On Friday, a hacker group known as The Shadow Brokers publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.
Both end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. Microsoft has released patches for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities, without the availability of a patch.
For zero-day vulnerabilities in Operating Systems, you can use your existing asset inventory information from Qualys AssetView, and search for any OS to determine how many vulnerable assets are deployed. This can be done without additional scanning if the data is relatively fresh.
Google’s threat analysis group has observed active attacks for Windows kernel win32k.sys vulnerability and has therefore disclosed this previously unknown vulnerability. It’s a local privilege escalation issue which implies that an attacker would need valid local credentials to trigger the issue. If exploited an attacker with low privilege could obtain higher privilege like that of an administrator. The only technical details known at this point is that the issue can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.
There is currently no patch or acknowledgement from Microsoft about the issue. Please stay tuned for updates. For reference, see the Google disclosure blog post.
It is Windows 10 first Patch Tuesday and 40% of the August bulletins for generic Windows apply to the newest version of the operating system: Windows 10. In addition there is an exclusive bulletin for the new browser Microsoft Edge, the leaner and faster replacement for Internet Explorer that addresses three critical vulnerabilities. Windows 10 fares a bit better than WIndows 8, which had 60% in its first two months, where three out of five bulletins were applicable. From a security perspective Windows 10 brings much improvement and we are curious to see how the acceptance of Windows 10 will play out, especially comparing the enterprise side and consumer side. On the Enterprise level we think the Virtual Secure Mode that takes credential hashes out of the Windows kernel the biggest advance, while for the consumer it is the new patching schedule, which basically keeps Windows always updated with the latest updates.
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) is responsible for IT security within the German Federal government. In addition they work on IT security standards for Germany and are moving into a national incident tracking function as well. In December 2014 they published their yearly report summarizing the IT security state in Germany as "critical", with attacks rising, German companies leaking data and exposing their infrastructure to even physical damage. Much of it is due to a 'Digitale Sorglosigkeit', a digital carelessness where the IT industry does not pay attention to avoidable threats.
Summary: This is a minor change to add flexibility in expanded platform support. There will be no downtime with this update, but you will need to make changes to policies and possibly some controls being used against Windows 2012 R2 or Windows 8.1.
While the Black Hat security conference is ongoing in Las Vegas (stay tuned to this blog for a rundown of our favorite presentations), Microsoft has published theirAdvance Noticefor the month of August. That document gives us an idea of the size of next week’s Patch Tuesday: we will get nine bulletins affecting a wide variety of Microsoft software including Internet Explorer, Windows, Office, SQL Server and Sharepoint. Two of the bulletins are rated “critical,” as they allow for Remote Code Execution (RCE) and a third one for Microsoft Office OneNote also provides RCE capabilities.
July’s Advance Notice by Microsoft has just arrived. This month, Microsoft is publishing six bulletins in July, affecting all versions of Internet Explorer, Windows and one server components. Two bulletins are rated “critical,”, as they allow for Remote Code Execution (RCE), three are rated “important” as they allow for elevation of privilege inside on Windows.
The most critical patch to consider is Bulletin 1 is for all versions of Internet Explorer (IE), all the way from Internet Explorer 6, but only supported on Windows Server 2003 since XP has been retired, to the newest IE 11 on Windows 8.1 and R. This patch should be top of your list, since most attacks involve your web browser in some way. Take a look at the most recent numbers in Microsoft SIR report v16, which illustrate clearly that web- based attacks, which include Java and Adobe Flash are the most common.
Bulletin 2 is a critical update for Windows and all desktop versions of Vista, WIndows 7, 8 and RT are affected. On the server side all but the the oldest Windows server 2003 are affected. The update will require a reboot, which is something to include in your planning, especially on the server side.
Bulletin 3, 4, and 5 are all elevation of privilege vulnerabilities in Windows. They are affect all versions of Windows. They are local vulnerabilities, i.e they cannot be used to achieve code execution remotely through the network, but require that the attacker already haves a presence on the targeted machine as a normal or standard user. Exploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attackers gets an account on the machine, say through stolen credentials. In any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.
Lastly, Bulletin 6 is a Denial of Service vulnerability in the Service Bus for Windows. The Service Bus is a newer component of Windows in use in the Windows Azure environment for the development of loosely coupled applications. In our estimate few companies will have installed that component and on Azure, Microsoft will take of the patching for you.
Later Also this month Oracle is publishing their Critical Patch Update (CPU) July 2014. It is expected to come out on July 15 and typically contains fixes for hundreds of vulnerabilities. How applicable the patches are for your organization depends on your software inventory, but at least the update for Java will be important for most organizations.
Please stay tuned to this blog for next week’s release and further updates from Oracle.
Microsoft updated today the security advisory page for May and we are expecting eight security bulletins next Tuesday. Three of the bulletins address vulnerabilities that can be used by the attacker for Remote Code Execution (RCE) which are the highest priority type vulnerabilities.
Bulletin #1 is rated critical, addresses Internet Explorer (IE) and affects all currently supported versions from IE6-IE11. IE6, IE7 and IE8 are being patched for Windows Server 2003, but not for Windows XP, which had its End-of-Life date last month in April 2014 and will not receive any more regular updates. The Internet Explorer update should contain the cumulative fix for last months 0-day, already addressed by Microsoft in an out-of-band fashion last week in MS14-021 and the vulnerabilities disclosed during the year’s PWN2OWN competition at CanSecWest. This update should be high on your list, especially if you have not applied MS14-021 yet.
Bulletin #2 addresses critical vulnerabilities that also allow for RCE in Sharepoint server 2007, 2010 and 2013, plus a number of other server platforms. This should be high on your list, especially if you expose any of the listed platforms on the Internet.
Bulletin #3 is an update for Office 2007, 2010 and 2013. It is rated important and provides RCE to the attacker, indicating that the attacker vector is a malicious document that the target has to open in order to trigger the attack. Attackers would use a document like that in a social engineering attack, which aims at convincing the user to open the document, for example by making it appear as coming from the user’s HR department or promising information about a subject of interest to the user.
The remaining bulletins are fixes for Windows, .Net and Office that address local vulnerabilities, with the exception of Bulletins #7 that addresses a Denial-of-Service condition in Server 2008 R2 and 2012 R2.
In addition to Microsoft, Adobe has announced that they will publish a new version of Adobe Reader. Since the PDF format is frequently abused by attackers, you should include Adobe Reader on your priority list.
Update2: MS14-021 has now been published. Note that differently from a normal update it is not cumulative (i.e. it only addresses this particular vulnerability CVE-2014-1776, which is common for an out-of-band update such as this one) and it is recommended to install the latest cumulative update before applying MS14-021, i.e. MS14-018 for most versions of Windows, but MS14-012 for IE11 on Windows 7 and Windows 8.
While attacks continue to be targeted, we recommend installing this update as soon as possible, rather than waiting 2 weeks for next Patch Tuesday.
Update: Microsoft will release an out-of-band patch for Internet Explorer later today, and it will include an update for Windows XP. Good news for users of the operating system that went EOL last month. Stay tuned for more news.
Original: Microsoft just published security advisory 2963983 which acknowledges limited exploits against a 0-day vulnerability in Internet Explorer (IE). The vulnerability CVE-2014-1776 affects all versions of IE starting with version 6 and including version 11, but the currently active attacks are targeting IE9, IE10 and IE11. The attack vector is a malicious web page that the targeted user has to access with one of the affected browsers.