Archive | Editorial Articles RSS feed for this section

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitation vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

  • MS14-023: Office Remote Code Execution Flaw

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something call a “token reuse” flaw, but it poses a lesser risk that the remote code execution one.

Microsoft rating: Important

  • MS13-086 MCCOMCTL ASLR Bypass Vulnerabilities

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

  • Microsoft released eight bulletins, two rated Critical and the rest Important.
  • The affected products include
    • Windows
    • Office
    • Internet Explorer (IE)
    • and Sharepoint Server.
  • Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.
  • As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your clients computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

World Password Day – WSWiR Episode 106

MS Patch Day, 4chan Hacked, and Password Security

If you’re too busy helping your users and maintaining your network to read the latest information security news, you might miss out on new tip that could save your network. No worries. Let my short, weekly Infosec video summarize the week’s biggest news for you.

Today, I warn you about all the upcoming patches next Tuesday, talk about a popular web site hack and what administrators can learn from it, and share my three primary password tips for World Password Day. Click play below for all the details, and take a peek at the Reference section for links to other stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 7:32)

Direct YouTube Link: https://www.youtube.com/watch?v=fKU3Qoaj_Dw

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

IE & Flash 0day – WSWiR Episode 105

White House Cyber Disclosure, Traffic Light Hacking, and Zero Day Exploits

There was a ton of Information Security news this week. More than most people can keep up with; especially busy IT administrators who are already putting out other fires. If you have little time to read the latest news, but want a quick recap of the most important infosec stories each week, this is the vlog for you.

In this episode, I react to the White House talking about their zero day disclosure policy, I share news about a researcher hijacking traffic lights across the US, and I warn you about two critical zero day flaws in very popular software products. If you want to stay informed and get the latest security advice, watch the video below. You can also explore the Reference section for links to more stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 8:04)

Direct YouTube Link: https://www.youtube.com/watch?v=UxQoInvMBcw

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Winter is Coming… But These Cyber Tips Can Help You Prepare

Last month, I shared a Help Net Security article I wrote combining two things I love; Information Security (InfoSec) and The Walking Dead. If you haven’t read that yet, feel free to check it out. This month, I continue my pop culture series by mashing up InfoSec with another admired book and TV series; Game of Thrones.

The fictional world of Westeros is an unforgiving land, where inhabitants must quickly learn to defend themselves if they have any hope of survival. Unfortunately, the Internet also seems to be evolving into a fairly dangerous landscape, where just visiting the wrong web site might infect your computer. Is there anything a network security professional can learn from the medieval warriors of Westeros?

That’s exactly what my latest article explores. If you’re interested in the Six InfoSec Tips I Learned from Game of Thrones, check out my article below, and join me for A Song of Ice and Firewalls:

If you enjoy the article, and want to share your own pop culture security tips, I’d love to hear from you! Unfortunately, Help Net Security doesn’t have commenting in their articles, but if you want to share some Game of Thrones tips of your own, please feel free to comment below. — Corey Nachreiner, CISSP (@SecAdept)

iOS Malware- WSWiR Episode 104

Apple Updates, Reappearing Backdoors, and iOS Malware

If you looking for a quick security news round up, subscribe to this weekly Infosec vlog. Today, I cover a number of Apple stories, from the latests patches to iOS malware; I warn about a supposedly fixed router backdoor that has re-appeared; and I talk about the trend of governments withholding zero day exploits. Watch the video below for the details, and check out the References for more information and news. Here’s a bonus security tip;  If you jump out a plane (like I did), take a parachute! Have a great weekend. (Episode Runtime: 7:38) Direct YouTube Link: https://www.youtube.com/watch?v=JfJbCaLlFns

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Oracle CPU – WSWiR Episode 103

Oracle Patches, Heartbleed Update, and Cool Gaming Hacks

Information security has become a hot topic, with tens of new infosec articles and issues showing up each week. Perhaps you’re concerned with the latest security news, but don’t have to time to keep up with it among your other administrative tasks. If that sounds like you, check out my weekly infosec news video for a quick summary of the week’s most interesting stories.

Today’s episode is quite simple. I quickly cover Oracle’s April Critical Patch Update (CPU), share some interesting Heartbleed vulnerability updates, and end with a fun, gaming-related hack to cap off the week. Watch the video below, and browse the Reference section for links to more stories and details.

Have a great Easter weekend.

(Episode Runtime: 6:42)

Direct YouTube Link: https://www.youtube.com/watch?v=NtwbM82vVF0

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Word 0day Fix & More

Microsoft’s monthly Patch Day went live earlier today. As expected they released four security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Office. Microsoft rates two of the bulletins as critical, one that fixes Word vulnerabilities (including a zero day one I warned about earlier) and another that fixes IE flaws.

If you use the affected Microsoft products, you should apply these patches as soon as you can. I’d apply the updates in the order Microsoft recommends; the Word update first, the IE one second, and the Windows and Publisher updates last.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day.  However, I am currently traveling in Asia, so my blog posts may be late due to timezone issues and travel. So I recommend you check out the April bulletin summary in the meantime, if you’d like an early peek. Also, keep in mind that Adobe released a Flash update today as well. — Corey Nachreiner, CISSP (@SecAdept).

You Got Your Walking Dead in My Cyber Security

Keep Calm and Eat Pudding

Sometimes two things that don’t seem to go together, make the most magical combinations; things like peanut butter and chocolate, maple and bacon, and even Jon Snow and Ygritte. In hopes of adding to such delightful duos, I have started a new series of security articles trying to uncover another unexpected pairing—information security and pop culture.

What can popular movies, TV shows, books, or video games teach us about cyber security? Maybe nothing, maybe everything. In my new Help Net Security series, I plan to see if your favorite guilty pleasures can uncover any cyber security insights you’d never have expected. Join me for my first article at Help Net Security, where I share eight information security tips I learned from The Walking Dead (TWD).

By the way, if you like the article, or you love The Walking Dead, feel to share some TWD cyber security tips of your own? Come back here and add your own interesting infosec parallels to the comments section below. Feel free to draw parallels to other pop culture media too! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Patch IE Zero Day & Windows Vulnerabilities

Microsoft’s March Patch Day is live, and looks to be by the numbers. As expected, they released five bulletins, including one that contains a fix for a zero day vulnerability in Internet Explorer. Their Patch Day summary highlights five security bulletins that fix 23 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, such as Silverlight. They rate two of these bulletins as Critical, and the rest as Important.

MS Patch Day: March 2014As I mentioned in my notification post, the most important update this month is the IE cumulative patch. Besides fixing 23 memory corruption flaws, many of which attackers could exploit to execute code, one specifically fixes a critical zero day flaw which attackers have been leveraging in watering hole attacks. Though Microsoft released a Fix-it for this vulnerability a few weeks ago, this update completely corrects the underlying issue. Make sure to install the IE update on all your clients as soon as possible. Hopefully, you already have Automatic Updates set to do it for you. Of course, you should also install the Windows updates too, especially the DirectShow one. If an attacker can trick one of your users into viewing a malicious JPEG image, he could exploit it to gain control of that user’s computer, with their privileges. You don’t want that.

While we are talking about Windows updates, let me take this time to continue to remind you that these updates are among the last that Windows XP will receive. XP users will likely see a few more updates next month, but after than it goes End-of-Life. Hopefully, most of you are saying, “Why do I care? I’ve been using Windows 7 or above for years.” But for the stragglers out there, you might want to consider upgrading to a more recent version of Windows. While I don’t want to come off as promoting Microsofts “upgrade” sales message, I do believe XP will likely pose more risk once the official updates stop. It seems very likely that some cyber attacker (or nation-state groups) out there are sitting on a zero day XP exploit or two; saving them until after Microsoft’s fixes run out. You might want to get away from XP before that happens.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day. Meanwhile, check out the March  bulletin summary now, if you’d like an early peek. — Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

Join 7,532 other followers

%d bloggers like this: