Posts Tagged ‘Patch Tuesday’
Tuesday, December 10, 2013 @ 07:12 PM gHale
Microsoft issued 11 Patch Tuesday advisories affecting 6 different product types. All supported versions of Windows, Office, SharePoint, Exchange, Lync and a mixed bag of developer tools are now on the mend.
Five of the advisories rate as critical, including one affecting Exchange and one affecting SharePoint and Lync, not to mention the critical patch for Internet Explorer. Microsoft has given a critical rating with priority 1 to three of them: MS13-096 (GDI+), MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime).
Regarding MS13-099, this is an interesting vulnerability because it’s exploitable by VBA script and EMET countermeasures do not mitigate it.
This round of patching addresses the GDI+ issue publicly disclosed in early November in Security Advisory 2896666 and then blogged about by various researchers.
There is also a Kernel Driver patch (MS13-101), but this round of patching does not include a fix for the publicly disclosed Kernel Elevation of Privilege issue reported in Security Advisory 2914486.
Wednesday, November 13, 2013 @ 06:11 AM gHale
Patch Tuesday for Microsoft meant the software giant addressed 19 unique vulnerabilities in products including Internet Explorer, Hyper-V, the Graphics Device Interface (GDI), Office, and others.
They also fixed the Zero Day vulnerability in Internet Explorer disclosed by FireEye over the weekend.
Of the advisories, the three most critical patches are the Internet Explorer patch (MS13-088), GDI (MS13-089), and the Zero Day flaw in an ActiveX control, which affected several versions of Internet Explorer (MS13-090), security experts said.
“Bulletin MS13-090 addresses the publicly-known issue in ActiveX Control, currently under targeted attacks. Customers with automatic updates enabled are protected against this vulnerability and do not need to take any action,” said Dustin Childs, group manager of Microsoft Trustworthy Computing.
Last week, security firm FireEye notified Microsoft of serious vulnerabilities in Internet Explorer, but it appears the team already knew about them as the ActiveX control patch (MS13-090) fixes the InformationCardSignInHelper flaw. Attackers have already targeted the bug in a watering-hole-style attack, and exploit code appeared on text-sharing site Pastebin, making this a high-priority issue.
Microsoft also disclosed a Zero Day vulnerability in how some versions of Microsoft Windows and older versions of Microsoft Office handled the TIFF graphics format. There is no patch available addressing this flaw in this Patch Tuesday release, so users who have not yet installed the FixIt temporary workaround should consider doing so as soon as possible.
Another IE patch (MS13-088) fixed two information disclosure bugs and eight memory corruption issues in various versions of the Web browser. Two of the vulnerabilities affect every version of IE, from versions 6 through 11, the latest version. While there have been no reported attacks exploiting these vulnerabilities, the fact that so many versions of Windows and Internet Explorer are affected means this patch should roll out as soon as possible.
The third highest priority bulletin (MS13-089) fixes a GDI bug, which affects every supported version of Windows from XP to Windows 8.1. Attackers need to create a malicious file and convince users to open it in WordPad to exploit this vulnerability.
The remaining patches addressed vulnerabilities in various versions of Microsoft Office (MS13-091), an information disclosure vulnerability in newer versions of Office (MS13-094), an elevation of privilege flaw in Hyper-V (MS13-092) in Windows 8 and Server 2012 R2, an information disclosure bug in Windows (MS13-093), and a denial of service (MS13-095) issue in the operating system.
Wednesday, October 9, 2013 @ 03:10 PM gHale
Microsoft released eight new security bulletins, with four rated critical and four important, including fixes for two Zero Days in Internet Explorer.
The security update for Internet Explorer, MS13-080, addresses 10 separate vulnerabilities that affect all supported versions of the Web browser. Users should take note because two of the vulnerabilities are Zero Day bugs already undergoing exploitation.
Security researchers have been watching the IE exploit since it first became public in mid-September.
The catch is that now that a patch is released, attackers can reverse engineer it and have an attack all lined up and ready to go, because while Microsoft puts the patch out there, it does not mean everyone applies it. That makes those who have not applied it more susceptible to an attack.
There are two other security bulletins that follow the Internet Explorer security update.
MS13-081 addresses seven vulnerabilities in kernel-mode drivers affecting all versions of Windows except for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. Two of the flaws are in font parsing and could enable an attacker to remotely execute malicious code if successfully exploited.
Microsoft has released 87 security bulletins so far this year. That puts them 17 ahead of last year’s pace.
However, the number of bulletins should also be viewed from the perspective that Microsoft has stepped up the pace for addressing identified vulnerabilities, and it is patching a growing number of supported platforms and applications.
Wednesday, September 18, 2013 @ 01:09 PM gHale
Once more, Microsoft needed to reissue four security bulletins after its Patch Tuesday performance.
Microsoft said the new patches were available last Thursday on its blog, just two days after it released its scheduled Patch Tuesday update for products containing bugs.
New patches were available for four security bulletins: MS13-067, MS13-072, MS13-073 and MS13-074, which addressed bugs in a series of Microsoft Office products, including Excel and SharePoint Server. Non-security updates also ended up re-released for Microsoft PowerPoint 2010 (KB2553145) and PowerPoint Viewer 2010 (KB2553351).
Customers complained about updates attempting to reinstall numerous times on their machines, the company said. In other instances, patches weren’t available to customers.
“Since the shipment of the September 2013 security bulletin release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM),” the blog post said. “We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.”
In a blog posted on Monday, security researcher Graham Cluley wrote that the recurring problems with Patch Tuesday releases were highly concerning given the number of users that rely on the fixes.
In last month’s patch release, Microsoft pulled a patch that addresses three vulnerabilities in Exchange Server. In that incident, the Patch Tuesday fix ended up scrapped after Microsoft became aware that installing it caused problems.
“Following so soon after last month’s buggy security update, one has to wonder what’s going wrong at Microsoft Quality Control,” Cluley said. “The company can’t afford to keep messing up like this. The risk is that millions of users around the world will begin to question Microsoft’s ability to properly patch security vulnerabilities, and lose trust in the firm.”
Microsoft did catch one bug in its Patch Tuesday update before dispatching the release. The company had originally planned to release 14 fixes, but only shipped 13 last week, leaving out one patch that would have addressed an issue in its .Net software framework, which could allow denial-of-service.
Wednesday, September 11, 2013 @ 09:09 AM gHale
Microsoft’s Patch Tuesday brought out 13 bulletins.
Of the 13 bulletins, the MS Office family has seven vulnerabilities and Windows OS patches have six.
There are four advisories labeled as critical. All of these are going to be important, subject to the deployment of various versions of Windows in your environment. One of these is going to be the monthly IE update. All versions of IE require this update.
Microsoft is putting top priority on MS13-067, which affects SharePoint Server. The advisory covers multiple CVEs, but the most severe is CVE-2013-1330, which allows remote code execution by malicious content sent to the server without user interaction: genuine real-time remote exploitation. Of the 10 CVEs, one is public, but supposedly that is not CVE-2013-1330. There is a workaround for CVE-2013-1330 related to enabling state inspection for message authentication code attributes.
Of the other two critical advisories, both require user interaction to trigger the vulnerability; however, MS13-068 affecting Microsoft Outlook is particularly toxic because it can occur when users view malicious content in the Outlook preview pane.
MS13-070 only applies to XP and Server 2003 and those vulnerabilities tend to be less “contained” than more mature versions of Windows. XP and Office 2003 have shown no letup in patching frequency, despite the end of support for XP looming just around the corner in April 2014.
If you are running an MS-heavy shop and have significantly invested in the back office technology of SharePoint, then this month is going to be very busy. There are lots of vulnerabilities to patch, many of which are high risk. Office vulnerabilities typically end up mitigated because they require a user to interact with something malicious, either through an attachment or a link. But with the Office Server (SharePoint) that degree of mitigation may go away and other factors of defense in depth will come into play.
Wednesday, August 14, 2013 @ 04:08 PM gHale
Some patches are more of a rush job than others and this month Microsoft took less than 30 days to incorporate an Oracle Outside In patch and fix a critically rated remote code execution bug in Exchange Servers.
Those are among the eight bulletins released as part of Microsoft’s August 2013 Patch Tuesday security updates.
Oracle patched Outside In with its July Critical Patch Update (CPU); the technology allows developers to turn unstructured file formats into normalized files. MS13-061 includes the Outside In Patch, which is part of the WebReady Document Viewing and Data Loss Prevention features on Exchange Servers.
Exploits could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). The attacker would have the same privileges as the transcoding services on the Exchange Server; that would be the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both, however, run with minimal privileges.
If a user is running Exchange and users have OWA, they should address this issue as quickly as possible. Microsoft also recommends a workaround that turns off Outside In document processing.
MS13-059 is another cumulative patch for Internet Explorer and repairs 11 remotely executable vulnerabilities in the browser, including a sandbox bypass vulnerability discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6-10 are vulnerable to exploit; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.
The IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.
The final critical bulletin, MS13-060, patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that supports OpenType fonts.
The remaining bulletins all ended up rated important by Microsoft.
• MS13-062 patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages.
• MS13-063 is another privilege escalation issue in the Windows kernel. Four vulnerabilities ended up patched in this bulletin, the most severe of which enables elevated privileges if an attacker is able to log in locally and run a malicious application. In addition to memory corruption bugs, one of the vulnerabilities in this bulletin enables an attacker to bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.
• MS13-064 patches a denial of service vulnerability in Windows NAT Driver.
• MS13-065 also fixes a denial of service bug in ICMPv6 on Vista, Windows Server 2008, Windows 7, Windows 8, Windows RT and Windows Server 2012.
• MS13-066 patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012.
Wednesday, July 10, 2013 @ 11:07 AM gHale
Patch Tuesday brought out seven bulletins from Microsoft this month, which address 34 vulnerabilities. Six of the bulletins rate as “critical” and allow for Remote Code Execution.
Among the 34 holes in Windows, Internet Explorer and Office, among other products, a Windows kernel vulnerability that affected the Windows privilege system for over a month ended up fixed.
Google security expert Tavis Ormandy discovered the kernel hole in May and didn’t wait too long before disclosing details. Shortly afterwards, an exploit followed that opens a Windows prompt at system privilege level – regardless of the user’s actual privilege level.
The hole, with CVE identification number CVE-2013-3660, affects all versions of Windows. Microsoft didn’t warn its customers about the security problem ahead of the patch day despite, according to the company, the hole being a part of targeted attacks.
Patch bulletin MS13-053 closes further critical security holes, including an issue in the code for processing TrueType fonts, and users should install it as soon as possible.
The .NET framework and Silverlight also struggle with specially crafted TrueType fonts, potentially allowing attackers to inject malicious code. Microsoft said two of the vulnerabilities the patch bulletin fixes already were out. The GDI+ graphics library contains a critical font processing issue that allows attackers to infect systems with malware. The library is part of quite a few Microsoft applications, all of which suffer from the issue: All versions of Windows, Office 2003 to 2010, Visual Studio .NET 2003 and Microsoft Lync.
Microsoft also released a collective update for Internet Explorer, a critical update for DirectShow and another for the Windows Media Format runtime.
There is a patch for Windows Defender to close a hole that allows attackers to execute code at system privilege level in Windows 7 and Server 2008 R2. To exploit the hole, however, potential attackers must be able to log into a system, and apparently they must also have the right to write to the highest level of the system disk. This is the only update that Microsoft has rated at the second highest threat level.
The company also said the developers of apps available in the Windows Store, Windows Phone Store, Office Store and Azure Marketplace will, in future, have 180 days to close “critical” and “important” vulnerabilities. A prerequisite for this grace period is there must not be a public exploit for the hole. Otherwise, Microsoft said, it will withdraw vulnerable apps at short notice if necessary.
Wednesday, June 12, 2013 @ 01:06 PM gHale
Microsoft took advantage of a light Patch Tuesday by releasing an update to its certificate handling infrastructure.
Building on features native to Windows 8 that automatically move untrusted or compromised certificates to the Windows Certificate Trust List, Microsoft has enhancements that give enterprises additional options when managing PKI installations.
The update allows computers on the same Active Directory domain to auto-update certificate lists without having to access Windows Update; they can also be configured to opt in to auto-update for trusted and disallowed certificates. In addition, administrators will be able to choose a subset of roots for distribution via Group Policy.
Auto-update came into play one year ago, said Dustin Childs, group manager, Trustworthy Computing; it is available starting with Windows Vista through Windows 8, Windows Server 2012 and Windows RT.
“Over the coming months, we’ll be rolling out additional updates to this advisory — all aimed at bolstering Windows’ cryptography and certificate-handling infrastructure,” Childs said. “Our efforts here aren’t in response to any specific incident; it’s the continuing evolution of how we handle digital certificates to ensure the safest possible computing environment for our customers.”
On Patch Tuesday, Microsoft issued five bulletins, including another cumulative update for Internet Explorer that patches 19 vulnerabilities, all critical remote-code execution flaws. A patch for another remote execution bug in Office was released, but it did not rate as critical despite Microsoft being aware of limited targeted attacks exploiting the vulnerability.
Meanwhile, administrators looking for a patch for the vulnerability disclosed by Google engineer Tavis Ormandy will have to wait at least another month for an update.
The Ormandy issue, meanwhile, dates back to May 17 when he posted a note to the Full Disclosure mailing list saying he had found a local elevation of privilege vulnerability in the Windows kernel and was soliciting help in developing an exploit, which he said he developed three days later.
The IE update is the lone critical bulletin for June. MS13-047 affects IE 6-10 and in 18 of the 19 vulnerabilities, remote code execution is possible because of the way IE handles objects in memory. The remaining flaw, a Script Debug vulnerability, happens because IE improperly processes script while debugging a webpage leading to memory corruption that could allow an attacker to run code remotely once a user visits a site hosting an exploit.
The Office vulnerability, MS13-051, also enables remote code execution but it does not rate as critical because it affects only Office 2003 Service Pack 3 and Microsoft Office for Mac 2011. Users would have to open a malicious Office document or view a malicious email in Outlook in order to suffer from the exploit, Microsoft said. Attackers taking advantage of the buffer overflow vulnerability would be able to install malware, change or delete data, and add accounts with full privileges.
The remainder of the bulletins rated important and include a pair of kernel vulnerabilities.
• MS13-048 is an information-disclosure vulnerability in Windows kernel and requires local access to a computer and execution of a malicious application. An attacker would need valid credentials to exploit this flaw, Microsoft said.
• MS13-049 is a denial of service vulnerability in Windows Kernel-Mode Driver. An attacker would have to send specially crafted packets to a server to cause it to crash. Microsoft said standard default firewall configurations should help mitigate potential attacks.
• MS13-050 is a privilege escalation bug in Windows Print Spooler components. An attacker would need valid credentials and be logged on to exploit this bug.