Today, Microsoft has published the July Advance Notification for next week’s Patch Tuesday. We will get seven bulletins, 6 rated as "critical" and providing Remote Code Execution (RCE) and one bulletin (for Windows Defender on Windows 7) marked "important".
Bulletin 4 is for Internet Explorer and affects all versions from IE6 on Windows XP to IE10 on Windows 8 and RT. This will probably the most important Bulletin to implement, together with Bulletin 3 which addresses vulnerabilities capable of giving RCE to an attacker in Windows, Office and Lync.
Microsoft will also address a vulnerability (CVE-2013-3660) that has been discussed quite a bit since May, when Tavis Ormandy first posted about a possible way of exploiting a memory managment problem in win32k.sys and soon thereafter several implementations became public (including one in Metasploit), making it in essence a 0-day.
All in all, a normally sized Patch Tuesday, but with a large number of critical issues. Stay tuned for our port on next Tuesday, but for time being it seems as if this Patch Tuesday will generate work for both Desktop and Server admins.
For Patch Tuesday this month, we are receiving critical updates from both Microsoft and Adobe. Microsoft has five bulletins, bringing the six-month total up to 51 bulletins, about 20% more than we had in 2012.
The most important Microsoft bulletin is MS13-047, a fix for Internet Explorer (IE).The bulletin is rated “critical,” addresses 19 vulnerabilities and affects all versions of IE, from IE6 to IE10, running on all versions of Windows, from XP to RT. Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage. Apply this bulletin as quickly as possible on all workstations that use IE for Internet access.
Microsoft has published its June Advance Notification, giving us insight into what to expect next Tuesday. This release looks relatively small with only one critical and four important security bulletins making it the smallest of 2013 yet. But it does patch some of the more widely used and important windows components.
Bulletin 1 is rated as critical and affects all versions of Internet Explorer on all Windows platforms. If left unpatched, this vulnerability can cause RCE (remote code execution) which implies that an attacker can take control of the victim computer if the victim browses to a malformed website using Internet Explorer(IE). Since the browser is a window to the internet, IE users should apply this RCE patch as soon as it is released.
Today for Patch Tuesday, Microsoft and Adobe are both coming out with critical fixes for a number of widely installed and attacked programs. Microsoft has 10 bulletins addressing a total of 33 vulnerabilities, and Adobe is releasing new versions of Adobe Reader, Adobe Flash and Coldfusion.
It is the week before Patch Tuesday May and Microsoft has published its Advance Notification, giving us insight into what to expect next Tuesday.
There will be 10 bulletins this month, covering all versions of Internet Explorer (IE), Microsoft Office and Windows. The fixes for IE include the patch for the current 0-day vulnerability. A total of five bulletins allow for remote code execution (RCE) and should be the focus points for your patching next week.
It’s the Thursday before April’s Patch Tuesday, and Microsoft’s Advance Notice has gone live.
There are nine bulletins this month, affecting all versions of Windows, some Office and server components and also Windows Defender on Windows 8 and RT. However only two bulletins are rated “critical”.
Bulletin 1 is for all versions of Internet Explorer (IE), including the newest IE 10 on Windows 8 and RT, and should be on the top of your patching efforts. It is rated “critical” and allows Remote Code Execution through today’s most common attack vector: one of your users browsing to a malicious website. Bulletin 2 is the second vulnerability, rated “critical”, and affects the Windows Operating System, except the newest versions, WIndows 8, Server 2012 and Windows RT (the tablet version).
The remaining bulletins are all rated “important” and affect Windows, the Sharepoint server, — and interestingly a security product — Microsoft’s malware scanner, Windows Defender on Windows 8 and Windows RT. The vulnerabilities addressed in these bulletins typically allow the attacker Escalation of Privilege from a normal user to an admin level user once they are already on the machine or can trick the user to open a specifically-crafted file.
In other important news, the PostGreSQL Open Source project has published a new version of its database product that addresses five security flaws. One of them, CVE-2013-1899 allows the attacker to delete database files without authentication, leading to data loss and denial of service, and they considered it important enough to warrant last week a pre-announcement of the upcoming release expected this week.
Please keep also in mind that Oracle has scheduled an extra release for Java this month. Normally Java is on a four-month release cycle: February, June and October of each year. Due to the amount and severity of recent vulnerabilities discovered, there will be an additional release that will go live on April 16th.
Google and Mozilla patched their browsers within 24 hours of the receipt of the vulnerabilities found through PWN2OWN .
It is the beginning of March and Microsoft just published the Advance Notice for this month’s Patch Tuesday.
We will get seven bulletins next week, affecting all versions of Windows, some Office components and also Mac OS X, through Silverlight and Office. Four of the bulletins carry the highest severity rating of “critical”.
Bulletin 1 will be on the top of our list next week. It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT. Bulletin 2 addresses critical vulnerabilities in Microsoft Silverlight, both on Windows and Mac OS X, and is widely installed at least on end-user workstations to run media applications, for example Netflix. Bulletin 3 is a vulnerability in Visio and the Microsoft Office Filter Pack. It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the “critical” rating. The last critical bulletin is for Sharepoint server.
The three remaining bulletins are all rated “important” and apply to OneNote, Office 2010 for Mac and Windows itself.
In other security news, the ZDI’s PWN2OWN competition is currently going on at the CanSecWest security conference in Vancouver. PWN2OWN awards prizes ranging from US$ 20,000 to US$ 100,000 to security researchers who can demonstrate vulnerabilities in the following products: Adobe Flash, Adobe Reader, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Oracle Java. In yesterday’s run, prizes have been claimed for Oracle Java by James Forshaw, Oracle Java again by Joshua Drake, IE10 on Windows 8 by VUPEN, Google Chrome on Windows 7 by a team from MWR Labs, John and Nils and finally Mozilla Firefox and finally Oracle Java, both by the team at VUPEN. Today the competition continues with attacks on Adobe Reader, Adobe Flash and IE10, and is then followed by Google’s Pwnium3, which awards prizes of over US$ 100,000 for vulnerabilities in Google’s ChromeOS.
You can expect patches for these vulnerabilities to be released over the coming weeks. We will keep you updated here, so stay tuned.
In the October 2011 Patch Tuesday, Microsoft released update MS11-077 to fix a null pointer de-reference vulnerability (CVE-2011-1985). In this paper, we will reverse engineer the patch for MS11-077 (CVE-2011-1985) to get a better understanding of the vulnerability fixed by this patch.
Using binary diff, we can see the changes that were made to the vulnerable file win32k.sys. Figure 1 below shows the TurboDiff results.
Figure 1: TurboDiff Results
As you can see in Figure 1 above, while most of the functions are identical, there are a couple of functions that look ‘suspicious’ and some others that are ‘changed’. The large number of changes is not a surprise because Microsoft has fixed four different vulnerabilities with this patch.
Taking a closer look at all the functions that were changed, you will see that the changes made to functions ‘NtUserfnINLBOXSTRING’, ‘NtUserfnSENTDDEMSG’ and ‘NtUserfnINCBOXSTRING’ are all the same. Figure 2, below shows the changes made.
Figure 2: Binary Diff for function NtUserfnINLBOXSTRING(x,x,x,x,x).
Looking at the binary difference, it is clear that the patch is checking that the arg_0 (first argument passed to the function) is 0xFFFFFFFF and if it is 0xFFFFFFFF, call _UserSetLastError() with 0x578 and return from the function.
This gives us two pointers to exploit the vulnerability. The first is that the arg_0 has to be 0xFFFFFFFF. The second pointer is that the patched function bails out setting system error code to 0x578. This is the system error code for ERROR_INVALID_WINDOW_HANDLE, thus hinting us that the argument is of type HWND.
Everything until now is pretty simple and it looks easy to exploit this vulnerability. However, the really challenge here is finding a user mode function that will call the vulnerable function. It turns out this isn’t very straightforward, and we will need to understand the Windows GUI subsystem.
Win32 GDI Subsystem:
Figure 3: Win32 interfaces and their relation to the kernel components
The GDI (Graphics Device Interface) APIs are implemented in the GDI32.DLL and include all the low-level graphics services such as drawing lines, displaying BMPs etc. The GDI APIs make system calls into the WIN32k.sys to implement most APIs. The User APIs are implemented in USER32.DLL module and include all higher-level GUI-related services such as window management, menus, dialog boxes, user controls etc. USER heavily relies on GDI to do its work.
One of the most important means of communication in Windows is Messages. Windows-based applications are event-driven and act upon messages sent to them. The way you program in Windows is by responding to events. These events are called Messages. Messages can signal many events, caused by the user, the operating system, or another program. Each window, owned by a thread, has a window procedure (function) for processing input messages and dispatching them to the operating system. If a thread accesses any of the user interface or GDI system calls (handled by win32k.sys), the kernel creates a THREADINFO structure which holds three message queues used to process input. These are the input queue, the post queue, and the send queue. The input queue is primarily used for mouse and keyboard messages, while the send and post queues are used for synchronous (send) and asynchronous (post) window messages respectively.
Asynchronous messages are used in one-way communication between window threads and are typically used to notify a window to perform a specific task. Asynchronous messages are handled by the PostMessage APIs and are sent to the post queue of the receiving thread. The sender does not wait for the processing to complete in the receiving thread and thus returns immediately.
Synchronous messages differ from asynchronous messages as the sender typically waits for a response to be provided or a timeout to occur before continuing execution. Thus, they require mechanisms to ensure that the threads are properly synchronized and in the expected state. Synchronous messages use the SendMessage APIs which in turn directs execution to the NtUserMessageCall system call in win32k.sys.
This information is enough for us to take our analysis further.
Hitting the vulnerable function:
As described above, the message mechanism plays an integral role in the user interface component of the Windows operating system. There are many different types of message codes and those less than 0x400 are reserved by operating system. Depending upon the type of message code, NtUserMessageCall() calls a particular function to handle the message. Let’s take a closer look at how NtUserMessageCall, calls the appropriate functions to handle different message types.
Figure 4: Assembly code for NtUserMessageCall()
As seen in the above figure, the function first checks if the Msg code is less than 0x400(EAX has the Msg code) to check if it’s a system message code. Each Message code denotes an index in the win32k!MessageTable byte array. This byte value is than logically AND to 0x3F, since the last 6bits of the byte obtained from win32k!MessageTable determines the function that will handle the Message code. _gapfnMessageCall is a function table that stores address of all the functions that can handle different messages. See Figures below to see how _gapfnMessageCall table looks.
Figure 5: _gapfnMessageCall function table
Thus if we can get the index of our vulnerable function in _gapfnMessageCall, we can easily compute how we can call the vulnerable function. The index of our vulnerable functions are 29(0x1D), 27(0x27) and 43(0x2B) for NtUserfnINLBOXSTRING(),NtUserfnINCBOXSTRING() and NtUserfnSENTDDEMSG() respectively.
Following is the pseudo code to compute Msg codes for hitting the vulnerable function:
for i in range[0x00 to 0x400] if MessageTable[i] & 0x3F == 0x1D //NtUserfnINLBOXSTRING() Hit! if MessageTable[i] & 0x3F == 0x1B //NtUserfnINCBOXSTRING() Hit! if MessageTable[i] & 0x3F == 0x2B //NtUserfnSENTDDEMSG() Hit!
Proof of Concept:
Other Possible Msg codes for hitting vulnerable functions are: