
Oracle CPU October 2012 Preview

The below is a guest post from Amol Sarwate, Director of Vulnerability Labs for Qualys

Oracle has pre-released information on the patches expected in its quarterly Critical Patch Update (CPU) on October 16. This Critical Patch Update contains 109 new security vulnerability fixes across hundreds of Oracle products including Oracle Database, WebLogic Server, PeopleSoft, Siebel, MySQL and VM VirtualBox. All affected components have one or more vulnerabilities that can be exploited remotely without authentication.

Oracle Fusion Middleware has 26 new security fixes, more than any other component being fixed in this release. The CPU contains five new security fixes for the Oracle Database Server and nine new security fixes for Oracle E-Business Suite, Oracle Supply Chain and PeopleSoft. It also has two security fixes for Siebel and 13 for Oracle Financials.

There are 18 security updates for the former Sun products like GlassFish, Solaris and SPARC. MySQL gets 14 security updates.

Overall, this is a big release that will keep system administrators busy on all fronts.

Patch Tuesday October 2012

Microsoft’s Patch Tuesday for October 2012 brings seven bulletins, MS12-064 to MS12-070, and two interesting security advisories.

MS12-064 is the only bulletin rated "critical". It fixes two vulnerabilities in Microsoft Word and applies to all versions of Microsoft Office. It addresses a vulnerability that can be exploited via a malicious RTF formatted e-mail through the Outlook Preview pane without having to open the e-mail. Since the development complexity of an attack against this vulnerability is low, we believe this vulnerability will be the first to have an exploit developed and recommend applying the MS12-064 update as quickly as possible.

All other bulletins are rated as important and apply to a wide variety of software ranging from Windows to Sharepoint to SQL Server, and include:

  • MS12-069 is a bulletin that applies to Windows 7 and Windows 2008 R2 and addresses a DoS-style vulnerability where a specifically malformed Kerberos packet can crash the target machine.
  • MS12-066 addresses an XSS vulnerability in Microsoft’s SafeHTML library that is in use in a number of products, including Microsoft Sharepoint and LYNC, Microsoft’s IM client.
  • MS12-067 is another instance of a vulnerability introduced by the Oracle Outside-In library. Oracle addressed a number of critical vulnerabilities in that library in its last CPU in June 2012, and now all software vendors that had embedded a version of this vulnerable library need to provide updates to their products. This instance is a non-default, paid add-on to Sharepoint that provides document indexing capabilities. An organization could be exploited if the add-on is installed and if an attacker is able to upload a malicious file into a Sharepoint server.
  • MS12-070 fixes an XSS vulnerability in one of the reporting modules of Microsoft SQL Server. An attacker could use it to gain information about the SQL Server installation and would have to convince an SQL server administrator to click on a link that contains the malicious XSS code.

We recommend applying the updates as quickly as possible within your organization’s normal patching cycle.

Besides the seven bulletins, there are several security advisories being published. This month, KB2661254 is being switched to automatic download and will start enforcing a minimum 1024-bit key length for certificates. This was announced three months ago and should not cause any disruption. Key lengths under 1024 bits are forgeable, and certificate authorities stopped issuing such certificates several years ago. KB2749655 is a new advisory and explains a problem in Microsoft’s code signing infrastructure. During three months in the summer of 2012, a number of binary files in Microsoft Security Bulletins were signed in a flawed way that will lead to their loss of validity, causing them to stop working in January 2013. To solve the problem, Microsoft will publish new versions of the affected bulletins, and organizations will need to reinstall the affected updates. This month the updated packages are MS12-053, MS12-054, MS12-055 and MS12-058. Microsoft provides more background on this process in their post on the SRD blog.
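Before KB2661254 lands, an administrator will want to know which certificates in the local stores will be rejected. The PowerShell below is an added example, not from the original post or from Microsoft: it walks the LocalMachine and CurrentUser stores and lists RSA certificates whose public key is shorter than 1024 bits.

```powershell
# Added example: find RSA certificates that fall under the 1024-bit minimum
# that KB2661254 enforces. Non-RSA keys (DSA, ECC) are skipped on purpose.
function Get-WeakRsaCertificate {
    param(
        [int]$MinimumKeySize = 1024,
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )
    foreach ($path in $StorePath) {
        # -Recurse also returns store container objects; keep only certificates
        Get-ChildItem -Path $path -Recurse |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
                $keySize = $cert.PublicKey.Key.KeySize
                if ($keySize -lt $MinimumKeySize) {
                    [pscustomobject]@{
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeySize    = $keySize
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

# Run from an elevated prompt so LocalMachine stores are readable; an empty
# result means no RSA certificate in these stores is affected by the update.
Get-WeakRsaCertificate | Sort-Object KeySize, NotAfter | Format-Table -AutoSize
```

Certificates flagged here that are still in use (for example internal CA roots or code signing certificates) must be reissued with a 2048-bit key before the update is deployed.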

When planning the roll-out of these patches, don’t forget to include yesterday’s critical Adobe Flash update, and plan for next week’s Oracle Java update, which will contain fixes for a number of critical vulnerabilities that we already know about.

New 0-day for Internet Explorer – Update 3

Update 3
The update for Internet Explorer is out – MS12-063. It fixes the current 0-day and addresses four other unrelated vulnerabilities. Interestingly, in the bulletin Microsoft credits TippingPoint for reporting CVE-2012-4969.

We recommend installing the update as soon as possible, even if you are not running one of the configurations that are currently being exploited, i.e. Internet Explorer plus Flash or Java v1.6. Attackers are surely working on ways to exploit the vulnerability directly, without the help of plug-ins.

Update 2
Microsoft has just released further information on a patch for the 0-day vulnerability in Internet Explorer. Today they have made available a "Fix-it" that uses their application compatibility shim mechanism to fix the code segment affected on all versions of Internet Explorer.

They also announced that they are working on a permanent patch that will come out on Friday, September 21st.

The decision on whether to deploy the FixIt or whether to wait for the final patch should take into account that attacks are not widespread yet; currently attacks using the vulnerability continue to be of the targeted type with low infection rates reported.

For more detail on the nature of the patch and the prerequisites for the exploit to run successfully, take a look at Microsoft’s SRD blog entry.

Microsoft acknowledged the vulnerability in Security Advisory 2757760 and lists Internet Explorer 6, 7, 8 and 9 as affected. The vulnerability’s CVE is CVE-2012-4969. The advisory points to EMET as a working mitigating factor. EMET is an optional technology for Windows that provides additional security mitigation technologies to Windows programs, but due to its potential side-effects it has to be configured by the system administrator to protect a subset of specific programs. Its newest version 3.0 was released in May of 2012 and can be managed through Group Policies, which should enable its use in a production environment. All installed browsers plus often-targeted 3rd party applications are great candidates to include in EMET configurations. Once EMET is configured to restrict Internet Explorer’s actions, the current exploit is prevented, even though it causes the browser to crash.

Over the weekend security researcher Eric Romang discovered a 0-day exploit for Internet Explorer on an attack site in Italy. Analysis of the exploit file shows that it uses Adobe Flash to set up the necessary environment and works against IE 7, 8 and 9.

A Metasploit module for the exploit was released today, allowing one to test the exploit. We expect the exploit to be integrated in all major attack frameworks soon.

Stay tuned for more information.

New Java 0-Day Disclosed – Update 4

Update 4
Apple published an updated version of Java 1.6 for Mac OS X containing security-in-depth changes. Java 1.6 was not vulnerable to the exploit that affected the newer Java version v7, but Oracle included a new version nevertheless in last week’s update. We recommend installing this update according to your normal update schedule.

Update 3
Oracle just released an out-of-band patch for the flaw CVE-2012-4681.

Update 2
The use of this exploit for the Java 0-day is continuing to spread – Websense states that the exploit has been detected on over 100 sites so far.

The best defensive option continues to be to limit use of Java 7. The US CERT has a good comprehensive list of technical measures.

There is also some information about the initial disclosure of the vulnerability. Polish security research company Security Explorations reported this and a number of other Java vulnerabilities to Oracle in April. However, the exploit in the wild uses a slightly different code path, so they do not believe that it is based on their reports, but rather that the attackers found the vulnerability independently.

Deep End Research has some more information available, including a pointer to an unofficial patch and some details on its workings. David Maynor from ErrataSec put the Metasploit module through its paces and it performs well under Windows, Mac OS X and Linux.

Over the weekend, an exploit for a new Java 0-day vulnerability was described by Atif Mushtaq at the FireEye Malware Intelligence Lab blog. The attackers serve a malicious piece of Java code from a web server to the browser, which installs a Trojan.Dropper; the dropper then fetches the final malware, a Remote Access Trojan, and installs it on the machine.

Earlier today Proof-of-Concept code was integrated into the Metasploit Framework, and the code works against Windows, Mac OS X and Linux as long as any version of Java v7 (even the latest revision) is installed.

We expect this exploit to be integrated into the current Exploit Kit frameworks soon and gain widespread use.

IT administrators’ only defense at the moment is to limit the use of Java. This can be implemented by uninstalling Java where it is not needed, or by using the Zone mechanism in Internet Explorer: forbidding Java use in the Internet Zone (setting Registry Key 1C00 to 0 in Zone 3) and allowing it only on whitelisted websites in the Trusted Zone.

Mac OS X can turn off Java by unsetting the "On" field in their Java Preferences program, but note that recent versions of Mac OS X have included a generic and proactive security measure that deactivates Java if it has not been used in the last 35 days.

For once, users of the older Java v6 do seem to be better off as the vulnerability does not affect that version of Java. Stay tuned for more information.

August 2012 Patch Tuesday – Update

Great explanation and technical detail on how to exploit MS12-052 through use-after-free with heapspray by Derek Soeder.

On this month’s Patch Tuesday, Microsoft released nine bulletins addressing a total of 26 vulnerabilities. In addition, Adobe also released new versions of its Adobe Acrobat and Adobe Reader (APSB12-16), Shockwave (APSB12-17) and Flash (APSB12-18) products. Taken together, both workstation and server administrators will have their hands full.

All of the Adobe bulletins and five of the Microsoft bulletins are rated "critical" and at least the first four in our list deserve an even higher urgency due to their potential impact on workstations and servers:

  • MS12-060 fixes a vulnerability that is already being exploited in the wild. The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages.
  • APSB12-18 is a fix for a single vulnerability in the Adobe Flash Player. According to Adobe the vulnerability is currently being used in targeted attacks. The known attack vector is a Word document with an embedded ActiveX Flash object.
  • MS12-054 addresses a flaw in the Remote Administration Protocol (RAP) of Windows Networking that an attacker can use to spread quickly within enterprise networks. The attacker first needs to gain access to a machine on the network and then needs to share a resource (say a printer) with a specifically crafted name that encodes the exploit for the vulnerability. All Windows machines periodically query the network for shared resources and automatically execute the exploit code contained in the resource name. The vulnerability allows Remote Code Execution only for Windows XP and 2003; if you are on a current version, you are not affected. Microsoft published a detailed post with more background information on the SRD blog.
  • MS12-058 patches the flaw in the Exchange Server disclosed three weeks ago in KB2737111. The popular Outlook Web Access (OWA) Exchange component uses a vulnerable module from Oracle’s Outside In product to perform document conversions. An attacker who can lure a user to look at a malicious document through OWA can gain access to the Exchange server at a low privilege level. The attacker would have to combine the exploit with a second exploit, a local privilege escalation to gain full control over the server. Again, Microsoft published more details on the SRD blog.
  • MS12-052 is a new version of Internet Explorer (IE) that addresses two critical vulnerabilities. All versions of IE from 6 to 9 are affected. Web browsing is one of the most common attack entry points, and this new version should be included in the initial patch rollout. Remember that in July Microsoft implemented an accelerated rollout cycle for IE, so from now on you can expect an update for IE every month rather than every other month.
  • MS12-053 is a fix for a remote desktop protocol (RDP) vulnerability in Windows XP running Terminal Services. This is the third RDP vulnerability this year (MS12-020, MS12-04X) and we are hopeful that most organizations have been cataloging their externally exposed RDP services and will be able to patch this vulnerability as quickly as possible.

These five vulnerabilities together with the Adobe updates should be on your priority list of updates to evaluate and install where applicable. Also don’t forget that the vulnerable Oracle Outside In is used in other industry software packages; that will have to be patched eventually. For a list of software known to contain Outside In see the list at US CERT.

The remaining Microsoft bulletins are rated "important" and address a local privilege escalation vulnerability in Windows (MS12-055), a file format problem in the Visio DXF format (MS12-059), a problem in JavaScript on 64-bit machines (MS12-056) and a fix for Office CGM, a graphics file format (MS12-057). They are lower priority and their installation can be postponed until a fitting maintenance window becomes available.

For a more technical background on the Adobe Reader vulnerabilities, take a look at the blog post by Mateusz Jurczyk and Gynvael Coldwind.

July 2012 Patch Tuesday Preview

Today Microsoft released its Advanced Notification for July 2012 containing nine bulletins addressing 16 vulnerabilities. Three bulletins are rated "critical", affecting members of the Windows operating system family. The remaining bulletins are rated "important" and address flaws in Windows, Office, Sharepoint and Office for the Mac.

Bulletin 1, rated "critical", affects all versions of Windows, and we expect it to address the XML vulnerability disclosed by Microsoft in June’s Patch Tuesday as KB2719615. This bulletin will be the highest priority for users, at least for those who did not apply Microsoft’s FixIt supplied in the advisory. Bulletin 2 is for Internet Explorer (IE), and is a bit of a surprise as it breaks the usual cycle of supplying an update for IE every two months. The bulletin only applies to IE9 and is thus limited to Vista and above. Bulletin 3 is "critical" for all desktop operating systems, XP, Vista and Windows 7; for all others it is rated only "moderate".

From the remaining bulletins all ranked "important", we recommend paying attention to bulletin 4 which affects all versions of Office for Windows. It is a Remote Code Execution vulnerability and is ranked "important" because it requires the targeted user to open a malicious file. We typically consider "important" bulletins for Office as almost the same severity level as "critical"; after all these document-based attack campaigns are usually quite successful in convincing at least a subset of end users to open the malicious document.

Bulletin 6 is a bit curious. It is for a Remote Code Execution vulnerability and applies to all versions of Windows, but it is rated only "important". It will be interesting to see what kind of mitigating circumstances made Microsoft come to that rating.

Users of the latest version of Microsoft Office for Mac OS X should keep an eye on bulletin 9 and apply it as soon as possible.

Over the last few weeks, Microsoft has also been rolling out the improved version of the Windows Update client, which has improved security measures that will be used for the first time in this month’s update. The changes are related to the Flame malware that came up with a sophisticated certificate collision attack and was able to abuse Microsoft’s update service to infect its targets.

Apple Security Update Fixing QuickTime Vulnerabilities

Guest post from Rodrigo Branco, Director of Vulnerability and Malware Research at Qualys

Apple just released an advisory addressing 17 security flaws in QuickTime Media Player. The update is rated critical as several of the fixed vulnerabilities can be used to achieve "Remote Code Execution". One of the critical vulnerabilities addressed is CVE-2012-0671, which I discovered and reported to Apple earlier this year.

How was the vulnerability discovered?

I found the vulnerability by manually investigating and reverse engineering the binary code of QuickTime and created a fuzzer to cover specific portions of the Apple media formats. In this particular vulnerability, QuickTime does not parse .pct media files properly, which causes a corruption in the module DllMain through a malformed file with an invalid value located at offset 0x20E. In my testing I used QuickTime Player version 7.7.1 (1680.42) on Windows XP SP 3 – PT_BR, but most likely other versions on Windows are affected as well.

A PoC repro01.pct is available for interested parties and was shared with Apple on February 22, 2012 to help them locate and fix the problem.

What does this vulnerability mean?

If you use QuickTime, attackers can take total control of your machine through this vulnerability, which is triggered by playing a malicious media file that uses overly large values in the PCT image format. A typical attack would embed such a file into a webpage and use social engineering to drive users into viewing the page. So far, there have been no reports of attackers exploiting this vulnerability.

To put this into context, QuickTime is used by 61% of all internet enabled PCs, including 49% of all Windows PCs and 98% of all Apple computers (numbers courtesy of Qualys BrowserCheck). Even if you don’t use QuickTime by default to play movies and videos, it can be used as the media player for the PCT format on all web browsers, including Chrome, Safari, Internet Explorer and Firefox.

All users, consumers and businesses alike, should download the security update as soon as possible since simply browsing to a malicious web page on any web browser can activate this vulnerability. If you’re not sure whether your QuickTime plug-in is updated, you can use Qualys BrowserCheck, a free service, to check if you need to download the update.

Throughout the whole process, Apple was very professional in handling this issue and provided constant status updates upon my request. It was great to see a company of Apple’s size taking a proactive role to ensure that their software and their users are protected from major vulnerabilities like this one.

A detailed advisory can be accessed at

May Patch Tuesday 2012

This month, Microsoft released seven bulletins, three critical and four important, that addressed a total of 23 vulnerabilities. MS12-029 is the bulletin that should be highest on the list for most organizations, as it can be used to gain control of an end-user’s machine without requiring user interaction. The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.

MS12-034 — addressing 10 vulnerabilities — is the second critical bulletin, and it applies to the broadest selection of Microsoft software this month. Here’s some background to help understand why: In December of 2011 Microsoft issued bulletin MS11-087, which patched a vulnerability in the TrueType Font handling in win32k.sys DLL that had actively been exploited by the Duqu malware. After the fix was delivered, Microsoft’s internal security team started an effort to identify further occurrences of the vulnerable code in Microsoft’s other software packages and found multiple products that contained the flawed code. MS12-034 now provides the patches necessary to address these "Sons of Duqu vulnerabilities," together with a number of other security fixes (9 CVEs) that were bundled into the same files. Please note that we are not aware of any malware currently exploiting this issue. See Microsoft’s SRD blog for a good summary of their internal engineering process.

MS12-035 is the third critical bulletin and addresses a flaw in XBAP, a Microsoft browser based application delivery format. It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the Intranet zone of the target. Since June 2011, with the MS11-044 bulletin, Windows has changed its behavior from simply running an XBAP application to asking the user (via a popup window) whether it is ok to execute the application, which provides an additional layer of security. However, similar to our recommendation for Java, we advise users to completely disable XBAP to improve the overall robustness of your installation.

Of the remaining four important bulletins, we recommend focusing on MS12-030 for Excel and MS12-031 for Visio. Both are file-format vulnerabilities that allow an attacker to take control of the targeted machine if its user opens a specifically crafted file. As we have seen in some of last year’s data breaches, this lowers the success rate only slightly, as attackers are capable of drafting a convincing e-mail that can trick a percentage of the e-mail’s recipients into opening such a file.

Adobe also released its monthly patches today, addressing five vulnerabilities in its Shockwave player. Three of the vulnerabilities were discovered by Rodrigo Branco, Qualys' Director of Vulnerability and Malware Research. You can find the detailed advisories published at If you have any questions about the Adobe patches, you can discuss the advisories at, which Rodrigo will be actively monitoring, or simply drop him an e-mail at

Fast Updating: the Best Way to Defend Against Java Attacks

This week Brian Krebs posted some important news – according to his sources, the BlackHole exploit kit has been equipped with an exploit for the Java vulnerability CVE-2012-0570, released a mere month ago on Feb. 14 by Oracle. BlackHole is a widely disseminated exploit kit, commercially available in the underground. It allows interested groups with basic computer knowledge to implement an operation to attack target machines through their web browsers by setting up malicious web sites. Used in conjunction with a malware kit such as Zeus or SpyEye, these groups can build botnets that can then be used to harvest personal information for sale, rented out for spam or DDoS operations, or handed over to pay-per-install operators.

The quality of the exploit kit plays an important role in such a setup, as it concentrates the rather sophisticated attack knowledge. The kit has to select the correct exploit based on the user’s configuration and the detected vulnerabilities. Most included exploits focus on older and well-known vulnerabilities (such as CVE-2010-1885 in Internet Explorer or CVE-2011-2110 in Adobe Flash), because they are the most stable and well-researched. A well-maintained target machine can usually not be penetrated with one of these off-the-shelf toolkits, as all software components are at the latest level. However, Java is difficult to update, and the addition of an exploit for such a new vulnerability in Java sharply increases the risk of an attack for the Internet population at large.

Our recommendation: update your Java installation to the latest version available. There are a number of tools available to help you to find out the version of Java you are running, including Oracle’s own version checker. I recommend our own tool, BrowserCheck. Just point your browser to and get a precise diagnostic on the state of your browser and its plugins, including Java and other attacker favorites such as Adobe Flash and Adobe Reader.

If you cannot update Java (or you want to make your machine, or the ones that you are responsible for, more resilient to future attacks), there is a configuration setting in Windows that can be used to limit Java to a few selected and trusted sites. This requires a simple modification of the Windows Registry: changing Registry Value 1C00 to Setting 0 in Zone 3 (Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3), which prohibits Java from running in the Internet Zone.

Sites that need Java can be whitelisted under Internet Options/Security/Trusted Sites. This works across all versions of IE and is non-overridable. Google Chrome has a similar mechanism, but I like the Internet Explorer mechanism better than Google’s implementation, which prompts the user for a decision on whether to run the plugin. Unfortunately most users will opt in just to get rid of the prompt and continue to load the site, which has the potential to increase their security exposure.
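The Internet Zone restriction described here, and in the Java 0-day post above, as an added PowerShell example that is not from the original posts: it sets value 1C00 under Zone 3 to 0, leaves Java enabled in the Trusted Zone, and adds one site to the Trusted Zone via the ZoneMap. The site name intranet.example.com is a hypothetical placeholder.

```powershell
# Added example: per-user (HKCU) Internet Explorer zone settings that disable
# Java on the Internet and allow it only on explicitly trusted sites.
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Value 1C00 = "Java permissions". Documented values: 0 = Disable Java,
# 0x10000 = High safety, 0x20000 = Medium safety, 0x30000 = Low safety.
function Set-ZoneJavaPermission {
    param(
        # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
        [Parameter(Mandatory)][ValidateRange(1, 4)][int]$Zone,
        [Parameter(Mandatory)][int]$Value
    )
    $zonePath = Join-Path $zonesRoot "Zones\$Zone"
    New-ItemProperty -Path $zonePath -Name '1C00' -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-ZoneJavaPermission {
    param([Parameter(Mandatory)][int]$Zone)
    $zonePath = Join-Path $zonesRoot "Zones\$Zone"
    (Get-ItemProperty -Path $zonePath -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
}

# IE stores trusted sites as ZoneMap\Domains\<domain>\<host>, with a DWORD
# named after the URL scheme whose data is the zone number (2 = Trusted sites).
function Add-TrustedSite {
    param(
        [Parameter(Mandatory)][string]$Domain,          # e.g. intranet.example.com (hypothetical)
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    $labels = $Domain.Split('.')
    if ($labels.Count -gt 2) {
        # split "intranet.example.com" into "example.com\intranet", as the IE UI does
        $relative = ($labels[-2..-1] -join '.') + '\' + ($labels[0..($labels.Count - 3)] -join '.')
    } else {
        $relative = $Domain
    }
    $domainPath = Join-Path $zonesRoot "ZoneMap\Domains\$relative"
    if (-not (Test-Path $domainPath)) { New-Item -Path $domainPath -Force | Out-Null }
    New-ItemProperty -Path $domainPath -Name $Scheme -PropertyType DWord -Value 2 -Force | Out-Null
}

# Apply: no Java in the Internet Zone (3); High safety Java in Trusted sites (2).
Set-ZoneJavaPermission -Zone 3 -Value 0
Set-ZoneJavaPermission -Zone 2 -Value 0x10000
Add-TrustedSite -Domain 'intranet.example.com' -Scheme 'https'   # hypothetical whitelisted site

# Verify the values actually written; expect 0x0 for zone 3 and 0x10000 for zone 2.
'Internet zone 1C00 = 0x{0:X}' -f (Get-ZoneJavaPermission -Zone 3)
'Trusted zone 1C00 = 0x{0:X}' -f (Get-ZoneJavaPermission -Zone 2)
```

For a fleet, the same two settings are better pushed through Group Policy (the Internet Explorer security zone and "Site to Zone Assignment List" policies) so that users cannot change them back through the Internet Options dialog.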

February 2012 Patch Tuesday Preview

Microsoft published its Patch Tuesday Preview for February of 2012 and as expected we are getting a larger batch of nine bulletins addressing a total of 21 vulnerabilities. Four bulletins are classified as "critical" and the remaining as "important". There is the expected critical update to Internet Explorer which should be highest priority. After all, we saw last month how quickly attackers are incorporating browser based attacks into their toolkits; an exploit for MS12-004 was detected a mere 15 days after Patch Tuesday.

There are also two critical fixes for Windows itself, plus one for the .NET Framework, that should be prioritized.

In the "important" category, there are three Remote Code Execution vulnerabilities, one of them in Office. Most likely we are looking at file based attacks and at least the Office vulnerability should be included in your first tier of patching.