Happy New Year! In the first Patch Tuesday of 2017 Microsoft fixed only 3 vulnerabilities which makes it one of the smallest patch months ever. Patches were released for Microsoft Office, the Edge browser and LSASS. It’s an unusually small patch update and will definitely make system administrators happy. It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.
Today is Patch Tuesday May 2015, and it is coming on strong. Microsoft released 13 bulletins bringing the count for this year to 53. 53 is quite a bit higher than in any of the last five years, in fact I cannot remember a similar active year. Our internal tracking of vulnerability numbers now projects north of 140 advisories for this year, certainly also new record:
April’s Patch Tuesday continues the 2015 trend of high volume patches. This month we have a full set of 11 patches from Microsoft addressing 26 vulnerabilities.The vulnerabilities affect Windows and Office on both servers and workstations. In addition, Oracle is publishing their quarterly Critical Patch Update fixing 98 vulnerabilities in over 25 software categories, including Java, Oracle RDBMS and MySQL.
Add to that the fixes in Adobe, Mozilla and Google Chrome software that were initiated by the results of the PWN2OWN competition in Vancouver, and every defensive IT security professional will have their work doubled this month.
Update2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:
- The attackers use an listoverridecount level of 25, which is outside of the 0,1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the program counter of the processor.
- This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained, no additional setup files are needed.
Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching it makes sense to disable RTF opening any way, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability that can be found with relatively little investment into file fuzzing. See Charlie Miller’s presentation on "dumb fuzzing" for some initial reading.
Microsoft today published eight security bulletins for the November 2013 Patch Tuesday, addressing 19 distinct vulnerabilities.
At the top of our priority list of patches and workarounds are the two open 0-day vulnerabilities:
- The Internet Explorer 0-day disclosed last week (see the blogpost by FireEye) can be addressed with a real patch, MS13-090, which implements a simple killbit setting that disables the affected ActiveX control “Information Card Signin Helper.” The attack vector here is a malicious webpage configured for a drive-by-download attack. More information in Microsoft’s SRD blog post.
- The TIFF graphic format vulnerability in the GDI+ library, also disclosed last week, which continues with no patch this month. However, there is an easy-to-implement workaround — a registry setting disabling the rendering of TIFF files — detailed in security advisory KB2896666 and made available as an MSI file. The attack vector seen in the wild is a malicious Word document.
Microsoft announced its lineup for next week’s Patch Tuesday. We will get 14 bulletins, already bringing the number for this year to 80 in September. We are well on our way to get more than 100 bulletins this year compared to 83 in 2012 and exactly 100 in 2011, a good reflection of how challenging the computer security business continues to be.