Tag Archive | "Patch"

Firefox 4 gets its first security update

Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser’s first-ever security update. The Firefox version number bumps up to 4.0.1.

The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn’t yet reached version 4 – it’s still back at version 3.6.8.

The release notes for Firefox 4.0.1 are hard to find from the main Mozilla.com page. (Browsing to Firefox.com doesn’t help, as this just redirects to the Mozilla page.) But if you know where to look, you’ll find that two critical security advisories are fixed in the 4.0.1 release.

MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that “with enough effort at least some of these could be exploited to run arbitrary code”. MFSA2011-17 deals with “two crashes that could potentially be exploited to run malicious code” in a graphics library called WebGLES, used by Firefox.

Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.

The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.

Two other critical vulnerabilities which don’t affect version 4 are fixed.

MFSA2011-13 deals with various “dangling pointer” bugs (a dangling pointer is a programming mistake in which a memory reference remains in use after the memory it points to has been returned to the operating system for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.

The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!

There’s an update to Mozilla’s Thunderbird email client as well. Thunderbird moves to version 3.1.10.

Somewhat confusingly, the Thunderbird release notes don’t list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are “fixed in Thunderbird 3.0.10”.

If you’re a Thunderbird user, we advise you, too, to update as soon as you can.

Posted in Sophos

Silverlight Update Available, (Thu, Apr 21st)

Microsoft has issued a security patch for Silverlight (KB2526954). It fixes several security issues. However, the Microsoft link to KB2526954 is still not live. If you have Microsoft Update running, it is ready to install. This is rated as important and will auto-install.

Direct download http://go.microsoft.com/fwlink/?LinkID=149156

[1] http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx

– Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Posted in Security

Many Updates on Patch Tuesday

Just as announced last Friday, Microsoft released 17 security bulletins and the corresponding updates, fixing more than 60 security vulnerabilities in total in Windows, Internet Explorer, Office and the developer tools. According to the exploitability index in the security bulletin summary, 44 of the 64 security vulnerabilities received a rating of 1, which means that exploitation of the vulnerability by cyber criminals is very likely to happen soon.

Some interesting updates affect the Windows kernel, in which many null-pointer dereferences and so-called use-after-free errors have been fixed; proper pointer handling seems to be hard not only for beginners. The 64-bit Windows Kernel Patch Protection also gets updated to ensure that no unsigned drivers can be loaded and used. The Internet Explorer update is accompanied by another round of new ActiveX kill bits, which disable these installable and often insecure IE extensions.

As the patches fix critical security issues which even Microsoft expects to be abused soon, users and administrators should install them as soon as possible!

Dirk Knop
Technical Editor

Posted in Avira

64 Vulnerabilities Fixed by April Patch Tuesday

Compared with last month’s three security bulletins, Microsoft released a record-breaking 17 security bulletins to address 64 publicly disclosed vulnerabilities. This month’s release includes patches for bugs in Microsoft Windows, Microsoft Office, and Microsoft Visual Studio. It also includes a fix for the vulnerability in Internet Explorer that was uncovered during this year’s Pwn2Own contest.

Nine of these security bulletins have been rated “critical,” as the vulnerabilities they address could result in remote code execution. Eight have been rated “important”: six of these could lead to arbitrary code execution, one could allow privilege escalation, and the last could result in unauthorized information disclosure.

This month’s batch of patches also addresses the MHTML vulnerability in Internet Explorer, reported in January, which could be likened to server-side cross-site scripting (XSS) vulnerabilities in terms of impact.

One critical patch addresses the vulnerability in SMB Browser, which was disclosed last February. According to Microsoft’s assessment, even though this may be used to spread malware, no attacks taking advantage of this threat were found.

Users are strongly advised to patch their systems as soon as possible. Trend Micro product users need not worry, however, as they are protected through Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in. For more details, visit our security advisory page.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Trendmicro

April 2011 Patch Tuesday

Once again, this day of the month is the scheduled release of updates from Microsoft. April 2011 Patch Tuesday from Microsoft contains 17 security bulletins (covering 64 vulnerabilities), with 9 of the issues rated “Critical” in terms of the Maximum Severity Rating and Vulnerability Impact.

Below is the list of the Critical security bulletins:

MS11-018 – Cumulative Security Update for Internet Explorer (2497640)

MS11-019 – Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)

MS11-020 – Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)

MS11-027 – Cumulative Security Update of ActiveX Kill Bits (2508272)

  • CVE-2010-0811 – Microsoft Internet Explorer 8 Developer Tools Vulnerability
  • CVE-2010-3973 – Microsoft WMITools ActiveX Control Vulnerability
  • CVE-2011-1243 – Microsoft Windows Messenger ActiveX Control Vulnerability

MS11-028 – Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)

MS11-029 – Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)

MS11-030 – Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)

MS11-031 – Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)

MS11-032 – Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)

Make sure that your computer and applications are always up to date, as well as your CA Security Product signatures!

Stay Safe!

Posted in CA Technologies

Critical Adobe Flaw without Patch

A vulnerability within the current versions of Adobe Flash Player on all supported platforms has been found, the company warns. Affected are not only Flash Player installations, but also Adobe Reader and Acrobat via the “authplay.dll” Flash Player integration. Currently there is no mitigation which will help against exploitation, so for the time being, opening only expected documents from trusted sources is good advice.

Adobe explains that they found an Excel sheet with malicious SWF content exploiting the vulnerability as an email attachment in a very limited, targeted attack. The reason for this is simple: one wouldn’t expect such malicious content in an Excel sheet; not opening unrequested documents is thus a way to mitigate the risk. Adobe plans to have an update ready by next week, around the 21st of March, and will ship it immediately then. For Adobe Reader X the patch will take a little longer, as the integrated sandbox prevents a successful exploit.

Avira products detect the exploit as EXP/CVE-2011-0609.

Dirk Knop
Technical Editor

Posted in Avira

Denial of Service vulnerabilities back in the spotlight – patch BIND now!

Until recently, only remote code execution vulnerabilities have made the mainstream news.

These are the bug strains which may let an attacker get into your computer if you do nothing more than simply read an email, look at a web page, or even just connect to the internet.

But simple Denial of Service (DoS) vulnerabilities are newsworthy again, it seems. A DoS – not to be confused with DOS, which was an operating system of sorts – is where an attacker tries to slow down or to crash a computer.

That DoS vulnerabilities are back in the spotlight is hardly surprising, given the rabble-rousing noise made recently by Anonymous to encourage individuals to join voluntary DoS attacks against major companies such as MasterCard and PayPal. (When lots of computers initiate a DoS attack at the same time, the result is a DDoS, or Distributed Denial of Service attack. A DDoS is just a DoS scaled up for even greater havoc.)

DoSses are a big deal. Uptime is a significant measure of the on-line credibility of a business these days. If you have seen the film The Social Network you’ll probably remember Fake Mark Zuckerberg ranting about how Facebook never goes down, mustn’t go down, can’t go down. For Fake Mark, that was a key business differentiator.

And the latest DoS vulnerability on the newswires is potentially troublesome. It’s a flaw in BIND, almost certainly the most widely-used DNS server in the world. DNS, or the Domain Name System, is the global system which converts names such as sophos.com into IP numbers such as 213.31.172.77. To say it’s an important service is a serious understatement.

The details of the vulnerability can be found against vulnerability identifier CVE-2011-0414.

In short, authoritative name servers can be tricked into a deadlock for a brief window of time during an incremental zone transfer (IXFR).

To explain: an authoritative name server is one which contains official data about name-to-number mappings for a domain. (Caching name servers simply ask authoritative name servers and remember the answers for a while to help reduce load on the authoritatives.) A zone transfer is when one name server sends information to another server about changes to the official DNS records. And an incremental zone transfer, if you will pardon me stating the obvious, is one in which only recent changes are exchanged, to save time and bandwidth.

Finally, deadlock is when a computer program gets stuck. Part A waits for part B, and part B waits for part A. Deadlock, in a literary flourish rarely seen in computer science, is also known as deadly embrace.

The internet is very large, and changes very rapidly. Over the past five years, the number of computers online has increased by about 300,000 per day – and that’s just the aggregate increase, not taking account of the total number added and removed.

So IXFRs between authoritative name servers are a vital part of keeping DNS both alive and correct. Indeed, DNS servers are at the heart of many cloud-style security services, providing the mechanism by which up-to-date blocklist data is published. IXFRs between cloud-security DNS servers are critical in order to keep the latest blocklist information right up to date.

What does this mean?

If you are running a BIND DNS server, and you’re on version 9.7, you should update as soon as you can to the latest patch release, version 9.7.3.

(As an aside, Apple ships every Macintosh with a copy of BIND. Most users don’t run it, and so aren’t affected. Those who do are lucky this time – OS X 10.6.6, the latest version, comes with BIND 9.6. Sometimes, being behind the curve is a good thing.)

Posted in Sophos

Researcher at RSA: 80 percent of browsers need a patch

Java is out of date on more than 40 percent of machines

Wolfgang Kandek, CEO of Qualys, said during a presentation at the RSA Security Conference in San Francisco that 80 percent of browsers his company’s BrowserCheck service checked were missing one or more patches, ComputerWorld has reported.

BrowserCheck checks for vulnerabilities in browsers (on Windows, Linux and Mac) and 18 browser plug-ins. Plug-ins include Flash and Reader (Adobe), Java (Oracle), Silverlight (Microsoft) and Windows Media Player (Microsoft).

Excluding plug-ins from the figures showed that 25 percent of the machines scanned by BrowserCheck last month had an unpatched browser.

The fact that there are a lot of unpatched machines out there isn’t a surprise, but the fact that there are so many is shocking. Apparently Kandek said as much in his presentation.

The average home user needs to be made aware of the importance of updates and it would probably help if it were a bit easier.

Tom Kelchner

Posted in GFI Software

Patch Tuesday

Microsoft has issued 12 security bulletins with fixes for Windows, Office and Internet Explorer.

MS11-003 — Cumulative Security Update for Internet Explorer
Critical (Remote Code Execution)
Microsoft Windows, Internet Explorer

MS11-004 — Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution
Important (Remote Code Execution)
Microsoft Windows

MS11-005 — Vulnerability in Active Directory Could Allow Denial of Service
Important (Denial of Service)
Microsoft Windows

MS11-006 — Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution
Critical (Remote Code Execution)
Microsoft Windows

MS11-007 — Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution
Critical (Remote Code Execution)
Microsoft Windows

MS11-008 — Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution
Important (Remote Code Execution)
Microsoft Office

MS11-009 — Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure
Important (Information Disclosure)
Microsoft Windows

MS11-010 — Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

MS11-011 — Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

MS11-012 — Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

MS11-013 — Vulnerabilities in Kerberos Could Allow Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

MS11-014 — Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

Tom Kelchner

Posted in GFI Software

Adobe Patch Tuesday

Adobe has issued patches to fix a number of vulnerabilities in:

– Adobe Reader X (10.0) for Windows and Macintosh,
– Adobe Reader 9.4.1 (and earlier) for Windows, Macintosh and UNIX, and
– Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh.

The vulnerabilities could crash the applications and enable an intruder to take control of the system. Adobe Reader X is protected from some of the vulnerabilities by its Protected Mode mitigations.

Updates available:

– Adobe Reader X (Windows and Macintosh): update to version 10.0.1,
– Adobe Reader 9.4.1 (UNIX): update to Adobe Reader 9.4.2 (available February 28), and
– Adobe Reader 8.2.6.

Tom Kelchner

Posted in GFI Software


SSCC47- Now with transcript! Patch Tuesday, HBGary, Nasdaq hack, RBS WorldPay hacker and Pwn2Own

Michael Argast is my guest on this week’s Chet Chat as we discuss the week’s news you can use.

I have transcribed this episode (by hand) for the hearing impaired and those of you who prefer text to audio. Please send feedback to studio@sophos.com if you find this helpful. It is a lot of extra work, but I am willing to continue doing it if enough people prefer it.

Michael and I began by discussing the boat load of patches dropped by Microsoft and Adobe on Tuesday. We talked about the ins and outs of the HBGary hack, Google putting 20 G’s on the line at Pwn2Own, the hacking of Nasdaq and the guilty plea of a Russian hacker in the RBS WorldPay incident.

(7 February 2011, duration 12:33 minutes, size 9.05MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 47 or download a transcript. All of our past podcasts are available from http://podcasts.sophos.com and on iTunes.

Posted in Sophos


Patch Tuesday for February 2011 – Adobe and Microsoft

As expected, today Microsoft and Adobe published updates for Windows, Internet Explorer, Windows FTP service, Visio, Flash Player, Shockwave Player, Reader, Acrobat and ColdFusion.

Microsoft published 3 critical and 9 important fixes today. The first noteworthy fix is MS11-003 (CVE-2010-3971), a recursive CSS vulnerability, discovered last December in Internet Explorer, that could allow remote code execution (RCE). Considering the vulnerability has been included in the Metasploit Framework for well over a month and we haven’t seen it active in the wild, SophosLabs has rated it medium.

The second critical fix was for MS11-006, (CVE-2010-3970) a flaw in the graphics rendering engine that could allow RCE when thumbnails of files are viewed in Explorer. While we haven’t seen this successfully exploited in the wild yet, there have been reports that some malware authors have made unsuccessful stabs at it. SophosLabs has provided protection against exploitation as MAL/CVE3970-A and rates this flaw as medium.

The last critical patch is MS11-007 (CVE-2011-0033), which closes a hole that could allow an attacker to create a malicious font and lure a user to view a website using that font to compromise their machine. This bug was privately disclosed, but may be interesting to enterprising criminals. SophosLabs has not seen anyone using this as a method of exploitation, so they have decided to rate it medium as well.

Adobe bulletin APSB11-01 resolves 21 vulnerabilities in Shockwave Player. Adobe has rated this patch as critical and more worryingly all 21 vulnerabilities can lead to code execution. I’ve mentioned this before, but I feel the need to again… Do you really need Shockwave Player on your PC? If not, it’s best to reduce the attack surface of your machines by removing it. If you do require it, you can download the latest version at http://get.adobe.com/shockwave.

Adobe bulletin APSB11-02 fixes 13 vulnerabilities in Flash Player, all of which can lead to code execution. Adobe has rated this patch as critical. Because Flash Player is so widely used and distributed, we recommend updating your Flash Player installations as soon as possible. The latest Flash Player can be downloaded from http://get.adobe.com/flashplayer. Users of Google Chrome should have already received an update patching these vulnerabilities.

Adobe bulletin APSB11-03 addresses 29 vulnerabilities in Adobe’s Reader and Acrobat products. This includes fixes for 23 code execution, 1 elevation of privilege, 3 denial of service and 2 cross-site scripting flaws. Adobe has rated this patch as critical. Similar to Flash, the ubiquity of Adobe’s Reader software requires that you update as soon as possible. Fortunately Adobe Reader includes an auto-update function now. Those of you who need to download it for distribution can get it from http://get.adobe.com/reader.

The last bulletin, APSB11-04, affects Adobe ColdFusion and Adobe has rated it as important. It covers five flaws, two of which are related to cross-site scripting. ColdFusion users can find instructions for applying this hotfix in this technical note.

As always, for SophosLabs analysis of all important vulnerabilities visit our latest vulnerabilities page. Microsoft’s advice on the February 2011 patches can be found on their blog. The Adobe security bulletins can be found on their security page.

Creative Commons image of a Band-Aid courtesy of kevindean’s Flickr photostream. Creative Commons image of Bad Fonts courtesy of twcollins Flickr photostream. Creative Commons image of Adobe product montage courtesy of pcsiteuk’s Flickr photostream.

Posted in Sophos

Two Recent Zero-Day Bugs Fixed by February Patch Tuesday

The two recent zero-day vulnerabilities in Internet Explorer and the Graphics Rendering Engine found in late December and in early January, respectively, have been addressed by today’s Patch Tuesday release.

This month’s release comprises 12 bulletins, three of which are rated “critical” while the remaining nine are rated “important.” The other bulletins include those that address vulnerabilities in Windows Kernel, Microsoft Visio, Active Directory, and the Local Security Authority Subsystem Service (LSASS).

Despite the number of bulletins, Microsoft’s list of notable bugs to patch has yet to be cleared, as the recently found vulnerability in MHTML remains unpatched.

Although no active attacks have been found exploiting the MHTML vulnerability, applying security measures to protect systems from possible exploits is strongly recommended. Users may opt to implement the workarounds that Microsoft has provided. Trend Micro product users are already safe from being victimized by exploits leveraging this specific vulnerability through Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Security

Busy patch tuesday ahead, (Fri, Feb 4th)

Come Tuesday, Adobe is apparently planning to issue critical updates for Adobe Reader. Microsoft’s advance notification indicates that we’ll be getting a plethora of patches, most prominently a critical one (remote code execution) for Internet Explorer. Further, Firefox 3.6.14 is also tentatively scheduled for release on the same Tuesday. Looks like we’re in for a busy patch week.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Security

Patch Tuesday (Microsoft and Adobe) coming next week


Microsoft

Microsoft has posted advance notification of what we can expect on February Patch Tuesday next week:

There will be 12 security bulletins. Three are considered critical and nine important. They will cover updates and fixes in Windows, Internet Explorer and Microsoft Office.

Adobe

Adobe has posted a security advisory saying it will fix critical vulnerabilities on Tuesday with updates for:
– Adobe Reader X (10.0) (Windows and Macintosh),
– Adobe Reader 9.4.1 and earlier (Windows, Macintosh and UNIX),
– Adobe Acrobat X (10.0) (Windows and Macintosh), and
– Adobe Acrobat 9.4.1 and earlier (Windows and Macintosh).

An update for the UNIX versions will be available by the week of February 28, Adobe said.

Tom Kelchner

Full story: GFI Labs blog

Posted in Antivirus


February Patch Tuesday: three 0-days fixed



After a quiet January Patch Tuesday, Microsoft will be issuing 12 updates fixing 22 vulnerabilities for February’s Patch Tuesday. These patches will update Windows, Internet Explorer, and the Visio diagramming software.

Three bulletins, including the Internet Explorer patch, earn the most severe “Critical” rating. The remaining nine, including the Visio fix, earn a still significant “Important” score. All bar three of the fixes will require a reboot.


Posted in Security


SW Adobe to Update Reader and Acrobat on Patch Tuesday

Next Tuesday, on their regularly-scheduled quarterly Acrobat Patch Tuesday, Adobe will release security updates for all Windows and Mac Acrobat and Reader versions. Updates for the UNIX version are expected by the week of February 28, 2011.

Adobe committed about a year ago to a regular update cycle like Microsoft’s. It’s not often that they have been able to keep to it, as many of their updates have been urgent enough for them to go “out of band.”



Full story: Security Watch

Posted in Security

January Patch Tuesday Fixes Three Vulnerabilities

After being battered by a record Patch Tuesday last month, January may come as a relief to system administrators everywhere. This month’s patch cycle includes two bulletins—one rated “important,” only covering Windows Vista; the other rated “critical,” covering all currently supported Windows versions.

What’s noticeable is what is not being patched. Two zero-day vulnerabilities are known to be present in Windows though neither was patched today. First is a vulnerability in Internet Explorer (IE) that we talked about in late December that has already been used in the wild. The second flaw in the Graphics Rendering Engine, on the other hand, has not been exploited to date.

As we previously mentioned when the IE vulnerability was discovered, our free add-on Browser Guard already offers protection by preventing browser exploits and analyzing in-browser scripts for malicious characteristics and behaviors. Until an official patch is issued, users should consider using Browser Guard as their way of mitigating a potential threat.

For enterprise users, we offer specific solutions to deal with vulnerabilities. Both Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in have rules that protect users not just against the vulnerabilities patched today but also against both unpatched vulnerabilities. A rule covering the IE vulnerability has been made available since late December while coverage for the Graphics Rendering Engine was part of a regular update.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Antivirus


Just two bulletins for January Patch Tuesday



After last month’s bumper crop of bulletins, January’s Patch Tuesday looks like it will be a more downbeat affair. Just two bulletins, fixing a total of three vulnerabilities, will be released tomorrow.

The first bulletin has an “Important” rating and affects only Windows Vista. The second has a “critical” rating and applies to all supported versions of Windows. Both bulletins require a reboot.


Posted in Security

Microsoft Patch Tuesday – January 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is a quiet month: the vendor is releasing two bulletins covering a total of three vulnerabilities. One of the issues is rated ‘Critical’ and it affects Microsoft Data Access Components (MDAC). The remaining two issues are rated ‘Important’ and affect MDAC and a previously public issue in Windows Backup Manager.

Attackers can exploit all of these issues to execute arbitrary code. As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the January releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-jan.mspx

The following is a breakdown of the issues being addressed this month:

1. MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)

CVE-2011-0026 (BID 45695) Microsoft Data Access Components Data Source Name Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Microsoft Data Access Components due to how it validates third-party API usage. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Data Access Components 2.8 SP1, 2.8 SP2, and 6.0

CVE-2011-0027 (BID 45698) Microsoft Data Access Components ActiveX Data Objects Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Microsoft Data Access Components due to how it validates memory allocation when handling internal data structures. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Data Access Components 2.8 SP1, 2.8 SP2, and 6.0

2. MS11-001 Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)

CVE-2010-3145 (BID 42763) Microsoft Windows Backup 'fveapi.dll' DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A previously public (Aug 26, 2010) remote code-execution vulnerability affects Microsoft Backup Manager due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.wbcat’ file from a remote SMB or WebDAV share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Vista SP1, SP2, x64 Edition SP1, and x64 Edition SP2

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Full story: Symantec Connect – Security Response – Blog Entries

Posted in Antivirus

Microsoft Patch Day: is that all?

Yesterday Microsoft released 17 security bulletins, finally fixing the last 0day flaw exploited by the Stuxnet malware, which had been left open until now. In all, 7 of the 38 flaws fixed by Microsoft were already publicly disclosed, and they allowed both remote code execution and elevation of privilege.

Microsoft patched some of its software that was vulnerable to the insecure DLL loading issue disclosed last August. We talked about this vulnerability in a specific blog post in August, where we already said that it shouldn’t be considered a vulnerability of the operating system itself, but a coding error by the software developers.

Finally, Microsoft patched the long discussed and well known Windows Task Scheduler exploit used by Stuxnet malware to gain administrative privileges. With this update, all the 0day exploits used by Stuxnet have been definitely fixed.

The Task Scheduler flaw had been known since September, and a working proof-of-concept exploit was released publicly in November, allowing malware writers to use it in their code to bypass limited-account and UAC restrictions.

In a Microsoft blog post written on 9 December 2010, Mike Reavey of the Microsoft Security Response Center wrote that the 0day exploit affecting the Windows Task Scheduler had not been used anywhere other than by the Stuxnet malware. Contrary to this, we have had reports of the infamous TDL4 rootkit exploiting the same flaw since the first days of December 2010. We covered this topic in a previous blog post. In any case, the flaw has now been fixed, and TDL4 will need other ways to elevate its privileges when dropped on a victim's PC.

With this massive security update, Microsoft patched a lot of flaws that could be exploited by malware. Is that all? Actually, no. The update still leaves open a security flaw that allows privilege escalation: the win32k.sys stack overflow flaw we discussed in an earlier blog post.

This is bad, and it is made even more dangerous by the fact that exploit code for this vulnerability has already been disclosed publicly. We should expect malware to start using it very soon. Now that the Windows Task Scheduler flaw has been closed, this other exploit will probably be in the spotlight until Microsoft releases a patch for it.

Looking at malware like the TDL4 rootkit, its development trend suggests that its authors will adopt this exploit very soon, once again giving the rootkit the ability to automatically elevate its privileges and infect both x86 and x64 versions of the Microsoft Windows operating system.

Prevx customers are already protected against this Windows 0day exploit, as are users of the free Prevx version. So, while waiting for the Microsoft patch, why not give Prevx a try and stay protected from this exploit?


View the original article at Prevx Blog


Microsoft Patch Tuesday – December 2010

Hello and welcome to this month’s blog on the Microsoft patch release. This is another large release: the vendor is releasing 17 bulletins covering a total of 40 vulnerabilities.

Eight of the issues are rated ‘Critical’ and they affect Internet Explorer and the OpenType Font (OTF) format driver. The remainder of the issues are rated ‘Important’ or ‘Moderate’ and affect Publisher, Office, SharePoint, Windows, Windows kernel, Exchange, and Hyper-V. Included in this patch release is a fix for the last of the vulnerabilities Stuxnet was exploiting, the Windows Task Scheduler issue.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the December releases can be found here:

http://www.microsoft.com/technet/security/bulletin/ms10-dec.mspx

The following is a breakdown of the ‘Critical’ bulletins being addressed this month:

1. MS10-090 Cumulative Security Update for Internet Explorer (2416400)

CVE-2010-3340 (BID 45255) Microsoft Internet Explorer Uninitialized Object CVE-2010-3340 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 6 and 7

CVE-2010-3342 (BID 45256) Microsoft Internet Explorer CVE-2010-3342 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate / Symantec Rating: 5.7/10)

A cross-domain information-disclosure vulnerability affects Internet Explorer because it incorrectly allows cached content to be rendered as HTML across domains. An attacker can exploit this issue by tricking an unsuspecting victim into visiting a Web page containing malicious content. A successful exploit will result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks.

Affects: Internet Explorer 6, 7, and 8

CVE-2010-3343 (BID 45259) Microsoft Internet Explorer Uninitialized Object CVE-2010-3343 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 6

CVE-2010-3345 (BID 45260) Microsoft Internet Explorer Uninitialized HTML Element CVE-2010-3345 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 8

CVE-2010-3346 (BID 45261) Microsoft Internet Explorer Uninitialized HTML Element CVE-2010-3346 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 6, 7, and 8

CVE-2010-3348 (BID 45263) Microsoft Internet Explorer CVE-2010-3348 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate / Symantec Rating: 5.7/10)

A cross-domain information-disclosure vulnerability affects Internet Explorer because it incorrectly allows cached content to be rendered as HTML across domains. An attacker can exploit this issue by tricking an unsuspecting victim into visiting a Web page containing malicious content. A successful exploit will result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks.

Affects: Internet Explorer 6, 7, and 8

CVE-2010-3962 (BID 44536) Microsoft Internet Explorer CSS Tags Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.3/10)

A previously public (Nov 3, 2010) remote code-execution vulnerability affects Internet Explorer when storing a certain combination of Cascading Style Sheet (CSS) tags, resulting in a use-after-free condition. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 6, 7, and 8

2. MS10-091 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Remote Code Execution (2296199)

CVE-2010-3956 (BID 45311) Microsoft Windows OpenType Font (OTF) Driver Invalid Array Index Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel mode; this may facilitate a complete compromise of an affected computer.

Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

CVE-2010-3957 (BID 45315) Microsoft Windows OpenType Font (OTF) Driver Double-Free Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel mode; this may facilitate a complete compromise of an affected computer.

Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

CVE-2010-3959 (BID 45316) Microsoft Windows OpenType Font (OTF) Driver CMAP Table Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel mode; this may facilitate a complete compromise of an affected computer.

Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

– Robert Keith on Symantec Connect – Security Response – Blog Entries



Microsoft Pulls Problem Office Patch

Microsoft has removed one of the updates from this past Patch Tuesday. Problems have been observed with Microsoft Outlook 2007 on certain configurations. I have personally observed some of them.

  1. Outlook may fail to connect if SPA (Secure Password Authentication) is configured for an account and the server doesn’t support SPA. Outlook connected to Google Apps is such a configuration.
  2. Performance problems may be observed switching between folders if the account is not connected to a Microsoft Exchange server. I have seen this with my Google Apps account.
  3. AutoArchive cannot be configured for IMAP, POP3, or Outlook Live Connector accounts unless there is also an Exchange account in the same profile.

If you are experiencing any of these problems, follow the instructions in the blog to remove the update. It’s a simple process.

Hat tip to the Internet Storm Center.

– on Security Watch



Big Patch Tuesday Heavy on Non-Critical Updates

Next Tuesday, December 14, Microsoft will release 17 security bulletins and updates to address the 40 vulnerabilities disclosed in them.

Only 2 of the updates have a maximum rating of Critical, with 14 maxing out at Important and one at Moderate. This doesn’t mean that there are only 2 Critical vulnerabilities; in fact, as many as 25 could be critical. We won’t know those numbers, nor the full extent of the vulnerabilities, until Tuesday. The critical vulnerabilities affect various versions of Windows and Internet Explorer.

Among the bugs fixed will be the last of the Stuxnet zero-day vulnerabilities, a local privilege elevation attack which Microsoft says has not been seen in the wild outside of Stuxnet. The Internet Explorer fix appears to be the one publicly disclosed last month.

Thirteen of the bulletins, including both Critical ones, affect Internet Explorer and all versions of Windows. Two Important bulletins affect Microsoft Office, another SharePoint Server 2007, and the final one affects x64-based Exchange Server 2007 Service Pack 2 and is rated Moderate.

There will also be several non-security updates on Tuesday including one for clock issues and issues caused by revised daylight saving time and time zone laws in several countries. There will also be the usual updates to the Malicious Software Removal Tool and Windows Mail Junk Filter.

In an entry on the MSRC (Microsoft Security Response Center) blog, MSRC Director Mike Reavey does a post-mortem on updates in 2010. The total for the year (unless it changes before Tuesday, which wouldn’t be unprecedented) is 106. This is up some over previous years. Reavey attributes this to increased outside reporting, which mostly means that there’s money to be made in bug bounty programs from TippingPoint, iDefense and the like.

– on Security Watch

