It is March Patch Tuesday 2015, and, similar to last month, we have more issues to deal with than in a normal month. Or maybe that is the new normal: patches from Microsoft, patches from Adobe and a set of other security issues on top.
Before we get to these patches, it’s important to note that we also had two out-of-band issues this month: FREAK and Superfish.
FREAK is a vulnerability in SSL, discovered by the team at SMACKTLS. The vulnerability allows an attacker in a Man-in-the-Middle (MITM) position to downgrade your computer’s SSL communication to an export grade cipher (512 bit RSA), which is breakable relatively quickly (< 24 hours). Once the attacker has the key she can eavesdrop on your communication, modify it, and even redirect you to impostor sites. SMACKTLS has a short video on their site where they demo this effect on the National Security Agency (NSA) website. Matthew Green has a well written blog post expanding on some of the issues and their historical background (i.e. what an export grade cipher is and why it exists). The good news: the issue is, for the most part, already addressed. OpenSSL fixed the issue (CVE-2015-1637) in January, Apple is releasing patches today in 2015-002 for Mac OS X and iOS 8.2 for the iPhone, and Microsoft is updating the vulnerable SChannel library in MS15-031. You can check individual systems, both servers and clients, over at SSL Labs.
Superfish is a company that makes an advertising module for browsers. The idea is to analyze your browsing/traffic and offer you the best advertising possible. Lenovo is one of their customers and preinstalled Superfish on a number of consumer laptops starting last year. In order to analyze and modify your SSL traffic, Superfish installs a local network shim on your machine that intercepts all SSL traffic, decrypts it and re-encrypts it using its own certificate. In order to do that transparently, it installs its own root certificate authority on the machine. An SSL site that you go to will appear normal in your browser, but when you look at the certificate you will see that it was signed by Superfish, Inc. This behavior is already quite invasive (after all, your browsing habits are sent to a server that analyzes your behavior), but unfortunately the implementation of the mechanism also has two serious vulnerabilities:
- The certificate used to sign the new traffic is the same across all machines, so an attacker who has extracted the certificate and its key from his own machine can use them to manipulate the traffic on all other machines as well. A MITM position is a necessary precondition.
- The module tries to reject self-signed certificates, but it only handles the most obvious form of self-signed certificate; another form passes through unmodified, allowing an attacker to use a self-signed certificate in an attack. Again, a MITM position is a necessary precondition.
Security researchers quickly extracted the certificate and found its password in the code. Robert Graham from ErrataSec showed how a MITM attack could be mounted with a small computer, a Raspberry Pi. Our recommendation: uninstall the Superfish software and remove the offending certificate. Instructions can be found here at Lenovo’s site: http://support.lenovo.com/en/product_security/superfish_uninstall
Ok, back to Microsoft’s patches: 14 this month, five of them critical. The highest priority goes to MS15-018, the bulletin for Internet Explorer. All versions of IE are affected, from IE6 (on Windows Server 2003) to IE11. The new version addresses 12 vulnerabilities, 10 of which are critical and could be used to execute code on the target machine. One of the vulnerabilities has been publicly disclosed, but it is not of the Remote Code Execution type, which takes some of the exposure off. In a typical scenario an attacker would plant malicious HTML code on a website under her control and lure the target to the site, or hack a site that the target habitually browses to and simply wait for the target to come to the site. MS15-019 is the sister bulletin to MS15-018: it fixes for IE6 and IE7 the VBScript component that MS15-018 addresses for newer browsers. Install this bulletin first.
MS15-022 is our next bulletin in terms of severity. It addresses five vulnerabilities in Microsoft Office, one of them critical, in the RTF parser. The RTF parser can be executed automatically in the preview pane when receiving an e-mail, so Microsoft rates this vulnerability critical. Two of the remaining vulnerabilities also give the attacker Remote Code Execution, so we rank this bulletin highly in today’s lineup.
MS15-021 addresses eight font based vulnerabilities in Windows. An attacker that can trick the target into rendering a malformed font can gain Remote Code Execution on the target’s machine. Attacks can come through web pages or be document based, i.e. Office or PDF documents.
MS15-020 is the last critical bulletin in this month’s lineup. Windows Text Services has a vulnerability that allows an attacker who can trick the target into browsing a directory on a website, or into opening a file, to gain remote code execution on the machine. It also has a fix for CVE-2015-0096, a vulnerability related to the original Stuxnet vulnerability CVE-2010-2568. HP ZDI reported that vulnerability to Microsoft and has a good technical writeup on their blog.
The remaining bulletins are all ranked lower, typically only as important, because they do not give an attacker remote code execution but rather leak information or allow local escalation of privileges. MS15-024 and MS15-029 address bugs found through lcamtuf’s afl-fuzz tool, which he is continuously improving and making smarter. Take a look at his blog for a series of posts on afl-fuzz.
MS15-026 is a bulletin for Microsoft Exchange that addresses a number of privilege escalation and information leakage issues. If you run Outlook Web Access, take a look at this bulletin. FREAK also applies to servers, although in a different way. On the server side, if you disable export grade ciphers you ensure that your users cannot be exploited through the FREAK vulnerability even if their clients are not patched. Head over to SSL Labs if you want to do a quick check on your server’s state.
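As an added illustration of what a detector on the server or network side can look for (example code written for this post, not from SMACKTLS, Microsoft or SSL Labs), the following Python parses a TLS ServerHello and alerts when the negotiated cipher suite is export grade, which is exactly the outcome the FREAK downgrade produces; the sample ServerHello is constructed inline.

```python
import struct
from typing import Optional

# IANA cipher suite code points for the export-grade suites from RFC 2246 / RFC 4346.
# The three RSA_EXPORT suites are the ones FREAK abuses: the server answers with a
# temporary 512-bit RSA key that the MITM can factor offline.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and chosen suite."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]                      # after 2-byte version + 32-byte random
    pos = 35 + sid_len
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def check_server_hello(record: bytes) -> Optional[str]:
    """Alert text if the server agreed to an export-grade suite, else None."""
    suite = parse_server_hello(record)["cipher_suite"]
    name = EXPORT_SUITES.get(suite)
    if name is None:
        return None
    return "export-grade suite negotiated: %s (0x%04x)" % (name, suite)


def build_server_hello(suite: int) -> bytes:
    """Constructed sample: minimal TLS 1.0 ServerHello with an empty session id."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A server configured as recommended above, with export suites disabled (the `!EXPORT` exclusion in OpenSSL cipher-string terms), can never produce a ServerHello that trips this check.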
Adobe is also releasing an update (APSB15-05) for Flash, which Microsoft embeds in Internet Explorer, but apparently it will only come out on Thursday. Microsoft writes in KB2755801: "On March 10, 2015, Microsoft released an update (3044132) for Internet Explorer 10 on Windows 8, Windows Server 2012, Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows Technical Preview, and Windows Server Technical Preview. The update addresses the vulnerabilities described in Adobe Security bulletin APSB15-05 (available March 12, 2015). For more information about this update, including download links, see Microsoft Knowledge Base Article 3044132."
That is it for this month. Patch as quickly as possible but also take a look at your exposure to Superfish and be aware that there are a number of other applications that modify your root certificate store and might be used to eavesdrop on your communication.