
New Java 0-Day Disclosed – Update 4

Update 4
Apple published an updated version of Java 1.6 for Mac OS X containing security in depth changes. Java 1.6 was not vulnerable to the exploit that affected the newer Java version v7, but Oracle included a new version nevertheless in last week’s update. We recommend installing this update according to your normal update schedule.

Update 3
Oracle just released an out-of-band patch for the flaw CVE-2012-4681.

Update 2
The use of this exploit for the Java 0-day is continuing to spread – Websense states that the exploit has been detected on over 100 sites so far.

The best defensive option continues to be to limit use of Java 7. The US CERT has a good comprehensive list of technical measures.

There is also some information about the initial disclosure of the vulnerability. Polish security research company Security Explorations reported this and a number of other Java vulnerabilities to Oracle in April. However, the exploit in the wild uses a slightly different code path, so they do not believe that it is based on their reports, but rather that the attackers found the vulnerability independently.

Update
Deep End Research has some more information available, including a pointer to an unofficial patch and some details on its workings. David Maynor from ErrataSec put the Metasploit module through its paces and it performs well under Windows, Mac OS X and Linux.

Original
Over the weekend, an exploit for a new Java 0-day vulnerability was described by Atif Mushtaq at the FireEye Malware Intelligence Lab blog. The attackers serve a malicious piece of Java code from a web server to the browser; it installs a Trojan.Dropper, which then fetches the final malware, a Remote Access Trojan, and installs it on the machine.

Earlier today Proof-of-Concept code was integrated into the Metasploit Framework, and the code works against Windows, Mac OS X and Linux as long as any version of Java 7 (any available release, even the latest revision) is installed.

We expect this exploit to be integrated into the current Exploit Kit frameworks soon and gain widespread use.

IT administrators' only defense at the moment is to limit the use of Java. This can be implemented by uninstalling Java where it is not needed, or by using the Zone mechanism in Internet Explorer: forbid Java in the Internet Zone (set registry value 1C00 to 0 in Zone 3) and allow it only on whitelisted websites in the Trusted Zone.


Mac OS X can turn off Java by unsetting the "On" field in their Java Preferences program, but note that recent versions of Mac OS X have included a generic and proactive security measure that deactivates Java if it has not been used in the last 35 days.

For once, users of the older Java v6 do seem to be better off as the vulnerability does not affect that version of Java. Stay tuned for more information.

August 2012 Patch Tuesday – Update

Update
Great explanation and technical detail on how to exploit MS12-052 through use-after-free with heapspray by Derek Soeder.

Original
On this month’s Patch Tuesday, Microsoft released nine bulletins addressing a total of 26 vulnerabilities. In addition, Adobe also released new versions of its Adobe Acrobat and Adobe Reader (APSB12-16), Shockwave (APSB12-17) and Flash (APSB12-18) products. Taken together, both workstation and server administrators will have their hands full.

All of the Adobe bulletins and five of the Microsoft bulletins are rated "critical" and at least the first four in our list deserve an even higher urgency due to their potential impact on workstations and servers:

  • MS12-060 fixes a vulnerability that is already being exploited in the wild. The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages.
  • APSB12-18 is a fix for a single vulnerability in the Adobe Flash Player. According to Adobe the vulnerability is currently being used in targeted attacks. The known attack vector is a Word document with an embedded ActiveX Flash object.
  • MS12-054 addresses a flaw in the Remote Administration Protocol (RAP) of Windows Networking that an attacker can use to spread quickly within enterprise networks. The attacker first needs to gain access to a machine on the network and then needs to share a resource (say a printer) with a specifically crafted name that encodes the exploit for the vulnerability. All Windows machines periodically query the network for shared resources and will automatically execute the exploit code contained in the resource name. The vulnerability allows Remote Code Execution only for Windows XP and 2003; if you are on a current version, you are not affected. Microsoft published a detailed post with more background information on the SRD blog.
  • MS12-058 patches the flaw in the Exchange Server disclosed three weeks ago in KB2737111. The popular Outlook Web Access (OWA) Exchange component uses a vulnerable module from Oracle’s Outside In product to perform document conversions. An attacker who can lure a user to look at a malicious document through OWA can gain access to the Exchange server at a low privilege level. The attacker would have to combine the exploit with a second exploit, a local privilege escalation to gain full control over the server. Again, Microsoft published more details on the SRD blog.
  • MS12-052 is a new version of Internet Explorer (IE) that addresses two critical vulnerabilities. All versions of IE from 6 to 9 are affected. Web browsing is one of the most common attack entry points and this new version should be included in the initial patch rollout. Remember that Microsoft in July implemented an accelerated rollout cycle for IE, so from now on you can expect to get an update for IE every month rather than every other month.
  • MS12-053 is a fix for a remote desktop protocol (RDP) vulnerability in Windows XP running Terminal Services. This is the third RDP vulnerability this year (MS12-020, MS12-04X) and we are hopeful that most organizations have been cataloging their externally exposed RDP services and will be able to patch this vulnerability as quickly as possible.

These five vulnerabilities together with the Adobe updates should be on your priority list of updates to evaluate and install where applicable. Also don’t forget that the vulnerable Oracle Outside In is used in other industry software packages; that will have to be patched eventually. For a list of software known to contain Outside In see the list at US CERT.

The remaining Microsoft bulletins are rated "important" and address a local privilege escalation vulnerability in Windows (MS12-055), a file format problem in the Visio DXF format (MS12-059), a problem in JavaScript on 64-bit machines (MS12-056) and a fix for Office CGM, a graphics file format (MS12-057). They are lower priority and their installation can be postponed until a fitting maintenance window becomes available.

For a more technical background on the Adobe Reader vulnerabilities, take a look at the blog post by Mateusz Jurczyk and Gynvael Coldwind.

July 2012 Patch Tuesday Preview

Today Microsoft released its Advanced Notification for July 2012 containing nine bulletins addressing 16 vulnerabilities. Three bulletins are rated "critical", affecting members of the Windows operating system family. The remaining bulletins are rated "important" and address flaws in Windows, Office, Sharepoint and Office for the Mac.

Bulletin 1, rated "critical", affects all versions of Windows, and we expect it to address the XML vulnerability disclosed by Microsoft in June’s Patch Tuesday as KB2719615. This bulletin will be the highest priority for users, at least for those who did not apply Microsoft’s FixIt supplied in the advisory. Bulletin 2 is for Internet Explorer (IE), and is a bit of a surprise as it breaks the usual cycle of supplying an update for IE every two months. The bulletin only applies to IE9 and is thus limited to Vista and above. Bulletin 3 is "critical" for all desktop operating systems, XP, Vista and Windows 7; for all others it is rated only "moderate".

From the remaining bulletins all ranked "important", we recommend paying attention to bulletin 4 which affects all versions of Office for Windows. It is a Remote Code Execution vulnerability and is ranked "important" because it requires the targeted user to open a malicious file. We typically consider "important" bulletins for Office as almost the same severity level as "critical"; after all these document-based attack campaigns are usually quite successful in convincing at least a subset of end users to open the malicious document.

Bulletin 6 is a bit curious. It is for a Remote Code Execution vulnerability and applies to all versions of Windows, but it is rated only "important". It will be interesting to see what kind of mitigating circumstances made Microsoft come to that rating.

Users of the latest version of Microsoft Office for Mac OS X should keep an eye on bulletin 9 and apply it as soon as possible.

Over the last few weeks, Microsoft has also been rolling out the improved version of the Windows Update client, which has improved security measures that will be used for the first time in this month’s update. The changes are related to the Flame malware that came up with a sophisticated certificate collision attack and was able to abuse Microsoft’s update service to infect its targets.

Apple Security Update Fixing QuickTime Vulnerabilities

Guest post from Rodrigo Branco, Director of Vulnerability and Malware Research at Qualys

Apple just released an advisory addressing 17 security flaws in QuickTime Media Player. The update is rated critical as several of the fixed vulnerabilities can be used to achieve "Remote Code Execution". One of the critical vulnerabilities addressed is CVE-2012-0671, which I discovered and reported to Apple earlier this year.

How was the vulnerability discovered?

I found the vulnerability by manually investigating and reverse engineering the binary code of QuickTime and created a fuzzer to cover specific portions of the Apple media formats. In this particular vulnerability, QuickTime does not parse .pct media files properly, which causes a corruption in the module DllMain through a malformed file with an invalid value located at offset 0x20E. In my testing I used QuickTime Player version 7.7.1 (1680.42) on Windows XP SP 3 – PT_BR, but most likely other versions on Windows are affected as well.

A PoC repro01.pct is available for interested parties and was shared with Apple on February 22, 2012 to help them locate and fix the problem.

What does this vulnerability mean?

If you use QuickTime, attackers can take total control of your machine through this vulnerability, which is triggered by playing a malicious media file that uses overly large values in the PCT image format. A typical attack would embed such a file into a webpage and use social engineering to drive users into viewing the page. So far, there have been no reports of attackers exploiting this vulnerability yet.

To put this into context, QuickTime is used by 61% of all internet enabled PCs, including 49% of all Windows PCs and 98% of all Apple computers (numbers courtesy of Qualys BrowserCheck). Even if you don’t use QuickTime by default to play movies and videos, it can be used as the media player for the PCT format on all web browsers, including Chrome, Safari, Internet Explorer and Firefox.

All users, consumers and businesses alike, should download the security update as soon as possible since simply browsing to a malicious web page on any web browser can activate this vulnerability. If you’re not sure whether your QuickTime plug-in is updated, you can use Qualys BrowserCheck, a free service, to check if you need to download the update.

Throughout the whole process, Apple was very professional in handling this issue and provided constant status updates upon my request. It was great to see a company of Apple’s size taking a proactive role to ensure that their software and their users are protected from major vulnerabilities like this one.

A detailed advisory can be accessed at https://community.qualys.com/docs/DOC-3511

May Patch Tuesday 2012

This month, Microsoft released seven bulletins, three critical and four important, that addressed a total of 23 vulnerabilities. MS12-029 is the bulletin that should be highest on the list for most organizations, as it can be used to gain control of an end-user’s machine without requiring user interaction. The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.

MS12-034 — addressing 10 vulnerabilities — is the second critical bulletin, and it applies to the broadest selection of Microsoft software this month. Here’s some background to help understand why: In December of 2011 Microsoft issued bulletin MS11-087, which patched a vulnerability in the TrueType Font handling in win32k.sys DLL that had actively been exploited by the Duqu malware. After the fix was delivered, Microsoft’s internal security team started an effort to identify further occurrences of the vulnerable code in Microsoft’s other software packages and found multiple products that contained the flawed code. MS12-034 now provides the patches necessary to address these "Sons of Duqu vulnerabilities," together with a number of other security fixes (9 CVEs) that were bundled into the same files. Please note that we are not aware of any malware currently exploiting this issue. See Microsoft’s SRD blog for a good summary of their internal engineering process.

MS12-035 is the third critical bulletin and addresses a flaw in XBAP, a Microsoft browser based application delivery format. It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the Intranet zone of the target. Since June 2011, with the MS11-044 bulletin, Windows has changed its behavior from simply running an XBAP application to asking the user (via a popup window) whether it is ok to execute the application, which provides an additional layer of security. However, similar to our recommendation for Java, we advise users to completely disable XBAP to improve the overall robustness of your installation.

Of the remaining four important bulletins, we recommend focusing on MS12-030 for Excel and MS12-031 for Visio. Both are file-format vulnerabilities that allow an attacker to take control over the targeted machine if its user opens a specifically crafted file. As we have seen in some of last year’s data breaches, the need for user interaction lowers the success rate only slightly, as attackers are capable of drafting a convincing e-mail that can trick a percentage of its recipients into opening such a file.

Adobe also released its monthly patches today, addressing five vulnerabilities in its Shockwave player. Three of the vulnerabilities were discovered by Rodrigo Branco, Qualys' Director of Vulnerability and Malware Research. You can find the detailed advisories published at http://www.qualys.com/research/security-advisories/. If you have any questions about the Adobe patches, you can discuss the advisories at community.qualys.com, which Rodrigo will be actively monitoring, or simply drop him an e-mail at rbranco@qualys.com

Fast Updating: the Best Way to Defend Against Java Attacks

This week Brian Krebs posted some important news – according to his sources, the BlackHole exploit kit has been equipped with an exploit for the Java vulnerability CVE-2012-0570, released a mere month ago on Feb. 14 by Oracle. BlackHole is a widely disseminated exploit kit, commercially available in the underground. It allows interested groups with basic computer knowledge to implement an operation to attack target machines through their web browsers by setting up malicious web sites. Used in conjunction with a malware kit such as Zeus or SpyEye, these groups can build botnets that can then be used to harvest personal information for sale, rented out for SPAM or DDoS operations or handed over to pay-per-install operators.

The quality of the exploit kit plays an important role in such a setup, as it concentrates the rather sophisticated attack knowledge. The kit has to select the correct exploit based on the user’s configuration and the detected vulnerabilities. Most included exploits focus on older and well-known vulnerabilities (such as CVE-2010-1885 in Internet Explorer or CVE-2011-2110 in Adobe Flash), because they are the most stable and well-researched. A well-maintained target machine can usually not be penetrated with one of these off-the-shelf toolkits, as all software components are at the latest level. However, Java is difficult to update, and the addition of an exploit for such a new vulnerability in Java sharply increases the risk of an attack for the Internet population at large.

Our recommendation: update your Java installation to the latest version available. There are a number of tools available to help you to find out the version of Java you are running, including Oracle’s own version checker. I recommend our own tool, BrowserCheck. Just point your browser to https://browsercheck.qualys.com and get a precise diagnostic on the state of your browser and its plugins, including Java and other attacker favorites such as Adobe Flash and Adobe Reader.

If you cannot update Java (or you want to make your machine or the ones that you are responsible for more resilient to future attacks), there is a configuration setting in Windows that can be used to limit Java to a few selected and trusted sites. This requires a simple modification of the Windows Registry: changing registry value 1C00 to 0 in Zone 3 (subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3), which prohibits Java from running in the Internet Zone.

Sites that need Java can be whitelisted under Internet Options/Security/Trusted Sites. This works across all versions of IE and is non-overridable. Google Chrome has a similar mechanism, but I like Internet Explorer's approach better than Google’s implementation, which prompts the user for a decision on whether to run the plugin. Unfortunately most users will opt in just to get rid of the prompt and continue to load the site, which has the potential to increase their security exposure.
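The registry change described here (and in the "New Java 0-Day" post above, which recommends the same setting) is easy to get subtly wrong, so here is an added PowerShell example, not code from the original posts, that audits the current state of the Internet Zone, applies the 1C00 = 0 change, and maps a site into Trusted Sites so Java keeps working there. It assumes the per-user (HKCU) hive the post names; Zone 2 as the Trusted Sites zone and the ZoneMap\Domains layout are standard IE registry locations, and the domain name in the usage lines is a placeholder.

```powershell
# Added example (not from the original posts). Audits and applies the IE Zone
# setting the post describes: value 1C00 ("Java permissions") under Zone 3
# (Internet) set to 0 disables Java there; sites that still need Java are then
# mapped into Trusted Sites (Zone 2), where the setting is left untouched.
# Assumption: per-user scope (HKCU), as in the post. A machine-wide policy would
# use the same path under HKLM (not shown here).

$ZonesKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$JavaValue    = '1C00'   # "Java permissions" policy value named in the post
$InternetZone = 3
$TrustedZone  = 2

function Get-JavaZoneState {
    # Returns 'Disabled' when 1C00 is 0 (the post's recommended setting),
    # 'Enabled' for any other value, and 'Unset' when the value is absent.
    param([int]$Zone = $InternetZone)
    $key  = Join-Path $ZonesKey $Zone
    $item = Get-ItemProperty -Path $key -Name $JavaValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Unset' }
    if ($item.$JavaValue -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

function Disable-JavaInInternetZone {
    # Sets 1C00 = 0 in Zone 3 and returns the resulting state for verification.
    $key = Join-Path $ZonesKey $InternetZone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $JavaValue -Value 0 -Type DWord
    return (Get-JavaZoneState -Zone $InternetZone)
}

function Add-TrustedSite {
    # Maps an HTTPS host into Trusted Sites (Zone 2). Only the https scheme is
    # mapped: a plain-HTTP trusted site could be impersonated on the network and
    # would then get Java back for an attacker-controlled page.
    param([Parameter(Mandatory = $true)][string]$Domain)
    $key = Join-Path $ZoneMapKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value $TrustedZone -Type DWord
}

# Usage (run as the user whose IE profile is being hardened):
#   Get-JavaZoneState                                # audit the Internet zone first
#   Disable-JavaInInternetZone                       # apply the mitigation
#   Add-TrustedSite -Domain 'intranet.example.com'   # placeholder host; whitelist as needed
#   Get-JavaZoneState                                # confirm it now reports 'Disabled'
```

Run the audit function across a fleet before and after the change; a machine reporting 'Unset' or 'Enabled' after rollout is one where the per-user setting was overwritten or never applied.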

February 2012 Patch Tuesday Preview

Microsoft published its Patch Tuesday Preview for February of 2012 and as expected we are getting a larger batch of nine bulletins addressing a total of 21 vulnerabilities. Four bulletins are classified as "critical" and the remaining as "important". There is the expected critical update to Internet Explorer which should be highest priority. After all, we saw last month how quickly attackers are incorporating browser based attacks into their toolkits; an exploit for MS12-004 was detected a mere 15 days after Patch Tuesday.

There are also two critical fixes for Windows itself, plus one for the .NET framework that should be prioritized.

In the "important" category, there are three Remote Code Execution vulnerabilities, one of them in Office. Most likely we are looking at file based attacks and at least the Office vulnerability should be included in your first tier of patching.

January 2012 Patch Tuesday

2012’s first Patch Tuesday has seven bulletins, including the postponed bulletin from December 2011 that addresses the BEAST-style information disclosure. Talking about changes in schedules: Microsoft also released bulletin MS11-100 for ASP.NET, originally planned for this January, between Christmas and New Year's 2011, which you might have missed.

Our highest priority is MS12-004, which fixes two vulnerabilities in Windows Media Player, one critical in MIDI playback, one important in the closed caption (CC) interpretation. The vulnerabilities are relatively easy to trigger and require a specially crafted media input file. Attacks against these vulnerabilities can come either through e-mail or through hosting the media file on a website, so they have the potential to be used in a drive-by-download attack.

Next on our list is MS12-005, a vulnerability in the Windows .NET packager that can be triggered through a malicious Microsoft Office Word or PowerPoint document. Microsoft rates it only as 'important', but we consider vulnerabilities that only rely on a user opening a file critical enough to move them up in priority.

MS12-006 is the mentioned fix for the BEAST attack and should be deployed on all of your webservers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires and is a crypto attack against SSL/TLS that allows the attacker to decode and eavesdrop on HTTPS sessions. If you did miss the MS11-100 release over the holidays, now is a good time to take the opportunity to bundle both together. Tools for triggering MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools, maybe even to the one advertised here by Crista (http://www.youtube.com/watch?v=ySdaJbgO5gc via @mikko).

MS12-001 is the bulletin that was tagged as addressing a 'Security Feature Bypass' flaw. This is a new category and Microsoft has written a blog post explaining the details involved. In summary: a certain version of Visual-C (2003 RTM) implemented the SAFESEH security measure in a way that Windows XP, 2003, Vista, Win7 and 2008 were unable to read the information, so they fell back to running the binary without the SAFESEH handler. Binaries compiled with later versions of Visual-C (starting with SP1) are generated correctly, and MS12-001 now changes the affected Windows operating systems to be able to read the older format as well. There is no direct vulnerability here: an attacker would have to identify software compiled with the old version of Visual-C, find a vulnerability in it and code an exploit that uses the SEH exploit mechanism. Install it when you can, as it is a useful defense-in-depth measure.

Please also take a look at Adobe’s release today of a new version of Adobe Reader 9 and X. It will cover CVE-2011-4369 for Adobe Reader X, which they had already addressed for Adobe Reader 9 out-of-band due to exploits in the wild on December 16th plus a security enhancement that allows for better control of embedded JavaScript.

2011 Year in Review, Trends for 2012

Tony Bradley published yesterday a blog entry that contains a great summary of the top security incidents of 2011. This is worth reading for any IT administrator as these attacks will grow in 2012 and if you are like me, you may agree that one always learns better by looking at real-life examples.

Tony Bradley, The Security Detail at TechTarget

Microsoft Releases MS11-100 for ASP.NET DoS Attack

Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early yesterday morning at the Chaos Communication Congress (CCC) in Berlin. Microsoft tested and finished MS11-100 in record time, taking about 30 days for the process of integrating this new vulnerability with the fix that was already scheduled for January 2012. We consider Microsoft’s reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers' work. We will be tracking how the other projects and vendors affected (PHP, Oracle, Python, Ruby and others) are rolling out their patches.

The bulletin fixes the DoS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 1000 which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.
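The mitigation described here is a counting check that runs before any form variable is inserted into the hash table, because the cost of the collision attack is paid during insertion. The following added PowerShell example, not ASP.NET's own code, illustrates that ordering on a URL-encoded POST body with the 1000-variable limit the post cites; the sample bodies are constructed for the example.

```powershell
# Added example, not ASP.NET's implementation. Shows the principle behind the
# MS11-100 mitigation: cap the number of form variables in a POST body and reject
# the request before parsing, so a body built to collide in the hash table never
# reaches it. The limit of 1000 mirrors the default the post cites; the
# application/x-www-form-urlencoded format and the sample bodies are constructed.

$MaxFormKeys = 1000

function Test-FormKeyCount {
    # Counts '&'-separated name=value pairs without decoding or storing them.
    # Returns $true when the body is within the limit. Counting must come first:
    # inserting the keys is exactly the work the attack makes expensive.
    param([string]$Body, [int]$Limit = $MaxFormKeys)
    if ([string]::IsNullOrEmpty($Body)) { return $true }
    $pairs = $Body.Split('&', [System.StringSplitOptions]::RemoveEmptyEntries)
    return ($pairs.Count -le $Limit)
}

function ConvertFrom-FormBody {
    # Parses a body into a hashtable, or throws (the equivalent of answering
    # with a client error) when the key count exceeds the limit.
    param([string]$Body, [int]$Limit = $MaxFormKeys)
    if (-not (Test-FormKeyCount -Body $Body -Limit $Limit)) {
        throw "Request rejected: more than $Limit form variables in POST body"
    }
    $form = @{}
    foreach ($pair in $Body.Split('&', [System.StringSplitOptions]::RemoveEmptyEntries)) {
        $name, $value = $pair.Split('=', 2)
        # Decode only after the count check has passed.
        $form[[uri]::UnescapeDataString($name)] = [uri]::UnescapeDataString("$value")
    }
    return $form
}

# Constructed sample bodies: a normal form post and a flood of 1500 variables.
$normalBody = 'user=alice&action=save&note=hello%20world'
$floodBody  = (1..1500 | ForEach-Object { "k$_=v" }) -join '&'

Test-FormKeyCount -Body $normalBody
Test-FormKeyCount -Body $floodBody
(ConvertFrom-FormBody -Body $normalBody)['note']
try { ConvertFrom-FormBody -Body $floodBody } catch { $_.Exception.Message }
```

In ASP.NET the same cap is the `aspnet:MaxHttpCollectionKeys` appSettings value that MS11-100 introduced (default 1000); raise it only for applications that genuinely post more fields, and watch for a spike in rejected requests as an indicator that someone is probing the limit.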

Overall the bulletin addresses four issues. CVE-2011-3416 is an ASP.Net Forms Authentication Bypass issue which is rated as critical. CVE-2011-3414 is the hash table collision DoS issue discussed above and is rated as important. CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability which is also rated as important. And finally CVE-2011-3415 is the Insecure Redirect vulnerability which is rated as moderate. We recommend installing as soon as possible if you have web based infrastructure that uses ASP.NET.

Resources: