ISSSource White Papers

Posts Tagged ‘Patch Tuesday’

Wednesday, June 10, 2015 @ 02:06 PM gHale

There was a smaller allotment of patches this month from Microsoft, with two critical patches and six important ones to deal with.

MS15-056 is a critical cumulative update for Internet Explorer addressing 24 CVEs. The risk is that attackers could achieve remote code execution and gain the same rights as the affected user.


MS15-059, while rated important, impacts all shipping desktop versions of Microsoft Office. This bulletin addresses three vulnerabilities in Office that an attacker could use for remote code execution.

The critical MS15-057 affects Windows Media Player, where a malicious media file, once played, can give the attacker full user rights. Users will also need to focus on a vulnerability in Adobe Flash: APSB15-11 is the eighth Flash Player update this year and fixes 13 vulnerabilities across Windows and Mac desktops.

Microsoft announced it will release Windows 10 on July 29. The upgrade will be available for free for a year and will continue for the lifetime of any device it is installed on: a PC, tablet, or phone.

Microsoft said it will continually update the OS with new features and security updates without the fanfare of a new OS version number, and without the costly endeavor of testing code and holding on to it until a pre-selected release date. In time, this should result in a simpler, safer computing experience, the company said.

Friday, May 15, 2015 @ 05:05 PM gHale

This past week's Patch Tuesday put 14 critical vulnerabilities in Internet Explorer among the targets of Microsoft's monthly security patches.

Overall, the software giant fixed 46 vulnerabilities across products including Windows, Internet Explorer and Office.


The patches were in 13 security bulletins, three flagged as critical and ten as important.

The critical bulletins, MS15-043, MS15-044 and MS15-045, cover remote code execution vulnerabilities in Windows, IE, Office, Microsoft .NET Framework, Microsoft Lync and Silverlight.

MS15-043 fixes 22 vulnerabilities in Internet Explorer, 14 of which are rated critical. Critical vulnerabilities in IE allow attackers to execute arbitrary code on machines when their users visit malicious Web pages.

MS15-044 fixes two vulnerabilities in a font parsing library used by many Microsoft products. Attackers could exploit these flaws by embedding a specially crafted font in documents or Web pages.

Monday, February 16, 2015 @ 09:02 AM gHale

While it is almost a week late, it is still important to point out the Patch Tuesday bulletin where Microsoft issued nine releases.

Three of the bulletins rate as “critical” and impact Internet Explorer and Microsoft Windows. The IE bulletin (MS15-009) will be the focus for most organizations; it fixes 41 vulnerabilities, one of which was publicly disclosed (CVE-2014-8967) and another of which is currently under attack (CVE-2015-0071). Despite the large number of fixes, the bulletin does not address the universal cross-site scripting vulnerability hitting IE.


The critical Windows bulletins are MS15-010 and MS15-011.

According to Microsoft, MS15-010 addresses one publicly disclosed and five privately disclosed issues. The most severe of these can be exploited if an attacker convinces a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType fonts. MS15-011, meanwhile, focuses on one privately reported issue in Windows that could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network.

“A remote code execution vulnerability exists in how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller,” Microsoft said in its advisory. “To exploit this vulnerability, an attacker would have to convince a victim with a domain-configured system to connect to an attacker-controlled network.”

The bug, CVE-2015-0008, was discovered by JAS Global Advisors and simMachines. All computers and devices that are members of a corporate Active Directory may be at risk, JAS researchers said.

“The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device,” according to a JAS advisory. “Roaming machines — Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN)) — are at heightened risk.”

The remaining bulletins are all “Important,” and cover issues affecting Microsoft Office, Windows and Microsoft Server Software.

Monday, January 19, 2015 @ 02:01 PM gHale

While it was almost a week ago, Patch Tuesday is still an important day: Microsoft released one critical security bulletin and seven others rated “important.”

The critical bulletin addresses a vulnerability in Microsoft Windows’ Telnet Service that enables an attacker to remotely execute code via specially crafted packets sent to an affected Windows server. Only users who enable Telnet are vulnerable to the issue. Telnet is not installed by default on systems running Windows Vista and later; on Windows Server 2003 it is installed but not enabled.


Four of the eight bulletins deal with privilege escalation issues. One of these, MS15-004, is under limited, targeted attack. According to Microsoft, the vulnerability exists in the TS WebProxy Windows component and occurs when Windows fails to properly sanitize file paths. It is currently being used in attacks as a sandbox bypass.

“To successfully exploit this vulnerability, an attacker would have to take advantage of an existing vulnerability in Internet Explorer by tricking a user into downloading a specially crafted application,” Microsoft said in its advisory. “In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.”

The privilege escalation issues fixed in the updates include the bug uncovered by Google in Windows 8.1. The remaining bulletins address a vulnerability that could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) and two others that could allow an attacker to bypass a security feature in Windows.

Friday, November 14, 2014 @ 04:11 PM gHale

Patch Tuesday this month means 14 bulletins with new versions and patches for Microsoft software, operating systems and applications.

The most important bulletin MS14-064 addresses a current Zero Day vulnerability – CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions. Attackers have been leveraging the vulnerability to gain code execution by sending PowerPoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary FixIt patch. This is the final fix for OLE Packager that should address all known exploit vectors.


MS14-066 is a new version of Internet Explorer that addresses 17 vulnerabilities. The most severe of these vulnerabilities could end up used to gain control over the targeted machine. An attack will take the form of a malicious webpage the targeted user lands on.

There are two basic scenarios that attackers use frequently. In the first, the user browses to the site on their own, maybe as part of a daily routine, but the attacker has gained control over the website in question through a separate vulnerability and is able to plant malicious content on the site.

In the second, the attacker sets up a new site and then directs traffic to it through search engine manipulation, e.g. sites purporting to have the latest pictures of a recent event of general or specific interest.

MS14-069 addresses Microsoft Word 2007 and provides fixes for a Remote Code Execution (RCE) vulnerability. The attack scenario here is a malicious document the attacker prepares to exploit the vulnerability. Attackers then send the document directly or a link to their targets and use social engineering techniques, such as legitimate sounding file names and content descriptions that likely interest the targets in question. If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 are susceptible to the weakness.

Microsoft ranks the next bulletin highly. It addresses a number of vulnerabilities in an encryption component of Windows called Schannel, which is used for SSL and TLS connections. The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles. The vulnerabilities were privately reported, as Microsoft’s own researchers found them.

The remaining bulletins address a mix of different operating systems and platforms and include a number of server vulnerabilities: MS14-073 in Microsoft SharePoint and MS14-076 in IIS.

Wednesday, October 15, 2014 @ 03:10 PM gHale

It was Patch Tuesday and as usual Microsoft issued security bulletins; this time they had eight that address two dozen vulnerabilities, including a bug exploited by Russian hackers to target NATO computers, officials said.

Issued as part of its October edition of Patch Tuesday, the updates address vulnerabilities found in all currently supported versions of Windows, Internet Explorer, Office and the .Net framework. Three of the bulletins are critical, meaning Microsoft recommends systems administrators apply the patches immediately.


Security firm FireEye identified two of the three Zero Day bugs as used in “limited, targeted attacks against some major corporations.”

One of the patches addresses a remote code execution flaw in all supported versions of Microsoft Windows and Windows Server 2008 and 2012 exploited in the “Sandworm” cyberattack. The exploit was part of a five-year cyberespionage campaign, according to security firm iSight.

A team of hackers previously launched campaigns targeting the U.S. and EU intelligence communities, military establishments, news organizations and defense contractors — as well as jihadists and rebels in Chechnya, iSight said. However, focus turned toward the Ukrainian conflict with Russia, energy industries and political issues concerning Russia based on evidence gleaned from phishing emails.

Microsoft rated the flaw as important rather than critical because it requires a user to open a Microsoft Office file to initiate the code execution.

“A vulnerability exists in Windows OLE that could allow remote code execution if a user opens a file that contains a specially crafted OLE object,” Microsoft said in its bulletin. “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.”

Another Zero Day flaw addressed by the update is a privilege escalation vulnerability that “could lead to full access to the affected system,” Microsoft said in its bulletin.

A third Zero Day in Windows, rated critical and also patched, could allow remote code execution when a victim opens a document or visits a malicious website that contains embedded TrueType fonts.

Thursday, August 14, 2014 @ 05:08 PM gHale

Microsoft released 26 patches for Internet Explorer, including one fixing a critical vulnerability that could allow a remote attacker to gain access to a computer from over the Internet.

The patches were part of Microsoft’s monthly software update cycle, Patch Tuesday.


Overall, Microsoft addressed 37 vulnerabilities this month, including two critical ones that could end up used for remote code execution.

MS14-051 is a collection of 26 patches for the Internet Explorer browser, said Wolfgang Kandek, chief technology officer for IT security firm Qualys. These vulnerabilities range across all currently supported versions of Internet Explorer, from IE6 to IE11.

The other critical vulnerability this month, addressed by MS14-048, is in Microsoft’s OneNote note-taking software. The vulnerability is a bug that would allow a malicious user to gain control of a machine.

OneNote, which is part of Office, does not see the widespread use like Word, Excel and PowerPoint, so Microsoft and researchers have been playing down the severity of this bug, but an organization that has this application should patch it immediately, Kandek said.

Other products patched this month include Windows, SharePoint and SQL Server. The SQL Server patch, MS14-044, is a rare fix for the database server software, which does not receive patches that often.

There are also two sets of patches that Adobe issued Tuesday, for its Reader and Flash software.

In the past few weeks, Microsoft has taken additional measures to better secure IE. It has created blocking mechanisms to stop older, insecure ActiveX and Java applications from running when the browser is in Internet mode. It does provide a whitelist that organizations can use to keep running their legacy Web applications, however.

Microsoft also said as of January 2016, it will stop supporting all but the latest versions of IE, a move to help the company better secure the browser by limiting the number of versions running. Organizations that require a specific version of the browser for legal or compliance reasons can continue to run the software in a new “enterprise mode” of operation Microsoft added to the browser.

Thursday, July 10, 2014 @ 03:07 PM gHale

Microsoft released a critical fix for vulnerabilities in its Internet Explorer web browser, as a part of its latest monthly Patch Tuesday update.

The Internet Explorer (IE) update is one of two critical updates this month and could end up used by hackers to mount remote code-execution attacks.


While the vulnerabilities are not to be trifled with, at least they are not Zero Days, so the potential use to hackers is limited.

The second critical bulletin relates to Microsoft’s now ancient Windows XP Tablet Edition and its Windows Journal note-taking application. It seems unlikely that hackers will bother creating exploits to target it, although the patch should still be installed.

The July Patch Tuesday release also includes three “important” updates plugging flaws in the Windows On-Screen Keyboard, the afd.sys driver and the DirectShow service. All three could be used by hackers for local privilege escalation.

There is also a fix for a “moderate” flaw in Windows Service Bus that could end up exploited to mount a denial-of-service attack.

Internet Explorer flaws have been an ongoing issue for Microsoft. By comparison, the company issued 59 IE fixes as part of its June Patch Tuesday update.

Wednesday, May 14, 2014 @ 11:05 AM gHale

Adobe’s Patch Tuesday offering included fixes for its Flash, Reader, and Acrobat platforms, as well as an update for Illustrator. In total, the update will patch 18 common vulnerabilities and exposures (CVE) security flaws.

Six of the flaws are addressed in an update for the Windows, Linux, and OS X versions of Flash Player and the AIR SDK. The company said the update includes fixes for critical flaws that could allow remote code execution, and updating Flash Player should be a top priority for users and administrators.


Adobe credited the discovery of four of the flaws to Contextis researcher James Forshaw. Researchers with Keen Team and Team 509 via HP Zero Day Initiative (ZDI) received credit for unearthing another flaw, while Masato Kinugawa discovered one vulnerability.

Reader and Acrobat will receive 11 fixes, including remote code execution flaws for OS X and Windows software, which the company recommends administrators make a top deployment priority alongside the Flash Player updates.

Researchers credited with discovering those flaws include VUPEN (via HP ZDI), Ukatemi’s Gábor Molnár, Nanyang Technological University’s Wei Lei and Wu Hongjun, Yuki Chen of Trend Micro, Agile Information Security’s Pedro Ribeiro, HP ZDI researcher chkr_d591, Honglin Long, Sune Vuorela from Ange Optimization, and researchers with the Venustech Active-Defense Lab.

The third patch, addressing a remote code vulnerability in Illustrator CS6 for Windows and OS X, is a lower priority, as the platform is not a popular target for malware attacks – although users and administrators should test and deploy the update as soon as possible. Credit for discovery of the flaw went to researcher Noam Rathaus.

Wednesday, May 14, 2014 @ 10:05 AM gHale

Microsoft released two critical advisories on Patch Tuesday.

Microsoft identified three of the advisories as priority-one patching concerns: MS14-024, MS14-025, and MS14-029, the IE patch. MS14-029, the IE update, is the only one of the two critical issues to receive the priority-one designation. The other critical advisory, MS14-022, affecting SharePoint, is priority two for patching. This is due to the complexity of the attack and because it was privately reported and, therefore, is not a public exploit.


MS14-029 is an interesting advisory. It is not a cumulative rollup fix for IE, which breaks with the recent trend of IE patching, but it does re-include the patch from MS14-021, which was fixed outside of the normal patch cycle on May 1. It’s not yet clear whether this modifies the original fix or simply provides another vector for customers to get it.

One of the other CVEs fixed in this advisory is under limited, targeted attack. Also, there are two versions of this patch for Windows 8.1 users: one for those who took the “Spring 2014 update rollup” and one for those who did not. This is the first advisory that clearly would have applied to Windows XP, but for which a patch is not available.

IE 6, 7, and 8 are vulnerable on Windows 2003 SP2; historically this would have mapped to the same scope as the XP patches, but not this time. Microsoft ended support for XP in April.

Of the other two issues, which are important but carry the highest patching priority, MS14-024 is a fix for an ASLR bypass. That means this issue is not really an exploit in and of itself, hence the “important” designation, but a weakness used in conjunction with other exploits to increase the likelihood of successfully controlling the location of memory manipulation. MS14-024 has been seen in use in conjunction with other attacks.

MS14-025 isn’t really a fix for the underlying issue. It just stops system administrators from doing something that weakens their overall security going forward, by preventing them from specifying a local administrator password in group policy settings, where anyone on the network can recover it in a reusable form. However, administrators who have already made that mistake will not have the setting removed and will still have to take other measures to plug that hole.
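Because MS14-025 leaves existing entries in place, an administrator has to find them. The script below is an added example, not from the original post or from Microsoft: it walks a SYSVOL-style tree and flags Group Policy Preferences XML files whose elements carry a non-empty `cpassword` attribute, which is where such a stored password lives. The sample Groups.xml, the placeholder cpassword value and the folder names are constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a Group Policy Preferences Groups.xml that sets a local
# account password (the kind of entry MS14-025 stops admins from creating).
# The cpassword value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)" changed="2014-04-01 10:00:00">
    <Properties action="U" userName="Administrator (built-in)"
                cpassword="PLACEHOLDER-ENCRYPTED-VALUE" changeLogon="0" noChange="1"/>
  </User>
  <User name="svc_backup" changed="2014-04-02 11:00:00">
    <Properties action="C" userName="svc_backup" cpassword=""/>
  </User>
</Groups>
"""

# Attribute names that carry the account name in the GPP file types that can
# embed a cpassword (Groups, ScheduledTasks, Services, DataSources, Drives).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def scan_xml_text(text, path="<string>"):
    """Return one finding per element with a non-empty cpassword attribute.

    An empty cpassword="" carries no credential and is ignored. Unparseable
    input yields a single finding with an 'error' key so the caller can see
    which files could not be checked.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [{"path": path, "error": str(exc)}]
    findings = []
    for elem in root.iter():
        if elem.attrib.get("cpassword"):
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
            findings.append({"path": path, "element": elem.tag, "account": account})
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL (or any) tree and scan every .xml file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8-sig") as fh:  # GPP files may carry a BOM
                findings.extend(scan_xml_text(fh.read(), full))
    return findings


def demo_scan():
    """Write the constructed sample into a temp tree shaped like SYSVOL and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies", "{GUID-PLACEHOLDER}",
                               "Machine", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for finding in demo_scan():  # on a DC, point scan_sysvol at the SYSVOL Policies folder
        print(finding)
```

Each finding names the file, the element and the account it sets; the fix is to remove the entry and rotate the exposed password, since deleting the XML alone does not change it on the hosts that already applied it.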

MS14-027 is an elevation of privilege issue privately reported to Microsoft, and is seeing limited, targeted attacks.

MS14-028 is a denial of service affecting Windows Servers with the iSCSI service installed. The service is not installed by default on Windows 2008 or 2008 R2, and is present but disabled by default on Windows 2012.
