
January 2012 Patch Tuesday

2012’s first Patch Tuesday has seven bulletins, including the bulletin postponed from December 2011 that addresses the BEAST-style information disclosure. On the subject of schedule changes: Microsoft also released bulletin MS11-100 for ASP.NET, originally planned for this January, between Christmas and New Year's 2011, so you might have missed it.

Our highest priority is MS12-004, which fixes two vulnerabilities in Windows Media Player: one critical in MIDI playback, one important in closed caption (CC) interpretation. The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerabilities can come either through e-mail or by hosting the media file on a website; they have the potential to be used in drive-by-download attacks.

Next on our list is MS12-005, a vulnerability in the Windows .NET packager that can be triggered through a malicious Microsoft Office Word or PowerPoint document. Microsoft rates it only as 'important', but we consider vulnerabilities that rely only on a user opening a file critical enough to move them up in priority.

MS12-006 is the aforementioned fix for the BEAST attack and should be deployed on all of your web servers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions. If you did miss the MS11-100 release over the holidays, now is a good time to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools, maybe even to the one advertised here by Crista (via @mikko).

MS12-001 is the bulletin that was tagged as addressing a 'Security Feature Bypass' flaw. This is a new category and Microsoft has written a blog post explaining the details involved. In summary: a certain version of Visual-C (2003 RTM) implemented the SAFESEH security measure in a way that Windows XP, 2003, Vista, Win7 and 2008 were unable to read the information, so they fell back to running the binary without the SAFESEH handler checks. Binaries compiled with later versions of Visual-C (starting with SP1) are generated correctly, and MS12-001 now changes the affected Windows operating systems so that they can read the older format as well. There is no direct vulnerability here: an attacker would first have to identify software compiled with the old version of Visual-C, find a vulnerability in it and write an exploit that uses the SEH overwrite technique. Install it when you can, as it is a useful defense-in-depth measure.
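As an added illustration of the mechanism described above (example code written for this page, not Microsoft's loader logic or any Qualys tool), the following Python script walks a PE32 image's headers by hand and reports whether it carries a load-config record whose SEHandlerTable and SEHandlerCount fields are present and readable. It builds its own minimal PE fixtures in memory so that it runs offline; the load-config records, RVAs and section name are constructed values. The size check is a generic structural test (a record whose declared size does not cover the handler fields cannot be relied on to carry them) and does not reproduce the exact format difference that MS12-001 corrects.

```python
"""Added example: audit a PE32 image for a readable SafeSEH handler table.

Hypothetical helper, not Microsoft's loader logic. It walks the PE headers by
hand with struct, locates the Load Config directory and reports whether the
SEHandlerTable / SEHandlerCount fields are present and non-zero.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10   # index into the optional header's data directories
SEH_TABLE_OFF, SEH_COUNT_OFF = 64, 68    # field offsets inside IMAGE_LOAD_CONFIG_DIRECTORY32
SEH_FIELDS_END = SEH_COUNT_OFF + 4       # a record must declare at least 72 bytes to hold both


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def safeseh_status(image):
    """Classify a PE32 image: 'no-loadconfig', 'table-unreadable', 'no-table' or 'safeseh'."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = _u32(image, 0x3C)                       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = _u16(image, pe_off + 6)
    opt_size = _u16(image, pe_off + 20)
    opt = pe_off + 24                                # optional header follows the 20-byte COFF header
    if _u16(image, opt) != 0x10B:
        raise ValueError("only PE32 images carry a SafeSEH table")
    if _u32(image, opt + 92) <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:   # NumberOfRvaAndSizes
        return "no-loadconfig"
    lc_rva = _u32(image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    if lc_rva == 0:
        return "no-loadconfig"
    sections = []
    sec_base = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, sec_base + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    lc = rva_to_offset(sections, lc_rva)
    # The record's own Size field bounds what a loader may read from it; if it does
    # not cover the handler fields, the table is effectively unreadable.
    if _u32(image, lc) < SEH_FIELDS_END:
        return "table-unreadable"
    table, count = struct.unpack_from("<II", image, lc + SEH_TABLE_OFF)
    if table == 0:
        return "no-table"
    return "safeseh"


def build_pe32(load_config=None):
    """Construct a minimal, non-loadable PE32 image (test fixture only) with one section
    at RVA 0x1000 / file offset 0x200 that optionally carries a load-config record."""
    SEC_RVA, SEC_RAW, SEC_LEN = 0x1000, 0x200, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                   # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    if load_config is not None:
        dirs[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG] = (SEC_RVA, len(load_config))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # 16 data directories
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sec = b".rdata\0\0" + struct.pack("<IIII", SEC_LEN, SEC_RVA, SEC_LEN, SEC_RAW) + b"\0" * 16
    headers = dos + coff + opt + sec
    body = (load_config or b"").ljust(SEC_LEN, b"\0")
    return headers.ljust(SEC_RAW, b"\0") + body


# Constructed load-config records (values are arbitrary; the table RVA points nowhere real).
LC_WITH_TABLE = struct.pack("<I", 72) + b"\0" * 60 + struct.pack("<II", 0x2000, 3)
LC_NO_TABLE = struct.pack("<I", 72) + b"\0" * 60 + struct.pack("<II", 0, 0)
LC_SHORT_RECORD = struct.pack("<I", 64) + b"\0" * 60   # declares too few bytes to hold the table


def demo():
    """Run the classifier over the constructed fixtures."""
    return {
        "with_table": safeseh_status(build_pe32(LC_WITH_TABLE)),
        "no_table": safeseh_status(build_pe32(LC_NO_TABLE)),
        "short_record": safeseh_status(build_pe32(LC_SHORT_RECORD)),
        "no_loadconfig": safeseh_status(build_pe32(None)),
    }


if __name__ == "__main__":
    if len(sys.argv) == 1:
        for name, status in demo().items():
            print("%-14s %s" % (name, status))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print("%s: %s" % (path, safeseh_status(fh.read())))
```

Run it with no arguments to see the four fixtures classified, or pass paths to 32-bit binaries to audit them. Any result other than 'safeseh' means the image offers the loader no usable handler list, which is the case worth following up when inventorying software on systems that have not yet received MS12-001.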

Please also take a look at Adobe’s release today of new versions of Adobe Reader 9 and X. It covers CVE-2011-4369 for Adobe Reader X, which Adobe had already addressed for Adobe Reader 9 out-of-band on December 16th due to exploits in the wild, plus a security enhancement that allows better control of embedded JavaScript.

2011 Year in Review, Trends for 2012

Tony Bradley yesterday published a blog entry that contains a great summary of the top security incidents of 2011. This is worth reading for any IT administrator, as these attacks will grow in 2012, and if you are like me you may agree that one always learns better from real-life examples.

Tony Bradley, The Security Detail at TechTarget

Adobe Patch for Newest Reader 0-day

Adobe today released a patch for a flaw (CVE-2011-2462) in Adobe Reader 9. The flaw is actively being used in targeted attacks and can be used to take full control of the targeted machine. If you are interested in the technical details, one of the samples has been analyzed in detail by Brandon Dixon and Mila Parkour.

We recommend applying this patch as quickly as possible.

Adobe Reader X contains the same flaw, but the current attack is neutralized by its additional sandbox. While this does not mean that Adobe Reader X users are completely safe, it is a remarkable illustration of the effectiveness of the additional security features that newer products have been enhanced with.

The designers of Google’s Chrome browser spent a considerable amount of time on its sandboxing capabilities (see here for an illustrated walk-through of some of the design choices) and it has been quite effective – we do not know of any publicly disclosed attacks against Google’s browser at this time.

There is a great technical evaluation of browser security available from Accuvant, and, while it was funded by Google, the technical insight it provides is valuable. It’s a very enjoyable technical read, written by some of the industry’s brightest security engineers. Hopefully you have time to look at it over the holidays.

Fixing Java Vulnerabilities By Industry Collaboration

Malware operators are always looking for new ways to allow their programs to take control of additional machines. Their primary targets are Windows based machines, because they have the largest install base. However, the operating system has become increasingly difficult to attack, so exploit writers have focused their attention on critical vulnerabilities in 3rd party applications. These 3rd party vulnerabilities usually require user interaction (i.e. browse to a certain web page, open an e-mail, play a media file) to be successfully exploited, but malware operators have been able to get high conversion rates by using social engineering techniques and planting their attacks on trusted web sites. While the first wave of these exploits focused on Windows Office and the second wave on Adobe Reader and Flash products, we are now seeing increased attention on Java – Java has all the basic characteristics: it is widely installed, it has a set of well known vulnerabilities, and it has been largely ignored by IT administrators for patching.

Through our BrowserCheck application we have collected data showing that over 80% of all visiting workstations have Java installed. Of these machines, over 40% run a version of Java that has a critical vulnerability, making it the most vulnerable plug-in of all and giving malware an excellent chance to install itself and control the targeted machine.

A possible solution is to include Java in an existing automated update process. It would be ideal if Oracle/Sun could collaborate with Microsoft to use the well established and robust WSUS update process to distribute fixes to Java. If this mechanism could then be extended to all major software vendors, the Internet would become increasingly safer to use for all of us.

Additional September Security Advisories – Update

  • Twitter today fixed an XSS vulnerability that was triggered by hovering over a link on their website. The vulnerability had been fixed some time ago, but was inadvertently reintroduced in a recent update. Today it was disclosed again and spread quite quickly. Twitter has more info in their post here.
    Minded Security has an interesting analysis of an additional issue in the JavaScript code used and shows that finding a valid fix that works across all browsers requires experience and structured QA testing. Mikko Hypponen suggests that Twitter implement a bounty-based program, but it seems that the problems lie much lower in the dev/testing stack.

After last week’s patch Tuesday a few high profile vulnerabilities and patches have appeared this week:

  • Adobe accelerated their patch for the Flash 0-day vulnerability by one week and came out with it yesterday, Monday September 20. Google Chrome users got the patch through Chrome’s update mechanism and received it even earlier, on Friday, September 17. Google Chrome users can also use the Chrome-embedded PDF reader for most of their PDF usage, at least for simpler document viewing/printing, and thereby escape the still open Adobe Reader 0-day.
  • Samba, the popular file sharing server, issued a patch for a critical vulnerability. The vulnerability allows external users to cause a DoS condition and potentially take control of the Samba server. Most users will run a version of Samba supplied by their vendor and should contact them for the updates, e.g. Red Hat, IBM, Apple etc.
  • An exploit for a vulnerability in the 64 bit Linux kernel was published. The vulnerability allows a local user to take full control of the targeted machine. Limited reports of use of the exploit are coming in. A tool has been made available to detect infection. Engage your vendor for a patch.
  • Web applications that use Microsoft’s are vulnerable to a "padding oracle" attack against application cookies which allows the attacker to gain access to private information. There is a demo video online on YouTube. Microsoft issued security advisory KB2416728 and has acknowledged a limited number of attacks seen in the wild. The advisory contains workarounds that mitigate the information leak. Web application firewalls with the technology to protect application cookies can also help with the issue.
  • Apple published an update to Mac OS X 10.6 (Snow Leopard) fixing a single issue, which is quite uncommon as they normally bundle many security updates together. Earlier versions of Mac OS X are not affected. Quicktime for Windows was updated as well to address a known 0-day vulnerability.

Microsoft issues out of band update for LNK

Microsoft will issue an out-of-band update next Monday, August 2nd. The update will address the critical LNK vulnerability that applies to all versions of the Windows Operating system, from Windows XP SP3 to Windows 7.

Microsoft’s decision to issue this update before the normal Patch Tuesday on August 10 is due to reports of an increasing number of attacks that use the LNK flaw.

Windows 2000 and XP SP2 users will not be covered and are now in a predicament that will become increasingly urgent. Attacks will continue to become more prevalent and their defensive options are limited. Microsoft’s work-around in Advisory KB2286198 has a serious impact on the usability of the system, as desktop icons are all replaced by standard generic representations and navigation is hampered. The best option for XP SP2 users is to upgrade to SP3 as soon as possible; Windows 2000 users need to migrate to a new OS altogether.

Primary attack vectors for the LNK vulnerability are USB sticks and shared drives; the attack depends on a specially crafted LNK file and a custom DLL to function. Remote attacks through e-mail or websites are theoretically possible, but require multiple steps and user interaction. Nevertheless, disabling the SMB and WebDAV protocols in the outbound ruleset of internet facing firewalls is a measure that provides additional protection against the remote attack vector.

CSA Top Threat Report Coming

For the last couple of months we have participated in the Cloud Security Alliance’s project "Top Threats to Cloud Computing". A first version will be published at the Cloud Security Alliance Summit during RSA 2010.

Please help us with this effort by completing the Top Threats Survey. The survey takes about 5 minutes to complete and will help us understand whether we are on the right track with the areas covered.

The idea is to present summarized results of this survey at RSA. The project will continue to evolve after the conference as we incorporate your feedback.

Come see the results at the Cloud Security Alliance Summit!

SMB2 – 8 Days From 0-day To Exploit

Security Researchers at Immunity have released today an exploit for the SMB2 flaw in Vista/2008, as reported today by The Register’s Dan Goodin. The code is available under the Canvas Early Updates program and a paid subscription is needed to access it.

The exploit works on all versions of Vista and Windows 2008 with the exception of 2008 R2. Microsoft has described a workaround in this advisory, amounting to turning off SMB2. Implementing this workaround is now becoming critical, as attackers will have access to the code soon, in the most optimistic case next week, when HD Moore expects Metasploit to have the exploit implemented.

Firefox browser to check for Flash updates

Yesterday the Mozilla foundation announced on their security blog that Firefox will start checking for outdated Flash plug-ins. This is a great way of improving the security of web browsers: Flash is often used by attackers to exploit client machines and is unfortunately notoriously difficult to update, requiring (on Windows) different update packages for Internet Explorer and all other browsers.

Now we just need to convince Hillary Clinton to let the Department of State use Firefox.

As you can see this worked fine for me on my Mac under Firefox 3.0.14.

IIS FTP 0-day Exploit Released – Updated

This Monday, proof of concept exploit code for a Microsoft IIS FTP vulnerability was posted to the milw0rm site. The code allows the attacker to take control of the machine that runs the vulnerable FTP server and can easily be automated and turned into a mass attack tool by combining it with a scanning tool. In order to be exploitable, the vulnerable FTP server needs to allow write access and the creation of directories. Unfortunately, even anonymous write access is enough to make the server vulnerable, but this requirement nevertheless cuts down on the number of potential targets.

Microsoft acknowledged the vulnerability and published advisory 975191 this afternoon, listing IIS 5.0, 5.1, 6.0 and also 7.0 as affected. The advisory suggests as work-arounds to either disable FTP altogether, limit access to only authorized and named users, or use NTFS permissions to prohibit the creation of directories on the server. The NTFS solution seems to be the way to go for users that cannot make a bigger change to their FTP services and has minimal impact, so it is a good interim solution until a real patch comes out. We don’t expect this problem to be addressed in next week’s Patch Tuesday release, as the development and QA time required is too long; it makes sense to prepare for a longer period without a real solution. An alternative way of dealing with the problem is to evaluate whether a robust FTP server with more granular management capabilities can be deployed instead of the one built into IIS.

HD Moore ported the exploit code to his Metasploit project yesterday. This makes it even simpler for IT administrators to demonstrate the existence of the exploit and argue for the deployment of an alternative FTP server.

Updated to include IIS 7.0, as Microsoft amended their advisory on 9/3/2009.