Tag Archives: excel

Microsoft’s March Patch Day Madness

Pull up your bootstraps Microsoft administrators, because you’re in for a long patch slog this month. According to their March Patch Day summary,  Microsoft released 14 security bulletins, many fixing critical issues. I highlight the details below, so get ready to get patching.

By the Numbers:

February Microsoft Patch DayToday, Microsoft released 14 security bulletins, fixing a total of 45 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • Exchange server,
  • and VBScript.

They rate five bulletins as Critical and the rest as Important.

Patch Day Highlights:

There are many vulnerabilities worth fixing this month, but two major highlights.

  1. Remember FREAK? It’s that SSL implementation vulnerability that I’ve been talking about in blog posts and multiple videos. Well, it affects Windows too and they fixed it this month. If you’ve been concerned about black hats sniffing your SSL, be sure to get the FREAK update (MS15-031).
  2. Also, remember Stuxnet? I’m sure you do, since it was one of the most sophisticated attacks the industry has ever seen. When it was discovered, it used four different zero day vulnerabilities to help itself spread, including a .LNK file vulnerability that helped it infect others via USB storage devices. Microsoft tried to patch this flaw years ago, but apparently failed. The MS15-020 update completes the botched job, so be sure to get that update. If you want to learn more about the update’s relation to Stuxnet, check out this HP blog post.

While these those two updates are probably the most interesting, this month’s bulletins include many more critical patches. For instance, March’s Internet Explorer (IE) update fixes 12 security flaws that bad guys can leverage in drive-by download attacks. Also, Exchange administrators will probably want to apply its update quickly, even though Microsoft only reports it as Important. If attackers can get your email users to click a link, they can exploit various Exchange flaws to gain access to your users’ OWA accounts. In short, we recommend you apply Microsofts updates quickly, in the order we share them below.

Quick Bulletin Summary:

We summarize the March security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-018 – Critical – IE Memory Corruptions Flaws – The Internet Explorer (IE) update mostly fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC. Web-based drive-by downloads are pretty popular with attackers right now, so we recommend you apply this update quickly.
  • MS15-019 – Critical- VBScript RCE Flaw – VBScript is a Microsoft specific scripting language that ships with Windows and IE. It suffers from a memory corruption flaw that attackers could leverage to execute code with your privileges. This is actually one of the vulnerabilities corrected by the IE update mentioned above, but Microsoft has to fix it in VBScript as well since it ships independently. Similar to the IE flaws, attackers would likely leverage this vulnerability in drive-by download attacks.
  • MS15-020 – Critical – Two Windows Code Execution Flaws – Remember Stuxnet? This update fixes one of its zero day vulnerabilities… again! Windows suffers from two code execution flaws involving its Windows Text Services (WTS) and the way it loads DLLs. The WTS flaw poses the most obvious risk. If an attacker can trick one of your users into visiting a malicious web site, or opening a specially crafted file, she can exploit the WTS issue to execute code on that user’s computer, with the user’s privileges. If the user was a local admin, the attacker gains full control of your user’s PC. However, the “DLL Planting” vulnerability is pretty bad too, since it’s actually one that the infamous Stuxnet malware exploited years ago. While Microsoft’s alert doesn’t describe it this way, the DLL loading fix is related to the shortcut .LNK vulnerability that was supposedly fixed in 2010. You can read more about it on this blog.
  • MS15-021 – Critical – Multiple Adobe Font Driver Vulnerabilities – Windows ships with an Adobe font driver to handle—as its name suggests—Adobe fonts. This driver suffers from many flaws, including a denial of service (DoS) issue, an information leak flaw, and a number of memory corruption vulnerabilities. Attackers could exploit the memory corruption flaws to execute code on your computer, assuming they can trick you into visiting a booby-trapped web site, or opening a file with maliciously crafted fonts.
  • MS15-022 – Critical – Multiple Office Component Vulnerabilities - Office, and the components that ship with it (such as Word, Excel, and Sharepoint server), suffer from a range of five vulnerabilities. The worst are three code execution flaws that black hats can exploit by luring you into opening malicious office documents. However, Sharepoint also suffers from a few cross-site scripting (XSS) vulnerabilities as well.
  • MS15-026 – Important – Five Exchange Server Vulnerabilities - Exchange, Microsoft’s popular email server, suffers from five vulnerabilities. The four worst flaws are all cross-site scripting (XSS) vulnerabilities in various parts of Outlook Web Access (OWA). While they differ technically, they all have the same affect. If an attacker can lure you into clicking a specially crafted link, or into visiting a web site containing a malicious link, he can exploit any of these four flaws to gain control of your OWA account, and do anything you could (for instance, send and read your email). Since OWA is pretty popular among Exchange administrators, and often exposed publicly, I consider this update a fairly high priority.
  • MS15-023 – Important – Four Kernel-Mode Driver Flaws- The Windows Kernel-Mode Driver suffers from four security vulnerabilities; the most serious being a local elevation of privilege (EoP) flaw. If an attacker can log into your system, and run a specially crafted program, he can leverage this particular EoP flaw to gain complete control of that Windows computer. The remaining three issues are memory disclosure vulnerabilities attackers could use to gain more information about your system than you would like.
  • MS15-024 – Important – PNG Information Disclosure Flaw - Windows doesn’t handle PNG images correctly. If an attacker can get you to open a malicious PNG image, he can leverage this flaw to learn more about your system, which could aid him in further attacks.
  • MS15-025 – Important – Windows Kernel EoP Flaws - The Windows kernel suffers from two vulnerabilities that local attackers can exploit to elevate their privileges. Though the flaws differ technically, they share the same impact. By running a specially crafted program, a local attacker (with valid credentials) can gain full control of a Windows system. However, they can’t exploit these flaws unless they can already log onto your systems.
  • MS15-027 – Important – NETLOGON Spoofing Vulnerability - The Windows NETLOGON component suffers from a flaw that allows local attackers to spoof another legitimate user on your Windows network. However, to exploit this flaw an attacker must already be able to log in to your network using valid domain credentials, which significantly lessens its impact.
  • MS15-028 – Important – Task Scheduler Security Bypass Flaw - The Windows Task Scheduler—a component that allows users to run programs at specified times—suffers from a flaw involving its inability to properly enforce user privileges. In short, an unprivileged user can leverage this issue to run programs they’re not supposed to have access to. That said, they need credentials on your system to exploit this flaw.
  • MS15-029 – Important – JPEG XR Information Disclosure Flaw - The component used to display certain JPG images suffers from memory handling flaw that unintentionally leaks information about your system. If you view a malicious image, the attacker may (or may not) gain access to some information that could aid him further in an attack.
  • MS15-030 – Important – RDP DoS Vulnerability- The Windows Remote Desktop Protocol (RDP) suffers from a denial of service (DoS) vulnerability. In short, by sending specially crafted packets and unauthenticated attacker can take out your RDP server, and prevent legitimate users from connecting. If you allow access to RDP, you’ll want to fix this flaw.
  • MS15-031 – Important – Schannel FREAK Vulnerability- You know that SSL FREAK vulnerability we’ve written about and done multiple videos about over the past week? This Schannel update fixes it for Windows. If you concerned with SSL man-in-the-middle (MitM) attackers, you should apply this patch.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1634)
  • WEB Cross-site Scripting -11
  • WEB Cross-Site Scripting -7
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1626)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1625)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1624)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1623)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1622)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0100)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0099)
  • FILE Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution
  • SMB NETLOGON Spoofing Vulnerability (CVE-2015-0005)
  • WEB-CLIENT Microsoft Internet Explorer VBScript Memory Corruption Vulnerability (CVE-2015-0032)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0056)
  • WEB-CLIENT Microsoft Internet Explorer Elevation of Privilege Vulnerability (CVE-2015-0072)
  • WEB-CLIENT Microsoft Internet Explorer JPEG XR Parser Information Disclosure Vulnerability (CVE-2015-0076)
  • WEB-CLIENT Microsoft Internet Explorer Malformed PNG Parsing Information Disclosure Vulnerability (CVE-2015-0080)
  • WEB-CLIENT Microsoft Internet Explorer WTS Remote Code Execution Vulnerability (CVE-2015-0081)
  • FILE Microsoft Office Component Use After Free Vulnerability (CVE-2015-0085)
  •  FILE Microsoft Office Memory Corruption Vulnerability (CVE-2015-0086)
  • FILE Microsoft Word Local Zone Remote Code Execution Vulnerability (CVE-2015-0097)
  • FILE Microsoft DLL Planting Remote Code Exectution Vulnerability (CVE-2015-0096)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Microsoft Delivers Nine Security Bulletins for February

As the second Tuesday of the month, it’s time for Microsoft administrators to get patchin’. You can find this month’s Patch Day details at Microsoft’s February Patch Day Summary page, but I’ll summarize some of the highlights below.

By the Numbers:

February Microsoft Patch DayToday, Microsoft released nine security bulletins, fixing a total of 60 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Microsoft System Center Virtual Machine Manager (VMM).

They rate three bulletins as Critical, six as Important.

Patch Day Highlights:

The most interesting vulnerability this month is probably Microsoft’s Group Policy remote code execution flaw. This is a rather complex flaw that requires an attacker successfully pull off a man-in-the-middle (MitM) attack on a computer that is configured to connect to an Active Directory domain. Once the attacker can intercept your traffic, he can trick it into running a malicious login script, which allows him to run anything he wants. Since the flaw relies on a domain login, it primarily affects corporate Windows users. Check out this article to learn more.

Internet Explorer (IE) also got a rather beefy patch, which fixes 41 security flaws. The update mostly fixes memory corruption vulnerabilities that bad guys can leverage in drive-by download attacks. However, this update also includes updates to IE’s SSLv3 handling to mitigate the POODLE flaw. Finally, this update does NOT fix the recent IE11 cross-site scripting (XSS) flaw that Google disclosed. That said, I’d recommend you install the IE update first, as web drive-by download attacks are much more popular and targeted than the Group Policy attack mentioned above.

Quick Bulletin Summary:

We summarize February’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS15-009 – Critical – Cumulative Internet Explorer update fixes 41 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS15-010 – Critical- Kernel-mode Driver RCE flaw – The kernel-mode driver that ships with Windows suffers from various elevation of privilege flaws that could allow unprivileged users to execute code with full privileges. However, the attacker needs local system access and credentials to carry out the attack.
  • MS15-011 – Critical – Group Policy Remote Code Execution Flaw – The Windows Active Directory Group Policy Component suffers from complex code execution vulnerability. If an attacker can successfully intercept all the traffic of a Windows computer that connects to a domain, she can exploit this flaw to run arbitrary code on that computer. However, the attacker would most likely have to be on the same network as the victim in order for such a man-in-the-middle attack to succeed.
  • MS15-012 – Important – Office Code Execution Flaws – Various Office components, like Word and Excel, suffer from document handling code execution flaws. If an attacker can get you to open a maliciously crafted document, he could exploit these to gain control of your computer.
  • MS15-013 – Important – Office Security Bypass Flaw - Office doesn’t properly leverage Windows’ Address Space Layout Randomization (ASLR) feature. Since ASLR makes it harder for bad guys to exploit memory corruption issues, this bypass flaw makes it easier for attackers.
  • MS15-014 – Important – Group Policy Security Bypass Flaw - Using a man-in-the-middle attack, an attacker can trick Group Policy into reverting to its less secure, default state. This attack only works against Windows machines that connect to a domain. This flaw can be used in conjunction with MS15-011 to execute code.
  • MS15-015 – Important – Windows Elevation of Privilege Flaw - In short, if a unprivileged user can run code on a Windows machine, he can leverage this flaw to gain system privileges. However, he needs valid credentials and enough access to log in to the computer in the first place.
  • MS15-016 – Important – Windows Graphic Component Information Disclosure Flaw - The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities easier. Also, the attacker would have to entice you into viewing a TIFF image in order to exploit this flaw.
  • MS15-017 – Important – VMM Elevation of Privilege Flaw - If an attacker has credentials to login to your Microsoft Virtual Machine Manager (VMM), even as an under-privileged role, that attacker could leverage this flaw to gain full access to VMM and all your virtual machines.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

IMPORTANT NOTE: We have already read rumors about problems with some of today’s Microsoft updates. We highly recommend you test the patches before applying them to production servers.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download February’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8967)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0017)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0018)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0019)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0020)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0021)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0022)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0023)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0025)
  •  WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0026)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0029)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0030)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0031)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0035)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0036)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0037)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0039)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0040)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0041)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0042)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0043)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0071)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0070)
  • WEB-CLIENT Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-0069)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0068)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0067)
  • FILE Microsoft Office Word OneTableDocumentStream Remote Code Execution Vulnerability (CVE-2015-0065)
  • FILE Microsoft Office Word Remote Code Execution Vulnerability (CVE-2015-0064)
  • FILE Microsoft Office Excel Remote Code Execution Vulnerability (CVE-2015-0063)
  • FILE Microsoft Office TTF TrueType Font Parsing Remote Code Execution Vulnerability (CVE-2015-0059)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0053)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0052)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0051)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0050)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0049)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0048)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0046)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0045)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0044)
  • FILE Adobe Flash Player BitmapFilter Invalid Object Corruption Remote Code Execution (CVE-2015-0314)
  • FILE Adobe Flash Player Video Event Dispatch Use After Free (CVE-2015-0315)
  • FILE Adobe Flash Player OP_ANYBYTE PCRE Library Memory Corruption (CVE-2015-0316)
  • FILE Adobe Flash Player XMLSocket.connect Type Confusion (CVE-2015-0317)
  • FILE Adobe Flash Player PCRE Regex Compilation Memory Corruption (CVE-2015-0318)
  • FILE Adobe Flash Player Multiple Type Confusion (CVE-2015-0319
  • FILE Adobe Flash Player MessageChannel.send() Use After Free (CVE-2015-0320)
  • FILE Adobe Flash Player Parsing Malformed mp4 Video Memory Corruption (CVE-2015-0321)
  • FILE Adobe Flash Player ActionScript Pushscope Opcode Memory Corruption (CVE-2015-0322)
  • FILE Adobe Flash Player Special Regex Character Sets Heap Overflow (CVE-2015-0323)
  • FILE Adobe Flash Player JSON.stringify Integer Heap Overflow (CVE-2015-0324)
  • FILE Adobe Flash Player RemoveFromDeviceGroup() Use After Free (CVE-2015-0325)
  • FILE Adobe Flash Player ActionScript URLRequest.requestHeaders Type Confusion (CVE-2015-0326)
  • FILE Adobe Flash Player Stringifying Proxy Objects Heap Overflow (CVE-2015-0327)
  • FILE Adobe Flash Player NetConnection Request Null Dereference (CVE-2015-0328)
  • FILE Adobe Flash Player Multibyte UTF-8 Characters Regular Expressions Memory Corruption (CVE-2015-0329)
  • FILE Adobe Flash Player PCRE Regex Heap Overflow (CVE-2015-0330)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Poodle’s Back – WSWiR Episode 132

Another week, another batch of information security (infosec) news. Would you like a quick summary, rather than hunting it down yourself? No problem! Just check out our weekly video every Friday.

Today’s episode covers the Patch Day bonanza, lots of updates on the Sony Pictures breach, and a new twist on the “Poodle” SSL/TLS vulnerability. Press play for the scoop, and check our the References and Extras section for more stories and details.

(Episode Runtime: 7:13)

Direct YouTube Link: https://www.youtube.com/watch?v=WbbZjRtyODA

EPISODE REFERENCES:

EXTRAS:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft’s Last Patch Day Until 2015; Three Critical Patches

It’s that time of the month again; Microsoft Patch Day. Yesterday, Microsoft posted their regular batch of security updates, so it’s time you patch your Windows systems. I’ll summarize some Patch Day highlights below, but you should visit Microsoft’s December Patch Day Summary page for more details

By the Numbers:

On Tuesday, Microsoft released seven security bulletins, fixing a total of 25 security vulnerabilities in many of their products. The affected products include:

  • all current versions of Windows,
  • Internet Explorer (IE),
  • Office,
  • and Exchange Server.

They rate three bulletins as Critical, four as Important.

Patch Day Highlights:

The Exchange update is the most interesting one, but lets start with what you should patch first. I’d start with the Internet Explorer (IE) update, as it closes a bunch of holes bad guys can use for drive-by download attacks. Next, even though Microsoft doesn’t rate it as Critical, the Exchange update fixes a few flaws attackers could leverage to access your users’ email (if they can get those users to click links). Since email is so important, I’d take care of that next. Then move on to the various Office updates, to make sure your users aren’t affected by malicious Office documents. Finally, even though it poses minimal risk, finish with the Graphics component update.

Quick Bulletin Summary:

We summarize December’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

  • MS14-080 – Critical – Cumulative Internet Explorer update fixes 14 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
  • MS14-075 – Important- Four Exchange Server Vulnerabilities – Microsoft’s email server, Exchange, suffers from four security flaws. The worst are a pair of cross-site scripting (XSS) flaws. If an attacker can trick you into clicking a specially crafted link on a system you use for OWA, he could exploit these flaws to gain access to your email as you. The remaining flaws allow attackers to spoof emails to appear to come from someone else, or to spoof links that appear to link to somewhere else.
  • MS14-081 – Critical – Two Word Remote Code Execution Flaws – Word suffers from two flaws involving how it handles specially crafted Office files. In short, if an attacker can get you to open a malicious Office file, she can exploit these flaws to execute code on your computer.
  • MS14-082 – Important – Office Code Execution Flaw – Word, an Office component, suffers from yet another code execution vulnerability, similar to the two described above. I’m not sure why Microsoft included this is a separate bulletin, with a lower severity, since it seems to have a similar impact and mitigating factors as the flaws above.
  • MS14-083 – Important – Two Excel Code Execution Flaws - Excel suffers from a pair of code execution vulnerabilities attackers could exploit by getting you to interact with malicious spreadsheets.
  • MS14-084 – Important – Windows VBScript Memory Corruption Flaw - The Windows VBScript component suffers from a memory corruption flaw that attackers could leverage through your browser. If an attacker can lure you to a website with malicious code, he could exploit this flaw to execute code with your privileges.
  • MS14-085 – Important – Windows Graphic Component Information Disclosure Flaw - The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities easier.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

You can get the updates three ways:

  1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
  2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
  3. Download December’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6374)
  • WEB Microsoft Graphics Component Information Disclosure Vulnerability (CVE-2014-6355)
  • FILE Microsoft Word Remote Code Execution Vulnerability (CVE-2014-6357)
  • FILE Microsoft Excel Global Free Remote Code Execution Vulnerability (CVE-2014-6360)
  • WEB-CLIENT Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6368)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0574)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327)
  • WEB MIcrosoft Internet Explorer XSS Filter Bypass Vulnerability (CVE-2014-6328)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330)
  • FILE Microsoft Excel Invalid Pointer Remote Code Execution Vulnerability  (CVE-2014-6361)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6363)
  • WEB-CLIENT Microsoft VBScript Memory Corruption Vulnerability (CVE-2014-6366)
  • FILE Adobe Flash Player opcode pushwith Memory Corruption Vulnerability (CVE-2014-0586)
  • FILE Adobe Flash Player opcode pushscope Memory Corruption Vulnerability (CVE-2014-0585)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)

 

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitation vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

  • MS14-023: Office Remote Code Execution Flaw

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something call a “token reuse” flaw, but it poses a lesser risk that the remote code execution one.

Microsoft rating: Important

  • MS13-086 MCCOMCTL ASLR Bypass Vulnerabilities

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Trio of Office Updates Fix SharePoint Flaw & ASLR Bypass

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products, including SharePoint
  • How an attacker exploits them: Varies. Typically by enticing users to visit malicious web content or open Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a like number of vulnerabilities in Microsoft Office and related products like SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-100: SharePoint Code ExecutionVulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from an unspecified remote code execution flaw having to do with how it parses specially crafted page content. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. However, Microsoft assigns this particular flaw an Important severity rating, probably because the attacker needs valid SharePoint credentials to exploit it.

Microsoft rating: Important

  • MS13-104: Office Access Token Hijacking Flaw

When you login to an Office or Sharepoint server, the server verifies your credentials and then produces an access token, which allows you to continue accessing the server for a limited period of time. Office suffers from an unspecified flaw having to do with how it handles documents hosted on web sites. If an attacker can entice you into opening an Office document hosted on a malicious site, he could exploit this flaw to gain access to your access token, and then may be able to leverage that token to hijack your SharePoint of Office server sessions.

Microsoft rating: Important

Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. One of the shared components that ships with Office products doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. Since Internet Explorer (IE) loads this component, it’s particularly useful for attackers. This update fixes the ASLR bypass hole. If you’d like more details about this fix, and how it helps your overall Windows security, see this Microsoft blog post. Though Microsoft only gives this their medium severity rating, we recommend you apply the update quickly.

Microsoft rating: Important

As an aside, Microsoft also released a security bulletin (MS03-103) describing a flaw that primarily affects developers and organizations that specifically use the ASP.NET SignalR library. If you happen to use the ASP.NET SignalR library, do know it suffers from a relatively minor cross-site scripting (XSS) vulnerability, and you should update.

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server. Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Sharepoint, Excel, and Word Security Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Word, and Excel
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix five vulnerabilities in SharePoint, Word, and Excel, which are all part of Microsoft’s Office suite of products. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-084: Two SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both a remote code execution and cross-site scripting (XSS) flaw. The remote code execution is the more severe issue, and involves a flaw in the way Sharepoint handles specially crafted Excel files (this flaw directly relates to an Excel flaw we describe below). If an attacker can entice you to open a specially crafted Excel file from a SharePoint server (or from the Office Services or Web Apps), he could leverage this flaw to execute code on your computer, with your privileges. If you’re an administrator, the attacker has total control of your machine.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-085Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. One of these two Excel flaws is identical the the Excel-related flaw in Sharepoint. This flaw does not affect Excel 2003, but it does affect Excel for Mac

Microsoft rating: Important

  • MS13-086 Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It, like Excel, suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word 2003 and 2007, not Word for Mac.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of these attacks:

  • WEB Microsoft Parameter Injection Vulnerability (CVE-2013-3895)
  • EXPLOIT Microsoft Word Memory Corruption Vulnerability (CVE-2013-3891)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Install the IE Update First

If you follow the blog, you’re surely aware that today’s Microsoft Patch Day; and it’s an especially important one. Though it doesn’t set any records, Microsoft has released an update to fix a fairly significant, zero day Internet Explorer (IE) vulnerability, which many attackers have exploited in the wild for the past few weeks. If you can only apply one patch today, I recommend the IE one.

In their summary post, Microsoft shares details about eight security bulletins that fix 27 vulnerabilities in many of their popular products. They rate half the bulletins as Critical, and the other half as Important. Here’s the breakdown of affected products:

  • Internet Explorer (IE) [10 issues fixed]
  • Windows and its components [12 issues fixed]
  • Office products [5 issues fixed]
    • SharePoint Server
    • Word
    • Excel

If you use any of these products, you should update as soon as possible. As mentioned earlier, I recommend you install the IE update first; and try to get to it as quickly as you can. Though Microsoft previously released a FixIt for this issue (which I hope you’re running), it’s better to be safe than sorry. That said, don’t discount the other Critical updates. In general, I recommend you download, test and deploy all of Microsofts patches as soon as you can. For more details on today’s Patch Day, check out the October bulletin summary, or wait for our detailed alerts.

On the subject of patching, today is also Adobe patch day too. They’ve released updates to fix Reader, Acrobat, and Robohelp. I’d also recommend you install those updates (the Reader one likely affects most people) as soon as you can. You can learn more about Adobe’s updates on their security page, but I’ll release an alert about them later today.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

Office Updates Fix SharePoint, Outlook, Word, and More

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and other components
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released seven security bulletins that fix 26 vulnerabilities in a range of Microsoft Office products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and an IME component. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-067: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from a number of vulnerabilities, ranging from remote code execution flaws to a denial of service (DoS) condition. The worst vulnerability is an input validation flaw involving how SharePoint handles specially crafted content. If an attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. In either case, Microsoft assigns this particular flaw their highest severity rating, so SharePoint administrators should patch as soon as possible, especially if you expose your services publicly.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-068: Outlook S/MIME Code Execution Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from a code execution vulnerability involving the way it handles specially crafted S/MIME messages. An attacker could exploit this flaw to execute code on your computer simply by sending you a specially crafted email (though you’d have to open or preview the message first). The code runs with your privileges, and if your users have local administrator privileges, the attacker gains complete control of their PCs. This flaw sounds, and is, pretty severe with one small exception. Microsoft believes it is technically pretty difficult to exploit. Nonetheless, we recommend you apply the patch posthaste.

Microsoft rating: Critical

  • MS13-072 :  Ten Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from ten memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects the Windows versions of Word and Word Viewer, not Word for Mac.

Microsoft rating: Important

  • MS13-073 Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. These flaws are essentially the same as the Word ones described above, but they affect Excel related documents. So in short, if an attacker tricks your into opening a malicious excel file, he can execute code as you. If you’re a local administrator, he has full control of your computer.  Again, the flaws only affects the Windows versions, not Mac ones.

Microsoft rating: Important

  • MS13-074 Three Access Memory Corruption Vulnerabilities

Access is the popular database program that ships with Office. It suffers from three memory corruption vulnerabilities having to do with how it handles specially crafted database files. These flaws are identical in scope and impact to the two above, only they affect Access files. If you open the wrong database, an attack can execute code as you.

Microsoft rating: Important

  • MS13-078: FrontPage Information Disclosure 

FrontPage is a WYSIWYG HTML editor for creating web sites, which ships with Office.  It suffers from an information disclosure. If an attacker can trick a FrontPage user into opening a specially crafted FrontPage document, she could exploit this flaw to read the contents of any file on that user’s computer (assuming they knew the location of a specific file).

Microsoft rating: Important

  • MS13-075 : Chinese IME Elevation of Privilege Vulnerability

Input Method Editors (IME) are optional components that allows Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, he could run a specially crafted program that would give him full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server, or use the SMTP proxy to block messages containing S/MIME content (by blocking the application/pkcs7-mime MIME content type).

Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of these attacks:

  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -1 (CVE-2013-0081)
  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -2 (CVE-2013-0081)
  • EXPLOIT Microsoft Office Could Allow Remote Code Execution (CVE-2013-3850)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -1 (CVE-2013-3180)
  •  EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -2 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -3 (CVE-2013-3180)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: The Largest Patch Day of 2013 (So Far)

Today’s Patch Day is the largest so far for 2013, with Microsoft releasing 13 security bulletins. While it doesn’t break any records (that Patch Day was probably the 17 bulletin one in April 2011), it’s still nothing to sneeze at. Here’s today’s patch break down.

Microsoft’s 13 bulletins fix around 47 security vulnerabilities affecting the following products:

  • Internet Explorer (IE)
  • Windows
  • many Office products
    • SharePoint Server
    • Outlook
    • Word
    • Excel
    • Access
    • FrontPage

Microsoft rates four of the bulletins as Critical, and the remaining ones Important. The impacts of these flaws range from remote code execution, elevation of privileges, information disclosure, and denial of service (DoS). For more details, check out the September bulletin summary, or wait for our detailed alerts.

At first glance, you might think the Critical Outlook bulletin is the most severe, and the first you should fix. I mean… gaining control of a user’s system simply by getting them to open an email sounds pretty horrible. However, Microsoft believes that this flaw is technically pretty difficult to exploit.

On the flip side, you might be less worried about the SharePoint issues, since you’d assume most organizations put SharePoint servers behind firewalls. Yet, as it turns out, many organizations provide public access to their SharePoint services allowing external employees easy access; some even disable authentication. My point being, I would apply the SharePoint patches first, assuming you manage SharePoint servers, but would still consider the Outlook update a close second (and don’t forget the Critical IE and Windows updates either).

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: Sept. 2013

Follow

Get every new post delivered to your Inbox.

Join 7,871 other followers

%d bloggers like this: