Tag Archives: microsoft

Avoid MS14-045; Windows Kernel-mode Drivers Patch

Last week, I covered Microsoft Patch Day and recommend you install all the latest Windows, IE, Office, and server updates. This week, I need to warn you against one of those updates.

According to recent reports, the Windows kernel-mode driver update (MS14-045) is causing some computers to have blue screens of death (BSOD). If you haven’t installed this update yet, I recommend you avoid it until further notice. If you have installed it, and have suffered issues, Microsoft has shared instructions on how to remove it.

In the past, I’ve argued that Microsoft’s QA has gotten better, with fewer crash inducing updates. I guess they’re still not perfect. In general, this is a great example of why you should always test updates before pushing them into production. You can do this by maintaining a virtual version of your infrastructure and testing updates there.  — Corey Nachreiner, CISSP (@SecAdept)

SQL Server Update Fixes XSS and DoS Vulnerability

Severity: Medium

Summary:

  • These vulnerabilities affect: Most current versions of SQL Server
  • How an attacker exploits it: Various, including enticing someone to click a specially crafted link
  • Impact: In the worst case, an attacker can steal your web cookie, hijack your web session, or essentially take any action you could on the SQL server
  • What to do: Deploy the appropriate SQL Server updates as soon as possible

Exposure:

SQL Server is Microsoft’s popular database server. According to Microsoft’s security bulletin, SQL Server suffers from both a Cross-site Scripting (XSS) and Denial of Service (DoS) vulnerability.

The XSS flaw poses the most risk. The SQL Master Data Services (MDS) component suffers from a Cross-site Scripting (XSS) vulnerability due to its inability to properly encode output. By enticing someone to click a specially crafted link, an attacker could leverage this flaw to inject client-side script into that user’s web browser. This could allow the attacker to steal web cookie, hijack the web session, or essentially take any action that user could on your SQL Server’s associated web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.

The DoS flaw poses less risk, but is worth patching too. Essentially, if an attacker can send specially crafted queries to you SQL server, he could lock it up. However, since most administrator block SQL queries from the Internet, the attacker would have to reside on the local network to launch this attack.

Solution Path:

Microsoft has released SQL Server updates  to correct this vulnerability. You should download, test, and deploy the appropriate update as soon as possible. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s SQL Server bulletin.

As an aside, the Cross-site Scripting (XSS) protection mechanisms built into many modern web browsers, like Internet Explorer (IE) 8 and above, can often prevent these sorts of attacks. We recommend you enable these mechanisms, if you haven’t already.

For All WatchGuard Users:

Since attackers might exploit some of these attacks locally, we recommend you download, test, and apply the SQL Server patches as quickly as possible.

Status:

Microsoft has released updates to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Windows Updates for Media Center, .NET, and LRPC

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, such as enticing you into opening maliciously crafted Office file.
  • Impact: In the worst case, an remote attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing seven vulnerabilities in Windows and related components, such as the .NET Framework. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-043:  Windows Media Center Code Execution Flaw

Windows Media Center is the media player and Digital Video Recording (DVR) application that ships with the popular operating system. MCplayer.dll, a component Media Center uses for audio and video playback, suffers from a “use after free” vulnerability. By tricking you into running a specially crafted Office file, a remote attacker could leverage this flaw to execute code on your computer, with your privileges. If you’re a local adminstrator, the attacker could gain complete control of your machine. Note, this flaw mostly affects the latest versions of Windows.

Microsoft rating: Critical

  • MS14-045:  Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three local code execution flaws. The flaws differ technically, but most have to do with the kernel-mode driver improperly handling certain objects, which can result in memory corruptions. Smart attackers can leverage memory corruption flaws to execute code. In a nutshell, if a local attacker can run a specially crafted application, he could leverage most of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS14-046:  .NET Framework ASLR Bypass Flaw

The .NET Framework is software framework used by developers to create new Windows and web applications. Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. In short, the .NET framework doesn’t use ASLR protection. This means attackers can leverage .NET to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Local Remote Procedure Call (LRPC) is a protocol Microsoft Windows uses to allow processes to communicate with each other and execute tasks, whether on the same computer or another computer over the network. It suffers from a ASLR bypass vulnerability that has the same scope and impact as the .NET one described above.

Microsoft rating: Important

  • MS14-049:  Windows Installer Service Elevation of Privilege Flaw

As its name suggests, the Windows Installer services is a component that helps you install and configure stuff in Windows. It suffers from a privilege escalation vulnerability involving the way it improperly handles the repair of a previous application. If a local attacker can log into one of your Windows systems and run a specially crafted application, he could exploit this flaw to gain complete control of the system (even if he started out with only Guest privileges). Of course, the attacker would need valid login credentials, which significantly lowers the severity of this issue.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking Office files), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Latest IE Patch Corrects 26 Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft released an update that fixes a 26 new vulnerabilities in all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Most of the vulnerabilities described in this alert (24 of the 26) are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these flaws to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer

The patch also fixes a pair of privilege escalation vulnerabilities, but the memory corruption flaws alone should convince you to update IE as soon as you can.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4063)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4057)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4050)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2824)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2823)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2820)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Nine Microsoft Security Bulletins Coming Tomorrow; Two Critical

Is it just me, or are the months flying by this year? It’s already time for yet another Microsoft Patch Day. According to their advanced notification post for August, Microsoft will release nine security bulletins tomorrow, two with a Critical severity rating. The bulletins will include updates to fix flaws in Windows, Internet Explorer, Office, the .NET Framework, SQL server, and other Microsoft Server Software. You can find a little more color about the upcoming patches at Microsoft’s Security Response Center blog.

In short, if you are a Microsoft administrator, you should prepare yourself for a busy day of patching. I’ll post more details about these updates tomorrow, as they come out. However, I am traveling this week to attend a show, so my posts may not go live as quickly as normal. Be sure to keep you eye on their summary post tomorrow, if you’d like to get the details early. — Corey Nachreiner, CISSP (@SecAdept)

Weak Passwords are Good? – WSWiR Episode 113

Oracle Patches, Project Zero, and Password Problems

Another week, another big batch of InfoSec news. If your IT job is already overwhelming you with tasks, leaving you no time to keep up with computer and network security, “I’ve got ya bro.” Check out our weekly security news summary for all the important action.

Today’s episode covers Oracle’s quarterly Critical Patch Update (CPU), a neat security project from Google, and a bevy of password security related news and issues. It’s all in the video, so give it a play. Also, don’t forget the Reference section below for other interesting news.

Enjoy your summer weekend, and stay safe!

(Episode Runtime: 8:59)

Direct YouTube Link: https://www.youtube.com/watch?v=yOtbuwhqZVo

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Hardware Malware – WSWiR Episode 112

Tons of Patches, Facebook Botnets, and Infected Hand Scanners

After a couple weeks of hiatus, we’re finally back with our weekly security news summary video. If you want to learn about all the week’s important security news from one convenience resource, this is the place to get it.

This episode covers the latest popular software security updates from the last two weeks, and interesting Litecoin mining botnet that Facebook helped eradicate, and an advanced attack campaign that leverages pre-infected hardware products. Watch the video for the details, and check out the Reference’s for more information, and links to many other interesting InfoSec stories.

Enjoy your summer weekend, and stay safe!

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=oAHYUW1KkM0

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Service Bus DoS Mostly Affects Enterprise Web Developers.

Among this week’s Microsoft security bulletins is one that likely only affects a small subset of Microsoft customers, and thus not worth a full security alert.

Microsoft Service Bus is a messaging component that ships with server versions of Windows, providing enterprise developers with the means to create message-driven applications. According to Microsoft’s bulletin, Service Bus suffers from a denial of service (DoS) vulnerability involving it’s inability to properly handle a sequence of specially crafted messages. If you have created an application that uses Service Bus, an attacker who could send specially crafted messages to your application could exploit this flaw to prevent the application from responding to further messages. You’d have to restart the service to regain functionality.

Windows itself doesn’t really use Service Bus for anything, but if you have internal applications that do, this vulnerability may be significant to you. If you use Service Bus, be sure to check out the bulletin to get your updates. — Corey Nachreiner, CISSP (@SecAdept)

Windows Updates Mend Critical Journal Vulnerability & More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like XML Core Services)
  • How an attacker exploits them: Multiple vectors of attack, including enticing you to malicious web sites, or into interacting with malicious documents or images.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as XML Core Services. An attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

Windows Journal is a basic note taking program that ships with Windows systems (though the server versions of Windows do not install it by default). It suffers from a vulnerability involving how it  handles specially crafted Journal files (.JNT). If an attacker can trick you into opening a malicious Journal file, perhaps embedded in an email or web site, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control of your computer.

Microsoft rating: Critical

  • MS14-039:  On-Screen Keyboard Privilege Elevation Vulnerability

Windows ships with an accessibility option called the On-Screen Keyboard (OSK), which displays a virtual keyboard on your display you can use for character entry. It suffers from a local elevation of privilege (EoP) vulnerability. Basically, low privileged processes can run the OSK and use it to run other programs with the logged in users privileges. However, to exploit this flaw an attacker would first have to exploit another vulnerability in a low integrity process, which lessens the severity of this issue.

Microsoft rating: Important

  • MS14-040:  AFD Privilege Elevation Vulnerability

The Ancillary Function Driver (AFD) is a Windows component that helps manage Winsock TCP/IP communications. It suffers from a local elevation of privilege (EoP) issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS14-041:  DirectShow Privilege Elevation Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from a local elevation of privilege (EoP) vulnerability. If an attacker can exploit another vulnerability to gain access to a low integrity process, she could then exploit this flaw this flaw to elevate her privileges to that of the currently logged in user.

Microsoft rating: Important

Microsoft’s Patch Day Video Summary:

Microsoft has recently started producing short videos to summarize each month’s Patch Day, which I’ve linked here for your convenience.

(Runtime: 2:24)

Direct YouTube Link: https://www.youtube.com/watch?v=3j-5-xIMgks

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws; especially the Critical Windows Journal vulnerability. If you choose, you can leverage our proxies to prevent your users from receiving Journal files (.JNT) via email, web sites, or FTP sites. However, attackers can exploit some of the other flaws locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

IE Update Fixes Remote Code Execution and Certificate Issues

Summary:

  • This vulnerability affects: All current versions of Internet Explorer
  • How an attacker exploits it: Mostly by enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released as part of Patch Day, Microsoft describes an update that fixes a 23 new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Most of the vulnerabilities described in this alert (22 of the 23) are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these memory corruption vulnerabilities to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer

The update also fixes a publicly reported certificate handling issue having to do with how IE handles extended validation (EV) certificates and wildcards. Attackers could leverage this flaw to help make their phishing sites look more legitimate. Though this issue is pretty bad, the memory corruption flaws pose even more risk. They alone should convince you to update IE as soon as you can.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1765)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2787)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2795)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2797)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2801)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2804)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

Join 7,560 other followers

%d bloggers like this: