Posts Tagged ‘Patch Tuesday’

Thursday, April 10, 2014 @ 06:04 PM gHale

Patch Tuesday, while small this month, was huge in that the industry will no longer see Windows XP as a part of the Microsoft environment.

Four patches did release: two rated critical and two rated important by Microsoft.


The first update (MS14-017), rated critical, addresses one privately and two publicly disclosed Remote Code Execution vulnerabilities in Microsoft’s Office productivity suite. The attack requires the user to open a specially crafted file, which gives a successful attacker the same rights as the affected user. The vulnerability affects the entire spectrum of Office document handling products, including all versions of Microsoft Word (2003, 2007, 2010, 2013, RT) and the Word document handling Web services such as SharePoint and Microsoft Web Apps. It also affects the Microsoft Word Viewer and the Microsoft Compatibility Pack.

This is the second attempt by Microsoft to resolve this issue as this update is a direct replacement for a security update earlier this year.

The second update (MS14-018) addresses six privately reported memory corruption vulnerabilities that affect almost all versions of Internet Explorer, from version 6 to version 11, on 32- and 64-bit platforms and on Windows RT, but not Internet Explorer 10, which received a recent Out of Band Update from Microsoft.

These vulnerabilities are exposed when a user visits a specially crafted web page; successful exploitation gives the attacker the same privileges as the logged-in user.

The third update (MS14-019), rated important, deals with a single privately reported vulnerability in the file handling functionality of all Windows platforms (32- and 64-bit). Using specially crafted batch or command files (.bat or .cmd), an attacker could gain the same access as the user through a Remote Code Execution vulnerability. Microsoft has resolved this issue with an update to how .bat and .cmd files are run from remote or network-based locations.

The last update (MS14-020) relates to Microsoft Publisher and deals with a Remote Code Execution vulnerability that can be triggered if a user opens a specially crafted file in Microsoft Publisher.

Tuesday, January 14, 2014 @ 05:01 PM gHale

Here we are in 2014 and some things just don’t change with the New Year. Take today’s Patch Tuesday. Three of the IT behemoths issued their first patch reports of the New Year, with Oracle leading the way and Microsoft and Adobe not too far behind.

Oracle’s first patch update of the New Year was one of its biggest ever, including a slew of security patches, most of which address vulnerabilities in Java.


The Critical Patch Update addresses 144 flaws in hundreds of Oracle products, 36 of which apply to vulnerabilities in Java SE, including 34 that can be remotely exploited by an attacker without authentication.

“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” Oracle officials said. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”

Five of the security fixes apply to Oracle Database Server. One of these vulnerabilities might be remotely exploitable without authentication, meaning it could be exploited over a network without a username and password.

The patch update covers Oracle products and components including JavaFX versions 2.2.45 and earlier, Java JDK and JRE versions 5.0u55, 6u65, 7u45 and earlier, and Java SE Embedded versions 7u45 and earlier.

The highest CVSS 2.0 Base Score for vulnerabilities in Oracle’s Critical Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle FLEXCUBE Private Banking of Oracle Financial Services Software and Oracle WebCenter Sites of Oracle Fusion Middleware.

Meanwhile, Microsoft disclosed four security bulletins describing six vulnerabilities, and released product updates to address these vulnerabilities.

This is the first month since September 2011 that Microsoft released no critical updates in a Patch Tuesday cycle, and the first since September 2012 that it has released four or fewer updates.

The four bulletins rated important include:
• MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) — At least one of three memory corruption vulnerabilities affects every version of Word or the Word Viewer, as well as the relevant parts of Office Web Apps and SharePoint. These are remote code execution vulnerabilities.
• MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) — A user with valid logon credentials who is able to log on locally could run a special program and elevate privilege. This vulnerability affects only Windows XP and Windows Server 2003.
• MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) — Windows 7 and Windows Server 2008 R2 are vulnerable to a privilege elevation vulnerability. The user must have valid logon credentials and be able to log on locally.
• MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826) — If an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance, the AOS instance could stop functioning.

Last, but not least, Adobe’s Patch Tuesday release had fixes for Flash Player, Acrobat and Reader. All vulnerabilities get the highest priority rating. This means future exploits are likely.

The Flash Player bulletin, covering CVE-2014-0491 and CVE-2014-0492, concerns remote code execution vulnerabilities.

CVE-2014-0493, CVE-2014-0495 and CVE-2014-0496 affect Acrobat and Reader. These CVEs also concern remote code execution vulnerabilities. All of this month’s vulnerabilities were reported to Adobe directly.

Tuesday, December 10, 2013 @ 07:12 PM gHale

Microsoft issued 11 Patch Tuesday advisories affecting 6 different product types. All supported versions of Windows, Office, SharePoint, Exchange, Lync and a mixed bag of developer tools are now on the mend.

Five of the advisories rate as critical, including one affecting Exchange and one affecting SharePoint and Lync, not to mention the critical patch for Internet Explorer. Microsoft has given a critical, priority 1 rating to three of them: MS13-096 (GDI+), MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime).


Regarding MS13-099, this is an interesting vulnerability because it is exploitable by VBA script and EMET countermeasures do not mitigate it.

This round of patching addresses the GDI+ issue publicly disclosed in early November in Security Advisory 2896666 and then blogged about by various researchers.

There is also a Kernel Driver patch (MS13-101), but this round of patching does not include a fix for the publicly disclosed Kernel Elevation of Privilege issue reported in Security Advisory 2914486.

Wednesday, November 13, 2013 @ 06:11 AM gHale

Patch Tuesday for Microsoft meant the software giant addressed 19 unique vulnerabilities in products including Internet Explorer, Hyper-V, the Graphics Device Interface (GDI), Office, and others.

They also fixed the Zero Day vulnerability in Internet Explorer disclosed by FireEye over the weekend.

Of the advisories, the three most critical patches are the Internet Explorer patch (MS13-088), GDI (MS13-089), and the Zero Day flaw in ActiveX control which affected several versions of Internet Explorer (MS13-090), security experts said.


“Bulletin MS13-090 addresses the publicly-known issue in ActiveX Control, currently under targeted attacks. Customers with automatic updates enabled are protected against this vulnerability and do not need to take any action,” said Dustin Childs, group manager of Microsoft Trustworthy Computing.

Last week, security firm FireEye notified Microsoft of serious vulnerabilities in Internet Explorer, but it appears the team already knew about them as the ActiveX control patch (MS13-090) fixes the InformationCardSignInHelper flaw. Attackers have already targeted the bug in a watering-hole-style attack, and exploit code appeared on text-sharing site Pastebin, making this a high-priority issue.

Microsoft also disclosed a Zero Day vulnerability in how some versions of Microsoft Windows and older versions of Microsoft Office handled the TIFF graphics format. There is no patch available addressing this flaw in this Patch Tuesday release, so users who have not yet installed the FixIt temporary workaround should consider doing so as soon as possible.

Another IE patch (MS13-088) fixed two information disclosure bugs and eight memory corruption issues in various versions of the Web browser. Two of the vulnerabilities affect every version of IE, from versions 6 through 11, the latest version. While there have been no reported attacks exploiting these vulnerabilities, the fact that so many versions of Windows and Internet Explorer are affected means this patch should roll out as soon as possible.

The third highest priority bulletin (MS13-089) fixes a GDI bug, which affects every supported version of Windows from XP to Windows 8.1. Attackers need to create a malicious file and convince users to open it in WordPad to exploit this vulnerability.

The remaining patches addressed vulnerabilities in various versions of Microsoft Office (MS13-091), an information disclosure vulnerability in newer versions of Office (MS13-094), an elevation of privilege flaw in Hyper-V (MS13-092) in Windows 8 and Server 2012 R2, an information disclosure bug in Windows (MS13-093), and a denial of service (MS13-095) issue in the operating system.

Wednesday, October 9, 2013 @ 03:10 PM gHale

Microsoft released eight new security bulletins, four rated critical and four rated important, covering two Zero Days in Internet Explorer.

The security update for Internet Explorer, MS13-080, addresses 10 separate vulnerabilities that affect all supported versions of the Web browser. Users should take note because two of the vulnerabilities are Zero Day bugs already under exploitation.


Security researchers have been watching the IE exploit since it first became public in mid-September.

The catch is that now a patch has been released, attackers can reverse engineer it and have an attack lined up and ready to go. While Microsoft puts the patch out there, not everyone applies it, and those who do not become more susceptible to attack.

There are two other security bulletins that follow the Internet Explorer security update.

MS13-081 addresses seven vulnerabilities in kernel-mode drivers affecting all versions of Windows except Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. Two of the flaws are in font parsing and could enable an attacker to remotely execute malicious code if successfully exploited.

Microsoft has released 87 security bulletins so far this year. That puts them 17 ahead of last year’s pace.

However, the number of bulletins should also be seen from the perspective that Microsoft has stepped up the pace for addressing identified vulnerabilities, and it is patching a growing number of supported platforms and applications.

Wednesday, September 18, 2013 @ 01:09 PM gHale

Once again Microsoft needed to reissue four security bulletins after its Patch Tuesday release.

Microsoft said on its blog that the new patches were available last Thursday, just two days after it released the scheduled Patch Tuesday update that contained the bugs.


New patches were available for four security bulletins, MS13-067, MS13-072, MS13-073 and MS13-074, which addressed bugs in a series of Microsoft Office products, including Excel and SharePoint Server. Non-security updates were also re-released for Microsoft PowerPoint 2010 (KB2553145) and PowerPoint Viewer 2010 (KB2553351).

Customers complained about updates attempting to reinstall numerous times on their machines, the company said. In other instances, patches weren’t available to customers.

“Since the shipment of the September 2013 security bulletin release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM),” the blog post said. “We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.”

In a blog posted on Monday, security researcher Graham Cluley wrote that the recurring problems with Patch Tuesday releases were highly concerning given the number of users that rely on the fixes.

In last month’s patch release, Microsoft pulled a patch that addresses three vulnerabilities in Exchange Server. In that incident, the Patch Tuesday fix ended up scrapped after Microsoft became aware that installing it caused problems.

“Following so soon after last month’s buggy security update, one has to wonder what’s going wrong at Microsoft Quality Control,” Cluley said. “The company can’t afford to keep messing up like this. The risk is that millions of users around the world will begin to question Microsoft’s ability to properly patch security vulnerabilities, and lose trust in the firm.”

Microsoft did catch one bug in its Patch Tuesday update before dispatching the release. The company had originally planned to release 14 fixes, but only shipped 13 last week, leaving out one patch that would have addressed an issue in its .Net software framework, which could allow denial-of-service.

Wednesday, September 11, 2013 @ 09:09 AM gHale

Microsoft’s Patch Tuesday brought out 13 bulletins.

Of the 13 bulletins, the MS Office family has seven vulnerabilities and Windows OS patches have six.


There are four advisories labeled as critical. All of these are going to be important, subject to the deployment of various versions of Windows in your environment. One of these is the monthly IE update; all versions of IE require it.

Microsoft is putting top priority on MS13-067, which affects SharePoint Server. The advisory covers multiple CVEs, but the most severe is CVE-2013-1330, which allows remote code execution by malicious content sent to the server without user interaction, genuine real-time remote exploitation. Of the 10 CVEs, one is public, but supposedly that is not CVE-2013-1330. There is a workaround for CVE-2013-1330 related to enabling state inspection for message authentication code attributes.

Of the other two critical advisories, both require user interaction to trigger the vulnerability; however, MS13-068 affecting Microsoft Outlook is particularly toxic because it can occur when users view malicious content in the Outlook preview pane.

MS13-070 only applies to XP and Server 2003, and vulnerabilities there tend to be less “contained” than on more mature versions of Windows. XP and Office 2003 have shown no let-up in patching frequency, despite the end of support for XP looming just around the corner in April 2014.

If you are running an MS heavy shop and have significantly invested in the back office technology of SharePoint, then this month is going to be very busy. There are lots of vulnerabilities to patch, many of which are high risk. Office vulnerabilities typically end up mitigated because they require a user to interact with something malicious, either through an attachment or a link. But with the Office Server (SharePoint) that degree of mitigation may go away and other factors of defense in depth will come into play.

Wednesday, August 21, 2013 @ 02:08 PM gHale

Microsoft decided to re-release one of its August security patches for Windows Server 2008 in order to fix a regression issue that would cause some servers to stop working.

The MS13-066 patch was released again on Monday after Microsoft discovered the problem last week. The patch in the MS13-066 update fixes a vulnerability in Active Directory Federation Services (AD FS) that could enable an attacker to cause a denial-of-service (DoS) condition on a vulnerable server under the right circumstances.


“This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance,” Microsoft said in the original bulletin.

The vulnerability affects several versions of Windows Server 2008, as well as Windows Server 2003 and Windows Server 2012.

However, the regression issue that caused the re-release of the patch only affected Server 2008 installations. Customers that run affected versions should reinstall the patch.

“Microsoft rereleased this bulletin to announce the reoffering of the 2843638 update for Active Directory Federation Services 2.0 on Windows Server 2008 and Windows Server 2008 R2. The rereleased update addresses an issue in the original offerings that caused AD FS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed; the rerelease removes this requirement. Furthermore, in creating this rerelease, Microsoft has consolidated the fixes contained in the two original updates (2843638 and 2843639) into a single 2843638 update. Customers who already installed the original updates will be reoffered the 2843638 update and are encouraged to apply it at the earliest opportunity. Note that when the installation is complete, customers will see only the 2843638 update in the list of installed updates,” the update said.
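The lockout-based denial of service described in the original bulletin leaves a trace in the Windows Security log: a run of failed logons (event 4625) against the AD FS service account followed by a lockout (event 4740). The following detection routine is an added example, not code from Microsoft or from the bulletin; the account name svc-adfs, the pipe-delimited export format, the internal address ranges, and the threshold and window are all assumptions, and the sample events are constructed.

```python
"""Flag failed-logon bursts and lockouts against an AD FS service account.

Models the MS13-066 failure mode: with an account lockout policy in force,
repeated bad-password attempts from outside the network lock the AD FS service
account and take down every application relying on that AD FS instance.
Event IDs follow the Windows Security log (4625 = failed logon, 4740 = account
locked out); everything else here is a constructed illustration.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumed internal address space; any other source counts as "outside the corporate network".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "-" when Windows records no source address
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_event(line):
    # Constructed export format: time|event_id|target_account|source_ip
    ts, eid, account, ip = line.split("|")
    return {"time": datetime.fromisoformat(ts), "id": int(eid), "account": account.lower(), "ip": ip}


def analyze(lines, service_account, threshold=5, window=timedelta(minutes=10)):
    """Return (external_failure_count, lockout_seen, burst_detected) for one account."""
    acct = service_account.lower()
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    failures = [e for e in events if e["id"] == 4625 and e["account"] == acct]
    external = [e for e in failures if is_external(e["ip"])]
    lockout = any(e["id"] == 4740 and e["account"] == acct for e in events)
    # Sliding window: do `threshold` external failures fall within `window` of each other?
    burst = False
    for i in range(len(external)):
        j = i + threshold - 1
        if j < len(external) and external[j]["time"] - external[i]["time"] <= window:
            burst = True
            break
    return len(external), lockout, burst


# Constructed sample export; 203.0.113.x and 198.51.100.x are documentation ranges used as "outside".
SAMPLE_LOG = """\
2013-08-20T09:00:01|4625|svc-adfs|203.0.113.7
2013-08-20T09:00:03|4625|svc-adfs|203.0.113.7
2013-08-20T09:00:04|4625|jdoe|10.1.2.3
2013-08-20T09:00:06|4625|svc-adfs|203.0.113.9
2013-08-20T09:00:09|4625|svc-adfs|203.0.113.7
2013-08-20T09:00:11|4625|svc-adfs|198.51.100.4
2013-08-20T09:00:12|4740|svc-adfs|-
2013-08-20T09:30:00|4625|svc-adfs|10.0.0.5
"""

if __name__ == "__main__":
    ext, locked, burst = analyze(SAMPLE_LOG.splitlines(), "svc-adfs")
    print(f"external failures={ext} lockout_event={locked} burst={burst}")
```

The same routine run with the service account's own failed logons excluded from the lockout policy would still report the burst, which is the signal worth alerting on before the lockout itself lands.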

Wednesday, July 31, 2013 @ 07:07 PM gHale

When it comes to security, there is more talk about collaboration between companies, and Microsoft is doing just that by expanding its MAPP program, which shares attack and protection information with other security vendors and will now share some data with incident responders as well.

The new system will enable organizations such as CERTs and internal IR teams to exchange information on specific attacks and general threats.


The Microsoft Active Protection Program (MAPP) has been ongoing for several years and until now has involved the company sharing some information on upcoming patches with security companies ahead of patch releases each month. Microsoft will give antimalware, IDS and other security vendors advance data about the Patch Tuesday fixes so they can have protection signatures ready when the patches release.

Now, Microsoft is expanding and changing the MAPP program so that more people will have access to some of the data and the information will be available earlier. Until now, MAPP members have had access to patch data 24 hours before the release. Going forward, Microsoft will be giving that information to MAPP companies three business days before Patch Tuesday. The new MAPP for Responders program is an extension of the existing system and allows incident response teams to share information among themselves and to benefit from the threat intelligence that Microsoft has, as well.

“We have information that will benefit those IR organizations, the CERTs, enterprises and government agencies,” said Jerry Bryant, a senior security strategist for Trustworthy Computing at Microsoft. “We’re trying to facilitate the exchange of threat indicators and knowledge. We’re contributing our own threat data, malicious URLs and file hashes for Windows and Office products for whitelisting purposes.”

The new portion of MAPP also will require that participants contribute their own data and not just benefit from the work of others. Bryant said the idea is to gather and disseminate as much data as possible in order to protect as many machines as they can.

“In MAPP for Responders we’re going to require that people report telemetry back to us, which is important for things like out-of-band patches,” he said. “The more information we have internally, the better. We can aggregate that data and send it back out so that they can see where they have gaps.”

In addition to the expansion of MAPP to IR teams, Microsoft also is starting a pilot service that will allow members to send in potentially malicious files and URLs to have Microsoft check them for content-based attacks. MAPP members can submit any Office document, PDF or URL and Microsoft will run it through a scanner that will open the document or page in a virtual machine and see whether it’s trying to exploit a vulnerability.
