Tag Archives: Patches

Windows Updates Mend Critical Journal Vulnerability & More

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like XML Core Services)
  • How an attacker exploits them: Multiple vectors of attack, including enticing you to malicious web sites, or into interacting with malicious documents or images.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as XML Core Services. An attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

Windows Journal is a basic note taking program that ships with Windows systems (though the server versions of Windows do not install it by default). It suffers from a vulnerability involving how it  handles specially crafted Journal files (.JNT). If an attacker can trick you into opening a malicious Journal file, perhaps embedded in an email or web site, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control of your computer.

Microsoft rating: Critical

  • MS14-039:  On-Screen Keyboard Privilege Elevation Vulnerability

Windows ships with an accessibility option called the On-Screen Keyboard (OSK), which displays a virtual keyboard on your display you can use for character entry. It suffers from a local elevation of privilege (EoP) vulnerability. Basically, low privileged processes can run the OSK and use it to run other programs with the logged in users privileges. However, to exploit this flaw an attacker would first have to exploit another vulnerability in a low integrity process, which lessens the severity of this issue.

Microsoft rating: Important

  • MS14-040:  AFD Privilege Elevation Vulnerability

The Ancillary Function Driver (AFD) is a Windows component that helps manage Winsock TCP/IP communications. It suffers from a local elevation of privilege (EoP) issue. By running a specially crafted application, an attacker can leverage this flaw to execute code with full system privileges, regardless of his actual user privilege. However, in order to run his special program, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.

Microsoft rating: Important

  • MS14-041:  DirectShow Privilege Elevation Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from a local elevation of privilege (EoP) vulnerability. If an attacker can exploit another vulnerability to gain access to a low integrity process, she could then exploit this flaw this flaw to elevate her privileges to that of the currently logged in user.

Microsoft rating: Important

Microsoft’s Patch Day Video Summary:

Microsoft has recently started producing short videos to summarize each month’s Patch Day, which I’ve linked here for your convenience.

(Runtime: 2:24)

Direct YouTube Link: https://www.youtube.com/watch?v=3j-5-xIMgks

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws; especially the Critical Windows Journal vulnerability. If you choose, you can leverage our proxies to prevent your users from receiving Journal files (.JNT) via email, web sites, or FTP sites. However, attackers can exploit some of the other flaws locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

TweetDeck XSS – WSWiR Episode 111

Patch Day, P.F. Changs Hack, and TweetDeck XSS

This week delivered a lot of infosec news and a ton of software security updates. If you didn’t have time to follow it all, check out our weekly computer security video to fill in the blanks.

During today’s episode, I cover the critical patches from Microsoft, Adobe and Mozilla, mention the latest credit card breach against a U.S. restaurant chain, and talk about the cross-site scripting worm spreading via TweetDeck. Click play below to learn more, and check out the References for other interesting infosec stories.

Before wishing you a great weekend, here are a couple of quick show notes. First, I’m starting a vacation during the middle of next week, so I won’t be publishing this weekly video for the next two weeks. It will return in July.

Second, if you are a WatchGuard customer curious about our OpenSSL updates, we are in the process of posting new versions of software for many of our products. Keep your eye on this blog, as those will likely start coming out early next week.

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=hbGqdrxvOyA

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Word 2007 Patch Fixes Embedded Font Vulnerability

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Word 2007 (and related components)
  • How an attacker exploits them: By enticing users to open or interact with a maliciously crafted Word document
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a vulnerability affecting Word 2007, and related software like the Office compatibility pack.

Word is the popular word processor that ships with Office.  It suffers from A memory corruption vulnerabilities having to do with how it handles embedded fonts in documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs.

Microsoft only rates this update as Important (their medium severity), since it requires user interaction to succeed. However, we’ve seen many attackers successfully use malicious Office documents in emails, as part of their advanced spear-phishing campaigns. For that reason, we recommend you install Microsoft’s Word updates as soon as you can.

Solution Path:

Microsoft has released a Word (and related product) update to correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

See the “Affected and Non-Affected Software” section of Microsoft’s Word bulletin for links to the updates.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus service can often prevent the most common malicious documents from reaching your users. You can also leverage our XTM appliance’s proxies policies to block all Word documents if you like; though most administrators prefer not to since Office documents are often shared as part of business. To fully protect yourself, we recommend you install Microsoft’s updates.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Windows Updates Fix GDI+, RDP, and TCP Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like XML Core Services)
  • How an attacker exploits them: Multiple vectors of attack, including enticing you to malicious web sites, or into interacting with malicious documents or images.
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as XML Core Services. An attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-036: Two GDI+ Code Execution Vulnerabilities

The Graphics Device Interface (GDI+) is one of the Windows components that helps applications output graphics, to your display or printer. GDI+ suffers from two security flaws. Though they differ technically, the flaws share the same scope and impact, and have to do with how GDI+ handles specially crafted documents or images. If an attack can entice one of your users into viewing a malicious image or document, perhaps embedded in an email or web site, he can exploit either flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer.

Microsoft rating: Critical

  • MS14-033:  MSXML Information Disclosure Vulnerability

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It often ships with various versions of Windows, and other Microsoft products like Office, SharePoint Server, Groove Server, and Expressions. If you have a Windows computer, you very likely have MSXML.

According to today’s bulletin, MSXML suffers from an information disclosure vulnerability. If an attacker can entice one of your users to a specially crafted web site, or into opening a malicious document, she could invoke MSXML and leverage this flaw to obtain sensitive information from your user’s system. Specifically, the attacker can gain access to some local path information, and your user’s username.

Microsoft rating: Important

  • MS14-031:  TCP Protocol Denial of Service Flaw

As you would expect, the Windows TCP/IP stack is a set of networking protocols that allows your computer to get on the Internet and participate in modern networking. Unfortunately, the Windows TCP/IP stack suffers from an unspecified Denial of Server (DoS) vulnerability involving its inability to properly parse a specially crafted sequence of TCP packets. By sending a sequence of packets, an attacker could leverage this flaw to cause you computer to stop responding, causing a DoS situation. However, the attacker would have to initiate a large number of connections, and have control over the TCP options field of each packet.

Microsoft rating: Important

  • MS14-030:  RDP traffic tampering vulnerability

The Remote Desktop Protocol (RDP) is a Microsoft communication standard designed to allow you to gain access to your computers over a network to directly control your desktop. Unfortunately, the RDP component that ships with Windows doesn’t use very robust encryption by default. If an attacker can intercept your RDP traffic in a Man-in-the-Middle (MitM) attack, he could tamper with the RDP session in a way that allowed him to read session information or modify the RDP session. You can enable Network Level Authentication (NLA) to mitigate the risk of this flaw

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking TCP traffic), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Seven Security Bulletins Include a Huge IE Update

If there is one day of the month you should really focus on software patching, this is the day. The second Tuesday of the month is both Microsoft and Adobe patch day. If you run a Windows shop, or you use Adobe products on any platform, it’s time for you to get patching!

As they promised, Microsoft released seven bulletins today to fix a wide range of security vulnerabilities in a number of their products, including:

  • Windows and its components,
  • Office (Word),
  • Internet Explorer (IE),
  • and Lync Server.

Microsoft rates two of the bulletins as Critical.

The big news here is the major Internet Explorer (IE) update. Not only does it fix a zero day vulnerability I discussed a few weeks ago, but it corrects a whooping total of 59 security flaws in the popular web browser. If you have Windows computers in your network, you need to patch IE immediately. The second Critical update fixes a Windows graphics component (GDI+) flaw, which attackers can leverage simply by tricking your users into viewing maliciously crafted images.

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can or you can also let Windows’ Automatic Update do it for you. You can find more information about these bulletins and updates in Microsoft’s June Summary advisory.

Adobe’s Patch Day, on the other hand, seems a bit lighter than Microsoft’s. They only released one security update fixing six security flaws in Flash Player. That said, the update fixes some pretty serious vulnerabilities that attackers could exploit just by enticing you to the wrong web site. Be sure to update Flash as well.

I’ll share more details about today’s patches on the blog throughout the day, so stay tuned.  — Corey Nachreiner, CISSP (@SecAdept).

Four Windows Bulletins Fix Group Policy, .NET, and iSCSI Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, though most require authenticated attackers to do things locally
  • Impact: In the worst case, an authenticated attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as the .NET Framework. An authenticated attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-025: Group Policy Preferences Password Elevation of Privilege Flaw

Group Policy is the Windows feature that allows administrators to push configuration and settings to other Windows computers throughout their network. Group Policy Preferences are simply an extension of settings you can push via Group Policy. Microsoft’s alert describes a vulnerability in the way Active Directory sends password information with certain Group Policy Preferences. If you use Group Policy to set system administrator accounts, map drives, or run scheduled tasks—all things that require privileges—Group Policy stores an encrypted version of the password or credential needed for this task on the local computer. Local, authenticated attackers can then use that information to crack the password, and perhaps elevate their privileges. For instance, if you use your domain administrator account to run a particular scheduled task on every Windows computer network when it boots, local Windows users may have the information they need to crack your domain administrator account. That said, attackers would need valid credentials to log into one of your windows computers in order to exploit this flaw. So this primarily poses an insider risk.

Microsoft rating: Important

  • MS14-026:  .NET Framework Elevation of Privilege Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework suffers from an unspecified elevation of privilege vulnerability. If an authenticated attacker can send specially crafted data to an app that uses .NET Remoting, he can exploit this flaw to execute code on that system with full system privileges.

Microsoft rating: Important

  • MS14-027:  Windows Shell Elevation of Privilege Vulnerability

The Windows Shell is the primary GUI component for Windows. It suffers from a vulnerability having to do with its ShellExecute Application Programming Interface (API). If a local attacker can log in to one of your Windows systems and run a specially crafted program, he can exploit this flaw to execute code with local administrator privileges, thus gaining full control of the computer.

Microsoft rating: Important

  • MS14-028:  Two iSCSI DoS Vulnerabilities

iSCSI is a standard that supports network based storage devices. The Windows iSCSI component suffers from two Denial of Service (DoS) vulnerabilities. By sending a large amount of specially crafted packets to the iSCSI service (TCP 3260), an attacker could exploit this flaw to cause the iSCSI service to stop responding. Of course, the attacker needs access to the iSCSI service, which most administrator might block with their firewall.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. I especially recommend you test the Group Policy Preference update before deploy it, as it may slightly change the way Group Policy Preferences work.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking TCP port 3260), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitation vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

  • MS14-023: Office Remote Code Execution Flaw

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something call a “token reuse” flaw, but it poses a lesser risk that the remote code execution one.

Microsoft rating: Important

  • MS13-086 MCCOMCTL ASLR Bypass Vulnerabilities

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

  • Microsoft released eight bulletins, two rated Critical and the rest Important.
  • The affected products include
    • Windows
    • Office
    • Internet Explorer (IE)
    • and Sharepoint Server.
  • Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.
  • As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your clients computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

May Brings Eight Microsoft Bulletins and One Adobe Update

Patch Day is coming, Patch Day is coming.

In their advanced notification yesterday, Microsoft announced they’d release eight security bulletins next Tuesday to fix security vulnerabilities in a number of their products. The bulletins will include updates for Internet Explorer (IE), Windows, Office, and a yet unnamed Microsoft Server product. They give two of the bulletins a Critical rating, and the rest listed as Important. See the chart below for complete details.

As usual, Adobe shares the same Patch Day and plans to released one update as well. According to their prenotification post, Adobe plans to released a patch for Adobe Reader and Acrobat, which will fix a serious vulnerabilities in the popular PDF reader. They’ve assigned it a priority of 1 (their highest), so you should plan to apply the patch quickly if you use Reader.

In short, if you’re a Microsoft administrator, or you use Adobe products, be ready to test and deploy a number of updates next week. As always, you should start with the critical updates, and work your way down through the less severe ones. I’ll post details about all these bulletins next week, so stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day, May 2014

Microsoft Black Tuesday: Word 0day Fix & More

Microsoft’s monthly Patch Day went live earlier today. As expected they released four security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Office. Microsoft rates two of the bulletins as critical, one that fixes Word vulnerabilities (including a zero day one I warned about earlier) and another that fixes IE flaws.

If you use the affected Microsoft products, you should apply these patches as soon as you can. I’d apply the updates in the order Microsoft recommends; the Word update first, the IE one second, and the Windows and Publisher updates last.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day.  However, I am currently traveling in Asia, so my blog posts may be late due to timezone issues and travel. So I recommend you check out the April bulletin summary in the meantime, if you’d like an early peek. Also, keep in mind that Adobe released a Flash update today as well. — Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

Join 7,560 other followers

%d bloggers like this: