Update2: Microsoft released a critical bulletin MS15-078 for a font problem that affects all versions of Windows and allows Remote Code Execution. Microsoft credits Google’s Project Zero, Fireeye and TrendMicro. TrendMicro indicates that the vulnerability came out of the HackingTeam data breach. Google’s entry for the bug indicates that they are aware of exploit code avaliable in the wild, which explains Microsoft’s out-of-band release. Patch as quickly as possible.
Update: Oracle’s CPU July 2015 fixes the 0-day vulnerability CVE-2015-2590 in Java reported by Trend Micro. We recommend treating this patch with high priority. Note: if you think you cannot use new Java due to requirements for old versions, have you looked at Oracle’s deployment rulesets?
Original: When we started preparing internally for July’s Patch Tuesday, we debated what the biggest issue of the month would be. Two parties emerged, we were split in the middle between end-of-life of Windows Server 2003, and the mystery vulnerability MS15-058 that Microsoft did not release last month. Well, it turns out both parties were wrong: the biggest issues this month are the multiple 0-days in Adobe Flash.
On Sunday, July 5th an attacker leaked 400 GB of data taken from the network of the Italian surveillance software company HackingTeam. The data contains e-mails, documentation and source code that has been scrutinized for interesting information by a number of journalists and security researchers. HackingTeam’s main product is a Remote Control Software called Galileo aimed at the government market.
Galileo provides its government customers a centralized console to monitor and control targeted computers through the installation of an agent. Security researchers were interested in the mechanisms that HackingTeam uses to get their agent onto the targets running Windows, Mac OS X, Linux, iOS and Android. They were assuming that Galileo contains a number of 0-day vulnerabilities usable for remote infections.
So far they have found four 0-day vulnerabilities: three in Adobe Flash and one in Microsoft Windows. Adobe already addressed the first vulnerability last week in an out-of-band patch (APSB15-16) that also fixed 35 other vulnerabilities, in essence anticipating their normal Patch Tuesday release. Since then two other 0-day vulnerabilities in Adobe Flash have been found that Adobe acknowledges in APSA15-04 and is addressing today. But security researchers are not the only ones using the data dump to search for vulnerabilities. Cybercriminals have been doing their own research and have been able to integrate all three 0-day vulnerabilities into the major ExploitKits exposing the general public to these previously unknown attacks. Since no patches had been available before today, our advice so far has been to either uninstall Flash to completely neutralize the attack, use EMET on Windows to provide additional hardening for your browser or use Google Chrome as your browser as it was not affected by at least the first Flash 0-day. BTW, for more info on the data breach, I recommend Steve Ragan’s Salted Hash blog post as a starting point.
Adobe and Microsoft 0-days are not the only ones that are out there. Trend-Micro reported on a 0-day in Java, that affects the latest Java v8u45, which is used in targeted attacks at the moment. Oracle is releasing their quarterly Critical Patch Update July 2015 today, which will address 25 vulnerabilities in Java, which covers this 0-day already. but does not cover this particular vulnerability yet. Stay tuned for a potential out-of-band release.
So, where does this whole situation leave you? This year we have seen multiple 0-day attacks quickly integrated into mainstream attack products. This affects every organization and every user on the web and not only the companies that are under targeted attacks by sophisticated actors. You can address this by:
Minimizing your software footprint: an uninstalled software package can be taken out of your threat model. Even uninstalling on part of your infrastructure is worth the effort.
- Fast patching: Stay ahead of the attackers that are increasingly professional in the analysis of patches and the reverse engineering of the vulnerabilities addressed.
- Additional hardening: Software like EMET and other “process strait jackets” can help to buy you the time needed to come up with a permanent solution. For Java take a look at Deployment Rule Sets that allow you to selectively enable Java where needed.
Ok, enough of an intro to today’s large Patch Tuesday. Let’s get into the details: there are also fixes from Adobe for Reader and Shockwave, as well as Microsoft 14 bulletins for both server and client side and the large Oracle delivery that covers tens of product and fixes over 100 vulnerabilities.
For Adobe and Microsoft here are the bulletins that come out on the top of the list:
- APSB15-18 addresses the currently exploited CVE-2015-5122 and 5213. Apply this patch now.
- MS15-065 addresses 28 vulnerabilities in Internet Explorer, with three of them known already (CVE-2051-2413, CVE-2015-2419 and CVE-2015-2421 ). CVE-2015-2425 also comes from the data dump at HackingTeam as well and I am impressed by the fix speed that Microsoft showed here. Of the other vulnerabilities a full 19 are of type RCE and allow the attacker to take over the targeted machine simply by browsing to an malicious, or infected site.
- MS15-070 addresses eight Remote Code Execution (RCE) vulnerabilities in Microsoft Office, with one under current exploitation (CVE-2015-2424).
- MS15-077 fixes a vulnerability in the Adobe Type Manager that is under active exploitation (CVE-2015-2387).
- MS15-058 is the vulnerability that got left behind last month. It covers three critical RCE type issues in MS-SQL server, which has not had any security patches since the last service packs. If you use MS-SQL take a look at the scenarios that apply, which are restricting somewhat who is affected.
- MS15-067 a critical vulnerability in RDP. If you use RDP as your remote access protocol on Windows 7, 8 or 2012 this should be high on your list.
- MS15-068 fixes 2 critical vulnerabilities in Hyper-V, which you should look at if you make production use of Microsoft’s virtualization technology.
The remaining bulletins address issues in Windows of critical and important severity levels. These should be implemented after you have worked your way through the priority issues from Adobe and Microsoft. Btw, Adobe also released updates for Reader (46 CVEs addressed) and Shockwave Player.
BTW, July is the last month of patches for Windows Server 2003. Nine of the 14 bulletins affected Windows Server 2003. That is a clear indication that attackers will continue to find issues in Windows 2003 at roughly that rate (take a look at qualys.com/research for a some example of Windows XP). There are only two things to do to avoid that threat, migrate away from Server 2003 or pay Microsoft for the necessary patches through a special support contract.
Please feel free to comment, either here in the blog or via e-mail at firstname.lastname@example.org. I am very interested in hearing how this higher speed in information security is affecting your and your teams.