Back to qualys.com
90 posts

May 2013 Patch Tuesday Preview

It is the week before Patch Tuesday May and Microsoft has published its Advance Notification, giving us insight into what to expect next Tuesday.

There will be 10 bulletins this month, covering all versions of Internet Explorer (IE), Microsoft Office and Windows. The fixes for IE include the patch for the current 0-day vulnerability. A total of five bulletins allow for remote code execution (RCE) and should be the focus points for your patching next week.

Continue reading …

New Adobe Flash Addresses Attacks on Firefox

Adobe released a new version of their Flash player fixing three vulnerabilities. The new version should be installed as soon as possible, as Adobe is aware on attacks occurring in the wild against two of the vulnerabilities. Interestingly Adobe found these attack to be directed against Firefox and bypassing the Firefox Sandbox:

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target Flash Player in Firefox."
We recommend updating your installation of Flash as soon as possible even if you are not using  Mozilla’s Firefox browser.
Microsoft has updated KB2755801 for Internet Explorer 10 (IE10) which indicates that IE10 users are getting a new version of the browser as well. On Tuesday Microsoft had made IE10 available to all Windows 7 users as an optional download, bringing enhanced speed and security to Windows 7.
Adobe states that Google Chrome users will also see automatic updates to their browser:
"Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux."
but I have not seen the update come out yet. Stay tuned – we will update the post as soon as we hear news on Chrome.

February 2013 Patch Tuesday

The second Patch Tuesday of 2013 has a much higher volume than usual. There are 12 bulletins, five of which are critical, addressing a total of 57 vulnerabilities. But the majority are concentrated in two bulletins, one covering Internet Explorer (IE), the other one the Windows Kernel driver win32k.sys.

The two bulletins affecting IE are the highest priority. One of them, MS13-009, is referred to as the "core" IE update by Microsoft because it addresses a number of vulnerabilities directly in IE. It covers 13 bugs with all but one of them being Remote Code Execution vulnerabilities that can be used by an attacker to gain control over a user’s machine via drive-by-download. That type of attack is common and is easily accomplished by surreptitiously installing malware on a Web surfer’s computer when he or she visits a page with malicious code on it.

The second bulletin also affecting IE, MS13-010, addresses a vulnerability in an ActiveX Dynamic-Link Library (DLL). It is rated critical and quite urgent to fix because the vulnerability is being exploited in the wild. The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional Vector graphics. VML has been patched twice before in 2007 and 2011 and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing. Both IE updates, core and VML, should be installed as quickly as possible.

Speaking of patching quickly: after last week’s Flash release from Adobe to address two 0-day vulnerabilities, today they released again a new version (APSB13-05) of its Flash plug-in, this time addressing 17 vulnerabilities. Users of IE 10 and Google Chrome will get updated automatically, because these two browsers integrate Adobe Flash in their sandboxes. By the way, Qualys' free MS13-012. It addresses vulnerabilities in the popular Outlook Web Access (OWA) component of Microsoft Exchange caused by the inclusion of the Oracle Outside-In libraries in Exchange. Attackers could exploit this vulnerability by sending a malicious document to a user. If the user opens it through OWA, the act of rendering the document infects the mail server as it uses the vulnerable libraries. It is not the first time that the Oracle libraries have caused this problem in Exchange, and attackers might be quick in exploring this vulnerability. As a result, we recommend to schedule a patch as quickly as possible.

Here are a couple of other updates of note:

  • MS13-020 is a critical bulletin that affects only installations of Windows XP, which is on its way to becoming obsolete. If you are still running XP, you should make this patch a high priority and start planning for its replacement as its end-of-life is set for April 2014.
  • MS13-011 is the last critical bulletin and fixes an issue in Windows that can only be exploited when a certain codec popular in Asian countries is installed. There is public PoC code available, so if you are in the target group you should prioritize accordingly.
  • MS13-016 is where the bulk of this month vulnerabilities reside. Security researcher j00ru from Google reported 30 new vulnerabilities in a Microsoft kernel driver, all of which can be used to gain system privileges on a machine that the attacker already has some control over. BTW, j00ru is also on the team that is credited with 15 vulnerabilities found in Adobe Flash.

February 2013 Patch Tuesday Preview

Today Microsoft published its Advance Notice for this month’s Patch Tuesday. But more importantly Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows and Mac OS X. Update your Flash installations as quickly as possible – Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.

Now back to Microsoft itself. We are looking at a little bit heavier Patch Tuesday with 12 bulletins that will address a total of 57 vulnerabilities. Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 – 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical Operating System level bulletin for Windows XP, 2003 and Vista, whereas users of the newer versions of Windows will not be affected. Bulletin 4 is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month’s Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.

The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" type of vulnerabilities, meaning that one already has to be on the targeted computer to be able to attack them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST Indexing server for Sharepoint and it also caused by Oracle’s update of the Outside In libraries that are used by Microsoft for document conversion processes.

Internet Explorer 0-day bulletin – Update

Update:
MS13-008 is live for download. Due to the availability of exploits treat with the highest priority and install as quickly as possible.

Please note that this update is a real patch and not a cumulative update, as we are used to for typical Internet Explorer updates. It is highly recommended to have MS12-077 (the last cumulative Internet Explorer update) installed before applying MS13-008.

Original:
Microsoft has posted an advance notification for an Internet Explorer update that will be released later today. The update will address the current 0-day vulnerability (CVE-2012-4792) that was first detected in late December 2012.

January 2013 Patch Tuesday

The first Patch Tuesday of 2013 started with a relatively normal rhythm. We are getting seven bulletins, with two bulletins considered "critical" and five bulletins "important." The one thing upsetting this normal balance is a current 0-day vulnerability that affects Internet Explorer 6, 7 and 8 — which represents 90% of the IE install base at this time — but which is not part of the Patch Tuesday release. It was initially reported by FireEye on December 28 and the exploit has since made it into a Metasploit module and at least one Exploit kit. While Microsoft is not providing a patch today, they have provided a Fix-It for the issue, which addresses the known attacks in the wild, and also counters the Metasploit module. However, as Exodus Intelligence pointed out over the weekend, there are other ways of triggering the vulnerability that have not been covered by the Fix-It. IT admins in enterprises should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8. And admins should apply the Fix-It even though it can be bypassed because it addresses the currently known attacks

ie_percentages.png

Back to January’s bulletins, where MS13-002 is the most important patch in the lineup. It addresses a vulnerability in the MSXML library, which is an integral part of many Microsoft software packages. It is affecting every Windows version from XP to RT, plus all Office versions and a number of other packages, such a Sharepoint and Groove. The most likely attack vector is a malicious webpage. But an email with Office document attachment can also be a viable alternative for attackers. Patch this one as quickly as possible.

MS13-001, the second critical vulnerability, is in the Microsoft Windows Printer spooler software on the client side. It is located in a part of the spooler that provides extended functionality, and is not exercised by any Windows software, only by third-party software. The necessity of third-party software and the combination of the steps and events necessary to exploit this vulnerability makes us rank it on a lower level than MS13-002. Microsoft has a good post at the SRD blog explaining the components involved.

All the other bulletins are ranked as "important" as they do not allow code execution:

  • MS13-004 addresses several .NET issues, but attacks are limited to the Intranet context and cannot be initiated from the Internet lowering the risk of this bulletin.
  • MS13-005 fixes a flaw in the win32k.sys kernel module that weakens the AppContainer sandbox in Windows 8. By itself it is not a critical flaw, but could be used in conjunction with other vulnerabilities to attack a Windows 8 system.
  • MS13-006 prevents a protocol attack on SSL v3 that can happen when a Microsoft browser communicates with a third-party web server. An attacker that controls a network device in between the browser and server could downgrade communication to SSL v2. The attacker could then exploit any of the common flaws in SSLv2, ultimately eavesdropping on the communication.

In addition to the Microsoft patches, there is new software coming from Adobe as well. Adobe announced a new version of their Adobe Reader and Acrobat software – APSB13-02. The advisory applies to Windows, Mac OS X and Linux. Microsoft also updated security advisory KB2755801 for Internet Explorer 10, because it includes a new Adobe Flash build, and IT admins should look at the standalone Adobe Flash APSB13-01 release, as well. Adobe has also published advisory APSA13-01 for three ColdFusion vulnerabilities. The advisory provides information for workarounds, while Adobe is working on a patch.

Overall we are looking at a pretty normal Patch Tuesday, with the main worry for IT administrators centered on the Internet Explorer situation and its potential workarounds. One interesting option is to look at Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which has a number of additional mitigation steps that can be applied to Internet Explorer. EMET is effective in preventing the current 0-day and has worked the same way against the last IE 0-day in September, too. I have been running EMET for 6 months now with no side effects – highly recommended as an additional security measure.

January 2013 Patch Tuesday Preview

Microsoft just published the Advanced Notification for the first Patch Tuesday of 2013. We will be looking at seven Bulletins, two rated "critical" and the remaining five rated "important." In total a wide variety of software will be updated including all versions of Windows (Windows RT is affected by four bulletins), Office, Sharepoint and System Center Operations Manager.

For IT administrators the focus should be on the two critical bulletins. While the first one affects only Windows 7 and Windows 2008 R2, the second one lists all versions of Windows, plus a number of server software. It is likely that it is a vulnerability in one of the base libraries of Windows that is widely used, such as Windows XML Core Services, which had its last fix in July of 2012 under MS12-043.

IT administrators should further take a look at the latest Internet Explorer 0-day vulnerability that Microsoft acknowledged the problem in KB2794220. While it affects Internet Explorer 6, 7 and 8, Microsoft is only aware of working exploits for IE8. They have published a workaround for the issue as a Fix-It and we recommend that organizations evaluate that until Microsoft provides a permanent patch for Internet Explorer itself.

Microsoft also published an advisory with a certificate update that invalidates a fraudulent certificate for *.google.com that was issued by the Turkish CA TURKTRUST. The certificate update will be transparent for organizations that have the automated certificate updater installed . All others , which includes Windows XP users for example, should push out KB2798897 manually to avoid the possibility of having their Web traffic intercepted by someone using the fraudulent certificate. See also the Google announcement and the blog post by Mozilla on the same issue originally discovered in late December by Google.

Please note that later this month, on January 15, Oracle will publish its quarterly Critical Patch Update (CPU) as well.

New 0-day Vulnerability in Internet Explorer

Update:

Microsoft published a Fix-it script that uses the appcompat Shim mechanism to counter the exploit and turn it into a crash rather than code execution.
  
Original:
Microsoft just made public advisory 2794220 for a new vulnerability that affects Internet Explorer 6, 7 and 8. Yesterday Fireeye had published a post on their blog describing an active attack on that vulnerability hosted on the Council of Foreign Relation’s (CFR) website, which they believe to have been active since Dec 21st. The attack on CFR’s site is targeted, works only against IE 8 and uses Adobe Flash to setup the environment necessary.

Internet Explorer 9 or 10 are not affected by this vulnerability and upgrading to these versions of IE is a good option for individual users. IT admins that cannot up[garde that fast, should take a look at the EMET toolkit which Microsoft has been listing as a defensive workarounds for this attack and as well as the last IE 0-day in September (2757760). 
Microsoft’s SRD blog post goes over the technical details of the current attacks and provides some insight how the attackers circumvent IE’s built-in protection mechanisms by using a components from Flash, Java and Office.

December 2012 Patch Tuesday

Today is the last Patch Tuesday of 2012. Its seven bulletins bring the total count for the year to 83, significantly down from last year’s 100 bulletins and even more from the 2010 count, which ended at 106 bulletins. Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year. We see this as a clear sign of a more mature process. Compare the relative smoothness of this year’s releases (blue line) to the two years before (red and green) and you can see where we are coming from:

bpm.png

Back to the December Bulletins: Five of this month’s bulletins are rated as critical by Microsoft, meaning that the addressed vulnerabilities can be used by an attacker to gain complete control over the targeted machine. Of the five, we think that MS12-079, a bulletin for Microsoft Word, is the most important. The attack can be accomplished through e-mail using a flaw in the Rich Text Format (RTF). An attacker can gain control of a computer without end user interaction because Microsoft Outlook automatically displays the malicious text in the Preview Pane. A potential work-around is to manually configure the preview pane in Outlook’s Trust Center to use plain text only, but one loses a significant amount of functionality that way. A close second in priority is the Internet Explorer bulletin MS12-077, which addresses vulnerabilities in Internet Explorer 9 and 10, the newest versions of IE that run under Vista, Windows 7 and Windows 8. Here, an attacker would have to lure the attack target to browse to a malicious webpage. This is a tad harder than sending the target a simple e-mail, another common attack method.

MS12-081 fixes a vulnerability in Windows Explorer and is triggered through a malicious Unicode filename. The attacker would have to control an SMB or WebDAV fileserver that the target accesses in order to exploit the vulnerability. A good mitigation for these types of attacks would be firewall SMB filesharing and WebDAV on the outbound firewall or proxy to restrict the use of these protocols to the internal network and limit their use on the Internet.

MS12-080 is this month’s only server side bulletin and it addresses a vulnerability in Microsoft Exchange and Sharepoint that stems from the inclusion of the Oracle Outside In file conversion software. IT admins should treat this bulletin the same way that they treated MS12-058 in August 2012 which had the exact same root cause, i.e. Oracle’s release of a new version of Outside In in their quarterly Critical Patch Update.

Please note that KB2755801 was updated, which shows that Microsoft embedded a new version of Flash in Internet Explorer 10. If you are not on IE10 yet and have Flash installed, you should take a look at Adobe’s Product Security Incident Response Team (PSIRT) site to apply the update yourself, which addresses three critical vulnerabilities.

Microsoft has also published a new whitepaper on defensive techniques against "Pass the Hash" attacks. "Pass the Hash" is a technique used by attackers after the initial exploit, in which they use the stored password hashes to gain access to other machines in the local network. It is an interesting read and offers plenty of configuration advice to help defend against this popular exploitation technique. The whitepaper is recommended reading over the holidays!

December 2012 Patch Tuesday Preview

Today Microsoft announced seven bulletins that will be released in next week’s Patch Tuesday. Five of the bulletins are rated critical, and two are important. Between them they affect all currently supported Operating Systems, including Windows 8 and Windows RT.

Bulletin 1 is rated critical and affects Internet Explorer 9 and 10 on all platforms that support IE 9 and IE10, starting at Vista all the way to Windows 8 and RT. Bulletin 2, which is rated critical as well, applies to all versions of Windows and again includes both Windows 8 and Windows RT.

Bulletin 3 is special, as it affects Microsoft Word and is rated critical, which happens very rarely. Usually Microsoft downgrades even Remote Code Execution Office vulnerabilities to "Important," because a user interaction (e.g., opening a malicious file) is required. In this case we assume the "critical" rating comes from Outlook, which can be configured to use Word to visualize documents in its preview pane. This is an automatic mechanism that does not require user interaction. In any case, this is will be an important bulletin to watch out for.

Bulletin 4 is a critical fix for a number of Microsoft server software products. It includes the widely installed Exchange and Sharepoint, plus an update for Microsoft Office Web Apps 2010 Service Pack 1. Office Web Apps are the webified version of Word, Excel, etc., and we expect them to have lesser impact on IT, as the applications have fewer installations. In any case, Server Administrators need to take a good look at this bulletin to see if they need to take action.

All in all, we are looking at a normal-sized Patch Tuesday with a mix of browser, operating system and Office updates that will keep all areas of IT administration quite busy through the end of the year. For many Windows RT users, it will be the first time for a software update, and it will be interesting to see how they react and what the uptake of the patches will be.