Qualys Blog

Windows 8 launched this week. It brings a new interface, but under the hood, it introduces a number of new security features.

The most significant change in terms of security is the use of the Unified Extensible Firmware Interface (UEFI) replacing the old BIOS. With UEFI, a computer will only run operating system kernels that have been digitally signed by an approved software vendor. Thus, the user is guaranteed that the operating system has not been tampered with by attackers.

Windows Defender, Microsoft’s Anti-Malware solution is now more comprehensive and is included by default in Windows 8, which is particularly attractive for consumers who will receive Anti-Malware protection out of the box. Organizations, which typically require management capabilities, such as reports on machine update status and alerts of neutralized malware, will still need to look for an enterprise malware solution.

Memory Management in Windows 8 has been rearchitected to provide additional safeguards, such as comprehensive randomization and guard pages. Most of the memory exploit tactics, such as heap sprays, that attackers use to gain control of a Windows 7 machine will now fail under Windows 8, which benefits all applications running on Windows 8.

Lastly, the Windows App Store will have significant impact on security. As users begin to favor the App Store as their main source for applications, overall security will be enhanced because it will be near impossible for an attacker to place a trojan horse in the store. In addition, the App Store will take care of keeping applications updated with the latest security patches.

Personally, I am in line for upgrading my home Windows machine to Windows 8

Today’s Microsoft Patch Tuesday should be a relatively fast event for most IT organizations. Microsoft released two bulletins, both rated "important," and both related to Cross Site Scripting (XSS). MS12-061 affects the development product "Team Foundation Server", and MS12-062 affects the system administration product "System Management Server". These software packages have a limited installed base, so only a small number of organizations need to install this update.

In other security related news, Security Advisory 2661254, which tightens Windows certificate acceptance rules, deserves attention. KB2661254 will go into automatic installmode through Windows Update in October, and IT admins should be aware of the consequences. The patch will change the Windows certificate system, and it will stop accepting certificates that are using RSA keys with fewer than 1024 bits because those keys are considered forgeable. The associated Microsoft Support article explains that the services that are potentially impacted by KB2661254 are web browsing and e-mail. For more background information on the recent Microsoft Certificate changes, look at Microsoft’s reaction to the DigiCert incident and recent events around the Flame malware.

For Internet accessible websites, our research data from the SSL Pulse project indicates that only two of the websites we monitor use a certificate with a short RSA key. End-users who access these sites after the update will see the following warning:

Microsoft’s newest operating system, Windows 8, already implements these tighter certificate checks, so installing KB26661254 standardizes the certificate treatment across operating system lines. BTW, Microsoft is not alone in outlawing this type of certificate; Google Chrome users will also run into a similar error, which is worded more technically:

We recommend installing KB2661254 on a limited number of internal machines in your organization this month to gather feedback on potential impacts. Your external websites can easily be checked for this type of key by using our SSL Labs tool. For internal sites and other services that use certificates such as mail servers and VPN, we recommend using a scanning tool with SSL support, which all major scanners include, for example Qualys Id: 38171 – Server Public Key too small.

Last week, NSS Labs published a report on the efficiency of protection provided by 13 consumer endpoint protection (AV) products against attacks targeting recent critical Microsoft vulnerabilities. John Dunn wrote about this report in NetworkWorld, and as he pointed out, the products struggled to shield the endpoint systems. While protecting against exploits of vulnerabilities is usually not the primary focus of these products, but nevertheless all of the companies tested receive detailed vulnerability information from Microsoft under the MAPP program so that they can implement proactive protections wherever possible. NSSLabs took a look at MS12-037 (CVE-2012-1875) in Internet Explorer fixed in June 2012 and MS12-043 (CVE-2012-1889) in Microsoft XML Core Services addressed in July 2012 and updated again in August 2012. Both of the vulnerabilities were 0-days and have been under active attack before the patches were released.

Results

The results revealed that many AV products have problems detecting these two exploits. When the exploits were served over HTTP, eight products caught all of them, while the remaining five had problems detecting all variations. When the exploit was served over HTTPS, only four of the products continued to be able to protect against the exploit.

The results are not very surprising. Endpoint protection packages have a long tradition in finding infected files on the machine, i.e. they are good at telling you that malware has found its way onto the system and in many cases are able to remove the infection or at least to quarantine the infected files. Proactive protection is a newer area and requires distinctly different technology more akin to Host-based intrusion prevention systems (HIPS).

The report sums it up: “Consumers, who delay patching, or fail to patch more than their operating system alone are at an elevated risk of compromise” and recommends: “Users of products that fail to block these attacks should update/patch immediately or otherwise mitigate”

In other words patching is still the best way of neutralizing exploits and stopping malware before they even get to the system. Patching has the recommendation of both the US and Australian governments as the security measure that has the best ROI.

In addition, NSS Labs did not push the products and tested only basic evasion techniques such as Base 64, Unicode and JavaScript encoding, and did not invest any effort into modifying the exploits, using them as available in Exploit-DB or Metasploit. In contrast, sophisticated attackers are capable of modifying the publicly available exploits and will not use the standard exploits if they are detected by the common endpoint protection packages.

Overall an interesting and eye-opening report from NSSLabs; I am looking forward to the comprehensive test that they will publish later this year.

Today, Microsoft released nine bulletins addressing 16 vulnerabilities for July’s Patch Tuesday. Of the three bulletins rated critical, the top priority goes to MS12-043 that addresses the MSXML vulnerability, which has been under attack for the last 30 days. Microsoft initially warned about limited targeted attacks against a Heap overflow in KB2719615 during June’s Patch Tuesday. Since then, an exploit for the vulnerability has made it into the Metasploit toolkit and at least into one of the popular ExploitKits called BlackHole. MS12-043 addresses the vulnerability for version 3,4 and 6 of MSXML, while version 5, which corresponds with Office 2003 and Office 2007, will be addressed in the future. Users of Office 2003 or 2007 should look into the newly published workaround in KB2722479, which contains a FixIt that addresses the vulnerability.

By the way, both the current workaround described in KB2719615 and the new one for MSXML in KB2722479 are applied via Microsoft’s in-memory patching technique known as appcompat shims, originally developed for maintaining application compatibility. They are very similar to the final patch and 100% effective, so if you have applied the FixIt, you have bought yourself some additional time for testing and deployment.

Bulletin MS12-044 is an update for Internet Explorer 9 that addresses two critical vulnerabilities. Both can be triggered through a malicious webpage, and both allow the attacker "Remote Code Execution," i.e., full control of the targeted machine. Apply this patch as quickly as possible if you run IE9. The exploitability index is 1, meaning that Microsoft believes that it is easy for attackers to reverse engineer the patch and develop an exploit. What makes MS12-044 more interesting is that it only applies to IE9, a clear sign that security researchers have started to shift their attention to the new version of the browser. It is also the product of an accelerated update cycle that Microsoft has been working on. In the past, Internet Explorer was updated only every two months – that was how long it took to get through all the compatibility testing required for a stable release. Now, Microsoft has streamlined this process to reduce the time needed by 50%.

The third critical bulletin (MS12-045) is an update for the MDAC component. While MDAC is a Windows component, the most likely attack vector is through web browsing, similar to the previous two bulletins.

The rest of the bulletins are rated important and should all be deployed conforming to your normal rollout schedule for that severity, but MS12-046 deserves special attention, primarily if you have machines that are configured for Asian character input. The bulletin addresses a Remote Code Execution vulnerability in Microsoft Office through the IMESHARE.dll, which is used in multi-byte character input. We generally believe that Office vulnerabilities that allow for remote code execution deserve a rating higher than "important". One mitigating factor is that not all Office installations are affected, but only machines that have multi character input are enabled. This vulnerability has seen some attacks already in the Far East and was originally reported by Huawei.

Beyond the normal bulletins, there are two interesting additional security advisories. The first deals with changes to the way certificates are handled – e.g., RSA certificates with fewer than 1024 key length will be considered insecure by default. In addition, Microsoft will publish an enhanced version of a certificate management tool for Windows Vista and above. The tool will allow Microsoft to react more rapidly to certificate problems by streamlining the emission and revocation of certificates overall.

The second advisory provides a tool to disable "Gadgets" in Windows Vista and Windows 7. Support for Gadgets is being discontinued by Microsoft, and from a security standpoint, the recommendation is to turn off Gadget capabilities in Vista and Windows 7. In Windows 8, Gadgets do not exist anymore, but similar functionality is provided by Metro Apps.

This month is also the first time that we will use the new WIndows Update infrastructure that was upgraded and hardened in response to the investigation of the Flame malware, which abused certain aspects of the update mechanism to propagate itself.

Microsoft today released its Advanced Notification for June containing seven bulletins addressing a total of 25 vulnerabilities. This is the same number of bulletins as last month and we are also getting the same number of 'critical' issues: three receive the highest rating, while four are the 'important' level. The bulletins affect all versions of Windows, the .NET framework, Microsoft Office, and Dynamics AX, the Microsoft ERP application.

Bulletins 1,2 and 3 are the critical bulletins for Windows. Bulletin 1 is for a vulnerability in Windows rated 'moderate' on XP, but 'critical' on all other versions of Windows including Windows 7. Bulletin 2 brings a new version of Internet Explorer (6,7,8,9 depending on Operating System) that include the fixes for the attack disclosed at the PWN2OWN contest in March. Bulletin 3 is an update to the .NET framework, again applicable to all versions of Windows currently supported.

Bulletin 4 is an update for Office, rated important, which in the Office context is roughly as severe as critical, as it usually indicates that the user needs to open a file to trigger the attack. Opening a file is an action completely natural to users of Office, so it does not really present a safeguard against this attack. Upgrading to the latest version of Office does represent a good safeguard in this case, as Office 2010, while affected by this vulnerability, is apparently immune to its triggering condition. Users of Office 2003 and 2007 should update as quickly as possible; Office 2010 users can apply the update at their leisure.

Bulletin 5 will only be interesting to a small subset of our users. It covers a vulnerability in Microsoft’s ERP portal Dynamics AX.

Bulletins 6 and 7 are local elevation of privilege vulnerabilities in Windows and are rated 'important'. However Vista users do not need to worry about Bulletin 7.

Most users should focus on bulletins 1-4, Windows and Office, together with the important security announcement from Microsoft regarding the abuse of a Microsoft certificate in the signing of the Flame malware. If you have not installed the update in Security Advisory 2718704 yet, you should plan on rolling it out as quickly as possible at least together with the other critical patches next week. It is a simple patch that only removes the offending certificates from the the system certificate store and will harden the OS against the expected use of the Flame signing technique by future Malware.

Also Oracle will publish an update of its Java version that we expect to be of critical importance. Stay tuned for more information from us next week.

Guest post from Rodrigo Branco, Director of Vulnerability and Malware Research at Qualys

Apple just released an advisory addressing 17 security flaws in QuickTime Media Player. The update is rated critical as several of the fixed vulnerabilities can be used to achieve "Remote Code Execution". One of the critical vulnerabilities addressed is CVE-2012-0671, which I discovered and reported to Apple earlier this year.

How was the vulnerability discovered?

I found the vulnerability by manually investigating and reverse engineering the binary code of QuickTime and created a fuzzer to cover specific portions of the Apple media formats. In this particular vulnerability, QuickTime does not parse .pct media files properly, which causes a corruption in the module DllMain through a malformed file with an invalid value located at offset 0x20E. In my testing I used QuickTime Player version 7.7.1 (1680.42) on Windows XP SP 3 – PT_BR, but most likely other versions on Windows affected as well.

A PoC repro01.pct is available for interested parties and was shared with Apple on February 22, 2012 to help them locate and fix the problem.

What does this vulnerability mean?

If you use QuickTime, attackers can take total control of your machine through this vulnerability, which is triggered by playing a malicious media file that uses overly large values in the PCT image format. A typical attack would embed such a file into a webpage and use social engineering to drive users into viewing the page. So far, there have been no reports of attackers exploiting this vulnerability yet.

To put this into context, QuickTime is used by 61% of all internet enabled PCs, including 49% of all Windows PCs and 98% of all Apple computers (numbers courtesy of Qualys BrowserCheck). Even if you don’t use QuickTime by default to play movies and videos, it can be used as the media player for the PCT format on all web browsers, including Chrome, Safari, Internet Explorer and Firefox.

All users, consumers and businesses alike, should download the security update as soon as possible since simply browsing to a malicious web page on any web browser can activate this vulnerability. If you’re not sure whether your QuickTime plug-in is updated, you can use Qualys BrowserCheck, a free service, to check if you need to download the update.

Throughout the whole process, Apple was very professional in handling this issue and provided constant status updates upon my request. It was great to see a company of Apple’s size taking a proactive role to ensure that their software and their users are protected from major vulnerabilities like this one.

A detailed advisory can be accessed at https://community.qualys.com/docs/DOC-3511

Update Edited to reflect that Oracle has released a configuration workaround, not a patch

This week Oracle released an out-of-band Security alert for the CVE-2012-1675 vulnerability in the Oracle Database Server V10 and V11, addressing a 0-day vulnerability that was recently published on the full-disclosure mailing list under the name "TNS Poison" by Joxean Koret. Apparently Joxean discovered the vulnerability in 2008, then sold it to iSightPartners and was under the mistaken impression that the vulnerability was fixed in last month’s CPU, when he released his advisory. More details can be found in a follow-up post on the ful-disclosure list and a video of the vulnerability being exploited can be seen here

The vulnerability is in the TNS listener part of the Oracle database server and allows an attacker to perform a man-in-the-middle attack by registering an additional database instance in the TNS listener. The listener will then start load-balancing traffic to the new instance. This allows the attacker to receive the database transactions, record them and forward them to the original database. The attacker can potentially modify the transactions and execute commands on the original database server.

While Oracle recommends addressing the vulnerability as soon as possible, we believe that the position of the Oracle databases in your network plays an important role in determining your modification roll-out. Production Oracle database installations typically do not expose their TNS listener to the Internet or even the enterprise network. A good map of your network environment will be helpful in determining where to act first.

Today Microsoft released its Advanced Notification for April 2012 with six bulletins addressing 11 vulnerabilities. Four of the bulletins are rated critical, two are rated important. The bulletins affect all versions of Windows, Internet Explorer and Microsoft Office, plus some of Microsoft’s developer tools.

Bulletin 1 will be the highest priority. It is a critical vulnerability affecting all versions of Internet Explorer (6,7,8,9) on their respective platforms XP, 2003, Win7 and 2008 both 32 and 64 bit. Bulletin 2 is the second most critical and updates the Windows operating system, again encompassing all versions, both 64- and 32-bit. Bulletin 3 is a critical update to the .NET framework. Bulletin 4 will be challenging as it addresses a wide variety of applications including server side software. It is critical and applies to all versions of Microsoft Office, but also to SQL Server and other Microsoft server products.

One of the important bulletins also deserves attention, at least for Office 2007 SP2 users. Bulletin 6 is rated important, but allows Remote Code Execution on that platform, probably using a maliciously crafted input file as the attack vector.

Google also released a new version of its Chrome Browser today. It fixes multiple vulnerabilities and includes the updates made to Adobe Flash last week in the wake of the PWN2OWN contest at CanSecWest. If you are using Chrome you should check in the "About Chrome" page to see whether you have received the automatic update already – there should be a green checkbox.

Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early morning yesterday at the Chaos Communication Congress (CCC) in Berlin. Microsoft tested and finished MS11-100 in record time, taking about 30 days for the process of integrating this new vulnerability with the fix that was already scheduled for January 2012. We consider Microsoft’s reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers work. We will be tracking how the other projects and vendors affected (PHP, Oracle, Phython, Ruby and others) are rolling out their patches.

The bulletin fixes the DoS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 1000 which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.

Overall the bulletin addresses four issues. CVE-2011-3416 is an ASP.Net Forms Authentication Bypass issue which is rated as critical. CVE-2011-3414 is the hash table collision DoS issue discussed above and is rated as important. CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability which is also rated as important. And finally CVE-2011-3415 is the Insecure Redirect vulnerability which is rated as moderate. We recommend installing as soon as possible if you have web based infrastructure that uses ASP.NET.

Resources:

• Advisory by oCERT – lists all affected platforms and technologies
• Advisory by nruns – technical detail
• Presentation by Alexander Klink and Julian Wälde at 28c3
• Microsoft SRD blog post on the workarounds available
• SRD blog post with implementation details and improved Snort rules
• KB2659883 – original Microsoft advisory

Last week Microsoft published advisory 2639658 for a new 0-day vulnerability in Windows' embedded font processing. The vulnerability now tagged as CVE-2011-2043 has been used in the infection vector for the recently discovered DuQu Malware.

Rodrigo Branco, our Director of Vulnerability and Malware Research just returned from the Microsoft BlueHat conference in Seattle with additional information on the behaviour of the vulnerability. Watch our conversation for further insight on the existing workarounds, their impacts and the current urgency to deploy them.

http://youtu.be/kE9fnQHTP2A