Internal MITM attack in French Government Agency

On Saturday Adam Langley from Google documented a MITM attack on Google sites that happened in France in early December. A French government agency associated with the Treasury obtained certificates for Google domains in order to transparently (i.e. without users noticing) proxy and decrypt the traffic to those Google sites. According to the government agency this was only done for internal traffic within the ministry.

Google detected the unauthorized certificate through one of the monitoring mechanisms built into the Chrome browser (Chrome's public-key pinning, which rejects and reports certificates for Google domains that do not chain to the keys Google expects) and followed up with the certificate authority in question, ANSSI, which confirmed that the certificate had been issued in violation of its own policies. The certificate has been revoked.

Google, Microsoft and Mozilla have updated their certificate stores to reflect the revocation. Google's and Microsoft's automatic update mechanisms will take care of the propagation for Chrome and for Windows 7 and above. Mozilla's update will be released later this week in Firefox 26.

New Adobe Flash Addresses Attacks on Firefox

Adobe released a new version of their Flash player fixing three vulnerabilities. The new version should be installed as soon as possible, as Adobe is aware of attacks occurring in the wild against two of the vulnerabilities. Interestingly, Adobe found these attacks to be directed against Firefox and to bypass the Firefox sandbox:

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target Flash Player in Firefox."
We recommend updating your installation of Flash as soon as possible even if you are not using Mozilla's Firefox browser.
Microsoft has updated KB2755801 for Internet Explorer 10 (IE10), which indicates that IE10 users are getting a new version of the Flash Player embedded in the browser as well. On Tuesday Microsoft had made IE10 available to all Windows 7 users as an optional download, bringing enhanced speed and security to Windows 7.
Adobe states that Google Chrome users will also see automatic updates to their browser:
"Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux."
but I have not seen the update come out yet. Stay tuned – we will update the post as soon as we hear news on Chrome.

February 2013 Patch Tuesday Preview

Today Microsoft published its Advance Notification for this month's Patch Tuesday. But more importantly, Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows and Mac OS X. Update your Flash installations as quickly as possible; users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.

Now back to Microsoft itself. We are looking at a somewhat heavier Patch Tuesday with 12 bulletins that will address a total of 57 vulnerabilities. Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 to 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical operating-system-level bulletin for Windows XP, 2003 and Vista; users of the newer versions of Windows are not affected. Bulletin 4 is the expected patch for Microsoft Exchange, which uses the Outside In library from Oracle; that library contains critical vulnerabilities that Oracle fixed in last month's Critical Patch Update (CPU). The last critical vulnerability is covered by bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.

The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" type vulnerabilities, meaning that an attacker already needs to be running code on the targeted computer to exploit them. One exception is bulletin 5, which can be used for Remote Code Execution. It affects the FAST Search Server for SharePoint and is likewise caused by vulnerabilities in Oracle's Outside In libraries, which Microsoft uses for document conversion.

January 2013 Patch Tuesday Preview

Microsoft just published the Advance Notification for the first Patch Tuesday of 2013. We will be looking at seven bulletins, two rated "critical" and the remaining five rated "important." In total a wide variety of software will be updated, including all versions of Windows (Windows RT is affected by four bulletins), Office, SharePoint and System Center Operations Manager.

For IT administrators the focus should be on the two critical bulletins. While the first one affects only Windows 7 and Windows Server 2008 R2, the second one lists all versions of Windows plus several server products. It is likely that it is a vulnerability in one of the widely used base libraries of Windows, such as Windows XML Core Services, which had its last fix in July of 2012 under MS12-043.

IT administrators should further take a look at the latest Internet Explorer 0-day vulnerability, which Microsoft acknowledged in KB2794220. While it affects Internet Explorer 6, 7 and 8, Microsoft is only aware of working exploits for IE8. They have published a workaround for the issue as a Fix-It, and we recommend that organizations evaluate it until Microsoft provides a permanent patch for Internet Explorer itself.

Microsoft also published an advisory with a certificate update that invalidates a fraudulent certificate for * that was issued by the Turkish CA TURKTRUST. The certificate update will be transparent for organizations that have the automated certificate updater installed. All others, which includes Windows XP users for example, should push out KB2798897 manually to avoid the possibility of having their Web traffic intercepted by someone using the fraudulent certificate. See also the Google announcement and the blog post by Mozilla on the same issue, originally discovered in late December by Google.

Please note that later this month, on January 15, Oracle will publish its quarterly Critical Patch Update (CPU) as well.

June Patch Tuesday 2012 – Update 2

Update 2:

As expected, Oracle released a new version of Java today with 14 fixes for vulnerabilities. Java 6 is now at the update 33 level, while Java 7 is at the update 5 level. In a change from past behavior, Apple synchronized their own release of Java with Oracle's and provides Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 in advisory APPLE-SA-2012-06-12-1.

Update 1:

Microsoft today also published Security Advisory 2719615, which describes a vulnerability in XML Core Services that is currently being exploited in the wild. Machines running Windows XP up to Windows 7 are affected by the vulnerability, which can be exploited by a specifically crafted, malicious webpage. The vulnerability was discovered by Google and the Qihoo 360 Security Center.

June's Patch Tuesday comes in with a slight change. Microsoft is holding back the bulletin for Office and replacing it with a bulletin for Microsoft Lync, the enterprise instant messaging offering, also rated important. The number of advisories stays the same but the number of vulnerabilities addressed goes from 28 to 26.

Initially we also expected to get a new Windows Update client to further harden the Windows Update process, but this has been postponed to start after Patch Tuesday. The new Windows Update client is designed to address one of the security findings brought to light by the Flame malware: a flaw in Microsoft's Terminal Server licensing certificate chain that allowed attackers to obtain a certificate chaining to a Microsoft root and usable for code signing, making malware appear as legitimate Microsoft software. As an immediate workaround, organizations should install KB2718704 as soon as possible; it moves the offending certificates into the Untrusted Certificates store on each workstation. Ultimately Microsoft is changing its software distribution process to gain additional robustness by delivering a new Windows Update client that requires a new and unique code signing certificate and secures the delivery channel with additional restrictions.
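The same check applies to the TURKTRUST update (KB2798897) discussed above and to the ANSSI revocation that opens this page: is the blacklisted certificate actually present in the Untrusted Certificates store, and is the automatic certificate updater that normally delivers such blacklists active? As an added example, not code from the original posts or from Microsoft, here is a PowerShell script that answers both questions. The subject/issuer name patterns, the elevated PowerShell 2.0+ session and the FILETIME layout of the last-sync registry value are assumptions of the example; the KB articles give the authoritative thumbprints.

```powershell
# Added example, not code from the original posts: list blacklisted certificates
# in the machine-wide Untrusted Certificates store (the Cert: drive calls it
# "Disallowed") and report whether the automatic certificate updater is active.
# Assumptions (not stated in the posts): elevated PowerShell 2.0+; the name
# patterns below are placeholders, replace them with the thumbprints from the KB.

$Patterns = @(
    'TURKTRUST',                                  # assumption: issuer name of the fraudulent intermediates
    'Microsoft Enforced Licensing Intermediate'   # assumption: sub-CA behind the Flame certificate
)

function Get-UntrustedCertificate {
    # Returns every Untrusted-store entry whose Subject or Issuer matches a pattern.
    # An empty result means the KB has not been applied, or the updater has not synced.
    param([string[]]$Match = $Patterns)
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed | Where-Object {
        $cert = $_
        [bool]($Match | Where-Object { $cert.Subject -like "*$_*" -or $cert.Issuer -like "*$_*" })
    } | Select-Object Thumbprint, Subject, Issuer, NotAfter
}

function Get-CertAutoUpdateStatus {
    # The updater is turned off when policy sets DisableRootAutoUpdate=1.
    # DisallowedCertLastSyncTime (assumption: an 8-byte FILETIME) records the last
    # download of the disallowed-certificate list. It is absent on Windows XP, which
    # has no such updater and therefore needs the KB pushed manually.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $state  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

    $disabled = $false
    if (Test-Path $policy) {
        $disabled = ((Get-ItemProperty -Path $policy).DisableRootAutoUpdate -eq 1)
    }

    $lastSync = $null
    if (Test-Path $state) {
        $raw = (Get-ItemProperty -Path $state).DisallowedCertLastSyncTime
        if ($raw -and $raw.Length -eq 8) {
            $lastSync = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
        }
    }

    New-Object PSObject -Property @{
        AutoUpdateDisabledByPolicy = $disabled
        DisallowedListLastSyncUtc  = $lastSync
    }
}

# Usage: report updater state, then the matching blacklist entries
Get-CertAutoUpdateStatus | Format-List
$found = @(Get-UntrustedCertificate)
if ($found.Count -eq 0) {
    Write-Warning 'No matching blacklisted certificate found: push the KB manually or fix the updater.'
} else {
    $found | Format-Table -AutoSize
}
```

A host that reports AutoUpdateDisabledByPolicy as True, or no DisallowedListLastSyncUtc at all, will not receive these blacklists on its own and belongs in the manual-push group regardless of its Windows version.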

Notwithstanding the changed advisory, the highest priority continues to be MS12-037, an advisory for Internet Explorer that fixes 12 vulnerabilities. One of them, CVE-2012-1875 is already being used in limited attacks in the wild, making it urgent to apply the patches for the vulnerability as quickly as possible. Another one of the vulnerabilities addressed is CVE-2012-1876, which was turned over to Microsoft by VUPEN during the PWN2OWN contest, held in early March at CanSecWest in Vancouver. Related to PWN2OWN, Google also released this week a description of the second exploit against Google’s Chrome browser discovered at CanSecWest, which examines how security researcher Sergey Glazunov chained together an impressive 14 vulnerabilities to gain control over the target machine.

Our second highest priority is advisory MS12-036, which fixes two vulnerabilities (one critical) in the Microsoft RDP service, which were discovered internally by Microsoft after further auditing the RDP code during the investigation of the MS12-020 advisory. As with MS12-020, requiring Network Level Authentication (NLA) for RDP sessions is a valid workaround, and we recommend configuring NLA as the standard authentication mechanism as a hardening measure.

MS12-038 is the third critical advisory; it covers a .NET weakness in the delivery of XBAP applications through the browser. IE9 is not affected because XBAP is disabled by default, at least in the Internet Zone, a great defensive setting. XBAP also gained additional warnings in the older IE browsers with the release of MS11-044 last year.

Operating-system-level hardening also helps against one of the other vulnerabilities, MS12-039, which includes a DLL pre-loading vulnerability. The recommended configuration setting (KB2264107 from June 2010) of changing the DLL search path constitutes a valid workaround and would prevent machines from falling prey to an attack using this mechanism.
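Both workarounds above, NLA for RDP (MS12-036, as for MS12-020) and the KB2264107 DLL search path setting (MS12-039), come down to a registry value plus a check that it took effect. As an added example, not code from the original post or from Microsoft, the PowerShell below applies and verifies both. It assumes an elevated PowerShell 2.0+ session on Windows 7 / Server 2008 R2 or later, the default listener name RDP-Tcp, and that KB2264107 is installed where the OS does not support CWDIllegalInDllSearch natively.

```powershell
# Added example, not code from the original post: apply and verify the two
# workarounds discussed above, Network Level Authentication for RDP (MS12-036)
# and the CWDIllegalInDllSearch setting from KB2264107 (MS12-039).
# Assumptions (not stated in the post): elevated PowerShell 2.0+ on Windows 7 /
# Server 2008 R2 or later, listener name 'RDP-Tcp', KB2264107 present where needed.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$SmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-RdpNlaStatus {
    # UserAuthentication: 1 = NLA required before a session is created.
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
    $p = Get-ItemProperty -Path $RdpKey -ErrorAction Stop
    New-Object PSObject -Property @{
        NlaRequired   = ($p.UserAuthentication -eq 1)
        SecurityLayer = $p.SecurityLayer
    }
}

function Enable-RdpNla {
    # Go through the Terminal Services WMI provider so the running listener picks
    # up the change without a restart; it updates the registry value above.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
    $result = $ts.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
    }
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer -Value 2 -Type DWord
}

function Get-DllSearchHardening {
    # Meaning of CWDIllegalInDllSearch per KB2264107. PowerShell reads the DWORD
    # 0xFFFFFFFF back as the Int32 -1.
    $v = (Get-ItemProperty -Path $SmKey).CWDIllegalInDllSearch
    if ($v -eq $null) { return 'not set: current working directory is searched for DLLs (default)' }
    if ($v -eq -1)    { return '0xFFFFFFFF: CWD removed from the DLL search order for all loads' }
    if ($v -eq 2)     { return '2: CWD skipped when it is a remote share or a WebDAV location' }
    if ($v -eq 1)     { return '1: CWD skipped when it is a WebDAV location' }
    return "unrecognised value $v"
}

function Set-DllSearchHardening {
    # 2 blocks the "open a document from a remote share" case that DLL pre-loading
    # attacks rely on while leaving local applications alone; -1 (0xFFFFFFFF) is
    # stricter and can break software that expects DLLs next to its data files.
    param([int]$Value = 2)
    if (@(1, 2, -1) -notcontains $Value) { throw "Value must be 1, 2 or -1 (0xFFFFFFFF)" }
    Set-ItemProperty -Path $SmKey -Name CWDIllegalInDllSearch -Value $Value -Type DWord
}

# Usage: report, harden, report again
Get-RdpNlaStatus | Format-List
Get-DllSearchHardening
Enable-RdpNla
Set-DllSearchHardening -Value 2
Get-RdpNlaStatus | Format-List
Get-DllSearchHardening
```

Two caveats a practitioner should keep in mind: NLA is a mitigation, not the MS12-036 patch, and it requires CredSSP-capable clients (Windows Vista and later; Windows XP needs SP3 plus a registry change), so inventory clients before flipping it on a jump host. KB2264107 also allows a per-application override of CWDIllegalInDllSearch under the Image File Execution Options key for programs that the machine-wide setting breaks.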

Other vendors are also releasing important patches. Last Friday, Adobe published a new version of its Flash player that addressed six vulnerabilities and introduced several new security mechanisms: sandboxing in Firefox, automatic updating for Mac OS X, and Developer ID signing in preparation for the coming roll-out of Mac OS X 10.8 Mountain Lion and its Gatekeeper component. Today, Oracle is also coming out with a new version of its Java runtime, and we recommend implementing this update as soon as possible, as attackers have been increasingly using Java security flaws for malware distribution.

By the way, if you are interested in the technical underpinnings of the Flame malware, the very sophisticated attack on the code signing certificate, including an estimate on the amount of work necessary to achieve a successful exploit take a look at this paper from Alexander Sotirov, one of the original implementors of a similar attack against a CA in 2008.

March 2012 Patch Tuesday Preview

Microsoft today released its Advance Notification for March 2012 with a total of six bulletins that affect all versions of Windows and two Microsoft applications, Visual Studio and Expression Design.

Bulletin 1 will be the most important; it is a critical-rated Remote Code Execution (RCE) vulnerability and is applicable to all versions of Windows from XP to the latest Windows 7 and Server 2008 R2. The other RCE vulnerability is in bulletin 5, rated important because it requires opening a malicious file in Expression Design, an application competing with Adobe's graphics tools.

Speaking of Adobe, they have released earlier this week a new version of their Flash player that addresses two vulnerabilities found by Google security engineers Fermin Serna and Tavis Ormandy. In this release they used for the first time their new "Priority" mechanism, which gives users some guidance regarding the urgency of applying patches – Priority 1 patches should be applied within 72 hours, Priority 2 within 30 days, and Priority 3 is left to the user. This particular Flash release is rated Priority 2 – fix within 30 days, but I would suggest fixing it as quickly as possible as detailed information will become available soon.

Google showed remarkable agility this week and released a new version of its Chrome browser, that addresses the vulnerability exploited on Tuesday at the Pwnium contest held at CanSecWest, where they rewarded security researcher Sergey Glazunov a prize of US$ 60,000.

Silent Updating for Internet Explorer

Good security news this morning…

Microsoft announced that in 2012 Internet Explorer will be updated "silently" to its newest possible version. This new silent update will eliminate the pop-up window that currently allows users to opt-out or postpone the update.

Silent updating is generally seen as a big improvement to security on the Internet; just take a look at the study done at the Swiss Technical University ETH by Stefan Frei. Being on the newest possible Internet Explorer (IE8 on Windows XP, IE9 on Vista/Win7) brings a significant increase in security and robustness against malware infections due to better architecture, sandboxing and the included URL filtering feature.

Microsoft is not alone in moving to silent updates. It follows Google’s Chrome browser which pioneered the concept of silent updating in 2009, and more recently Mozilla Firefox has revealed that they are working on a "Firefox Updater Service" that will allow for silent updates as well. Overall this change is in line with the new update mechanisms coming in Windows 8, which will make the overall update experience much smoother for Windows users.

As expected, Enterprise users that control their patches tightly will not be affected by the change; they will continue to have full control over the versions of their browsers. For anybody interested in staying on their old browser, Blocker Toolkits for both IE8 and IE9 upgrades are available for download at Microsoft and their settings will continue to be honored.

The roll out starts in Australia and Brazil in January 2012 and I am looking forward to see the feedback data from Microsoft on what the level of success will be.