NAT Driver.
• MS13-065 also fixes a denial of service bug, this one in ICMPv6, affecting Vista, Windows Server 2008, Windows 7, Windows 8, Windows RT and Windows Server 2012.
• MS13-066 patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012.
Wednesday, July 10, 2013 @ 11:07 AM gHale
Patch Tuesday brought out seven bulletins from Microsoft this month, addressing 34 vulnerabilities. Six of the bulletins rate as “critical” and cover remote code execution.
Among the 34 holes in Windows, Internet Explorer, Office and other products is a Windows kernel vulnerability in the Windows privilege system that had been public for over a month.
Google security expert Tavis Ormandy discovered the kernel hole in May and didn’t wait long before disclosing details. Shortly afterwards an exploit followed that opens a Windows command prompt at SYSTEM privilege level, regardless of the user’s actual privilege level.
The hole, CVE-2013-3660, affects all versions of Windows. Microsoft did not warn its customers about the security problem ahead of the patch day, despite the hole, according to the company, being used in targeted attacks.
Bulletin MS13-053 closes further critical security holes, including an issue in the code that processes TrueType fonts, and users should install it as soon as possible.
The .NET framework and Silverlight also struggle with specially crafted TrueType fonts, potentially allowing attackers to inject malicious code. Microsoft said two of the vulnerabilities the bulletin fixes were already public. The GDI+ graphics library contains a critical font processing issue that allows attackers to infect systems with malware. The library is part of quite a few Microsoft products, all of which suffer from the issue: all versions of Windows, Office 2003 to 2010, Visual Studio .NET 2003 and Microsoft Lync.
Microsoft also released a collective update for Internet Explorer, a critical update for DirectShow and another for the Windows Media Format runtime.
There is a patch for Windows Defender to close a hole that allows attackers to execute code at SYSTEM privilege level on Windows 7 and Server 2008 R2. To exploit the hole, however, an attacker must be able to log into the system and must also be able to write to the root of the system drive. This is the only update Microsoft rated at the second-highest threat level, important.
The company also said the developers of apps available in the Windows Store, Windows Phone Store, Office Store and Azure Marketplace will, in future, have 180 days to close “critical” and “important” vulnerabilities. A prerequisite for this grace period is there must not be a public exploit for the hole. Otherwise, Microsoft said, it will withdraw vulnerable apps at short notice if necessary.