Tag Archives: DoS

Microsoft Corrects Lync Server and .NET Framework DoS Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: Lync Server and .NET Framework
  • How an attacker exploits them: Various, including by sending maliciously crafted packets or launching specially crafted calls
  • Impact: An attacker could slow down or disrupt connections to the server, or stop it from responding at all.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that fix a pair of Denial of Service (DoS) vulnerabilities in two of their products; Lync Server and the .NET Framework. If you used either of these products, you should update them as soon as you can. We summarize the two DoS bulletins below:

  • MS13-053: .NET Framework DoS Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. It suffers from a DoS vulnerability involving the way it handles communications that are hashed. In short, if a remote attacker sends a small amount of specially crafted packets to a server that uses .NET Framework ASP applications, he can cause the server to slow down, and eventually stop responding. If you have any public servers or web applications that use .NET, you should download and install the update as soon as possible.

Microsoft rating: Important

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from three vulnerabilities, including a DoS flaw involving the way it handles specially crafted calls. By sending a malicious call to your Lync server, a remote attacker can exploit the DoS flaw to cause the Lync Server to stop responding. If you rely on Lync for communications, you should patch your servers as soon as you can.

Microsoft rating: Important

Solution Path:

Microsoft has released patches that correct both these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

Though you can use your XTM appliance to block the ports necessary for Lync, or use application control to restrict it, this would prevent you from using it externally at all. Right now, Microsoft’s patch are your best solution to these issues.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Windows Updates Fix GDI+, RDP, and TCP Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like XML Core Services)
  • How an attacker exploits them: Multiple vectors of attack, including enticing you to malicious web sites, or into interacting with malicious documents or images.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as XML Core Services. An attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-036: Two GDI+ Code Execution Vulnerabilities

The Graphics Device Interface (GDI+) is one of the Windows components that helps applications output graphics, to your display or printer. GDI+ suffers from two security flaws. Though they differ technically, the flaws share the same scope and impact, and have to do with how GDI+ handles specially crafted documents or images. If an attack can entice one of your users into viewing a malicious image or document, perhaps embedded in an email or web site, he can exploit either flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS14-033:  MSXML Information Disclosure Vulnerability

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It often ships with various versions of Windows, and other Microsoft products like Office, SharePoint Server, Groove Server, and Expressions. If you have a Windows computer, you very likely have MSXML.

According to today’s bulletin, MSXML suffers from an information disclosure vulnerability. If an attacker can entice one of your users to a specially crafted web site, or into opening a malicious document, she could invoke MSXML and leverage this flaw to obtain sensitive information from your user’s system. Specifically, the attacker can gain access to some local path information, and your user’s username.

Microsoft rating: Important

  • MS14-031:  TCP Protocol Denial of Service Flaw

As you would expect, the Windows TCP/IP stack is a set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from an unspecified Denial of Server (DoS) vulnerability involving its inability to properly parse a specially crafted sequence of TCP packets. By sending a sequence of packets, an attacker could leverage this flaw to cause you computer to stop responding, causing a DoS situation. However, the attacker would have to initiate a large number of connections, and have control over the TCP options field of each packet.

Microsoft rating: Important

  • MS14-030:  RDP traffic tampering vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Unfortunately, the RDP component that ships with Windows doesn’t use very robust encryption by default. If an attacker can intercept your RDP traffic in a Man-in-the-Middle (MitM) attack, he could tamper with the RDP session in a way that allowed him to read session information or modify the RDP session. You can enable Network Level Authentication (NLA) to mitigate the risk of this flaw

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking TCP traffic), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitation vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

  • MS14-023: Office Remote Code Execution Flaw

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something call a “token reuse” flaw, but it poses a lesser risk that the remote code execution one.

Microsoft rating: Important

  • MS13-086 MCCOMCTL ASLR Bypass Vulnerabilities

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Paranoia 2014 – WSWiR Episode 100

Word 0day, Cisco DoS, and Bricked Androids

My weekly InfoSec summary arrives bit late this time due to business travel. Last week, I spoke at Watchcom’s Paranoia conference in Oslo Norway, so I couldn’t post my security news summary until the weekend. Nonetheless, why not start your week off by quickly catching up on last week’s news.

This week’s episode includes a quick summary of the Paranoia show, news of a new Word zero day flaw, information about Cisco IOS updates, and a story about a new android vulnerability attackers can use to brick phones. Check out the video for the details, and scroll down to the Reference section for a few extra stories.

As an aside, I’ll be traveling the next two weeks as well, so my weekly video may show up either earlier or later than normal, due to travel.

(Episode Runtime: 5:27)

Direct YouTube Link: https://www.youtube.com/watch?v=BNiCOytV5sg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Windows Updates Fix Code Execution, DoS, and Privilege Elevation Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like the .NET Framework and VBScript Engine)
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into viewing malicious vector graphics
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing seven vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-011VBScript Code Execution Vulnerability

VBScript is a scripting language created by Microsoft, and used by Windows and its applications. The VBScript Scripting Engine, which ships with Windows, suffers from an unspecified memory corruption vulnerability having to do with its inability to properly handle certain objects in memory when rendering script for Internet Explorer (IE). By enticing you to a specially crafted web page, an attacker could leverage this flaw to execute code on your computer with your privileges. If you have admin rights, then The attacker gains computer control of your computer.

Microsoft rating: Critical

  • MS14-007:  Direct2D Memory Corruption Vulnerability

DirectX is a multimedia development API, primarily used by programmers to make games for Windows and to handle multimedia. It includes Direct2D, a component Windows uses to render two dimensional vector graphics. Direct2D suffers from a memory corruption vulnerability having to do with how it improperly handles specially crafted vector figures. By enticing you to open a malicious vector graphic, an attacker can exploit this flaw to execute code on your system, with your privileges. Of course, if you have administrative privileges, as most Windows users do, the attacker gains complete control of your computer. Since this vulnerability requires some user interaction to succeed, Microsoft assigns it an Important severity rating.

Microsoft rating: Important

  • MS14-009Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework suffers from three new security vulnerabilities, including an elevation of privilege flaw, a denial of service (DoS) vulnerability, and an issue that allows attackers to bypass one of Windows’ security features (Address Space Layout Randomization or ASLR). The worst of the three is the elevation of privilege flaws. Without going into technical detail, if an attacker can entice one of your users to visit a malicious .NET web page or run an .NET application locally, she can exploit this flaw to gain full control of that user’s system.

Microsoft rating: Important

  • MS14-005:  MSXML Information Disclosure Flaw

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and other Microsoft products. If you have a Windows computer, you very likely have MSXML. MSXML suffers from an information disclosure vulnerability due to a flaw in the way it handles cross-domain policies. By luring your users to a malicious web site or specially crafted link, an attacker could exploit this flaw to gain access to some of the files on that user’s computer.

Microsoft rating: Important

Windows ships with a TCP/IP stack used to handle network traffic, and this stack now supports  IPv6. Unfortunately, the Windows IPv6 TCP/IP stack suffers from a denial of service vulnerability involving the way it handles large amounts of specially crafted router advertisement messages.  If an attacker on your local network sends a large amount of such packets, he can cause your Windows computer to stop responding. Of course, the attackers needs to be on the same subnet as the victim, with relegates this primarily to an insider threat. 

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft ASP.NET POST Request DoS Vulnerability (CVE-2014-0253)
  • WEB-CLIENT Microsoft Graphics Component Memory Corruption Vulnerability (CVE-2014-0263)
  • WEB-CLIENT Microsoft MSXML Information Disclosure Vulnerability (CVE-2014-0266)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Trio of Office Updates Fix SharePoint Flaw & ASLR Bypass

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products, including SharePoint
  • How an attacker exploits them: Varies. Typically by enticing users to visit malicious web content or open Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a like number of vulnerabilities in Microsoft Office and related products like SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-100: SharePoint Code ExecutionVulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from an unspecified remote code execution flaw having to do with how it parses specially crafted page content. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. However, Microsoft assigns this particular flaw an Important severity rating, probably because the attacker needs valid SharePoint credentials to exploit it.

Microsoft rating: Important

  • MS13-104: Office Access Token Hijacking Flaw

When you login to an Office or Sharepoint server, the server verifies your credentials and then produces an access token, which allows you to continue accessing the server for a limited period of time. Office suffers from an unspecified flaw having to do with how it handles documents hosted on web sites. If an attacker can entice you into opening an Office document hosted on a malicious site, he could exploit this flaw to gain access to your access token, and then may be able to leverage that token to hijack your SharePoint of Office server sessions.

Microsoft rating: Important

Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. One of the shared components that ships with Office products doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. Since Internet Explorer (IE) loads this component, it’s particularly useful for attackers. This update fixes the ASLR bypass hole. If you’d like more details about this fix, and how it helps your overall Windows security, see this Microsoft blog post. Though Microsoft only gives this their medium severity rating, we recommend you apply the update quickly.

Microsoft rating: Important

As an aside, Microsoft also released a security bulletin (MS03-103) describing a flaw that primarily affects developers and organizations that specifically use the ASP.NET SignalR library. If you happen to use the ASP.NET SignalR library, do know it suffers from a relatively minor cross-site scripting (XSS) vulnerability, and you should update.

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server. Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Sharepoint, Excel, and Word Security Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Word, and Excel
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix five vulnerabilities in SharePoint, Word, and Excel, which are all part of Microsoft’s Office suite of products. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-084: Two SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both a remote code execution and cross-site scripting (XSS) flaw. The remote code execution is the more severe issue, and involves a flaw in the way Sharepoint handles specially crafted Excel files (this flaw directly relates to an Excel flaw we describe below). If an attacker can entice you to open a specially crafted Excel file from a SharePoint server (or from the Office Services or Web Apps), he could leverage this flaw to execute code on your computer, with your privileges. If you’re an administrator, the attacker has total control of your machine.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-085Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. One of these two Excel flaws is identical the the Excel-related flaw in Sharepoint. This flaw does not affect Excel 2003, but it does affect Excel for Mac

Microsoft rating: Important

  • MS13-086 Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It, like Excel, suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word 2003 and 2007, not Word for Mac.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of these attacks:

  • WEB Microsoft Parameter Injection Vulnerability (CVE-2013-3895)
  • EXPLOIT Microsoft Word Memory Corruption Vulnerability (CVE-2013-3891)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Office Updates Fix SharePoint, Outlook, Word, and More

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and other components
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released seven security bulletins that fix 26 vulnerabilities in a range of Microsoft Office products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and an IME component. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-067: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from a number of vulnerabilities, ranging from remote code execution flaws to a denial of service (DoS) condition. The worst vulnerability is an input validation flaw involving how SharePoint handles specially crafted content. If an attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. In either case, Microsoft assigns this particular flaw their highest severity rating, so SharePoint administrators should patch as soon as possible, especially if you expose your services publicly.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-068: Outlook S/MIME Code Execution Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from a code execution vulnerability involving the way it handles specially crafted S/MIME messages. An attacker could exploit this flaw to execute code on your computer simply by sending you a specially crafted email (though you’d have to open or preview the message first). The code runs with your privileges, and if your users have local administrator privileges, the attacker gains complete control of their PCs. This flaw sounds, and is, pretty severe with one small exception. Microsoft believes it is technically pretty difficult to exploit. Nonetheless, we recommend you apply the patch posthaste.

Microsoft rating: Critical

  • MS13-072 :  Ten Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from ten memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects the Windows versions of Word and Word Viewer, not Word for Mac.

Microsoft rating: Important

  • MS13-073 Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. These flaws are essentially the same as the Word ones described above, but they affect Excel related documents. So in short, if an attacker tricks your into opening a malicious excel file, he can execute code as you. If you’re a local administrator, he has full control of your computer.  Again, the flaws only affects the Windows versions, not Mac ones.

Microsoft rating: Important

  • MS13-074 Three Access Memory Corruption Vulnerabilities

Access is the popular database program that ships with Office. It suffers from three memory corruption vulnerabilities having to do with how it handles specially crafted database files. These flaws are identical in scope and impact to the two above, only they affect Access files. If you open the wrong database, an attack can execute code as you.

Microsoft rating: Important

  • MS13-078: FrontPage Information Disclosure 

FrontPage is a WYSIWYG HTML editor for creating web sites, which ships with Office.  It suffers from an information disclosure. If an attacker can trick a FrontPage user into opening a specially crafted FrontPage document, she could exploit this flaw to read the contents of any file on that user’s computer (assuming they knew the location of a specific file).

Microsoft rating: Important

  • MS13-075 : Chinese IME Elevation of Privilege Vulnerability

Input Method Editors (IME) are optional components that allows Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, he could run a specially crafted program that would give him full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server, or use the SMTP proxy to block messages containing S/MIME content (by blocking the application/pkcs7-mime MIME content type).

Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of these attacks:

  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -1 (CVE-2013-0081)
  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -2 (CVE-2013-0081)
  • EXPLOIT Microsoft Office Could Allow Remote Code Execution (CVE-2013-3850)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -1 (CVE-2013-3180)
  •  EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -2 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -3 (CVE-2013-3180)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Blackhat 2013 – WSWiR Episode 72

Details on Femtocell hacking, Mactans, and SCADA Honeypots

This is the week of the Blackhat and Defcon security conferences; two of the biggest security research conferences of the year. So rather than quickly summarize InfoSec newslike I do most weeksI’ll share details about three of my favorite talks from this year’s Blackhat show (Defcon is going on now).

Two of my favorite presentations fill in details about stories from past episodes. Both the researchers that hacked a Verizon femtocell, and the ones that created a malicious iOS charger, shared the technical details around these attacks. Want to learn how it’s done? Watch below.

The third interesting talk centers around using honeypots to learn who are attacking our SCADA systems. While the attacker profile data shared in the presentation was interesting, I was more concerned with how the researcher profiled his attackers. Essentially, he hacked them back. His hack back technique was at best legally grey area, and at worst totally illegal. And this researcher’s actions were not the exception. I attended a few talks this year where researchers used hacking techniques to out their attacks. Perhaps the industry is adopting “strike back” after all.

In any case, if you’d like a quick glimpse of some of my favorite presentations from the show, be sure to click play below. I will also post some written summaries about the talks I attended in the next few days. Finally, though I didn’t have time to cover the regular Infosec news this week, be sure to check the Reference section for links to a few fairly important industry stories.

(Episode Runtime: 15:15)

Direct YouTube Link: https://www.youtube.com/watch?v=-xBHxQUVJnU

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 58 – Darkleech Apache Attack

Telephony DoS, OpFreeKorea, and Darkleech

What do zombie video games, North Korea, and emergency telephone systems have in common? They’ve all been compromised by cyber attackers this week.

If you’re too busy dousing IT fires to keep up with InfoSec news on your own, give our weekly security news summary a try. In this short video, I quickly highlight the biggest security stories from the week, and give some practical defense tips along the way.

This week’s episode covers a new telephony denial of service (TDos) extortion scheme , a serious flaw in a common database system, the latest Anonymous operation, and a mysterious Apache hijacking campaign that has affected over 20,000 web servers. Watch the video below for the full scoop, and check out the Reference section for additional stories.

(Episode Runtime: 9:03)

Direct YouTube Link: http://www.youtube.com/watch?v=K18Snt0Lrm0

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,582 other followers

%d bloggers like this: