
Oracle Critical Patch Update January 2013

Oracle has shipped two major updates in the last two days. On Sunday, Jan. 13, a new version of Java 7 was released that addresses the 0-day vulnerability that has been exploited in the wild. Today the quarterly Oracle Critical Patch Update (CPU) followed, covering the rest of Oracle's product line. Overall, the January 2013 CPU fixes over 80 vulnerabilities in 10 product groups.

With the number of patched products being substantial, it is important to have a good map of installed software and versions in your organization. As usual we recommend starting with exposed services first, this month led by the MySQL patches. Fortunately, in most installations Oracle's core RDBMS will not be affected.

Here is an overview of the update:

  • The Oracle RDBMS product has only one update, and it is located in the Oracle Spatial component. Many Oracle RDBMS installations will not have that option installed and may not need any database patches this quarter.
  • The Mobile/Lite version of Oracle's database has five vulnerabilities addressed with a CVSS score of 10, which indicates they are highly critical.
  • Oracle's other database, MySQL, has 18 vulnerabilities addressed, with a maximum CVSS score of 9.0, indicating a high level of severity and warranting a quick turnaround.
  • Oracle's Fusion product group has seven vulnerabilities addressed, two of them in the Oracle Outside In product. Oracle Outside In is an SDK used by third-party vendors for document conversion. One of those vendors is Microsoft, which uses Outside In in the Outlook Web Access part of Exchange Server. Microsoft shipped two updates to Exchange last year, partly to update the embedded Outside In SDK.
  • Oracle Solaris is affected by eight flaws but has no remotely exploitable vulnerabilities. IT administrators for Solaris should take a look at the vulnerabilities and decide on an adequate roll-out schedule.
  • Further product areas with security updates include PeopleSoft, JD Edwards, Supply Chain, E-Business Suite and VirtualBox.

Last but not least please do not forget the roll-out of the latest Java 7 version (update 11) that addresses a highly critical vulnerability that has known exploits in the wild.

Internet Explorer 0-day bulletin – Update

Update:
MS13-008 is live for download. Because exploits are publicly available, treat it with the highest priority and install as quickly as possible.

Note that this update is a targeted patch rather than the cumulative update we are used to for Internet Explorer. It is highly recommended to have MS12-077 (the last cumulative Internet Explorer update) installed before applying MS13-008.

Original:
Microsoft has posted an advance notification for an Internet Explorer update that will be released later today. The update will address the current 0-day vulnerability (CVE-2012-4792) that was first detected in late December 2012.

January 2013 Patch Tuesday

The first Patch Tuesday of 2013 started with a relatively normal rhythm. We are getting seven bulletins, with two bulletins rated "critical" and five rated "important." The one thing upsetting this normal balance is a current 0-day vulnerability that affects Internet Explorer 6, 7 and 8 (which represent 90% of the IE install base at this time) but which is not part of the Patch Tuesday release. It was initially reported by FireEye on December 28, and the exploit has since made it into a Metasploit module and at least one exploit kit. While Microsoft is not providing a patch today, they have provided a Fix-It for the issue, which addresses the known attacks in the wild and also counters the Metasploit module. However, as Exodus Intelligence pointed out over the weekend, there are other ways of triggering the vulnerability that the Fix-It does not cover. IT admins in enterprises should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8. Admins should apply the Fix-It even though it can be bypassed, because it addresses the currently known attacks.

(Figure: Internet Explorer version share, ie_percentages.png)

Back to January's bulletins, where MS13-002 is the most important patch in the lineup. It addresses a vulnerability in the MSXML library, which is an integral part of many Microsoft software packages. It affects every Windows version from XP to RT, plus all Office versions and a number of other packages, such as SharePoint and Groove. The most likely attack vector is a malicious web page, but an e-mail with an Office document attachment is also a viable alternative for attackers. Patch this one as quickly as possible.

MS13-001, the second critical vulnerability, is in the Microsoft Windows print spooler software on the client side. It is located in a part of the spooler that provides extended functionality and is not exercised by any Windows software, only by third-party software. The dependency on third-party software and the chain of steps and events needed to exploit the vulnerability make us rank it lower than MS13-002. Microsoft has a good post on the SRD blog explaining the components involved.

All the other bulletins are ranked as "important" as they do not allow code execution:

  • MS13-004 addresses several .NET issues, but attacks are limited to the intranet context and cannot be initiated from the Internet, which lowers the risk of this bulletin.
  • MS13-005 fixes a flaw in the win32k.sys kernel module that weakens the AppContainer sandbox in Windows 8. By itself it is not a critical flaw, but it could be used in conjunction with other vulnerabilities to attack a Windows 8 system.
  • MS13-006 prevents a protocol attack on SSL v3 that can happen when a Microsoft browser communicates with a third-party web server. An attacker who controls a network device between the browser and the server could downgrade the connection to SSL v2 and then exploit any of the well-known flaws in SSLv2, ultimately eavesdropping on the communication.

In addition to the Microsoft patches, there is new software coming from Adobe as well. Adobe announced a new version of their Adobe Reader and Acrobat software – APSB13-02. The advisory applies to Windows, Mac OS X and Linux. Microsoft also updated security advisory KB2755801 for Internet Explorer 10, because it includes a new Adobe Flash build, and IT admins should look at the standalone Adobe Flash APSB13-01 release, as well. Adobe has also published advisory APSA13-01 for three ColdFusion vulnerabilities. The advisory provides information for workarounds, while Adobe is working on a patch.

Overall we are looking at a pretty normal Patch Tuesday, with the main worry for IT administrators centered on the Internet Explorer situation and its potential workarounds. One interesting option is to look at Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which has a number of additional mitigation steps that can be applied to Internet Explorer. EMET is effective in preventing the current 0-day and has worked the same way against the last IE 0-day in September, too. I have been running EMET for 6 months now with no side effects – highly recommended as an additional security measure.

December 2012 Patch Tuesday Preview

Today Microsoft announced seven bulletins that will be released in next week’s Patch Tuesday. Five of the bulletins are rated critical, and two are important. Between them they affect all currently supported Operating Systems, including Windows 8 and Windows RT.

Bulletin 1 is rated critical and affects Internet Explorer 9 and 10 on all platforms that support IE 9 and IE10, starting at Vista all the way to Windows 8 and RT. Bulletin 2, which is rated critical as well, applies to all versions of Windows and again includes both Windows 8 and Windows RT.

Bulletin 3 is special, as it affects Microsoft Word and is rated critical, which happens very rarely. Usually Microsoft downgrades even Remote Code Execution Office vulnerabilities to "important," because user interaction (e.g., opening a malicious file) is required. In this case we assume the "critical" rating comes from Outlook, which can be configured to use Word to render documents in its preview pane. This is an automatic mechanism that does not require user interaction. In any case, this will be an important bulletin to watch out for.

Bulletin 4 is a critical fix for a number of Microsoft server software products. It includes the widely installed Exchange and Sharepoint, plus an update for Microsoft Office Web Apps 2010 Service Pack 1. Office Web Apps are the webified version of Word, Excel, etc., and we expect them to have lesser impact on IT, as the applications have fewer installations. In any case, Server Administrators need to take a good look at this bulletin to see if they need to take action.

All in all, we are looking at a normal-sized Patch Tuesday with a mix of browser, operating system and Office updates that will keep all areas of IT administration quite busy through the end of the year. For many Windows RT users, it will be the first time for a software update, and it will be interesting to see how they react and what the uptake of the patches will be.

Oracle CPU October 2012 Preview

The below is a guest post from Amol Sarwate, Director of Vulnerability Labs for Qualys

Oracle has pre-released information on the patches expected in its quarterly Critical Patch Update (CPU) on October 16. This Critical Patch Update contains 109 new security vulnerability fixes across hundreds of Oracle products including Oracle Database, WebLogic server, PeopleSoft, Siebel, MySQL and VM VirtualBox. All affected components have one or more vulnerabilities that can be exploited remotely without authentication.

Oracle Fusion Middleware has 26 new security fixes, more than any other component being fixed in this release. The CPU contains five new security fixes for the Oracle Database Server and nine new security fixes for Oracle E-Business Suite, Oracle Supply Chain and PeopleSoft. It also has two security fixes for Siebel and 13 for Oracle Financials.

There are 18 security updates for the former Sun products like GlassFish, Solaris and SPARC. MySQL gets 14 security updates.

Overall, this is a big release that will keep system administrators busy on all fronts.

Patch Tuesday October 2012

Microsoft's Patch Tuesday for October 2012 brings seven bulletins, MS12-064 to MS12-070, and two interesting security advisories.

MS12-064 is the only bulletin rated "critical". It fixes two vulnerabilities in Microsoft Word and applies to all versions of Microsoft Office. One of them can be exploited via a malicious RTF-formatted e-mail rendered in the Outlook preview pane, without the user having to open the e-mail. Since the development complexity of an attack against this vulnerability is low, we believe it will be the first to have an exploit developed and recommend applying the MS12-064 update as quickly as possible.

All other bulletins are rated as important and apply to a wide variety of software ranging from Windows to Sharepoint to SQL Server, and include:

  • MS12-069 applies to Windows 7 and Windows Server 2008 R2 and addresses a denial-of-service vulnerability in which a specially malformed Kerberos packet can crash the target machine.
  • MS12-066 addresses an XSS vulnerability in Microsoft's SafeHTML library, which is in use in a number of products, including Microsoft SharePoint and Lync, Microsoft's IM client.
  • MS12-067 is another instance of a vulnerability introduced by the Oracle Outside In library. Oracle addressed a number of critical vulnerabilities in that library in its CPU in July 2012, and now all software vendors that embedded a version of the vulnerable library need to provide updates for their products. This instance is a non-default, paid add-on to SharePoint that provides document indexing capabilities. An organization could be exploited if the add-on is installed and an attacker is able to upload a malicious file to a SharePoint server.
  • MS12-070 fixes an XSS vulnerability in one of the reporting modules of Microsoft SQL Server. An attacker could use it to gain information about the SQL Server installation, but would have to convince a SQL Server administrator to click on a link that contains the malicious XSS code.

We recommend applying the updates as quickly as possible within your organization’s normal patching cycle.

Besides the seven bulletins, several security advisories are being published. This month, KB2661254 is being switched to automatic download and will start enforcing a minimum RSA key length of 1024 bits for certificates. This was announced three months ago and should not cause any disruption: RSA keys shorter than 1024 bits are considered factorable, and certificate authorities stopped issuing such certificates several years ago. KB2749655 is a new advisory that explains a problem in Microsoft's code signing infrastructure. During three months in the summer of 2012, a number of binary files in Microsoft security bulletins were signed in a flawed way (without a proper timestamp), so their signatures lose validity and the files will stop working in January 2013. To solve the problem, Microsoft will publish new versions of the affected bulletins, and organizations will need to reinstall the affected updates. This month the updated packages are MS12-053, MS12-054, MS12-055 and MS12-058. Microsoft provides more background on this process in their post on the SRD blog.
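Before the key-length enforcement goes live, it helps to know which certificates in your own stores fall below the threshold. The PowerShell audit below is an added example, not part of the original post or of Microsoft's advisory; the store list, the 1024-bit threshold and the CSV output path are assumptions chosen for illustration.

```powershell
# Added example (not from the original post or the KB). Lists certificates whose RSA
# public key is shorter than the minimum length KB2661254 enforces, so that anything
# that will stop validating can be found and replaced before the update is deployed.
function Get-WeakRsaCertificate {
    param(
        [int]$MinBits = 1024,
        # Assumed set of stores; extend it for application-specific stores as needed.
        [string[]]$StorePaths = @(
            'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\My',
            'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA',  'Cert:\CurrentUser\My'
        )
    )
    foreach ($store in $StorePaths) {
        if (-not (Test-Path $store)) { continue }
        foreach ($cert in Get-ChildItem -Path $store) {
            # Only RSA keys are subject to the length check; DSA/ECC keys are skipped.
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { continue }
            $bits = $null
            try { $bits = $cert.PublicKey.Key.KeySize } catch { continue }
            if ($bits -and $bits -lt $MinBits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# Report to the console and keep a CSV for the change record (path is an arbitrary choice).
$weak = Get-WeakRsaCertificate -MinBits 1024
$weak | Format-Table Store, Subject, KeyBits, NotAfter -AutoSize
$weak | Export-Csv -Path "$env:TEMP\weak-rsa-certs.csv" -NoTypeInformation
"Certificates with RSA keys below 1024 bits: $(@($weak).Count)"
```

Run it in an elevated session so the LocalMachine stores are readable; any hit in a Root or CA store is worth chasing to the application that still chains through it, since that is where the enforcement will surface as a validation failure.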

When planning the roll-out of these patches, don't forget to include yesterday's critical Adobe Flash update and to plan for next week's Oracle Java update, which will contain fixes for a number of critical vulnerabilities that we already know about.

New 0-day for Internet Explorer – Update 3

Update 3
The update for Internet Explorer is out – MS12-063. It fixes the current 0-day and addresses four other unrelated vulnerabilities. Interestingly in the bulletin Microsoft credits TippingPoint for reporting CVE-2012-4969.

We recommend installing the update as soon as possible, even if you are not running one of the configurations that are currently being exploited, i.e. Internet Explorer plus Flash or Java v1.6. Attackers are surely working on ways to exploit the vulnerability directly, without the help of plug-ins.

Update 2
Microsoft has just released further information on a patch for the 0-day vulnerability in Internet Explorer. Today they have made available a "Fix-it" that uses their application compatibility shim mechanism to fix the code segment affected on all versions of Internet Explorer.

They also announced that they are working on a permanent patch that will come out on Friday, September 21st.

The decision on whether to deploy the FixIt or whether to wait for the final patch should take into account that attacks are not widespread yet; currently attacks using the vulnerability continue to be of the targeted type with low infection rates reported.

For more detail on the nature of the patch and the prerequisites for the exploit to run successfully, take a look at Microsoft's SRD blog entry.

Update
Microsoft acknowledged the vulnerability in Security Advisory 2757760 and lists Internet Explorer 6, 7, 8 and 9 as affected. The vulnerability's CVE is CVE-2012-4969. The advisory points to EMET as a working mitigation. EMET is an optional technology for Windows that applies additional security mitigations to Windows programs, but because of its potential side effects it has to be configured by the system administrator to protect a specific subset of programs. Its newest version, 3.0, was released in May 2012 and can be managed through Group Policy, which should enable its use in a production environment. All installed browsers, plus frequently targeted third-party applications, are good candidates to include in EMET configurations. Once EMET is configured to restrict Internet Explorer's actions, the current exploit is prevented, although it still causes the browser to crash.

Original
Over the weekend security researcher Eric Romang discovered a 0-day exploit for Internet Explorer on an attack site in Italy. Analysis of the exploit file shows that it uses Adobe Flash to setup the necessary environment and works against IE 7,8 and 9.

A Metasploit module for the exploit was released today, allowing one to test the exploit. We expect the exploit to be integrated in all major attack frameworks soon.

Stay tuned for more information.

New Java 0-Day Disclosed – Update 4

Update 4
Apple published an updated version of Java 1.6 for Mac OS X containing defense-in-depth changes. Java 1.6 was not vulnerable to the exploit that affected the newer Java 7, but Oracle nevertheless included a new version in last week's update. We recommend installing this update according to your normal update schedule.

Update 3
Oracle just released an out-of-band patch for the flaw CVE-2012-4681.

Update 2
The use of this exploit for the Java 0-day is continuing to spread – Websense states that the exploit has been detected on over 100 sites so far.

The best defensive option continues to be to limit the use of Java 7. US-CERT has a good, comprehensive list of technical measures.

There is also some information about the initial disclosure of the vulnerability. The Polish security research company Security Explorations reported this and a number of other Java vulnerabilities to Oracle in April. However, the exploit in the wild uses a slightly different code path, so they do not believe that it is based on their reports, but rather that the attackers found the vulnerability independently.

Update
Deep End Research has some more information available, including a pointer to an unofficial patch and some details on its workings. David Maynor from ErrataSec put the Metasploit module through its paces and it performs well under Windows, Mac OS X and Linux.

Original
Over the weekend, an exploit for a new Java 0-day vulnerability was described by Atif Mushtaq at the FireEye Malware Intelligence Lab blog. The attackers serve a malicious piece of Java code from a web server to the browser and install a Trojan.Dropper, which then fetches the final malware, a Remote Access Trojan, onto the machine.

Earlier today Proof-of-Concept code was integrated into the Metasploit Framework, and it works against Windows, Mac OS X and Linux as long as any version of Java 7 is installed, including the latest revision.

We expect this exploit to be integrated into the current Exploit Kit frameworks soon and gain widespread use.

IT administrators' only defense at the moment is to limit the use of Java. This can be implemented by uninstalling Java where it is not needed, or by using the Zone mechanism in Internet Explorer: forbid Java in the Internet Zone (set the registry value 1C00 to 0 in Zone 3) and allow it only for whitelisted sites in the Trusted Sites Zone.

(Figure: the 1C00 Java permissions value under the Internet zone registry key, 1c00.png)
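The Zone configuration described above, as an added PowerShell example that is not part of the original post: it sets 1C00 to 0 in the Internet zone for the current user, maps one host into the Trusted Sites zone, and verifies the result. The host name, the scheme and the choice of the HKCU hive are assumptions; Group Policy writes the same value names under the HKLM Policies hive instead.

```powershell
# Added example (not from the original post). Disables Java in the Internet zone (1C00 = 0
# in Zone 3) and whitelists a site into the Trusted Sites zone (Zone 2), where the Java
# setting is left at its default. Assumed: HKCU hive, host name and scheme below. When
# Group Policy enforces zones, the same value names live under
# HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones.
$ZonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$InternetZone = 3          # 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted
$TrustedZone  = 2
$JavaPermissions = '1C00'  # 0 = Disable Java, 0x10000 = High safety, 0x20000 = Medium, 0x30000 = Low

function Disable-JavaInZone {
    param([int]$Zone)
    $key = Join-Path $ZonesRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $JavaPermissions -Value 0 -Type DWord
}

function Add-TrustedSite {
    # Maps <Scheme>://<HostName> into the Trusted Sites zone. Use '*' as the scheme to cover all.
    param([string]$HostName, [string]$Scheme = 'https')
    $key = Join-Path $ZoneMapRoot $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone -Type DWord
}

function Test-JavaDisabledInZone {
    # Returns $true only when an explicit 1C00 = 0 is present for the zone.
    param([int]$Zone)
    $key = Join-Path $ZonesRoot $Zone
    $value = (Get-ItemProperty -Path $key -Name $JavaPermissions -ErrorAction SilentlyContinue).$JavaPermissions
    return ($null -ne $value -and $value -eq 0)
}

Disable-JavaInZone -Zone $InternetZone
Add-TrustedSite -HostName 'intranet-app.example.com'   # assumed host name for illustration

"Java disabled in Internet zone: $(Test-JavaDisabledInZone -Zone $InternetZone)"   # expected True
"Java disabled in Trusted zone:  $(Test-JavaDisabledInZone -Zone $TrustedZone)"    # expected False
```

Restart Internet Explorer after the change; zone settings are read when the browser starts. If "Security Zones: Use only machine settings" is enabled, the HKCU values are ignored and the equivalent HKLM keys have to be set instead.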

Mac OS X users can turn off Java by unchecking the "On" box in the Java Preferences application. Note that recent versions of Mac OS X also include a generic, proactive security measure that deactivates Java if it has not been used in the last 35 days.

For once, users of the older Java v6 do seem to be better off as the vulnerability does not affect that version of Java. Stay tuned for more information.

August 2012 Patch Tuesday – Update

Update
Derek Soeder has a great, detailed explanation of how MS12-052 can be exploited through a use-after-free combined with a heap spray.

Original
On this month's Patch Tuesday, Microsoft released nine bulletins addressing a total of 26 vulnerabilities. In addition, Adobe released new versions of its Adobe Acrobat and Adobe Reader (APSB12-16), Shockwave (APSB12-17) and Flash (APSB12-18) products. Taken together, both workstation and server administrators will have their hands full.

All of the Adobe bulletins and five of the Microsoft bulletins are rated "critical" and at least the first four in our list deserve an even higher urgency due to their potential impact on workstations and servers:

  • MS12-060 fixes a vulnerability that is already being exploited in the wild. The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages.
  • APSB12-18 is a fix for a single vulnerability in the Adobe Flash Player. According to Adobe the vulnerability is currently being used in targeted attacks. The known attack vector is a Word document with an embedded ActiveX Flash object.
  • MS12-054 addresses a flaw in the Remote Administration Protocol (RAP) of Windows networking, which an attacker can use to spread quickly within enterprise networks. The attacker first needs to gain access to a machine on the network and then share a resource (say, a printer) with a specially crafted name that encodes the exploit for the vulnerability. All Windows machines periodically query the network for shared resources and would automatically execute the exploit code contained in the resource name. The vulnerability allows Remote Code Execution only on Windows XP and Server 2003; if you are on a current version, you are not affected. Microsoft published a detailed post with more background information on the SRD blog.
  • MS12-058 patches the flaw in the Exchange Server disclosed three weeks ago in KB2737111. The popular Outlook Web Access (OWA) Exchange component uses a vulnerable module from Oracle’s Outside In product to perform document conversions. An attacker who can lure a user to look at a malicious document through OWA can gain access to the Exchange server at a low privilege level. The attacker would have to combine the exploit with a second exploit, a local privilege escalation to gain full control over the server. Again, Microsoft published more details on the SRD blog.
  • MS12-052 is a new version of Internet Explorer (IE) that addresses two critical vulnerabilities. All versions of IE from 6 to 9 are affected. Web browsing is one of the most common attack entry points, and this new version should be included in the initial patch roll-out. Remember that in July Microsoft moved to an accelerated release cycle for IE, so from now on you can expect an IE update every month rather than every other month.
  • MS12-053 is a fix for a Remote Desktop Protocol (RDP) vulnerability in Windows XP running Terminal Services. This is the third RDP vulnerability this year (MS12-020, MS12-04X), and we are hopeful that most organizations have been cataloging their externally exposed RDP services and will be able to patch this vulnerability as quickly as possible.

These five Microsoft bulletins, together with the Adobe updates, should be on your priority list of updates to evaluate and install where applicable. Also don't forget that the vulnerable Oracle Outside In library is used in other industry software packages that will have to be patched eventually. For a list of software known to contain Outside In, see the list at US-CERT.

The remaining Microsoft bulletins are rated "important" and address a local privilege escalation vulnerability in Windows (MS12-055), a file format problem in Visio's DXF handling (MS12-059), a problem in JavaScript on 64-bit machines (MS12-056) and a fix for Office's handling of the CGM graphics file format (MS12-057). They are lower priority, and their installation can be postponed until a fitting maintenance window becomes available.

For a more technical background on the Adobe Reader vulnerabilities, take a look at the blog post by Mateusz Jurczyk and Gynvael Coldwind.

July 2012 Patch Tuesday Preview

Today Microsoft released its Advanced Notification for July 2012 containing nine bulletins addressing 16 vulnerabilities. Three bulletins are rated "critical", affecting members of the Windows operating system family. The remaining bulletins are rated "important" and address flaws in Windows, Office, Sharepoint and Office for the Mac.

Bulletin 1, rated "critical", affects all versions of Windows, and we expect it to address the XML vulnerability disclosed by Microsoft in June's Patch Tuesday as KB2719615. This bulletin will be the highest priority for users, at least for those who did not apply Microsoft's Fix-It supplied in the advisory. Bulletin 2 is for Internet Explorer (IE), and is a bit of a surprise as it breaks the usual cycle of supplying an update for IE every two months. The bulletin only applies to IE9 and is thus limited to Vista and above. Bulletin 3 is "critical" for all desktop operating systems, XP, Vista and Windows 7; for all others it is rated only "moderate".

From the remaining bulletins all ranked "important", we recommend paying attention to bulletin 4 which affects all versions of Office for Windows. It is a Remote Code Execution vulnerability and is ranked "important" because it requires the targeted user to open a malicious file. We typically consider "important" bulletins for Office as almost the same severity level as "critical"; after all these document-based attack campaigns are usually quite successful in convincing at least a subset of end users to open the malicious document.

Bulletin 6 is a bit curious. It is for a Remote Code Execution vulnerability and applies to all versions of Windows, but it is rated only "important". It will be interesting to see what kind of mitigating circumstances made Microsoft come to that rating.

Users of the latest version of Microsoft Office for Mac OS X should keep an eye on bulletin 9 and apply it as soon as possible.

Over the last few weeks, Microsoft has also been rolling out the improved version of the Windows Update client, which has improved security measures that will be used for the first time in this month's update. The changes respond to the Flame malware, which used a sophisticated certificate collision attack and was able to abuse Microsoft's update mechanism to infect its targets.