Tag Archives: remote code execution

Latest Flash Update Mends Four Flaws

Summary:

  • This vulnerability affects: Adobe Flash Player running on all platforms and Adobe Air
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

This week, Adobe released a security bulletin describing four security vulnerabilities (based on CVE numbers) that affect Flash Player running on any platform. It doesn’t describe the flaws in much technical detail, other than saying they consist mostly of buffer overflow vulnerabilities and other types of memory corruption flaws (and a cross-site scripting issue). That said, Adobe does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these unspecified vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Though it doesn’t look like attackers are exploiting these flaws in the wild yet, Adobe rates the flaws as a “Priority 1” issues for Windows and Macintosh users, and recommends you apply the updates within 72 hours. These vulnerabilities also affect other platforms as well, such as Internet Explorer (IE) 11 and Chrome. I recommend you update any Flash capable platform as soon as you can.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome or IE 11, you’ll have to update it seperately.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Adobe’s alert:

  • WEB  Adobe Flash Player High Surrogate Parsing Cross Site Scripting  (CVE-2014-0509)
  • WEB-CLIENT Adobe Flash Player Information Disclosure (CVE-2014-0508)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0506)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0507)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Adobe’s Flash update to completely protect yourself from all of these flaws.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Windows File Handling Remote Code Execution Flaw

Severity: Medium

Summary:

  • These vulnerabilities affect: All current versions of Windows
  • How an attacker exploits them: By tricking your users into running a .bat or .cmd file from a network location
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

As part of Patch Day, Microsoft released a Windows security bulletin describing a code execution vulnerability involving the way it handles .bat and .cmd files, otherwise known as Windows batch files. Windows batch files allow you to write multiple, scripted commands which will run together (as a batch) when you run the file. Window’s suffers from a vulnerability in they way they process these files, which attackers could exploit to execute arbitrary code. If an attacker can trick one of your users into running a .bat or .cmd file from a network location, they could exploit this issue to execute any code with that user’s privileged. In most Windows environments, users have local administrator privileges, so this attack could give hackers full control of your machine.

That said, this flaw takes significant user interaction to succeed, and most savvy Windows users know batch files could be dangerous, and don’t run them randomly. Nonetheless, we recommend you patch Windows as soon as you can.

Also note, this will be the last security update for Windows XP. If you haven’t figured out your Windows XP migration path yet, you really should start thinking about it. That said, security companies like WatchGuard will continue to develop IPS and anti-malware signatures to detect and block threats against Windows XP systems. If you absolutely cannot upgrade XP, be sure to at least implement IPS, AV, and UTM systems to protect your vulnerable computers.

Solution Path:

Microsoft has released updates that correct this vulnerability. You should download, test, and deploy the appropriate update throughout your network as soon as you can. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate some of the risk of this flaw (such as allowing you to block .bat and cmd files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit it over the local network too. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Four Windows Updates: Hijack Windows with Malicious Images

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like Silverlight)
  • How an attacker exploits them: Multiple vectors of attack, including luring users into viewing malicious images
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as Silverlight. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-013DirectShow JPEG Handling Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from an unspecified memory corruption vulnerability having to do with how it handles specially crafted JPEG (JPG) images. By getting your users to view such a malicious image, perhaps via a web site or email, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, the attacker gains full control of the users’ machines.

Microsoft rating: Critical

  • MS14-015:  Multiple Kernel-Mode Driver Code Execution Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from two security vulnerabilities. The worst is an elevation of privilege flaw having to do with it handles memory. In a nutshell, if a local attacker can run a specially crafted application, he could leverage this flaw to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. The second issue could allow attackers to gain access to information in restricted sections of your computer’s memory, but doesn’t pose as high a risk as the first.

Microsoft rating: Important

  • MS14-016:  SAMR Lockout Bypass Vulnerability

The Security Account Manager or SAM file is a database file on Windows computers that contains all the hashed user credentials. The Security Account Manager Remote (SAMR) protocol is a client-to-server communication protocol Windows uses to check credentials against a SAM database. SAMR suffers from a flaw that allows attackers to bypass its user lockout feature. Windows allows you to lockout a user who has entered the wrong password a certain number of times. This makes it harder for attackers to launch “brute-force” password cracking attacks, since it limits the amount of failed password attempts. However, by sending specially crafted SAMR messages, an attacker can bypass this lockout feature, and try unlimited passwords against your Windows system. While this doesn’t directly give the attacker access to your computer, it does allow attackers on your local network to try and brute-force your passwords.

Microsoft rating: Important

  • MS14-014:  Silverlight DEP/ASLR Bypass Flaw

Silverlight is a cross-platform and cross-browser software framework used by developers to create rich media web applications. Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems (OS) use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Data Execution Prevention (DEP) is another such feature that makes it hard for attackers to execute code from memory. Unfortunately, Silverlight does not implement Windows’ DEP and ASLR protection properly. This means that it’s relatively easy for attackers to exploit any memory corruption flaws in Silverlight. By itself, this bypass flaw is worthless. It doesn’t give an attacker access to your computer. However, assuming attackers find memory corruption flaws in Silverlight, this bypass flaw would make it easier for them to exploit those flaws to execute code. You should apply this update simply to improve the general security of Silverlight.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as allowing you to block .jpg files, or enabling GAV or IPS services to detect attacks and the malware they distribute), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Windows Updates Fix Code Execution, DoS, and Privilege Elevation Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Windows (and related components like the .NET Framework and VBScript Engine)
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web sites or into viewing malicious vector graphics
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released five security bulletins describing seven vulnerabilities in Windows and its components. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-011VBScript Code Execution Vulnerability

VBScript is a scripting language created by Microsoft, and used by Windows and its applications. The VBScript Scripting Engine, which ships with Windows, suffers from an unspecified memory corruption vulnerability having to do with its inability to properly handle certain objects in memory when rendering script for Internet Explorer (IE). By enticing you to a specially crafted web page, an attacker could leverage this flaw to execute code on your computer with your privileges. If you have admin rights, then The attacker gains computer control of your computer.

Microsoft rating: Critical

  • MS14-007:  Direct2D Memory Corruption Vulnerability

DirectX is a multimedia development API, primarily used by programmers to make games for Windows and to handle multimedia. It includes Direct2D, a component Windows uses to render two dimensional vector graphics. Direct2D suffers from a memory corruption vulnerability having to do with how it improperly handles specially crafted vector figures. By enticing you to open a malicious vector graphic, an attacker can exploit this flaw to execute code on your system, with your privileges. Of course, if you have administrative privileges, as most Windows users do, the attacker gains complete control of your computer. Since this vulnerability requires some user interaction to succeed, Microsoft assigns it an Important severity rating.

Microsoft rating: Important

  • MS14-009Multiple .NET Framework Vulnerabilities

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers. The .NET Framework suffers from three new security vulnerabilities, including an elevation of privilege flaw, a denial of service (DoS) vulnerability, and an issue that allows attackers to bypass one of Windows’ security features (Address Space Layout Randomization or ASLR). The worst of the three is the elevation of privilege flaws. Without going into technical detail, if an attacker can entice one of your users to visit a malicious .NET web page or run an .NET application locally, she can exploit this flaw to gain full control of that user’s system.

Microsoft rating: Important

  • MS14-005:  MSXML Information Disclosure Flaw

Microsoft XML Core Services (MSXML)  is a component that helps Windows, Internet Explorer, and other Microsoft products handle XML content. It ships with various versions of Windows, and other Microsoft products. If you have a Windows computer, you very likely have MSXML. MSXML suffers from an information disclosure vulnerability due to a flaw in the way it handles cross-domain policies. By luring your users to a malicious web site or specially crafted link, an attacker could exploit this flaw to gain access to some of the files on that user’s computer.

Microsoft rating: Important

Windows ships with a TCP/IP stack used to handle network traffic, and this stack now supports  IPv6. Unfortunately, the Windows IPv6 TCP/IP stack suffers from a denial of service vulnerability involving the way it handles large amounts of specially crafted router advertisement messages.  If an attacker on your local network sends a large amount of such packets, he can cause your Windows computer to stop responding. Of course, the attackers needs to be on the same subnet as the victim, with relegates this primarily to an insider threat. 

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. Especially, server related updates.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block a few of the issues described above, including:

  • WEB Microsoft ASP.NET POST Request DoS Vulnerability (CVE-2014-0253)
  • WEB-CLIENT Microsoft Graphics Component Memory Corruption Vulnerability (CVE-2014-0263)
  • WEB-CLIENT Microsoft MSXML Information Disclosure Vulnerability (CVE-2014-0266)

Your XTM appliance should get this new IPS update shortly.

However, attackers can exploit some of these flaws locally. Since your gateway appliance can’t protect you against local attacks, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Trio of Office Updates Fix SharePoint Flaw & ASLR Bypass

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products, including SharePoint
  • How an attacker exploits them: Varies. Typically by enticing users to visit malicious web content or open Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a like number of vulnerabilities in Microsoft Office and related products like SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-100: SharePoint Code ExecutionVulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from an unspecified remote code execution flaw having to do with how it parses specially crafted page content. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. However, Microsoft assigns this particular flaw an Important severity rating, probably because the attacker needs valid SharePoint credentials to exploit it.

Microsoft rating: Important

  • MS13-104: Office Access Token Hijacking Flaw

When you login to an Office or Sharepoint server, the server verifies your credentials and then produces an access token, which allows you to continue accessing the server for a limited period of time. Office suffers from an unspecified flaw having to do with how it handles documents hosted on web sites. If an attacker can entice you into opening an Office document hosted on a malicious site, he could exploit this flaw to gain access to your access token, and then may be able to leverage that token to hijack your SharePoint of Office server sessions.

Microsoft rating: Important

Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. One of the shared components that ships with Office products doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. Since Internet Explorer (IE) loads this component, it’s particularly useful for attackers. This update fixes the ASLR bypass hole. If you’d like more details about this fix, and how it helps your overall Windows security, see this Microsoft blog post. Though Microsoft only gives this their medium severity rating, we recommend you apply the update quickly.

Microsoft rating: Important

As an aside, Microsoft also released a security bulletin (MS03-103) describing a flaw that primarily affects developers and organizations that specifically use the ASP.NET SignalR library. If you happen to use the ASP.NET SignalR library, do know it suffers from a relatively minor cross-site scripting (XSS) vulnerability, and you should update.

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server. Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Office Updates Mend Word and Outlook Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word and Outlook
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents or email
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that fix four vulnerabilities in Word and Outlook. We summarize the bulletins below, in order from highest to lowest severity.

  • MS13-091: Multiple Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office.  It suffers from three memory corruption vulnerabilities having to do with how it handles malformed Word and WordPerfect files. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Word or WordPerfect document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Word except for Word for Mac.

Microsoft rating: Important

  • MS13-094:  Outlook S/MIME Information Disclosure Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from an information disclosure vulnerability involving the way it handles specially crafted S/MIME certificates. By convincing one of your users to open or preview a malicious email with a specially crafted S/MIME certification, an attacker could exploit this flaw to learn a bit about the victim system, including its IP address and the ports it listens on. However, the attacker could not leverage the flaw to compromise the victim system.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Updates Correct One of Two Zero day

Today’s the second Tuesday of the month, which means it’s Microsoft (and Adobe) Patch Day. One of Microsoft updates fixes a zero day vulnerability, so we recommend you install at least that one as quickly as possible.

According to their summary post for November 2013, Microsoft released eight security bulletins today, fixing 18 security flaws in products like Internet Explorer (IE), Windows, Office products, and Hyper-V. They rate three of the bulletins as Critical.

The most critical update is the ActiveX one, since it fixes a zero day flaw. A few days ago, researchers at FireEye reported that advanced attackers were exploiting a previously unknown IE flaw in targeted attacks. Microsoft quickly confirmed the flaw was due to a particular ActiveX control, and promised to fix it today. Since attackers are exploiting this particular ActiveX control in the wild, you should apply the ActiveX “killbit” patch first. The IE and GDI updates also fix some pretty serious issues, so I would apply those patches quickly as well.

For those wondering, Microsoft hasn’t yet released a patch for the previously reported zero day TIFF vulnerability. If you haven’t installed the FixIt I recommended last week, be sure to do that too.

In a nutshell, check out Microsoft’s summary and try to install all the updates at your earliest convenience. Microsoft’s Auto Update can make the process easier, but I still recommend you test server-related updates before applying them.

I’ll post more detailed alerts about Microsoft updates throughout the day, so stay tuned. As an aside, it’s also Adobe patch day. I’ll eventually post an alert for that too, but you can get a preview here.  — Corey Nachreiner, CISSP (@SecAdept)

Attackers Exploiting a Zero Day in Windows, Office, and Lync

Today, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability that affects Windows, Office, and Lync.

In a nutshell, the vulnerability has to do with how certain versions of Windows, Office, and Lync handle specially crafted TIFF images. If an attacker can trick you into viewing a malicious image, including ones embedded in Office documents, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative permissions, as most Windows users do, they attacker gains complete control of your computer.

McAfee researchers first discovered this flaw being exploited in the wild, and they share some interesting details about the issue on their blog (Microsoft also shares some extra technical detail here). While the flaw lies in Microsoft’s image handling components (GDI+), the public attack actually arrives as a malicious Word document with an embedded TIFF, which the attackers send via email. Microsoft claims attackers are only exploiting the flaw in limited, targeted cases.

Since they just learned about the flaw recently, Microsoft hasn’t had time to patch it yet. However, they have released a FixIt which mitigates the issue. FixIts are not considered full patches, but they can protect you until Microsoft releases their final update. If you use any of the affected versions of Windows, Office, or Lync, I highly recommend you apply the FixIt as soon as you can. Microsoft does also offers a few other workarounds, such as disabling the TIFF codec, or using the EMET tool (something I suggest you do in general), but I think the FixIt is the quickest and most reliable solution.

I’ll continue to follow this issue as it evolves, and will post here as soon as Microsoft releases a patch. — Corey Nachreiner, CISSP (@SecAdept)

Sharepoint, Excel, and Word Security Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Word, and Excel
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix five vulnerabilities in SharePoint, Word, and Excel, which are all part of Microsoft’s Office suite of products. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-084: Two SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both a remote code execution and cross-site scripting (XSS) flaw. The remote code execution is the more severe issue, and involves a flaw in the way Sharepoint handles specially crafted Excel files (this flaw directly relates to an Excel flaw we describe below). If an attacker can entice you to open a specially crafted Excel file from a SharePoint server (or from the Office Services or Web Apps), he could leverage this flaw to execute code on your computer, with your privileges. If you’re an administrator, the attacker has total control of your machine.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-085Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. One of these two Excel flaws is identical the the Excel-related flaw in Sharepoint. This flaw does not affect Excel 2003, but it does affect Excel for Mac

Microsoft rating: Important

  • MS13-086 Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It, like Excel, suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word 2003 and 2007, not Word for Mac.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of these attacks:

  • WEB Microsoft Parameter Injection Vulnerability (CVE-2013-3895)
  • EXPLOIT Microsoft Word Memory Corruption Vulnerability (CVE-2013-3891)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

IE Update Fixes Two Zero Day Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a web page containing malicious content
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing ten vulnerabilities affecting Internet Explorer (IE); including two that attackers have been exploiting in the wild.

On it’s surface, this bulletin looks very similar to many of Microsoft’s past IE bulletins.  It describes ten “memory corruption” vulnerabilities, which share the same scope and impact. If an attacker can lure one of your users to a web page containing maliciously crafted content, he can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Since Windows users often have local administrative privileges, attackers can leverage these issues to gain complete control of their machines.

However, today’s IE update differs slightly in that it fixes two zero day vulnerabilities that attackers are exploiting in the wild. We’ve warned you about the first in a previous post, and just learned about a second one today.

These remote code execution flaws pose significant risk to IE users, especially the two zero day ones. Attackers can exploit them to launch drive-by download attacks, and we’ve already seen them doing so with two of these vulnerabilities. If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s September IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3897)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3875)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3871)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3886)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3885)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3874)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3873)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Follow

Get every new post delivered to your Inbox.

Join 7,379 other followers

%d bloggers like this: